All posts by Brett

About Brett

I live in Jacksonville, Florida USA where I ride my bike and run a small PC and network repair biz. I consider myself extremely lucky to earn a living doing what I love. I have been earning my living in this way for several years. Alas, my personality doesn’t allow me to rest on the successes of my past. Entrepreneurs are cursed that way. I started SpyandSeek while still in college but never finished it. (Slight ADD, another curse.) After two years in the PC trade I decided it was time to finish what I started and so SpyandSeek was born. SpyandSeek has analyzed thousands of HijackThis logs from around the world since its launch in late 2005. It still amazes me how a tiny site like mine can touch so many far off places.

How do I stop Unity from starting windows maximised?

Install CompizConfig Settings Manager.

sudo apt-get install compizconfig-settings-manager

Launch it by searching from the Dash in Unity, or via Preferences > CompizConfig Settings Manager in Ubuntu Classic.

  • Navigate to Place Windows
  • [screenshot of the Place Windows plugin settings]
  • Then navigate to the Fixed Window Placement tab
  • Add a rule to fixed placement mode
  • Open Firefox and size it to your need
  • Use the Grab button to “grab” the window name and size
  • Your rule should look like this when done

Interpreting HijackThis Entries – Part 3

ORIGINAL POST (Thanks to malwarehelp.org; only copied here so we don’t lose it)

A word of caution: this program should be used with the utmost care, as most of the entries shown after a scan are necessary for the smooth running of the operating system. Not all users can be expected to understand every entry it produces, as that requires a certain level of expertise. Unless you can spot a spyware program by the names of its registry keys and DLL files, interpretation is best left to those specifically trained in reading HijackThis logs. It is recommended that you post the log file generated by HijackThis on one of the recommended online forums dedicated to this purpose.

O10 – Winsock hijacker

Winsock is short for Windows Sockets API. It describes a standard way for Windows programs to work with TCP/IP; you use Winsock, or the more recent Winsock2, whenever your Windows PC connects directly to the Internet. Winsock incorporates a feature called Layered Service Provider (LSP), which allows legitimate third-party software such as anti-virus, firewall and other security-related products to insert their own code into the “chain”. An LSP has access to all data entering and leaving the computer.

This feature is misused by a few hijackers to facilitate their own monitoring. Data packets outbound from your computer to a legitimate destination on the web can be intercepted by a malware LSP and sent somewhere other than where you intended. As Merijn says, “Only a very small selection of spyware used this method of infection as it requires hooking into the Winsock LSP chain, which lies very deep into the bowels of Windows and is one of the hardest parts of Windows to manipulate.” Examples that do this are New.net, Webhancer, CommonName and the CWS variant CWS.Msspi.

Example O10 entries from HijackThis logs

  • O10 – Hijacked Internet access by New.Net
  • O10 – Broken Internet access because of LSP provider ‘c:\progra~1\common~2\toolbar\cnmib.dll’ missing
  • O10 – Unknown file in Winsock LSP: c:\program files\newton knows\vmain.dll
  • O10 – Unknown file in Winsock LSP: c:\windows\system32\msspi.dll

Recommendation: Do not fix O10 entries, or use programs like LSPfix or WinsockFix, unless an expert/helper advises you to do so. Fixing the LSP stack is not advised unless you are sure of what you are doing and know how to undo it, as a wrong fix will break your internet connection and in some cases only a repair install or a reinstall will get you back. A lot of legitimate programs use the LSP to perform their tasks, and HijackThis has only some of them in its ignored (safe) list, so false positives are likely. Please note that Merijn also says that “‘unknown’ files in the LSP stack will not be fixed by HijackThis, for safety issues.”

If you want to have a look at the LSPs in your system, use Spybot S&D or download the free LSP explorer add-on for Ad-Aware SE.

Spybot-S&D is able to display a list of installed network drivers and allows this list to be exported for future reference. In version 1.3, entries that have changed since the last snapshot are displayed in bold letters, so you can see changes to the list at once. The Ad-Aware SE LSP explorer goes a step further by letting you back up and restore the LSPs. It also lets you view active LSP and Name Service Providers on your system, along with detailed information about each, so you can determine whether or not they are legitimate.

LSPs can be researched at SystemLookup – O10 List.

O11 – Extra group in IE ‘Advanced Options’ window

In this section HijackThis tags the addition of an extra group in the “Advanced” tab of Internet Options in IE. The options in the “Advanced” tab are stored in the registry, and extra options can be added easily by creating extra registry keys. Very rarely, malware adds its own options there; CommonName, for example, adds a group with a few options. Some legitimate programs also add their own group there.

Example O11 entries from HijackThis logs

  • O11 – Options group: [CommonName] CommonName
  • O11 – Options group: [Multimedia] Multimedia
  • O11 – Options group: [TB] Toolbar
  • O11 – Options group: [TOEGANKELIJKHEID] Toegankelijkheid

Recommendation: If the listed program name is ‘CommonName’, have HijackThis fix this. If you don’t recognize the name, take an expert’s opinion before fixing this entry.

O12 – IE plugins

Plugins are small programs that add particular functions to an existing larger program such as IE, typically to display or play some multimedia content found in a web document, for example QuickTime movies and Flash and Shockwave animations. When spyware or hijackers add plugins for their own file types, the danger exists that they get reinstalled when the browser opens such a file, even if everything but the plugin has been removed.

Example O12 entries from HijackThis logs

  • O12 – Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
  • O12 – Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
  • O12 – Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
  • O12 – Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

HijackThis lists all the plugins installed on your machine. There seems to be only one pest that uses this method at present: Onflow media player, a graphics provider and ad-tracking and reporting company for web advertisers. It appears in HijackThis logs with the extension “.ofb”.

Recommendation: Almost all of the entries appearing in this section are harmless. Don’t fix anything other than Onflow.

O13 – IE DefaultPrefix hijack

When a website URL like www.microsoft.com is typed into IE’s address bar without the prefix (http:// in this case), it is automatically added when you hit Enter. This prefix, together with the default prefixes for FTP, Gopher and a few other protocols, is stored in the registry keys

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefix

A hijacker changes these values to the URL of his server; as a result the victims always get redirected to the hijacker’s website when they forget to type the prefix. Many variants of the CWS parasite use this method.

Example O13 entries from HijackThis logs

  • O13 – DefaultPrefix: http://ehttp.cc/?
  • O13 – WWW Prefix: http://ehttp.cc/?
  • O13 – DefaultPrefix: http://www.nkvd.us/1507/
  • O13 – WWW Prefix: http://www.nkvd.us/1507/
  • O13 – Home Prefix: http://www.nkvd.us/1507/
  • O13 – Mosaic Prefix: http://www.nkvd.us/1507/
  • O13 – WWW. Prefix: http://

Recommendation: You need not be selective here. Whatever changes the default prefix of various protocols cannot be good. Have HijackThis fix all instances of this.
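The following is an added example, not part of the malwarehelp.org post and not code from HijackThis: a small Python check that parses O13 lines, compares each prefix with the stock Windows value for that protocol, and shows the URL IE would build from a bare host name once the DefaultPrefix has been changed. The default-prefix table, the function names and the sample log text are this example's own assumptions.

```python
import re

# Default prefix values Windows keeps under
# HKLM\Software\Microsoft\Windows\CurrentVersion\URL (the DefaultPrefix and Prefix keys),
# keyed by the label HijackThis prints in an O13 line. Table assembled for this example.
DEFAULT_PREFIXES = {
    "DefaultPrefix": "http://",
    "WWW Prefix": "http://",
    "Home Prefix": "http://",
    "Mosaic Prefix": "http://",
    "FTP Prefix": "ftp://",
    "Gopher Prefix": "gopher://",
}

# Matches "O13 – DefaultPrefix: http://ehttp.cc/?" with either an en dash or a hyphen.
O13_LINE = re.compile(r"^O13\s*[–-]\s*(?P<label>[^:]+):\s*(?P<value>\S+)\s*$")


def check_o13(line):
    """Return (label, value, verdict), or None if the line is not an O13 entry.

    verdict is 'default' when the value equals the Windows default for that label,
    'changed' when it differs, and 'unknown' when the label has no entry in the table
    (for example "WWW. Prefix", for which no default is documented above).
    """
    m = O13_LINE.match(line.strip())
    if not m:
        return None
    label, value = m.group("label").strip(), m.group("value")
    expected = DEFAULT_PREFIXES.get(label)
    if expected is None:
        return label, value, "unknown"
    return label, value, "default" if value.lower() == expected else "changed"


def url_ie_would_open(typed, prefix):
    """The address IE builds when the user types a host with no scheme: prefix + text.

    With a hijacked prefix ending in '?', the typed host becomes a query string sent
    to the hijacker's server, which is why every bare address ends up there.
    """
    return prefix + typed


def triage(log_text):
    """Every O13 entry in a log whose prefix is not the documented default."""
    findings = []
    for line in log_text.splitlines():
        result = check_o13(line)
        if result is not None and result[2] != "default":
            findings.append(result)
    return findings


# Constructed sample assembled from the log lines quoted above, plus one default value.
SAMPLE_LOG = """\
O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O13 - Home Prefix: http://www.nkvd.us/1507/
O13 - WWW. Prefix: http://
O13 - FTP Prefix: ftp://
"""

if __name__ == "__main__":
    for label, value, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:8} {label:14} {value}")
    print(url_ie_would_open("www.microsoft.com", "http://ehttp.cc/?"))
```

Running it lists the three changed prefixes and the unknown one, and prints http://ehttp.cc/?www.microsoft.com, the request a user typing www.microsoft.com would actually make.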

O14 – ‘Reset Web Settings’ hijack

In this section HijackThis checks the file “iereset.inf” for changes which might indicate a hijack. When you click “Reset Web Settings” on the Programs tab of Internet Options, IE restores the default values for the home page, search page and a few other items from the settings stored in the “iereset.inf” file. This file is located in the inf folder in your system folder. Some OEMs create their own custom URLs for this file.

Malware changes the default URLs to its own, so that when you click “Reset Web Settings” you get re-infected rather than cured.

Example O14 entries from HijackThis logs

  • O14 – IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
  • O14 – IERESET.INF: START_PAGE_URL=http://www.oninet.pt
  • O14 – IERESET.INF: START_PAGE_URL=http://www.mysingtel.com.sg
  • O14 – IERESET.INF: START_PAGE_URL=http://www.searchalot.com

Recommendation: If the URL is not the provider of your computer or your ISP, have HijackThis fix it.

O15 – Unwanted site in Trusted Zone

In this section HijackThis lists the sites in the “Trusted Zone” of Internet Explorer, a zone originally meant for content located on web sites considered more reputable or trustworthy than other sites on the Internet. Web sites in the Trusted Zone (Internet Options > Security > Trusted Zone > Sites) are allowed to use normally dangerous scripts and ActiveX objects that other sites are not allowed to use, as the default security level for the zone is low. Some malware programs will automatically add a site to the Trusted Zone without you knowing.

Example O15 entries from HijackThis logs

  • O15 – Trusted Zone: *.registration.weather.com
  • O15 – Trusted Zone: *.i-lookup.com
  • O15 – Trusted Zone: *.offshoreclicks.com
  • O15 – Trusted Zone: *.teensguru.com

Recommendation: Some variants of CWS parasite are known to add sites to the Trusted Zone. If you didn’t add the listed domain to the Trusted Zone yourself, have HijackThis fix it.

O16 – ActiveX Objects (aka Downloaded Program Files)

In this section HijackThis tags the items found in “Downloaded Program Files” folder in the Windows folder. This folder holds various types of files downloaded from the internet including ActiveX and Java objects. The legitimate purpose of ActiveX objects is to allow website creators to embed small programs in their sites which will interact with your browser to provide an enhanced experience to the visitor. Because of its nature, ActiveX makes a very good platform for installing spyware, adware, dialers, and hijackers.

Example O16 entries from HijackThis logs

  • O16 – DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) – 66.48.68.135/save/makeover.cab
  • O16 – DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) – 207.188.7.150/093979d9dd85d80a6d03/net..
  • O16 – DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) – messenger.zone.msn.com/binary/Messenge..
  • O16 – DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) – v4.windowsupdate.microsoft.com/CAB/x86..
  • O16 – DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) – install.wildtangent.com/bgn/partners/

Recommendation: If you don’t recognize the name of the object, or the URL it was downloaded from, it is safe to have HijackThis fix it. If you are unsure about an item, get an expert opinion before fixing it. Even if you have chosen to fix a legitimate ActiveX object, you will simply be prompted to download it again when you next use that particular service from the website concerned. Please note that fixing ActiveX objects required by sites using secure logins will cause problems when you try to log in to that site again, so be careful what you choose to fix with HijackThis.
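As an added example (not from the original post or from HijackThis), the Python below parses O16 lines and classifies each object by where it was downloaded from: a bare IP address, a domain on a site-specific allowlist, or anything else that needs looking up. The allowlist, function names and sample lines are assumptions made for the example; the allowlist in particular stands in for whatever your own policy trusts.

```python
import ipaddress
import re

# "O16 – DPF: {CLSID} (Friendly Name) – host/path/file.cab"; HijackThis truncates long URLs with "..".
O16_LINE = re.compile(
    r"^O16\s*[–-]\s*DPF:\s*\{(?P<clsid>[0-9A-Fa-f-]{36})\}\s*\((?P<name>[^)]*)\)\s*[–-]\s*(?P<url>\S+)"
)

# Download hosts the operator already trusts. Constructed allowlist for this example;
# in practice it comes from your own policy, not from a fixed table.
KNOWN_VENDOR_DOMAINS = ("microsoft.com", "msn.com")


def host_of(url):
    """Host part of a DPF source, with any scheme, path and port stripped."""
    no_scheme = re.sub(r"^[a-zA-Z][a-zA-Z0-9+.-]*://", "", url)
    return no_scheme.split("/", 1)[0].split(":", 1)[0].lower()


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def in_known_domain(host):
    return any(host == d or host.endswith("." + d) for d in KNOWN_VENDOR_DOMAINS)


def triage_o16(line):
    """Classify one O16 entry by its download source.

    Returns a dict with the CLSID, friendly name, source host and a verdict:
      'ip-literal'   - served from a bare IP address, so there is no name to research
      'known-vendor' - host is under a domain in KNOWN_VENDOR_DOMAINS
      'review'       - anything else: look the CLSID up before fixing
    """
    m = O16_LINE.match(line.strip())
    if not m:
        return None
    host = host_of(m.group("url"))
    if is_ip_literal(host):
        verdict = "ip-literal"
    elif in_known_domain(host):
        verdict = "known-vendor"
    else:
        verdict = "review"
    return {"clsid": m.group("clsid").upper(), "name": m.group("name"),
            "host": host, "verdict": verdict}


# Constructed sample from the log lines quoted above.
SAMPLE_LOG = r"""
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - 66.48.68.135/save/makeover.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - v4.windowsupdate.microsoft.com/CAB/x86..
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - install.wildtangent.com/bgn/partners/
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        r = triage_o16(line)
        if r:
            print(f"{r['verdict']:12} {r['host']:35} {r['name']}")
```

A 'review' verdict is where the SystemLookup search the text recommends comes in; the script only sorts the entries so that the obviously anonymous sources stand out.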

O17 – Lop.com domain hijackers

In this section HijackThis checks various keys in the registry hive HKEY_LOCAL_MACHINE for specific values which help Windows resolve domain names into IP addresses. Hijacking these values can cause the programs which use the internet to be redirected to other, malicious sites. Some versions of Lop.com use this method, together with a huge list of cryptic domains.

Example O17 entries from HijackThis logs

  • O17 – HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ao.lop.com
  • O17 – HKLM\System\CCS\Services\Tcpip\..\{665F2FE6-9364-453A-AD28-9DDF4773B522}: Domain = ao.lop.com
  • O17 – HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ao.lop.com
  • O17 – HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ao.lop.com
  • O17 – HKLM\System\CCS\Services\Tcpip\..\{ADB2672A-97BB-4C94-9EE0-5447635C8D03}: NameServer = 204.127.129.2 12.102.244.2

Recommendation: It’s best to leave the O17s alone unless they clearly point to a bad site. Removing a needed O17 entry may break your internet connectivity, as these values may be used by your ISP or your company network.
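An added example, not from the original post: given the DNS suffix and the resolver ranges a machine is supposed to use, this Python audit flags O17 values that differ and groups them by control set, which shows whether a value is also waiting in CS1/CS2. The EXPECTED_DOMAINS and EXPECTED_RESOLVERS policy values are hypothetical and stand in for a real site's settings.

```python
import ipaddress
import re

# Matches e.g. "O17 – HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ao.lop.com"
# and captures which control set (CCS, CS1, CS2 ...) the value was read from.
O17_LINE = re.compile(
    r"^O17\s*[–-]\s*(?P<key>HKLM\\System\\(?P<cset>CCS|CS\d+)\\[^:]*):\s*"
    r"(?P<vname>\w+)\s*=\s*(?P<value>.+)$"
)


def parse_o17(line):
    m = O17_LINE.match(line.strip())
    if not m:
        return None
    return {"control_set": m.group("cset"), "key": m.group("key"),
            "name": m.group("vname"), "value": m.group("value").strip()}


def audit_o17(log_text, expected_domains, expected_resolvers):
    """Compare each O17 value with what this machine is supposed to use.

    expected_domains:   DNS suffixes the machine may legitimately carry (lower case).
    expected_resolvers: CIDR strings covering the ISP's or company's name servers.
    Returns (control_set, value_name, offending_value, reason) tuples.
    """
    nets = [ipaddress.ip_network(n) for n in expected_resolvers]
    findings = []
    for line in log_text.splitlines():
        e = parse_o17(line)
        if e is None:
            continue
        if e["name"].lower() == "domain":
            if e["value"].lower() not in expected_domains:
                findings.append((e["control_set"], "Domain", e["value"], "unexpected-domain"))
        elif e["name"].lower() == "nameserver":
            for ip in re.split(r"[\s,]+", e["value"]):   # several resolvers, space separated
                if not ip:
                    continue
                try:
                    inside = any(ipaddress.ip_address(ip) in n for n in nets)
                except ValueError:
                    inside = False                         # not an address at all: treat as unexpected
                if not inside:
                    findings.append((e["control_set"], "NameServer", ip, "unexpected-resolver"))
    return findings


def by_control_set(findings):
    """Group offending values by the control sets carrying them. A value present in
    CS1/CS2 as well as CCS survives a 'Last Known Good Configuration' boot."""
    grouped = {}
    for cset, name, value, _reason in findings:
        grouped.setdefault((name, value), set()).add(cset)
    return grouped


# Constructed sample from the log lines quoted above.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ao.lop.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{665F2FE6-9364-453A-AD28-9DDF4773B522}: Domain = ao.lop.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ao.lop.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ao.lop.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADB2672A-97BB-4C94-9EE0-5447635C8D03}: NameServer = 204.127.129.2 12.102.244.2
"""

# Hypothetical site policy for the example: the company suffix and the ISP's resolver ranges.
EXPECTED_DOMAINS = {"example.corp"}
EXPECTED_RESOLVERS = ["204.127.129.0/24", "12.102.244.0/24"]

if __name__ == "__main__":
    found = audit_o17(SAMPLE_LOG, EXPECTED_DOMAINS, EXPECTED_RESOLVERS)
    for (name, value), csets in by_control_set(found).items():
        print(f"{name} = {value} in {sorted(csets)}")
```

With the sample policy the Domain value is reported once, tagged with all three control sets, while the NameServer addresses pass because they fall inside the expected resolver ranges.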

O18 – Extra protocols and protocol hijackers

This section of HijackThis looks for new or changed protocols used by Windows to ‘talk’ to programs, servers or itself. A protocol is what IE interprets as the beginning of an address, like http://, https://, ftp://, gopher:// etc. Lop.com uses this method to make IE load content using an “ayb://whatever” address; similarly, CommonName uses cn://. Several legitimate programs also do this.

Example O18 entries from HijackThis logs

  • O18 – Protocol: ayb – {07C0D34D-11D7-43F7-832B-C6BB41726F5F}
  • O18 – Protocol: pcn – {D540F040-F3D9-11D0-95BE-00C04FD93CA5} – C:\PROGRAM FILES\ENCOMPASS\V1MK.DLL

Recommendation: Only a few hijackers show up here. The known baddies are ‘cn’ (CommonName), ‘ayb’ (Lop.com) and ‘relatedlinks’ (Huntbar); you should have HijackThis fix those. Other things that show up are either not confirmed safe yet, or are hijacked. If you are in doubt, get an expert opinion before fixing. The O18 items can be researched at SystemLookup – O18 List.

O19 – User style sheet hijack

IE has an option to use a user-defined stylesheet for all pages instead of the default one, to enable visually challenged users to better view web pages. Many CWS parasites overwrite any stylesheet the user has set up and replace it with one that causes popups as well as system slowdown.

Example O19 entries from HijackThis logs.

  • O19 – User stylesheet: C:\WINNT\system.css
  • O19 – User stylesheet: c:\windows\my.css
  • O19 – User stylesheet: C:\WINNT\default.css
  • O19 – User stylesheet: C:\WINDOWS\Web\oslogo.bmp
  • O19 – User stylesheet: C:\WINDOWS\Web\win.def
  • O19 – User stylesheet: C:\WINDOWS\default.css

Recommendation: At present only CWS does this, so it is recommended to use CWShredder to fix it, unless you have set up a stylesheet for your own use.

O20 – AppInit_DLLs Registry value autorun

AppInit_DLLs value is documented in MS Knowledge Base article, Working with the AppInit_DLLs registry value.

The AppInit_DLLs value is found in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

All the DLLs that are specified in this value are loaded by each Microsoft Windows-based application that is running in the current log on session.

What the above means is that any DLL listed in the AppInit_DLLs value will be loaded into every program launched, even in Safe Mode.

Example O20 entries from HijackThis logs

  • O20 – AppInit_DLLs: cahooknt.dll
  • O20 – AppInit_DLLs: wbsys.dll
  • O20 – AppInit_DLLs: CLKERN.DLL
  • O20 – AppInit_DLLs: mad.dll
  • O20 – AppInit_DLLs: ssohook
  • O20 – Winlogon Notify: DPWLN – C:\WINDOWS\system32\DPWLEvHd.dll
  • O20 – Winlogon Notify: igfxcui – C:\WINNT\SYSTEM32\igfxsrvc.dll

Recommendation: The O20 entries can be researched at SystemLookup – O20 List. Very few legitimate programs use this autostart method; some variants of the CWS infection are known to use it to load a hidden DLL at Windows startup. You should get an expert’s opinion before deciding to fix (delete) these entries.

O21 – ShellServiceObjectDelayLoad

This is an undocumented autorun method, executed by “Explorer.exe” as soon as it has loaded. Each value under the following registry key contains the name and location of a DLL. The system will load the referred DLLs and link them to “Explorer.exe”.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

Example O21 entries from HijackThis logs

  • O21 – SSODL: DDE Control Module – {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} – (no file)
  • O21 – SSODL: Trayz – {F5B7D0BE-5f02-4211-96DB-386DFA244900} – C:\WINDOWS\lghngdne.dll
  • O21 – SSODL: 0aMCPClient – {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} – (no file)
  • O21 – SSODL: XmLdrLocation – {0C887F38-5178-43DA-B9F0-B856141FCDA4} – C:\WINDOWS\System32\msuueng.dll
  • O21 – SSODL: WebExtLocation – {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} – C:\WINNT\system32\lrluser.dll

Recommendation: HijackThis tags only those entries that are not in its internal whitelist, but not all entries tagged by HijackThis are bad. The O21 items can be researched at SystemLookup – O21 List. Please obtain expert/helper help before fixing (deleting) these entries.

O22 – SharedTaskScheduler

This undocumented autorun method applies only to Windows XP, Windows 2000 and NT. Here HijackThis tags the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

Example O22 entry from HijackThis logs

O22 – SharedTaskScheduler: (no name) – {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} – c:\windows\system32\mtwirl32.dll

Recommendation: This is a rare entry in HijackThis logs. The O22 items can be researched at SystemLookup – O22 List. Please obtain an opinion from a helper/expert before fixing (deleting) this entry.

O23 – NT Services

An NT Service is a background process which is loaded by the Service Control Manager of the NT kernel. Services are often loaded at bootup, before any user logs in, and are often independent of any specific user being logged on at the time. If a service is not launched automatically by the system at boot time, as many services are, it can also be launched manually by a user at the console, via the NT Control Panel’s Services applet, or by another program which interfaces to NT’s Service Control Manager. (From “An Introduction to NT Services”.)

HijackThis checks the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services, for non-Microsoft services.
Note that not all entries tagged by HijackThis are bad.

Example O23 entries from HijackThis logs

  • O23 – Service: Remote Procedure Call (RPC) Helper – Unknown – C:\WINDOWS\system32\sdkkv32.exe
  • O23 – Service: ISEXEng – Unknown – C:\WINDOWS\system32\angelex.exe
  • O23 – Service: NOD32 Kernel Service (NOD32krn) – Unknown owner – D:\Program Partition\Eset\nod32krn.exe
  • O23 – Service: Kerio Personal Firewall 4 (KPF4) – Kerio Technologies – D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe

Recommendation: The O23 items can be researched at SystemLookup – O23 List. Please obtain help from a helper/expert before fixing (deleting) these entries.
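The following is an added example that serves the O20 to O23 sections above; it is not code from the original post or from HijackThis. It parses those four entry types into name, owner and path and applies the heuristics the text gives: a '(no file)' target, a bare DLL name in AppInit_DLLs, a shell or logon DLL outside system32, or a service with no owner string. Each flag means 'research this entry', never 'delete it'. The function names and the sample log are this example's own.

```python
import re

TAG_RE = re.compile(r"^(?P<tag>O2[0-3])\s*[–-]\s*(?P<rest>.+)$")
FIELD_SPLIT = re.compile(r"\s+[–-]\s+")   # name – {CLSID} – path, with an en dash or a hyphen


def flags_for(tag, kind, owner, path):
    """Heuristics drawn from the O20-O23 guidance above; a flag means 'research', not 'malicious'."""
    flags = []
    if path == "(no file)":
        flags.append("no-file")            # stale registration: the DLL is gone but the key remains
    elif kind == "AppInit_DLLs" and "\\" not in path:
        flags.append("bare-name")          # no directory given, so it is found via the DLL search path
    elif tag != "O23" and path and "\\system32\\" not in path.lower():
        flags.append("outside-system32")   # shell and logon DLLs normally live in system32
    if tag == "O23" and owner.lower().startswith("unknown"):
        flags.append("unknown-owner")      # no vendor string: look the service and its file up
    return flags


def parse_autostart(line):
    """Parse one O20-O23 log line into entry dicts (AppInit_DLLs may list several DLLs)."""
    m = TAG_RE.match(line.strip())
    if not m:
        return []
    tag = m.group("tag")
    kind, _, body = m.group("rest").partition(":")   # "SSODL", "Trayz – {...} – C:\..."
    kind, body = kind.strip(), body.strip()
    entries = []
    if kind == "AppInit_DLLs":
        for dll in re.split(r"[\s,]+", body):
            if dll:
                entries.append({"tag": tag, "kind": kind, "name": dll, "owner": "", "path": dll})
    else:
        fields = FIELD_SPLIT.split(body)
        name = fields[0]
        path = fields[-1] if len(fields) > 1 else ""
        owner = fields[1] if tag == "O23" and len(fields) >= 3 else ""
        entries.append({"tag": tag, "kind": kind, "name": name, "owner": owner, "path": path})
    for e in entries:
        e["flags"] = flags_for(e["tag"], e["kind"], e["owner"], e["path"])
    return entries


def triage(log_text):
    """Only the entries that carry at least one flag."""
    return [e for line in log_text.splitlines() for e in parse_autostart(line) if e["flags"]]


# Constructed sample from the O20-O23 lines quoted above.
SAMPLE_LOG = r"""
O20 - AppInit_DLLs: cahooknt.dll
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O21 - SSODL: DDE Control Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
O21 - SSODL: Trayz - {F5B7D0BE-5f02-4211-96DB-386DFA244900} - C:\WINDOWS\lghngdne.dll
O22 - SharedTaskScheduler: (no name) - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - c:\windows\system32\mtwirl32.dll
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\system32\angelex.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e['tag']} {e['kind']:20} {e['name']:22} {e['path']:45} {', '.join(e['flags'])}")
```

Note that a DLL sitting in system32 with a vendor-looking name passes these checks, so the SystemLookup research the text recommends still applies to every tagged line; the flags only order the work.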

Interpreting HijackThis Entries – Part 1- Entries – R0 to N4

Interpreting HijackThis Entries – Part 2- Entries – O1 to O9

Interpreting HijackThis Entries – Part 3-Entries – O10 to O23

Interpreting HijackThis Entries – Part 2

ORIGINAL POST (Thanks to malwarehelp.org; only copied here so we don’t lose it)

A word of caution: this program should be used with the utmost care, as most of the entries shown after a scan are necessary for the smooth running of the operating system. Not all users can be expected to understand every entry it produces, as that requires a certain level of expertise. Unless you can spot a spyware program by the names of its registry keys and DLL files, interpretation is best left to those specifically trained in reading HijackThis logs. It is recommended that you post the log file generated by HijackThis on one of the recommended online forums dedicated to this purpose.

O1 – Hosts file redirection

The hosts file maps host names to IP addresses.

The short answer is that the hosts file is like an address book. When you type an address like www.yahoo.com into your browser, the hosts file is consulted to see if you have the IP address, or “telephone number,” for that site. If you do, then your computer will “call it” and the site will open. If not, your computer will ask your ISP’s (internet service provider) computer for the phone number before it can “call” that site. Most of the time, you do not have addresses in your “address book,” because you have not put any there. Therefore, most of the time your computer asks your ISP for the IP address to find sites. (From “What is a hosts file”.)

The hosts file can also be hijacked by malware: by changing the entries in your hosts file, it effectively makes Windows believe a web site has a different IP address than it really has, and thus makes IE open the wrong page. A benign hostname such as cnn.com could be made to point to a malicious website. HijackThis can detect these redirection entries.

Example O1 malicious entries from HijackThis logs

  • O1 – Hosts: 64.191.95.139 www.google.com
  • O1 – Hosts: 66.98.178.19 cookies.cmpnet.com
  • O1 – Hosts: 66.98.178.19 counter.aaddzz.com
  • O1 – Hosts: 66.98.178.19 counter14.sextracker.com
  • O1 – Hosts: 216.177.73.139 auto.search.msn.com
  • O1 – Hosts: 216.177.73.139 search.netscape.com

Here the hijack will redirect the address on the right to the IP address on the left. In the first entry of the example, if you type ‘www.google.com’ in your browser you will be taken to the malicious host at 64.191.95.139 instead of Google. Many variants of the CWS (CoolWebSearch) parasite use this method to hijack IE.

You may find another entry in HijackThis logs pertaining to hosts file redirection. It may look like this:

  • O1 – Hosts file is located at C:\Windows\Help\hosts
  • O1 – Hosts file is located at: C:\WINNT\nsdb\hosts

Here HijackThis tags the relocation of the hosts file itself, perpetrated by some parasites. The legitimate hosts file is located in the following locations in the various flavours of Windows:

  • Windows NT/2K/XP = [System root]\system32\drivers\etc
  • Windows 95/98/ME = [drive]\windows
  • The [drive] is usually drive “c:”

The [System root] is usually “c:\winnt” or “c:\windows”

Recommendation: You can always have HijackThis fix these, unless you knowingly put those entries in your Hosts file.
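As an added example (not from the original post), here is a Python audit of a hosts file itself rather than of the HijackThis line: it parses the file format, skips comments, and flags names pinned to routable addresses, addresses absorbing several names (the pattern in the O1 examples above), and a reported hosts path that is not the NT-family default. The sample hosts text, the LOCAL_NAMES set and the default system root are constructed for the example.

```python
import ipaddress

# Names that legitimately map to the loopback address in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "ip6-localhost", "ip6-loopback"}

# Constructed sample hosts file: the stock localhost line plus mappings modelled on the O1 lines above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
64.191.95.139   www.google.com
66.98.178.19    cookies.cmpnet.com
66.98.178.19    counter.aaddzz.com      # injected alongside the line above
216.177.73.139  auto.search.msn.com search.netscape.com
10.0.0.5        intranet.example.corp
"""


def parse_hosts(text):
    """Return [(ip, hostname)] from hosts-file text, ignoring comments and blank or malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                      # first column is not an address: skip the line
        for host in fields[1:]:           # one line may carry several names for one address
            entries.append((str(addr), host.lower()))
    return entries


def audit_hosts(text):
    """Flag entries that pin a public host name to an address, bypassing DNS.

    Each finding is (ip, hostname, reasons). 'routable-redirect' marks a name tied to a
    public address; 'private-mapping' marks a private (RFC 1918) target, which is often a
    legitimate intranet shortcut; 'shared-sink' marks an address that absorbs more than
    one name, the pattern seen in the O1 examples above.
    """
    entries = parse_hosts(text)
    names_per_ip = {}
    for ip, host in entries:
        names_per_ip.setdefault(ip, []).append(host)
    findings = []
    for ip, host in entries:
        addr = ipaddress.ip_address(ip)
        if host in LOCAL_NAMES or addr.is_loopback or addr.is_unspecified:
            continue
        reasons = ["private-mapping" if addr.is_private else "routable-redirect"]
        if len(names_per_ip[ip]) > 1:
            reasons.append("shared-sink")
        findings.append((ip, host, reasons))
    return findings


def hosts_location_ok(reported_path, system_root=r"C:\WINDOWS"):
    """True when an 'O1 - Hosts file is located at' path is the NT-family default.

    system_root is an assumption for the example; pass the machine's real %SystemRoot%.
    """
    expected = (system_root + r"\system32\drivers\etc\hosts").lower()
    return reported_path.strip().lower() == expected


if __name__ == "__main__":
    for ip, host, reasons in audit_hosts(SAMPLE_HOSTS):
        print(f"{ip:16} {host:28} {', '.join(reasons)}")
    print(hosts_location_ok(r"C:\Windows\Help\hosts"))
```

The private-mapping distinction matters in practice: a corporate image may legitimately pin intranet names, so only the routable findings are the ones to treat as the redirections the text describes.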

O2 – Browser Helper Objects

In this section, HijackThis tags all the “Browser Helper Objects” being used by your IE, whether good or bad. A browser helper object, or BHO, is a component that Internet Explorer loads whenever it starts (or, if you have Active Desktop turned on, even when you open a file folder on your own computer), and it can perform many actions on the available windows. BHOs can be either good or bad, but most of them contain spyware in one form or another. Sometimes these BHOs just sneak onto your computer and you don’t even realize they are there! Some of them can be downright malicious!

Some common examples of BHOs are Aureate/Radiate, Alexa, Flyswat, Gator, GetRight, Gozilla, RealDownload, and Yahoo Companion.

Example O2 entries from HijackThis logs

  • O2 – BHO: (no name) – {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} – C:\Program Files\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
  • O2 – BHO: (no name) – {0982868C-47F0-4EFB-A664-C7B0B1015808} – C:\WINDOWS\System32\mskhhe.dll
  • O2 – BHO: (no name) – {53707962-6F74-2D53-2644-206D7942484F} – C:\PROGRA~1\SPYBOT~1\SDHelper.dll
  • O2 – BHO: (no name) – {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} – C:\WINDOWS\System32\bridge.dll

Recommendation: You need to be careful in selecting entries in this section for fixing with HijackThis, as it lists both benign BHOs (Google toolbar, Acrobat Reader, Spybot S&D’s download protection etc.) and malicious ones. Look up SystemLookup – CLSID List, where it is possible to search by CLSID (the alphanumeric characters between the curly brackets). Choose to fix an entry only if you are absolutely sure; otherwise consult an expert, as deletion of certain BHOs will affect the smooth functioning of IE.

O3 – Internet Explorer toolbars

A toolbar for Internet Explorer is normally located below the menu bar at the top of the window. IE toolbars are created by Browser Helper Objects. Many toolbars available on the Internet are spyware. They can be annoying or even outright malicious, tracking your online behaviour and displaying popup ads.

Example O3 entries from HijackThis logs

  • O3 – Toolbar: &Google – {2318C2B1-4965-11d4-9B18-009027A5CD4F} – c:\program files\google\googletoolbar1.dll
  • O3 – Toolbar: Band Class – {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} – C:\WINDOWS\dealhlpr.dll
  • O3 – Toolbar: &Radio – {8E718888-423F-11D2-876E-00A0C9082467} – C:\WINDOWS\SYSTEM\MSDXM.OCX

Recommendation: As HijackThis lists all the 3rd-party toolbars, good and bad, discretion is required when selecting entries to fix. Again, the exhaustive list at SystemLookup – CLSID List may be used to search for the offending CLSIDs if you don’t directly recognize a toolbar’s name.

O4 – Autoloading programs from Registry & Startup group

As the title indicates, this section of the HijackThis log lists all programs that autoload from the registry and the Startup group. Autoloading entries can load a registry script, VBScript or JavaScript file, possibly causing the IE start page, search page, search bar or search assistant to revert to a hijacker’s page after a system reboot. Also, a DLL file can be loaded that will hook into several parts of your system.

Example O4 entries from HijackThis logs

  • O4 – HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
  • O4 – HKLM\..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe
  • O4 – HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
  • O4 – HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
  • O4 – Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
  • O4 – Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
  • O4 – Startup: PowerReg Scheduler.exe
  • O4 – Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe

Recommendation: An amazing number of Windows applications, from freeware and shareware utilities to full-blown commercial suites such as Microsoft Office, manage to insert some portion of themselves into your Windows startup. There are some you should never turn off, though. Definitely leave entries such as ScanRegistry and SystemTray well alone, as these are critical parts of Windows itself. How do you identify malware or unnecessary programs loading at startup? If you don’t recognize the program from its name, or if you are plainly suspicious of an entry, consult one of the searchable startup-program lists. They provide a comprehensive list of the programs you may find running when you switch on your PC, as typically identified by MSCONFIG or the registry “Run” keys, and whether you need them.
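An added example, not from the original post: parsing O4 entries is mostly about getting the executable out of a command line that may be quoted, unquoted with spaces, or missing a directory altogether. The Python below does that, classifies where each program lives, and marks the ScanRegistry and SystemTray entries the text says to leave alone. The function names, the CRITICAL set and the sample log are assumptions of the example.

```python
import re

# "O4 – HKLM\..\Run: [Name] command line"  or  "O4 – Startup: shortcut.lnk = target"
O4_LINE = re.compile(r"^O4\s*[–-]\s*(?P<scope>[^:]+):\s*(?P<rest>.+)$")
RUN_VALUE = re.compile(r"^\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Quoted executable (straight or curly quotes; a missing closing quote is tolerated).
QUOTED = re.compile(r'^["“”](?P<exe>[^"“”]+)["“”]?\s*(?P<args>.*)$')
# Unquoted executable: shortest prefix ending in a program extension, the rest is arguments.
UNQUOTED = re.compile(r"^(?P<exe>.*?\.(?:exe|com|bat|cmd|scr|pif|vbs|js))(?:\s+(?P<args>.*))?$", re.I)

# Startup entries the post says to leave alone: core Windows components.
CRITICAL = {"scanregistry", "systemtray"}


def split_command(cmd):
    """Separate executable from arguments, tolerating quotes and unquoted paths with spaces."""
    cmd = cmd.strip()
    m = QUOTED.match(cmd) or UNQUOTED.match(cmd)
    if not m:
        return cmd, ""
    return m.group("exe").strip(), (m.group("args") or "").strip()


def classify_location(exe):
    low = exe.lower()
    if "\\" not in low:
        return "no-path"        # bare file name: resolved via the search path, so it could be anywhere
    if re.match(r"^[a-z]:\\(windows|winnt)\\", low):
        return "windows-dir"
    if re.match(r"^[a-z]:\\program files\\", low):
        return "program-files"
    return "other"


def parse_o4(line):
    """Parse one O4 line into scope, value name, executable, arguments, location and advice."""
    m = O4_LINE.match(line.strip())
    if not m:
        return None
    scope, rest = m.group("scope").strip(), m.group("rest").strip()
    if scope.upper().startswith("HK"):
        v = RUN_VALUE.match(rest)
        name, cmd = (v.group("name"), v.group("cmd")) if v else ("", rest)
    else:  # Startup folder: "<shortcut>.lnk = <target>" or just a file name
        name, sep, cmd = rest.partition(" = ")
        if not sep:
            cmd = name
    exe, args = split_command(cmd)
    note = "critical Windows component: leave alone" if name.lower() in CRITICAL else "research if unrecognised"
    return {"scope": scope, "name": name, "exe": exe, "args": args,
            "location": classify_location(exe), "note": note}


def triage(log_text):
    """Entries worth a trip to a startup list first: no directory at all, or an unusual one."""
    out = []
    for line in log_text.splitlines():
        e = parse_o4(line)
        if e and e["location"] in ("no-path", "other") and e["name"].lower() not in CRITICAL:
            out.append(e)
    return out


# Constructed sample from the O4 lines quoted above (including the unbalanced quote in the ccApp line).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
"""

if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        e = parse_o4(line)
        if e:
            print(f"{e['location']:13} {e['name']:22} {e['exe']}  [{e['args']}]  {e['note']}")
```

Of the sample lines only "PowerReg Scheduler.exe" is returned by triage, because it is the one entry that gives no directory at all; the location label for the others tells you where to look when you do research them.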

O5 – IE Options icon not visible in Control Panel

In this section HijackThis checks for the “Internet options” applet available in the control panel. Each item in Control Panel has an associated “.cpl” file. These files, along with the Control Panel initialization file, “Control.ini”, are loaded into memory when Control Panel is opened. A hijacker may modify the control.ini to prevent access to the “Internet Options” window, thereby preventing the user from resetting various hijacked options.

Example O5 entry from HijackThis logs

O5 – control.ini: inetcpl.cpl=no

This entry is not commonly seen in HijackThis logs.

Recommendation: Unless you or an administrator has chosen to hide the ‘Internet options’ applet from the control panel by modifying the control.ini file, it’s safe to have HijackThis fix this entry.

O6 – IE Options access restricted by Administrator

This section is similar to the O5 section in the sense that HijackThis tags the disabling of the “Internet Options” applet in the Windows control panel and the restriction on changing the start page setting. The difference here is that HijackThis checks the registry key “HKCU\Software\Policies\Microsoft\Internet Explorer\” for any restrictions placed by using administrative policies. HijackThis lists this even if the option in Spybot S&D is used to protect the start page from being changed by malware.

In this section, HijackThis lists several different types of entry.

Example O6 entries from HijackThis logs

  • O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
  • O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  • O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present

Restrictions present: You or an administrator has set a policy which disables changing IE start page for the current user.

Control Panel present: You or an administrator has set a policy which restricts access to the ‘Internet options’ from within the IE or in the control panel.

Toolbars\Restrictions present: You or an administrator has set a policy which restricts access to the IE toolbar.

This setting is also used by malware to restrict the user from changing the hijacked start page, search page etc., and generally to restrict the user from accessing the “Internet Options” applet in the control panel.

Recommendation: Unless you or an administrator has applied this policy in your system for the users, it is safe to have HijackThis fix these entries.

O7 – Regedit access restricted by Administrator

Once again this setting is applied through administrative policies. Disabling the ability to use the registry editor is normally used by administrators to restrict their users, but it can also be used by malware to prevent access to the registry settings. HijackThis checks the registry key “HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System” for any restrictions.

Example O7 entry from HijackThis logs

O7 – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Recommendation: Unless you or an administrator has applied this policy in your system for the users, it is safe to have HijackThis fix this entry.

O8 – Extra items in IE right-click menu

In this section HijackThis lists the extra items in IE’s right-click (context) menu, i.e. not the default items like Back, Forward etc., but only the items installed by 3rd-party software, both legitimate and otherwise. HijackThis checks the registry keys

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MenuExt

and lists all the extra items. These extra context menu items can prove helpful or annoying. Some hijackers are known to add to the context menu.

Example O8 entries from HijackThis logs

  • O8 – Extra context menu item: &Google Search – res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.68-DELEON.DLL/cmsearch.html
  • O8 – Extra context menu item: Open with GetRight Browser – C:\Program Files\GetRight\GRbrowse.htm
  • O8 – Extra context menu item: Zoom &In – C:\WINDOWS\WEB\zoomin.htm
  • O8 – Extra context menu item: Coupons – file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
  • O8 – Extra context menu item: &Add animation to IncrediMail Style Box – C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

Recommendation: If you don’t recognize the name of the item or if you don’t use an item in the right-click menu in IE, it can be safely fixed with HijackThis.

O9 – Extra buttons on main IE button toolbar, or extra items in IE ‘Tools’ menu

In this section HijackThis tags the extra buttons on the main IE toolbar and the extra items in the ‘Tools’ menu of IE. HijackThis checks the registry keys

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions

and lists all the extra buttons and extra items on the “Tools” menu of IE. These can be researched at SystemLookup – O9 List.

Example O9 entries from HijackThis logs

  • O9 – Extra button: Messenger (HKLM)
  • O9 – Extra button: Joyo (HKLM)
  • O9 – Extra button: Run DAP (HKLM)
  • O9 – Extra button: Copernic Agent (HKLM)
  • O9 – Extra ‘Tools’ menuitem: Console Java (Sun) (HKLM)
  • O9 – Extra ‘Tools’ menuitem: Yahoo! Messenger (HKLM)

Recommendation: If you don’t recognize the name of the button or ‘Tools’ menu item, or if you don’t use it, it can be safely fixed with HijackThis.
