HijackThis

- A general Homepage Hijacker Detector and Removal Tool

By: Tahira Farid

60-564 Project 1

Fall 2004


Overview

  • Browser Hijacking and Why

  • The Techniques

  • Preventing a Hijack

  • HijackThis- A Hijack Removal Tool

  • Download Information

  • Getting around with the tool


Overview (cont.)

  • Testing

  • Summary

  • Important things learnt

  • Useful Links

  • References


What is Browser Hijacking?

  • Where a browser’s default settings are forcibly modified by using scripting tools

  • Spyware takes over our internet settings, redirects our searches and steals our homepage

  • adding links to favourites

  • changing homepage persistently

    - scripting

    - changing registry values

    - auto-running programs

    - secret files put on the hard disk


Why Hijacking?

  • Bring us back to a website or a sponsor’s site of the hijacker’s choice

  • Generate advertising revenues

  • Keep users trapped in their sites

  • Expand the website’s traffic

  • Is it Reversible?

    - as easy as switching the internet options back

    - as crucial as undoing the changes in the Windows registry


The Techniques

  • Multiple Windows pop-ups while leaving the site

  • Windows half off screen that are hard to close and allow no control

  • Offering “freebies” on their sites

  • Installing AOL software, Messenger or ICQ adds http://free.aol.com to IE’s Trusted Sites zone without our permission; sites in that zone can download ActiveX, run scripts and perform various actions.

  • Removing Internet Options from the Tools menu and Control Panel

  • Changing registry settings to reset the homepage

  • Installing a program to reset the homepage on reboot


Preventing Hijack

  • Various anti-hijacking and anti-virus tools available.

  • HijackThis- utility tool to remove browser hijacks, viruses, trojans & spyware

  • Does not target specific programs/URLs

  • Targets methods used by hijackers


HijackThis

  • Developed by Merijn

  • Freeware

  • 178 KB

  • latest version: 1.98.2

  • Intended for advanced users

  • Regularly updated to detect & remove new hijacks

  • Runs on all Windows OSes


Download Info & caution

  • http://www.spychecker.com/program/hijackthis.html

  • It must be placed in its own folder, otherwise backups will not be made.

  • Recommended to be used after running Spybot or another spyware/hijacker remover, since those leave malware files behind.

  • Requires knowledge of Windows and of operating systems in general.

  • If entries are deleted without knowing what they are, problems such as IE not working or Windows not running can result.


Caution(cont)

  • Scans the registry and various files on the hard disk.

  • Lists entries similar to what a spyware/hijacker program would leave behind.

  • Interpreting the results can be tricky.

  • Legitimate programs get installed in a similar way to hijackers.

  • Extra caution should be taken when fixing a problem.


Getting started

  • Go to the folder where HijackThis was unpacked from the zip file and double-click on hijackthis.exe.


Scan results

  • Each line starts with a section name.


Info on selected items

  • To get information about a selected object.


Fix entries

  • Select an item to fix/remove.


Restoring items deleted mistakenly

  • We can make backups and restore items in erroneous scenarios, i.e. items which were removed but were legitimate.

  • Under the Config button.


Generating startup listing

  • Has a built-in tool to generate a listing of all the programs that launch when the computer starts.

  • Under Config, Misc Tools option.


Process Manager

  • Built-in tool to

    1) Kill processes that are currently running

    2) Check what DLLs are loaded in a particular process

  • Under Config, Misc Tools option


Process Manager (cont.)


Hosts File Manager

  • View our hosts file

  • Delete lines

  • Toggle lines on/off

  • HijackThis will add a “#” sign before the line to comment it out so that it will not be used by Windows.
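The hosts-file handling this slide describes, as an added example written in Python for illustration (it is not the presentation's code and not HijackThis itself): a mapping is disabled by putting "#" in front of the line and re-enabled by removing that "#". The sample hosts content is constructed; the .test names and the 203.0.113.0/24 address are reserved for documentation and belong to no real site.

```python
"""Added example: toggle and inspect hosts-file lines the way the Hosts File
Manager slide describes. Not the presentation's code and not HijackThis's."""

import ipaddress

# Constructed sample hosts file (documentation-only names and addresses).
SAMPLE_HOSTS = (
    "# Constructed sample hosts file\n"
    "127.0.0.1       localhost\n"
    "127.0.0.1       ads.example-tracker.test\n"
    "203.0.113.5     www.example-bank.test\n"
    "#203.0.113.5    search.example.test\n"
)

# Addresses that keep a hostname on the local machine (blocking, not redirecting).
LOCAL_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}


def parse_hosts(text):
    """One record per line: index, active flag (not commented out), address and
    the hostnames mapped to it. Comment and blank lines are kept as records
    with address None so that indexes stay usable with toggle_line()."""
    records = []
    for idx, raw in enumerate(text.splitlines()):
        stripped = raw.strip()
        active = not stripped.startswith("#")
        # drop the leading '#' (if any) and any trailing inline comment
        body = stripped.lstrip("#").split("#", 1)[0]
        parts = body.split()
        rec = {"index": idx, "raw": raw, "active": active, "address": None, "hosts": []}
        if len(parts) >= 2:
            try:
                ipaddress.ip_address(parts[0])
                rec["address"], rec["hosts"] = parts[0], parts[1:]
            except ValueError:
                pass  # a prose comment, not an address/host mapping
        records.append(rec)
    return records


def toggle_line(text, index):
    """Comment out line `index` with a leading '#', or re-enable it by removing
    the first '#', the way the slide says HijackThis toggles a line."""
    lines = text.splitlines()
    line = lines[index]
    if line.lstrip().startswith("#"):
        pos = line.index("#")
        lines[index] = line[:pos] + line[pos + 1:]
    else:
        lines[index] = "#" + line
    return "\n".join(lines) + "\n"


def redirected_hosts(text):
    """Active mappings that send a hostname to some other machine. Blocking
    entries (loopback/0.0.0.0) are normal; a redirect to an outside address is
    what a hosts-file hijack looks like and is the kind of line to toggle off."""
    return [
        (rec["address"], host)
        for rec in parse_hosts(text)
        if rec["active"] and rec["address"] and rec["address"] not in LOCAL_ADDRESSES
        for host in rec["hosts"]
    ]


if __name__ == "__main__":
    for address, host in redirected_hosts(SAMPLE_HOSTS):
        print(f"redirect: {host} -> {address}")
    print(toggle_line(SAMPLE_HOSTS, 3))
```

Toggling rather than deleting keeps the original line in place, which is why a mistaken toggle is reversible in the same way the slide describes for HijackThis.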


Delete on reboot

  • Sometimes files obstinately refuse to be deleted from the system by any traditional means.

  • Could be a virus/spyware

  • HijackThis allows Windows to delete the file on reboot.


HijackThis log

  • Each line on the scan list starts with a section name

  • Each entry has a 2-letter code to say what it is.


Testing

  • Windows XP SP2

  • Running spybot S&D, ad-aware

  • Specific problem in IE: always redirects to http://213.159.117.134/index.php

  • Even after using Spybot S&D, AboutBuster, SpywareBlaster and Ad-aware, the problem was still there

  • The following entries were deleted after the scan:

  • O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 entries refer to BHOs: plugins for the browser that extend its functionality. Used by spyware and by legitimate programs.

    The CLSID refers to registry entries that contain info about BHOs/toolbars. This particular entry means the entry exists in the registry but the associated file does not exist. Therefore it was cleaned to tidy up the registry.


Testing (cont.)

  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

  • R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php

  • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php

  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

  • R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php

    R0 and R1 entries refer to the IE start page and search functions. The URL these R0 and R1 entries point to is unwanted. Therefore they were cleaned to get rid of it.


Testing (cont.)

  • O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\system32\systime.exe   (startup item; Trojan downloaded)

  • O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\system32\systime.exe

    O4 entries refer to applications that are listed in certain registry keys/startup folders and are loaded automatically when Windows starts.

    Here the O4 entry shows a CoolWebSearch Trojan. Therefore it was fixed by HijackThis. The corresponding file C:\WINDOWS\system32\systime.exe was deleted by running Windows in safe mode after fixing with HijackThis.


Testing (cont.)

  • O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...edceabcca450006

    O16 entries refer to ActiveX objects: programs that are downloaded from websites and stored on our computer. They are also referenced in the registry by their CLSID.

    Here the object/URL could not be recognised, nor where it was downloaded from. Therefore it was cleaned by HijackThis. HijackThis also deletes the offending file from C:\Windows\Downloaded Program Files, where these types of objects are stored.
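The reasoning applied to the R0/R1, O2, O4 and O16 entries on these Testing slides, and the "2-letter code per entry" structure the HijackThis log slide describes, as an added Python example that is not the presentation's code and not HijackThis itself. It parses scan lines into their section code and fields, then triages them the way the slides do: an O2 entry with "(no file)" is an orphaned registry entry to clean up, a start page pointing at an unwanted address is a hijack, an O4 startup item is judged by looking its name up in a reference list, and an O16 object from an unrecognised host needs review. The reference lists in the code are hypothetical stand-ins for the online BHO/startup lists the Useful Links slide points to, the bare-IP rule for R0/R1 entries is this example's own heuristic, and the "benign" lines in the sample log are constructed for contrast.

```python
"""Added example: parse HijackThis scan lines and apply the Testing slides'
triage reasoning. Not the presentation's code and not HijackThis itself."""

import ipaddress
import re
from urllib.parse import urlparse

# Scan lines: the R0/R1 start-page lines, the O2 (no file) line, the two
# O4 [SysTime] lines and the O16 line are the entries the Testing slides
# report (the O16 URL is truncated there and kept that way); the remaining
# lines are constructed benign entries for contrast.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example-search.test/
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [SysTime] C:\WINDOWS\system32\systime.exe
O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\system32\systime.exe
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...edceabcca450006
"""

# Hypothetical reference lists standing in for the startup/BHO lists linked
# from the Useful Links slide; real triage consults those lists, not these.
KNOWN_STARTUP = {
    "ExampleTray": "ok",
    "SysTime": "bad: CoolWebSearch Trojan (as identified on the Testing slide)",
}
KNOWN_BHO = {"{00000000-0000-0000-0000-000000000001}": "ok"}
TRUSTED_DPF_HOSTS = {"download.example-vendor.test"}

# Every entry is "<section code> - <body>"; the body layout depends on the code.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
R_RE = re.compile(r"^(?P<key>[^=]+?) = (?P<url>.*)$")
CLSID = r"\{[0-9A-Fa-f-]{36}\}"
O2_RE = re.compile(rf"^BHO: (?P<name>.*?) - (?P<clsid>{CLSID}) - (?P<file>.*)$")
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(rf"^DPF: (?P<clsid>{CLSID}) - (?P<url>.*)$")


def parse_log(text):
    """Return one dict per scan line (code, body and the parsed fields).
    Lines that are not 'XX - body' entries (log header, process list) are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entry = {"code": m["code"], "body": m["body"]}
        detail = None
        if entry["code"].startswith("R"):
            detail = R_RE.match(entry["body"])
        elif entry["code"] == "O2":
            detail = O2_RE.match(entry["body"])
        elif entry["code"] == "O4":
            detail = O4_RE.match(entry["body"])
        elif entry["code"] == "O16":
            detail = O16_RE.match(entry["body"])
        if detail:
            entry.update(detail.groupdict())
        entries.append(entry)
    return entries


def host_is_bare_ip(url):
    """Heuristic (this example's own): a start page set to a literal IP address
    rather than a name is unusual and worth flagging."""
    host = urlparse(url).hostname
    try:
        ipaddress.ip_address(host or "")
        return True
    except ValueError:
        return False


def triage(text, unwanted_hosts=frozenset()):
    """Return (code, verdict, reason) tuples: 'hijack' for entries to fix,
    'cleanup' for orphaned registry entries, 'review'/'lookup' for entries
    that must be checked against the reference lists before touching them."""
    findings = []
    for e in parse_log(text):
        code = e["code"]
        if code in ("R0", "R1") and "url" in e:
            host = urlparse(e["url"]).hostname
            if host in unwanted_hosts or host_is_bare_ip(e["url"]):
                findings.append((code, "hijack", f"{e['key']} -> {e['url']}"))
        elif code == "O2" and "clsid" in e:
            if e["file"] == "(no file)":
                findings.append((code, "cleanup", f"BHO {e['clsid']} registered but file missing"))
            elif KNOWN_BHO.get(e["clsid"]) != "ok":
                findings.append((code, "lookup", f"BHO {e['clsid']} ({e['name']}) not in reference list"))
        elif code == "O4" and "name" in e:
            verdict = KNOWN_STARTUP.get(e["name"])
            if verdict is None:
                findings.append((code, "lookup", f"startup item [{e['name']}] {e['cmd']} not in reference list"))
            elif verdict != "ok":
                findings.append((code, "hijack", f"startup item [{e['name']}] {e['cmd']}: {verdict}"))
        elif code == "O16" and "url" in e:
            host = urlparse(e["url"]).hostname
            if host not in TRUSTED_DPF_HOSTS:
                findings.append((code, "review", f"ActiveX {e['clsid']} downloaded from unrecognised host {host}"))
    return findings


if __name__ == "__main__":
    for code, verdict, reason in triage(SAMPLE_LOG):
        print(f"{code:4} {verdict:8} {reason}")
```

The "lookup" and "review" verdicts are deliberate: the Caution slides warn that legitimate programs install the same way hijackers do, so anything not settled by a rule on the page (an orphaned O2 entry, a known-bad startup name) is left for the analyst to check against the BHO and startup lists rather than fixed automatically.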


Testing (cont.)

  • Booting in safe mode, the following file was deleted:

  • C:\WINDOWS\system32\systime.exe

  • Temporary internet files were deleted

  • System rebooted normally, Ad-aware was run to do some more cleanup.

  • No bad entries were found in the new log.


Summary

  • HijackThis is a very powerful tool to root out serious infestation or attack in our system.

  • We should be cautious, since incorrectly removing objects can cause problems with legitimate programs and compromise our system.

  • Many online forums & tutorials for inspecting logfiles.

  • Useful links available for CLSID, startup lists.

  • We need a great deal of devotion, commitment and knowledge towards our system security.

  • HijackThis by itself cannot make our system secure from hijackers; we need other relevant tools as well to detect and remove spyware and viruses.


Important things learnt

In order to keep the computer clean and secure:

  • Make our Internet Explorer more secure by customizing security options.

  • Use an AntiVirus Software

  • Use Spyware & Malware remover utility tools

    Spybot S&D, Ad-aware, CWShredder, HijackThis, SpywareBlaster

  • Update our AntiVirus Software

  • Use a Firewall

  • Visit Microsoft's Windows Update Site Frequently

  • Update all these programs regularly


Useful links

  • HijackThis log file analysis:

    http://www.hijackthis.de/index.php?langselect=english

  • TonyK's Browser Helper Obj (BHO) & Toolbar list:

    http://www.sysinfo.org/bholist.php

  • PacMan's Start-up list to find the entry and see if it's good or bad.

    http://www.sysinfo.org/bholist.php


References

  • http://www.spywareinfo.com/%7Emerijn/htlogtutorial.html

  • http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#RDiag


Thank You!
