HijackThis - A general Homepage Hijacker Detector and Removal Tool
By: Tahira Farid
60-564 Project 1
Fall 2004

Overview
- Browser Hijacking and Why
- The Techniques
- Preventing a Hijack
- HijackThis - A Hijack Removal Tool
- Download Information
- Getting around with the tool
- changing registry values
- auto-running programs
- secret files put on the hard disk
- as easy as switching the Internet options back
- as crucial as undoing the changes by going to the Windows registry
folder where hijackthis was created from zip unpack. Double click
backup & restore
items for erroneous
items which were
to generate listing of all the prog that launch when comp
Misc tools option.
1) Kill processes that are currently running
2) Check what DLLs are loaded in a
Misc tools option
add a “#” sign before the line to comment it out so that it will not be used by Windows.
to get deleted from the system by any
windows to delete the file on reboot.
scan list starts with a section name
2-letter code to say what it is.
O2 entries refer to BHOs (Browser Helper Objects): plug-ins for the browser that extend its functionality. They are used by spyware and by legitimate programs.
CLSID refers to registry entries that contain information about BHOs/toolbars. This particular entry means that the entry exists in the registry but the associated file does not exist. It was therefore cleaned to tidy up the registry.
R0, R1 entries refer to the IE start page and search functions. The URL that R0 and R1 are pointing to is unwanted. They were therefore cleaned to get rid of it.
O4 entries refer to applications that are listed in certain registry keys or startup folders and are loaded automatically when Windows starts.
Here the O4 entry shows a CoolWebSearch Trojan. It was therefore fixed by HijackThis. The corresponding file
C:\WINDOWS\system32\systime.exe was deleted by running Windows in safe mode after fixing with HijackThis.
O16 entries refer to ActiveX objects: programs that are downloaded from websites and stored on our computer. They are also referenced in the registry by their CLSID.
Here the object/URL it was downloaded from could not be recognized. It was therefore cleaned by HijackThis. HijackThis also deletes the offending file from C:\Windows\Downloaded Program Files,
where these types of objects are stored.
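The section codes described above can be applied to a saved scan log mechanically. The following is an added example, not part of the original slides or of HijackThis itself, that parses log lines by section code and flags registry entries whose file is missing. The "<code> - <detail>" line layout, the "(no file)" marker, the placeholder CLSIDs and the example.invalid URLs are assumptions constructed for illustration.

```python
import re

# Section codes explained on this page, with the page's descriptions.
SECTIONS = {
    "R0": "IE start page / search setting",
    "R1": "IE start page / search setting",
    "O2": "Browser Helper Object (BHO)",
    "O4": "program auto-started from a registry key or startup folder",
    "O16": "ActiveX object downloaded from a website",
}
# Assumed layout of a scan line: "<code> - <detail>", code = letter + number.
LINE_RE = re.compile(r"^([A-Z]\d{1,2})\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
MISSING_RE = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)

def parse_line(line):
    """Return a dict for one scan line, or None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, detail = m.groups()
    clsid = CLSID_RE.search(detail)
    return {
        "code": code,
        "meaning": SECTIONS.get(code, "section not covered on this page"),
        "detail": detail,
        "clsid": clsid.group(0) if clsid else None,
        "orphaned": bool(MISSING_RE.search(detail)),  # registry entry, no file
    }

def triage(log_text):
    """Group parsed entries by section code, preserving log order."""
    groups = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            groups.setdefault(entry["code"], []).append(entry)
    return groups

# Constructed sample log (placeholder CLSIDs and URLs, not a real scan).
SAMPLE_LOG = r"""Logfile of HijackThis
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://unwanted.example.invalid/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - (no file)
O4 - HKLM\..\Run: [systime] C:\WINDOWS\system32\systime.exe
O16 - DPF: {00000000-0000-0000-0000-000000000002} - http://unknown.example.invalid/object.cab
"""

if __name__ == "__main__":
    for e in (e for es in triage(SAMPLE_LOG).values() for e in es):
        print(e["code"], e["meaning"], "| orphaned:", e["orphaned"])
```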
In order to keep the computer clean and secure:
Spybot S&D, Ad-aware, CWShredder, HijackThis, SpywareBlaster