# how do U read this?



## yehmeriidhain (Feb 22, 2005)

people i wana ask U a very simple question ..how to U read & identify errors in the hijack thing!! 

plzz tell me how U people understand those number things ..with port number & all tht stuff?? 

I'm curious abt it


----------



## swatkat (Feb 22, 2005)

do u mean HijackThis Log file?


----------



## yehmeriidhain (Feb 22, 2005)

Exactly tht Swat .. explain it yaar plzz!


----------



## swatkat (Feb 22, 2005)

well....The first few entries in a HijackThis (HJT) Log file are the *Background Running Processes*. Here u check the files or processes which have suspicious looking names like Expl0rer.exe (has Zero instead of O) or winupdt.exe (Windows doesn't have this file, but the user is tricked by the name) or some random names like sdfrw3345sdf.exe or something. Then we delete those files.

Next, in HJT log u will have entries preceded by R0, R1, R2; these entries list IE Startup Page, Search Page and Default update page. If the Browser is hijacked, these links will be changed to some unknown underground websites or some AD websites. Default entries contain links to msn, microsoft, windowsupdate.microsoft, like that...

Next, u will have entries preceded by F0, F1. These list the Programs that run at Startup. Here also u have to look at the Filenames which are suspicious in nature.

then there r entries preceded by O1, O2, O3 up to O23; all these may not be in a single log file....
Important ones are:-
O2 - Browser Helper Objects (BHO)
O3 - Internet Explorer toolbars (like Google Toolbar)
O4 - Autoloading programs from Registry 
O8 - Extra items in IE right-click menu (Added Context menu items)
O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu  (Added buttons like FlashGet or DAP buttons)
O12 - IE plugins  (Lists all the Plugins of IE installed)
O15 - Unwanted site in Trusted Zone (Trusted Zone ideally lists WindowsUpdate Site, but some Spyware adds sites like Ad-sites, Warez sites etc to it; HJT lists all the sites here)
O16 - ActiveX Objects (aka Downloaded Program Files) (lists all ActiveX components, like Java, Flash plugin and any possible spyware)
O17 - Lop.com domain hijackers (LOP.COM is one Spyware/ADware site, which when infects a system, it places Icons like Poker, Travel, Bingo etc on Desktop and these can not be deleted)

HJT lists ALL entries of the above fields, but we have to filter the bad ones out of these and remove them....

common methods to identify bad things r:-
1]Suspicious looking or random looking filename
2]Non default IE startup/search page.
3]Suspicious DLL files that too residing in Temp folders.
4]AdWare (like IEPlugin, Aureate, Go!zilla etc) based buttons / toolbars in IE.

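As an added illustration of the heuristics swatkat lists (this is not code from the thread or from HijackThis itself), the Python below parses HJT-style entry lines and flags the patterns described above: a non-default R0/R1 page, a DLL living in a Temp folder, a lookalike name such as Expl0rer.exe, and a random-looking name such as sdfrw3345sdf.exe. The sample lines, the default-host list, the known-name list and the randomness thresholds are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed HijackThis-style lines for demonstration; not from any log in the thread.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.msn.com/
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://search.ads-example.test/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\\WINDOWS\\Temp\\sdfrw3345sdf.dll
O4 - HKLM\\..\\Run: [QuickTime Task] "D:\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [Expl0rer] C:\\WINDOWS\\Expl0rer.exe
"""
DEFAULT_HOST_SUFFIXES = ("msn.com", "microsoft.com")  # IE defaults as the thread describes them (assumed list)
KNOWN_NAMES = {"explorer.exe", "svchost.exe", "winlogon.exe"}  # names imitated by Expl0rer.exe-style swaps
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def is_default_url(url):
    host = urlparse(url).hostname or ""
    return any(host == s or host.endswith("." + s) for s in DEFAULT_HOST_SUFFIXES)

def looks_random(filename):
    """Assumed heuristic: long stem mixing several digits and letters, like sdfrw3345sdf.exe."""
    stem = filename.rsplit(".", 1)[0]
    digits = sum(c.isdigit() for c in stem)
    return len(stem) >= 8 and digits >= 3 and len(stem) - digits >= 3

def is_lookalike(filename):
    """True for names that turn into a known system file name after digit-to-letter swaps."""
    low = filename.lower()
    return low not in KNOWN_NAMES and low.translate(LOOKALIKE) in KNOWN_NAMES

def triage_line(line):
    """Return (section, reasons) for one HJT entry line, or None for non-entry lines."""
    m = re.match(r"^([RFO]\d+) - (.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    reasons = []
    if section in ("R0", "R1") and "=" in body:  # start/search page: compare against defaults
        url = body.split("=", 1)[1].strip()
        if url and not is_default_url(url):
            reasons.append("non-default IE start/search page")
    for path in re.findall(r'[A-Za-z]:\\[^"\s]+', body):  # drive-letter paths (cut at a space)
        name = path.rsplit("\\", 1)[-1]
        if "\\temp\\" in path.lower() and name.lower().endswith(".dll"):
            reasons.append("DLL loaded from a Temp folder")
        if is_lookalike(name):
            reasons.append(f"lookalike of a system file name: {name}")
        elif looks_random(name):
            reasons.append(f"random-looking file name: {name}")
    return section, reasons
```

Run `triage_line` over each line of a log and keep the entries whose reason list is non-empty; those are the candidates to check by hand, not an automatic verdict.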

----------



## yehmeriidhain (Feb 22, 2005)

thanks! a lot .. Swat .. i'll try it on my own & will ask further queries if any come!


----------



## Charley (Feb 22, 2005)

yehmeriidhain said:

> people i wana ask U a very simple question ..how to U read & identify errors in the hijack thing!!
> 
> plzz tell me how U people understand those number things ..with port number & all tht stuff??
> 
> I'm curious abt it




swat is the right person, dr.grudge, enoonmai too. i got a lot of probs solved by them....... It's free advice


----------



## tuxfan (Feb 23, 2005)

Cool short tutorial swatkat 

But besides the knowledge about these entries, you even need some more general knowledge about the known viruses, trojans, worms to be able to locate their existence in the log.


----------



## club_pranay (Feb 23, 2005)

Nice info swatkat!


----------



## it_waaznt_me (Feb 23, 2005)

Have a look at this page  too .. 

The new HijackThis (1.99) has the option O23 for Services in WinXP ...


----------



## tuxfan (Feb 24, 2005)

That was a pretty useful link. Thanks.


----------



## hsnayvid (Feb 24, 2005)

Very Informative.

Thanks for the info swatkat.

Thanks yehmeriidhain
for asking for the information.


----------



## yehmeriidhain (Feb 24, 2005)

Thanks! *it_waaznt_me* tht was great! link ..thanks! man!  

Tell me one more thing! ..to which extent this hijack thing is useful!


----------



## enoonmai (Feb 25, 2005)

It's useful to the extent of finding out what processes are currently running on your computer, what processes autoload and what programs are associated with your browser like helper apps, plugins and basically all the stuff that swatkat listed in his post. It cannot help you fix internal Windows problems like corrupted files, startup/boot troubles and pretty much anything outside the browser environment.
And considering that most people are just infected with spyware/viruses, it's dead useful, basically a way of narrowing down the problem.


----------



## yehmeriidhain (Feb 26, 2005)

thanks! enoonmai! great ..


----------



## yehmeriidhain (Feb 27, 2005)

here is my system log .. i didn't find nething! suspicious can U people help me in this .. 



> Logfile of HijackThis v1.99.0
> Scan saved at 8:46:47 PM, on 2/27/2005
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
> ...



Thanks ! in advance!


----------



## swatkat (Feb 28, 2005)

yehmeriidhain said:

> here is my system log .. i didn't find nething! suspicious can U people help me in this ..
> 
> 
> 
> ...



u have NewDotNet hijacker in ur PC....and that O10 entry says that ur WinSock has been hijacked by NewDotNet and u have to fix ur WinSock Layer by using tools like LSPFix or WinSockFix....

First, uninstall this software if u find it in Add/Remove programs:-
1]QuickSearchBar

After this, in HijackThis, Check the red entries above and click Fix.
Then restart in safe mode, and delete the files:-
1]newdotnet3_88.dll
2]QuickSearchBar1_27.dll
and also the folders containing these files....

download LSPFix and run it....
*www.cexx.org/lspfix.htm


----------



## yehmeriidhain (Feb 28, 2005)

hey! Swat! Y did U say newdot is a virus ..or rather Y did U ask me to uninstall it! ... wat is new.net & Y was it suspicious ..... 

plus tht LSPfix can be unstable with Ad-Aware utilities it says .. still i have run it & this is my new log do U still find this suspicious somewhere ??

& this Quicksearch bar .dll might be a file of Quicktime player or sth like tht ..dunt U feel .. Y did ya mark these two dll's as red! 

Can U plzz tell me! thx! a lot for ur help! 


> Logfile of HijackThis v1.99.0
> Scan saved at 8:57:09 AM, on 2/28/2005
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
> ...


----------



## enoonmai (Feb 28, 2005)

NewDotNet is not a virus, it's what is known as "malware", a malicious BHO that downloads and silently executes code from its servers and overrides your system settings without your knowledge or permission. It comes in three variants: 'New.net domains' (B variant), 'FirstLook' (FirstLook variant) and 'QuickSearch Toolbar' (QuickSearch variant). So, you see, QuickSearch toolbar doesn't have anything to do with QuickTime. What NewDotNet does is override the DNS queries for Top Level Domains (TLD) with its own new.net subdomains, so that whenever you type an address/query into the browser address bar, the system sends a query to a DNS server to figure out where it should take you. This BHO makes sure you're only taken to its subdomains. 

NewDotNet uses a Winsock2 Layered Service Provider (LSP) and a Browser Helper Object (BHO) that redirects searches from the browser's address bar to NewDotNet's search engines at qsrch.com and the popup-filled search.findsall.info. It also downloads updates from its controlling server at client.new.tech (aka client.new.tech.new.net) or upgrade.new.tech (upgrade.new.tech.new.net, upgrade.newdotnet.net). 

Now you see why he asked you to remove the entries in red and asked you to run LSPFix. Because it hijacks the LSP, if you carelessly remove it, you run the risk of totally disconnecting yourself from the Internet, since simply put, the Windows Sockets layer (WinSock) is what allows you to connect in the first place to the Internet.

BTW, your new log is clean. Download Spybot S&D and leave its TeaTimer protection turned on at all times.

*www.safer-networking.org/en/download/


----------



## swatkat (Feb 28, 2005)

yeah...enoonmai has told u everything...NewDotNet is an Adware/Malware....and QuickSearchBar is affiliated to it....
now ur log is clean!!!


----------



## yehmeriidhain (Feb 28, 2005)

Thanks! a lot mates!   

 Cheers! for my system's clear log .. he hee!


----------



## yehmeriidhain (Mar 1, 2005)

here is one more! log of my frd i did some work although but still advice me again .. if U dunt mind :roll: ....


> Logfile of HijackThis v1.99.0
> Scan saved at 2:46:33 PM, on 3/1/2005
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
> ...



Am I correct this time or wrong again somewhere? :roll:


----------



## enoonmai (Mar 1, 2005)

Yes, you've identified the spyware, now all you have to do is fix it. There you go, that wasn't so difficult now, was it?

And BTW, this isn't really malicious or spyware

O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime 

All you have to do is go to the QuickTime preferences in the Control Panel and uncheck the "Show icon in the taskbar" or go to regedit and 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
and delete the qttask.exe entry.


----------



## yehmeriidhain (Mar 1, 2005)

Thanks! *enoonmai* yep! tht was easy i suppose :roll: i'll do wat U have said! thanks! a lot mate! 

now for my accuracy one more computer's log .. this might be my last learning step bcz it looked complex to me .....   



> Logfile of HijackThis v1.99.0
> Scan saved at 6:51:15 PM, on 3/1/2005
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
> ...



can U do it one last time ??


----------



## swatkat (Mar 2, 2005)

u left this one, related to 180SearchAssistant!


> C:\program files\winsys180\saap.exe
> O3 - Toolbar: (no name) - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - (no file)



and u marked these legit ones as bad:-


> O4 - HKLM\..\Run: [NuTCSetupEnviron] C:\PROGRA~1\RATIONAL\RATION~1\NUTCROOT\bin\ncoeenv.exe *(this is related to NutCracker Software)*
> 
> O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - *software-dl.real.com/22544ea5c0daf79da420/netzip/RdxIE601.cab....(*Real Player Web)*
> 
> ...



hey....u can get info abt files unknown or suspicious to u here....
*www.iamnotageek.com/a/file_info.php


----------



## yehmeriidhain (Mar 2, 2005)

Thanks! mate .. Swat !! .. although i marked red entry specified by U as red .. check it  

newayzz thanks! a lot mates! .... this failure gives me one more assignment to finish accurately .. 

People U have to do it once again! sorry! for the inconvenience! :roll:


----------



## vijaythefool (Mar 2, 2005)

What does swat cat do ! He appears a better lecturer than mine at the college ! THX for the detailed info .


----------



## yehmeriidhain (Mar 2, 2005)

People U have helped me a lot ... till now .. just verify me this last time ... 



> Logfile of HijackThis v1.99.0
> Scan saved at 9:54:40 PM, on 3/1/2005
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
> ...




can U help me once again .. this probably is my final attempt ... to this hijack thing! .. plz ?


----------



## yehmeriidhain (Mar 2, 2005)

& Swat wat's ur Yahoo! id ... ??


----------



## swatkat (Mar 2, 2005)

yehmeriidhain said:

> People U have helped me a lot ... till now .. just verify me this last time ...
> 
> 
> 
> ...


no probs abt helping  ....

this comp is having a lot of pests!!!!!
here *blue* are bad ones u left!!!!!
and u also indicated some good processes like QuickTime and Real Updater as bad ones....


u can get good info abt Spywares/Adwares/Viruses/Worms here....
*www3.ca.com/securityadvisor/pest/


----------



## yehmeriidhain (Mar 2, 2005)

Thanks! Swat again! ..


----------

