
Questions About Hijackthis Log


This topic is locked
2 replies to this topic

#1 Jove

  • Members
  • 2,739 posts
  • Gender:Male
  • Location:Very South Jersey

Posted 15 August 2008 - 03:06 PM

I have completed a scan using Trend Micro HJT. I wanted to see what the log looked like and see if it made references to infected files, as I believe I have seen in others' logs at BC.

I do not see any references to infected or not infected. Shouldn't I at least see the words "not infected"?

I don't see any of the "%" references that are displayed at the Trend site.

There is no "other stuff" in the HJT log; it looks pertinent, so how come it isn't there?

Concerning the log, i.e.:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:27 PM, on 8/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Info on selected items;
R1-HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=
http://go.microsoft.com/fwink/?LinkId=54896

Detailed Information on item R1:

A Registry value that has been created and is not present in a default Windows install nor needed, possibly resulting in a changed IE Search Page or
Search Assistant.

(Action taken:Registry value deleted.)


Does this mean that Trend HJT actually made a change and deleted this program? Key? Value?


Also please tell me . . . .

Concerning Other Stuff, i.e.:


* Trend Micro HijackThis v2.0.2 *


See bottom for version history.

The different sections of hijacking possibilities have been separated into the following groups.
You can get more detailed information about an item by selecting it from the list of found items OR highlighting the relevant line below, and clicking 'Info on selected item'.

R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
F2 - Changed inifile value, mapped to Registry
F3 - Created inifile value, mapped to Registry
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols and filters
O19 - User stylesheet hijack
O20 - AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
O22 - SharedTaskScheduler autorun Registry key
O23 - Enumeration of NT Services
O24 - Enumeration of ActiveX Desktop Components

Command-line parameters:
* /autolog - automatically scan the system, save a logfile and open it
* /ihatewhitelists - ignore all internal whitelists
* /uninstall - remove all HijackThis Registry entries, backups and quit
* /silentautolog - the same as /autolog, except with no required user intervention

* Version history *

[v2.00.0]
* AnalyzeThis added for log file statistics
* Recognizes Windows Vista and IE7
* Fixed a few bugs in the O23 method
* Fixed a bug in the O22 method (SharedTaskScheduler)
* Did a few tweaks on the log format
* Fixed and improved ADS Spy
* Improved Itty Bitty Procman (processes are frozen before they are killed)
* Added listing of O4 autoruns from other users
* Added listing of the Policies Run items in O4 method, used by SmitFraud trojan
* Added /silentautolog parameter for system admins
* Added /deleteonreboot [file] parameter for system admins
* Added O24 - ActiveX Desktop Components enumeration
* Added Enhanced Security Configuration (ESC) Zones to O15 Trusted Sites check
[v1.99.1]


Are these changes and fixes that Trend actually performed?

When you don't have to worry about your computer anymore, you can start
living again !

Success is a result, not a goal. . . . Flaubert




#2 Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 30 August 2008 - 08:34 PM

Hi :thumbsup:

> I have completed a scan using Trend Micro HJT. I wanted to see what the log looked like and see if it made references to infected files, as I believe I have seen in others' logs at BC.

Please post your complete HijackThis log and explain what you mean by references to infected files.
DON'T fix anything yet!

> I do not see any references to infected or not infected. Shouldn't I at least see the words "not infected"?

HijackThis does have an internal "whitelist" of known safe entries, created from a clean, fresh install of Windows. However, it does not point out or flag "safe" or "not safe" entries in the log.
It simply shows what is different from a clean install.
It is people like us who determine what is safe/needed/not needed/bad and how it will be dealt with.
HijackThis cannot tell you what is good or bad. It only tells you what it sees as "different".
It takes research and experience/knowledge to determine what is safe/not safe and how to deal with it if bad.

> I don't see any of the "%" references that are displayed at the Trend site.

Please explain.

> There is no "other stuff" in the HJT log; it looks pertinent, so how come it isn't there?

Please explain.

> Info on selected items;
> R1-HKCU\Software\Microsoft\Internet Explorer\Main,Search Page=
> http://go.microsoft.com/fwink/?LinkId=54896
>
> Detailed Information on item R1:
>
> A Registry value that has been created and is not present in a default Windows install nor needed, possibly resulting in a changed IE Search Page or
> Search Assistant.
>
> (Action taken:Registry value deleted.)
>
> Does this mean that Trend HJT actually made a change and deleted this program? Key? Value?

Only if you checkmarked that line and clicked "fix checked".
Otherwise, HijackThis makes no changes to the system other than creating a log if you tell it to, and creating a couple of registry entries to tell Windows where HijackThis is located.

> The different sections of hijacking possibilities have been separated into the following groups.
> You can get more detailed information about an item by selecting it from the list of found items OR highlighting the relevant line below, and clicking 'Info on selected item'.
> ....
> .....
> and so on....

> Are these changes and fixes that Trend actually performed?

It only makes changes if you tell it to.
The "version history" is what updates were made to the app to show more info in the log.

Thanks :)
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware
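The two technical points in this thread, the section taxonomy (R0/R1/O4/O23 and so on) in the help text Jove pasted, and Blender's point that HijackThis only lists what differs from a clean install and never labels an entry good or bad, put into working code as an added example. This is not code from HijackThis, Trend Micro or either poster. It parses log lines in the shapes the thread shows, tags each with its section meaning, and separates lines an analyst has already vetted from lines that still need a human decision. The whitelist, the sample log lines and the search URL in it are constructed for illustration and are not a real clean-install baseline.

```python
"""Triage of HijackThis-style log lines (added example, not HJT code).

Parses "R1 - key,value=data" and "O4 - hive\\..\\Run: [name] cmd" style lines,
labels each with the section meaning from HJT's help text, and splits them
into vetted (whitelisted) entries and entries a human still has to judge.
The whitelist and sample log below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Section codes and meanings, taken from the HJT help text pasted in post #1.
SECTION_MEANING = {
    "R0": "Changed registry value",
    "R1": "Created registry value",
    "R2": "Created registry key",
    "R3": "Created extra registry value where only one should be",
    "O2": "Enumeration of existing MSIE BHO's",
    "O4": "Enumeration of suspicious autoloading Registry entries",
    "O20": "AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys",
    "O23": "Enumeration of NT Services",
}

# Item line: code, dash, body. Tolerates the "R1-HKCU" spacing seen in the thread.
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2})\s*-\s*(?P<body>.+)$")
# O4 body: "HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe"
O4_RE = re.compile(r"^HK\w+\\\.\.\\[^:]+: \[[^\]]*\] (?P<cmd>.+)$")

# Constructed (hypothetical) whitelist of exact bodies an analyst has vetted.
# A real baseline must come from a clean install of the same OS and IE version.
WHITELIST: dict[str, set[str]] = {
    "O4": {r"HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe"},
    "O23": {r"Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe"},
}


@dataclass(frozen=True)
class Entry:
    code: str          # section code, e.g. "O4"
    body: str          # everything after the code
    meaning: str       # section meaning from the help text, or "unknown section"
    whitelisted: bool  # True only if the exact body is on the vetted list


def parse_log(text: str) -> list[Entry]:
    """One Entry per item line; header lines (Logfile of..., Platform:...) are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        meaning = SECTION_MEANING.get(code, "unknown section")
        entries.append(Entry(code, body, meaning, body in WHITELIST.get(code, set())))
    return entries


def needs_review(entries: list[Entry]) -> list[Entry]:
    """Everything not on the whitelist. 'Not whitelisted' means unknown, not bad."""
    return [e for e in entries if not e.whitelisted]


def autorun_path(entry: Entry) -> str | None:
    """For an O4 line, the command that autostarts: the file to locate and hash next."""
    if entry.code != "O4":
        return None
    m = O4_RE.match(entry.body)
    return m.group("cmd") if m else None


def report(entries: list[Entry]) -> list[str]:
    """Human-readable triage lines; nothing here modifies the system."""
    lines = []
    for e in entries:
        status = "vetted" if e.whitelisted else "REVIEW"
        cmd = autorun_path(e)
        extra = f"  -> check file: {cmd}" if cmd else ""
        lines.append(f"{e.code:<4}{status:<8}{e.meaning}: {e.body}{extra}")
    return lines


# Constructed sample log in HJT's line shapes (not the poster's real log).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example/?q=
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\updtr.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe
"""

if __name__ == "__main__":
    for line in report(parse_log(SAMPLE_LOG)):
        print(line)
```

The whitelist is matched on the exact body string rather than a substring, so an autorun pointing at a lookalike path is never silently treated as vetted; and, like HJT itself, the script only reads and reports, leaving the decision and any "fix" to the person reviewing the log.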

#3 Blender

    I will eat your Malware

  • Malware Response Team
  • 2,363 posts
  • Location:Ontario

Posted 07 September 2008 - 06:12 PM

Due to lack of feedback, this topic is closed.

If you still require assistance please PM me or a moderator with a link to your topic.

All others please begin new topic.

Thank you

Blender



