Friday, September 19, 2014

How to analyze HijackThis Logs

O17 - Lop.com domain hijacking


How it looks:
O17 - HKLM \ System \ CCS \ Services \ VxD \ MSTCP: Domain = aoldsl.net
O17 - HKLM \ System \ CCS \ Services \ Tcpip \ Parameters: Domain = W21944.find-quick.com
O17 - HKLM \ Software \ .. \ Telephony: DomainName = W21944.find-quick.com
O17 - HKLM \ System \ CCS \ Services \ Tcpip \ .. \ {} D196AB38-4D1F-45C1-9108-46D367F19F7E: Domain = W21944.find-quick.com
O17 - HKLM \ System \ CS1 \ Services \ Tcpip \ Parameters: list = gla.ac.uk
O17 - HKLM \ System \ CS1 \ Services \ VxD \ MSTCP: Name Server = 69.57.146.14,69.57.147.175

What to do:
If the domain is not to fix the network of your Internet service provider or organization. The same applies to the entries in the "search list. For the" Name Server "(DNS) and search, Google will see the IP address or IP address, and be easy if they are good or bad.

O18 - Extra protocols and protocol hijackers


How it looks:
O18 - Protocol: Related - 5AB65DD4-01FB-44D5-9537-3767AB80F790 {} - C: \ Progra ~ 1 \ COMMON ~ 1 \ MSIETS \ msielink.dll
O18 - Protocol: TMH - {d7b95390-b1c5-11d0-b111-0080c712fe82}
O18 - Protocol hijack: http - {66993893-61B8-47DC-AB10d 21E0C86DD9C8}

What to do:
Only kidnappers are displayed here. It is known bad 'cn' (common) (Lop.com) and "'AYB' Related (huntbar), you should have to fix it. Others things that happen or not yet confirmed safe, or diverted (eg CLSID changed by spyware In the latter case, to fix)..

O19 - User stylesheet hijack


How it looks:
O19 - User stylesheet: C: \ WINDOWS \ Java \ my.css

What to do:
In the event of a slowdown in the pop-ups and browser-Fix often have this option if it appears in the newspaper. How CoolWebSearch do this, it is best to use CWShredder to fix it.

O20 - AppInit_DLLs Autorun registry value


How it looks:
O20 - AppInit_DLLs: msconfd.dll

What to do:
This registry value under HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows NT \ CurrentVersion \ Windows loads a DLL file in the memory when the user logs in, after which it is held until logoff. Very few legitimate programs (Norton CleanSweep used apitrap.dll), mostly used by trojans or hacker aggressive browser.

In the case of a load DLL "hidden" this registry value (only visible when the regedit "edit binary data" is used) DLL names are preceded by a pipe '|' to be visible in the log.

O21 - Shell


How it looks:
O21 - SSODL - AUHOOK - {11566B38-955B-4549-930F-7B7482668782} - C: \ Windows \ System \ auhook.dll

What to do:
This is a method undocumented startup usually used by some Windows system components. The products listed in HKEY_LOCAL_MACHINE \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer Shell will be loaded when Windows starts. HijackThis uses a whitelist of several very common SSODL elements, so that if an item is displayed in the log, is unknown and possibly malicious. Be handled with care.

O22 - Shared


How it looks:
O22 - Shared: (no name) - {-3F143C3A 1457-6CCA-03A7-7AA23B61E40F} - C: \ WINDOWS \ system32 \ mtwirl32.dll

What to do:
This is an undocumented autostart for Windows NT / 2000 / XP, which is very rarely used. So far only CWS.Smartfinder have used. Handle with care.

O23 - Service NT


How it looks:
O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C: \ Program Files \ Kerio \ Personal Firewall \ persfw.exe

What to do:
This is the list of services that are not Microsoft. The list must be the same as shown in Windows XP in the MSConfig utility. Several Trojan kidnappers using a delivery service adittion other start-ups to relocate. The full name is usually important, so study "Network Security Service", "Workstation Service Logon" or "Remote Procedure Call Helper", but the internal name (in parentheses) is a chain of garbage as "City". The second part of the line is the owner of the file at the end, as seen in the file properties.

Note that the setting of an element O23 just stop and disable services. The service must be removed from the registry manually or with another tool. In HijackThis 1.99.1 or higher, NT Service Delete "in the Tools section" Anything can be used for it.

No comments:

Post a Comment