Presentation is loading. Please wait.

Presentation is loading. Please wait.

HijackThis - A general Homepage Hijacker Detector and Removal Tool By: Tahira Farid 60-564 Project 1 Fall 2004.

Published byPearl Perkins Modified over 8 years ago

Similar presentations

Presentation on theme: "HijackThis - A general Homepage Hijacker Detector and Removal Tool By: Tahira Farid 60-564 Project 1 Fall 2004."— Presentation transcript:

1 HijackThis - A general Homepage Hijacker Detector and Removal Tool By: Tahira Farid 60-564 Project 1 Fall 2004

2 Overview Browser Hijacking and Why The Techniques Preventing a Hijack HijackThis- A Hijack Removal Tool Download Information Getting around with the tool

3 Overview (cont.) Testing Summary Important things learnt Useful Links References

4 What is Browser Hijacking? Where browser’s default settings is forcibly modified by using scripting tools Spyware takes over our internet settings, Redirects our searches and steals our homepage adding links to favourites changing homepage persistently - scripting - changing registry values - auto-running programs - secret files put on the hard disk

5 Why Hijacking? Bring us back to a website or a sponsor’s site of Hijacker’s choice Generate advertising revenues Keep users trapped in their sites Expand website’s traffic Is it Reversible? - as easy as to switch the internet options back -as crucial as to undo the changes by going to windows registry

6 The Techniques Multiple Windows pop-ups while leaving the site Windows half off screen hard to close and allows no control Offering “freebies” in their sites Installing AOL software, messenger, ICQ adds http://free.aol.com to IE’s trusted sites zone without our permission-can download activeX, run scripts, perform various actions. http://free.aol.com Removing internet options from tool menu and control panel Changing reg settings to reset homepage Installing program to reset homepage on reboot

7 Preventing Hijack Various anti-hijacking and anti-virus tools available. HijackThis- utility tool to remove browser hijacks, viruses, trojans & spyware Does not target specific prog./URLs Targets methods used by hijackers

8 HijackThis Developed by Marijn Freeware 178 KB latest version: 1.98.2 Intended for advanced users Increasingly updated to detect & remove new hijacks Runs on all windows OS

9 Download Info & caution http://www.spychecker.com/program/hijackthis.html Required to place it in its own folder otherwise backups will not be made. Recommended to be used after running spybot or spyware/hijacker remover- malware files will be left behind. Requires knowledge in windows and OS in general. If deleted entries without knowing- problems as IE not working, running windows.

10 Caution(cont) Scans registry and various files in HD. Entries similar to what a spyware/hijacker program would leave behind Interpreting the results can be tricky. Legitimate programs get installed in similar way hijackers get installed. Extra causion should be taken fixing a problem.

11 Getting started Go to the desired folder where hijackthis was created from zip unpack. Double click on hijackthis.exe

12 Scan results Each line starts with a section name

13 Info on selected items To know info about a selected obj

14 Fix entries Select an item to fix/remove

15 Restoring items deleted mistakenly We can make backup & restore items for erroneous scenarios for items which were removed but legitimate. Under config button

16 Generating startup listing Has a built-in tool to generate listing of all the prog that launch when comp starts. Under config, Misc tools option.

17 Process Manager Built-in tool to 1)Kill processes that are currently running 2)Check what DLLs are loaded in a particular process Under config, Misc tools option

18 Process Manager (cont.)

19 Hosts File Manager View our host file, Delete lines Toggle lines on/off HijackThis will add a “#” sign before the line to comment it out so that it will not be used by Windows.

20 Delete on reboot Sometimes files obstinately reject to get deleted from the system by any traditions means. Could be virus/ spyware HijackThis allows windows to delete the file on reboot.

21 HijackThis log Each line on the scan list starts with a section name Each entry has a 2-letter code to say what it is.

22 Testing Windows XP SP2 Running spybot S&D, ad-aware Specific problem in IE: always redirects to http://213.159.117.134/index.php http://213.159.117.134/index.php Even using spybot S&D, AboutBuster, Spywareblaster, Ad-aware problem was still there Following entries were deleted after scan: O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF- 000874180BB3} - (no file) 02 entries refers to BHO- plugins for browser that extend the functionality of it. Used by spyware & legitimate programs. CLSID refers to reg. entries that contains info about BHO/toolbars. This particular entry means the entry exists in the registry but the associated file does not exist. Therefore cleaned to tidy up the registry.

23 Testing (cont.) R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php http://213.159.117.134/index.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php http://213.159.117.134/index.php R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php http://213.159.117.134/index.php R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php http://213.159.117.134/index.php R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php http://213.159.117.134/index.php R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php http://213.159.117.134/index.php R0,R1 entries refer to IE start page & search functions. The url R0, R1 are pointing to is unwanted. Therefore cleaned to get rid of it.

24 Testing (cont.) O4 - HKLM\..\Run: [SysTime]  startup item C:\WINDOWS\system32\systime.exe  Trojan downloaded O4 - HKCU\..\Run: [SysTime] C:\WINDOWS\system32\systime.exe 04 entries refer to app that are listed in certain keys in reg/startup folders and are loaded automatically when windows starts. Here 04 entry shows a CoolWebSearch Trojan. Therefore fixed by HijackThis. The corresponding file C:\WINDOWS\system32\systime.exe was deleted by running windows on safe mode after fixing with HijackThis.

25 Testing (cont.) O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php...edceabcca450006 http://public.windupdates.com/get_file.php...edceabcca450006 016 entries refer to ActiveX obj-programs that are downloaded from websites and stored in our computer. Also referenced in the reg by their CLSID. Here the object/URL could not be recognized from where it was downloaded. Therefore cleaned by HijackThis. HijackThis also deletes the offending file from C:\Windows\Downloaded Program Files- where the these types of objects are stored.

26 Testing (cont.) Booting with safe mode following file was deleted C:\WINDOWS\system32\systime.exe Temp internet files were deleted System rebooted normally, Ad-aware was run to do some more cleanup. No bad entries were found in the new log.

27 Summary HijackThis is a very powerful tool to root out serious infestation or attack in our system. we should be cautious enough, since incorrectly removing inappropriate objects can cause problems with legitimate programs and compromise our system. Many online forums & tutorials for inspecting logfiles. Useful links available for CLSID, startup lists. we need a great deal of devotion, commitment and knowledge towards our system security. HijackThis by itself can not make our system secure from Hijackers, we need other relevant tools as well to detect and remove spyware and viruses.

28 Important things learnt In order to keep computer clean and secure: Make our Internet Explorer more secure by customizing security options. Use an AntiVirus Software Use Spyware & Malware remover utility tools Spybot S&D, Ad-aware, CWShredder, HijackThis, SpywareBluster Update our AntiVirus Software Use a Firewall Visit Microsoft's Windows Update Site Frequently Update all these programs regularly

29 Useful links HijackThis log file analysis: http://www.hijackthis.de/index.php?langselect=english TonyK's Browser Helper Obj (BHO) & Toolbar list: http://www.sysinfo.org/bholist.php PacMan's Start-up list to find the entry and see if it's good or bad. http://www.sysinfo.org/bholist.php

30 References http://www.spywareinfo.com/%7Emerijn/htlogtutorial. html http://www.spywareinfo.com/%7Emerijn/htlogtutorial. html http://www.bleepingcomputer.com/forums/index.php ?showtutorial=42#RDiag http://www.bleepingcomputer.com/forums/index.php ?showtutorial=42#RDiag

31 Thank You!

Download ppt "HijackThis - A general Homepage Hijacker Detector and Removal Tool By: Tahira Farid 60-564 Project 1 Fall 2004."

Similar presentations

The Web Wizards Guide to Freeware/Shareware Chapter Two Downloading and Installing Software.

The Web Wizards Guide to Freeware/Shareware Chapter Two Downloading and Installing Software.
®® Microsoft Windows 7 for Power Users Tutorial 7 Enhancing Your Computers Security.

®® Microsoft Windows 7 for Power Users Tutorial 7 Enhancing Your Computers Security.
What is Spyware? Where did it come from?.

What is Spyware? Where did it come from?.
Computer Basics Hit List of Items to Talk About ● What and when to use left, right, middle, double and triple click? What and when to use left, right,

Computer Basics Hit List of Items to Talk About ● What and when to use left, right, middle, double and triple click? What and when to use left, right,
Internet Safety Topic 2 Malware This presentation by Tim Fraser Malware is short for malicious software VirusesViruses SpywareSpyware AdwareAdware other.

Internet Safety Topic 2 Malware This presentation by Tim Fraser Malware is short for malicious software VirusesViruses SpywareSpyware AdwareAdware other.
What is a Firewall Anyway?

What is a Firewall Anyway?
NetAcumen ActiveX Download Instructions

NetAcumen ActiveX Download Instructions
Computer Referbishment The Demonstration. To Do… Virus Protection Schedule A Full System Scan Install Service Pack 3 Clean Up Tools Drive Formatting Install.

Computer Referbishment The Demonstration. To Do… Virus Protection Schedule A Full System Scan Install Service Pack 3 Clean Up Tools Drive Formatting Install.
Chapter 8 Damage Control How to remove viruses and spyware infections.

Chapter 8 Damage Control How to remove viruses and spyware infections.
Symantec AntiVirus Update Mark Reynolds Manager of Support Services Technology Support Services Michael Satut Manager of Distributed Support Services Technology.

Symantec AntiVirus Update Mark Reynolds Manager of Support Services Technology Support Services Michael Satut Manager of Distributed Support Services Technology.
What is spyware? Supervisor dr. lo’ay tawalbeh Search By Mahmoud al-ashram Soufyan al-qblawe.

What is spyware? Supervisor dr. lo’ay tawalbeh Search By Mahmoud al-ashram Soufyan al-qblawe.
Patricia O’Brien30 June 2015 Housekeeping your PC Training Session for XP and VISTA.

Patricia O’Brien30 June 2015 Housekeeping your PC Training Session for XP and VISTA.
Spring 2008 www.umsl.edu/~iclabs. Definitions  Virus  A virus is a piece of computer code that attaches itself to a program or file so it can spread.

Spring Definitions  Virus  A virus is a piece of computer code that attaches itself to a program or file so it can spread.
Week:#14 Windows Recovery

Week:#14 Windows Recovery
MS System Setup Securing A System. Use Automatic Updates For a workstation or server, schedule the updates to occur regularly. –Control panel click on.

MS System Setup Securing A System. Use Automatic Updates For a workstation or server, schedule the updates to occur regularly. –Control panel click on.
Spyware & Internet Security

Spyware & Internet Security
Physical Cleaning Disconnect Power Open the Case.

Physical Cleaning Disconnect Power Open the Case.
Utility Programs  A type of system software that is used to solve a particular problem is called utility program. Many operating system provides different.

Utility Programs  A type of system software that is used to solve a particular problem is called utility program. Many operating system provides different.
Use my floppy disk. 1. copy short cut to desktop. 2.run NoAdHOSTS.exe 3. Surf without ad’s. 4.to reverse everything -edit out all url s you want to return.

Use my floppy disk. 1. copy short cut to desktop. 2.run NoAdHOSTS.exe 3. Surf without ad’s. 4.to reverse everything -edit out all url s you want to return.
PASSWORD MANAGEMENT MADE EASY A Project Play Date - September 26, 2008 Beth Carpenter, Library Services Manager, Outagamie Waupaca Library System.

PASSWORD MANAGEMENT MADE EASY A Project Play Date - September 26, 2008 Beth Carpenter, Library Services Manager, Outagamie Waupaca Library System.

Similar presentations

Ads by Google