how do U read this?

Status
Not open for further replies.

yehmeriidhain

In the zone
people i wana ask U a very simple question .. how do U read & identify errors in the hijack thing!!

plzz tell me how U people understand those number things ..with port number & all tht stuff??

I'm curious abt it :twisted:
 

swatkat

Technomancer
well....First few entries in HijackThis (HJT) Log file are the Background Running Processes. Here u check the files or processes which have suspicious looking names like Expl0rer.ex (has Zero instead of O) or winupdt.exe (windows doesn't have this file, but the user is tricked by the name) or some random names like sdfrw3345sdf.exe or something. Then we have to delete those files.

Next, in HJT log u will have entries preceded by R0, R1, R2, these entries list IE Startup Page, Search Page and Default update page. If the Browser is hijacked, these links will be changed to some unknown underground websites or some AD websites. Default entries contain links to msn, microsoft, windowsupdate.microsoft like that...

Next, u will have entries preceded by F0, F1, These list the Programs that run at Startup. Here also u have to look at the Filenames which are suspicious in nature.

then there r entries preceded by o1, o2, o3 up to o23, all these may not be in a single log file....
Important ones are:-
O2 - Browser Helper Objects (BHO)
O3 - Internet Explorer toolbars (like Google Toolbar)
O4 - Autoloading programs from Registry
O8 - Extra items in IE right-click menu (Added Context menu items)
O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu (Added buttons like FlashGet or DAP buttons)
O12 - IE plugins (Lists all the Plugins of IE installed)
O15 - Unwanted site in Trusted Zone (Trusted Zone ideally lists WindowsUpdate Site, but some Spyware adds sites like Ad-sites, Warez site etc to it, HJT list all the sites here)
O16 - ActiveX Objects (aka Downloaded Program Files) (lists all ActiveX components, like Java, Flash plugin and any possible spyware)
O17 - Lop.com domain hijackers (LOP.COM is one Spyware/ADware site, which when infects a system, it places Icons like Poker, Travel, Bingo etc on Desktop and these can not be deleted)

HJT lists ALL entries of above fields, but we have to filter out the bad ones out of these and remove them....

common methods to identify bad things r:-
1]Suspicious looking or random looking filename
2]Non default IE startup/search page.
3]Suspicious DLL files that too residing in Temp folders.
4]AdWare (like IEPlugin, Aureate, Go!zilla etc) based buttons / toolbars in IE.
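As an added example (not code from the thread or from HijackThis itself), the rules above turned into a small triage script: it splits a HJT log into the Running-processes block and the R/F/O numbered entries, then applies the look-alike, random-name, Temp-folder, non-default IE page, O10/O15/O17 and known-adware checks to each line. The sample log is constructed for the example; the `.test` domains and the Temp-folder entry are made up, and the watch list only contains names this thread mentions.

```python
import re

ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")   # R0-R3, F0-F3, O1-O23 entries
FILE_RE = re.compile(r"([\w~\-.]+)\.(?:exe|dll)\b", re.I)          # filename stems in a path
KNOWN_BAD = ("newdotnet", "new.net", "quicksearch", "aureate", "go!zilla", "ieplugin")  # named in thread
SYSTEM_NAMES = {"explorer", "svchost", "winlogon", "lsass", "services", "smss", "spoolsv", "csrss"}

def suspicious_file(text):
    """Reason why a filename in a log line looks wrong (swatkat's rules 1 and 3), or None."""
    for stem in FILE_RE.findall(text):
        low = stem.lower()
        if low not in SYSTEM_NAMES and low.replace("0", "o").replace("1", "l") in SYSTEM_NAMES:
            return f"look-alike of a system binary: {stem}"          # Expl0rer.exe style
        if len(low) >= 10 and re.search(r"[a-z]{2,}\d{2,}[a-z]{2,}", low):
            return f"random-looking name: {stem}"                    # sdfrw3345sdf.exe style
    if re.search(r"\\temp\\", text, re.I):
        return "executable or DLL living in a Temp folder"

def triage(log_text):
    """Return [(section, reason, line)] for every HJT entry that deserves a second look."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        m = ENTRY_RE.match(line)
        sec, body = (m["sec"], m["body"]) if m else ("proc", line)   # "proc" = Running processes path
        low = body.lower()
        if sec == "proc":
            reason = suspicious_file(body)
        elif sec in ("R0", "R1") and ("start page" in low or "search page" in low):
            reason = None if any(d in low for d in ("msn.com", "microsoft.com")) else "non-default IE page"
        elif sec == "O10":
            reason = "Winsock LSP hijacked: repair with LSPFix, do not just delete the file"
        elif sec == "O15":
            reason = None if "windowsupdate" in low else "unexpected site in Trusted Zone"
        elif sec == "O17" and "lop.com" in low:
            reason = "Lop.com domain hijacker"
        elif any(bad in low for bad in KNOWN_BAD):
            reason = "known adware/hijacker component"
        else:
            reason = suspicious_file(body)
        if reason:
            findings.append((sec, reason, line))
    return findings

# Constructed sample in HJT 1.99 format: two lines from the thread's log plus made-up bad ones.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\Expl0rer.exe
C:\WINDOWS\system32\sdfrw3345sdf.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example-hijack.test/
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [svc] C:\DOCUME~1\user\LOCALS~1\Temp\xk42vq.exe
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.adserver.example-adsite.test
"""
```

Running `triage(SAMPLE_LOG)` flags everything except the NvCplDaemon entry; the script is a first pass only, and anything it flags still needs the manual look-up the posts below describe.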
 

Charley

Just Do It
yehmeriidhain said:
people i wana ask U a very simple question .. how do U read & identify errors in the hijack thing!!

plzz tell me how U people understand those number things ..with port number & all tht stuff??

I'm curious abt it :twisted:


swat is the right person, dr.grudge, enoonmai too. i got a lot of probs solved by them....... It's free advice


:lol:
 

tuxfan

Technomancer
Cool short tutorial swatkat :)

But besides the knowledge about these entries, you even need some more general knowledge about the known viruses, trojans, worms to be able to locate their existence in the log.
 

it_waaznt_me

Coming back to life ..
Have a look at this page too ..

The new HijackThis (1.99) has the option O23 for Services in WinXP ...
 

enoonmai

Cyborg Agent
It's useful to the extent of finding out what processes are currently running on your computer, what processes autoload and what programs are associated with your browser like helper apps, plugins and basically all the stuff that swatkat listed in his post. It cannot help you fix internal Windows problems like corrupted files, startup/boot troubles and pretty much anything outside the browser environment.
And considering that most people are just infected with spyware/viruses, it's dead useful, basically a way of narrowing down the problem.
 

yehmeriidhain

In the zone
here is my system log .. i didn't find nething! suspicious can U people help me in this ..

Logfile of HijackThis v1.99.0
Scan saved at 8:46:47 PM, on 2/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
E:\Set Ups\Yz Dock\YzDock.exe
C:\Program Files\foobar2000\foobar2000.exe
E:\Set Ups\buddy\BuddyOnlineCheckerV2.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCCLIENT.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCGUIDE.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\POP3TRAP.EXE
E:\Set Ups\buddy\BuddyOnlineCheckerV2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
E:\Set Ups\Softwares\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Upcoming Storm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = *www.iiita.ac.in/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.31.1.1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll
O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O17 - HKLM\System\CCS\Services\Tcpip\..\{17A4555B-650A-45C5-9EEA-814BD4A62437}: NameServer = 172.31.1.30
O17 - HKLM\System\CS1\Services\Tcpip\..\{17A4555B-650A-45C5-9EEA-814BD4A62437}: NameServer = 172.31.1.30
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

Thanks ! in advance! :D
 

swatkat

Technomancer
yehmeriidhain said:
here is my system log .. i didn't find nething! suspicious can U people help me in this ..

Logfile of HijackThis v1.99.0
Scan saved at 8:46:47 PM, on 2/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
E:\Set Ups\Yz Dock\YzDock.exe
C:\Program Files\foobar2000\foobar2000.exe
E:\Set Ups\buddy\BuddyOnlineCheckerV2.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCCLIENT.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCGUIDE.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\POP3TRAP.EXE
E:\Set Ups\buddy\BuddyOnlineCheckerV2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
E:\Set Ups\Softwares\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Upcoming Storm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = *www.iiita.ac.in/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.31.1.1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet3_88.dll
O2 - BHO: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll
O3 - Toolbar: QuickSearch Search Bar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar1_27.dll

O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net

O17 - HKLM\System\CCS\Services\Tcpip\..\{17A4555B-650A-45C5-9EEA-814BD4A62437}: NameServer = 172.31.1.30
O17 - HKLM\System\CS1\Services\Tcpip\..\{17A4555B-650A-45C5-9EEA-814BD4A62437}: NameServer = 172.31.1.30
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

Thanks ! in advance! :D

u have NewDotNet hijacker in ur PC....and that O10 entry says that ur WinSock has been hijacked by NewDotNet and u have to fix ur WinSock Layer by using tools like LSPFix or WinSockFix....

First, uninstall these softwares if u find them in Add/Remove programs:-
1]QuickSearchBar

After this, in HijackThis, Check the red entries above and click Fix.
Then restart in safe mode, and delete the files:-
1]newdotnet3_88.dll
2]QuickSearchBar1_27.dll
and also the folders containing these files....

download LSPFix and run it....
*www.cexx.org/lspfix.htm
 

yehmeriidhain

In the zone
hey! Swat! Y did U say newdot is a virus .. or either Y did U ask me to uninstall it! ... wat is new.net & Y was it suspicious .....

plus tht LSPfix can be unstable with Ad-Aware utilities it says .. still i have run it & this is my new log do U still find this suspicious somewhere ??

& this Quicksearch bar .dll might be a file of Quicktime player or sth like tht .. dunt U feel .. Y did ya mark these two dll's as red!

Can U plzz tell me! thx! a lot for ur help! :D
Logfile of HijackThis v1.99.0
Scan saved at 8:57:09 AM, on 2/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
E:\Set Ups\Yz Dock\YzDock.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCCLIENT.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCGUIDE.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\POP3TRAP.EXE
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\Set Ups\Softwares\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Upcoming Storm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = *www.iiita.ac.in/proxy.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.31.1.1:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{17A4555B-650A-45C5-9EEA-814BD4A62437}: NameServer = 172.31.1.30
O17 - HKLM\System\CS1\Services\Tcpip\..\{17A4555B-650A-45C5-9EEA-814BD4A62437}: NameServer = 172.31.1.30
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC-cillin PersonalFirewall - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
 

enoonmai

Cyborg Agent
NewDotNet is not a virus, it's what is known as "malware", a malicious BHO that downloads and silently executes code from its servers and overrides your system settings without your knowledge or permission. It comes in three variants: 'New.net domains' (B variant), 'FirstLook' (FirstLook variant) and 'QuickSearch Toolbar' (QuickSearch variant). So, you see, QuickSearch toolbar doesn't have anything to do with QuickTime. :) What NewDotNet does is override the DNS queries for Top Level Domains (TLD) with its own new.net subdomains, so that whenever you type an address/query into the browser address bar, the system sends a query to a DNS server to figure out where it should take you. This BHO makes sure you're only taken to its subdomains.

NewDotNet uses a Winsock2 Layered Service Provider (LSP) and a Browser Helper Object (BHO) that redirects searches from the browser’s address bar to NewDotNet’s search engines at qsrch.com and the popup-filled search.findsall.info. It also downloads updates from its controlling server at client.new.tech (aka client.new.tech.new.net) or upgrade.new.tech (upgrade.new.tech.new.net, upgrade.newdotnet.net).

Now you see why he asked you to remove the entries in red and asked you to run LSPFix. Because it hijacks the LSP, if you carelessly remove it, you run the risk of totally disconnecting yourself from the Internet, since simply put, the Windows Sockets layer (WinSock) is what allows you to connect in the first place to the Internet.

BTW, your new log is clean. Download Spybot S&D and leave its TeaTimer protection turned on at all times.

*www.safer-networking.org/en/download/
 

swatkat

Technomancer
yeah...enoonmai has told u everything...NewDotNet is an Adware/Malware....and QuickSearchBar is affiliated to it....
now ur log is clean!!! :)
 