Understanding and Interpreting HijackThis Entries

27 May 2009, 07:16

This article was taken from:




Understanding and Interpreting HijackThis Entries



A word of caution:

This program should be used with utmost caution, as most of the entries shown after the scan will be necessary for the smooth running of the operating system. Not all users are expected to understand all of the entries it produces, as it requires a certain level of expertise. Unless you can spot a spyware program by the names of its Registry keys and DLL files, it is best left to those specifically trained in interpreting HijackThis logs. It is recommended that you post the log file generated by HijackThis in "Windows O/S Support", which is dedicated to this purpose.

It should be noted that Astalavista takes no responsibility for your mistakes. If you are unsure, LEAVE THE ENTRY ALONE!! If you delete the wrong thing, even a restore point will not help. This is to be used for learning only. If you would like help, post your HijackThis log in "Windows O/S Support" and you shall receive professional help with your malware problems.


Download a copy of HijackThis and save it to your desktop in a folder. Do a scan and save the HijackThis logfile. Do not remove anything. Post your log file in "Windows O/S Support".

Link to HijackThis



A staff member from this section will help you. Only staff members are allowed to reply to posts here in Windows O/S Support.



HijackThis Tutorial - Analyze, Understand and Interpret HijackThis logs



The first part of the log is commonly referred to as the "Header" information. This contains details about the version of HijackThis, Windows and Internet Explorer, along with the date and time of the scan. This information is crucial to the helper if you decide to post your log at one of the online help forums. This mainly lets the helper confirm that you have the latest versions of the mentioned software and also tailor his reply to the specific version of Windows.


Logfile of HijackThis v1.99.1
Scan saved at 8:59:25 AM, on 3/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)



The next part of the log contains a list of currently running processes which will vary with each HijackThis scan as it depends on what a particular user is running at the time of the scan. This may reveal the presence of malware. Some examples of running processes are:


D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\PROGRAMFILES\NEWSGROUP\NEWSGROUP.EXE
C:\WINDOWS\SYSTEM\ONP3E.EXE
C:\WINDOWS\MSMGT.EXE
C:\WINDOWS\GQLVDN.exe



An experienced HijackThis adept will know from the name of the exe file whether it pertains to a legitimate Windows program or to unwanted software. The file name may be used to research the entry in Google or in specific sites which provide information on known running processes. A couple of sites which provide such information are:







Following the processes list is the main body of the HijackThis log. Each line in a HijackThis log starts with a section name, in the form of a two-character numeric or alphanumeric code. The codes and the corresponding section in IE or various registry entries are given below, followed by an explanation of each entry.


R1 - Internet Explorer Start page/search page/search bar/search assistant URL
R2 - This is not used
R3 - Default URL Searchhook
F0 - Autoloading programs from system.ini file
F1 - Autoloading programs from win.ini file
F2 } F2/F3 are essentially F0/F1 items, mapped to the Registry.
F3 } Only present in NT based systems.
N1 - Netscape 4x default homepage and search page URLs
N2 - Netscape 6x default homepage and search page URLs
N3 - Netscape 7x default homepage and search page URLs
N4 - Mozilla default homepage and search page URLs
O1 - Hosts file redirection
O2 - Browser Helper Objects
O3 - Internet Explorer toolbars
O4 - Autoloading programs from Registry
O5 - IE Options icon not visible in Control Panel
O6 - IE Options access restricted by Administrator
O7 - Regedit access restricted by Administrator
O8 - Extra items in IE right-click menu
O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu
O10 - Winsock hijacker
O11 - Extra group in IE 'Advanced Options' window
O12 - IE plugins
O13 - IE DefaultPrefix hijack
O14 - 'Reset Web Settings' hijack
O15 - Unwanted site in Trusted Zone
O16 - ActiveX Objects (aka Downloaded Program Files)
O17 - Lop.com domain hijackers
O18 - Extra protocols and protocol hijackers
O19 - User style sheet hijack
O20 - AppInit_DLLs Registry value autorun
O21 - ShellServiceObjectDelayLoad Registry key autorun
O22 - SharedTaskScheduler Registry key autorun
O23 - Windows NT Services

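As an added example (not part of the original article, and not code from HijackThis itself): a small Python parser for a saved log, fed with a sample stitched together from the fragments quoted above. It assumes the "Running processes:" heading that HijackThis writes between the header and the process list, and the process check at the end (a core Windows binary outside System32, or anything sitting directly in the Windows root) is this example's own rule of thumb for where to start researching, not something the tool does.

```python
import re
from collections import defaultdict

# Section codes as listed in the tutorial above (short labels only).
SECTION_NAMES = {
    "R0": "IE start/search page value changed", "R1": "IE start/search page value created",
    "R2": "not used", "R3": "URLSearchHook",
    "F0": "system.ini Shell=", "F1": "win.ini run=/load=",
    "F2": "F0 mapped to the registry (NT)", "F3": "F1 mapped to the registry (NT)",
    "N1": "Netscape 4 prefs", "N2": "Netscape 6 prefs", "N3": "Netscape 7 prefs", "N4": "Mozilla prefs",
    "O1": "hosts file", "O2": "Browser Helper Object", "O3": "IE toolbar", "O4": "autoloading program",
    "O5": "IE Options hidden (control.ini)", "O6": "IE policy restriction", "O7": "regedit restriction",
    "O8": "IE right-click menu item", "O9": "IE button / Tools menu item", "O10": "Winsock LSP",
    "O11": "IE Advanced Options group", "O12": "IE plugin", "O13": "DefaultPrefix",
    "O14": "Reset Web Settings", "O15": "Trusted Zone site", "O16": "ActiveX object",
    "O17": "Lop.com domain", "O18": "protocol handler", "O19": "user style sheet",
    "O20": "AppInit_DLLs", "O21": "ShellServiceObjectDelayLoad", "O22": "SharedTaskScheduler",
    "O23": "Windows NT service",
}

# Constructed sample, stitched from the fragments quoted in this tutorial; not a
# real scan. Assumption: the "Running processes:" heading HijackThis writes
# between the header and the process list.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:59:25 AM, on 3/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\PROGRAMFILES\NEWSGROUP\NEWSGROUP.EXE
C:\WINDOWS\SYSTEM\ONP3E.EXE
C:\WINDOWS\MSMGT.EXE
C:\WINDOWS\GQLVDN.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://best-search.cc/index.php?v=6&aff=3412714
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\FF.EXE
O1 - Hosts: 64.191.95.139 www.google.com
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")
HEADER_RE = {
    "version": re.compile(r"^Logfile of HijackThis (v[\d.]+)"),
    "scan": re.compile(r"^Scan saved at (.*)$"),
    "platform": re.compile(r"^Platform: (.*)$"),
    "msie": re.compile(r"^MSIE: (.*)$"),
}
# Binaries that belong in System32 (explorer.exe belongs in the Windows root).
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}


def parse_log(text):
    """Split a saved log into header fields, running processes and (code, body) entries."""
    header, processes, entries = {}, [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False
            entries.append((m.group(1), m.group(2).strip()))
        elif line.lower() == "running processes:":
            in_processes = True
        elif in_processes:
            processes.append(line)
        else:
            for field, rx in HEADER_RE.items():
                hm = rx.match(line)
                if hm:
                    header[field] = hm.group(1)
    return {"header": header, "processes": processes, "entries": entries}


def entries_by_code(parsed):
    grouped = defaultdict(list)
    for code, body in parsed["entries"]:
        grouped[code].append(body)
    return dict(grouped)


def describe(code):
    return SECTION_NAMES.get(code, "unknown section")


def suspicious_processes(processes):
    """Heuristic of this example, not a HijackThis rule: a core Windows binary
    running from anywhere but System32, or anything that sits directly in the
    Windows root, deserves a look before the rest of the list."""
    flagged = []
    for path in processes:
        parts = path.replace("/", "\\").split("\\")
        name = parts[-1].lower()
        parent = parts[-2].lower() if len(parts) > 1 else ""
        if name in CORE_BINARIES and parent != "system32":
            flagged.append(path)
        elif parent in ("windows", "winnt") and name != "explorer.exe":
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(parsed["header"])
    for code, bodies in sorted(entries_by_code(parsed).items()):
        print(f"{code:4} {describe(code):40} {len(bodies)} line(s)")
    print("processes worth researching:", suspicious_processes(parsed["processes"]))
```

The grouping is what a helper does by eye: header first (is the tool current, which Windows), then the process list, then the coded entries section by section.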
Klean 27 May 2009, 07:20
R0 - Internet Explorer Start page/search page/search bar/search assistant URL


A registry value that has been changed from the default, resulting in a changed Internet Explorer start page, search page, search bar page, search assistant, search URL, customize search etc. HijackThis monitors the following registry keys, among others, for changes:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchUrl


Example of R0 entries from HijackThis logs

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://best-search.cc/index.php?v=6&aff=3412714
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1526
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.jethomepage.com/ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =


Recommendation:

The key to these R0 entries tagged by HijackThis is the URL shown in each entry. If you don't recognize the URL, or there is no URL at the end of the entry, it can be safely fixed with HijackThis. Further, the URLs may be researched for CWS infection by using the known CWS Domains List.



R1 - Internet Explorer Start page/search page/search bar/search assistant URL

A registry value that has been created and is not present in a default Windows install, nor needed, possibly resulting in a changed Internet Explorer start page, search page, search bar page, search assistant, search URL, customize search etc. HijackThis monitors the above mentioned registry keys in addition to

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings


Example of R1 entries from HijackThis logs

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = c:\searchpage.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dl...r=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049


Recommendation:

The same rule as for R0 entries applies. The key to look for is the URL. If you don't recognize the URL, or there is no URL at the end of the entry, it can be safely fixed with HijackThis. Also research for CWS infection by using the CWS Domain List.





R2 - This is not used

Merijn, the author of HijackThis wrote:

This type is not used by HijackThis yet.




R3 - Default URL Searchhook

URLSearchHook is called by the browser when the browser cannot determine the protocol of a URL address. When attempting to browse to a URL address that does not contain a protocol, Internet Explorer first attempts to determine the correct protocol using the unmodified address. If this fails, Internet Explorer creates the URL Search Hook objects that have been registered, and calls each object's translate method until the URL has been translated or until all hooks have been called. Normally there should be only one value in this key.

URL Search Hooks are registered by adding a value that contains the object's class identifier (CLSID) string under the following key in the registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\UrlSearchHooks


Many IE hijackers will add their UrlSearchHook to your system so that every time you type a URL without a protocol, you will be redirected to the hijacker's site. HijackThis tags this if the default search hook value is changed or missing, or a new value is added in the above key.

Example of R3 entries from HijackThis logs.

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL


Recommendation:

Generally it's safe to have HijackThis fix this entry.
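An added Python example (mine, not from the article or from HijackThis) that applies the R0/R1/R3 rules above to log lines: the URL is pulled out of each R0/R1 entry and classified as empty, a local file, a res:// resource, a known host, or something to research, and each R3 hook is checked for a missing DLL or a non-default CLSID. KNOWN_GOOD_HOSTS is an assumption to replace with your own short list; DEFAULT_SEARCH_HOOK_CLSID is taken here as the stock Microsoft hook, which you should compare against a clean machine of the same version; the Microsoft search page URL in the sample is written out in full where the article truncates it.

```python
import re
from urllib.parse import urlparse

# Assumption: the hosts you consider legitimate as a start or search page.
# Keep it short and your own; everything else gets researched.
KNOWN_GOOD_HOSTS = {"www.microsoft.com", "www.google.com", "home.netscape.com"}
# Taken as the stock Microsoft URL search hook (assumption: compare against a
# clean machine with the same Windows/IE version).
DEFAULT_SEARCH_HOOK_CLSID = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"

# "R0 - HKCU\Software\...\Main,Start Page = http://..."  -> hive, key, value, data
R01_RE = re.compile(r"^(R[01]) - (HKCU|HKLM)\\(.+?),([^=]+?)\s*=\s*(.*)$")
# "R3 - URLSearchHook: <name> - {CLSID}[_] - <dll path or (no file)>"
R3_RE = re.compile(r"^R3 - URLSearchHook: (.*?) - (\{[0-9A-Fa-f-]{36}\}_?) - (.*)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed from the R0/R1/R3 examples quoted above.
SAMPLE_LINES = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://best-search.cc/index.php?v=6&aff=3412714",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = c:\searchpage.html#1526",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://mshp.dll/sp.html#37049",
    r"R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)",
    r"R3 - URLSearchHook: PerfectNavBHO Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL",
]


def triage_url_value(data):
    """The tutorial's rule: the URL is what matters; empty or unrecognised means fix."""
    data = data.strip()
    if not data:
        return "empty: safe to fix (HijackThis restores the default)"
    if DRIVE_PATH_RE.match(data):
        return "local file used as a start/search page: fix"
    url = urlparse(data)
    if url.scheme in ("http", "https"):
        host = (url.hostname or "").lower()
        if host in KNOWN_GOOD_HOSTS:
            return "ok"
        return f"unrecognised host {host}: research (check the CWS domain list)"
    if url.scheme in ("res", "file"):
        return f"{url.scheme}:// resource instead of a web page: fix"
    return "unrecognised form: research"


def triage_line(line):
    """Return (code, what-was-checked, verdict) for an R0/R1/R3 line, else None."""
    m = R01_RE.match(line)
    if m:
        code, hive, key, value, data = m.groups()
        return (code, f"{hive}\\{key},{value.strip()}", triage_url_value(data))
    m = R3_RE.match(line)
    if m:
        name, clsid, path = m.groups()
        if path.strip().lower() == "(no file)":
            verdict = "hook DLL missing: dead entry, safe to fix"
        elif clsid.upper() != DEFAULT_SEARCH_HOOK_CLSID:
            verdict = f"non-default hook {name.strip()}: research {path.strip()}"
        else:
            verdict = "ok"
        return ("R3", clsid, verdict)
    return None


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        code, what, verdict = triage_line(line)
        print(f"{code}  {verdict}\n     {what}")
```

The local-path test runs before urlparse on purpose: a value such as c:\searchpage.html parses as scheme "c" otherwise and would fall through as an unknown URL form rather than the local-file hijack it is.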
Klean 27 May 2009, 07:26
F0 - Autoloading programs from system.ini file

This is one of the ways, out of many different possible ways, malware can automatically start and run on your system. HijackThis targets the "shell=" line in the system.ini file in your Windows folder. The default legitimate line should read "shell=explorer.exe". However, malware like trojans, viruses etc. use this line to execute themselves at startup, for example the Dumaru.Y worm, W32.HLLW.Caspid worm and SubSeven trojan. This is achieved by adding an entry to the "shell=" line, like this:

shell=Explorer.exe C:\Windows\Capside.exe


so that when the system boots, the worm is also set to start along with explorer.exe. It is to be noted that in Windows NT based systems, the shell line is not located in the ini files but in the registry, typically in the "Shell" string value of

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon


whose contents again should be just "Explorer.exe". HijackThis tags this, if the line contains more than just "Explorer.exe" and restores the default value if you choose to fix it.

Example of F0 entries from HijackThis logs

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\FF.EXE
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
F0 - system.ini: Shell=explorer.exe winuser32.exe
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\cmd32.exe


Recommendation:

Unless you are running one of those shell-changing programs which changes the default Windows interface (explorer.exe) to one of its own, F0 entries are most probably bad; always fix them.



F1 - Autoloading programs from win.ini file

Like F0 entries, HijackThis targets the "win.ini" file, one of the possible autoloading locations that both valid programs and a lot of viruses use to run at startup.

[windows]

Run=

Load=


Any filename after run= or load= will start every time you boot into Windows. Separated by semicolons, multiple programs may be started using this method.

In windows NT based systems this is once again found in the Registry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]

"run"=""

"load"=""



HijackThis will tag all items listed in these locations.

Example of F1 entries from HijackThis logs

F1 - win.ini: load=C:\WINDOWS\Msgsvr32win.exe
F1 - win.ini: run=hpfsched
F1 - win.ini: run=C:\WINDOWS\System32\services\wmplayer.exe
F1 - win.ini: load=d:\progra~1\YDPDict\watch.exe
F1 - win.ini: run=msinfo.exe


Recommendation:

As win.ini file is used by many older programs to auto start programs, you should be selective in fixing those entries with HijackThis. Try to find some more info on the filename to see if it's good or bad before deciding to fix it.



F2 & F3 - Autoloading programs from registry in windows NT based systems

Merijn said:F2/F3 are essentially F0/F1 items, mapped to the Registry. Only present in WinNT/2k/XP.


On Windows NT based systems, most sections of the win.ini and system.ini files are mapped into the registry. That is to say, Windows intercepts certain requests to access these files and instead accesses the registry. To determine which sections are mapped in this way, refer to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping



Note that although Windows NT based systems retains the Win.ini file for compatibility with older programs, it does not use the Load= and Run= lines in Win.ini itself.

Let's see what MS says about inifilemapping in windows NT resourcekit,

When you install an application created for 16-bit Windows, the application's setup program creates its own .ini file or creates entries for the Win.ini or System.ini file in the same way that it does for any version of Windows 3.x. These entries are not updated in the Registry because these applications do not have a way to access the Windows NT Registry. For this reason, basic System.ini, Win.ini, and Winfile.ini files appear in the Systemroot directory in Windows NT.

If a Windows-based application tries to write to Win.ini, System.ini, or any other section listed in the IniFileMapping key, and if the application uses the Windows NT Registry APIs, the information is stored in the Registry. If the application writes to other sections of the .ini file or tries to open the .ini file directly without using the Windows NT Registry APIs, the information is saved in an .ini file.

To find mapping information in the HKEY_LOCAL_MACHINE \Software key, the system searches for the filename extension of the initialization file. If it finds the filename extension, it looks under the mapped key for the name of the application associated with that file type and a variable name. If necessary, it continues to look for keys whose value entries are the variable names. If no mapping for either the application name or filename is found, the system looks for an .ini file to read and write its contents. You can see where the Windows initialization files are mapped in the Registry by viewing the subkeys and value entries under this path:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping



F2 entry in a HijackThis log also refers to the Userinit value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and by default, Winlogon runs Userinit.exe, which is an application used to run a program before a shell starts. The service runs logon scripts, reestablishes network connections and starts the shell.

The default value is C:\WINDOWS\SYSTEM32\Userinit.exe, (note the comma at the end).This value could be hacked by malware to read:

C:\WINDOWS\SYSTEM32\Userinit.exe, trojan.exe


HijackThis will tag the contents of this key even if only the comma is missing and it's OK to have it fixed though it's harmless.

Example of entries from HijackThis logs

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\sysctl.exe


Recommendation:

Do not use HijackThis to fix these entries without expert guidance. If you fix the wrong entry, your computer may not be bootable without some serious troubleshooting. This is especially true for F2 entries, as the restore function of HijackThis for this particular section has some potentially serious issues.
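An added Python example (not from the article) for the F0/F1/F2 values above: it splits a Shell= or Userinit value into its individual programs and reports anything beyond the stock explorer.exe / userinit.exe, including the missing trailing comma the article mentions, and simply lists what win.ini run=/load= would start, since those need research rather than a reflex fix. The %SystemRoot% value (C:\WINDOWS) is an assumption passed as a parameter; the last sample line is a constructed clean value.

```python
import re

# HijackThis F-lines: "F0 - system.ini: Shell=..." / "F1 - win.ini: run=..." /
# "F2 - REG:system.ini: UserInit=..." (REG: marks the registry-mapped copy on NT).
F_LINE_RE = re.compile(
    r"^(F[0-3]) - (REG:)?(system\.ini|win\.ini): (Shell|UserInit|run|load)=(.*)$", re.IGNORECASE)
# One program per token; a double-quoted path may contain spaces. Separators:
# spaces for Shell=, commas for Userinit, and ';' / ',' / spaces for run=/load=.
TOKEN_RE = re.compile(r'"[^"]*"|[^\s,;]+')

# Constructed from the F0/F1/F2 examples above; the last line is a clean value.
SAMPLE_LINES = [
    r"F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\FF.EXE",
    r"F0 - system.ini: Shell=explorer.exe winuser32.exe",
    r"F1 - win.ini: load=C:\WINDOWS\Msgsvr32win.exe",
    r"F1 - win.ini: run=hpfsched",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\sysctl.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,",
]


def split_programs(value):
    return [t.strip('"') for t in TOKEN_RE.findall(value)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_shell(value):
    """Shell= must be explorer.exe and nothing else (unless you run a shell replacement)."""
    progs = split_programs(value)
    if not progs or basename(progs[0]) != "explorer.exe":
        return [f"shell replaced: {value.strip() or '(empty)'}"]
    return [f"extra program started with the shell: {p}" for p in progs[1:]]


def check_userinit(value, system_root=r"C:\WINDOWS"):
    """Userinit must be <SystemRoot>\\system32\\userinit.exe followed by a comma."""
    progs = split_programs(value)
    if not progs:
        return ["Userinit empty: no shell will start at logon"]
    problems = []
    expected = (system_root.rstrip("\\") + r"\system32\userinit.exe").lower()
    if progs[0].lower() != expected:
        problems.append(f"first program is not {expected}: {progs[0]}")
    problems += [f"extra program run at logon: {p}" for p in progs[1:]]
    if not value.rstrip().endswith(","):
        problems.append("trailing comma missing (harmless, but HijackThis flags it)")
    return problems


def triage_f_entry(line, system_root=r"C:\WINDOWS"):
    """Problems found in one F-line; [] means the value is the stock one; None if not an F-line."""
    m = F_LINE_RE.match(line)
    if not m:
        return None
    _code, _reg, _inifile, key, value = m.groups()
    key = key.lower()
    if key == "shell":
        return check_shell(value)
    if key == "userinit":
        return check_userinit(value, system_root)
    # win.ini run=/load=: older legitimate software uses these too, so only list them
    return [f"{key}= starts {p}: research before fixing" for p in split_programs(value)]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        root = r"C:\WINNT" if "WINNT" in line else r"C:\WINDOWS"
        print(line, "->", triage_f_entry(line, root) or "stock value")
```

Note that the Userinit check compares the whole path, not just the file name: a userinit.exe copied to another directory would otherwise pass.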
Klean 27 May 2009, 07:33
N1 - Netscape 4x default homepage and search page URLs


N1 entry in a HijackThis log refers to the homepage URL settings in Netscape 4.x browser in the prefs.js file located in the users Netscape directory.

Example of N1 entries from HijackThis logs

N1 - Netscape 4: user_pref("browser.startup.homepage", "http://www.travelocity.com/?Service=TRAVELOCITY"); (C:\Program Files\Netscape\Users\default\prefs.js)
N1 - Netscape 4: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Program Files\Netscape\Users\doug\prefs.js)
N1 - Netscape 4: user_pref("browser.startup.homepage", "www.google.com"); (C:\Program Files\Netscape\Users\default\prefs.js)




N2 - Netscape 6x default homepage and search page URLs

N2 entry in a HijackThis log refers to homepage and searchpage URLs of Netscape 6 browser in the prefs.js file located in the 'Application Data' folder.

Example of N2 entries from HijackThis logs

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.plymslayer.com/graphics/plymmies/dumbass.gif"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\p7clsp39.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\o9t1tfl.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\user\Application Data\Mozilla\Profiles\default\20gihcu7.slt\prefs.js)




N3 - Netscape 7x default homepage and search page URLs

N3 entry in a HijackThis log refers to homepage and search page URLs of the Netscape 7 browser in the prefs.js file located in the 'Application Data' folder.

Example of N3 entries from HijackThis logs

N3 - Netscape 7: user_pref("browser.startup.homepage", "www.msn.com"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\xg8itvly.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CPROGRAM%20FILES%5CNETSCAPE%5CNETSCAPE%5Csearchplugins%5CSBWeb_02.src"); (C:\WINDOWS\Application Data\Mozilla\Profiles\default\xg8itvly.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Kir\Application Data\Mozilla\Profiles\default\sij0wvc1.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Kir\Application Data\Mozilla\Profiles\default\sij0wvc1.slt\prefs.js)




N4 - Mozilla default homepage and search page URLs

N4 entry in a HijackThis log refers to homepage and searchpage URLs of Mozilla browser in the prefs.js file located in the 'Application Data' folder.

I have not seen the N4 entries in any of the HijackThis logs.

Recommendation:

The N entries are similar to the R0 and R1 entries, which refer to the IE browser. Again the key is the URL shown in the respective entries. If you don't recognize the URL, or there is no URL at the end of the entry, it can be safely fixed with HijackThis. It's very unlikely for Netscape or Mozilla browsers to get hijacked unless you download and install a malware installer unknowingly. An example would be the LOP.com hijack. This comes in the form of an executable installer which may masquerade as 'mp3_finder.exe', 'download_file.exe', 'free_warez.exe' or 'free_sex_viewer.exe' among others. These installers change your preferred home and search page URLs in Netscape and Mozilla browsers. It also adds a task to run on startup which sets your homepage and search back to lop if you change them.
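An added Python example (not from the article) that reads the user_pref lines of a prefs.js the way the N entries above quote them, and percent-decodes an engine:// value so the helper can see which search-plugin .src file a browser.search.defaultengine setting actually points at. The prefs.js fragment is constructed from values quoted in the examples above.

```python
import re
from urllib.parse import unquote

# Constructed prefs.js fragment built from the N2/N3 values quoted above.
SAMPLE_PREFS = r"""# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://www.google.com");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.page", 1);
user_pref("general.useragent.locale", "en-US");
"""

# user_pref("<name>", "<string>");  or  user_pref("<name>", <number|true|false>);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(?:"((?:[^"\\]|\\.)*)"|([^)]+))\);\s*$')
# The two preferences HijackThis reports in its N1-N4 lines.
WATCHED = ("browser.startup.homepage", "browser.search.defaultengine")


def parse_prefs(text):
    """Map preference name -> raw value (strings unquoted, other literals as written)."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            name, quoted, literal = m.groups()
            prefs[name] = quoted if quoted is not None else literal.strip()
    return prefs


def decode_value(value):
    """Turn engine://C%3A%5C... into the Windows path of the search plugin."""
    if value.startswith("engine://"):
        return unquote(value[len("engine://"):])
    return value


def watched_values(prefs):
    """The homepage and default search engine, decoded, if the profile sets them."""
    return {name: decode_value(prefs[name]) for name in WATCHED if name in prefs}


if __name__ == "__main__":
    for name, value in watched_values(parse_prefs(SAMPLE_PREFS)).items():
        print(f"{name} = {value}")
```

Once decoded, the .src file is just another path to check: a plugin under the browser's own searchplugins directory is what a stock install looks like; one dropped elsewhere is what to research.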
Klean 27 May 2009, 07:35
O1 - Hosts file redirection

The hosts file maps host names to IP addresses.

The short answer is that the Hosts file is like an address book. When you type an address into your browser, the Hosts file is consulted to see if you have the IP address, or "telephone number," for that site. If you do, then your computer will "call it" and the site will open. If not, your computer will ask your ISP's (internet service provider) computer for the phone number before it can "call" that site. Most of the time, you do not have addresses in your "address book," because you have not put any there. Therefore, most of the time your computer asks for the IP address from your ISP to find sites.

What is a hosts file?


The hosts file can also be hijacked by malware, by changing the DNS entries in your hosts file, effectively making Windows believe a web site has a different IP than it really has and thus making IE open the wrong page. A benign hostname such as cnn.com could be made to point to a malicious website. HijackThis can detect the redirection entries.

Example of O1 malicious entries from HijackThis logs

O1 - Hosts: 64.191.95.139 www.google.com
O1 - Hosts: 66.98.178.19 cookies.cmpnet.com
O1 - Hosts: 66.98.178.19 counter.aaddzz.com
O1 - Hosts: 66.98.178.19 counter14.sextracker.com
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com


Here the hijack will redirect the address on the right to the IP address on the left, i.e., in the first entry of the example, if you type www.google.com in your browser you will be taken to the malicious website 64.191.95.139 instead of google.com. Many variants of the CWS (CoolWebSearch) parasite use this method to hijack IE.

You may find another entry in HijackThis logs pertaining to hosts file redirection. It may look like this:

O1 - Hosts file is located at C:\Windows\Help\hosts
O1 - Hosts file is located at: C:\WINNT\nsdb\hosts


Here HijackThis tags the redirection of the hosts file itself, perpetrated by some parasites. The legitimate hosts file is located in the following locations in the various flavours of Windows:

Windows NT/2K/XP = [System root]\system32\drivers\etc
Windows 95/98/ME = [drive]\windows
The [drive] is usually drive "c:"
The [System root] is usually "c:\winnt" or "c:\windows"


Recommendation:

You can always have HijackThis fix these, unless you knowingly put those entries in your Hosts file.



O2 - Browser Helper Objects

In this section, HijackThis tags all the "Browser Helper Objects" that are being used by your IE, whether good or bad. A Browser Helper Object, or BHO, is a component that Internet Explorer loads whenever it starts (or, if you have Active Desktop turned on, even when you open a file folder on your own computer) and can perform many actions on available windows. BHOs can be either good or bad, but most of them contain spyware in one form or another. Sometimes these BHOs just sneak onto your computer and you don't even realize they are there! Some of them can be downright malicious!

Some common examples of BHOs are Aureate/Radiate, Alexa, Flyswat, Gator, GetRight, Gozilla, RealDownload, and Yahoo Companion

Example of O2 entries from HijackThis logs.

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - C:\WINDOWS\System32\mskhhe.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\System32\bridge.dll


Recommendation:

You need to be careful in selecting entries in this section for fixing with HijackThis, as it lists both benign (Google Toolbar, Acrobat Reader, Spybot S&D's download protection etc.) and malicious BHOs. There is a very comprehensive, regularly updated list at CastleCops.com, The CLSID/BHO List/Toolbar Master List, where it is possible to search by the CLSIDs (the alphanumeric characters between the curly brackets). Choose to fix an entry only if you are absolutely sure; otherwise consult an expert, as deletion of certain BHOs will affect the smooth functioning of IE.



O3 - Internet Explorer toolbars

A toolbar for Internet Explorer is normally located below the menu bar at the top of the form. IE toolbars are created by Browser Helper Objects. Many toolbars available on the Internet are spyware. They can be annoying or even outright malicious, tracking your online behaviour and displaying popup ads.

Example of O3 entries from HijackThis logs

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Band Class - {D848A3CA-0BFB-4DE0-BA9E-A57F0CCA1C13} - C:\WINDOWS\dealhlpr.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX


Recommendation:

As HijackThis lists all the 3rd party toolbars, good and bad, discretion is required when selecting entries to fix. Again, the exhaustive list at CastleCops, The CLSID/BHO List/Toolbar Master List, may be used to search for the offending CLSIDs if you don't directly recognize a toolbar's name.



O4 - Autoloading programs from Registry & Startup group

As the title indicates, this section of HijackThis logs lists all programs that autoload from the registry and startup group. Autoloading entries can load a registry script, VBScript or JavaScript file, possibly causing the IE start page, search page, search bar or search assistant to revert back to a hijacker's page after a system reboot. Also, a DLL file can be loaded that will hook into several parts of your system.

Example of O4 entries from HijackThis logs

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe


Recommendation:

An amazing number of Windows applications, from freeware and shareware utilities to full-blown commercial suites such as Microsoft Office, manage to insert some portion of themselves into your Windows startup. There are some you should never turn off, though. Definitely leave entries such as ScanRegistry and SystemTray alone, as these are critical parts of Windows itself. How do you identify malware or unnecessary programs loading at startup? If you don't recognize the program from its name, or if you are plainly suspicious of an entry, use CastleCops - StartupList, a searchable, comprehensive list of the programs you may find running when you switch on your PC, as typically identified by MSCONFIG or the registry "Run" keys, and whether you need them.





O5 - IE Options icon not visible in Control Panel

In this section HijackThis checks for the "Internet Options" applet available in the Control Panel. Each item in Control Panel has an associated ".cpl" file. These files, along with the Control Panel initialization file, "control.ini", are loaded into memory when Control Panel is opened. A hijacker may modify control.ini to prevent access to the "Internet Options" window, thereby preventing the user from resetting various hijacked options.

Example of O5 entries from HijackThis logs

O5 - control.ini: inetcpl.cpl=no


This entry is not commonly seen in HijackThis logs.

Recommendation:

Unless you or an administrator has chosen to hide the 'Internet options' applet from the control panel by modifying the control.ini file, it's safe to have HijackThis fix this entry.
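An added Python example (not from the article or from HijackThis) for the O1 section above: it parses a hosts file, separates blocking entries (names pointed at 127.0.0.1, 0.0.0.0 or ::1, which is how ad-blocking hosts lists work and is harmless by design) from redirections to some other address, prints the latter in O1 form, and groups them by target IP, since one IP catching several search engines at once is the CWS pattern described above. It also checks whether a reported hosts path is the NT-family default. The sample file is constructed (the example.* names are placeholders) around the IPs and hostnames in the O1 examples; the system root is an assumed parameter.

```python
import ipaddress

# Constructed hosts file: the stock localhost lines, two ad-blocking style
# entries (example.* names are placeholders), and redirections using the
# addresses and hostnames from the O1 examples above.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # blocked, resolves nowhere
127.0.0.1       counter.example.org tracker.example.org
64.191.95.139   www.google.com
216.177.73.139  auto.search.msn.com
216.177.73.139  search.netscape.com
"""


def parse_hosts(text):
    """(line_no, ip, hostname) for every mapping; comments stripped, several
    hostnames per line allowed, lines without a valid address skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((n, ip, host.lower()))
    return entries


def classify_hosts(entries):
    """Split mappings into blocking entries (point at this machine or nowhere)
    and redirections (point at some other host on the network)."""
    blocking, redirected = [], []
    for n, ip, host in entries:
        if host == "localhost" and ip.is_loopback:
            continue  # the stock entry
        if ip.is_loopback or ip.is_unspecified:
            blocking.append((n, str(ip), host))
        else:
            redirected.append((n, str(ip), host))
    return blocking, redirected


def o1_lines(redirected):
    """The redirections in the form HijackThis prints them."""
    return [f"O1 - Hosts: {ip} {host}" for _, ip, host in redirected]


def redirect_clusters(redirected):
    """Hostnames grouped by target IP: one address catching several search
    engines is the pattern the CWS variants leave behind."""
    clusters = {}
    for _, ip, host in redirected:
        clusters.setdefault(ip, []).append(host)
    return clusters


def hosts_path_is_default(path, system_root=r"C:\WINDOWS"):
    # On NT-family Windows the live file is %SystemRoot%\system32\drivers\etc\hosts;
    # HijackThis's "Hosts file is located at" line means it was pointed elsewhere.
    expected = (system_root.rstrip("\\") + r"\system32\drivers\etc\hosts").lower()
    return path.replace("/", "\\").lower() == expected


if __name__ == "__main__":
    blocking, redirected = classify_hosts(parse_hosts(SAMPLE_HOSTS))
    print(f"{len(blocking)} blocking entries (leave them if you added an ad-blocking hosts list)")
    print("\n".join(o1_lines(redirected)))
    for ip, hosts in redirect_clusters(redirected).items():
        print(f"{ip} catches: {', '.join(hosts)}")
```

The distinction matters in practice: a hosts file with thousands of 0.0.0.0 lines is usually a deliberately installed blocklist, while a single line sending a search engine to a routable address is the hijack the article describes.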
Klean 27 May 2009, 07:42
O6 - IE Options access restricted by Administrator

This section is similar to the O5 section in the sense that HijackThis tags the disabling of the "Internet Options" applet in the Windows Control Panel and the restriction on changing the start page setting. The difference here is that HijackThis checks the registry key "HKCU\Software\Policies\Microsoft\Internet Explorer\" for any restrictions placed by using administrative policies. HijackThis lists this even if the option in Spybot S&D is used to protect the start page from being changed by malware.

In this section, Hijackthis lists different types of entries,

Example of O6 entries from HijackThis logs

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present


Restrictions present: You or an administrator has set a policy which disables changing IE start page for the current user.

Control Panel present: You or an administrator has set a policy which restricts access to the 'Internet options' from within the IE or in the control panel.

Toolbars\Restrictions present: You or an administrator has set a policy which restricts access to the IE toolbar.

This setting is also used by malware to restrict the user from changing the hijacked start page, search page etc., and generally to restrict the user from accessing the "Internet Options" applet in the Control Panel.

Recommendation:

Unless you or an administrator has applied this policy in your system for the users, it is safe to have HijackThis fix these entries.



O7 - Regedit access restricted by Administrator

Once again this setting is applied through administrative policies. Disabling the ability to use the registry editor is normally used by administrators to restrict their users; it can also be used by malware to prevent access to the registry settings. HijackThis checks the registry key

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System for any restrictions.


Example of O7 entries from HijackThis logs

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


Recommendation:

Unless you or an administrator has applied this policy in your system for the users, it is safe to have HijackThis fix this entry.



O8 - Extra items in IE right-click menu

In this section HijackThis lists the extra items (i.e. not the default items like back, forward etc., only the items installed by 3rd party software, both legitimate and otherwise). HijackThis checks the registry keys

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MenuExt


and lists all the extra items. These extra context menu items can prove helpful or annoying. Some hijackers are known to add to the context menu.

Example of O8 entries from HijackThis logs

O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.68-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm


Recommendation:

If you don't recognize the name of the item or if you don't use an item in the right-click menu in IE, it can be safely fixed with HijackThis.



O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu

In this section HijackThis tags the extra buttons on main IE tool bar and extra items in the 'Tools' menu of IE. HijackThis checks the registry keys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions


and lists all the extra buttons and extra items on the "Tools" menu of IE.
These can be researched at CastleCops - O9 List of Extra IE Buttons list.



Example of O9 entries from HijackThis logs

O9 - Extra button: Messenger (HKLM)
O9 - Extra button: Joyo (HKLM)
O9 - Extra button: Run DAP (HKLM)
O9 - Extra button: Copernic Agent (HKLM)
O9 - Extra 'Tools' menuitem: Console Java (Sun) (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)


Recommendation:

If you don't recognize the name of a button or 'Tools' menu item, or if you don't use it, it can be safely fixed with HijackThis.



O10 - Winsock hijacker

Winsock is short for Windows Sockets API, the standard way for Windows programs to use TCP/IP; every program on your PC that talks to the Internet goes through Winsock (Winsock2 on current versions). Winsock2 has a feature called Layered Service Provider (LSP), which allows legitimate third-party software such as anti-virus, firewall and other security products to insert their own code into the provider "chain". Code in that chain sees every byte of data entering and leaving the computer.

This feature is misused by a few hijackers for their own monitoring. Outbound packets from your computer to a legitimate destination on the web can be intercepted by a malware LSP and sent somewhere other than where you intended. As Merijn says, "Only a very small selection of spyware used this method of infection as it requires hooking into the Winsock LSP chain, which lies very deep into the bowels of Windows and is one of the hardest parts of Windows to manipulate." New.net, Webhancer, CommonName and the CWS variant CWS.Msspi are known examples.

Example of O10 entries from HijackThis logs

O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'c:\progra~1\common~2\toolbar\cnmib.dll' missing
O10 - Unknown file in Winsock LSP: c:\program files\newton knows\vmain.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\msspi.dll


Recommendation:

Do not fix O10 entries, or use programs like LSPfix or WinsockFix yourself, unless an expert/helper has advised you to do so. Fixing the LSP stack is not advised unless you are sure of what you are doing and know how to undo it: a wrong fix will break your Internet connection, and in some cases only a repair install or a reinstall will get you back. A lot of legitimate programs use LSPs to do their job, and HijackThis has only some of them in its ignore (safe) list, so false positives are common. Please note that Merijn also says that "'unknown' files in the LSP stack will not be fixed by HijackThis, for safety issues".

If you want to have a look at the LSPs on your system, use Spybot S&D or download the free LSP Explorer add-on for Ad-Aware SE.

Spybot-S&D is able to display a list of installed network drivers and allows this list to be exported for future reference. In version 1.3, entries that have changed since the last snapshot are displayed in bold letters, so you can see changes to the list at once. Ad-Aware SE's LSP Explorer goes a step further by letting you back up and restore the LSPs. It also lets you view the active LSPs and Name Service Providers on your system, along with detailed information about each, so you can determine whether or not they are legitimate.

LSPs can be researched at CastleCops' LSP List.
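As an added example (not part of the original tutorial and not HijackThis' own code), here is a small Python triage script that applies the O8 and O10 advice above to log lines. It splits each entry into its section number and body, reduces an O8 target to the file that actually implements it (a res:// target names an HTML resource inside a DLL, so the DLL is what you research), and labels each O10 line by kind without ever marking it for fixing. The sample lines, the recognised-item list and all function names are constructed for this example.

```python
import re

# Constructed sample lines, modelled on the O8, O9 and O10 formats shown in
# this post; they are not taken from a real log.
SAMPLE_LINES = r"""
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.68-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O9 - Extra button: Run DAP (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'c:\progra~1\common~2\toolbar\cnmib.dll' missing
O10 - Unknown file in Winsock LSP: c:\program files\newton knows\vmain.dll
""".strip().splitlines()

ENTRY_RE = re.compile(r"^O(\d+) - (.*)$")
O8_RE = re.compile(r"^Extra context menu item: (.+?) - (.+)$")
# A res:// URL names a resource inside a binary: res://<path to dll>/<resource>
RES_RE = re.compile(r"^res://(.+?\.(?:dll|exe|ocx))/", re.IGNORECASE)
O10_KINDS = (
    ("hijacked", re.compile(r"^Hijacked Internet access by (.+)$")),
    ("missing_provider",
     re.compile(r"^Broken Internet access because of LSP provider '(.+)' missing$")),
    ("unknown_file", re.compile(r"^Unknown file in Winsock LSP: (.+)$")),
)


def split_entry(line):
    """Return (section number, body) for a HijackThis line, or None."""
    m = ENTRY_RE.match(line.strip())
    return (int(m.group(1)), m.group(2)) if m else None


def o8_backing_file(target):
    """Reduce an O8 target to the file on disk that implements it."""
    lower = target.lower()
    if lower.startswith("res://"):            # HTML resource embedded in a DLL
        m = RES_RE.match(target)
        return m.group(1) if m else target[len("res://"):]
    if lower.startswith("file://"):           # plain file behind a file: URL
        return target[len("file://"):]
    return target                             # already a path


def classify_o10(body):
    """Label an O10 line by the kind of LSP problem HijackThis reported."""
    for kind, pattern in O10_KINDS:
        m = pattern.match(body)
        if m:
            return kind, m.group(1)
    return "other", body


def triage(lines, recognised_menu_items=()):
    """Apply this post's O8/O10 advice: unrecognised O8 items may be fixed,
    O10 entries are reported but never marked for fixing."""
    known = {name.lower() for name in recognised_menu_items}
    results = []
    for line in lines:
        parsed = split_entry(line)
        if parsed is None:
            continue
        section, body = parsed
        if section == 8:
            m = O8_RE.match(body)
            if not m:
                continue
            name = m.group(1).replace("&", "")   # '&' only marks the accelerator key
            results.append({
                "section": "O8",
                "name": name,
                "file": o8_backing_file(m.group(2)),
                "action": "keep" if name.lower() in known else "fix if unrecognised",
            })
        elif section == 10:
            kind, detail = classify_o10(body)
            results.append({
                "section": "O10",
                "kind": kind,
                "detail": detail,
                "action": "do not fix yourself; ask a helper (LSP chain)",
            })
    return results


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES, recognised_menu_items=["Google Search"]):
        print(row)
```

The O9 line in the sample is deliberately skipped: O9 entries carry no file path, so there is nothing to extract beyond the name, and the same "recognise it or fix it" rule applies as for O8.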
Klean 27 May 2009, 07:49 #
O11 - Extra group in IE 'Advanced Options' window

In this section HijackThis reports an extra group added to the "Advanced" tab of Internet Options in IE. The options on that tab are stored in the registry, so extra options can be added simply by creating extra registry keys. Malware very rarely adds its own options there; CommonName, for example, adds a group with a few options. Some legitimate programs also add a group of their own.

Example of O11 entries from HijackThis logs.

O11 - Options group: [CommonName] CommonName
O11 - Options group: [Multimedia] Multimedia
O11 - Options group: [TB] Toolbar
O11 - Options group: [TOEGANKELIJKHEID] Toegankelijkheid


Recommendation:

If the listed program name is 'CommonName', have HijackThis fix this. If you don't recognize the name, take an expert's opinion before fixing this entry.



O12 - IE plugins

Plugins are small programs that add particular functions to a larger program such as IE, typically to display or play multimedia content found in a web page, for example QuickTime movies or Flash and Shockwave animations. Each plugin is registered for one or more file extensions. When spyware or a hijacker registers a plugin for its own file type, the danger is that it gets reinstalled even after everything but the plugin has been removed, as soon as the browser opens such a file.

Example of O12 entries from HijackThis logs

O12 - Plugin for .csm: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .csml: C:\Program Files\Internet Explorer\Plugins\npchime.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .au: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll



HijackThis lists all the plugins installed on your machine. There seems to be only one pest that uses this method at present: the Onflow media player, a graphics provider and ad-tracking and reporting company for web advertisers. It appears in HijackThis logs as a plugin for the ".ofb" extension.

Recommendation:

Almost all of the entries appearing in this section are harmless. Don't fix anything other than Onflow.



O13 - IE DefaultPrefix hijack

When a website address is typed into IE's address bar without its prefix (http:// in the usual case), IE adds the prefix automatically when you hit Enter. This prefix, together with the default prefixes for FTP, Gopher and a few other protocols, is stored in the registry keys

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefix


A hijacker changes these values to the URL of his own server; as a result the victim is redirected to the hijacker's website every time the prefix is left off. Many variants of the CWS parasite use this method.

Example of O13 entries from HijackThis logs

O13 - DefaultPrefix: http://ehttp.cc/?
O13 - WWW Prefix: http://ehttp.cc/?
O13 - DefaultPrefix: http://www.nkvd.us/1507/
O13 - WWW Prefix: http://www.nkvd.us/1507/
O13 - Home Prefix: http://www.nkvd.us/1507/
O13 - Mosaic Prefix: http://www.nkvd.us/1507/
O13 - WWW. Prefix: http://


Recommendation:

You need not be selective here. Whatever changes the default prefix of a protocol cannot be good. Have HijackThis fix all instances of this.



O14 - 'Reset Web Settings' hijack

In this section HijackThis checks the file "iereset.inf" for changes which might indicate a hijack. When you click "Reset Web Settings" on the Programs tab of Internet Options, IE restores the default values for the home page, search page and a few other items from the "iereset.inf" file, located in the inf folder under your Windows folder. Some OEMs put their own custom URLs in this file.

Malware changes the default URL's to its own, so that when you click "Reset web settings" you get re-infected rather than cured.

Example of O14 entries from HijackThis logs

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O14 - IERESET.INF: START_PAGE_URL=http://www.oninet.pt
O14 - IERESET.INF: START_PAGE_URL=http://www.mysingtel.com.sg
O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com


Recommendation:

If the URL is not that of your computer's manufacturer (OEM) or your ISP, have HijackThis fix it.



O15 - Unwanted site in Trusted Zone

In this section HijackThis lists the sites in Internet Explorer's "Trusted Zone" (Internet Options > Security > Trusted sites > Sites), originally meant for websites considered more reputable or trustworthy than the rest of the Internet. Because that zone's default security level is Low, sites in it are allowed to run scripts and ActiveX objects that sites in other zones are not, which is why some malware programs add a site to the Trusted Zone without you knowing.

Example of O15 entries from HijackThis logs

O15 - Trusted Zone: *.registration.weather.com
O15 - Trusted Zone: *.i-lookup.com
O15 - Trusted Zone: *.offshoreclicks.com
O15 - Trusted Zone: *.teensguru.com


Recommendation:

Some variants of CWS parasite are known to add sites to the Trusted Zone. If you didn't add the listed domain to the Trusted Zone yourself, have HijackThis fix it.
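As an added example (my code, not part of the original tutorial and not HijackThis' own logic), here are the O13, O14 and O15 checks from this post written out in Python. An O13 prefix value is classed as a redirect when it names a host, since a bare scheme such as "http://" can redirect nowhere; an O14 IERESET.INF URL is compared against Microsoft's domain (assumed to be the stock value) plus the OEM/ISP domains you supply; an O15 Trusted Zone entry passes only if its domain is in the list you say you added yourself. The sample lines, the domain lists and the function names are constructed for this example.

```python
import re
from urllib.parse import urlsplit

ENTRY_RE = re.compile(r"^O(\d+) - (.*)$")
O13_RE = re.compile(r"^([^:]+): (.*)$")             # "<label>: <prefix value>"
O14_RE = re.compile(r"^IERESET\.INF: ([A-Z_]+)=(.*)$")
O15_RE = re.compile(r"^Trusted Zone: (.+)$")

# Constructed sample lines modelled on the O13/O14/O15 formats shown above.
SAMPLE_LINES = [
    "O13 - DefaultPrefix: http://ehttp.cc/?",
    "O13 - WWW Prefix: http://www.nkvd.us/1507/",
    "O13 - WWW. Prefix: http://",
    "O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp",
    "O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com",
    "O15 - Trusted Zone: *.registration.weather.com",
    "O15 - Trusted Zone: *.i-lookup.com",
]


def body_of(line):
    """Strip the 'Onn - ' tag; returns (section number, rest of line)."""
    section, body = ENTRY_RE.match(line.strip()).groups()
    return int(section), body


def host_of(url):
    """Lower-cased hostname of a URL, or '' if the URL names no host."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def under(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    host = host.lower()
    return any(host == s.lower() or host.endswith("." + s.lower()) for s in suffixes)


def check_o13(line):
    """A prefix value that names a host redirects every address typed without
    a scheme; a bare scheme such as 'http://' redirects nowhere."""
    label, value = O13_RE.match(body_of(line)[1]).groups()
    host = host_of(value)
    return {"label": label, "value": value, "host": host,
            "status": "redirect" if host else "bare-scheme"}


def check_o14(line, expected_suffixes=()):
    """IERESET.INF URLs should belong to Microsoft (assumed stock), your OEM
    or your ISP; pass the OEM/ISP domains you know in expected_suffixes."""
    key, value = O14_RE.match(body_of(line)[1]).groups()
    host = host_of(value.lstrip("&"))          # stray '&' seen before some values
    ok = under(host, ("microsoft.com",) + tuple(expected_suffixes))
    return {"key": key, "host": host, "status": "expected" if ok else "unexpected"}


def check_o15(line, user_added=()):
    """A Trusted Zone entry is fine only if you put the domain there yourself."""
    pattern = O15_RE.match(body_of(line)[1]).group(1)
    wildcard = pattern.startswith("*.")
    domain = (pattern[2:] if wildcard else pattern).lower()
    return {"domain": domain, "wildcard": wildcard,
            "status": "user-added" if under(domain, user_added) else "fix"}


def triage(lines, expected_suffixes=(), user_added=()):
    """Run the O13/O14/O15 checks over a list of log lines."""
    out = []
    for line in lines:
        section = body_of(line)[0]
        if section == 13:
            out.append(check_o13(line))
        elif section == 14:
            out.append(check_o14(line, expected_suffixes))
        elif section == 15:
            out.append(check_o15(line, user_added))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES, expected_suffixes=["oninet.pt"], user_added=["weather.com"]):
        print(row)
```

The "bare-scheme" result only says the value cannot redirect anywhere; as the post says, an O13 entry that HijackThis lists at all is worth fixing.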
Klean 27 May 2009, 07:52 #
O16 - ActiveX Objects (aka Downloaded Program Files)

In this section HijackThis lists the items found in the "Downloaded Program Files" folder under the Windows folder. This folder holds various types of files downloaded from the Internet, including ActiveX and Java objects. The legitimate purpose of ActiveX objects is to let website creators embed small programs in their sites that interact with your browser to give the visitor an enhanced experience. Because an ActiveX control runs as native code with the user's privileges, ActiveX makes a very good platform for installing spyware, adware, dialers and hijackers.

Example of O16 entries from HijackThis logs

O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - 66.48.68.135/save/makeover.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - 207.188.7.150/093979d9dd85d80a6d03/net..
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - messenger.zone.msn.com/binary/Messenge..
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - v4.windowsupdate.microsoft.com/CAB/x86..
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} (WTDMMPVersion Class) - install.wildtangent.com/bgn/partners/


Recommendation:

If you don't recognize the name of the object or the URL it was downloaded from, it is safe to have HijackThis fix it; if you are unsure about an item, get an expert opinion first. Even if you fix a legitimate ActiveX object, you will simply be prompted to download it again the next time you use that service on the website concerned. Please note that fixing ActiveX objects required by sites that use secure logins will cause problems when you try to log in to that site again, so be careful what you choose to fix with HijackThis.



O17 - Lop.com domain hijackers

In this section HijackThis checks several keys under the HKEY_LOCAL_MACHINE registry hive, beneath the Tcpip\Parameters keys (both the global one and the per-interface ones named by a GUID), for the values that tell Windows how to resolve domain names into IP addresses: the DNS Domain and the NameServer list. Hijacking these values lets an attacker redirect any program that uses the Internet to other, malicious sites. Some versions of Lop.com use this method, together with a huge list of cryptic domains.

Example of O17 entries from HijackThis logs

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ao.lop.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{665F2FE6-9364-453A-AD28-9DDF4773B522}: Domain = ao.lop.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ao.lop.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ao.lop.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{ADB2672A-97BB-4C94-9EE0-5447635C8D03}: NameServer = 204.127.129.2 12.102.244.2


Recommendation:

It's best to leave the O17s alone unless they clearly point to a bad site. Removing a needed O17 entry may break your Internet connectivity, as these values may be set by your ISP or your company network. Note that CCS, CS1 and CS2 in the key names are HijackThis' abbreviations for CurrentControlSet, ControlSet001 and ControlSet002.



O18 - Extra protocols and protocol hijackers

This section of HijackThis looks for new or changed protocols, the handlers for the scheme at the start of an address such as http://, https://, ftp:// or gopher://, which Windows uses to 'talk' to programs, servers or itself. Lop.com uses this method to make IE load content from "ayb://" addresses; CommonName likewise uses cn://. Several legitimate programs also register protocols of their own.

Example of O18 entries from HijackThis logs

O18 - Protocol: ayb - {07C0D34D-11D7-43F7-832B-C6BB41726F5F}
O18 - Protocol: pcn - {D540F040-F3D9-11D0-95BE-00C04FD93CA5} - C:\PROGRAM FILES\ENCOMPASS\V1MK.DLL


Recommendation:

Only a few hijackers show up here. The known baddies are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar); you should have HijackThis fix those. Other things that show up are either not yet confirmed safe, or hijacked. If you are in doubt, get an expert opinion before fixing them.
O18 items can be researched at CastleCops - O18 Extra protocols and protocol hijackers list.






O19 - User style sheet hijack

IE has an option to use a user-defined style sheet for all pages instead of each page's own, so that visually impaired users can read web pages more easily. Many CWS parasites overwrite any style sheet the user has set up and replace it with one that causes popups as well as system slowdown.

Example of O19 entries from HijackThis logs.

O19 - User stylesheet: C:\WINNT\system.css
O19 - User stylesheet: c:\windows\my.css
O19 - User stylesheet: C:\WINNT\default.css
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
O19 - User stylesheet: C:\WINDOWS\Web\win.def
O19 - User stylesheet: C:\WINDOWS\default.css


Recommendation:

At present only CWS does this, so unless you have set up a style sheet for your own use it is recommended to use CWShredder to fix it.



O20 - AppInit_DLLs Registry value autorun

AppInit_DLLs value is documented in MS Knowledge Base article, Working with the AppInit_DLLs registry value.




The AppInit_DLLs value is found in the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows


All the DLLs that are specified in this value are loaded by each Microsoft Windows-based application that is running in the current log on session.

What this means is that every process that loads user32.dll, which is practically every program with a window, also loads the DLLs listed in AppInit_DLLs, including when Windows is started in Safe Mode. The same O20 section also reports Winlogon Notify packages: DLLs registered under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, which Winlogon loads to receive logon, logoff and startup events, so they run even before any user's session exists. The last two examples below are of that kind.

Example of O20 entries from HijackThis logs

O20 - AppInit_DLLs: cahooknt.dll
O20 - AppInit_DLLs: wbsys.dll
O20 - AppInit_DLLs: CLKERN.DLL
O20 - AppInit_DLLs: mad.dll
O20 - AppInit_DLLs: ssohook
O20 - Winlogon Notify: DPWLN - C:\WINDOWS\system32\DPWLEvHd.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll


Recommendation:

The O20 entries can be researched at CastleCops - O20 AppInit_DLLs and Winlogon Notify list.




Very few legitimate programs use this autostart method, some variants of CWS infection are known to use this method to load a hidden dll at Windows startup. You should get an expert's opinion before deciding to fix (delete) these entries.
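As an added example (my code, not part of the original tutorial and not HijackThis' own logic), here is a Python checker for the O16 and O17 lines discussed in this post. For O16 it splits the entry into CLSID, class name and download source, and flags a source that is a bare IP address (as in the makeover.cab line above) or that HijackThis cut short with ".."; for O17 it parses the NameServer list into individual addresses, validates them with the standard ipaddress module, and compares both the DNS servers and the Domain value against what you say your ISP or company network hands out. The sample lines, the expected-DNS and expected-domain lists and the function names are constructed for this example.

```python
import ipaddress
import re

ENTRY_RE = re.compile(r"^O(\d+) - (.*)$")
O16_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]{36}\}) \((.+?)\) - (.+)$")
O17_RE = re.compile(r"^(HKLM\\[^:]+): (Domain|SearchList|NameServer) = (.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")

# Constructed sample lines modelled on the O16/O17 formats shown above.
SAMPLE_LINES = [
    "O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - 66.48.68.135/save/makeover.cab",
    "O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - v4.windowsupdate.microsoft.com/CAB/x86..",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ao.lop.com",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{ADB2672A-97BB-4C94-9EE0-5447635C8D03}: NameServer = 204.127.129.2 12.102.244.2",
]


def body_of(line):
    """Strip the 'Onn - ' tag; returns (section number, rest of line)."""
    section, body = ENTRY_RE.match(line.strip()).groups()
    return int(section), body


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def check_o16(line):
    """Split a DPF entry into CLSID, class name and download source; flag a
    source that is a bare IP address or that HijackThis cut short ('..')."""
    clsid, name, source = O16_RE.match(body_of(line)[1]).groups()
    host = re.sub(r"^[a-z]+://", "", source, flags=re.IGNORECASE).split("/", 1)[0]
    flags = []
    if is_ip(host):
        flags.append("bare-ip source")
    if source.endswith(".."):
        flags.append("source truncated in log")
    return {"clsid": clsid.upper(), "name": name, "host": host, "flags": flags}


def check_o17(line, expected_dns=(), expected_domains=()):
    """Compare the Domain / NameServer values HijackThis reports with what
    your ISP or company network is supposed to hand out."""
    key, value_name, value = O17_RE.match(body_of(line)[1]).groups()
    guid = GUID_RE.search(key)              # per-interface key, or the global one
    result = {"value": value_name, "interface": guid.group(0).upper() if guid else "global"}
    items = [s for s in re.split(r"[\s,]+", value) if s]
    if value_name == "NameServer":
        malformed = [s for s in items if not is_ip(s)]
        unexpected = [s for s in items if is_ip(s) and s not in expected_dns]
        result.update(servers=items, malformed=malformed, unexpected=unexpected)
        clean = not malformed and not unexpected
    else:
        domains = [d.lower() for d in items]
        unexpected = [d for d in domains
                      if not any(d == e.lower() or d.endswith("." + e.lower())
                                 for e in expected_domains)]
        result.update(domains=domains, unexpected=unexpected)
        clean = not unexpected
    result["status"] = "ok" if clean else "research"
    return result


def triage(lines, expected_dns=(), expected_domains=()):
    """Run the O16/O17 checks over a list of log lines."""
    out = []
    for line in lines:
        section = body_of(line)[0]
        if section == 16:
            out.append(check_o16(line))
        elif section == 17:
            out.append(check_o17(line, expected_dns, expected_domains))
    return out


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES, expected_dns=["204.127.129.2"], expected_domains=["example.com"]):
        print(row)
```

A "research" result is deliberately not "fix": as the post says, a NameServer your ISP really did assign will break your connection if removed, so the output is meant to tell a helper which values to look up, not to drive an automatic fix.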
Klean 27 May 2009, 07:56 #
O21 - ShellServiceObjectDelayLoad

This is an undocumented autorun method, executed by "Explorer.exe" as soon as it has loaded. Each value under the following registry key holds a CLSID; Windows looks that CLSID up (HKEY_CLASSES_ROOT\CLSID\{...}\InprocServer32) to find the DLL, loads it and links it into "Explorer.exe". HijackThis shows the value name, the CLSID and the DLL it resolves to, or "(no file)" when the DLL is missing.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad


Example of O21 entries from HijackThis logs

O21 - SSODL: DDE Control Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)
O21 - SSODL: Trayz - {F5B7D0BE-5f02-4211-96DB-386DFA244900} - C:\WINDOWS\lghngdne.dll
O21 - SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - (no file)
O21 - SSODL: XmLdrLocation - {0C887F38-5178-43DA-B9F0-B856141FCDA4} - C:\WINDOWS\System32\msuueng.dll
O21 - SSODL: WebExtLocation - {FE2DB5FF-5ECF-11D2-B28F-0080C8383C7B} - C:\WINNT\system32\lrluser.dll


Recommendation:

HijackThis tags only those entries that are not in its internal whitelist, but not all entries tagged by HijackThis are bad. The O21 items can be researched at CastleCops - O21 ShellServiceObjectDelayLoad list.




Please obtain expert/helper help before fixing (deleting) these entries.



O22 - SharedTaskScheduler

This undocumented autorun method applies only to Windows XP, Windows 2000 and NT. As with O21, each value under the key holds a CLSID whose DLL Explorer.exe loads at startup. Here HijackThis lists the values of the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler


Example of an O22 entry from HijackThis logs

O22 - SharedTaskScheduler: (no name) - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - c:\windows\system32\mtwirl32.dll


Recommendation:

This is a rare entry in HijackThis logs. The O22 items can be researched at CastleCops - O22 SharedTaskScheduler list.




Please obtain opinion from helper/expert before fixing (deleting) this entry.



O23 - NT Services

An NT service is a background process started by the Service Control Manager. Services are usually loaded at boot, before any user logs in, and are often independent of whoever is logged on at the time. A service that the system does not start automatically at boot can also be started manually by a user at the console, via the Services applet in Control Panel, or by another program that talks to the Service Control Manager. See An Introduction to NT Services.





HijackThis checks the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services


for non-Microsoft services.

Note that not all entries tagged by HijackThis are bad.

Examples of O23 entries in HijackThis logs

O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\sdkkv32.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\system32\angelex.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - D:\Program Partition\Eset\nod32krn.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe


Recommendation:

The O23 items can be researched at CastleCops - O23 List of Windows XP/NT services.




Please obtain help from helper/expert before fixing (deleting) these entries.

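As an added example (my code, not part of the original tutorial and not HijackThis' own logic), here is a Python parser for the four autostart sections in this post, O20 to O23. It normalises each line to one record (method, name, CLSID, owner, path) and attaches the observations a helper would make before deciding on a fix: a "(no file)" path is an orphaned registry entry, an AppInit_DLLs value is loaded into every process that maps user32.dll, a Winlogon Notify DLL runs before any user session, an SSODL or SharedTaskScheduler DLL is loaded into Explorer.exe, and an "Unknown"/"Unknown owner" service means HijackThis found no company name in the binary's version information (that last reading of the owner field is my assumption). Every record is marked "research", never "fix", matching the recommendations above. The sample lines and function names are constructed for this example.

```python
import re

ENTRY_RE = re.compile(r"^O(\d+) - (.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (.+?) - (.+)$")
SSODL_RE = re.compile(r"^(?:SSODL|SharedTaskScheduler): (.+?) - (\{[0-9A-Fa-f-]{36}\}) - (.+)$")
# "Service: <display name> [(<short name>)] - <owner> - <path>"
SERVICE_RE = re.compile(r"^Service: (.+?)(?: \(([^()]+)\))? - (.+?) - (.+)$")
NO_FILE = "(no file)"

# Constructed sample lines modelled on the O20-O23 formats shown in this thread.
SAMPLE_LINES = [
    "O20 - AppInit_DLLs: wbsys.dll",
    r"O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll",
    "O21 - SSODL: DDE Control Module - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - (no file)",
    r"O22 - SharedTaskScheduler: (no name) - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - c:\windows\system32\mtwirl32.dll",
    r"O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\sdkkv32.exe",
    r"O23 - Service: NOD32 Kernel Service (NOD32krn) - Unknown owner - D:\Program Partition\Eset\nod32krn.exe",
]


def parse_autostart(line):
    """Normalise an O20-O23 entry to one record, or None if unrecognised."""
    section, body = ENTRY_RE.match(line.strip()).groups()
    section = int(section)
    rec = {"method": "", "name": "", "short": "", "owner": "", "clsid": "", "path": ""}
    if section == 20:
        m = APPINIT_RE.match(body)
        if m:
            rec.update(method="AppInit_DLLs", path=m.group(1))
            return rec
        m = NOTIFY_RE.match(body)
        if m:
            rec.update(method="Winlogon Notify", name=m.group(1), path=m.group(2))
            return rec
    elif section in (21, 22):
        m = SSODL_RE.match(body)
        if m:
            rec.update(method="SSODL" if section == 21 else "SharedTaskScheduler",
                       name=m.group(1), clsid=m.group(2).upper(), path=m.group(3))
            return rec
    elif section == 23:
        m = SERVICE_RE.match(body)
        if m:
            display, short, owner, path = m.groups()
            rec.update(method="Service", name=display, short=short or "", owner=owner, path=path)
            return rec
    return None


def assess(rec):
    """Attach the observations a helper would make before deciding on a fix."""
    notes = []
    if rec["path"] == NO_FILE:
        notes.append("orphan: registry entry points at a file that is gone")
    if rec["method"] == "AppInit_DLLs":
        notes.append("loaded into every process that maps user32.dll, Safe Mode included")
        if "\\" not in rec["path"]:
            notes.append("bare file name: resolved via the system directory / search path")
    if rec["method"] == "Winlogon Notify":
        notes.append("loaded by Winlogon before any user session exists")
    if rec["method"] in ("SSODL", "SharedTaskScheduler") and rec["path"] != NO_FILE:
        notes.append("loaded into Explorer.exe at logon")
    if rec["method"] == "Service" and rec["owner"].lower().startswith("unknown"):
        notes.append("HijackThis found no company name in the binary's version info")
    return {**rec, "notes": notes, "action": "research with a helper before fixing"}


def triage(lines):
    """Parse and assess every recognised O20-O23 line."""
    return [assess(r) for r in map(parse_autostart, lines) if r is not None]


if __name__ == "__main__":
    for row in triage(SAMPLE_LINES):
        print(row["method"], row["name"] or row["path"], row["notes"])
```

The service regex keeps the display name intact even when it contains its own parentheses (as "Remote Procedure Call (RPC) Helper" does) and only peels off a trailing "(short name)" group when one is present.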