[chadfree] HiJackThis terms defined

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: Computer_Help_and_Discussion@xxxxxxxxxxxxxxx,chadfree@xxxxxxxxxxxxx
  • Date: Fri, 04 Jun 2004 16:46:59 -0700

This is from the HijackThis tutorial; it explains what the letters in
its report refer to:
http://www.spywareinfo.com/~merijn/htlogtutorial.html
HijackThis log tutorial  

On the forums of SpywareInfo, a lot of people new to browser hijacking post
topics asking for help analyzing logs from HijackThis, because they don't
understand what stuff is good and what is bad.

This is a basic guide as to what the log means, and some tips on reading it
yourself. This should in no way replace asking for help in the SWI forums,
but help you somewhat in understanding the log yourself.  
 

Overview  
Each line in a HijackThis log starts with a section name. (For technical
information on this, click 'Info' in the main window and scroll down.
Highlight a line and click 'More info on this item'.)

For practical information, click the section name you need help with:
R0, R1, R2, R3 - Internet Explorer Start/Search pages URLs 
F0, F1 - Autoloading programs 
N1, N2, N3, N4 - Netscape/Mozilla Start/Search pages URLs 
O1 - Hosts file redirection 
O2 - Browser Helper Objects 
O3 - Internet Explorer toolbars 
O4 - Autoloading programs from Registry 
O5 - IE Options icon not visible in Control Panel 
O6 - IE Options access restricted by Administrator 
O7 - Regedit access restricted by Administrator 
O8 - Extra items in IE right-click menu 
O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools'
menu 
O10 - Winsock hijacker 
O11 - Extra group in IE 'Advanced Options' window 
O12 - IE plugins 
O13 - IE DefaultPrefix hijack 
O14 - 'Reset Web Settings' hijack 
O15 - Unwanted site in Trusted Zone 
O16 - ActiveX Objects (aka Downloaded Program Files) 
O17 - Lop.com domain hijackers 
O18 - Extra protocols and protocol hijackers 
O19 - User style sheet hijack 
 
 

R0, R1, R2, R3 - IE Start & Search pages  
What it looks like:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.google.com/
R2 - (this type is not used by HijackThis yet)
R3 - Default URLSearchHook is missing  

What to do:
If you recognize the URL at the end as your homepage or search engine, it's
OK. If you don't, check it and have HijackThis fix it.
For the R3 items, always fix them unless it mentions a program you
recognize, like Copernic.  
 

F0, F1, F2, F3 - Autoloading programs from INI files  
What it looks like: 
F0 - system.ini: Shell=Explorer.exe Openme.exe
F1 - win.ini: run=hpfsched
 

What to do:
The F0 items are always bad, so fix them.
The F1 items are usually very old programs that are safe, so you should find
some more info on the filename to see if it's good or bad. 
Pacman's Startup List can help with identifying an item.  
 ++ There is more on the web site.


Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see ~ http://www.mwn.ca 
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
See my Anti-Virus pages
<http://www3.telus.net/mikebike/mikes_virus_page.htm>
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance & OWTA Charter Member
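
The section-prefix format and the "What to do" advice for the R and F sections quoted above, as an added example (not part of the original message or of the HijackThis tutorial): a Python sketch that splits a log into section code and body and applies that advice. The function names, verdict labels, the one-entry-per-line assumption and the sample log are constructed for illustration.

```python
import re

# One log entry: section code (R0, F1, O16, ...), " - ", then the body.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def parse_log(text):
    """Return (code, body) pairs; lines without a section prefix are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(code, body, known_urls=(), known_programs=()):
    """Apply the tutorial's advice for the R and F sections only."""
    if code == "F0":                      # "always bad, so fix them"
        return "fix"
    if code == "F1":                      # usually old and safe: look the file up
        return "research"
    if code in ("R0", "R1"):              # OK only if the URL at the end is recognized
        url = body.rpartition(" = ")[2].strip()
        return "ok" if url in known_urls else "fix"
    if code == "R3":                      # fix unless it names a recognized program
        named = any(p.lower() in body.lower() for p in known_programs)
        return "ok" if named else "fix"
    return "unclassified"                 # sections the excerpt gives no advice for

def review(text, known_urls=(), known_programs=()):
    """Return (code, verdict, body) for every entry in the log."""
    return [(c, triage(c, b, known_urls, known_programs), b)
            for c, b in parse_log(text)]

# Constructed sample: the R0, R3, F0 and F1 entries are the tutorial's own
# examples; the header, the R1 URL and the O4 entry are made up.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://search.example.invalid/
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=Explorer.exe Openme.exe
F1 - win.ini: run=hpfsched
O4 - HKLM\..\Run: [Example] example.exe
"""

if __name__ == "__main__":
    for code, verdict, body in review(SAMPLE_LOG, {"http://www.google.com/"}, {"Copernic"}):
        print(f"{verdict:12} {code:3} {body}")
```

The `known_urls` and `known_programs` arguments stand in for "the URL you recognize" and "a program you recognize" in the tutorial's wording; anything outside the R and F sections is reported as unclassified rather than guessed at.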


