Technology, Current Events, and Over Generalizations


Archive for May 5th, 2006

HijackThis

Yesterday I wrote about dealing with an infected computer and how I used HijackThis to help diagnose and fix problems. A good amount of malware likes to attach itself to the web browser, since that is where we spend much of our time. Common tactics are replacing your start page with another, substituting a new search page when sites are not found, adding unwanted toolbars and buttons to the browser, and the ever-popular continuous pop-up ads. Most of these can be considered adware, since they are trying to push traffic and clicks to their sites. Beyond being annoying, it is also unsettling that your system can be hijacked like this: anything that can redirect your browser is also in a position to watch what you do online, so the same foothold could be used by spyware to capture personal information.


HijackThis is a utility that scans the places in the registry and on disk where programs hook themselves into Windows and the browser (startup entries, browser helper objects, toolbars, downloaded ActiveX controls, Winlogon notification DLLs, the hosts file, and so on) and reports every entry it finds, allowing you to decide what to remove. The caveat is that it does not positively identify anything as harmful, and it does not remove anything automatically: nearly everything in a typical report is legitimate, so you have to understand what is shown and make the decision yourself. It also only lists entries at the hook points it knows about, so it is a diagnostic aid rather than a full scanner. Often people post the report output to spyware forums, where helpful participants advise on the best course of action. You can also Google the results and make your own decision. Much of the time the problem is obvious: if you are having problems with something like HotBar, you will see entries for HotBar that you can easily remove. I suggest saving a report while your system is known to be healthy, so that when you are suspicious you can compare the new report against it and focus on what changed.

Example output:

O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

This looks very confusing, but the prefix tells you which hook point each line came from, and a little Googling of the file names settles the rest. O4 lines are autostart entries: here a ThinkPad utility started from the HKCU Run key and the Adobe Reader speed launcher from the global Startup folder. O9 is an extra Internet Explorer button, in this case the Sun Java console. O16 lines are ActiveX controls in Downloaded Program Files, here Trend Micro's HouseCall online scanner and an HP diagnostic control. O20 lines are Winlogon Notify DLLs, which are loaded into winlogon.exe at logon and are a favorite hiding place for malware, but the three listed are the Intel graphics driver, the ThinkPad utilities, and Windows Genuine Advantage, all of which check out.
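The baseline comparison suggested above, and the reading of the O-prefixes in the sample output, are easy to automate. The following is an added example written for this post, not code from HijackThis or from the original article: it parses HijackThis log lines into (section, detail) records and lists what appears in a later log but not in the healthy baseline. The baseline is the log excerpt shown above; the second log adds two HotBar lines that are constructed for the example, with a placeholder GUID and paths that are not real HotBar identifiers.

```python
import re
from typing import NamedTuple

# Standard meanings of the HijackThis section prefixes that matter most.
# This table is part of the added example, not data from HijackThis itself.
SECTIONS = {
    "O1": "hosts file redirection",
    "O2": "browser helper object (BHO)",
    "O3": "Internet Explorer toolbar",
    "O4": "autostart entry (Run keys / Startup folder)",
    "O8": "extra IE context menu item",
    "O9": "extra IE button / Tools menu item",
    "O16": "Downloaded Program Files (ActiveX control)",
    "O20": "AppInit_DLLs / Winlogon Notify DLL",
    "O23": "Windows service",
}

# A log line is "<section> - <detail>", e.g. "O4 - HKCU\..\Run: [X] C:\x.exe".
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


class Entry(NamedTuple):
    section: str
    detail: str


def parse_log(text):
    """Return the Entry records found in a HijackThis log, in file order.

    Lines that are not O-entries (headers, blank lines) are ignored.
    """
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def new_entries(baseline_text, suspect_text):
    """Entries present in the suspect log but absent from the baseline.

    A set is used for the baseline so that entries which merely moved
    position between the two reports are not reported as new.
    """
    baseline = set(parse_log(baseline_text))
    return [e for e in parse_log(suspect_text) if e not in baseline]


def describe(entry):
    """Human-readable line: prefix, what that hook point is, and the detail."""
    kind = SECTIONS.get(entry.section, "unknown section")
    return f"{entry.section} ({kind}): {entry.detail}"


# Baseline: the report from the healthy machine (the excerpt quoted above).
BASELINE_LOG = r"""
O4 - HKCU\..\Run: [TPKMAPMN] C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: QConGina - C:\WINDOWS\SYSTEM32\QConGina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Later report: same entries plus two CONSTRUCTED HotBar lines. The GUID and
# paths are placeholders made up for this example, not real HotBar artifacts.
SUSPECT_LOG = BASELINE_LOG + r"""
O2 - BHO: (no name) - {00000000-1111-2222-3333-444444444444} - C:\Program Files\Hotbar\bin\hbhelper.dll
O4 - HKLM\..\Run: [Hotbar] C:\Program Files\Hotbar\bin\hotbar.exe
"""


def main():
    for entry in new_entries(BASELINE_LOG, SUSPECT_LOG):
        print("NEW:", describe(entry))


if __name__ == "__main__":
    main()
```

Only the two constructed HotBar lines are printed; the eight entries that were already in the healthy report are not, which is exactly the narrowing that makes a baseline worth keeping. The diff is purely by text, so a legitimate program that moves its own startup entry will show up too; that is the right behaviour for a diagnostic aid, since the point is to surface every change for a human to judge, not to decide which changes are malicious.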

There is a basic tutorial on understanding the output here. As mentioned, posting your suspicious log to this spyware forum will also get you guidance. Or you could pester your favorite IT professional.

In summary, HijackThis is a powerful and free tool that gives you an under-the-hood look at the places where malware hooks itself into the system, so that you can find it and remove it.

HijackThis is available here.

