HijackThis Log Quick Reference Help
Download HijackThis
Complete HijackThis Tutorial.pdf

Sectional Quick Reference:
R0, R1, R2, R3 - Internet Explorer Start/Search pages URLs
F0, F1, F2, F3 - Auto loading programs from system.ini/win.ini (F0, F1) and their Registry equivalents (F2, F3)
N1, N2, N3, N4 - Netscape/Mozilla Start/Search pages URLs
O1 - Hosts file redirection
O2 - Browser Helper Objects
O3 - Internet Explorer toolbars
O4 - Auto loading programs from Registry
O5 - IE Options icon not visible in Control Panel
O6 - IE Options access restricted by Administrator
O7 - Regedit access restricted by Administrator
O8 - Extra items in the IE right-click menu
O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu
O10 - Winsock hijacker
O11 - Extra group in IE 'Advanced Options' window
O12 - IE plugins
O13 - IE Default Prefix hijack
O14 - 'Reset Web Settings' hijack
O15 - Unwanted site in Trusted Zone
O16 - ActiveX Objects (aka Downloaded Program Files)
O17 - Lop.com/Domain Hijackers
O18 - Extra protocols and protocol hijackers
O19 - User style sheet hijack
O20 - AppInit_DLLs Registry value Autorun
O21 - ShellServiceObjectDelayLoad
O22 - SharedTaskScheduler
O23 - Windows XP/NT/2000 Services
O24 - Windows Active Desktop Components
Hosts File Location:
The hosts file is a plain text file that can be edited with any text editor. Unless Windows was installed to a different path, it is stored in the following location on each operating system:

Windows XP      C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
Windows NT      C:\WINNT\SYSTEM32\DRIVERS\ETC\HOSTS
Windows 2000    C:\WINNT\SYSTEM32\DRIVERS\ETC\HOSTS
Windows 2003    C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS

On Windows NT/2000/XP the location of the hosts file can be changed by modifying the Registry value below, so check that value before trusting a clean-looking file at the default path: a hijacker can point TCP/IP at a hosts file somewhere else entirely. The default data is %SystemRoot%\System32\drivers\etc.
Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters
Value: DatabasePath
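The following is an added example, not code from the page or from HijackThis itself. It parses a hosts file the way a reviewer reads an O1 section: every mapping that is not the stock localhost entry is reported, split into sinkholes (a name pointed at a loopback or 0.0.0.0 address, typically used to block antivirus update sites) and redirects (a name pointed at some other machine). It also checks whether a DatabasePath value still has its default data. The hosts file content is a constructed sample using example.* names and a documentation address, not data from a real machine.

```python
import ipaddress

# Constructed sample hosts file (not taken from any real machine). The first
# two mappings are what a stock Windows hosts file contains; the rest are the
# kinds of entries HijackThis reports as O1.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.org          # sinkholed: the name no longer resolves usefully
127.0.0.1       update.example.net       # sinkholed: e.g. an antivirus update host
203.0.113.7     www.example.com          # redirected to another machine
"""

# Names that legitimately map to a loopback address in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Default data of HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DatabasePath.
DEFAULT_DATABASEPATH = r"%SystemRoot%\System32\drivers\etc"


def classify(ip, host):
    """Label one ip->host mapping as default, block (sinkhole) or redirect."""
    if host.lower() in LOCAL_NAMES:
        return "default" if ip.is_loopback else "redirect"
    if ip.is_loopback or ip.is_unspecified:   # 127.x.x.x, ::1, 0.0.0.0
        return "block"
    return "redirect"


def parse_hosts(text):
    """Return (line_no, ip, host, label) for every mapping in a hosts file."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            # Not an address at all: report it rather than silently skipping it.
            entries.append((line_no, fields[0], " ".join(fields[1:]), "malformed"))
            continue
        for host in fields[1:]:                  # one line may list several names
            entries.append((line_no, str(ip), host, classify(ip, host)))
    return entries


def find_redirections(text):
    """Everything a reviewer should look at: all non-default mappings."""
    return [e for e in parse_hosts(text) if e[3] != "default"]


def databasepath_is_default(value):
    """True if the DatabasePath data still points at the stock directory."""
    return value.strip().rstrip("\\").lower() == DEFAULT_DATABASEPATH.lower()


if __name__ == "__main__":
    for line_no, ip, host, label in find_redirections(SAMPLE_HOSTS):
        print(f"line {line_no}: {label:8} {ip} -> {host}")
    print("DatabasePath is default:", databasepath_is_default(DEFAULT_DATABASEPATH))
```

To run it against a real machine, read the file named by DatabasePath (after expanding %SystemRoot%) rather than assuming the default path, and feed that text to find_redirections. A block entry for a single ad server is usually deliberate; block entries for antivirus or Windows Update hosts, and any redirect entry, are what the O1 section is warning about.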
Program Startup Locations:
User's Startup Folder: Any files located in a user's Start Menu Startup folder will be listed as O4 - Startup. On Windows 2000/XP/2003 this folder is C:\Documents and Settings\USERNAME\Start Menu\Programs\Startup; on Vista it lives under C:\Users\USERNAME\ (C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup). These entries are executed when that particular user logs on to the computer.
All Users Startup Folder: These items refer to applications that load by being placed in the All Users profile's Start Menu Startup folder, and will be listed as O4 - Global Startup. On Windows 2000/XP/2003 this folder is C:\Documents and Settings\All Users\Start Menu\Programs\Startup; on Vista it is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup (C:\Users\All Users is a junction to C:\ProgramData). These entries are executed whenever any user logs on to the computer.
Note: In the listing below, HKLM stands for HKEY_LOCAL_MACHINE and HKCU stands for HKEY_CURRENT_USER.
Program Startup Locations:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices (Windows 95/98/ME only)
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (Windows 95/98/ME only)
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Explanation:
Run keys launch a program every time a user logs on to the machine: values under HKCU run when that user logs on, values under HKLM run when any user logs on.
RunOnce keys launch a program at the next logon only. By default the value is deleted before the command is run, so it does not run again on subsequent logons; if the value name begins with an exclamation mark ("!"), the value is deleted only after the command has finished.
RunServices keys exist on Windows 95/98/ME only. They launch a background process during boot, before anyone logs on; Windows NT/2000/XP and later ignore them.
RunServicesOnce keys are the run-once form of RunServices, again on Windows 95/98/ME only. Unlike the RunServices keys, when a program is launched from the RunServicesOnce key its entry is removed from the Registry so it does not run again on subsequent boots.
RunOnceEx keys launch a program once and then remove the entry from the Registry. This key is typically used by installation or update programs.
Policies\Explorer\Run keys are the Registry form of the Group Policy setting that has a program launch automatically when a user, or all users, logs on to the computer. Explorer honours the key whether or not it was set through Group Policy, so it is worth checking on stand-alone machines too. Under the Policies\Explorer\Run key is a series of values, each of which has a program name as its data; when a user, or all users, logs on to the computer each value under the key is executed and the corresponding program is launched.
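The following is an added example, not code from the page or from HijackThis. It parses the text that `reg export` writes for the keys listed above and applies the two triage heuristics a reviewer uses on O4 lines: a startup program living in a user-writable directory, and a program carrying the name of a core system binary (svchost.exe, rundll32.exe, ...) but sitting outside System32. It also flags RunOnce values whose name starts with "!", since those survive until the command finishes. The .reg content is a constructed sample; the entry names, paths and the heuristic lists are illustrative choices, not a verdict list.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of what `reg export <key> file.reg` writes for a few of the
# keys listed above (the real file is UTF-16; shown here already decoded).
# None of these entries comes from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\Public\\svchost.exe\" -silent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"!Cleanup"="C:\\Windows\\Temp\\cleanup.cmd"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"1"="C:\\Users\\alice\\AppData\\Roaming\\rundll32.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Directories an ordinary user can write to; a startup entry living there
# deserves a second look (heuristic, not a verdict).
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Binaries that belong in System32; the same name elsewhere is a classic disguise.
SYSTEM_NAMES = {"svchost.exe", "rundll32.exe", "explorer.exe", "lsass.exe",
                "csrss.exe", "winlogon.exe", "services.exe"}


def unescape(s):
    """Undo .reg escaping: a backslash escapes the character after it."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return (key, value_name, command) for every string value in a .reg dump."""
    key, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        # Only quoted (REG_SZ) data is handled; hex(2): expand-strings are skipped.
        if m and key and m.group(2).startswith('"'):
            entries.append((key, unescape(m.group(1)), unescape(m.group(2)[1:-1])))
    return entries


def executable_of(command):
    """The program a Run value launches: the quoted path, else the first token."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def in_windows_dir(path):
    """True if the path is under System32/SysWOW64 (assumes Windows on C:)."""
    p = path.lower().replace("%windir%", r"c:\windows").replace("%systemroot%", r"c:\windows")
    return "\\windows\\system32\\" in p or "\\windows\\syswow64\\" in p


def audit(entries):
    """Return only the entries with something to note, and why."""
    findings = []
    for key, name, command in entries:
        exe = executable_of(command)
        low = exe.lower()
        reasons = []
        if any(marker in low for marker in USER_WRITABLE):
            reasons.append("program lives in a user-writable directory")
        if PureWindowsPath(low).name in SYSTEM_NAMES and not in_windows_dir(low):
            reasons.append("system binary name outside System32")
        if key.upper().endswith("\\RUNONCE") and name.startswith("!"):
            # RunOnce deletes a value before running it, unless the name starts
            # with "!", in which case it is deleted only after the command finishes.
            reasons.append("RunOnce '!' entry: removed only after it runs")
        if reasons:
            findings.append({"key": key, "name": name, "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg_export(SAMPLE_REG)):
        print(f"{f['key']}\n  {f['name']} -> {f['exe']}")
        for r in f["reasons"]:
            print("    *", r)
```

On a live machine, export each key in the list above with `reg export`, decode the file from UTF-16, and pass the text to parse_reg_export. The heuristics only prioritise what to research; an entry that is not flagged can still be unwanted, which is why the startup databases listed below exist.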
A complete listing of other startup
locations that are not necessarily included in HijackThis can be
found here :
Windows Program Automatic Startup Locations
Sites to use for research on startup entries:
Bleeping Computer Startup Database
Answers that work
Greatis Startup Application Database
Pacman's Startup Programs List
Pacman's Startup Lists for Offline Reading
Kephyr File Database
Wintasks Process Library
The following are files that programs can autostart from on bootup:
1 c:\autoexec.bat
2 c:\config.sys
3 windir\wininit.ini - Usually used by setup programs to have a file run once and then get deleted.
4 windir\winstart.bat
5 windir\win.ini - [windows] "load"
6 windir\win.ini - [windows] "run"
7 windir\system.ini - [boot] "shell"
8 windir\system.ini - [boot] "scrnsave.exe"
9 windir\dosstart.bat - Used in Win95 or 98 when you select "Restart in MS-DOS mode" in the shutdown menu.
10 windir\system32\autoexec.nt - Processed by the NTVDM on Windows NT/2000/XP whenever a 16-bit or MS-DOS program is started.
11 windir\system32\config.nt - Loaded by the NTVDM together with autoexec.nt.
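The following is an added example, not code from the page or from HijackThis. It reads the two .ini files from the list above (items 5 to 8) and reports the departures from a clean system that the F0/F1 lines are about: anything besides Explorer.exe on the system.ini shell= line, a screensaver entry that is not a .scr file, and a non-empty load= or run= in win.ini. Both file contents are constructed samples with made-up paths.

```python
import configparser

# Constructed samples of the two .ini files (not from a real machine). A stock
# system.ini has shell=Explorer.exe with nothing after it; a stock win.ini has
# empty load= and run= lines.
SAMPLE_SYSTEM_INI = """\
[boot]
shell=Explorer.exe C:\\WINDOWS\\system\\winlogin.exe
scrnsave.exe=C:\\WINDOWS\\SYSTEM32\\logon.scr

[386Enh]
device=*vpowerd
"""

SAMPLE_WIN_INI = """\
[windows]
load=
run=C:\\WINDOWS\\system\\svchost32.exe
NullPort=None

[Extensions]
txt=notepad.exe ^.txt
"""


def _read(text):
    # strict=False tolerates the duplicate keys real .ini files contain;
    # interpolation=None keeps '%' in paths from being treated specially.
    cp = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def check_system_ini(text):
    """Findings for [boot]: extra programs on shell=, screensaver that is not a .scr."""
    cp = _read(text)
    findings = []
    shell = (cp.get("boot", "shell", fallback="") or "").strip()
    parts = shell.split()
    if not parts or parts[0].lower() != "explorer.exe":
        findings.append(f"shell= is '{shell}', expected Explorer.exe")
    for extra in parts[1:]:
        # Everything after Explorer.exe on this line is launched at startup.
        findings.append(f"shell= also launches {extra}")
    saver = (cp.get("boot", "scrnsave.exe", fallback="") or "").strip()
    if saver and not saver.lower().endswith(".scr"):
        findings.append(f"scrnsave.exe= runs a non-screensaver program: {saver}")
    return findings


def check_win_ini(text):
    """Findings for [windows] load= and run=, which are empty on a clean system."""
    cp = _read(text)
    findings = []
    for name in ("load", "run"):
        value = (cp.get("windows", name, fallback="") or "").strip()
        if value:
            findings.append(f"{name}= launches {value}")
    return findings


if __name__ == "__main__":
    for finding in check_system_ini(SAMPLE_SYSTEM_INI) + check_win_ini(SAMPLE_WIN_INI):
        print(finding)
```

On Windows NT/2000/XP the [boot] shell and the win.ini load/run values are mirrored into the Registry (the F2 and F3 lines), so a clean pair of .ini files does not by itself clear those sections.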