Explaining the O17 entries in a HijackThis log
When you are working with HijackThis logs your main effort will most likely be concentrated on the top part of the HJT log, since most hijacks and malware show up as R, F, N and O1-O4 entries. But eventually you will reach the bottom of the log, and from time to time there will be an O17 entry. These are often good, but sometimes bad. The following is advice on how to figure out which it is.

First of all, let's look at the guidance given by Merijn:

O17 - Lop.com domain hijacks
What it looks like:
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = W21944.find-quick.com
O17 - HKLM\Software\..\Telephony: DomainName = W21944.find-quick.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D196AB38-4D1F-45C1-9108-46D367F19F7E}: Domain = W21944.find-quick.com
What to do: If the domain is not from your ISP or company network, have HijackThis fix it.

Sounds easy enough: ask the poster whether it is his or her ISP, and if not have them fix it. However, not all posters will know whether it is, so the following are some hints that might enable you to give the poster some help.

THE REGISTRY ENTRY

As you might have noticed, the O17 entry points to an entry in the Registry (HKLM = HKEY_LOCAL_MACHINE), and this can be in several places in the registry. Windows uses several registry values to help resolve domain names into IP addresses: Domain is the DNS suffix appended to unqualified names, SearchList is the list of suffixes tried in order, and NameServer is the list of DNS servers that are asked. Hijacking these values can cause every program that uses the Internet to be redirected to other pages/servers for malicious reasons. A hijacked Domain or SearchList makes a single word typed into the address bar resolve under the attacker's domain, and a hijacked NameServer sends every page request to Domain Name Servers the attacker controls. This allows a remote "administrator" to direct users to the pages of their choosing. For example, if an infected user attempted to navigate to http://www.google.com, they could be routed to a different site. New versions of Lop.com use this method together with a (huge) list of cryptic domains. Your surfing will look almost normal, but with lop.com installed, searching directly from your browser address field will take you to a lop.com site and present you with advertising and probably a different search engine such as Search the Web (try looking at ao.lop.com).
Apart from the above, I have listed a couple of other examples below, but there are many more:

O17 - HKLM\System\CCS\Services\Tcpip\..\{268D59D3-2679-4CBC-A0B7-3A96BC0C8751}: NameServer = 1.1.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = itdmis02.futureshop.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = itdmis02.futureshop.com,futureshop.com,bestbuycanada.ca,bestbuy.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = itdmis02.futureshop.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = itdmis02.futureshop.com,futureshop.com,bestbuycanada.ca,bestbuy.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = itdmis02.futureshop.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = itdmis02.futureshop.com,futureshop.com,bestbuycanada.ca,bestbuy.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ao.lop.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{665F2FE6-9364-453A-AD28-9DDF4773B522}: Domain = ao.lop.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ao.lop.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ao.lop.com

In the examples listed you will notice the same entry in CCS, CS1 and CS2 (CurrentControlSet, ControlSet001 and ControlSet002), and if you search the registry the same entry (legitimate or not) is written in several places. ControlSet001, 002, 003 etc. are separate copies of the boot configuration required by the OS. CurrentControlSet is not a copy of its own but a link to whichever ControlSetNNN was used to boot the system (the number is recorded under HKLM\System\Select); on completion of a successful logon Windows marks that set as the Last Known Good configuration, which by default lives in ControlSet002. This is why an O17 fix has to cover all of the control sets shown in the log: a value left behind in the Last Known Good set comes back the next time the poster boots with that option.
Personally I don't have an entry like this, but the software from your ISP might have written it into the registry without you knowing, or you might have inserted it yourself, or some malware like lop.com or Troj/Qhost-1 could have done it. If you fix it using HijackThis the entries will be removed from the registry.

IS IT GOOD OR BAD?

The way to figure out if the entry is good or bad boils down to identifying whatever comes after the "=" sign. In the examples above it is (and these are all bad): "itdmis02.futureshop.com" / "futureshop.com" / "bestbuycanada.ca" / "mydomain.com" and of course "ao.lop.com", or it is the IP: "1.1.1.1" / "69.57.146.14".

Initially you should get suspicious and look for O17 entries when you see other signs of lop.com. The CLSID list at sysinfo.org will give you some help, since it often identifies the BHO and toolbar that show up with lop.com. Also, lop.com produces a randomly named executable followed by -QuiT (always capital Q and T), showing up as an O4 entry in the HijackThis log. But even without an indication of lop.com you need to check O17 entries. If the O17 has a domain name in it you can check it against the lists of lop.com domains at doxdesk and Wilders (see the links at the end). Also, if the O17 points towards a shopping site like "bestbuy" or similar, there is a good chance that it should be fixed. If you are not sure, remember to let the poster have a choice whether it should be removed or not. If it is an IP that shows up in the O17 entry it is a bit more difficult.
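The triage rules above can be turned into a small script that runs over a saved HijackThis log. The following Python is an added example written for this article; it is not HijackThis code and not part of the original write-up. It parses every O17 line, splits multi-valued SearchList/NameServer entries, tells IPs from domain names, groups the same value across CCS/CS1/CS2 and the interface GUID keys, and applies the rules: keep values that match the poster's ISP, fix known lop.com domains, treat other unknown domains as "fix" only when the log also shows the -QuiT O4 marker, otherwise ask the poster, and send unknown nameserver IPs off for research. The sample log, the ISP domain example-isp.net, the nameserver 192.0.2.53 and the shop-portal.example domain are constructed placeholders (the GUIDs are the ones quoted above); the single suffix "lop.com" stands in for the doxdesk/Wilders domain lists.

```python
import ipaddress
import re
from collections import defaultdict

# One HijackThis O17 line: "O17 - <registry key>: <value name> = <value>"
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\.+?): (?P<name>\w+) = (?P<value>.+?)\s*$")
# The lop.com O4 marker described in the text: a Run entry whose command ends in "-QuiT"
O4_QUIT_RE = re.compile(r"^O4 - .*-QuiT$")
# Which control set a key lives in (CCS = CurrentControlSet, CS1/CS2 = ControlSet001/002)
CONTROL_SET_RE = re.compile(r"\\System\\(CCS|CS\d+)\\", re.IGNORECASE)

# Constructed sample log, not a real poster's log. The ISP domain/nameserver and the
# shopping domain are placeholders from the documentation ranges (example/.example, 192.0.2.x, 203.0.113.x).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nmcgkd] C:\WINDOWS\nmcgkd.exe -QuiT
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ao.lop.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ao.lop.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ao.lop.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{665F2FE6-9364-453A-AD28-9DDF4773B522}: Domain = ao.lop.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = example-isp.net,shop-portal.example
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.0.2.53
O17 - HKLM\System\CCS\Services\Tcpip\..\{268D59D3-2679-4CBC-A0B7-3A96BC0C8751}: NameServer = 203.0.113.9 203.0.113.10
"""


def split_values(raw):
    """SearchList and NameServer may hold several comma- or space-separated entries."""
    return [v for v in re.split(r"[,\s]+", raw.strip()) if v]


def value_kind(token):
    """Tell an IP address apart from a domain name."""
    try:
        ipaddress.ip_address(token)
        return "ip"
    except ValueError:
        return "domain"


def parse_o17(log_text):
    """Return one dict per O17 line: registry key, control set, value name, value tokens."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        cs = CONTROL_SET_RE.search(m.group("key"))
        entries.append({
            "key": m.group("key"),
            "control_set": cs.group(1).upper() if cs else "?",
            "name": m.group("name"),
            "values": split_values(m.group("value")),
        })
    return entries


def has_lop_o4_marker(log_text):
    """True if the log shows the randomly named '-QuiT' Run entry typical of lop.com."""
    return any(O4_QUIT_RE.match(line.strip()) for line in log_text.splitlines())


def in_domain(name, suffixes):
    """True if name equals one of the suffixes or is a subdomain of one."""
    name = name.lower()
    return any(name == s or name.endswith("." + s) for s in suffixes)


def triage(log_text, isp_domains, isp_nameservers, bad_suffixes):
    """Map every O17 value to a verdict (keep/fix/ask/research), a reason and the keys holding it."""
    isp_domains = [d.lower() for d in isp_domains]
    isp_ns = {ipaddress.ip_address(n) for n in isp_nameservers}
    bad_suffixes = [s.lower() for s in bad_suffixes]
    lop_hint = has_lop_o4_marker(log_text)
    report = defaultdict(lambda: {"kind": None, "verdict": None, "reason": None, "keys": []})
    for entry in parse_o17(log_text):
        for tok in entry["values"]:
            kind = value_kind(tok)
            if kind == "ip":
                if ipaddress.ip_address(tok) in isp_ns:
                    verdict, reason = "keep", "poster's ISP nameserver"
                else:
                    verdict, reason = "research", "unknown nameserver: whois / search the IP"
            elif in_domain(tok, isp_domains):
                verdict, reason = "keep", "poster's ISP or company domain"
            elif in_domain(tok, bad_suffixes):
                verdict, reason = "fix", "matches a known lop.com domain"
            elif lop_hint:
                verdict, reason = "fix", "unknown domain and the log has a lop.com -QuiT O4 entry"
            else:
                verdict, reason = "ask", "unknown domain: let the poster confirm before fixing"
            rec = report[tok]
            rec.update(kind=kind, verdict=verdict, reason=reason)
            rec["keys"].append(entry["key"])  # same value in CCS, CS1, CS2 and GUID keys
    return dict(report)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG, ["example-isp.net"], ["192.0.2.53"], ["lop.com"])
    for tok, rec in result.items():
        print(f"{rec['verdict']:8} {tok:24} {rec['reason']} ({len(rec['keys'])} key(s))")
```

The report lists every registry key that carries a bad value, which matters because the same lop.com domain sits in CurrentControlSet, ControlSet001, ControlSet002 and the per-interface GUID key at once; fixing only one of them leaves the others to come back. Replace the placeholder ISP values with what the poster tells you, and the "research" bucket is the list of IPs to run through the whois and search steps described below.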
The following links give you a chance to research the character of an IP:

http://msv.dk/
http://www.whois.sc/
http://www.samspade.org/
http://www.dnsstuff.com/
http://www.network-tools.com/default.asp?p...ost=209.244.0.3
http://www.unixhub.com/block.html (list of bad IPs)
http://www.geektools.com/traceroute.php (list of other relevant whois sites)
IESPYADListing.htm (IESPYAD list of 7000+ IPs and domains to avoid)

However, Rand1038 gave me a method that is now my preferred one. Do a Google search of the IP. When Google comes back with no relevant hits you have the option of continuing the search with "Find web pages that contain the term xxx.xxx.xxx.xxx" (the x's are the IP you are researching). Click this and read through the different hits; this will often give you a good idea of what the IP is for. If it is a legitimate entry you will often find links to ISPs giving instructions on how to set up your Internet connection. Bad entries will give you links to suspicious pages, porn sites, shopping sites etc. Finally, if you are well protected (and preferably on a machine you would not mind cleaning afterwards) you might want to enter the IP into the address field of your browser and see where it takes you.

You will not always be able to identify whether it is good or bad, but this will give you a good start. For more on this subject, and for learning purposes, do a search at TC, SWI etc. for lop.com and O17 and watch the experts dealing with this problem in HijackThis logs.

http://www.doxdesk.com/parasite/lop.html
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100719