What is
HijackThis?
HijackThis is a program originally developed by Merijn
Bellekom, a Dutch student studying chemistry and computer science. One
of Merijn's programs, Hijackthis, is an essential utility to help find
and remove spyware, viruses, worms, trojans and other pests.
This is a basic guide to understanding the HijackThis logs, what
specific sections mean and some tips on reading it yourself. Although
its best to have a knowledgeable person help you examine the Hijackthis
log and decide what to remove, its helpful to have a basic
understanding of what the different sections mean and how they work.
In March 2007, Merijn sold Hijackthis to TrendMicro
because he didnt have the time and energy to update it and support it.
Trend Micro has incorporated many of Merijn's changes, updates, and
fixes and released a version 2 of Hijackthis.
|
|
Download HijackThis
To
Download the original Hijackthis, click on the following link.
http://www.pchell.com/downloads/HijackThis.exe
To Download the NEW HijackThis 2.0, click below
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php
New Features
The
newest feature of HijackThis 2.0 is a button called AnalyzeThis that
will upload your HijackThis log to the TrendSecure website and compare
it to other uploaded log files. You can see a sample screenshot by clicking here.
Unfortunately I was hoping for more from this feature, although it does
give you a rough estimate of the number of users that have a particular
file in their logs as well. For the novice user however this doesnt
explain WHAT the file does and if its really a threat or not. A better
online tool to analyze the Hijackthis logs is found at http://www.hijackthis.de.
There you can either cut and paste a copy of your HijackThis log or
upload a log file from your computer to analyze. This information
returned from the HijackThis.DE site is much more helpful in
determining good and bad items in the log. For a screenshot of the
Hijackthis.de analysis click here.
There appear to be other minor modifications as well.
Overview of items in the HijackThis logs
Each line in a HijackThis log starts with a section name. (For
technical information on this, click 'Info' in the main window and
scroll down. Highlight a line and click 'More info on this item'.)
R0,
R1, R2, R3 - IE Start & Search page
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
What it looks like:
R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start
Page=http://www.google.com/
R1 - HKLMSoftwareMicrosoftInternet
ExplorerMain,Default_Page_URL=http://www.google.com/
R3 - Default URLSearchHook is missing
What to do:
If you recognize the URL at the end as your homepage or search engine,
it's OK. If you don't, check it and have HijackThis fix it. In cases
like a hijacker you may want to leave them til later but
in general if you dont recognize it, fix it.
For the R3 items, always fix them unless it mentions a program you
recognize.
F0,
F1, F2, F3 - Autoloading programs
F0 - Changed inifile value
F1 - Created inifile value
F2 - Changed inifile value, mapped to Registry
F3 - Created inifile value, mapped to Registry
What it looks like:
F0 - system.ini: Shell=Explorer.exe Openme.exe
F1 - win.ini: run=hpfsched
What to do:
The F0 items are always bad, so fix them.
The F1 items are usually very old programs that are safe, so you should
find some more info on the filename to see if it's good or bad.
N1,
N2, N3, N4 - Netscape/Mozilla Start & Search page
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
What it looks like:
N1 - Netscape 4: user_pref("browser.startup.homepage",
"www.google.com"); (C:Program FilesNetscapeUsersdefaultprefs.js)
N2 - Netscape 6: user_pref("browser.startup.homepage",
"http://www.google.com"); (C:Documents and SettingsUserApplication
DataMozillaProfilesdefaulto9t1tfl.sltprefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine",
"engine://C%3A%5CProgram%20Files%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src");
(C:Documents and SettingsUserApplication
DataMozillaProfilesdefaulto9t1tfl.sltprefs.js)
What to do:
Usually the Netscape and Mozilla homepage and search page are safe.
They rarely get hijacked. Should you see an URL you don't recognize as
your homepage or search page, have HijackThis fix it.
O1
- Hosts file redirection
What it looks like:
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
What to do:
This hijack will redirect the address to the right to the IP address to
the left. If the IP does not belong to the address, you will be
redirected to a wrong site everytime you enter the address. You can
always have HijackThis fix these, unless you knowingly put those lines
in your Hosts file.
O2
- Browser Helper Objects
What it looks like:
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59}
- C:PROGRAM FILESYAHOO!COMPANIONYCOMP5_0_2_4.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} -
C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
What to do:
If you don't directly recognize a Browser Helper Object's name, use TonyK's BHO List to
find it by the class ID (CLSID, the number between curly brackets) and
see if it's good or bad. In the BHO List, 'X' means spyware and 'L'
means safe. Or Upload your Hijackthis log to the Online HijackThis Analyzer and see if its safe.
O3 - IE toolbars
What it looks like:
O3 - Toolbar: &Yahoo! Companion -
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:PROGRAM
FILES\YAHOO!COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: Popup Eliminator - {86BCA93E-457B-4054-AFB0-E428DA1563E1}
- C:PROGRAM FILES\POPUP ELIMINATOR\PETOOLBAR401.DLL (file missing)
O3 - Toolbar: &RoboForm -
{724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber
Systems\AI RoboForm\RoboForm.dll
What to do:
If you don't directly recognize a toolbar's name, use TonyK's Toolbar
List to find it by the class ID (CLSID, the number between
curly brackets) and see if it's good or bad. In the Toolbar List, 'X'
means spyware and 'L' means safe.
If it's not on the list and the name seems a random string of
characters and the file is somewhere in a folder named 'Application
Data', it's definitely bad, and you should have HijackThis fix it. Or Upload your Hijackthis log to the Online HijackThis Analyzer and see if its safe.
O4
- Autoloading programs from Registry
What it looks like:
O4 - HKLM..Run: [ScanRegistry] C:WINDOWSscanregw.exe /autorun
O4 - HKLM..Run: [SystemTray] SysTray.Exe
O4 - HKLM..Run: [ccApp] "C:Program FilesCommon FilesSymantec
SharedccApp.exe"
O4 - Startup: Microsoft Office.lnk = C:Program FilesMicrosoft
OfficeOfficeOSA9.EXE
What to do:
Use PacMan's
Startup List to find the entry and see if it's good or bad.
O5
- IE Options not visible in Control Panel
What it looks like:
O5 - control.ini: inetcpl.cpl=no
What to do:
Unless you've knowingly hidden the icon from Control Panel, have
HijackThis fix it.
O6
- IE Options access restricted by Administrator
What it looks like:
O6 - HKCUSoftwarePoliciesMicrosoftInternet ExplorerRestrictions present
What to do:
Unless you have the Spybot S&D option 'Lock homepage from
changes' active, have HijackThis fix this.
O7
- Regedit access restricted by Administrator
What it looks like:
O7 - HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem,
DisableRegedit=1
What to do:
Always have HijackThis fix this.
O8
- Extra items in IE right-click menu
What it looks like:
O8 - Extra context menu item: &Google Search -
res://C:WINDOWSDOWNLOADED PROGRAM
FILESGOOGLETOOLBAR_EN_1.1.68-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Yahoo! Search - file:///C:Program
FilesYahoo!Common/ycsrch.htm
What to do:
If you don't recognize the name of the item in the right-click menu in
IE, have HijackThis fix it.
O9
- Extra buttons on main IE toolbar, or extra items in IE 'Tools' menu
What it looks like:
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
What to do:
If you don't recognize the name of the button or menuitem, have
HijackThis fix it.
O10
- Winsock hijackers
What it looks like:
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider
'c:progra~1\common~2\toolbarcnmib.dll' missing
O10 - Unknown file in Winsock LSP: c:program files\newton
knows\vmain.dll
What to do:
It's best to fix these using LSPFix from Cexx.org or WinsockXPFix
O11
- Extra group in IE 'Advanced Options' window
What it looks like:
O11 - Options group: [CommonName] CommonName
What to do:
The only hijacker as of now that adds its own options group to the IE
Advanced Options window is CommonName. So you can always have
HijackThis fix this.
O12
- IE plugins
What it looks like:
O12 - Plugin for .spop: C:Program Files\Internet
Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .PDF: C:Program Files\Internet
Explorer\PLUGINS\ppdf32.dll
What to do:
Most of the time these are safe. Only OnFlow adds a plugin here that
you don't want (.ofb).
O13
- IE DefaultPrefix hijack
What it looks like:
O13 - DefaultPrefix: http://www.pixpox.com/cgi-bin/click.pl?url=
O13 - WWW Prefix: http://prolivation.com/cgi-bin/r.cgi?
What to do:
These are always bad. Have HijackThis fix them.
O14
- 'Reset Web Settings' hijack
What it looks like:
O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com
What to do:
If the URL is not the provider of your computer or your ISP, have
HijackThis fix it.
O15
- Unwanted site in Trusted Zone
What it looks like:
O15 - Trusted Zone: http://www.badspyware.com
What to do:
Many different spyware and adware programs will add items to the
Tursted Zone. In most cases, you'll want to remove these with
HijackThis.
O16
- ActiveX Objects (aka Downloaded Program Files)
What it looks like:
O16 - DPF: Yahoo! Chat -
http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
What to do:
If you don't recognize the name of the object, or the URL it was
downloaded from, have HijackThis fix it. If the name or URL contains
words like 'dialer', 'casino', 'free_plugin' etc, definitely fix it.
O17
- Lop.com domain hijacks
What it looks like:
O17 - HKLMSystemCCSServicesVxDMSTCP: Domain = aoldsl.net
O17 - HKLMSystemCCSServicesTcpipParameters: Domain =
W21944.find-quick.com
O17 - HKLMSoftware..Telephony: DomainName = W21944.find-quick.com
O17 -
HKLMSystemCCSServicesTcpip..{D196AB38-4D1F-45C1-9108-46D367F19F7E}:
Domain = W21944.find-quick.com
What to do:
If the domain is not from your ISP or company network, have HijackThis
fix it. You may want to run the Lop.com uninstaller as well to clean up misc Lop problems.
O18
- Extra protocols and protocol hijackers
What it looks like:
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} -
C:PROGRA~1\COMMON~1\MSIETS\msielink.dll
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82}
O18 - Protocol hijack: http - {66993893-61B8-47DC-B10D-21E0C86DD9C8}
What to do:
Only a few hijackers show up here. The known baddies are 'cn'
(CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar), you should
have HijackThis fix those. Other things that show up are either not confirmed safe yet, or are
hijacked by spyware. In the last case, have HijackThis fix it.
O19
- User style sheet hijack
What it looks like:
O19 - User style sheet: c:WINDOWS\Java\my.css
What to do:
In the case of a browser slowdown and frequent popups, have HijackThis
fix this item if it shows up in the log.
O20 - AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
What it looks like:
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 -
Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: dvd4free -
C:\WINDOWS\SYSTEM32\dvd4free.dll
What to do:
Although
some of these files are legitimate, many are spyware/adware hijacks
that need to be removed. You can upload your log to the Hijackthis.de Online Analyzer
O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
What it looks like:
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -
C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: Trayz - {F5B7D0BE-5f02-4211-96DB-386DFA244900} -
C:\WINDOWS\lghngdne.dll
What to do:
Not all entries are bad, but you should check Online Hijackthis Analyzer to verify before deleting an entry.
O22 - SharedTaskScheduler autorun Registry key
What it looks like:
O22 - SharedTaskScheduler: Browseui preloader -
{438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon -
{8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
What to do:
Again, many of these entries are good. The old version of Hijackthis
1.99 didnt check this section, while Hijack version 2 does. SmitFraud attacks usually hide here. Check the Online Hijackthis Analyzer if you are unsure before deleting.
O23 - Enumeration of NT Services
What it looks like:
O23 - Service: AlfaCleanerService - AlfaCleaner.com
- C:\Program Files\AlfaCleaner\ACServer.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies -
D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown -
C:\WINDOWS\system32\sdkkv32.exe
What to do:
These are services which are loaded by the Service Control
Manager in Windows 2000, XP, and Vista. They are generally loaded at
bootup, before a user logs in. Firewalls and other important programs
but rogue cleaning programs like AlfaCleaner may also load here. Check the Online Hijackthis Analyzer if you are unsure before deleting.
O24 - Enumeration of ActiveX Desktop Components
What it looks like:
What to do:
If
something in your log still puzzles you after this short tutorial,
there is nothing stopping you from posting at many of the hijackthis related forums on the web.
Printer Friendly Version of This Page
Bookmark and Share this Article on PCHELL with these Social Networks:
Removal Instructions for Other Programs
Spyware Removal and Other Resources
Essential Tools for Removing Spyware, Adware, and Malware
Rootkit Removal Tools and Help
How to Delete Undeleteable Files
Review of Free Registry Cleaner
How to Manually Run the Microsoft Malicious Software Removal Tool
Review of WinsockFix
How to Remove Windows Diagnostic or Windows Restore malware
Review of SuperAntiSpyware
How to Remove SurferBar
How to Remove Starware
Bargain Buddy Removal Instructions and Help
Bonzi Buddy Removal
Click2FindNow and I-Lookup Removal
Comet Cursor Removal
Electronic Greeting Card Virus - MSDATAACCESS.EXE Removal Instructions and Help
Date Manager Removal
Powered by Zedo Popup Ad Removal Instructions and Help
Search and Destroy Removal Instructions and Help
Spyaxe, Spy Trooper, Spy Sheriff, Brave Sentry and Similar Removal Instructions and Help
TheSpyBot Removal Instructions and Help
Spam Blocker Utility Removal Instructions and Help
DriveCleaner Removal Instructions and Help
Alfacleaner Removal Instructions and Help
Spylocked Removal Instructions and Help
AntivirusGolden Removal Instructions and Help
VirusProtectPro Removal Instructions and Help
UltimateDefender and UltimateCleaner 2007 Removal Instructions and Help
VirusRescue Removal Instructions and Help
PestCapture Removal Instructions and Help
SystemDoctor 2006 Removal Instructions and Help
How to Fix Task Manager disabled by your Administrator
How to Fix Problem Changing Desktop Wallpaper
How to Remove SmitFraud Variants like WinAntivirus Pro 2007 and PestCapture
SurfSideKick Removal Instructions and Help
How to Remove Zango Search Assistant and Toolbar
How to Remove Alot Toolbar
About:Blank Homepage Hijacker Removal Instructions and Help
Kazaa Removal Instructions and Help
How to Disable Windows XP Security Alert Balloons and Notifications
res://random.dll Homepage Hijacker Removal Instructions and Help
IBIS Web Search (websearch.com) Removal Instructions and Help
Open Search Web (Lop.com) Removal Instructions and Help
UPDMGR.EXE Removal Instructions and Help
FCADVICE.EXE Removal Instructions and Help
U3 Smart Drives - What are they and how to remove U3
Dubolom.com Homepage Hijacker Removal Instructions and Help
DSO Exploit Removal Instructions and Help
FastSearch.cc Homepage Hijacker Removal Instructions and Help
My Web Search Removal Instructions and Help
Cursor Mania Removal Instructions and Help
Fun Buddy Icons Removal Instructions and Help
Smiley Central Removal Instructions and Help
My Mail Stamps Removal Instructions and Help
My Mail Stationery Removal Instructions and Help
My Mail Signatures Removal Instructions and Help
Fun Web Products Popular Screensavers Removal Instructions and Help
Webfetti Removal Instructions and Help
What is PDF Spam and Does it Contain Viruses
Gator Software Removal
Hugesearch.net Homepage Hijacker Removal Instructions and Help
Search-Space.com and Start-Space.com Homepage Hijacker Removal Instructions and Help
How to Remove Global-Finder.com Homepage Hijacker
Globaltoolbar Removal
GoHip Software Removal
HotBar Toolbar Removal
Huntbar and Search Toolbar Info and Removal
Look2Me Removal Instructions and Help
Lookfor.cc (res://mshp.dll/index.html) Homepage Hijacker Removal Instructions and Help
MaximumSearch.net Homepage Hijacker Removal Instructions and Help
Ncase Removal Instructions and Help
People OnPage Toolbar Info and Removal
Precision Time Removal
Prolivation.com Removal
SaveNow and NewDotNet Removal
SearchMyRequest.com Homepage Hijacker Removal Instructions and Help
Smartsearch.ws Homepage Hijacker Removal Instructions and Help
SysUpd.exe (TSCash) Removal Instructions and Help
Ezula TopText (yellow underlined links) Removal Instructions and Help
How to Remove SpeedBlaster and MemoryMeter
TopRebates and WebRebates Removal Instructions and Help
Twaintec.dll Removal Instructions and Help
Viewpoint Removal Instructions and Help
WeatherBug Removal
WildTangent Removal Instructions and Help
WinTools Removal Instructions and Help
Xupiter Removal
Xzoomy.com Removal
ZY Web Search (db105.com) Removal
|