HijackThis Tutorial
Essential program to help remove spyware

What is HijackThis?
HijackThis is a program originally developed by Merijn Bellekom, a Dutch student studying chemistry and computer science. One of Merijn's programs, Hijackthis, is an essential utility to help find and remove spyware, viruses, worms, trojans and other pests.

This is a basic guide to understanding the HijackThis logs, what specific sections mean and some tips on reading it yourself. Although its best to have a knowledgeable person help you examine the Hijackthis log and decide what to remove, its helpful to have a basic understanding of what the different sections mean and how they work.


In March 2007, Merijn sold Hijackthis to TrendMicro because he didnt have the time and energy to update it and support it. Trend Micro has incorporated many of Merijn's changes, updates, and fixes and released a version 2 of Hijackthis.

Download HijackThis

To Download the original Hijackthis, click on the following link.

http://www.pchell.com/downloads/HijackThis.exe

To Download the NEW HijackThis 2.0, click below

http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php

New Features

The newest feature of HijackThis 2.0 is a button called AnalyzeThis that will upload your HijackThis log to the TrendSecure website and compare it to other uploaded log files. You can see a sample screenshot by clicking here. Unfortunately I was hoping for more from this feature, although it does give you a rough estimate of the number of users that have a particular file in their logs as well. For the novice user however this doesnt explain WHAT the file does and if its really a threat or not. A better online tool to analyze the Hijackthis logs is found at http://www.hijackthis.de. There you can either cut and paste a copy of your HijackThis log or upload a log file from your computer to analyze. This information returned from the HijackThis.DE site is much more helpful in determining good and bad items in the log. For a screenshot of the Hijackthis.de analysis click here.

There appear to be other minor modifications as well. 

Overview of items in the HijackThis logs

Each line in a HijackThis log starts with a section name. (For technical information on this, click 'Info' in the main window and scroll down. Highlight a line and click 'More info on this item'.)


R0, R1, R2, R3 - IE Start & Search page

R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be


What it looks like:

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page=http://www.google.com/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL=http://www.google.com/
R3 - Default URLSearchHook is missing

What to do:
If you recognize the URL at the end as your homepage or search engine, it's OK. If you don't, check it and have HijackThis fix it. In cases like a hijacker you may want to leave them til later but in general if you dont recognize it, fix it.
For the R3 items, always fix them unless it mentions a program you recognize.


F0, F1, F2, F3 - Autoloading programs

F0 - Changed inifile value
F1 - Created inifile value
F2 - Changed inifile value, mapped to Registry
F3 - Created inifile value, mapped to Registry


What it looks like:
F0 - system.ini: Shell=Explorer.exe Openme.exe
F1 - win.ini: run=hpfsched

What to do:
The F0 items are always bad, so fix them.
The F1 items are usually very old programs that are safe, so you should find some more info on the filename to see if it's good or bad.


N1, N2, N3, N4 - Netscape/Mozilla Start & Search page

N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla


What it looks like:
N1 - Netscape 4: user_pref("browser.startup.homepage", "www.google.com"); (C:Program FilesNetscapeUsersdefaultprefs.js)
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.google.com"); (C:Documents and SettingsUserApplication DataMozillaProfilesdefaulto9t1tfl.sltprefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:Documents and SettingsUserApplication DataMozillaProfilesdefaulto9t1tfl.sltprefs.js)

What to do:
Usually the Netscape and Mozilla homepage and search page are safe. They rarely get hijacked. Should you see an URL you don't recognize as your homepage or search page, have HijackThis fix it.


O1 - Hosts file redirection

What it looks like:
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch

What to do:
This hijack will redirect the address to the right to the IP address to the left. If the IP does not belong to the address, you will be redirected to a wrong site everytime you enter the address. You can always have HijackThis fix these, unless you knowingly put those lines in your Hosts file.


O2 - Browser Helper Objects

What it looks like:
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:PROGRAM FILESYAHOO!COMPANIONYCOMP5_0_2_4.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll

What to do:
If you don't directly recognize a Browser Helper Object's name, use TonyK's BHO List to find it by the class ID (CLSID, the number between curly brackets) and see if it's good or bad. In the BHO List, 'X' means spyware and 'L' means safe. Or Upload your Hijackthis log to the Online HijackThis Analyzer and see if its safe.


O3 - IE toolbars

What it looks like:
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:PROGRAM FILES\YAHOO!COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: Popup Eliminator - {86BCA93E-457B-4054-AFB0-E428DA1563E1} - C:PROGRAM FILES\POPUP ELIMINATOR\PETOOLBAR401.DLL (file missing)
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll

What to do:
If you don't directly recognize a toolbar's name, use TonyK's Toolbar List to find it by the class ID (CLSID, the number between curly brackets) and see if it's good or bad. In the Toolbar List, 'X' means spyware and 'L' means safe.
If it's not on the list and the name seems a random string of characters and the file is somewhere in a folder named 'Application Data', it's definitely bad, and you should have HijackThis fix it. 
Or Upload your Hijackthis log to the Online HijackThis Analyzer and see if its safe.


O4 - Autoloading programs from Registry

What it looks like:
O4 - HKLM..Run: [ScanRegistry] C:WINDOWSscanregw.exe /autorun
O4 - HKLM..Run: [SystemTray] SysTray.Exe
O4 - HKLM..Run: [ccApp] "C:Program FilesCommon FilesSymantec SharedccApp.exe"
O4 - Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOfficeOSA9.EXE

What to do:
Use PacMan's Startup List to find the entry and see if it's good or bad.


O5 - IE Options not visible in Control Panel

What it looks like:
O5 - control.ini: inetcpl.cpl=no

What to do:
Unless you've knowingly hidden the icon from Control Panel, have HijackThis fix it.


O6 - IE Options access restricted by Administrator

What it looks like:
O6 - HKCUSoftwarePoliciesMicrosoftInternet ExplorerRestrictions present

What to do:
Unless you have the Spybot S&D option 'Lock homepage from changes' active, have HijackThis fix this.


O7 - Regedit access restricted by Administrator

What it looks like:
O7 - HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem, DisableRegedit=1

What to do:
Always have HijackThis fix this.


O8 - Extra items in IE right-click menu

What it looks like:
O8 - Extra context menu item: &Google Search - res://C:WINDOWSDOWNLOADED PROGRAM FILESGOOGLETOOLBAR_EN_1.1.68-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Yahoo! Search - file:///C:Program FilesYahoo!Common/ycsrch.htm

What to do:
If you don't recognize the name of the item in the right-click menu in IE, have HijackThis fix it.


O9 - Extra buttons on main IE toolbar, or extra items in IE 'Tools' menu

What it looks like:
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: AIM (HKLM)

What to do:
If you don't recognize the name of the button or menuitem, have HijackThis fix it.


O10 - Winsock hijackers

What it looks like:
O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'c:progra~1\common~2\toolbarcnmib.dll' missing
O10 - Unknown file in Winsock LSP: c:program files\newton knows\vmain.dll


What to do:
It's best to fix these using LSPFix from Cexx.org or  WinsockXPFix


O11 - Extra group in IE 'Advanced Options' window

What it looks like:
O11 - Options group: [CommonName] CommonName

What to do:
The only hijacker as of now that adds its own options group to the IE Advanced Options window is CommonName. So you can always have HijackThis fix this.


O12 - IE plugins

What it looks like:
O12 - Plugin for .spop: C:Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .PDF: C:Program Files\Internet Explorer\PLUGINS\ppdf32.dll

What to do:
Most of the time these are safe. Only OnFlow adds a plugin here that you don't want (.ofb).


O13 - IE DefaultPrefix hijack

What it looks like:
O13 - DefaultPrefix: http://www.pixpox.com/cgi-bin/click.pl?url=
O13 - WWW Prefix: http://prolivation.com/cgi-bin/r.cgi?

What to do:
These are always bad. Have HijackThis fix them.


O14 - 'Reset Web Settings' hijack

What it looks like:
O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com

What to do:
If the URL is not the provider of your computer or your ISP, have HijackThis fix it.


O15 - Unwanted site in Trusted Zone

What it looks like:
O15 - Trusted Zone: http://www.badspyware.com

What to do:
Many different spyware and adware programs will add items to the Tursted Zone. In most cases, you'll want to remove these with HijackThis.


O16 - ActiveX Objects (aka Downloaded Program Files)

What it looks like:
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

What to do:
If you don't recognize the name of the object, or the URL it was downloaded from, have HijackThis fix it. If the name or URL contains words like 'dialer', 'casino', 'free_plugin' etc, definitely fix it.


O17 - Lop.com domain hijacks

What it looks like:
O17 - HKLMSystemCCSServicesVxDMSTCP: Domain = aoldsl.net
O17 - HKLMSystemCCSServicesTcpipParameters: Domain = W21944.find-quick.com
O17 - HKLMSoftware..Telephony: DomainName = W21944.find-quick.com
O17 - HKLMSystemCCSServicesTcpip..{D196AB38-4D1F-45C1-9108-46D367F19F7E}: Domain = W21944.find-quick.com

What to do:
If the domain is not from your ISP or company network, have HijackThis fix it. You may want to run the Lop.com uninstaller as well to clean up misc Lop problems.


O18 - Extra protocols and protocol hijackers

What it looks like:
O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:PROGRA~1\COMMON~1\MSIETS\msielink.dll
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82}
O18 - Protocol hijack: http - {66993893-61B8-47DC-B10D-21E0C86DD9C8}

What to do:
Only a few hijackers show up here. The known baddies are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar), you should have HijackThis fix those. Other things that show up are either not confirmed safe yet, or are hijacked by spyware. In the last case, have HijackThis fix it.


O19 - User style sheet hijack

What it looks like:
O19 - User style sheet: c:WINDOWS\Java\my.css

What to do:
In the case of a browser slowdown and frequent popups, have HijackThis fix this item if it shows up in the log.


O20 - AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys 

What it looks like:
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: msupdate - C:\WINDOWS\SYSTEM32\msupdate32.dll
O20 - Winlogon Notify: dvd4free - C:\WINDOWS\SYSTEM32\dvd4free.dll

What to do:
Although some of these files are legitimate, many are spyware/adware hijacks that need to be removed. You can upload your log to the Hijackthis.de Online Analyzer


O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key 

What it looks like:
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O21 - SSODL: Trayz - {F5B7D0BE-5f02-4211-96DB-386DFA244900} - C:\WINDOWS\lghngdne.dll

What to do:
Not all entries are bad, but you should check  Online Hijackthis Analyzer to verify before deleting an entry.


O22 - SharedTaskScheduler autorun Registry key 

What it looks like:
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

What to do:
Again, many of these entries are good. The old version of Hijackthis 1.99 didnt check this section, while Hijack version 2 does. SmitFraud attacks usually hide here. Check the Online Hijackthis Analyzer if you are unsure before deleting.


O23 - Enumeration of NT Services 

What it looks like:
O23 - Service: AlfaCleanerService - AlfaCleaner.com - C:\Program Files\AlfaCleaner\ACServer.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - D:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\sdkkv32.exe

What to do:
These are services which are loaded by the Service Control Manager in Windows 2000, XP, and Vista. They are generally loaded at bootup, before a user logs in. Firewalls and other important programs but rogue cleaning programs like AlfaCleaner may also load here.
Check the Online Hijackthis Analyzer if you are unsure before deleting.


O24 - Enumeration of ActiveX Desktop Components

What it looks like:

What to do:


If something in your log still puzzles you after this short tutorial, there is nothing stopping you from posting at many of the hijackthis related forums on the web.  


Printer Friendly Version of This Page






Bookmark and Share this Article on PCHELL with these Social Networks:
Add to: Mr. Wong Add to: Digg Add to: Del.icio.us Add to: Reddit Add to: Simpy Add to: StumbleUpon Add to: Slashdot Add to: Netscape Add to: Furl Add to: Yahoo Add to: Spurl Add to: Google Add to: Blinklist Add to: Blogmarks Add to: Technorati Add to: Blinkbits Add to: Ma.Gnolia


Removal Instructions for Other Programs

Spyware Removal and Other Resources

Essential Tools for Removing Spyware, Adware, and Malware

Rootkit Removal Tools and Help

How to Delete Undeleteable Files

Review of Free Registry Cleaner

How to Manually Run the Microsoft Malicious Software Removal Tool

Review of WinsockFix

How to Remove Windows Diagnostic or Windows Restore malware

Review of SuperAntiSpyware

How to Remove SurferBar

How to Remove Starware

Bargain Buddy Removal Instructions and Help

Bonzi Buddy Removal

Click2FindNow and I-Lookup Removal

Comet Cursor Removal

Electronic Greeting Card Virus - MSDATAACCESS.EXE Removal Instructions and Help

Date Manager Removal

Powered by Zedo Popup Ad Removal Instructions and Help

Search and Destroy Removal Instructions and Help

Spyaxe, Spy Trooper, Spy Sheriff, Brave Sentry and Similar Removal Instructions and Help

TheSpyBot Removal Instructions and Help

Spam Blocker Utility Removal Instructions and Help

DriveCleaner Removal Instructions and Help

Alfacleaner Removal Instructions and Help

Spylocked Removal Instructions and Help

AntivirusGolden Removal Instructions and Help

VirusProtectPro Removal Instructions and Help

UltimateDefender and UltimateCleaner 2007 Removal Instructions and Help

VirusRescue Removal Instructions and Help

PestCapture Removal Instructions and Help

SystemDoctor 2006 Removal Instructions and Help

How to Fix Task Manager disabled by your Administrator

How to Fix Problem Changing Desktop Wallpaper

How to Remove SmitFraud Variants like WinAntivirus Pro 2007 and PestCapture

SurfSideKick Removal Instructions and Help

How to Remove Zango Search Assistant and Toolbar

How to Remove Alot Toolbar

About:Blank Homepage Hijacker Removal Instructions and Help

Kazaa Removal Instructions and Help

How to Disable Windows XP Security Alert Balloons and Notifications

res://random.dll Homepage Hijacker Removal Instructions and Help

IBIS Web Search (websearch.com) Removal Instructions and Help

Open Search Web (Lop.com) Removal Instructions and Help

UPDMGR.EXE Removal Instructions and Help

FCADVICE.EXE Removal Instructions and Help

U3 Smart Drives - What are they and how to remove U3

Dubolom.com Homepage Hijacker Removal Instructions and Help

DSO Exploit Removal Instructions and Help

FastSearch.cc Homepage Hijacker Removal Instructions and Help

My Web Search Removal Instructions and Help

Cursor Mania Removal Instructions and Help

Fun Buddy Icons Removal Instructions and Help

Smiley Central Removal Instructions and Help

My Mail Stamps Removal Instructions and Help

My Mail Stationery Removal Instructions and Help

My Mail Signatures Removal Instructions and Help

Fun Web Products Popular Screensavers Removal Instructions and Help

Webfetti Removal Instructions and Help

What is PDF Spam and Does it Contain Viruses

Gator Software Removal

Hugesearch.net Homepage Hijacker Removal Instructions and Help

Search-Space.com and Start-Space.com Homepage Hijacker Removal Instructions and Help

How to Remove Global-Finder.com Homepage Hijacker

Globaltoolbar Removal

GoHip Software Removal

HotBar Toolbar Removal

Huntbar and Search Toolbar Info and Removal

Look2Me Removal Instructions and Help

Lookfor.cc (res://mshp.dll/index.html) Homepage Hijacker Removal Instructions and Help

MaximumSearch.net Homepage Hijacker Removal Instructions and Help

Ncase Removal Instructions and Help

People OnPage Toolbar Info and Removal

Precision Time Removal

Prolivation.com Removal

SaveNow and NewDotNet Removal

SearchMyRequest.com Homepage Hijacker Removal Instructions and Help

Smartsearch.ws Homepage Hijacker Removal Instructions and Help

SysUpd.exe (TSCash) Removal Instructions and Help

Ezula TopText (yellow underlined links) Removal Instructions and Help

How to Remove SpeedBlaster and MemoryMeter

TopRebates and WebRebates Removal Instructions and Help

Twaintec.dll Removal Instructions and Help

Viewpoint Removal Instructions and Help

WeatherBug Removal

WildTangent Removal Instructions and Help

WinTools Removal Instructions and Help

Xupiter Removal

Xzoomy.com Removal

ZY Web Search (db105.com) Removal

space.gif (58 bytes)

 

Search PCHell.com



 




Tools for Removing Spyware, Adware, and Malware


PC HELL
Other Pages

Spyware/Adware Removal Help

MSBlast.exe Worm Removal

Welchia (Dllhost.exe and SVCHost.exe) Worm Removal

Uninstall McAfee Instructions

Uninstall Norton Instructions

Uninstall Avast Instructions

Uninstall AVG Instructions

Uninstall Antivir Instructions

Uninstall Panda Instructions

How to Manually Run the Microsoft Malicious Software Removal Tool

Bloodhound.Exploit.6 Virus Removal

MyDoom Virus Removal

MiMail.C Virus Removal

Swen Worm Virus Removal

SoBig.F Worm Removal

Dumaru Virus Removal

BugBear.B Worm Removal

SoBig.E Worm Removal

Pop Up Ad Removal Info

KAK Worm Removal

MiMail.A Worm Removal

W95.MTX Virus Removal

Snow White Virus Removal

BadTrans Trojan Removal

Wininit Virus (Bymer Trojan)

Happy99 Worm Removal

VBS Netlog Worm Removal

Pretty Park Worm Removal

Sasser Worm Virus Removal

Backdoor SDBot.H Trojan Removal

VBS.Loveletter Help

Computer Security Information

Back Orifice Information

PC HELL Main Page

 






iPadastic - News, Tutorials, Help, Tips, and Hints for the iPad



Download Hoyle Games
including Casino 3D, Card, Board, and Solitaire games.



Written by Mark Hasting

Recommended Software for PC Hell Visitors
Malwarebytes Anti-Malware
Malwarebytes Anti-Malware
iolo System Mechanic® - Fix, Speed Up Your PC
iolo System Mechanic®
Emsisoft Anti Malware
Emsisoft Anti Malware
space.gif (58 bytes)

Search PCHELL.COM

Return to PC Hell
Return to PC Hell

Google