How To Install and Use Hijack This



HijackThis is a program developed by Merijn Bellekom, a Dutch student studying chemistry and computer science. One of Merijn's programs, HijackThis, is an essential utility to help find and remove spyware, viruses, worms, trojans and other pests. This is a basic guide to what HijackThis is useful for, what the specific sections of its log mean, and some tips on reading a log yourself. Although it's best to have a knowledgeable person help you examine your HijackThis logs, knowing more about the logs helps you understand them and their use.


Installing HijackThis:


  1. First, create a folder for HijackThis in the root folder of your hard drive.
  2. Click START > My Computer > right-click Local Disk (usually (C:) for most people) > Explore.
  3. Right click an open area in the main pane.
  4. Select New>Folder.
  5. Type in HJT & press Enter.
  6. Now download HijackThis from www.download.com. When given a choice of whether to Save or Open this file: choose Save. Save the file to the HJT folder you just made.
  7. When the download is complete, click "Open Containing Folder".
  8. Now you need to unzip HijackThis. This is easily done with XP.
  9. Double click HijackThis.zip.
  10. In the left hand column, click "Extract all Files". The Extraction Wizard will pop up.
  11. Click Next, then Browse.
  12. Select the HJT folder you created, then OK. HijackThis is now in a proper permanent folder.

To put a shortcut on your Desktop for HijackThis:

  1. Navigate to your HJT folder and double click to open it.
  2. Right click HijackThis.exe.
  3. Select "Create Shortcut". An icon with an arrow in a box should now appear in the HJT folder's main pane.
  4. Right click the shortcut icon.
  5. Select "Send To">Desktop.

Running the program HijackThis:


After clicking on “HijackThis.exe” you will see:





Click “Scan”.





To the novice, the generated log looks foreign. DON’T BE AFRAID!! HijackThis directly reads the common areas of your PC that spyware can affect. The log also lists useful settings, for example your homepage and the common buttons within your preferred web browser (Internet Explorer, Netscape, etc.). Fixing an item overrides the corresponding Windows or browser setting.

The beginning of each line of the log file is an identifier for what type of setting it affects. Removing an item is as easy as checking the check box to the left of the identifier and clicking “Fix checked”.


This will permanently remove anything that you have selected. To ensure that HijackThis creates a backup, you need to click on “Config” on the bottom right of the menu. If you have an item that is known not to be harmful, you can make sure that only safe items are selected and then click “Add to ignore list”. This will prevent them from coming up in future scans. If you feel that you added an item to your ignore list by accident, you can always remove it from the ignore list.





Be sure that “Make backups before fixing items” is checked. While we're on this Configuration main menu, we’ll go over each setting. One quick way of totally messing up your computer, and not recommended, is to check “Mark everything found for fixing after scan”. The consequences include removing every program that you have set to run at startup, removing your IE homepage, and removing all of your Internet Explorer buttons and toolbars. This is a big no-no and you definitely will not be pleased with the results. One of the steps of a clean removal is to run these spyware tools in Safe Mode. The box “Confirm fixing and ignoring items (safe mode)” is a reassurance that it is not removing items that you have selected to ignore, and also a confirmation that you have fixed the selected entries.


Built into HijackThis is a list of safe web pages (domains) that will be picked up in a scan. You can select “Ignore non-standard but safe domains in IE (e.g. MSN.com, microsoft.com)”. This will make sure that you do not remove safe entries. “Include list of running processes in log files”: if need be, you can post your log files to our forums in the HijackThis section, and with this option selected we can further examine your PC for start-up items.


On the bottom part of this screen you will see settings that will lock your homepage. This is a very good feature to ensure that your internet start page never changes. If you're having difficulty determining what to remove, you can create a log file from the “Misc Tools” button and, when asked for it, post it to our forums. Also, from this screen you can update your version of HijackThis by clicking on “Check for update online”; a pop-up will appear stating that it is going to ‘phone home’.





Click “OK”. If you’re always connected to the internet either through cable, DSL, or a company network, just click “OK”. If you have a firewall installed, it may prompt you to allow HijackThis to connect to the internet. Just permit it. This will ensure that HijackThis will detect any new Spyware and also possibly add new features to the software.





Restoring Backups

Click “Config” on the bottom right, then click on the “Backups” button on the top center. You can restore any items that you have backed up.





BHO (Browser Helper Objects): a BHO is just a small program that runs automatically every time you start your Internet browser. Usually, a BHO is installed on your system by another software program. For example, Go!Zilla, the downloading utility, installs a BHO created by Radiate (formerly Aureate Media); this BHO tracks which advertisements you see as you surf the Web. The natural question is, what do BHOs do? The technical answer is "anything", but generally, it will have something to do with "helping" you browse the Internet. Of course, many BHOs are called “Ad-ware” or “Spyware”: they do things like monitor the websites you visit and report this data back to their creators.


Toolbars: these appear to be a part of your browser. Toolbars provided by Google and Yahoo also perform functions such as pop-up blocking and offer a field to search using their search engine. Then there are toolbars such as HotBar, Cool Search, and many more. These toolbars are browser hijackers. They will make you use their search technologies, unknowingly, and will restrict your search results to companies that they are affiliated with. These companies are making huge amounts of money off of your web browsing. HijackThis will remove these nasty toolbars and put an end to their mischievous scheme.


OVERVIEW


Each line in a HijackThis log starts with a section name. (For technical information on this, click “Info” in the main window and scroll down, or highlight a line and click “More info on this item”.)


R0, R1, R2, R3 - IE Start & Search page


What it looks like:

  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.com/
  • R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.google.com/
  • R3 - Default URLSearchHook is missing


What to do:

  • If you recognize the URL at the end as your homepage or search engine, it's OK. If you don't, check it and have HijackThis fix it. In cases like the random.dll hijacker you may want to leave them until later but in general if you don’t recognize it, fix it. For the R3 items, always fix them unless it mentions a program you recognize.

________________________________________
F0, F1 - Autoloading programs

What it looks like:

  • F0 - system.ini: Shell=Explorer.exe Openme.exe
  • F1 - win.ini: run=hpfsched

What to do:

  • The F0 items are always bad, so fix them.
  • The F1 items are usually very old programs that are safe, so you should find some more information on the filename to see if it is good or bad.

________________________________________
N1, N2, N3, N4 - Netscape/Mozilla Start & Search page

What it looks like:

  • N1 - Netscape 4: user_pref("browser.startup.homepage", "www.google.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
  • N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\o9t1tfl.slt\prefs.js)
  • N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\default\o9t1tfl.slt\prefs.js)

What to do:

  • Usually the Netscape and Mozilla homepage and search page are safe. They rarely get hijacked. Should you see a URL you don't recognize as your homepage or search page, have HijackThis fix it.

________________________________________
O1 - Hosts file redirection

What it looks like:

  • O1 - Hosts: 216.177.73.139 auto.search.msn.com
  • O1 - Hosts: 216.177.73.139 search.netscape.com
  • O1 - Hosts: 216.177.73.139 ieautosearch

What to do:

  • This hijack will redirect the address to the right to the IP address to the left. If the IP does not belong to the address, you will be redirected to a wrong site every time you enter the address. You can always have HijackThis fix these, unless you knowingly put those lines in your Hosts file.

________________________________________
O2 - Browser Helper Objects

What it looks like:

  • O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
  • O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
  • O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll

What to do:

  • If you don't directly recognize a Browser Helper Object's name, use TonyK's BHO List to find it by the class ID (CLSID, the number between curly brackets) and see if it is good or bad. In the BHO List, 'X' means Spyware and 'L' means safe.

________________________________________
O3 - IE toolbars

What it looks like:

  • O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
  • O3 - Toolbar: Popup Eliminator - {86BCA93E-457B-4054-AFB0-E428DA1563E1} - C:\PROGRAM FILES\POPUP ELIMINATOR\PETOOLBAR401.DLL (file missing)
  • O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll

What to do:

  • If you don't directly recognize a toolbar's name, use TonyK's Toolbar List to find it by the class ID (CLSID, the number between curly brackets) and see if it is good or bad. In the Toolbar List, 'X' means Spyware and 'L' means safe.
  • If it's not on the list and the name seems a random string of characters and the file is somewhere in a folder named 'Application Data', it is definitely bad, and you should have HijackThis fix it.

________________________________________
O4 - Autoloading programs from Registry

What it looks like:

  • O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
  • O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
  • O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
  • O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

What to do:


________________________________________
O5 - IE Options not visible in Control Panel

What it looks like:

  • O5 - control.ini: inetcpl.cpl=no

What to do:

  • Unless you have knowingly hidden the icon from Control Panel, have HijackThis fix it.

________________________________________
O6 - IE Options access restricted by Administrator

What it looks like:

  • O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

What to do:

  • Unless you have the Spybot S&D option 'Lock homepage from changes' active, have HijackThis fix it.

________________________________________
O7 - Regedit access restricted by Administrator

What it looks like:

  • O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

What to do:

  • Always have HijackThis fix it.

________________________________________
O8 - Extra items in IE right-click menu

What it looks like:

  • O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\DOWNLOADED PROGRAM FILES\GOOGLETOOLBAR_EN_1.1.68-DELEON.DLL/cmsearch.html
  • O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

What to do:

  • If you do not recognize the name of the item in the right-click menu in Internet Explorer, have HijackThis fix it.

________________________________________
O9 - Extra buttons on main IE toolbar, or extra items in IE 'Tools' menu

What it looks like:

  • O9 - Extra button: Messenger (HKLM)
  • O9 - Extra 'Tools' menuitem: Messenger (HKLM)
  • O9 - Extra button: AIM (HKLM)

What to do:

  • If you do not recognize the name of the button or menu item, have HijackThis fix it.

________________________________________
O10 - Winsock hijackers

What it looks like:

  • O10 - Hijacked Internet access by New.Net
  • O10 - Broken Internet access because of LSP provider 'c:\progra~1\common~2\toolbar\cnmib.dll' missing
  • O10 - Unknown file in Winsock LSP: c:\program files\Newton knows\vmain.dll

What to do:

  • It's best to fix these using Spybot Search and Destroy.

________________________________________
O11 - Extra group in IE 'Advanced Options' window

What it looks like:

  • O11 - Options group: [CommonName] CommonName

What to do:

  • The only hijacker as of now that adds its own options group to the IE Advanced Options window is CommonName. So you can always have HijackThis fix it.

________________________________________
O12 - IE plugins

What it looks like:

  • O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
  • O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\ppdf32.dll

What to do:

  • Most of the time these are safe. Only OnFlow adds a plugin here that you don't want (.ofb).

________________________________________
O13 - IE DefaultPrefix hijack

What it looks like:

  • O13 - DefaultPrefix: http://www.pixpox.com/cgi-bin/click.pl?url=
  • O13 - WWW Prefix: http://prolivation.com/cgi-bin/r.cgi?

What to do:

  • These are always bad. Have HijackThis fix them.

________________________________________
O14 - 'Reset Web Settings' hijack

What it looks like:

  • O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com

What to do:

  • If the URL is not the provider of your computer or your ISP, have HijackThis fix it.

________________________________________
O15 - Unwanted site in Trusted Zone

What it looks like:

  • O15 - Trusted Zone: http://free.aol.com

What to do:

  • So far, only AOL has the tendency to add itself to your Trusted Zone, allowing it to run any ActiveX it wants. Always have HijackThis fix it.

________________________________________
O16 - ActiveX Objects (aka Downloaded Program Files)

What it looks like:

  • O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
  • O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

What to do:

  • If you don't recognize the name of the object, or the URL it was downloaded from, have HijackThis fix it. If the name or URL contains words like 'dialer', 'casino', 'free_plugin' etc, definitely fix it.

________________________________________
O17 - Lop.com domain hijacks

What it looks like:

  • O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
  • O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = W21944.find-quick.com
  • O17 - HKLM\Software\..\Telephony: DomainName = W21944.find-quick.com
  • O17 - HKLM\System\CCS\Services\Tcpip\..\{D196AB38-4D1F-45C1-9108-46D367F19F7E}: Domain = W21944.find-quick.com

What to do:

  • If the domain is not from your ISP or company network, have HijackThis fix them.

________________________________________
O18 - Extra protocols and protocol hijackers

What it looks like:

  • O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll
  • O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82}
  • O18 - Protocol hijack: http - {66993893-61B8-47DC-B10D-21E0C86DD9C8}

What to do:

  • Only a few hijackers show up here. The known bad hijackers are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar), you should have HijackThis fix all of those. Other things that show up are either not confirmed safe yet, or are hijacked by Spyware. In the last case, have HijackThis fix it.

________________________________________
O19 - User style sheet hijack

What it looks like:

  • O19 - User style sheet: c:\WINDOWS\Java\my.css

What to do:

  • In the case of a browser slowdown and frequent popups, have HijackThis fix this item if it shows up in the log. You can do one of two things with the log file that was created. You can manually repair the Spyware objects by using the tutorial that is provided in this e-book
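As an added example (not from this tutorial and not part of HijackThis itself), the following Python script applies the per-section rules above to a constructed log and marks each entry as ok, fix, or research. The KNOWN_HOMEPAGES set and the 'Application Data' path check for O3 are assumptions standing in for the reader's own knowledge and TonyK's lists.

```python
import re
from urllib.parse import urlparse

# Constructed sample log (not from a real machine), in the format HijackThis prints.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://unknown-search.example/
F0 - system.ini: Shell=Explorer.exe Openme.exe
F1 - win.ini: run=hpfsched
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O3 - Toolbar: xkqzv - {00000000-0000-0000-0000-000000000001} - C:\Documents and Settings\User\Application Data\xkqzv.dll
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O13 - DefaultPrefix: http://www.pixpox.com/cgi-bin/click.pl?url=
O16 - DPF: Free Casino - http://dialer.example/free_plugin.cab
"""

KNOWN_HOMEPAGES = {"www.google.com"}  # assumption: the homepage this user actually set
O16_BAD_WORDS = ("dialer", "casino", "free_plugin")  # words the tutorial calls out for O16
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # "section - body"

def assess(section, body):
    """Apply the tutorial's rule for one section; return (verdict, reason)."""
    if section in ("R0", "R1", "R2"):
        host = (urlparse(body.rsplit("=", 1)[-1]).hostname or "").lower()
        if host in KNOWN_HOMEPAGES:
            return "ok", "recognized homepage/search URL"
        return "fix", "unrecognized start/search page URL"
    if section == "F0":
        return "fix", "system.ini Shell= autoload entries are always bad"
    if section == "O1":
        ip, host = body.split(":", 1)[1].split()
        return "fix", f"hosts file sends {host} to {ip}"
    if section == "O3" and "application data" in body.lower():
        return "fix", "toolbar DLL loaded from an 'Application Data' folder"
    if section in ("O7", "O13"):
        return "fix", "always bad per the tutorial"
    if section == "O16" and any(w in body.lower() for w in O16_BAD_WORDS):
        return "fix", "ActiveX name/URL contains a suspicious word"
    return "research", "look the item up (filename, CLSID) before deciding"

def triage(log_text):
    """Parse a HijackThis log; return [(section, verdict, reason), ...]."""
    results = []
    for line in log_text.strip().splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            results.append((m.group(1),) + assess(m.group(1), m.group(2)))
    return results

if __name__ == "__main__":
    for section, verdict, reason in triage(SAMPLE_LOG):
        print(f"{section:<4} {verdict:<8} {reason}")
```

Entries marked "research" still need the filename or CLSID looked up by hand, exactly as the tutorial says; the script only automates the rules that the tutorial states unconditionally.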




All rights reserved and all copyrights are registered to the www.removingspywareforfree.com © 2005-2006