Hijack This

Tuesday, June 07 2005 @ 07:01 PM CDT

Contributed by: admin

How To Install and Use Hijack This

HijackThis is a program developed by Merijn Bellekom, a Dutch student studying chemistry and computer science. One of Merijn's programs, HijackThis, is an essential utility to help find and remove spyware, viruses, worms, trojans and other pests. This is a basic guide to understanding HijackThis usefulness and what specific sections mean and some tips on reading it yourself. Although its best to have a knowledge person help you examine the HijackThis logs, knowing more about the logs help individuals understand more about them and their use.

Installing HijackThis:

First, create a folder for HijackThis in the root folder of your hard drive.
Click START>My Computer>right click Local Disk usually (C:) for most people)> Explore..
Right click an open area in the main pane.
Select New>Folder.
Type in HJT & press Enter.
Now download HijackThis from www.download.com. When given a choice of whether to Save or Open this file: choose Save. Save the file to the HJT folder you just made.
When the download is complete, click "Open Containing Folder".
Now you need to unzip HijackThis. This is easily done with XP.
Double click HijackThis.zip.
In the left hand column, click "Extract all Files". The Extraction Wizard will pop up.
Click Next, then Browse.
Select the HJT folder you created, then OK. HijackThis is now in a proper permanent folder.

To put a shortcut on your Desktop for HijackThis:

Navigate to your HJT folder and double click to open it.
Right click HijackThis.exe.
Select "Create Shortcut". An icon with an arrow in a box should now appear in the HJT folder's main pane.
Right click the shortcut icon.
Select "Send To">Desktop.

Running the program HijackThis:

After clicking on “HijackThis.exe” you will see:

Click “Scan”.

To the novice, the log that was generated looks foreign, DON’T BE AFRAID!! HijackThis directly accesses common areas of your PC that spyware can affect. The log file also provides useful settings, for example: Your homepage settings, common buttons within your preferred web browser (internet explorer, Netscape, etc.). This will override your Windows and Browser settings.

The beginning of each line of the log file is an identifier for what type of setting it effects. To remove these items it’s as easy as checking the check box to the left of the identifier and click on “Fix checked”.

This will permanently remove anything that you have selected. To ensure that HijackThis creates a back up, you need to click on “Config” on the bottom right of the menu. If you have an item that is known not to be harmful, you can ensure that only safe items are selected, then click “Add to ignore list”. This will prevent them from coming up in future scans. If you feel that you added it to your ignore list by accident, you can always remove it from your ignore list.

Be sure that “Make backups before fixing items” is checked off. While we're on this Configuration Main Menu, we’ll go over an explanation of each setting. One quick way of totally messing up your computer and not recommended, is to check “Mark everything found for fixing after scan”. Your consequence’s consists of removing every program that you have set to startup at Startup, removing your homepage from IE, remove all of your Internet Explorer buttons, and your toolbars. This is a Big No-No and you definitely will not be pleased with the results. One of the steps of a clean removal is to run these Spyware tools in Safe Mode. The box
“Confirm fixing and ignoring items (safe mode)” is a re-assurance that it is not removing items that you have selected to ignore and also a confirmation that you have fixed the selected entries.

Built into HijackThis is a list of safe web pages (domains) that will be picked up in a scan. You can select “Ignore non-standard but safe domains in IE(e.g. MSN.Com microsoft.com)”. This will make sure that you do not remove safe entries. “Include list of running processes in log files”- If need be you can post your log files to our forums in the HijackThis section. And by having this selected, we can further can examine your pc for start-up items.

On the bottom part of this screen you will see settings that will lock your homepage. This is a very good feature to ensure that your internet start page never changes. If your having difficulties on determining on what to remove, you can create a log file from the “Misc Tools” button and when you request it, you can post it to our forums. Also, from this screen you can update your version of HijackThis by clicking on “Check for update online”, a pop-up will appear stating that it is going to ‘phone home’.

Click “OK”. If you’re always connected to the internet either through cable, DSL, or a company network, just click “OK”. If you have a firewall installed, it may prompt you to allow HijackThis to connect to the internet. Just permit it. This will ensure that HijackThis will detect any new Spyware and also possibly add new features to the software.

Restoring Backups

Click “Config” on the bottom right, than click on the “Backups” button on the top center. You can restore any items that you may have backed up.

BHO (Browser Help Objects): is just a small program that runs automatically every time you start your Internet Browser. Usually, a BHO is installed on your system by another software program. For example, Go!Zilla, the downloading utility, installs a BHO created by Radiate (formerly Aureate Media); this BHO tracks which advertisements you see as you surf the Web. The natural question is, what do BHO’s do? The technical answer is "anything", but generally, it will have something to do with "helping" you browse the Internet. Of course, many BHO’s are called “”Ad-ware” or “Spyware””: they do things like monitor the websites you visit and report this data back to their creators.

Toolbars: seem that they are a part of your browser. Toolbars that are provided from Google and Yahoo also perform functions such as Pop-up blockers and a field to conduct a search using their search engine. Then there’s Toolbars such as HotBar, Cool Search, and many more. These toolbars are browser hijackers. They will make you use there search technologies, unknowingly, and will restrict your search results to companies that they are affiliated with. These companies are making huge amounts of money off of your web browsing. HijackThis, will remove these nasty toolbars and put an end to their mischievous scheme.

OVERVIEW

Each line in a HijackThis log starts with a section name. (For technical information on this, click “Info” in the main window and scroll down. “Highlight a line” and click “More info on this item”).

R0, R1, R2, R3 - IE Start & Search page

What it looks like:

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page=http://www.google.com/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL=http://www.google.com/
R3 - Default URLSearchHook is missing

What to do:

If you recognize the URL at the end as your homepage or search engine, it's OK. If you don't, check it and have HijackThis fix it. In cases like the random.dll hijacker you may want to leave them until later but in general if you don’t recognize it, fix it. For the R3 items, always fix them unless it mentions a program you recognize.

________________________________________
F0, F1 - Autoloading programs
What it looks like:

F0 - system.ini: Shell=Explorer.exe Openme.exe
F1 - win.ini: run=hpfsched

What to do:

The F0 items are always bad, so fix them.
The F1 items are usually very old programs that are safe, so you should find some more information on the filename to see if it is good or bad.

________________________________________
N1, N2, N3, N4 - Netscape/Mozilla Start & Search page

What it looks like:

N1 - Netscape 4: user_pref("browser.startup.homepage", "www.google.com"); (C:Program FilesNetscapeUsersdefaultprefs.js)

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.google.com"); (C:Documents and SettingsUserApplication DataMozillaProfilesdefaulto9t1tfl.sltprefs.js)

N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:Documents and SettingsUserApplication DataMozillaProfilesdefaulto9t1tfl.sltprefs.js)

What to do:

Usually the Netscape and Mozilla homepage and search page are safe. They rarely get hijacked. Should you see an URL you don't recognize as your homepage or search page, have HijackThis fix it.

________________________________________
O1 - Hosts file redirection

What it looks like:

O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch

What to do:

This hijack will redirect the address to the right to the IP address to the left. If the IP does not belong to the address, you will be redirected to a wrong site every time you enter the address. You can always have HijackThis fix these, unless you knowingly put those lines in your Hosts file.

________________________________________
O2 - Browser Helper Objects

What it looks like:

O2 - BHO: Yahoo! Companion BHO - - C:PROGRAM FILESYAHOO!COMPANIONYCOMP5_0_2_4.DLL
O2 - BHO: AcroIEHlprObj Class - - C:AdobeAcrobat 5.0AcrobatActiveXAcroIEHelper.ocx
O2 - BHO: (no name) - - C:Program FilesSiber SystemsAI RoboFormRoboForm.dll

What to do:

If you don't directly recognize a Browser Helper Object's name, use TonyK's BHO List to find it by the class ID (CLSID, the number between curly brackets) and see if it is good or bad. In the BHO List, 'X' means Spyware and 'L' means safe.

________________________________________
O3 - IE toolbars

What it looks like:

O3 - Toolbar: &Yahoo! Companion - - C:PROGRAM FILESYAHOO!COMPANIONYCOMP5_0_2_4.DLL
O3 - Toolbar: Popup Eliminator - - C:PROGRAM FILESPOPUP ELIMINATORPETOOLBAR401.DLL (file missing)
O3 - Toolbar: &RoboForm - - C:Program FilesSiber SystemsAI RoboFormRoboForm.dll

What to do:

If you don't directly recognize a toolbar's name, use TonyK's Toolbar List to find it by the class ID (CLSID, the number between curly brackets) and see if it is good or bad. In the Toolbar List, 'X' means Spyware and 'L' means safe.
If it's not on the list and the name seems a random string of characters and the file is somewhere in a folder named 'Application Data', it is definitely bad, and you should have HijackThis fix it.

________________________________________
O4 - Autoloading programs from Registry

What it looks like:

O4 - HKLM..Run: [ScanRegistry] C:WINDOWSscanregw.exe /autorun
O4 - HKLM..Run: [SystemTray] SysTray.Exe
O4 - HKLM..Run: [ccApp] "C:Program FilesCommon FilesSymantec SharedccApp.exe"
O4 - Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOfficeOSA9.EXE

What to do:

Use PacMan's Startup List to find the entry and see if it is good or bad.

________________________________________
O5 - IE Options not visible in Control Panel

What it looks like:

O5 - control.ini: inetcpl.cpl=no

What to do:

Unless you have knowingly hidden the icon from Control Panel, have HijackThis fix it.

________________________________________
O6 - IE Options access restricted by Administrator
What it looks like:

O6 - HKCUSoftwarePoliciesMicrosoftInternet ExplorerRestrictions present

What to do:

Unless you have the Spybot S&D option 'Lock homepage from changes' active, have HijackThis fix it.

________________________________________
O7 - Regedit access restricted by Administrator

What it looks like:

O7 - HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem, DisableRegedit=1

What to do:

Always have HijackThis fix it.

________________________________________
O8 - Extra items in IE right-click menu

What it looks like:

O8 - Extra context menu item: &Google Search - res://C:WINDOWSDOWNLOADED PROGRAM FILESGOOGLETOOLBAR_EN_1.1.68-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Yahoo! Search - file:///C:Program FilesYahoo!Common/ycsrch.htm

What to do:

If you do not recognize the name of the item in the right-click menu in Internet Explorer, have HijackThis fix it.

________________________________________
O9 - Extra buttons on main IE toolbar, or extra items in IE 'Tools' menu

What it looks like:

O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: AIM (HKLM)

What to do:

If you do not recognize the name of the button or menu item, have HijackThis fix it.

________________________________________
O10 - Winsock hijackers

What it looks like:

O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'c:progra~1common~2toolbarcnmib.dll' missing
O10 - Unknown file in Winsock LSP: c:program filesNewton knowsvmain.dll

What to do:

It's best to fix these using Spybot Search and Destroy

________________________________________
O11 - Extra group in IE 'Advanced Options' window

What it looks like:

O11 - Options group: [CommonName] CommonName

What to do:

The only hijacker as of now that adds its own options group to the IE Advanced Options window is CommonName. So you can always have HijackThis fix it.

________________________________________
O12 - IE plugins

What it looks like:

O12 - Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dll
O12 - Plugin for .PDF: C:Program FilesInternet ExplorerPLUGINSppdf32.dll

What to do:

Most of the time these are safe. Only OnFlow adds a plugin here that you don't want (.ofb).

________________________________________
O13 - IE DefaultPrefix hijack

What it looks like:

O13 - DefaultPrefix: http://www.pixpox.com/cgi-bin/click.pl?url=
O13 - WWW Prefix: http://prolivation.com/cgi-bin/r.cgi?

What to do:

These are always bad. Have HijackThis fix them.

________________________________________
O14 - 'Reset Web Settings' hijack

What it looks like:

O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com

What to do:

If the URL is not the provider of your computer or your ISP, have HijackThis fix it.

________________________________________
O15 - Unwanted site in Trusted Zone

What it looks like:

O15 - Trusted Zone: http://free.aol.com

What to do:

So far, only AOL has the tendency to add itself to your Trusted Zone, allowing it to run any ActiveX it wants. Always have HijackThis fix it.

________________________________________
O16 - ActiveX Objects (aka Downloaded Program Files)

What it looks like:

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

What to do:

If you don't recognize the name of the object, or the URL it was downloaded from, have HijackThis fix it. If the name or URL contains words like 'dialer', 'casino', 'free_plugin' etc, definitely fix it.

________________________________________
O17 - Lop.com domain hijacks

What it looks like:

O17 - HKLMSystemCCSServicesVxDMSTCP: Domain = aoldsl.net
O17 - HKLMSystemCCSServicesTcpipParameters: Domain = W21944.find-quick.com
O17 - HKLMSoftware..Telephony: DomainName = W21944.find-quick.com
O17 - HKLMSystemCCSServicesTcpip..{D196AB38-4D1F-45C1-9108- 46D367F19F7E}: Domain = W21944.find-quick.com

What to do:

If the domain is not from your ISP or company network, have HijackThis fix them.

________________________________________
O18 - Extra protocols and protocol hijackers

What it looks like:

O18 - Protocol: relatedlinks - - C:PROGRA~1COMMON~1MSIETSmsielink.dll
O18 - Protocol: mctp -
O18 - Protocol hijack: http -

What to do:

Only a few hijackers show up here. The known bad hijackers are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar), you should have HijackThis fix all of those. Other things that show up are either not confirmed safe yet, or are hijacked by Spyware. In the last case, have HijackThis fix it.

________________________________________
O19 - User style sheet hijack

What it looks like:

O19 - User style sheet: c:WINDOWSJavamy.css
What to do:

In the case of a browser slowdown and frequent popups, have HijackThis fix this item if it shows up in the log. You can do one of two things with the Log file that was created. You can manually repair the Spyware objects by using the tutorial that is provided in this e-book

Back to Hijack This Tutorial Page

Remove Spyware - Prevent New Spyware From Installing

Spyware's Most Wanted

The How-To-Guide on Spyware Removal and Preventative Maintenance

All rights reserved and all copyrights are registered to the www.removingspywareforfree.com © 2005-2006

Removing Spyware For Free
http://www.removingspywareforfree.com/article.php/Hijack_This

HijackThis is a program developed by Merijn Bellekom, a Dutch student studying chemistry and computer science. One of Merijn's programs, HijackThis, is an essential utility to help find and remove spyware, viruses, worms, trojans and other pests. This is a basic guide to understanding HijackThis usefulness and what specific sections mean and some tips on reading it yourself. Although its best to have a knowledge person help you examine the HijackThis logs, knowing more about the logs help individuals understand more about them and their use. Installing HijackThis: First, create a folder for HijackThis in the root folder of your hard drive. Click START>My Computer>right click Local Disk usually (C:) for most people)> Explore.. Right click an open area in the main pane. Select New>Folder. Type in HJT & press Enter. Now download HijackThis from www.download.com. When given a choice of whether to Save or Open this file: choose Save. Save the file to the HJT folder you just made. When the download is complete, click "Open Containing Folder". Now you need to unzip HijackThis. This is easily done with XP. Double click HijackThis.zip. In the left hand column, click "Extract all Files". The Extraction Wizard will pop up. Click Next, then Browse. Select the HJT folder you created, then OK. HijackThis is now in a proper permanent folder. To put a shortcut on your Desktop for HijackThis: Navigate to your HJT folder and double click to open it. Right click HijackThis.exe. Select "Create Shortcut". An icon with an arrow in a box should now appear in the HJT folder's main pane. Right click the shortcut icon. Select "Send To">Desktop. Running the program HijackThis: After clicking on “HijackThis.exe” you will see:
Click “Scan”.
To the novice, the log that was generated looks foreign, DON’T BE AFRAID!! HijackThis directly accesses common areas of your PC that spyware can affect. The log file also provides useful settings, for example: Your homepage settings, common buttons within your preferred web browser (internet explorer, Netscape, etc.). This will override your Windows and Browser settings. The beginning of each line of the log file is an identifier for what type of setting it effects. To remove these items it’s as easy as checking the check box to the left of the identifier and click on “Fix checked”. This will permanently remove anything that you have selected. To ensure that HijackThis creates a back up, you need to click on “Config” on the bottom right of the menu. If you have an item that is known not to be harmful, you can ensure that only safe items are selected, then click “Add to ignore list”. This will prevent them from coming up in future scans. If you feel that you added it to your ignore list by accident, you can always remove it from your ignore list.
Be sure that “Make backups before fixing items” is checked off. While we're on this Configuration Main Menu, we’ll go over an explanation of each setting. One quick way of totally messing up your computer and not recommended, is to check “Mark everything found for fixing after scan”. Your consequence’s consists of removing every program that you have set to startup at Startup, removing your homepage from IE, remove all of your Internet Explorer buttons, and your toolbars. This is a Big No-No and you definitely will not be pleased with the results. One of the steps of a clean removal is to run these Spyware tools in Safe Mode. The box “Confirm fixing and ignoring items (safe mode)” is a re-assurance that it is not removing items that you have selected to ignore and also a confirmation that you have fixed the selected entries. Built into HijackThis is a list of safe web pages (domains) that will be picked up in a scan. You can select “Ignore non-standard but safe domains in IE(e.g. MSN.Com microsoft.com)”. This will make sure that you do not remove safe entries. “Include list of running processes in log files”- If need be you can post your log files to our forums in the HijackThis section. And by having this selected, we can further can examine your pc for start-up items. On the bottom part of this screen you will see settings that will lock your homepage. This is a very good feature to ensure that your internet start page never changes. If your having difficulties on determining on what to remove, you can create a log file from the “Misc Tools” button and when you request it, you can post it to our forums. Also, from this screen you can update your version of HijackThis by clicking on “Check for update online”, a pop-up will appear stating that it is going to ‘phone home’.
Click “OK”. If you’re always connected to the internet either through cable, DSL, or a company network, just click “OK”. If you have a firewall installed, it may prompt you to allow HijackThis to connect to the internet. Just permit it. This will ensure that HijackThis will detect any new Spyware and also possibly add new features to the software.
Restoring Backups Click “Config” on the bottom right, than click on the “Backups” button on the top center. You can restore any items that you may have backed up.
BHO (Browser Help Objects): is just a small program that runs automatically every time you start your Internet Browser. Usually, a BHO is installed on your system by another software program. For example, Go!Zilla, the downloading utility, installs a BHO created by Radiate (formerly Aureate Media); this BHO tracks which advertisements you see as you surf the Web. The natural question is, what do BHO’s do? The technical answer is "anything", but generally, it will have something to do with "helping" you browse the Internet. Of course, many BHO’s are called “”Ad-ware” or “Spyware””: they do things like monitor the websites you visit and report this data back to their creators. Toolbars: seem that they are a part of your browser. Toolbars that are provided from Google and Yahoo also perform functions such as Pop-up blockers and a field to conduct a search using their search engine. Then there’s Toolbars such as HotBar, Cool Search, and many more. These toolbars are browser hijackers. They will make you use there search technologies, unknowingly, and will restrict your search results to companies that they are affiliated with. These companies are making huge amounts of money off of your web browsing. HijackThis, will remove these nasty toolbars and put an end to their mischievous scheme. OVERVIEW Each line in a HijackThis log starts with a section name. (For technical information on this, click “Info” in the main window and scroll down. “Highlight a line” and click “More info on this item”). R0, R1, R2, R3 - IE Start & Search page What it looks like: R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page=http://www.google.com/ R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL=http://www.google.com/ R3 - Default URLSearchHook is missing What to do: If you recognize the URL at the end as your homepage or search engine, it's OK. If you don't, check it and have HijackThis fix it. In cases like the random.dll hijacker you may want to leave them until later but in general if you don’t recognize it, fix it. For the R3 items, always fix them unless it mentions a program you recognize. ________________________________________ F0, F1 - Autoloading programs What it looks like: F0 - system.ini: Shell=Explorer.exe Openme.exe F1 - win.ini: run=hpfsched What to do: The F0 items are always bad, so fix them. The F1 items are usually very old programs that are safe, so you should find some more information on the filename to see if it is good or bad. ________________________________________ N1, N2, N3, N4 - Netscape/Mozilla Start & Search page What it looks like: N1 - Netscape 4: user_pref("browser.startup.homepage", "www.google.com"); (C:Program FilesNetscapeUsersdefaultprefs.js) N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.google.com"); (C:Documents and SettingsUserApplication DataMozillaProfilesdefaulto9t1tfl.sltprefs.js) N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:Documents and SettingsUserApplication DataMozillaProfilesdefaulto9t1tfl.sltprefs.js) What to do: Usually the Netscape and Mozilla homepage and search page are safe. They rarely get hijacked. Should you see an URL you don't recognize as your homepage or search page, have HijackThis fix it. ________________________________________ O1 - Hosts file redirection What it looks like: O1 - Hosts: 216.177.73.139 auto.search.msn.com O1 - Hosts: 216.177.73.139 search.netscape.com O1 - Hosts: 216.177.73.139 ieautosearch What to do: This hijack will redirect the address to the right to the IP address to the left. If the IP does not belong to the address, you will be redirected to a wrong site every time you enter the address. You can always have HijackThis fix these, unless you knowingly put those lines in your Hosts file. ________________________________________ O2 - Browser Helper Objects What it looks like: O2 - BHO: Yahoo! Companion BHO - - C:PROGRAM FILESYAHOO!COMPANIONYCOMP5_0_2_4.DLL O2 - BHO: AcroIEHlprObj Class - - C:AdobeAcrobat 5.0AcrobatActiveXAcroIEHelper.ocx O2 - BHO: (no name) - - C:Program FilesSiber SystemsAI RoboFormRoboForm.dll What to do: If you don't directly recognize a Browser Helper Object's name, use TonyK's BHO List to find it by the class ID (CLSID, the number between curly brackets) and see if it is good or bad. In the BHO List, 'X' means Spyware and 'L' means safe. ________________________________________ O3 - IE toolbars What it looks like: O3 - Toolbar: &Yahoo! Companion - - C:PROGRAM FILESYAHOO!COMPANIONYCOMP5_0_2_4.DLL O3 - Toolbar: Popup Eliminator - - C:PROGRAM FILESPOPUP ELIMINATORPETOOLBAR401.DLL (file missing) O3 - Toolbar: &RoboForm - - C:Program FilesSiber SystemsAI RoboFormRoboForm.dll What to do: If you don't directly recognize a toolbar's name, use TonyK's Toolbar List to find it by the class ID (CLSID, the number between curly brackets) and see if it is good or bad. In the Toolbar List, 'X' means Spyware and 'L' means safe. If it's not on the list and the name seems a random string of characters and the file is somewhere in a folder named 'Application Data', it is definitely bad, and you should have HijackThis fix it. ________________________________________ O4 - Autoloading programs from Registry What it looks like: O4 - HKLM..Run: [ScanRegistry] C:WINDOWSscanregw.exe /autorun O4 - HKLM..Run: [SystemTray] SysTray.Exe O4 - HKLM..Run: [ccApp] "C:Program FilesCommon FilesSymantec SharedccApp.exe" O4 - Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOfficeOSA9.EXE What to do: Use PacMan's Startup List to find the entry and see if it is good or bad. ________________________________________ O5 - IE Options not visible in Control Panel What it looks like: O5 - control.ini: inetcpl.cpl=no What to do: Unless you have knowingly hidden the icon from Control Panel, have HijackThis fix it. ________________________________________ O6 - IE Options access restricted by Administrator What it looks like: O6 - HKCUSoftwarePoliciesMicrosoftInternet ExplorerRestrictions present What to do: Unless you have the Spybot S&D option 'Lock homepage from changes' active, have HijackThis fix it. ________________________________________ O7 - Regedit access restricted by Administrator What it looks like: O7 - HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem, DisableRegedit=1 What to do: Always have HijackThis fix it. ________________________________________ O8 - Extra items in IE right-click menu What it looks like: O8 - Extra context menu item: &Google Search - res://C:WINDOWSDOWNLOADED PROGRAM FILESGOOGLETOOLBAR_EN_1.1.68-DELEON.DLL/cmsearch.html O8 - Extra context menu item: Yahoo! Search - file:///C:Program FilesYahoo!Common/ycsrch.htm What to do: If you do not recognize the name of the item in the right-click menu in Internet Explorer, have HijackThis fix it. ________________________________________ O9 - Extra buttons on main IE toolbar, or extra items in IE 'Tools' menu What it looks like: O9 - Extra button: Messenger (HKLM) O9 - Extra 'Tools' menuitem: Messenger (HKLM) O9 - Extra button: AIM (HKLM) What to do: If you do not recognize the name of the button or menu item, have HijackThis fix it. ________________________________________ O10 - Winsock hijackers What it looks like: O10 - Hijacked Internet access by New.Net O10 - Broken Internet access because of LSP provider 'c:progra~1common~2toolbarcnmib.dll' missing O10 - Unknown file in Winsock LSP: c:program filesNewton knowsvmain.dll What to do: It's best to fix these using Spybot Search and Destroy ________________________________________ O11 - Extra group in IE 'Advanced Options' window What it looks like: O11 - Options group: [CommonName] CommonName What to do: The only hijacker as of now that adds its own options group to the IE Advanced Options window is CommonName. So you can always have HijackThis fix it. ________________________________________ O12 - IE plugins What it looks like: O12 - Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dll O12 - Plugin for .PDF: C:Program FilesInternet ExplorerPLUGINSppdf32.dll What to do: Most of the time these are safe. Only OnFlow adds a plugin here that you don't want (.ofb). ________________________________________ O13 - IE DefaultPrefix hijack What it looks like: O13 - DefaultPrefix: http://www.pixpox.com/cgi-bin/click.pl?url= O13 - WWW Prefix: http://prolivation.com/cgi-bin/r.cgi? What to do: These are always bad. Have HijackThis fix them. ________________________________________ O14 - 'Reset Web Settings' hijack What it looks like: O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com What to do: If the URL is not the provider of your computer or your ISP, have HijackThis fix it. ________________________________________ O15 - Unwanted site in Trusted Zone What it looks like: O15 - Trusted Zone: http://free.aol.com What to do: So far, only AOL has the tendency to add itself to your Trusted Zone, allowing it to run any ActiveX it wants. Always have HijackThis fix it. ________________________________________ O16 - ActiveX Objects (aka Downloaded Program Files) What it looks like: O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab O16 - DPF: (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab What to do: If you don't recognize the name of the object, or the URL it was downloaded from, have HijackThis fix it. If the name or URL contains words like 'dialer', 'casino', 'free_plugin' etc, definitely fix it. ________________________________________ O17 - Lop.com domain hijacks What it looks like: O17 - HKLMSystemCCSServicesVxDMSTCP: Domain = aoldsl.net O17 - HKLMSystemCCSServicesTcpipParameters: Domain = W21944.find-quick.com O17 - HKLMSoftware..Telephony: DomainName = W21944.find-quick.com O17 - HKLMSystemCCSServicesTcpip..{D196AB38-4D1F-45C1-9108- 46D367F19F7E}: Domain = W21944.find-quick.com What to do: If the domain is not from your ISP or company network, have HijackThis fix them. ________________________________________ O18 - Extra protocols and protocol hijackers What it looks like: O18 - Protocol: relatedlinks - - C:PROGRA~1COMMON~1MSIETSmsielink.dll O18 - Protocol: mctp - O18 - Protocol hijack: http - What to do: Only a few hijackers show up here. The known bad hijackers are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar), you should have HijackThis fix all of those. Other things that show up are either not confirmed safe yet, or are hijacked by Spyware. In the last case, have HijackThis fix it. ________________________________________ O19 - User style sheet hijack What it looks like: O19 - User style sheet: c:WINDOWSJavamy.css What to do: In the case of a browser slowdown and frequent popups, have HijackThis fix this item if it shows up in the log. You can do one of two things with the Log file that was created. You can manually repair the Spyware objects by using the tutorial that is provided in this e-book
Back to Hijack This Tutorial Page
Remove Spyware - Prevent New Spyware From Installing Spyware's Most Wanted The How-To-Guide on Spyware Removal and Preventative Maintenance All rights reserved and all copyrights are registered to the www.removingspywareforfree.com © 2005-2006