7/30/2019 Www Bleepingcomputer Com Tutorials How to Use Hijackthis
HijackThis Tutorial - How to use HijackThis to remove Browser Hijackers & Spyware
By Lawrence Abrams on March 25, 2004 | Last Updated: June 12, 2012 | Read 2,059,535 times.
This tutorial is also available in Spanish.
This tutorial is also available in German.
This tutorial is also available in Dutch.
This tutorial is also available in French.
Table of Contents
1. Warning
2. Introduction
3. How to use HijackThis
4. How to restore items mistakenly deleted
5. How to Generate a Startup Listing
6. How to use the Process Manager
7. How to use the Hosts File Manager
8. How to use the Delete on Reboot tool
9. How to use ADS Spy
10. How to use the Uninstall Manager
11. How to interpret the scan listings
12. R0, R1, R2, R3 Sections
13. F0, F1, F2,F3 Sections
14. N1, N2, N3, N4 Sections
15. O1 Section
16. O2 Section
17. O3 Section
18. O4 Section
19. O5 Section
20. O6 Section
21. O7 Section
22. O8 Section
23. O9 Section
24. O10 Section
25. O11 Section
26. O12 Section
27. O13 Section
28. O14 Section
29. O15 Section
30. O16 Section
31. O17 Section
32. O18 Section
33. O19 Section
34. O20 Section
35. O21 Section
36. O22 Section
37. O23 Section
38. O24 Section
39. Conclusion
Warning
HijackThis should only be used if your browser or computer is still having problems after running Spybot or
another Spyware/Hijacker remover. HijackThis is an advanced tool, and therefore requires advanced knowledge
about Windows and operating systems in general. If you delete items that it shows, without knowing what they
are, it can lead to other problems such as your Internet no longer working or problems with running Windows
itself. You should also attempt to clean the Spyware/Hijacker/Trojan with all other methods before using
HijackThis. If you allow HijackThis to remove entries before another removal tool scans your computer, the files
from the Hijacker/Spyware will still be left on your computer and future removal tools will not be able to find
them.
If you do not have advanced knowledge about computers you should NOT fix entries using HijackThis without
consulting an expert on using this program. If you have already run Spybot - S&D and Ad-Aware and are still
having problems, then please continue with this tutorial and post a HijackThis log in our HijackThis forum,
including details about your problem, and we will advise you on what to fix.
Introduction
HijackThis is a utility that produces a listing of certain settings found in your computer. HijackThis will scan your registry and various other files for entries that are similar to what a Spyware or Hijacker program would leave behind.
Interpreting these results can be tricky, as there are many legitimate programs that are installed in your operating system in a similar manner to how Hijackers get installed. Therefore you must use extreme caution when having HijackThis fix any problems. I can not stress how important it is to follow the above warning.

There are two prevalent tutorials about HijackThis on the Internet currently, but neither of them explains what each of the sections actually means in a way that a layman can understand. This tutorial, in addition to showing how to use HijackThis, will also go into detail about each of the sections and what they actually mean. There is no reason why you should not understand what it is you are fixing when people examine your logs and tell you what to do.
If you would like to first read a tutorial on how to use Spybot, you can click here: How to use Spybot - Search and Destroy Tutorial

With that said, let's move on to the tutorial on how to use it. If you want to see the normal sizes of the screen shots you can click on them. Keep in mind that a new window will open up when you do so, so if you have a pop-up blocker it may stop the image window from opening.
How to use HijackThis
HijackThis can be downloaded as a standalone executable or as an installer. The standalone application allows you to save and run HijackThis.exe from any folder you wish, while the installer will install HijackThis in a specific location and create desktop shortcuts to that executable. When using the standalone version you should not run it from your Temporary Internet Files folder, as your backup folder will not be saved after you close the program. In order to avoid the deletion of your backups, please save the executable to a specific folder before running it. We suggest that you use the HijackThis installer, as that has become the standard way of using the program and provides a safe location for HijackThis backups.

The first step is to download HijackThis to your computer in a location that you know where to find it again. HijackThis can be downloaded from the following link:

HijackThis Download Link

If you have downloaded the standalone application, then simply double-click on the HijackThis.exe file and then click here to skip to the part where the program has started.

Otherwise, if you downloaded the installer, navigate to the location where it was saved and double-click on the HiJackThis.msi file in order to start the installation of HijackThis. When the install starts, click on the Install button to have HijackThis installed into the C:\Program Files\Trend Micro\HijackThis folder, create a desktop shortcut that can be used to run the program when you need to, and automatically launch HijackThis for the first time.
You should now see a screen similar to the figure below:
Figure 1. HijackThis Startup screen when run for the first time
We suggest you put a checkmark in the checkbox labeled Do not show this window when I start HijackThis, designated by the blue arrow above, as most instructions you will be given will not account for this screen. After you have put a checkmark in that checkbox, click on the None of the above, just start the program button, designated by the red arrow in the figure above. You will then be presented with the main HijackThis screen as seen in Figure 2 below.
Figure 2. Starting Screen of Hijack This
You should first click on the Config button, which is designated by the blue arrow in Figure 2, and confirm that your
settings match those found in Figure 3 below. The options that should be checked are designated by the red arrow.
Figure 3. HijackThis Configuration Options
When you are done setting these options, press the back key and continue with the rest of the tutorial.

To have HijackThis scan your computer for possible Hijackers, click on the Scan button designated by the red arrow in Figure 2. You will then be presented with a screen listing all the items found by the program as seen in Figure 4.
Figure 4. Scan Results
At this point, you will have a listing of all items found by HijackThis.

If what you see seems confusing and daunting to you, then click on the Save Log button, designated by the red arrow, and save the log to your computer somewhere you will remember later.

To open up the log and paste it into a forum, like ours, you should follow these steps:

1. Click on Start then Run and type Notepad and press OK. Notepad will now be open on your computer.
2. Click on File and Open, and navigate to the directory where you saved the Log file.
3. When you see the file, double click on it. The log file should now be opened in your Notepad.
4. Click on Edit and then Select All. All the text should now be selected.
5. Click on Edit and then Copy, which will copy all the selected text into your clipboard.
6. Go to the message forum and create a new message.
7. Title the message: HijackThis Log: Please help Diagnose
8. Right click in the message area where you would normally type your message, and click on the paste option. The previously selected text should now be in the message.
9. Press Submit

If you would like to see information about any of the objects listed, you can click once on a listing, and then press the "Info on selected item..." button. This will bring up a screen similar to Figure 5 below:

Figure 5. Object Information

When you are done looking at the information for the various listings, and you feel that you are knowledgeable enough to continue, look through the listings and select the items you would like to remove by placing checkmarks in the checkboxes next to each listing as shown in Figure 6. At the end of the document we have included some basic ways to interpret the information in these log files. By no means is this information extensive enough to cover all decisions, but it should help you determine what is legitimate or not.
Figure 6. Select an item to Remove
Once you have selected the items you would like to remove, press the Fix Checked button, designated by the blue arrow, in Figure 6. HijackThis will then prompt you to confirm if you would like to remove those items. Press Yes or No depending on your choice.

How to restore items mistakenly deleted

HijackThis comes with a backup and restore procedure in the event that you erroneously remove an entry that is actually legitimate. If you have configured HijackThis as was shown in this tutorial, then you should be able to restore entries that you have previously deleted. If you have had your HijackThis program running from a temporary directory, then the restore procedure will not work.
If the configuration setting Make backups before fixing items is checked, HijackThis will make a backup of any entries that you fix in a directory called backups that resides in the same location as Hijackthis.exe.
If you start HijackThis and click on Config, and then the Backup button, you will be presented with a screen like Figure 7 below. You will have a listing of all the items that you had fixed previously and have the option of restoring them. Once you restore an item that is listed in this screen, upon scanning again with HijackThis, the entries will show up again.

Figure 7. Restoring a mistakenly removed entry

Once you are finished restoring those items that were mistakenly fixed, you can close the program.
How to Generate a Startup Listing
At times when you post your log to a message forum asking for assistance, the people helping may ask you to generate a listing of all the programs that automatically start on your computer. HijackThis has a built in tool that will allow you to do this.

In order to do this go into the Config option when you start HijackThis, which is designated by the blue arrow in Figure 2, and then click on the Misc Tools button at the top. You should see a screen similar to Figure 8 below.
Figure 8. Generating a StartupList Log.
You will then click on the button labeled Generate StartupList Log, which is designated by the red arrow in Figure 8. Once you click that button, the program will automatically open up a notepad filled with the Startup items from your computer. Copy and paste these entries into a message and submit it.

Hopefully with either your knowledge or help from others you will have cleaned up your computer. If you would like to learn more detailed information about what exactly each section in a scan log means, then continue reading.

How to use the Process Manager

HijackThis has a built in process manager that can be used to end processes as well as see what DLLs are loaded in that process. To access the process manager, you should click on the Config button and then click on the Misc Tools button. You should now see a new screen with one of the buttons being Open Process Manager. If you click on that button you will see a new screen similar to Figure 9 below.
Figure 9. HijackThis Process Manager
This window will list all open processes running on your machine. You can then click once on a process to select it, and then click on the Kill Process button designated by the red arrow in Figure 9 above. This will attempt to end the process running on the computer.

If you would like to terminate multiple processes at the same time, press and hold down the control key on your keyboard. While that key is pressed, click once on each process that you want to be terminated. As long as you hold down the control button while selecting the additional processes, you will be able to select multiple processes at one time. When you have selected all the processes you would like to terminate you would then press the Kill Process button.
If you would like to see what DLLs are loaded in a selected process, you can put a checkmark in the checkbox labeled Show DLLs, designated by the blue arrow in the figure above. This will split the process screen into two sections. The first section will list the processes like before, but now when you click on a particular process, the bottom section will list the DLLs loaded in that process.

To exit the process manager you need to click on the back button twice, which will place you at the main screen.
How to use the Hosts File Manager
HijackThis also has a rudimentary Hosts file manager. With this manager you can view your hosts file and delete lines in the file or toggle lines on or off. To access the Hosts file manager, you should click on the Config button and then click on the Misc Tools button. You should now see a new screen with one of the buttons being Hosts File Manager. If you click on that button you will see a new screen similar to Figure 10 below.
Figure 10: Hosts File Manager
This window will list the contents of your HOSTS file. To delete a line in your hosts file you would click on a line like the one designated by the blue arrow in Figure 10 above. This will select that line of text. Then you can either delete the line, by clicking on the Delete line(s) button, or toggle the line on or off, by clicking on the Toggle line(s) button. It is possible to select multiple lines at once using the shift and control keys or dragging your mouse over the lines you would like to interact with.

If you delete the lines, those lines will be deleted from your HOSTS file. If you toggle the lines, HijackThis will add a # sign in front of the line. This will comment out the line so that it will not be used by Windows. If you are unsure as to what to do, it is always safe to Toggle the line so that a # appears before it.

To exit the Hosts file manager you need to click on the back button twice, which will place you at the main screen.
How to use the Delete on Reboot tool
At times you may find a file that stubbornly refuses to be deleted by conventional means. HijackThis introduced, in
version 1.98.2, a method to have Windows delete the file as it boots up, before the file has the chance to load. To do
this follow these steps:
1. Start Hijackthis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the button labeled Delete a file on reboot...
5. A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file
and click on it once, and then click on the Open button.
6. You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you
would like to reboot now, otherwise click on the No button to reboot later.
How to use ADS Spy
There is a particular infection called Home Search Assistant or CWS_NS3 that will sometimes use a file called an
Alternate Data Stream File to infect your computer. These files can not be seen or deleted using normal methods. ADS
Spy was designed to help in removing these types of files. For those who are interested, you can learn more
about Alternate Data Streams and the Home Search Assistant by reading the following articles:
Windows Alternate Data Streams [Tutorial Link]
Home Search Assistant Analysis [Tutorial Link]
To use the ADS Spy utility you would start HijackThis and then click on the Config button. Then click on the Misc Tools
button and finally click on the ADS Spy button. When the ADS Spy utility opens you will see a screen similar to Figure
11 below.
Figure 11: ADS Spy
Press the Scan button and the program will start to scan your Windows folder for any files that are Alternate Data
Streams. If it finds any, it will display them similar to Figure 12 below.
Figure 12: Listing of found Alternate Data Streams
To remove one of the displayed ADS files, simply place a checkmark next to its entry and click on the Remove selected
button. This will remove the ADS file from your computer. When you are done, press the Back button next to the
Remove selected until you are at the main HijackThis screen.
How to use the Uninstall Manager
The Uninstall Manager allows you to manage the entries found in your control panel's Add/Remove Programs list.
When cleaning malware from a machine, entries in the Add/Remove Programs list invariably get left behind. Many users
understandably like to have a clean Add/Remove Programs list and have difficulty removing these errant entries. Using
the Uninstall Manager you can remove these entries from your uninstall list.
To access the Uninstall Manager you would do the following:
1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
You will now be presented with a screen similar to the one below:
Figure 13: HijackThis Uninstall Manager
To delete an entry simply click on the entry you would like to remove and then click on the Delete this entry button. If
you want to change the program this entry is associated with you can click on the Edit uninstall command button and
enter the path to the program that should be run if you double-click on that entry in the Add/Remove Programs list.
This last function should only be used if you know what you are doing.
If you are asked to save this list and post it so someone can examine it and advise you as to what you should remove,
you can click on the Save list... button and specify where you would like to save this file. When you press the Save button
a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into a reply in
the topic you are getting help in.
How to interpret the scan listings
This next section is to help you diagnose the output from a HijackThis scan. If you are still unsure of what to do, or
would like to ask us to interpret your log, paste your log into a post in our Privacy Forum.
Every line on the Scan List for HijackThis starts with a section name. Below is a list of these section names and their
explanations. You can click on a section name to bring you to the appropriate section.
Section Name Description
R0, R1, R2, R3 Internet Explorer Start/Search pages URLs
F0, F1, F2, F3 Auto loading programs
N1, N2, N3, N4 Netscape/Mozilla Start/Search pages URLs
O1 Hosts file redirection
O2 Browser Helper Objects
O3 Internet Explorer toolbars
O4 Auto loading programs from Registry
O5 IE Options icon not visible in Control Panel
O6 IE Options access restricted by Administrator
O7 Regedit access restricted by Administrator
O8 Extra items in the IE right-click menu
O9 Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu
O10 Winsock hijacker
O11 Extra group in IE 'Advanced Options' window
O12 IE plugins
O13 IE Default Prefix hijack
O14 'Reset Web Settings' hijack
O15 Unwanted site in Trusted Zone
O16 ActiveX Objects (aka Downloaded Program Files)
O17 Lop.com/Domain Hijackers
O18 Extra protocols and protocol hijackers
O19 User style sheet hijack
O20 AppInit_DLLs Registry value Autorun
O21 ShellServiceObjectDelayLoad
O22 SharedTaskScheduler
O23 Windows XP/NT/2000 Services
O24 Windows Active Desktop Components
It is important to note that certain sections use an internal white list so that HijackThis will not show known legitimate
files. To disable this white list, start HijackThis with the following command line instead: hijackthis.exe /ihatewhitelists.
In our explanations of each section we will try to explain in layman's terms what they mean. We will also tell you what
registry keys they usually use and/or files that they use. Finally we will give you recommendations on what to do with
the entries.
R0, R1, R2, R3 Sections
This section covers the Internet Explorer Start Page, Home Page, and Url Search Hooks.
R0 is for Internet Explorer's starting page and search assistant.
R1 is for Internet Explorer's Search functions and other characteristics.
R2 is not used currently.
R3 is for a Url Search Hook. A Url Search Hook is used when you type an address in the location field of the browser,
but do not include a protocol such as http:// or ftp:// in the address. When you enter such an address, the browser
will attempt to figure out the correct protocol on its own, and if it fails to do so, will use the UrlSearchHook listed in the
R3 section to try to find the location you entered.
Some Registry Keys: HKLM\Software\Microsoft\Internet Explorer\Main,Start Page
HKCU\Software\Microsoft\Internet Explorer\Main: Start Page
HKLM\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
HKCU\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
HKLM\Software\Microsoft\Internet Explorer\Main: Search Page
HKCU\Software\Microsoft\Internet Explorer\Main: Search Page
HKCU\Software\Microsoft\Internet Explorer\SearchURL: (Default)
HKCU\Software\Microsoft\Internet Explorer\Main: Window Title
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: ProxyOverride
HKCU\Software\Microsoft\Internet Connection Wizard: ShellNext
HKCU\Software\Microsoft\Internet Explorer\Main: Search Bar
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant
Example Listing:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
A common question is what does it mean when the word Obfuscated is next to one of these entries. When something
is obfuscated that means that it is being made difficult to perceive or understand. In Spyware terms that means the
Spyware or Hijacker is hiding an entry it made by converting the values into some other form that it understands
easily, but humans would have trouble recognizing, such as adding entries into the registry in Hexadecimal. This is just
another method of hiding its presence and making it difficult to be removed.
If you do not recognize the web site that either R0 and R1 are pointing to, and you want to change it, then you can
have HijackThis safely fix these, as they will not be detrimental to your Internet Explorer install. If you would like to
see what sites they are, you can go to the site, and if it's a lot of popups and links, you can almost always delete it. It
is important to note that if an R0/R1 points to a file, and you fix the entry with HijackThis, HijackThis will not delete that
particular file and you will have to do it manually.
There are certain R3 entries that end with an underscore (_). An example of what one would look like is:
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
Notice that the CLSID, the numbers between the { }, has a _ at the end of it; such entries may sometimes be difficult to remove
with HijackThis. To fix this you will need to delete the particular registry entry manually by going to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
Then delete the CLSID entry under it that you would like to remove. Please leave the CLSID,
CFBFAE00-17A6-11D0-99CB-00C04FD64497, as it is the valid default one.
Unless you recognize the software being used as the UrlSearchHook, you should generally Google it and after doing
some research, allow HijackThis to fix it.
F0, F1, F2, F3 Sections
These sections cover applications that are loaded from your .INI files, system.ini and win.ini, in Windows ME and below
or their equivalent places in the registry for Windows NT based versions. The Windows NT based versions are XP,
2000, 2003, and Vista.
An F0 entry corresponds to the Shell= statement, under the [Boot] section, of the System.ini file. The Shell= statement
in the system.ini file is used to designate what program would act as the shell for the operating system.
Example Listing:
F0 - system.ini: Shell=Explorer.exe badprogram.exe
Files Used: c:\windows\system.ini
The Shell is the program that would load your desktop, handle window management, and allow the user to interact
with the system. Any program listed after the shell statement will be loaded when Windows starts, and act as the
default shell. There were some programs that acted as valid shell replacements, but they are generally no longer
used. Windows 95, 98, and ME all used Explorer.exe as their shell by default. Windows 3.X used Progman.exe as its
shell. It is also possible to list other programs that will launch as Windows loads in the same Shell= line, such as
Shell=explorer.exe badprogram.exe. This line will make both programs start when Windows loads.
An F1 entry corresponds to the Run= or Load= entry in the win.ini file. Like the system.ini file, the win.ini file is typically
only used in Windows ME and below.
Example Listing:
F1 - win.ini: load=bad.pif
F1 - win.ini: run=evil.pif
Files Used: c:\windows\win.ini
Any programs listed after the run= or load= will load when Windows starts. This run= statement was used during the
Windows 3.1, 95, and 98 years and is kept for backwards compatibility with older programs. Most modern programs do
not use this ini setting, and if you do not use older programs you can rightfully be suspicious. The load= statement was
used to load drivers for your hardware. On Windows NT based systems (Windows 2000, XP, etc) HijackThis will show
the entries found in win.ini and system.ini, but Windows NT based systems will not execute the files listed there.
F2 and F3 entries correspond to the equivalent locations as F0 and F1, but they are instead stored in the registry for
Windows versions XP, 2000, and NT. These versions of Windows do not use the system.ini and win.ini files. Instead for
backwards compatibility they use a function called IniFileMapping. IniFileMapping puts all of the contents of an .ini file
in the registry, with keys for each line found in the .ini key stored there. Then when you run a program that normally
reads its settings from an .ini file, it will first check the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping for an .ini mapping, and if
found will read the settings from there instead. You can see that these entries, in the examples below, are referring to
the registry as they will contain REG and then the .ini file which IniFileMapping is referring to.
F2 entries are displayed when there is a value that is not whitelisted, or considered safe, in the registry key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon under the values Shell
and Userinit.
Example Listings:
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
F2 - REG:system.ini: Shell=explorer.exe beta.exe
Registry Keys: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
The Shell registry value is equivalent to the function of the Shell= in the system.ini file as described above. The
Userinit value specifies what program should be launched right after a user logs into Windows. The default program
for this key is C:\windows\system32\userinit.exe. Userinit.exe is a program that restores your profile, fonts, colors, etc
for your username. It is possible to add further programs that will launch from this key by separating the programs
with a comma. For example: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
=C:\windows\system32\userinit.exe,c:\windows\badprogram.exe. This will make both programs launch when you login
and is a common place for trojans, hijackers, and spyware to launch from. It should be noted that the Userinit and
the Shell F2 entries will not show in HijackThis unless there is a non-whitelisted value listed.
F3 entries are displayed when there is a value that is not whitelisted in the registry key
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows under the values load and run. These entries
are the Windows NT equivalent of those found in the F1 entries as described above.
Example Listings:
F3 - REG:win.ini: load=chocolate.exe
F3 - REG:win.ini: run=beer.exe
Registry Keys: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\run
For F0 if you see a statement like Shell=Explorer.exe something.exe, then you can generally delete it, but you should
first consult Google and the sites listed below.
For F1 entries you should google the entries found here to determine if they are legitimate programs. You can also
search at the sites below for the entry to see what it does.
For F2, if you see UserInit=userinit.exe, with or without nddeagnt.exe, as in the above example, then you can leave
that entry alone. If you see UserInit=userinit.exe (notice no comma) that is still ok, so you should leave it alone. If you
see another entry with userinit.exe, then that could potentially be a trojan or other malware. The same goes for F2
Shell=; if you see explorer.exe by itself, it should be fine; if you don't, as in the above example listing, then it could be
a potential trojan or malware. You can generally delete these entries, but you should consult Google and the sites
listed below.
Please be aware that when these entries are fixed HijackThis does not delete the file associated with it. You must
manually delete these files.
Sites to use for research on these entries:
Bleeping Computer Startup Database
Answers that work
Greatis Startup Application Database
Pacman's Startup Programs List
Pacman's Startup Lists for Offline Reading
Kephyr File Database
Wintasks Process Library
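As an added example (not part of the tutorial and not HijackThis's own code), the following Python applies the guidance above to R3 and F0-F3 log lines: it splits Shell=, UserInit=, run= and load= values into their programs, flags anything beyond the defaults the text calls clean, and spots a URLSearchHook CLSID with the trailing underscore. The sample lines are constructed in the shape of this page's listings, and the "extras" heuristic is an assumption of the example, not a rule HijackThis implements.

```python
import re
from typing import Optional

# Constructed sample log lines, in the shape of the listings shown in this tutorial.
SAMPLE_LOG = """
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
F0 - system.ini: Shell=Explorer.exe badprogram.exe
F1 - win.ini: load=bad.pif
F2 - REG:system.ini: UserInit=userinit,nddeagnt.exe
F2 - REG:system.ini: Shell=explorer.exe beta.exe
F3 - REG:win.ini: run=beer.exe
"""

# What the tutorial calls a clean value: explorer.exe alone for Shell=, userinit.exe with or
# without nddeagnt.exe for UserInit=. Compared by stem because the log shows "userinit" bare.
EXPECTED = {"shell": {"explorer"}, "userinit": {"userinit", "nddeagnt"}}

# The valid default URLSearchHook CLSID that the tutorial says to leave in place.
DEFAULT_SEARCH_HOOK = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"
SEARCH_HOOK_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks"

F_LINE = re.compile(r"^(F[0-3]) - (REG:)?(system\.ini|win\.ini): (\w+)=(.*)$")
R3_LINE = re.compile(r"^R3 - URLSearchHook: .*? - (\{[0-9A-Fa-f-]{36}\})(_?) - ")


def program_stem(token: str) -> str:
    """Lower-case file name without a trailing .exe, from a bare name or a full path."""
    name = token.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def triage_f_line(line: str) -> Optional[dict]:
    """Split an F0-F3 entry into its programs and flag anything beyond the expected defaults."""
    m = F_LINE.match(line.strip())
    if not m:
        return None
    section, reg, ini, key, value = m.groups()
    key = key.lower()
    # Shell= separates programs with spaces (as in the tutorial's examples);
    # UserInit=, run= and load= use commas.
    sep = " " if key == "shell" else ","
    programs = [program_stem(p) for p in value.split(sep) if p.strip()]
    if key in EXPECTED:
        extras = [p for p in programs if p not in EXPECTED[key]]
    else:
        # run= and load= are rarely used by modern software, so every program listed
        # there is worth looking up before deciding what to do with it.
        extras = programs
    return {"section": section, "source": ("REG:" if reg else "") + ini, "key": key,
            "programs": programs, "extras": extras, "suspicious": bool(extras)}


def triage_r3_line(line: str) -> Optional[dict]:
    """Classify an R3 URLSearchHook entry by its CLSID, as the tutorial describes."""
    m = R3_LINE.match(line.strip())
    if not m:
        return None
    clsid, underscore = m.groups()
    is_default = clsid.upper() == DEFAULT_SEARCH_HOOK
    if underscore:
        action = ("delete the '%s_' entry by hand under %s and keep %s"
                  % (clsid, SEARCH_HOOK_KEY, DEFAULT_SEARCH_HOOK))
    elif is_default:
        action = "leave alone (valid default hook)"
    else:
        action = "research the CLSID, then let HijackThis fix it"
    return {"section": "R3", "clsid": clsid, "trailing_underscore": bool(underscore),
            "default_hook": is_default, "action": action}


def triage_log(text: str) -> list:
    """Run both triage functions over every line of a log excerpt and collect the findings."""
    findings = []
    for line in text.splitlines():
        result = triage_f_line(line) or triage_r3_line(line)
        if result:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```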
N1, N2, N3, N4 Sections
These sections are for Netscape and Mozilla browsers' Start and default search pages.
These entries are stored in the prefs.js files stored in different places under the C:\Documents and
Settings\YourUserName\Application Data folder. Netscape 4's entries are stored in the prefs.js file in the program
directory which is generally DriveLetter:\Program Files\Netscape\Users\default\prefs.js.
N1 corresponds to Netscape 4's Startup Page and default search page.
N2 corresponds to Netscape 6's Startup Page and default search page.
N3 corresponds to Netscape 7's Startup Page and default search page.
N4 corresponds to Mozilla's Startup Page and default search page.
Files Used: prefs.js
As most spyware and hijackers tend to target Internet Explorer these are usually safe. If you see web sites listed in
here that you have not set, you can use HijackThis to fix it. There is one known site that does change these settings,
and that is Lop.com which is discussed here.
O1 Section
This section corresponds to Host file Redirection.
The hosts file contains mappings for hostnames to IP addresses. For example, if I enter in my host file:
127.0.0.1 www.bleepingcomputer.com
and you try to go to www.bleepingcomputer.com, it will check the hosts file, see the entry and convert that to the IP
address of 127.0.0.1 instead of its correct address.
Host file redirection is when a hijacker changes your hosts file to redirect your attempts to reach a certain web site to
another site. So if someone added an entry like:
127.0.0.1 www.google.com
and you tried to go to www.google.com, you would instead get redirected to 127.0.0.1 which is your own computer.
Example Listing:
O1 - Hosts: 192.168.1.1 www.google.com
Files Used: The hosts file is a text file that can be edited by any text editor and is stored by default in the following
places for each Operating System, unless you chose to install to different paths:
Operating System Location
Windows 3.1 C:\WINDOWS\HOSTS
Windows 95 C:\WINDOWS\HOSTS
Windows 98 C:\WINDOWS\HOSTS
Windows ME C:\WINDOWS\HOSTS
Windows XP C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
Windows NT C:\WINNT\SYSTEM32\DRIVERS\ETC\HOSTS
Windows 2000 C:\WINNT\SYSTEM32\DRIVERS\ETC\HOSTS
Windows 2003 C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS
The location of the Hosts file can be changed by modifying the Registry key below for Windows NT/2000/XP.
Registry Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters: DatabasePath
If you see entries like the above example, and they are not there for a specific reason that you know about, you can
safely remove them.
If you see an entry Hosts file is located at C:\Windows\Help\hosts, that means you are infected with
CoolWebSearch. If the Hosts file is located in a location that is not the default for your operating system (see the table
above), then you should have HijackThis fix this as it is most likely caused by an infection.
You can also download the program HostsXpert which gives you the ability to restore the default host file back onto
your machine. To do so, download the HostsXpert program and run it. When it opens, click on the Restore Original
Hosts button and then exit HostsXpert.
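The following Python is an added example, not the tutorial's or HijackThis's own code, that models what the Hosts File Manager section and this O1 section describe: it parses a hosts file, toggles a line on or off by adding or removing the leading # the way the Toggle line(s) button does, and lists the active mappings that redirect a non-local hostname in the O1 - Hosts: format. The hosts file content is constructed, and the set of names treated as normal loopback entries is an assumption of the example.

```python
import ipaddress

# Constructed sample hosts file in the shape the tutorial describes (not a real capture).
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       www.google.com
192.168.1.1     www.google.com
# 127.0.0.1     www.bleepingcomputer.com
"""

# Assumed set of names whose loopback mapping is the normal content of a hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts_line(raw):
    """Return {'active', 'ip', 'names'} for a mapping line, or None for blank and comment-only lines."""
    text = raw.strip()
    commented = text.startswith("#")
    body = text.lstrip("#").split("#", 1)[0].strip()   # drop the toggle marker and inline comments
    parts = body.split()
    if len(parts) < 2:
        return None
    try:
        ipaddress.ip_address(parts[0])
    except ValueError:
        return None                                    # ordinary comment text, not a disabled mapping
    return {"active": not commented, "ip": parts[0], "names": parts[1:]}


def toggle_line(raw):
    """Toggle one line as the Toggle line(s) button does: prepend a #, or strip the one already there."""
    stripped = raw.lstrip()
    if stripped.startswith("#"):
        return stripped[1:].lstrip()
    return "# " + raw


def toggle_lines(text, numbers):
    """Return the hosts file text with the given 1-based line numbers toggled."""
    lines = text.splitlines()
    for n in numbers:
        lines[n - 1] = toggle_line(lines[n - 1])
    return "\n".join(lines) + "\n"


def o1_entries(text):
    """Active mappings that redirect a non-local hostname, in HijackThis O1 - Hosts: form."""
    entries = []
    for number, raw in enumerate(text.splitlines(), start=1):
        rec = parse_hosts_line(raw)
        if not rec or not rec["active"]:
            continue                                   # toggled-off lines are not used by Windows
        for name in rec["names"]:
            if name.lower() in LOCAL_NAMES:
                continue
            entries.append({"line": number, "ip": rec["ip"], "name": name,
                            "listing": "O1 - Hosts: %s %s" % (rec["ip"], name)})
    return entries


if __name__ == "__main__":
    flagged = o1_entries(SAMPLE_HOSTS)
    for e in flagged:
        print("line %d: %s" % (e["line"], e["listing"]))
    # Commenting the flagged lines out is the safe choice the tutorial recommends when unsure.
    print(toggle_lines(SAMPLE_HOSTS, [e["line"] for e in flagged]))
```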
O2 Section
This section corresponds to Browser Helper Objects.
Browser helper objects are plugins to your browser that extend the functionality of it. They can be used by spyware as
well as legitimate programs such as Google Toolbar and Adobe Acrobat Reader. You must do your research when
deciding whether or not to remove any of these as some may be legitimate.
Registry Keys: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
Example
Listing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} -
C:\Program Files\Norton Antivirus\NavShExt.dll
There is an excellent list of known CLSIDs associated with Browser Helper Objects and Toolbars, compiled by Tony
Klein, here: CLSID List. When consulting the list, use the CLSID, which is the number between the curly brackets in
the listing. The CLSID in the listing refers to registry entries that contain information about the Browser Helper Objects
or Toolbars.
When you fix these types of entries with HijackThis, HijackThis will attempt to delete the offending file listed. There
are times that the file may be in use even if Internet Explorer is shut down. If the file still exists after you fix it with
HijackThis, it is recommended that you reboot into safe mode and delete the offending file.
O3 Section
This section corresponds to Internet Explorer toolbars.
These are the toolbars that are underneath your navigation bar and menu in Internet Explorer.
Registry Keys: HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar
Example
Listing
O3 - Toolbar: Norton Antivirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program
Files\Norton Antivirus\NavShExt.dll
There is an excellent list of known CLSIDs associated with Browser Helper Objects and Toolbars, compiled by Tony
Klein, here: CLSID List. When consulting the list, use the CLSID, which is the number between the curly brackets in
the listing. The CLSID in the listing refers to registry entries that contain information about the Browser Helper Objects
or Toolbars.
When you fix these types of entries, HijackThis will not delete the offending file listed. It is recommended that you
reboot into safe mode and delete the offending file.
O4 Section
This section corresponds to certain registry keys and startup folders that are used to automatically start an application
when Windows starts. O4 keys are the HJT entries that the majority of programs use to autostart, so particular care
must be used when examining these keys. The O4 Registry keys and directory locations are listed below and apply, for
the most part, to all versions of Windows.
As of HijackThis version 2.0, HijackThis will also list entries for other users that are actively logged into a computer at
the time of the scan by reading the information from the HKEY_USERS registry key. If a user is not logged on at the
time of the scan, their user key will not be loaded, and therefore HijackThis will not list their autoruns. When working
on HijackThis logs it is not advised to use HijackThis to fix entries in a person's log when the user has multiple
accounts logged in. We advise this because the other user's processes may conflict with the fixes we are having the
user run.
The current locations that O4 entries are listed from are:
Directory Locations:
User's Startup Folder: Any files located in a user's Start Menu Startup folder will be listed as an O4 -
Startup. This location, for the newer versions of Windows, is C:\Documents and
Settings\USERNAME\Start Menu\Programs\Startup or under
C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu in Vista. These entries will be
executed when the particular user logs onto the computer.
All Users Startup Folder: These items refer to applications that load by having them in the All Users
profile Start Menu Startup Folder and will be listed as O4 - Global Startup. This location, for the newer
versions of Windows, is C:\Documents and Settings\All Users\Start Menu\Programs\Startup or under
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup in Vista. These entries will be executed
when any user logs onto the computer.
Startup Registry Keys: O4 entries that utilize registry keys will start with the abbreviated registry key in the entry
listing. Examples and their descriptions can be seen below. For all of the keys below, if the key is located under HKCU,
then that means the program will only be launched when that particular user logs on to the computer. If the entry is
located under HKLM, then the program will be launched for all users that log on to the computer.
Note: In the listing below, HKLM stands for HKEY_LOCAL_MACHINE and HKCU stands for HKEY_CURRENT_USER.
The Run keys are used to launch a program automatically when a user, or all users, logs on to the machine.
Run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The RunOnce keys are used to launch a service or background process whenever a user, or all users, logs on to the
computer. Once the program is successfully launched for the first time its entry will be removed from the Registry so it
does not run again on subsequent logons.
RunOnce keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
The RunServices keys are used to launch a service or background process whenever a user, or all users, logs on to
the computer.
RunServices keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
The RunServicesOnce keys are used to launch a service or background process whenever a user, or all users, logs on
to the computer. Unlike the RunServices keys, when a program is launched from the RunServicesOnce key its entry will
be removed from the Registry so it does not run again on subsequent logons.
RunServicesOnce keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
The RunOnceEx keys are used to launch a program once and then remove itself from the Registry. This particular key
is typically used by installation or update programs.
RunOnceEx key:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
The Policies\Explorer\Run keys are used by network administrators to set a group policy setting that has a
program automatically launch when a user, or all users, logs on to the computer. Under the Policies\Explorer\Run key
are a series of values, which have a program name as their data. When a user, or all users, logs on to the computer
each of the values under the Run key is executed and the corresponding programs are launched.
Policies\Explorer\Run keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
A complete listing of other startup locations that are not necessarily included in HijackThis can be found here:
Windows Program Automatic Startup Locations
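As an added example (not code from the tutorial or from HijackThis), the following Python breaks O4 lines into the pieces described above: the abbreviated hive and key expanded to the full registry path, the value name, the launched command and its executable, the startup folder for Startup and Global Startup entries, and the SID and username of a user logged on in the background. The sample lines are constructed in the shape of this page's listings; the expansion of HKUS\SID to a full path and the scope labels are assumptions of the example.

```python
import re

# Constructed sample lines in the shape of the O4 listings shown in this tutorial.
SAMPLE_O4 = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - S-1-5-21-1222272861-2000431354-1005 Startup: numlock.vbs (User 'BleepingComputer.com')
O4 - HKUS\S-1-5-21-1229272821-2000478354-1005\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide (User 'BleepingComputer.com')
"""

# HijackThis abbreviates the middle of every O4 registry key to "..";
# the keys the tutorial lists all sit under this path.
CURRENT_VERSION = r"Software\Microsoft\Windows\CurrentVersion"

USER_SUFFIX = re.compile(r"\s*\(User '([^']*)'\)\s*$")
REG_ENTRY = re.compile(
    r"^O4 - (HKLM|HKCU|HKUS)(?:\\(S-[\d-]+))?\\\.\.\\([^:]+): \[([^\]]*)\] (.*)$")
FOLDER_ENTRY = re.compile(r"^O4 - (?:(S-[\d-]+) )?(Global Startup|Startup): (.*)$")
EXECUTABLE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|bat|cmd|pif|scr|vbs))(?=\s|$)', re.I)


def executable_of(command):
    """First program in a command line: a quoted path, or an unquoted path up to its extension."""
    m = EXECUTABLE.match(command)
    if m:
        return m.group(1) or m.group(2)
    return command.split()[0] if command.split() else ""


def scope_of(hive_or_folder, sid):
    """Who the entry runs for, following the tutorial's HKLM / HKCU / HKUS and startup folder rules."""
    if hive_or_folder in ("HKLM", "Global Startup"):
        return "all users"
    return "background user" if sid else "current user"


def parse_o4(line):
    """Parse one O4 line into a dict, or return None if it is not an O4 entry."""
    line = line.strip()
    user = None
    m = USER_SUFFIX.search(line)
    if m:                                   # "(User 'name')" marks a user logged on in the background
        user, line = m.group(1), line[:m.start()]
    m = REG_ENTRY.match(line)
    if m:
        hive, sid, key, value_name, command = m.groups()
        prefix = hive + ("\\" + sid if sid else "")   # HKUS\<SID>\... is an assumed expansion
        return {"kind": "registry", "hive": hive, "sid": sid,
                "key": prefix + "\\" + CURRENT_VERSION + "\\" + key,
                "value_name": value_name, "command": command,
                "executable": executable_of(command), "user": user, "scope": scope_of(hive, sid)}
    m = FOLDER_ENTRY.match(line)
    if m:
        sid, folder, item = m.groups()
        target = None
        if " = " in item:                   # "name.lnk = target" shows where a shortcut points
            item, target = item.split(" = ", 1)
        return {"kind": "folder", "folder": folder, "sid": sid, "item": item,
                "target": target, "executable": executable_of(target or item),
                "user": user, "scope": scope_of(folder, sid)}
    return None


def parse_o4_listing(text):
    """Parse every O4 line in a log excerpt, skipping lines that are not O4 entries."""
    return [entry for entry in (parse_o4(line) for line in text.splitlines()) if entry]


if __name__ == "__main__":
    for entry in parse_o4_listing(SAMPLE_O4):
        print(entry["scope"], "|", entry.get("key") or entry["folder"], "|", entry["executable"])
```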
A sample of the type of O4 listings that you can se e in HijackThis can be seen below:
04 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 Gl b l S Ad b R d S d L h l k D \P Fil \Ad b \A b
http://pdfcrowd.com/http://pdfcrowd.com/redirect/?url=http%3a%2f%2fwww.bleepingcomputer.com%2ftutorials%2fhow-to-use-hijackthis%2f&id=ma-130428172259-2c2df1f7http://pdfcrowd.com/customize/http://pdfcrowd.com/html-to-pdf-api/?ref=pdfhttp://www.bleepingcomputer.com/tutorials/windows-program-automatic-startup-locations/ -
7/30/2019 Www Bleepingcomputer Com Tutorials How to Use Hijackthis
28/46
pdfcrowd.comopen in browser PRO version Are you a developer? Try out the HTML to PDF API
Example
Listings:
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat
7.0\Reader\reader_sl.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - S-1-5-21-1222272861-2000431354-1005 Startup: numlock.vbs (User 'BleepingC omputer.com')
O4 - HKUS\S-1-5-21-1229272821-2000478354--1005\..\Run: [Windows Defender] "C:\Program Files\Windows
Defender\MSASCui.exe" -hide (User 'BleepingComputer.com')
Looking at the examples above, we see 5 different startup entries, with 2 of them being for users who are logged on in the background. If an entry starts with a long series of numbers and contains a username surrounded by parentheses at the end, then it is an O4 entry for a user logged on in the background. Let's break down the examples one by one.
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install - This entry corresponds to a startup launching from HKLM\Software\Microsoft\Windows\CurrentVersion\Run for the currently logged in user. The name of the Registry value is nwiz and when the entry is started it will launch the nwiz.exe /install command.
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe - This entry corresponds to a program started by the All Users Startup Folder located at C:\Documents and Settings\All Users\Start Menu\Programs\Startup.
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe - This
entry corresponds to a value located under the
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run key. The name of the Registry value is
user32.dll and its data is C:\Program Files\Video ActiveX Access\iesmn.exe. This particular example happens to
be malware related.
O4 - S-1-5-21-1222272861-2000431354-1005 Startup: numlock.vbs (User 'BleepingComputer.com') - This particular entry is a little different. As you can see there is a long series of numbers before it, and it states at the end of the entry the user it belongs to. Those numbers at the beginning are the user's SID, or security identifier, a number that is unique to each user on your computer. This SID translates to the BleepingComputer.com Windows user as shown at the end of the entry. The rest of the entry is the same as a normal one, with the program being launched from a user's Start Menu Startup folder and the program being launched is numlock.vbs.
O4 - HKUS\S-1-5-21-1222272861-2000431354-1005\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide (User 'BleepingComputer.com') - This type of entry is similar to the first example, except that it belongs to the BleepingComputer.com user. This is just another example of HijackThis listing other logged in users' autostart entries.
Now that we know how to interpret the entries, let's learn how to fix them. When you fix O4 entries, HijackThis will not delete the files associated with the entry. Instead, you must delete these manually afterwards, usually by having the user first reboot into safe mode. The Global Startup and Startup entries work a little differently. HijackThis will delete the shortcuts found in these entries, but not the file they are pointing to. If an actual executable resides in the Global Startup or Startup directories then the offending file WILL be deleted.
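To make the breakdown above concrete, here is an added Python example (my code, not code from the tutorial or from HijackThis) that parses O4 lines of the shapes shown above into their parts: which Registry key or Startup folder the entry lives in, the value name, the program that is launched, and, for background-user entries, the SID and the user name HijackThis resolved it to. It also pulls the launched program's path out of the command line, which is the file you have to remove by hand after letting HijackThis fix the entry. The sample log lines are constructed from the examples on this page (one SID is used for both user entries); the expansion of HKUS\<SID> to an HKEY_USERS path and the list of launchable extensions are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry-based O4 entry, e.g.
#   O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
#   O4 - HKUS\S-1-5-21-...-1005\..\Run: [Name] "C:\path\prog.exe" -hide (User 'X')
REG_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS)(?:\\(?P<sid>S-1-5-[\d-]+))?\\\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\] (?P<command>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Startup-folder O4 entry, e.g.
#   O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\...\reader_sl.exe
#   O4 - S-1-5-21-...-1005 Startup: numlock.vbs (User 'X')
FOLDER_RE = re.compile(
    r"^O4 - (?:(?P<scope>Global)|(?P<sid>S-1-5-[\d-]+)) Startup: (?P<item>[^=]+?)"
    r"(?: = (?P<target>.*?))?(?: \(User '(?P<user>[^']*)'\))?$"
)
# "..\" in a listing stands for this path (see the key list above).
CURRENT_VERSION = r"Software\Microsoft\Windows\CurrentVersion"
# Assumed set of launchable extensions, used to cut an unquoted path out of a command line.
EXE_RE = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>.+?\.(?:exe|com|scr|bat|cmd|vbs|dll)))',
                    re.IGNORECASE)


@dataclass
class O4Entry:
    source: str            # "registry" or "startup-folder"
    location: str          # expanded Registry key, or which Startup folder
    name: str              # Registry value name, or the shortcut/file name in the folder
    command: str           # command line, or the shortcut target
    sid: Optional[str]     # set only for a user logged on in the background
    user: Optional[str]    # user name HijackThis resolved that SID to


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one O4 line into its parts; returns None for anything else."""
    m = REG_RE.match(line.strip())
    if m:
        sid = m.group("sid")
        # Assumption: HKUS\<SID> in a listing is that user's hive under HKEY_USERS.
        root = f"HKU\\{sid}" if sid else m.group("hive")
        return O4Entry("registry", f"{root}\\{CURRENT_VERSION}\\{m.group('key')}",
                       m.group("name"), m.group("command"), sid, m.group("user"))
    m = FOLDER_RE.match(line.strip())
    if m:
        item = m.group("item").strip()
        folder = "All Users Startup folder" if m.group("scope") else "user's Start Menu Startup folder"
        return O4Entry("startup-folder", folder, item, m.group("target") or item,
                       m.group("sid"), m.group("user"))
    return None


def parse_log(text: str) -> List[O4Entry]:
    """Collect every O4 entry from a HijackThis log."""
    entries = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry:
            entries.append(entry)
    return entries


def executable_path(command: str) -> str:
    """The program a command line launches: the quoted path, or the text up to the
    first launchable extension when the path is unquoted."""
    m = EXE_RE.match(command.strip())
    if not m:
        return command.strip()
    return m.group("quoted") or m.group("bare")


def background_user_entries(entries: List[O4Entry]) -> List[O4Entry]:
    """Entries that belong to another user logged on in the background (they carry a SID)."""
    return [e for e in entries if e.sid]


# Constructed from the example listings above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - Global Startup: Adobe Reader Speed Launch.lnk = D:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - HKLM\..\Policies\Explorer\Run: [user32.dll] C:\Program Files\Video ActiveX Access\iesmn.exe
O4 - S-1-5-21-1222272861-2000431354-1005 Startup: numlock.vbs (User 'BleepingComputer.com')
O4 - HKUS\S-1-5-21-1222272861-2000431354-1005\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide (User 'BleepingComputer.com')
"""

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        who = f"  [user {e.user}, SID {e.sid}]" if e.sid else ""
        print(f"{e.source:<14} {e.location}{who}")
        print(f"{'':<14} {e.name} -> file to remove by hand: {executable_path(e.command)}")
```

The two regular expressions mirror the two families the breakdown describes: Registry entries carry a `[value name]` and a command line, Startup-folder entries carry a shortcut or file name and, for shortcuts, the target after `=`. Anything with a SID is one of the background-user entries, which is what `background_user_entries` picks out.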
When examining O4 entries and trying to determine what they are for you should consult one of the following lists:
Bleeping Computer Startup Database (http://www.bleepingcomputer.com/startups/)
Answers that work (http://www.answersthatwork.com/Tasklist_pages/tasklist.htm)
Greatis Startup Application Database (http://greatis.com/regrun3appdatabase.htm)
Pacman's Startup Programs List (http://www.sysinfo.org/startuplist.php)
Pacman's Startup Lists for Offline Reading (http://www.pacs-portal.co.uk/startup_content.php#THE_PROGRAMS)
Kephyr File Database (http://www.kephyr.com/filedb/index.php)
Wintasks Process Library (http://www.liutilities.com/products/wintaskspro/processlibrary/)
Windows Startup Online Database (http://www.windowsstartup.com/wso/search.php)
O5 Section
This section corresponds to having your Internet Explorer control shown in the Control Panel.
It is possible to hide a control in the Control Panel by adding an entry to the file called control.ini, which is stored, for Windows XP at least, in c:\windows\control.ini. From within that file you can specify which specific control panels should not be visible.
File Used: control.ini
Example Listing: O5 - control.ini: inetcpl.cpl=no
If you see a line like the one above then that may be a sign that a piece of software is trying to make it difficult for you to change your settings. Unless it is there for a specific known reason, like the administrator set that policy or Spybot S&D put the restriction in place, you can have HijackThis fix it.
O6 Section
This section corresponds to an administrative lock down for changing the options or homepage in Internet Explorer by changing certain settings in the registry.
Registry Key: HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
Example Listing: O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
These options should only appear if your administrator set them on purpose or if you used Spybot's Home Page and Option Lock down features in the Mode -> Advanced Mode -> Tools -> IE Tweaks section.
O7 Section
This section corresponds to Regedit not being allowed to run by changing an entry in the registry.
Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Example Listing: O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System: DisableRegedit=1
Please note that many Administrators at offices lock this down on purpose so having HijackThis fix this may be a breach of corporate policy. If you are the Administrator and it has been enabled without your permission, then have HijackThis fix it.
O8 Section
This section corresponds to extra items being found in the Context Menu of Internet Explorer.
Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt
Example Listing: O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
Each O8 entry will be a menu option that is shown when you right-click in Internet Explorer. The program shown in the entry will be what is launched when you actually select this menu option. Certain ones, like "Browser Pal", should always be removed, and the rest should be researched using Google. An example of a legitimate program that you may find here is the Google Toolbar.
When you fix these types of entries, HijackThis does not delete the file listed in the entry. If you need to remove this file, it is recommended that you reboot into safe mode and delete the file there.
O9 Section
This section corresponds to having buttons on the main Internet Explorer toolbar or items in the Internet Explorer 'Tools' menu that are not part of the default installation.
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions
Example Listing: O9 - Extra Button: AIM (HKLM)
If you do not need these buttons or menu items or recognize them as malware, you can remove them safely.
When you fix these types of entries, HijackThis will not delete the offending file listed. It is recommended that you reboot into safe mode and delete the offending file.
O10 Section
This section corresponds to Winsock Hijackers, otherwise known as LSPs (Layered Service Providers).
LSPs are a way to chain a piece of software to your Winsock 2 implementation on your computer. Since the LSPs are chained together, when Winsock is used, the data is also transported through each of the LSPs in the chain. Spyware and Hijackers can use LSPs to see all traffic being transported over your Internet connection.
You should use extreme caution when deleting these objects: if one is removed without properly fixing the gap in the chain, you can lose Internet access.
Example Listing: O10 - Broken Internet access because of LSP provider 'spsublsp.dll' missing
Many Virus Scanners are starting to scan for Viruses, Trojans, etc. at the Winsock level. The problem is that many tend to not recreate the LSPs in the right order after deleting the offending LSP. This can cause HijackThis to see a problem and issue a warning, which may be similar to the example above, even though the Internet is indeed still working. You should therefore seek advice from an experienced user when fixing these errors. It is also advised that you use LSPFix, see link below, to fix these.
Spybot (http://www.safer-networking.org/) can generally fix these but make sure you get the latest version as the older ones had problems. There is a tool designed for this type of issue that would probably be better to use, called LSPFix (http://www.cexx.org/lspfix.htm). For a great list of LSPs and whether or not they are valid you can visit SystemLookup's LSP List Page (http://www.systemlookup.com/lists.php?list=9).
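As an added illustration of the "gap in the chain" problem (this is my example, not code from the tutorial, from HijackThis or from LSPFix), the Python below models the Winsock 2 catalog in a simplified form: each catalog entry names the DLL that implements it and a protocol chain of catalog entry ids that ends at a base provider. find_chain_gaps reports, in the style of the O10 line above, any chain whose provider DLL is gone from disk or that points at an entry which no longer exists, which is what a scanner leaves behind when it deletes the LSP file but not its catalog entries; remove_provider_and_repair shows the removal done properly, dropping the provider's entries and splicing its id out of every remaining chain. The catalog, its entry ids and the set of DLLs on disk are all constructed, and the wording of the "chain entry missing" line is mine.

```python
from dataclasses import dataclass
from typing import List, Set


@dataclass
class CatalogEntry:
    entry_id: int          # Winsock catalog entry id
    description: str
    provider_dll: str      # DLL that implements this entry
    chain: List[int]       # [own id] for a base provider; [layer id, ..., base id] for a chain


O10_PROVIDER_MISSING = "O10 - Broken Internet access because of LSP provider '{dll}' missing"
# Constructed wording; HijackThis' own text for this case is not on this page.
O10_ENTRY_MISSING = "O10 - Broken Internet access because of LSP chain entry {entry_id} missing"


def find_chain_gaps(catalog: List[CatalogEntry], dlls_on_disk: Set[str]) -> List[str]:
    """Walk every protocol chain and report hops that cannot be resolved: an entry id that
    is no longer in the catalog, or an entry whose provider DLL is not on disk."""
    by_id = {e.entry_id: e for e in catalog}
    present = {d.lower() for d in dlls_on_disk}
    findings = set()
    for entry in catalog:
        for hop in [entry.entry_id] + entry.chain:
            target = by_id.get(hop)
            if target is None:
                findings.add(O10_ENTRY_MISSING.format(entry_id=hop))
            elif target.provider_dll.lower() not in present:
                findings.add(O10_PROVIDER_MISSING.format(dll=target.provider_dll))
    return sorted(findings)


def remove_provider_and_repair(catalog: List[CatalogEntry], dll: str) -> List[CatalogEntry]:
    """Remove an LSP the safe way: drop every entry the DLL implements and splice those
    entry ids out of all remaining chains, so each chain still ends at a base provider."""
    removed = {e.entry_id for e in catalog if e.provider_dll.lower() == dll.lower()}
    repaired = []
    for e in catalog:
        if e.entry_id in removed:
            continue
        repaired.append(CatalogEntry(e.entry_id, e.description, e.provider_dll,
                                     [hop for hop in e.chain if hop not in removed]))
    return repaired


# Constructed catalog: two Microsoft base providers plus an LSP named after the example
# listing above, layered over both of them.
SAMPLE_CATALOG = [
    CatalogEntry(1001, "MSAFD Tcpip [TCP/IP]", "mswsock.dll", [1001]),
    CatalogEntry(1002, "MSAFD Tcpip [UDP/IP]", "mswsock.dll", [1002]),
    CatalogEntry(1003, "spsublsp layered provider", "spsublsp.dll", [1003]),
    CatalogEntry(1004, "MSAFD Tcpip [TCP/IP] over spsublsp", "spsublsp.dll", [1003, 1001]),
    CatalogEntry(1005, "MSAFD Tcpip [UDP/IP] over spsublsp", "spsublsp.dll", [1003, 1002]),
]

if __name__ == "__main__":
    # 1. A scanner deleted spsublsp.dll but left its catalog entries behind.
    print(find_chain_gaps(SAMPLE_CATALOG, {"mswsock.dll"}))
    # 2. Only the layered provider's own entry was deleted; the chains still point at it.
    half_removed = [e for e in SAMPLE_CATALOG if e.entry_id != 1003]
    print(find_chain_gaps(half_removed, {"mswsock.dll", "spsublsp.dll"}))
    # 3. Proper removal: entries gone and chains spliced, so nothing is reported.
    print(find_chain_gaps(remove_provider_and_repair(SAMPLE_CATALOG, "spsublsp.dll"), {"mswsock.dll"}))
```

Scenarios 1 and 2 are the two ways a half-done removal leaves the chain broken; scenario 3 is what a repair tool has to achieve before the base providers are reachable again.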
O11 Section
This section corresponds to a non-default option group that has been added to the Advanced Options Tab in Internet Options on IE.
If you look in your Internet Options for Internet Explorer you will see an Advanced Options tab. It is possible to add an entry under a registry key so that a new group would appear there.
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions
Example Listing: O11 - Options group: [CommonName] CommonName
According to Merijn, of HijackThis, there is only one known Hijacker that uses this and it is CommonName. If you see CommonName in the listing you can safely remove it. If it is another entry, you should Google to do some research.
O12 Section
This section corresponds to Internet Explorer Plugins.
Internet Explorer Plugins are pieces of software that get loaded when Internet Explorer starts to add functionality to
the browser. There are many legitimate plugins available such as PDF viewing and non-standard image viewers.
Registry key: HKEY_LOCAL_MACHINE\software\microsoft\internet explorer\plugins
Example Listing: O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
Most plugins are legitimate, so you should definitely Google the ones you do not recognize before you delete them. One known plugin that you should delete is the Onflow plugin that has the extension of .OFB.
When you fix these types of entries with HijackThis, HijackThis will attempt to delete the offending file listed. There are times that the file may be in use even if Internet Explorer is shut down. If the file still exists after you fix it with HijackThis, it is recommended that you reboot into safe mode and delete the offending file.
O13 Section
This section corresponds to an IE DefaultPrefix hijack.
The default prefix is a setting on Windows that specifies how URLs that you enter without a preceding http://, ftp://, etc. are handled. By default Windows will attach http:// to the beginning, as that is the default Windows Prefix. It is possible to change this to a default prefix of your choice by editing the registry. The Hijacker known as CoolWebSearch does this by changing the default prefix to http://ehttp.cc/? . That means when you connect to a URL, such as www.google.com, you will actually be going to http://ehttp.cc/?www.google.com, which is actually the web site for CoolWebSearch.
Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix\
Example Listing: O13 - WWW. Prefix: http://ehttp.cc/?
If you are experiencing problems similar to the one in the example above, you should run CWShredder. This program is used to remove all the known varieties of CoolWebSearch that may be on your machine. You can read a tutorial on how to use CWShredder here:
How to remove CoolWebSearch with CoolWeb Shredder (http://www.bleepingcomputer.com/tutorials/remove-coolwebsearch-with-cwshredder/)
If CWShredder does not find and fix the problem, you should always let HijackThis fix this entry when it is found.
O14 Section
This section corresponds to a 'Reset Web Settings' hijack.
There is a file on your computer that Internet Explorer uses when you reset options back to their Windows default. That file is stored in c:\windows\inf\iereset.inf and contains all the default settings that will be used. When you reset a setting, it will read that file and change the particular setting to what is stated in the file. If a Hijacker changes the information in that file, then you will get reinfected when you reset that setting, as it will read the incorrect information from the iereset.inf file.
Example Listing: O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com
Please be aware that it is possible for this setting to have been legitimately changed by a Computer Manufacturer or the Administrator of the machine. If you do not recognize the address, then you should have it fixed.
O15 Section
This section corresponds to sites or IP addresses in the Internet Explorer Trusted Zone and Protocol Defaults.
Trusted Zone
Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone. There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge, as these sites will be in the Trusted Zone.
Registry Keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges
Example Listing:
O15 - Trusted Zone: http://www.bleepingcomputer.com
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
Which key, Domains or Ranges, is used by Internet Explorer is determined by the URL that the user is trying to reach. If the URL contains a domain name then it will search in the Domains subkeys for a match. If it contains an IP address it will search the Ranges subkeys for a match. When domains are added as a Trusted Site or Restricted Site they are assigned a value to signify that. If they are assigned a *=4 value, that domain will be entered into the Restricted Sites zone. If they are given a *=2 value, then that domain will be added to the Trusted Sites zone.
Adding an IP address works a bit differently. Under the SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges key you may find other keys called Ranges1, Ranges2, Ranges3, Ranges4,... Each of these subkeys corresponds to a particular security zone/protocol. If you add an IP address to a security zone, Windows will create a subkey starting with Ranges1 and designate that subkey as the one that will contain all IP addresses of a particular security zone for a particular protocol. For example, if you added http://192.168.1.1 as a trusted site, Windows would create the first available Ranges key (Ranges1) and add a value of http=2. Any future trusted http:// IP addresses will be added to the Ranges1 key. Now if you added an IP address to the Restricted sites using the http protocol (i.e. http://192.16.1.10), Windows would create another key in sequential order, called Ranges2. This would have a value of http=4 and any future IP addresses added to the restricted sites will be placed in that key. This continues on for each protocol and security zone setting combination.
If you ever see any domains or IP addresses listed here you should generally remove them unless it is a recognizable URL such as one your company uses. The most common listing you will find here is free.aol.com, which you can have fixed if you want. I personally remove all entries from the Trusted Zone as they are ultimately unnecessary to be there.
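To show the Domains-versus-Ranges lookup and the *=2 / http=4 value convention in running code, here is an added Python example (mine, not part of the tutorial) that models both ZoneMap keys as dictionaries, resolves a URL to its zone number the way the paragraph above describes (an IP host is looked up in the Ranges subkeys through their :Range value, a domain name in the Domains subkeys, most specific host first, by protocol name or '*'), and renders everything in the Trusted zone as O15-style lines. The zone numbers follow the table in the ProtocolDefaults subsection that follows. The registry contents, the example-bad.test Restricted entry and the fall-back to the Internet zone (3) when nothing matches are constructed assumptions; the real IE lookup has extra Intranet heuristics that are not modelled here.

```python
import ipaddress
from typing import Dict, List
from urllib.parse import urlsplit

# Zone numbers from the ProtocolDefaults table of this tutorial.
ZONES = {0: "My Computer", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}
TRUSTED, INTERNET, RESTRICTED = 2, 3, 4

# Domains key modelled as {domain: {host subkey or "": {protocol value name: zone}}}.
# Ranges key modelled as {"RangesN": {":Range": "ip" or "ip-ip", protocol: zone}}.
# All contents are constructed; example-bad.test is an invented Restricted entry.
SAMPLE_DOMAINS = {
    "bleepingcomputer.com": {"www": {"http": 2}},
    "aol.com": {"free": {"*": 2}},
    "example-bad.test": {"": {"*": 4}},
}
SAMPLE_RANGES = {
    "Ranges1": {":Range": "206.161.125.149", "http": 2},
    "Ranges2": {":Range": "192.168.1.10-192.168.1.20", "http": 4},
}


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _ip_in_range(host: str, spec: str) -> bool:
    """spec is a single address or 'first-last' as stored in a :Range value."""
    lo, _, hi = spec.partition("-")
    return ipaddress.ip_address(lo) <= ipaddress.ip_address(host) <= ipaddress.ip_address(hi or lo)


def zone_for_url(url: str, domains: Dict, ranges: Dict) -> int:
    """Resolve a URL to its zone number. IP hosts go through the Ranges subkeys, domain
    names through the Domains subkeys (exact host subkey before the whole-domain entry);
    a protocol-specific value wins over '*'. Assumption: no match means the Internet zone."""
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), (parts.hostname or "").lower()
    if _is_ip(host):
        for subkey in ranges.values():
            spec = subkey.get(":Range")
            if spec and _ip_in_range(host, spec):
                for proto in (scheme, "*"):
                    if proto in subkey:
                        return subkey[proto]
        return INTERNET
    labels = host.split(".")
    for i in range(len(labels) - 1):
        domain, sub = ".".join(labels[i:]), ".".join(labels[:i])
        hosts = domains.get(domain)
        if hosts is None:
            continue
        for candidate in (sub, ""):
            for proto in (scheme, "*"):
                if candidate in hosts and proto in hosts[candidate]:
                    return hosts[candidate][proto]
    return INTERNET


def o15_lines(domains: Dict, ranges: Dict, hive: str = "HKCU") -> List[str]:
    """Render the Trusted-zone contents the way the O15 examples above look (my
    approximation of the format; '(HKLM)' marks the machine-wide key)."""
    suffix = " (HKLM)" if hive == "HKLM" else ""
    lines = []
    for domain, hosts in domains.items():
        for sub, protos in hosts.items():
            fqdn = f"{sub}.{domain}" if sub else domain
            for proto, zone in protos.items():
                if zone == TRUSTED:
                    target = fqdn if proto == "*" else f"{proto}://{fqdn}"
                    lines.append(f"O15 - Trusted Zone: {target}{suffix}")
    for subkey in ranges.values():
        spec = subkey.get(":Range")
        if spec and any(z == TRUSTED for p, z in subkey.items() if p != ":Range"):
            lines.append(f"O15 - Trusted IP range: {spec}{suffix}")
    return lines


if __name__ == "__main__":
    for line in o15_lines(SAMPLE_DOMAINS, SAMPLE_RANGES, hive="HKLM"):
        print(line)
    for url in ("http://www.bleepingcomputer.com", "https://www.bleepingcomputer.com",
                "http://free.aol.com", "http://www.example-bad.test",
                "http://206.161.125.149", "http://192.168.1.15", "http://10.0.0.1"):
        print(f"{url:<40} zone: {ZONES[zone_for_url(url, SAMPLE_DOMAINS, SAMPLE_RANGES)]}")
```

Note how https://www.bleepingcomputer.com lands in the Internet zone even though the http entry is Trusted: the value name is the protocol, so a per-protocol entry only covers that protocol, exactly as the Ranges1/Ranges2 example describes for IP addresses.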
ProtocolDefaults
When you use IE to connect to a site, the security permissions that are granted to that site are determined by the Zone it is in. There are 5 zones with each being associated with a specific identifying number. These zones with their associated numbers are:
Zone          Zone Mapping
My Computer   0
Intranet      1
Trusted       2
Internet      3
Restricted    4
Each of the protocols that you use to connect to a site, such as HTTP, FTP, HTTPS, are then mapped to one of these