How to Analyze HijackThis Logs
HijackThis is written specifically to detect and remove browser hijacks: software that takes over your web browser, alters your default home page and search engine, and does other malicious things. Unlike typical anti-spyware software, HijackThis does not use signatures and does not target specific programs or URLs. Instead it enumerates the places malware uses to take over a system and redirect the browser (start-page and search-page Registry values, the Hosts file, Browser Helper Objects, autostart entries, Winsock LSPs, services and so on) and lists whatever it finds there, good or bad.
Not everything that shows up in the HijackThis logs is bad stuff and it should not all be removed. In fact, quite the opposite. It is almost guaranteed that some of the items in your HijackThis logs will be legitimate software and removing those items may adversely impact your system or render it completely inoperable. Using HijackThis is a lot like editing the Windows Registry yourself. It is not rocket science, but you should definitely not do it without some expert guidance unless you really know what you are doing.
Once you install HijackThis and run it to generate a log file, there are a wide variety of forums and sites where you can post or upload your log data. Experts who know what to look for can then help you analyze the log data and advise you on which items to remove and which ones to leave alone. One of the best places to go is the official HijackThis forums at SpywareInfo. The HijackThis web site also has a comprehensive listing of sites and forums that can help you out.
To download the current version of HijackThis, you can visit any of these sites:
Here is an overview of the HijackThis log entries, grouped by the section prefix (R, F, N, O1 to O23) that starts each log line.
R0, R1, R2, R3 (Internet Explorer start and search page URLs) - What to do:
If you recognize the URL at the end as your home page or search engine, it's OK. If you don't, check it and have HijackThis fix it. For the R3 items (the URLSearchHook), always fix them unless the entry names a program you recognize, such as Copernic.
F0, F1 (programs autoloaded from system.ini and win.ini) - What to do:
The F0 items are always bad, so fix them.
N1, N2, N3, N4 (Netscape and Mozilla start and search page URLs) - What to do:
Usually the Netscape and Mozilla home page and search page are safe. They rarely get hijacked; only Lop.com has been known to do this. Should you see a URL you don't recognize as your home page or search page, have HijackThis fix it.
O1 (Hosts file redirections) - What to do:
A Hosts file entry maps the host name on the right to the IP address on the left, and Windows consults the Hosts file before it asks DNS, so if the IP does not belong to that host you are sent to the wrong site every time you enter the address. You can always have HijackThis fix these, unless you knowingly put those lines in your Hosts file yourself (for example to block ad servers by pointing them at 127.0.0.1).
An O1 entry reporting that the Hosts file has been moved out of its default location sometimes occurs on Windows 2000/XP with a CoolWebSearch infection. Always fix this item, or have CWShredder repair it automatically.
O2 (Browser Helper Objects) - What to do:
If you don't directly recognize a Browser Helper Object's name, use TonyK's BHO & Toolbar List to find it by its class ID (the CLSID, the number between curly brackets) and see if it's good or bad. In the BHO List, 'X' means spyware and 'L' means safe.
O3 (Internet Explorer toolbars) - What to do:
If you don't directly recognize a toolbar's name, use TonyK's BHO & Toolbar List to find it by its class ID (the CLSID, the number between curly brackets) and see if it's good or bad. In the Toolbar List, 'X' means spyware and 'L' means safe. If it's not on the list, the name looks like a random string of characters and the file sits in the 'Application Data' folder, it's probably Lop.com, and you should definitely have HijackThis fix it.
O4 (programs autostarted from the Registry and the Startup folders) - What to do:
Use PacMan's Startup List to find the entry and see if it's good or bad.
If the item shows a program sitting in a Startup group (an 'O4 - Startup:' or 'O4 - Global Startup:' entry), HijackThis cannot fix the item while that program is still running. Use the Windows Task Manager (TASKMGR.EXE) to end the process before fixing.
O5 (Internet Options icon hidden from Control Panel) - What to do:
Unless you or your system administrator have knowingly hidden the icon from Control Panel, have HijackThis fix it.
O6 (Internet Options access restricted by policy) - What to do:
Unless you have the Spybot S&D option 'Lock homepage from changes' active, or your system administrator put this restriction in place, have HijackThis fix this.
O7 (Regedit access restricted by policy) - What to do:
Always have HijackThis fix this, unless your system administrator has put this restriction in place.
O8 (extra items in the Internet Explorer right-click menu) - What to do:
If you don't recognize the name of the item in the IE right-click menu, have HijackThis fix it.
O9 (extra buttons on the IE toolbar, or extra items in the IE Tools menu) - What to do:
If you don't recognize the name of the button or menu item, have HijackThis fix it.
O10 (Winsock hijackers, Layered Service Providers) - What to do:
It's best to fix these using LSPFix from Cexx.org, or Spybot S&D from Kolla.de. Note that 'unknown' files in the LSP stack will not be fixed by HijackThis, for safety reasons: removing an LSP entry incorrectly breaks the Winsock chain and can leave the machine without any network access.
O11 (extra group in the IE 'Advanced Options' window) - What to do:
The only hijacker as of now that adds its own options group to the IE Advanced Options window is CommonName, so you can always have HijackThis fix this.
O12 (Internet Explorer plugins) - What to do:
Most of the time these are safe. Only OnFlow adds a plugin here that you don't want (.ofb).
O13 (IE DefaultPrefix hijack) - What to do:
The DefaultPrefix is what IE puts in front of an address typed without a protocol (such as 'www.example.com'), so a hijacked prefix routes every such address through the hijacker's site. These are always bad. Have HijackThis fix them.
O14 ('Reset Web Settings' hijack) - What to do:
If the URL is not that of your computer's manufacturer or your ISP, have HijackThis fix it.
O15 (unwanted sites in the Trusted Zone) - What to do:
Most of the time only AOL and CoolWebSearch silently add sites to the Trusted Zone. If you didn't add the listed domain to the Trusted Zone yourself, have HijackThis fix it.
O16 (ActiveX objects, also known as Downloaded Program Files) - What to do:
If you don't recognize the name of the object, or the URL it was downloaded from, have HijackThis fix it. If the name or URL contains words like 'dialer', 'casino', 'free_plugin' etc., definitely fix it. Javacool's SpywareBlaster has a huge database of malicious ActiveX objects that can be used for looking up CLSIDs. (Right-click the list to use the Find function.)
O17 (Lop.com domain hijacks) - What to do:
If the domain is not from your ISP or company network, have HijackThis fix it. The same goes for the 'SearchList' entries. For the 'NameServer' (DNS servers) entries, look up the IP or IPs (a web search or a whois lookup of the address) and it will be easy to see whether they are good or bad; a DNS server you don't recognize can redirect every name lookup the machine makes.
O18 (extra protocols and protocol hijackers) - What to do:
Only a few hijackers show up here. The known baddies are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar); you should have HijackThis fix those. Other things that show up are either not confirmed safe yet, or are hijacked (i.e. the CLSID has been changed) by spyware. In the latter case, have HijackThis fix it.
O19 (user style sheet hijack) - What to do:
In the case of a browser slowdown and frequent popups, have HijackThis fix this item if it shows up in the log. However, since only CoolWebSearch does this, it's better to use CWShredder to fix it.
O20 (AppInit_DLLs Registry value autorun) - What to do:
The AppInit_DLLs value at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows names DLLs that Windows loads into every process that loads user32.dll, which on a desktop means almost every program from logon until logoff. Very few legitimate programs use it (Norton CleanSweep uses APITRAP.DLL); most often it is used by trojans or aggressive browser hijackers.
In the case of a 'hidden' DLL loading from this Registry value (only visible when using the 'Edit Binary Data' option in Regedit), the DLL name may be prefixed with a pipe '|' in the log to make it visible.
O21 (ShellServiceObjectDelayLoad Registry key autorun) - What to do:
This is an undocumented autorun method, normally used by a few Windows system components. Items listed at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad are loaded by Explorer when Windows starts. HijackThis uses a whitelist of several very common SSODL items, so whenever an item is displayed in the log it is unknown and possibly malicious. Treat with extreme care.
O22 (SharedTaskScheduler Registry key autorun) - What to do:
This is an undocumented autorun for Windows NT/2000/XP only, which is used very rarely. So far only CWS.Smartfinder uses it. Treat with care.
O23 (Windows NT services) - What to do:
This is the listing of non-Microsoft services. The list should be the same as the one you see in the Msconfig utility of Windows XP. Several trojan hijackers use a homemade service in addition to other startups to reinstall themselves. The full name is usually important-sounding, like 'Network Security Service', 'Workstation Logon Service' or 'Remote Procedure Call Helper', but the internal name (between brackets) is a string of garbage, like 'O?’ŽrtñåȲ$Ó'. The second part of the line is the owner of the file at the end, as seen in the file's properties.
Note that fixing an O23 item will only stop the service and disable it. The service needs to be deleted from the Registry manually or with another tool. In HijackThis 1.99.1 or higher, the button 'Delete NT Service' in the Misc Tools section can be used for this.
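To put the rules from the sections above into practice, here is an added example (not part of HijackThis, of the about.com article, or of thehotfix.net) that triages a constructed HijackThis 1.9x log in Python and applies the R0-R3, O1, O2/O3, O20, O21 and O23 rules described above. Assumptions: the 'tag - body' line layout follows HijackThis 1.9x logs; KNOWN_HOME_HOSTS stands for the pages you recognize as your own; CLSID_LIST is a local stand-in for TonyK's BHO & Toolbar List; the 'random name' heuristic is the author's own; every CLSID, IP address, host name and file path in the sample log is made up, apart from APITRAP.DLL and the garbage service name quoted above. A verdict of 'check' means a human still has to look the item up, exactly as the text advises.

```python
"""Triage a HijackThis 1.9x log with the rules from this how-to (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample log: every CLSID, IP, host, name and path is invented,
# except APITRAP.DLL and the garbage service name mentioned in the article.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example-hijack.test/
R3 - Default URLSearchHook is missing
O1 - Hosts: 192.0.2.10 www.google.com
O1 - Hosts: 127.0.0.1 ads.example.test
O2 - BHO: (no name) - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Vendor\helper.dll
O2 - BHO: (no name) - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\WINDOWS\system32\xyqtrzp.dll
O3 - Toolbar: qwzrtpk - {99999999-8888-7777-6666-555555555555} - C:\Documents and Settings\user\Application Data\qwzrtpk.dll
O20 - AppInit_DLLs: APITRAP.DLL
O20 - AppInit_DLLs: |C:\WINDOWS\system32\hidden.dll
O21 - SSODL: Xyzzy - {12121212-3434-5656-7878-909090909090} - C:\WINDOWS\system32\xyzzy.dll
O23 - Service: Network Security Service (O?’ŽrtñåȲ$Ó) - Unknown owner - C:\WINDOWS\svchost.exe
O23 - Service: Vendor Update Service (VendorUpd) - Vendor Inc. - C:\Program Files\Vendor\update.exe
"""

KNOWN_HOME_HOSTS = {"www.google.com"}        # assumption: start/search pages you recognise
CLSID_LIST = {                                # assumption: local stand-in for TonyK's list
    "{11111111-2222-3333-4444-555555555555}": "L",   # L = safe
    "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}": "X",   # X = spyware
}
KNOWN_APPINIT_DLLS = {"APITRAP.DLL"}          # the one legitimate user the article names
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}    # typical of a user's own ad-blocking Hosts file
CLSID_RE = r"(\{[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}\})"


def looks_random(name: str) -> bool:
    """Heuristic (author's own) for 'a random string of characters': almost no vowels."""
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 5 and sum(c in "aeiou" for c in letters) / len(letters) < 0.2


def triage_line(line: str):
    """Return (section, verdict, reason); verdict is 'ok', 'fix' or 'check'."""
    section, _, body = line.partition(" - ")
    if section in ("R0", "R1", "R2"):
        if "=" not in body:
            return section, "check", "could not parse start/search page line"
        host = urlparse(body.split("=", 1)[1].strip()).hostname
        verdict = "ok" if host in KNOWN_HOME_HOSTS else "fix"
        return section, verdict, f"start/search page host {host}"
    if section == "R3":
        return section, "fix", "URLSearchHook: fix unless it names a program you know"
    if section == "O1":
        ip, host = body.split()[1:3]
        if ip in LOOPBACK:
            return section, "check", f"{host} blocked via {ip}; keep only if you added it"
        return section, "fix", f"{host} redirected to {ip}; fix unless you added it"
    if section in ("O2", "O3"):
        m = re.match(r"\w+:\s+(.*?)\s+-\s+" + CLSID_RE + r"\s+-\s+(.*)", body)
        if not m:
            return section, "check", "could not parse BHO/toolbar line"
        name, clsid, path = m.groups()
        tag = CLSID_LIST.get(clsid.upper())
        if tag in ("L", "X"):
            return section, "ok" if tag == "L" else "fix", f"{clsid} listed as '{tag}'"
        if "application data" in path.lower() and looks_random(name):
            return section, "fix", f"unlisted random name '{name}' under Application Data (Lop.com pattern)"
        return section, "check", f"{clsid} not in the list; look it up before fixing"
    if section == "O20":
        value = body.split(":", 1)[1].strip()
        hidden = value.startswith("|")         # '|' prefix = hidden binary value, per the article
        dll = value.lstrip("|")
        if dll.upper() in KNOWN_APPINIT_DLLS:
            return section, "ok", f"{dll} is a known legitimate AppInit_DLLs entry"
        note = " (hidden value, visible only as binary data in Regedit)" if hidden else ""
        return section, "fix", f"AppInit_DLLs loads {dll}{note}"
    if section == "O21":
        return section, "check", "SSODL entry not on HijackThis's whitelist; unknown, possibly malicious"
    if section == "O23":
        m = re.match(r"Service:\s+(.*?)\s+\((.*?)\)\s+-\s+(.*?)\s+-\s+(.*)", body)
        if not m:
            return section, "check", "could not parse service line"
        display, internal, owner, path = m.groups()
        if not (internal.isascii() and internal.isprintable()):
            return section, "fix", f"'{display}' has a garbage internal name {internal!r}"
        if owner == "Unknown owner":
            return section, "check", f"'{display}' ({internal}) has no file owner; verify {path}"
        return section, "ok", f"'{display}' ({internal}) owned by {owner}"
    return section, "check", "no rule for this section in this example"


def triage_log(text: str):
    """Triage every non-empty log line; returns a list of (section, verdict, reason)."""
    return [triage_line(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for section, verdict, reason in triage_log(SAMPLE_LOG):
        print(f"{section:<4}{verdict:<6}{reason}")
```

Run it on a real log by replacing SAMPLE_LOG with the file's contents and filling KNOWN_HOME_HOSTS and CLSID_LIST from your own knowledge and the lookup lists named above; anything the script marks 'check' is exactly the kind of item the article says to post on a forum rather than fix blindly.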
Thanks to http://netsecurity.about.com/od/popupsandspyware/a/aahijackthis_4.htm for this how-to. Please take note that thehotfix.net bears no responsibility for any loss or damage caused by this how-to. All actions are taken at your own risk.