HJT Tutorial - DO NOT POST HIJACKTHIS LOGS

Discussion in 'Malware Removal FAQ' started by Major Attitude, Aug 1, 2004.

Thread Status:
Not open for further replies.
  1. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Special notes about posting HijackThis log files on MajorGeeks.Com

    Note: This is not a HijackThis log reading forum. It is a malware cleaning forum, and there is much more to cleaning malware than just HijackThis.

    Malware cannot be completely removed just by seeing a HijackThis log. If you need our help to remove malware DO NOT simply post a HijackThis log which will be deleted. You must follow the instructions in the below link.

    READ & RUN ME FIRST Before Asking for Support

    You will notice that no where in this procedure does it ask you to attach a HijackThis log. This is because it is embedded within our procedures. When you follow them properly, a HijackThis log will automatically be obtained from a properly installed HijackThis progam. And the log will be put into a MGlogs.zip file with a few other required logs. This MGlogs.zip will then be attached to a message. This in all explained in the READ ME.


    Below this point is a tutorial about HijackThis. This is not meant for novices. And it does not mean that
    you should run HijackThis and attach a log. It is a reference for intermediate to advanced users.
    -------------------------------------------------------------------------------------------------------------------------

    From this point on the information being presented is meant for those wishing to learn more about what HijackThis is showing you and how to analyze logs yourself. It is not really meant for novices. It is meant to be more educational for intermediate to advanced PC users.

    Below explains what each section means and each of these sections are broken down with examples to help you understand what is safe and what should be removed. Optionally these online analyzers Help2Go Detective and Hijack This analysis do a fair job of figuring out many potential problems for you. Simply paste your logfile there and click analyze. But please note they are far from perfect and should be used with extreme caution!!!

    The below information was originated from Merijn's official tutorial to using Hijack This. Merjin's link no longer exists since TrendMicro now owns HijackThis.

    --------------------------------------------------------------------------

    Official Hijack This Tutorial:

    --------------------------------------------------------------------------

    Each line in a HijackThis log starts with a section name, for example;

    R0, R1, R2, R3 - Internet Explorer Start/Search pages URLs
    F0, F1, F2, F3 - Autoloading programs
    N1, N2, N3, N4 - Netscape/Mozilla Start/Search pages URLs
    O1 - Hosts file redirection
    O2 - Browser Helper Objects
    O3 - Internet Explorer toolbars
    O4 - Autoloading programs from Registry
    O5 - IE Options icon not visible in Control Panel
    O6 - IE Options access restricted by Administrator
    O7 - Regedit access restricted by Administrator
    O8 - Extra items in IE right-click menu
    O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu
    O10 - Winsock hijacker
    O11 - Extra group in IE 'Advanced Options' window
    O12 - IE plugins
    O13 - IE DefaultPrefix hijack
    O14 - 'Reset Web Settings' hijack
    O15 - Unwanted site in Trusted Zone
    O16 - ActiveX Objects (aka Downloaded Program Files)
    O17 - Lop.com domain hijackers
    O18 - Extra protocols and protocol hijackers
    O19 - User style sheet hijack
    O20 - AppInit_DLLs Registry value autorun
    O21 - ShellServiceObjectDelayLoad Registry key autorun
    O22 - SharedTaskScheduler Registry key autorun
    O23 - Windows NT Services
    O24 - Windows Active Desktop Components

    --------------------------------------------------------------------------

    R0, R1, R2, R3 - IE Start & Search pages

    What it looks like:

    What to do:
    If you recognize the URL at the end as your homepage or search engine, it's OK. If you don't, check it and have HijackThis fix it.
    For the R3 items, always fix them unless it mentions a program you recognize, like Copernic.

    --------------------------------------------------------------------------


    F0, F1, F2, F3 - Autoloading programs from INI files

    What it looks like:

    What to do:
    • F0 entries - Any program listed after the shell statement will be loaded when Windows starts, and act as the default shell. If you see anything more than just explorer.exe, you need to determine if you know what the additional entry is. If you did not install some alternative shell, you need to fix this.
    • F1 entries - Any programs listed after the run= or load= will load when Windows starts. These can be either valid or bad. You need to determine which.
    • F2 entries - The Shell registry value is equivalent to the function of the Shell= in the system.ini file as described above. The Userinit= value specifies what program should be launched right after a user logs into Windows. The F2 entry will only show in HijackThis if something unknown is found. This does not necessarily mean it is bad, but in most cases, it will be malware. You need to investigate what you see. The below registry key\\values are used:
      • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit
      • HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
    • F3 entries - This is a registry equivalent of the F1 entry above. The F3 entry will only show in HijackThis if something unknown is found. This does not necessarily mean it is bad, but in most cases, it will be malware. You need to investigate what you see. The below registry key\\values are used:
      • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\\load
      • HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\\run
    --------------------------------------------------------------------------

    N1, N2, N3, N4 - Netscape/Mozilla Start & Search page

    What it looks like:

    What to do:
    Usually the Netscape and Mozilla homepage and search page are safe. They rarely get hijacked, only Lop.com has been known to do this. Should you see an URL you don't recognize as your homepage or search page, have HijackThis fix it.

    --------------------------------------------------------------------------

    O1 - Hostsfile redirections

    What it looks like:

    What to do:
    This hijack will redirect the address to the right to the IP address to the left. If the IP does not belong to the address, you will be redirected to a wrong site everytime you enter the address. You can always have HijackThis fix these, unless you knowingly put those lines in your Hosts file.
    The last item sometimes occurs on Windows 2000/XP with a Coolwebsearch infection. Always fix this item, or have CWShredder repair it automatically.

    --------------------------------------------------------------------------

    O2 - Browser Helper Objects

    What it looks like:

    What to do:
    If you don't directly recognize a Browser Helper Object's name, use CLSID database to find it by the class ID (CLSID, the number between curly brackets) and see if it's good or bad. In the BHO List, 'X' means spyware and 'L' means safe.

    --------------------------------------------------------------------------

    O3 - IE toolbars

    What it looks like:

    What to do:
    If you don't directly recognize a toolbar's name, use CLSID database to find it by the class ID (CLSID, the number between curly brackets) and see if it's good or bad. In the Toolbar List, 'X' means spyware and 'L' means safe.
    If it's not on the list and the name seems a random string of characters and the file is in the 'Application Data' folder (like the last one in the examples above), it's probably Lop.com, and you definately should have HijackThis fix it.

    --------------------------------------------------------------------------

    O4 - Autoloading programs from Registry or Startup group

    What it looks like:

    What to do:
    Google the name of unknown processes. If the item shows a program sitting in a Startup group (like the last item above), HijackThis cannot fix the item if this program is still in memory. Use the Windows Task Manager (TASKMGR.EXE) to close the process prior to fixing.

    --------------------------------------------------------------------------

    O5 - IE Options not visible in Control Panel

    What it looks like:

    What to do:
    Unless you or your system administrator have knowingly hidden the icon from Control Panel, have HijackThis fix it.

    --------------------------------------------------------------------------

    O6 - IE Options access restricted by Administrator

    What it looks like:

    What to do:
    Unless you have the Spybot S&D option 'Lock homepage from changes' active, or your system administrator put this into place, have HijackThis fix this.

    --------------------------------------------------------------------------

    O7 - Regedit access restricted by Administrator

    What it looks like:

    What to do:
    Always have HijackThis fix this, unless your system administrator has put this restriction into place.

    --------------------------------------------------------------------------

    O8 - Extra items in IE right-click menu

    What it looks like:

    What to do:
    If you don't recognize the name of the item in the right-click menu in IE, have HijackThis fix it.

    --------------------------------------------------------------------------

    O9 - Extra buttons on main IE toolbar, or extra items in IE 'Tools' menu

    What it looks like:

    What to do:

    If you don't recognize the name of the button or menuitem, have HijackThis fix it.

    --------------------------------------------------------------------------

    O10 - Winsock hijackers

    What it looks like:

    What to do:

    It's best to fix these using LSPFix from Cexx.org, or Spybot S&D from Kolla.de.
    Note that 'unknown' files in the LSP stack will not be fixed by HijackThis, for safety issues.

    --------------------------------------------------------------------------

    O11 - Extra group in IE 'Advanced Options' window

    What it looks like:

    What to do:

    The only hijacker as of now that adds its own options group to the IE Advanced Options window is CommonName. So you can always have HijackThis fix this.

    --------------------------------------------------------------------------

    O12 - IE plugins

    What it looks like:

    What to do:

    Most of the time these are safe. Only OnFlow adds a plugin here that you don't want (.ofb).

    --------------------------------------------------------------------------

    O13 - IE DefaultPrefix hijack

    What it looks like:

    What to do:

    These are always bad. Have HijackThis fix them.

    --------------------------------------------------------------------------

    O14 - 'Reset Web Settings' hijack

    What it looks like:

    What to do:

    If the URL is not the provider of your computer or your ISP, have HijackThis fix it.

    --------------------------------------------------------------------------

    O15 - Unwanted sites in Trusted Zone

    What it looks like:

    What to do:

    Most of the time only AOL and Coolwebsearch silently add sites to the Trusted Zone. If you didn't add the listed domain to the Trusted Zone yourself, have HijackThis fix it.

    --------------------------------------------------------------------------

    O16 - ActiveX Objects (aka Downloaded Program Files)

    What it looks like:

    What to do:

    If you don't recognize the name of the object, or the URL it was downloaded from, have HijackThis fix it. If the name or URL contains words like 'dialer', 'casino', 'free_plugin' etc, definitely fix it.
    Javacool's SpywareBlaster has a huge database of malicious ActiveX objects that can be used for looking up CLSIDs. (Right-click the list to use the Find function.)

    --------------------------------------------------------------------------

    O17 - Lop.com domain hijacks

    What it looks like:

    What to do:

    If the domain is not from your ISP or company network, have HijackThis fix it. The same goes for the 'SearchList' entries.
    For the 'NameServer' (DNS servers) entries, Google for the IP or IPs and it will be easy to see if they are good or bad.

    --------------------------------------------------------------------------

    O18 - Extra protocols and protocol hijackers

    What it looks like:

    What to do:

    Only a few hijackers show up here. The known baddies are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar), you should have HijackThis fix those.
    Other things that show up are either not confirmed safe yet, or are hijacked (i.e. the CLSID has been changed) by spyware. In the last case, have HijackThis fix it.

    --------------------------------------------------------------------------

    O19 - User style sheet hijack

    What it looks like:

    What to do:

    In the case of a browser slowdown and frequent popups, have HijackThis fix this item if it shows up in the log. However, since only Coolwebsearch does this, it's better to use CWShredder to fix it.

    --------------------------------------------------------------------------
    O20 - AppInit_DLLs Registry value autorun

    What it looks like:

    What to do:
    This Registry value located at

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

    loads a DLL into memory when the user logs in, after which it stays in memory
    until logoff. Very few legitimate programs use it (Norton CleanSweep uses
    APITRAP.DLL), most often it is used by trojans or agressive browser hijackers.

    In case of a 'hidden' DLL loading from this Registry value (only visible when
    using 'Edit Binary Data' option in Regedit) the dll name may be prefixed with
    a pipe '|' to make it visible in the log.

    --------------------------------------------------------------------------
    O21 - ShellServiceObjectDelayLoad Registry key autorun

    What it looks like:
    What to do:
    This is an undocumented autorun method, normally used by a few Windows system
    components. Items listed at

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
    ShellServiceObjectDelayLoad

    are loaded by Explorer when Windows starts. HijackThis uses a whitelist
    of several very common SSODL items, so whenever an item is displayed in
    the log it is unknown and possibly malicious. Treat with extreme care.

    --------------------------------------------------------------------------
    O22 - SharedTaskScheduler Registry key autorun

    What it looks like:
    What to do:
    This is an undocumented autorun for Windows NT/2000/XP only, which
    is used very rarely. So far only CWS.Smartfinder uses it. Treat with care.

    --------------------------------------------------------------------------
    O23 - Windows NT Services

    What it looks like:
    What to do:
    --------------------------------------------------------------------------

    O24 - Windows Active Desktop Components

    Active Desktop Components are local or remote html files that are embedded directly onto your desktop as a background. SmitFraud infections commonly use this method to embed messages, pictures, or web pages directly on to a user's Active Desktop to display fake security warnings as the Desktop background. There are hundreds of rogue anti-spyware programs that have used this method of displaying fake security warnings. New infections appear frequently.

    What it may look like:

    The registry key associated with Active Desktop Components is:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components
    Each specific component is then listed as a numeric subkey of the above Key starting with the number 0. For example:
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2

    What to do:

    If you did not add these Active Desktop Components yourself, you should run a good anti-spyware removal program and also remove these numeric subkeys if they still exist afterwards.
     
    Last edited by a moderator: Mar 12, 2009
Thread Status:
Not open for further replies.

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds