HijackThis

From CastleCopsWiki


General

HijackThis is an application developed by Merijn Bellekom.

HijackThis should be used only if your computer is still having problems after trying all methods of disinfection, including running anti-spyware programs. If you allow HijackThis to remove entries before using general cleaning tools, the malicious files may still be left on your computer and future cleaning tools may not be able to detect and remove them.

This is a basic guide meant to better help you understand what the log means. This is not meant as a replacement for asking for help, nor are we encouraging you to fix entries yourself if you are not an expert. If you suspect or know that you have Malware on your computer please go through the steps in our Malware_Removal_and_Prevention:_Overview.

CastleCops provides several databases that can help you understand your HijackThis log. They are linked in the relevant sections below.

If you would like to download a copy of Hijackthis please choose one of the following:

HijackThis Zipped Version

HijackThis Executable Version

Once you have your chosen version of HijackThis please follow the instructions on the Malware_Removal:_Reference_HijackThis_Log page.

R0, R1, R2, R3 - Internet Explorer Start/Search pages URLs

F0, F1, F2, F3 - Autoloading programs

N1, N2, N3, N4 - Netscape/Mozilla Start/Search pages URLs

O1 - Hosts file redirection

O2 - Browser Helper Objects

Browser helper objects, also known as BHOs, are plugins for Internet Explorer that extend its functionality. They are used by malware as well as by legitimate programs such as the Google Toolbar or Norton Antivirus, so research each O2 entry thoroughly before deciding to remove it.

CastleCops hosts a list of known CLSIDs associated with BHOs and toolbars:
CLSID List Database

Type in the CLSID (the string of hexadecimal digits between the curly braces) and you will get information on the BHO or toolbar.

When you fix an O2 entry, HijackThis attempts to delete the DLL it points to. The file may still be in use (loaded by a running process) even when every window except HijackThis is closed; if the deletion fails, boot into Safe Mode and delete the file manually.

O3 - Internet Explorer toolbars

Internet Explorer toolbars are the toolbars shown beneath the navigation bar and menu in Internet Explorer. They are used by malware as well as by legitimate programs, so research each O3 entry thoroughly before deciding to remove it.

CastleCops hosts a list of known CLSIDs associated with BHOs and toolbars:
CLSID List Database

Type in the CLSID (the string of hexadecimal digits between the curly braces) and you will get information on the BHO or toolbar.

When you fix O3 entries, HijackThis does not delete the file listed. Boot into Safe Mode and delete the offending file yourself.

O4 - Autoloading programs from Registry

StartUp List Database

O5 - IE Options icon not visible in Control Panel

An O5 entry is a sign that a piece of software (not always malicious) is trying to make it difficult for you to change your Internet Explorer settings. You can have HijackThis fix it unless the restriction is there intentionally, for example because of your administrator's policy or because Spybot Search and Destroy put it in place.

O6 - IE Options access restricted by Administrator

O7 - Regedit access restricted by Administrator

O8 - Extra items in IE right-click menu

O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu

Extra Internet Explorer Buttons List Database

O10 - Winsock hijacker

Layered Service Providers Database

O11 - Extra group in IE 'Advanced Options' window

O12 - IE plugins

O13 - IE DefaultPrefix hijack

O14 - 'Reset Web Settings' hijack

O15 - Unwanted site in Trusted Zone

O16 - ActiveX Objects (aka Downloaded Program Files)

ActiveX objects, also known as Downloaded Program Files, are programs downloaded from the web and stored on your computer. Their default storage folder is C:\Windows\Downloaded Program Files. They are also referenced in the registry by their CLSID (the long string of hexadecimal digits between the curly braces). As with most sections, many O16 entries are legitimate.

CastleCops hosts an O16 database:
ActiveX Objects (Downloaded Program Files) Database

You can also check suspicious O16 entries with a program called SpywareBlaster, which has an enormous database of ActiveX objects.

When you fix O16 entries with HijackThis, the corresponding files should be deleted from the hard drive. However, a file may still be in use even when every window except HijackThis is closed; if that happens, boot into Safe Mode and delete the offending file manually.
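The O2, O3 and O16 sections above all come down to the same step: pull the CLSID out of the log line and look it up. The following is an added example, not code from the CastleCops page or from HijackThis itself: a small Python parser for those three line types that extracts the CLSID, normalises its case so mixed-case CLSIDs match a database entry, and flags entries whose file is already gone. The sample log lines and the tiny KNOWN_GOOD list are constructed for the example (the two real CLSIDs in it are the ones commonly seen for Adobe Reader's AcroIEHelper.dll and Shockwave Flash, standing in for a database lookup); the "(no file)" marker is how HijackThis reports a missing DLL, though the exact wording varies between versions.

```python
"""Pull the CLSID out of HijackThis O2 (BHO), O3 (toolbar) and O16 (ActiveX)
log lines so it can be looked up in a CLSID / Downloaded Program Files database."""
import re
from typing import List, NamedTuple, Optional

# A CLSID as HijackThis prints it: {8-4-4-4-12 hex digits}. Vendors write the
# hex in mixed case, so the captured value is normalised to upper case.
CLSID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")
HEADER_RE = re.compile(r"^(O2|O3|O16) - (?:BHO|Toolbar|DPF): (.*)$")


class Entry(NamedTuple):
    section: str   # "O2", "O3" or "O16"
    name: str      # display name as printed in the log
    clsid: str     # upper-case CLSID without the braces
    target: str    # DLL path for O2/O3, download URL for O16


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an O2/O3/O16 line, None for any other line."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    c = CLSID_RE.search(rest)
    if not c:
        return None  # malformed: these sections always carry a CLSID
    clsid = c.group(1).upper()
    before, after = rest[:c.start()].strip(), rest[c.end():].strip()
    if section == "O16":
        # O16 - DPF: {CLSID} (Name) - URL
        nm = re.match(r"^\((.*?)\)\s+-\s+(.*)$", after)
        if not nm:
            return None
        name, target = nm.group(1), nm.group(2)
    else:
        # O2 - BHO: Name - {CLSID} - Path  (O3 - Toolbar: has the same shape)
        name, target = before.rstrip(" -"), after.lstrip("- ")
    return Entry(section, name, clsid, target)


def parse_log(text: str) -> List[Entry]:
    """Keep only the O2/O3/O16 entries of a whole log."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


# Constructed stand-in for a CLSID reference list. The two CLSIDs are the ones
# commonly seen for Adobe Reader's AcroIEHelper.dll and Shockwave Flash; a real
# triage would query the CastleCops CLSID and O16 databases linked on this page.
KNOWN_GOOD = {
    "06849E9F-C8D7-4D59-B87D-784B7D6BE0B3": "Adobe PDF Reader Link Helper",
    "D27CDB6E-AE6D-11CF-96B8-444553540000": "Shockwave Flash Object",
}


def triage(entry: Entry) -> str:
    """'orphaned' if the file is already gone, 'known-good: ...' if the CLSID is
    on the list, otherwise 'lookup: <CLSID>' to paste into the database."""
    if entry.target.lower().startswith(("(no file)", "(file missing)")):
        # HijackThis marks a missing DLL this way (wording varies by version);
        # the registry entry is a dangling reference and fixing it removes no file.
        return "orphaned"
    if entry.clsid in KNOWN_GOOD:
        return "known-good: " + KNOWN_GOOD[entry.clsid]
    return "lookup: " + entry.clsid


# Constructed sample lines in the shape HijackThis prints. The second and third
# CLSIDs and the example.com URL are made up for this example.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F1E2D3C-4B5A-4978-8E9F-0A1B2C3D4E5F} - (no file)
O3 - Toolbar: Example Toolbar - {6b0a1d3f-2e4c-4d5a-9f8b-7c6d5e4f3a2b} - C:\Program Files\Example\extoolbar.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.example.com/cabs/swflash.cab
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
"""

if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.section:<3} {e.clsid}  {triage(e):<45} {e.target}")
```

Lines from other sections (the O4 line in the sample) are ignored rather than mis-parsed, and an O2/O3/O16 line without a CLSID is rejected instead of guessed at. Entries reported as "orphaned" are the ones the O2 section above describes: the registry still points at a DLL that no longer exists, so fixing them only removes the dangling reference.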

O17 - Lop.com domain hijackers

O18 - Extra protocols and protocol hijackers

Extra Protocols and Protocol Hijackers

O19 - User style sheet hijack

O20 - AppInit_DLLs Registry value autorun

AppInit_DLLs and Winlogon Notify Database

O21 - ShellServiceObjectDelayLoad

ShellServiceObjectDelayLoad Database

O22 - SharedTaskScheduler

Shared Task Scheduler Database

O23 - Windows NT Services

Services are programs that Windows loads automatically at start-up. They run whether or not anyone logs into the computer, unlike a program launched from the Startup folder under All Programs. Some malware installs itself as a service for exactly that reason.

Note that most Microsoft services have been added to the whitelist, so they are not listed when you run HijackThis. If you want to see these services, start HijackThis from a command prompt with the following switch instead: hijackthis.exe /ihatewhitelists

When an O23 entry is fixed in HijackThis, the offending service's startup type is set to disabled and the service is stopped, and you are asked to reboot the computer. The service itself is not deleted from the registry, nor is the file it points to. Before you delete the service you need to know its service (key) name, which is shown in the text between the parentheses.

Three methods can be used to delete the service key itself:
1) Delete it with the SC command included in Windows XP. Type the following at a command prompt:
sc delete servicename
2) Use a registry (.reg) file to delete the offending service key.
3) HijackThis can also delete a service. Click Config, then Misc Tools, and press the "Delete an NT service.." button. When it opens, enter the service name and press OK.

Again, be careful when removing services as most of them are legitimate.

CastleCops hosts an O23 database:
List of Windows XP/NT Services Database
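As an added example (not code from the CastleCops page or from HijackThis), the Python below parses O23 lines, recovers the service key name from the parentheses as the section above describes, and lays out the three removal methods listed there, including the .reg file syntax that method 2 leaves unstated: a leading minus inside the bracketed key path deletes that key when the file is merged. The sample lines are constructed in the shape HijackThis 2.x prints (the third service is invented), and the folder check in needs_attention is this example's own rough heuristic, not anything the page or HijackThis does.

```python
"""Parse HijackThis O23 (Windows NT service) lines, recover the service key name
shown in parentheses, and lay out the three removal methods described above."""
import re
from typing import Dict, List, NamedTuple, Optional

# O23 - Service: <display name> (<key name>) - <company> - <image path>
# A display name may itself contain parentheses ("Intel(R) ..."), so the key
# name is the last parenthesised group before the " - " separator.
O23_RE = re.compile(r"^O23 - Service: (.*) \(([^()]+)\) - (.*?) - (.*)$")
FILE_MISSING_RE = re.compile(r"\s*\(file missing\)\s*$", re.IGNORECASE)


class Service(NamedTuple):
    display_name: str
    key_name: str      # the name sc.exe and the Services registry key use
    company: str
    image_path: str
    file_missing: bool


def parse_o23(line: str) -> Optional[Service]:
    """One O23 line -> Service, or None. Lines from older HijackThis versions
    that omit the parenthesised key name also return None: for those the key
    name has to be read from HKLM\\SYSTEM\\CurrentControlSet\\Services."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    display, key, company, path = m.groups()
    missing = bool(FILE_MISSING_RE.search(path))
    return Service(display, key, company, FILE_MISSING_RE.sub("", path), missing)


def parse_o23_log(text: str) -> List[Service]:
    return [s for s in map(parse_o23, text.splitlines()) if s is not None]


def needs_attention(svc: Service) -> List[str]:
    """Rough hints only (most services are legitimate, as the page says):
    missing image, no publisher, or an image outside the usual system folders.
    The folder check is this example's own heuristic and assumes a C: system drive."""
    hints = []
    if svc.file_missing:
        hints.append("image file missing (orphaned service entry)")
    if svc.company.lower() == "unknown owner":
        hints.append("no company/publisher information")
    low = svc.image_path.lower()
    if not low.startswith(("c:\\windows\\", "c:\\program files")):
        hints.append("image outside Windows / Program Files")
    return hints


REG_TEMPLATE = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[-HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\{key}]\r\n"
)


def removal_plan(svc: Service) -> Dict[str, object]:
    """The three methods from this page. 'sc' stops and disables first (what a
    HijackThis fix does) and then deletes; 'reg' is a .reg file whose leading
    '-' inside the brackets deletes the key when merged; 'hijackthis' is the
    Misc Tools path. Reboot after deleting, as HijackThis asks."""
    if not svc.key_name or re.search(r"[\\/]", svc.key_name):
        raise ValueError(f"not a valid service key name: {svc.key_name!r}")
    # sc.exe takes the name as a single argument: quote it if it has spaces.
    arg = f'"{svc.key_name}"' if " " in svc.key_name else svc.key_name
    return {
        "sc": [f"sc stop {arg}", f"sc config {arg} start= disabled", f"sc delete {arg}"],
        "reg": REG_TEMPLATE.format(key=svc.key_name),
        "hijackthis": f"Config > Misc Tools > Delete an NT service.. > {svc.key_name}",
    }


# Constructed sample lines in the shape HijackThis 2.x prints; the third
# service is invented for the example and "(file missing)" is how HijackThis
# marks an image path that no longer exists.
SAMPLE_O23 = r"""
O23 - Service: Ati HotKey Poller (Ati HotKey Poller) - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Intel(R) PROSet/Wireless Service (EvtEng) - Intel Corporation - C:\Program Files\Intel\WiFi\bin\EvtEng.exe
O23 - Service: Example Updater (exupdsvc) - Unknown owner - C:\Documents and Settings\User\Application Data\exupd.exe (file missing)
"""

if __name__ == "__main__":
    for s in parse_o23_log(SAMPLE_O23):
        print(s.key_name, needs_attention(s) or "no hints", removal_plan(s)["sc"][2])
```

Two details matter in practice: the key name, not the display name, is what sc.exe and the registry path need, and a key name with spaces (as in the first sample line) must be quoted on the command line or sc.exe will treat only the first word as the service name.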
