HijackThis tutorial

Table of contents.
Introduction
Installing HijackThis
Starting HijackThis for the first time
Scanning the system
Interpreting scan results
Eliminating threats
Using miscellaneous HijackThis tools
Conclusion

Introduction

HijackThis is a powerful security tool that finds practically all known malicious web browser plug-ins, toolbars and hijackers, harmful ActiveX controls, parasitic services and many other types of pests. HijackThis is not a common anti-spyware program. It is rather a special tool for deep system inspection, which finds infections that cannot be detected by other spyware removers. HijackThis doesn’t eliminate threats by itself. It requires advanced knowledge of operating systems and software and is quite difficult to use.

More information about HijackThis can be found on the official site.

The following guide will help you to master HijackThis.

Installing HijackThis

HijackThis is freeware. You can download and use it free of charge. HijackThis can be obtained from the official site. The most recent version (v1.99.1, released in February 2005) is about 250KB in size, so the download shouldn’t take more than a few seconds.

HijackThis doesn’t have an installer. It consists of a single executable file named HijackThis.exe, which comes packed in a ZIP archive. First of all you have to extract the executable into the folder where you would like HijackThis installed. This directory can reside practically anywhere, just don’t forget its location. Use standard Windows tools or a third-party archiver (WinZip, WinRAR or other) to extract the file into the preferred directory. Then you can create a desktop shortcut to HijackThis.exe. This will help you to start the program quickly.

Starting HijackThis for the first time

To start the program, open the folder containing the HijackThis.exe executable and double-click on it. You can also launch HijackThis by double-clicking on its desktop shortcut, if you created one earlier. Now the welcome screen should appear. It contains a short HijackThis description and links to often used program tools. It is not essential and simply duplicates program controls, so you should disable it at startup. Place a checkmark next to the Don’t show this frame again when I start HijackThis option (on Image 1 it is designated by the red box) and click on the None of the above, just start the program button (it is in the green box).


Image 1. Start the application

This will open main HijackThis screen.


Image 2. HijackThis main screen

Now you should configure the application. The configuration is very easy and involves changing only two options. Within the program’s main screen click on the Config button (on Image 2 it is designated by the green box). The Configuration screen will appear. Uncheck the Ignore non-standard but safe domains in IE (e.g. msn.com, microsoft.com) option (on Image 3 it is in the red box) and the Show intro frame at startup option (on Image 3 in the blue box). This will help to exclude safe entries from scan reports and apply the change made earlier. To return to the main screen click on the Back button (it is in the green box).


Image 3. Configure HijackThis

Scanning the system

To perform your first system scan, click on the Scan button located in the main HijackThis screen (on Image 1 it is designated by the red box). Your computer will be scanned for running malware, installed parasites, harmful scripts, and modified essential system and networking settings. Your web browser will be checked for hijackers, suspicious toolbars and malicious plug-ins. The system scan is fast and doesn’t take more than a few seconds. After it is over, HijackThis will display the results.

Analysing HijackThis reports is a difficult task, which is why you should save the scan log, so that you can examine it later (interpreting HijackThis scan results is described in the next section). Click on the Save log button (on Image 4 it is in the red box). The Save logfile dialog will appear, where you will have to select the log file location and choose a name for it. I suggest saving the file in the main HijackThis directory.


Image 4. Save the log

Interpreting scan results

HijackThis is not a user-friendly anti-spyware tool. It doesn’t remove parasites for you, so you should learn how to interpret its scan results. Simply deleting all detected objects is an extremely dangerous practice! HijackThis lists lots of legitimate objects, and blindly removing them all may corrupt installed software and even the entire system.

All detected objects are divided into 26 types. Each type has a unique name. For instance, it can be something like R0, O1, F1, O22, etc. Below is the complete list of HijackThis object types and their descriptions.

F0, F1, F2, F3 types

Items of these types are programs that run on every Windows startup. Such programs are loaded from the system.ini and win.ini configuration files or from the registry.

F0 items correspond to the Shell= option in the system.ini file. These items can be found only in Windows 95, 98 and Me operating systems. They are always dangerous and must be fixed.

F1 items correspond to the Run= or Load= options in the win.ini file. In most cases they belong to legitimate outdated software that requires them for backward compatibility. You should leave them alone, unless you know for sure that some of them are associated with malicious files.

F2 and F3 items are very similar to F0 and F1, but they are associated with programs loaded from the Windows registry. F2 and F3 items can be detected on Windows NT4, 2000 and XP systems. They can be related to both parasites and fully legitimate applications. You should search special Internet resources to find out which items are bad and have to be fixed. Do not fix objects whose purpose is unknown to you.

Example:
F0 – system.ini: Shell=[file name]
F1 – win.ini: Run=[file name]

R0, R1, R2, R3 types

Items of these types are the current Internet Explorer start and search pages. R0 is for Internet Explorer start and search pages. R1 is for IE search settings. R2 is not implemented yet. R3 is for so-called “search hooks”, i.e. Internet Explorer features that allow searching the web by using a keyword entered directly into the IE Address field.


Image 5. Example of R0, R1 and R3 items

R3 items always indicate malicious objects that need to be fixed. R0 and R1 items can be either malicious or legitimate. Fix them only if you don’t recognize the address shown in the entry. For instance, in the example on Image 5 you should fix the item marked with the red dot, because unlike the other items it contains an illegitimate site’s address.

N1, N2, N3, N4 types

Items of these types are the current start and search pages of the Netscape and Mozilla web browsers. N1 is for the Netscape 4 series, N2 for the Netscape 6 series, N3 for the Netscape 7 series and N4 for Mozilla products. In most cases you do not have to fix N1, N2, N3 or N4 entries. Netscape and Mozilla are safe programs and rarely get hijacked. The only parasite that affects them is the Lop.com hijacker, related to the domain of the same name. Nevertheless, if you see addresses you don’t know, let HijackThis fix them.

O1 type

This type is for Hosts file redirections. The Hosts file is a special system configuration file that contains mappings of hostnames to numeric IP addresses. By default it contains only one entry, 127.0.0.1 localhost, which allows you to use the localhost hostname for your computer instead of its numeric address. Some browser hijackers and spyware parasites add other entries to the file. For instance, if your Hosts file contained the entry 192.168.0.1 www.microsoft.com, you would be unable to access the official Microsoft web site. Instead your browser would be redirected to the 192.168.0.1 host, which has nothing in common with actual Microsoft resources.

Example:
O1 – Hosts: 172.16.5.134 www.bankofamerica.com

In most cases O1 items are harmful. The Hosts file shouldn’t contain additional redirection instructions. Let HijackThis fix these items.
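
The following is an added example, not code from the original tutorial, that shows what an O1 entry corresponds to on disk: it parses a constructed Windows Hosts file (sample content embedded below) and flags every mapping other than the default 127.0.0.1 localhost, printing each finding in the form HijackThis reports it.

```python
"""Audit a Windows Hosts file for the redirections HijackThis reports as O1 items.

Added example, not part of the original tutorial. The Hosts file format is
parsed (IP address, one or more hostnames, optional '#' comments) and every
mapping other than the default '127.0.0.1 localhost' is reported.
"""
import ipaddress

# Constructed sample Hosts file (not copied from a real machine).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
172.16.5.134    www.bankofamerica.com   # redirection from the tutorial's O1 example
192.168.0.1     www.microsoft.com microsoft.com
0.0.0.0         ads.example.test        # blocking entry, still a non-default line
"""

DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}


def parse_hosts(text):
    """Return (ip, hostname, line_number) for every hostname mapped in the file."""
    mappings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # strip comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                          # malformed line: Windows ignores it too
        for hostname in fields[1:]:           # one IP may map several names
            mappings.append((ip, hostname.lower(), lineno))
    return mappings


def find_redirections(text):
    """Return every mapping that is not the default localhost entry.

    Each finding carries the line HijackThis would print for it. Loopback and
    unspecified addresses are labelled 'block' so a reviewer can tell an ad
    blocking entry apart from a redirection to a foreign host.
    """
    findings = []
    for ip, hostname, lineno in parse_hosts(text):
        if (ip, hostname) in DEFAULT_ENTRIES:
            continue
        addr = ipaddress.ip_address(ip)
        kind = "block" if addr.is_loopback or addr.is_unspecified else "redirect"
        findings.append({"line": lineno, "ip": ip, "host": hostname, "kind": kind,
                         "hjt": f"O1 - Hosts: {ip} {hostname}"})
    return findings


if __name__ == "__main__":
    for item in find_redirections(SAMPLE_HOSTS):
        print(f"line {item['line']:>2}: {item['hjt']}  [{item['kind']}]")
```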

O2 type

This type covers Browser Helper Objects (BHOs). These objects are web browser plugins with certain functionality. They can be used by both legitimate and malicious programs, so you shouldn’t fix items whose purpose is unknown to you. I suggest searching special anti-spyware sites containing lists of known BHOs, related registry entries and files.


Image 6. Example of O2 items

On Image 6 you can see an example of O2 entries. The BHO marked with the red point is a malicious one that should be fixed. The other BHOs belong to the legitimate products Adobe Acrobat Reader and Google Toolbar.

O3 type

The O3 type corresponds to Internet Explorer toolbars. These are special browser plugins that extend IE functionality. Some of them provide Internet search services, link collections, embedded tools, etc. Toolbars can be absolutely legitimate or malicious. Many browser hijackers, spyware and adware programs install IE toolbars. Fix only those items whose purpose is known to you. If you are in doubt, search special anti-spyware resources that contain lists of known browser plugins, BHOs, related registry entries and files.


Image 7. Example of O3 items

In the example above you can see the O3 entry that corresponds to the fully legitimate Google Toolbar. It shouldn’t be removed. Fixing such an entry would corrupt the program it belongs to.

O4 type

This type is for programs that automatically run on every Windows startup. Such applications can be either fully legitimate software or dangerous parasites. HijackThis doesn’t show which items are malicious, so you have to decide yourself. Pay attention to program paths and file names. If you don’t recognize a certain file, search for it in our Database of files https://www.2-spyware.com/files.php. Fix an item only if you know for sure that it belongs to a parasite.


Image 8. Example of O4 items

In the example above none of the O4 items are harmful. All of them belong to legitimate software and should not be fixed.

Note that HijackThis doesn’t remove files associated with O4 items. You have to delete them manually.

O5 type

Items of this type indicate that the Internet Options control, which is normally located in the Control Panel, is hidden. O5 items can be found on some office computers or systems where the user doesn’t have administrator rights. If HijackThis found such items on your home PC, you should fix them.

O6 type

O6 items indicate that access to some or all Internet Explorer options has been restricted by the system administrator. You cannot change any IE settings. O6 items can be found on some office computers or systems where the user doesn’t have administrator rights. If HijackThis found such items on your home PC, you should fix them.

Example:
O6 – HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O7 type

O7 items indicate that the current user cannot run the Windows Registry Editor utility. You cannot access and modify the registry. O7 items can be found on some office computers or systems where the user doesn’t have administrator rights. Fix such items only if they were detected on your own home computer.

Example:
O7 – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 type

Items of this type are special objects that appear in the context menu of Internet Explorer. The context menu is a special menu that can be opened by clicking the right mouse button anywhere within a web page opened in Internet Explorer.


Image 9. Example of the context menu of Internet Explorer

Some legitimate applications modify this menu to add useful shortcuts like Export to Microsoft Excel, Google Search, etc. (on Image 9 similar context shortcuts are designated by the red box). Certain parasites also may add similar shortcuts that may redirect a web browser to unsafe web sites, change essential IE settings, launch malicious scripts, run unsafe applications or perform other undesirable actions. HijackThis doesn’t show which items are malicious, so you have to decide yourself. Pay attention to program paths and file names.


Image 10. Example of O8 items

In the example above none of the O8 items are harmful. All of them belong to legitimate software and shouldn’t be fixed.

Note that HijackThis doesn’t remove files associated with O8 items. You have to delete them manually.

O9 type

This type covers additional Internet Explorer buttons and extra options in the Internet Explorer Tools menu. O9 items are third-party add-ons that weren’t installed during the IE installation. Such objects can be added by various software. The best way to figure out which item is bad is to open Internet Explorer and take a look at its Standard Buttons toolbar and the Tools menu. You should also pay attention to the paths and file names associated with each button or menu item. Fix only those objects that you don’t need or which do not belong to legitimate software.


Image 11. Example of O9 items

On Image 11 none of the listed buttons and menu options are harmful. However, none of them are required, and they can be safely fixed.

Note that HijackThis doesn’t remove files associated with O9 items. You have to delete them manually.

O10 type

The O10 type is for Winsock hijackers. These dangerous parasites work as essential networking services tracking all outgoing and incoming Internet traffic. They are able to steal your sensitive information and therefore are often used by different spyware threats. In most cases you should allow HijackThis to fix O10 items. However, be extremely careful. Deleting legitimate items or objects marked as Unknown can leave you without a working Internet connection.

Example:
O10 – Broken Internet access because of LSP provider
O10 – Unknown file in Winsock LSP: [file name]

O11 type

An O11 item indicates an extra option group that has been added to the Advanced tab of the Internet Explorer Tools > Internet Options menu. Such a group can be created only by one known hijacker called CommonName, so you should always delete O11 items.

Example:
O11 – Options group: [CommonName] CommonName

O12 type

Items of this type are Internet Explorer plugins that extend browser functionality. Most O12 items are harmless components associated with legitimate applications. They allow viewing PDF documents, displaying images in non-standard formats, etc. Normally you should leave them alone. However, if an O12 item contains .ofb or OnFlow, you have to fix it. Such a plug-in is always bad, as it belongs to the OnFlow parasite.

Example:
O12 – Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O13 type

The O13 type corresponds to Internet Explorer DefaultPrefix hijacks. O13 items belong to web browser hijackers that change the usual protocol prefixes like http://, ftp://, etc. to predefined web site addresses such as http://[malicious web site address]. This technique allows a web browser to be redirected to malicious sites: typing a known legitimate address redirects your web browser to a different, potentially unsafe Internet resource without your knowledge. O13 items always pose a threat and must be fixed.

Example:
O13 – Default Prefix: http://[malicious web site address]
O13 – WWW Prefix: http://[malicious web site address]

O14 type

This type is for so-called Reset Web Settings hijacks. O14 items usually belong to various web browser hijackers that change the default start page and other browser settings. You should allow HijackThis to fix such items, unless they contain known Internet addresses of your company or Internet connection provider.

Example:
O14 – IERESET.INF: START_PAGE_URL= http://[unknown potentially unsafe web site]

O15 type

The presence of items of this type indicates that some unwanted web sites were added to the Trusted Zone. The Internet Explorer Trusted Zone is a special list of sites that are recognized as absolutely safe, so they can perform practically any action, e.g. install ActiveX controls, execute certain code, etc. Having potentially dangerous Internet resources in the Trusted Zone is a great security and privacy risk. You should fix all O15 items associated with sites you don’t recognize.


Image 12. Example of O15 entries

On Image 12 you can see potentially unsafe web sites added to the Trusted Zone. These items should be fixed.

To access the Trusted Zone settings and see all its entries launch Internet Explorer. Click on the Tools menu and select Internet Options. Within the appeared window click on the Security tab. Select the Trusted Sites icon and press the Sites… button. This will open the Trusted Sites list.


Image 13. Take a look on the Trusted Sites list

O16 type

This type is for downloaded ActiveX scripts stored in the C:\Windows\Downloaded Program Files or C:\Winnt\Downloaded Program Files directory. Some of these scripts can be related to legitimate applications and Internet services. However, lots of malicious web resources and parasites secretly download and install harmful code of this type. You should fix items that you don’t recognize, especially if they contain words like “casino”, “porn”, “sex”, “dialer”, “adult”, “xxx”, etc. In most cases it is safe to fix even fully legitimate O16 items, as ActiveX scripts can be downloaded once again.


Image 14. Example of an O16 item

O17 type

The O17 type corresponds to so-called Lop.com Domain Hacks. Most items of this type belong to Lop.com web browser hijackers that change the web browser’s default start and search pages and modify essential system networking settings. As a result a compromised computer can be configured to contact malicious servers every time the user accesses the Internet. In most cases you should allow HijackThis to fix O17 items. However, if they contain IP addresses of your company or Internet service provider, you must leave them unchanged.


Image 15. Example of O17 items

Addresses shown on Image 15 belong to my ISP name servers. I don’t have to fix them.

O18 type

This type describes additional network protocols and the web browser hijackers that use them. Normally you should allow HijackThis to fix O18 items, because their presence usually indicates that your system is infected with the dangerous CoolWebSearch, Lop.com or another hijacker. A clean, uninfected system doesn’t have O18 objects.

Example:
O18 – Protocol: relatedlinks – {5AB65DD4-01FB-44D5-9537-3767AB80F790} – C:\PROGRA~1\COMMON~1\MSIETS\msielink.dll

Note that HijackThis doesn’t remove files associated with O18 items. You have to delete them manually.

O19 type

O19 items are usually related to specific web browser hijackers that overwrite the default user style sheets. In most cases you have to fix them, unless your computer and installed software, including Internet Explorer, are specially configured for handicapped users and the detected O19 items are associated with legitimate style sheets.

Example:
O19 – User style sheet: [path to user style sheet]

Note that HijackThis doesn’t remove files associated with O19 items. You have to delete them manually.

O20 type

O20 items are associated with library files that are loaded automatically on every Windows startup. These libraries remain in memory and often cannot be unloaded manually. In most cases O20 items belong to dangerous parasites such as the infamous CoolWebSearch family pests, which are very difficult to remove. Only a few legitimate applications use them. I suggest fixing all found O20 items.

Example:
O20 – AppInit_DLLs: [file name]

O21 type

Items of this type are essential system services or potentially malicious applications that run automatically on every Windows startup using an undocumented Windows feature called ShellServiceObjectDelayLoad. Such objects are not listed in the Windows standard startup list or known registry startup locations. You can find their complete list in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad registry key. HijackThis doesn’t show legitimate system components and detects only unknown or really harmful objects. In most cases you should fix O21 items. However, you are strongly advised to search special Internet resources for the detected registry keys and files. Even listed O21 items can be harmless and required by your system to function properly.

Example:
O21 – SSODL: System – [registry key] – [file]

Note that HijackThis doesn’t remove files associated with O21 items. You have to delete them manually.

O22 type

Items of this type are usually essential system services that run automatically on every Windows startup using an undocumented Windows feature called SharedTaskScheduler. Such objects are not listed in the Windows standard startup list or known registry startup locations. You can find the complete list of them in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler registry key. In most cases you should leave O22 items unfixed. However, if an O22 item contains the name of the mtwirl32.dll file, then you must fix it, because it belongs to the infamous CoolWebSearch hijacker.

Example:
O22 – SharedTaskScheduler: (no name) – {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} – C:\Windows\System\mtwirl32.dll

Note that HijackThis doesn’t remove files associated with O22 items. You have to delete them manually.

O23 type

Items of this type are third-party services for the Windows NT, 2000, XP and 2003 operating systems. Such services are special programs that automatically run on every Windows startup and remain active in the background. Usually O23 items belong to antivirus software, special security applications or some device drivers. HijackThis doesn’t show genuine Microsoft services. Some dangerous parasites install their own services that act like legitimate applications. Of course, they must be fixed. To find out which service is malicious and which is not, you have to look at the files and names related to the service. Fix only known malicious items.


Image 16. Example of O23 items

None of the services shown on the example above are malicious. They do not have to be fixed.
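
As an added example (not part of the tutorial or of HijackThis itself), the following Python script applies the guidance from the type descriptions above to a saved log: it parses each TYPE - description line and assigns a verdict of fix, review or leave. The verdict tables and the sample log with its placeholder paths are constructed for this example.

```python
"""Triage a saved HijackThis log using the guidance from the type list above.

Added example: this is not part of the tutorial or of HijackThis. Each
'TYPE - description' line gets a verdict of 'fix', 'review' or 'leave'.
"""
import re

# Real logs separate type and description with ' - '; an en dash is accepted too.
ENTRY_RE = re.compile(r"^(?P<type>[FRNO]\d{1,2})\s+[-\u2013]\s+(?P<body>.+)$")

# Types the tutorial describes as always malicious.
ALWAYS_FIX = {
    "F0": "Shell= in system.ini is never legitimate",
    "R3": "search hooks are always hijackers",
    "O11": "extra Advanced-tab option group comes only from CommonName",
    "O13": "DefaultPrefix hijack redirects typed addresses",
}
# Types that usually belong to parasites but may be legitimate network settings.
USUALLY_FIX = {
    "O10": "Winsock LSP hijacker; confirm it is not a legitimate LSP first",
    "O14": "Reset Web Settings hijack unless it is your company or ISP address",
    "O17": "Lop.com domain hack unless the IPs are your ISP name servers",
    "O18": "extra protocol handlers occur only on infected systems",
    "O20": "AppInit_DLLs entries almost always belong to parasites",
    "O21": "ShellServiceObjectDelayLoad entry; verify before fixing",
}
# Types where legitimate and malicious entries both occur: look the file up.
REVIEW = {"F2", "F3", "R0", "R1", "O2", "O3", "O4", "O8", "O9",
          "O15", "O16", "O19", "O23"}
# Words the tutorial lists as suspicious in O16 (downloaded ActiveX) entries.
O16_WORDS = ("casino", "porn", "sex", "dialer", "adult", "xxx")


def classify(entry_type, body):
    """Return (verdict, reason) for a single log entry."""
    lowered = body.lower()
    if entry_type == "O1":  # Hosts file: only '127.0.0.1 localhost' is expected
        if lowered.replace("hosts:", "").split() == ["127.0.0.1", "localhost"]:
            return "leave", "default localhost entry"
        return "fix", "Hosts file redirection"
    if entry_type == "O12" and (".ofb" in lowered or "onflow" in lowered):
        return "fix", "OnFlow plug-in"
    if entry_type == "O22" and "mtwirl32.dll" in lowered:
        return "fix", "CoolWebSearch SharedTaskScheduler entry"
    if entry_type == "O16" and any(w in lowered for w in O16_WORDS):
        return "fix", "downloaded ActiveX with a suspicious name"
    if entry_type in ALWAYS_FIX:
        return "fix", ALWAYS_FIX[entry_type]
    if entry_type in USUALLY_FIX:
        return "fix", USUALLY_FIX[entry_type]
    if entry_type in REVIEW:
        return "review", "legitimate and malicious entries both occur; look it up"
    return "leave", "normally legitimate (F1, N1-N4, O5-O7, O12, O22)"


def triage(log_text):
    """Parse a saved log and return one verdict dict per recognised entry."""
    results = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines such as 'Logfile of HijackThis v1.99.1'
        verdict, reason = classify(m.group("type"), m.group("body"))
        results.append({"type": m.group("type"), "entry": raw.strip(),
                        "verdict": verdict, "reason": reason})
    return results


# Constructed sample log: entries from the tutorial plus placeholder paths.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
F1 - win.ini: Run=legacyapp.exe
O1 - Hosts: 172.16.5.134 www.bankofamerica.com
O4 - HKLM\..\Run: [Updater] C:\Program Files\Example\updater.exe
O11 - Options group: [CommonName] CommonName
O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .ofb: C:\Windows\System\onflow.dll
O22 - SharedTaskScheduler: (no name) - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - C:\Windows\System\mtwirl32.dll
"""
```

Calling triage(SAMPLE_LOG) yields one dict per entry; a verdict of review still means looking the file or name up before fixing, exactly as the type descriptions above say.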

Eliminating threats

1. Fixing malicious entries

After the system scan is over HijackThis will display a scan report consisting of numerous entries. At this point you should already know how to interpret scan results. Now you have to select potentially malicious items and fix them. To do this place a checkmark next to items you want to fix and click on the Fix checked button (on Image 17 it is designated by the red box).


Image 17. Select items you want to fix

Now the program will ask you for confirmation. In the appeared dialog press Yes.

Image 18. Fix and eliminate selected threats

2. Restoring previously fixed objects

After each system clean-up HijackThis backs up the fixed objects, so that they can be easily restored later. This feature can help to repair the system in case harmless essential system objects were accidentally removed. However, if you are sure that all eliminated items were malicious, you can delete them from the Backups list. This list is a HijackThis tool that lets you delete or restore items from the backup. To access it, within the main program window click on the Config button (on Image 2 it is designated by the green box), then in the section that appears press the Backups button (on Image 19 it is in the blue box).


Image 19. Delete or restore backed up items

To delete all listed items from the backup click on the Delete all button (in the yellow box). To remove only a few objects, place checkmarks next to them and click on the Delete button (it is in the red box). To restore certain items, select them and press the Restore button (in the green box). HijackThis will display a dialog asking you to confirm the action. If you want to restore or delete an item, confirm by clicking on the Yes button.

Using miscellaneous HijackThis tools

HijackThis includes additional useful tools that may help you to get rid of some parasites. To access these tools, click on the Config button (it is located in the main program screen; on Image 2 it is in the green box) and then in the section that appears click on the Misc Tools button.


Image 20. Miscellaneous HijackThis tools

1. Using the Process manager

The Process manager lists all currently running processes and lets you easily kill any of them. This tool can be very useful for those still running Windows 95, 98 or Me, or for users who do not have access to the Windows Task Manager.

To open the Process manager click on the Open process manager button (on Image 20 it is designated by the red box). You will be presented with the list of running processes.


Image 21. The Process Manager

To kill a certain process, select it with your mouse or keyboard and press the Kill process button (on Image 21 it is in the red box). Be extremely careful! Do not kill processes whose purpose is unclear to you!

If you want to know what library files are used by certain process, place a checkmark next to the Show DLLs option (it is in the blue box) and select a process with your mouse or keyboard.

2. Using the Hosts file manager

The Hosts file manager shows the current system Hosts file and lets you easily delete any entries in it. This tool can be very useful for manual removal of O1 items related to Hosts file redirections.

To open the Hosts file manager click on the Open hosts file manager button (on Image 20 it is designated by the blue box). You will be presented with the Hosts file content.


Image 22. The Hosts file manager

To delete a certain line, select it with your mouse or keyboard and click on the Delete line(s) button (on Image 22 it is in the red box). Home users should delete all lines except for 127.0.0.1 localhost.

3. Using the Delete a file on reboot tool

The Delete a file on reboot tool lets you delete files that cannot be removed normally. Usually such files are used by parasites to run hidden processes, system services, etc. They are always in use and cannot be deleted.

To open the Delete a file on reboot tool, click on the Delete a file on reboot button (on Image 20 it is designated by the green box). You will be presented with the Enter file to delete on reboot… dialog. Within it navigate to a file, select it and click on the Open button (on Image 23 it is in the red box). HijackThis will display a message asking you to reboot the computer. Save your work and click on the Yes button. Your computer will be restarted and the chosen file will be erased.


Image 23. Delete selected file on the next reboot

Conclusion

HijackThis is an outstanding tool for finding hard-to-detect parasites, especially complex browser hijackers and malicious add-ons. However, it produces unreadable scan results, doesn’t provide useful details on the pests it finds and is definitely not user-friendly software. HijackThis should be used only in case your basic spyware remover doesn’t detect certain threats.


  • jeff shaw

    This is crude. I need this fixed.
