How to use Trend Micro HijackThis
After downloading and installing the latest version of Trend Micro HijackThis, open the file. If your computer cannot open the program, try renaming the file to something else (for example, sniper.exe) and running it again. Once open, you see a screen like the example pictured below.
Click the last button, "None of the above, just start the program", and then select the "Config..." button. Make sure the check boxes for the following options are checked.
- Make backups before fixing items
- Confirm fixing & ignoring of items
- Ignore non-standard but safe domains in IE (Internet Explorer)
- Include list of running processes in logfiles
Once checked or verified, click the Main Menu button.
Next, select the first button Do a system scan and save a logfile to start the system scan. Once completed, you see a screen like the example pictured below and a new Notepad window displaying the new HijackThis log.
If you are generating this log to be analyzed online, copy the complete log to the clipboard by pressing Ctrl+A to select all the text. Once highlighted, click Edit and then Copy. The log can then be pasted into a forum post or a HijackThis analysis tool, such as the Computer Hope Windows process tool.
The HijackThis log file is also saved on your computer in the default directory "C:\program files\Trend Micro\HijackThis\" and can be attached to a forum post or sent to another user in an e-mail to be analyzed.
Understanding the results
At first glance, the results can seem overwhelming, but the log lists the information from every location where malware commonly hooks into your computer. Below is a brief description of each of these sections for a general understanding of what they are.
HijackThis is an advanced utility and can make modifications to the Registry and other system files that can cause computer issues. Make sure you have followed the directions above, are making backups, and are familiar with what is being fixed before fixing any checked items.
R0 - R3 sections
Windows Registry values, created or changed, that relate to your Microsoft Internet Explorer browser. Malware often modifies these Registry values to change your default homepage, search page, etc. Below is an example of an R0 value.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.computerhope.com/
F0 - F3 sections
An overview of anything that is being loaded from the system.ini or win.ini files.
N1 - N4 sections
Like the R0-R3 sections, these entries come from the prefs.js file used by the Netscape and Mozilla Firefox browsers. N1-N4 entries can be attacked to change the default homepage, search page, etc.
O1 section
This section contains any redirections made in the Windows hosts file. A hosts-file redirection is another type of attack that maps a domain name to a different IP address. For example, an attack may use this to redirect your banking URL (Uniform Resource Locator) to another site to steal login information. Below is an example of an O1 line.
O1 - Hosts: ::1 localhost
O2 section
This section contains any Internet Explorer BHOs (Browser Helper Objects) installed on the computer, each listed with its CLSID (class identifier) enclosed in {}. Below is an example of an O2 line.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 section
This section shows any Microsoft Internet Explorer toolbars installed on the computer. Although there are plenty of legitimate browser toolbars, there are also plenty of malicious toolbars and toolbars installed by other programs you may not want. Below is an example of an O3 line.
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 section
One of the most commonly looked at sections, the O4 section contains any programs that are automatically loading in the Windows Registry each time the computer starts. Below is an example of this line.
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O5 section
This section displays any Windows Control Panel icons disabled from being shown. Some malware may disable Windows Control Panel to help prevent you from troubleshooting issues caused by the program.
O6 section
This section shows any Microsoft Internet Explorer options that have been disabled by policy. If any are listed, they should be fixed.
O7 section
This section shows whether access to the Registry Editor (regedit) has been disabled. If an entry is present, it should be fixed.
O8 section
Any additional features added into the Microsoft Internet Explorer right-click menu show in this section. Below is an example of this line.
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O9 section
Any additional buttons or menu items added to Microsoft Internet Explorer are shown here. Below is an example of this line.
O9 - Extra button: StumbleUpon - {75C9223A-409A-4795-A3CA-08DE6B075B4B} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O10 section
This section displays any Windows Winsock hijackers. Although HijackThis can fix these lines, because of how Winsock works we suggest using LSP-Fix, an alternative tool designed to repair this section, if an entry is found. Below is an example of this line.
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O11 section
Displays any extra group that's been added to the Microsoft Internet Explorer Advanced Options section.
O12 section
This section displays any Microsoft Internet Explorer plugins installed on the computer.
O13 section
Displays any changes made to Microsoft Internet Explorer's default http:// prefix. This prefix is used when a user types a URL address without adding "http://" in front.
O14 section
This section displays any changes made to the iereset.inf file. This file is used when restoring Microsoft Internet Explorer settings back to their defaults.
O15 section
Displays any Microsoft Internet Explorer Trusted Zone changes. Unless you added the entry yourself or recognize it, we suggest fixing it through HijackThis. Below is an example of an O15 line.
O15 - Trusted Zone: http://www.partypoker.com
O16 section
Displays all Microsoft Internet Explorer ActiveX objects. Below is an example of this line.
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O17 section
This section displays any potential DNS (Domain Name System) and Domain hijacks. Below is an example of this line.
O17 - HKLM\System\CCS\Services\Tcpip\..\{F30B90D7-A542-4DAD-A7EF-4FF23D23587B}: Nameserver = 203.23.236.66 203.23.236.69
O18 section
Any protocol hijackers are shown here. If this section is seen, we recommend it be fixed by HijackThis. Below is an example of this line.
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O19 section
This section displays any CSS (Cascading Style Sheets) style sheet changes made. Unless you're using a custom style sheet, we recommend you use HijackThis to fix this section.
O20 section
Anything that is being loaded through the AppInit_DLLs Registry value or through Winlogon is shown in this section. Below is an example of each of these lines.
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O21 section
Anything that's loading in the SSODL (ShellServiceObjectDelayLoad) Windows registry key is shown in this section.
O22 section
This section shows any SharedTaskScheduler autorun Windows registry keys. Below is an example of this line.
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 section
Any Windows XP, NT, 2000, 2003, and Vista startup services are shown in this section. Below is an example of this line.
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O24 section
Finally, the O24 section is any Microsoft Windows Active Desktop components that are installed on the computer. Unless you're using Active Desktop or recognize the name, we suggest you fix these as well. Below is an example of this line.
O24 - Desktop Component 1: (no name) - http://mbox.personals.yahoo.com/mbox/mboxlist
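A small triage script, added here as an example and not code from the article or from HijackThis itself: it parses entry lines in the log format shown above and applies the per-section advice given in this article (fix whenever present, review unless you added it, or the hosts-file check for O1). The sample log is constructed; the second O1 line is a made-up redirection using a reserved documentation address, and the section sets and helper names are this example's own.

```python
import re

# Constructed sample excerpt in the HijackThis log format described above;
# the second O1 line is made up to exercise the hosts-file rule.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = https://www.computerhope.com/
O1 - Hosts: ::1 localhost
O1 - Hosts: 203.0.113.5 www.bank.example
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O15 - Trusted Zone: http://www.partypoker.com
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{F30B90D7-A542-4DAD-A7EF-4FF23D23587B}: Nameserver = 203.23.236.66 203.23.236.69
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\\PROGRA~1\\AVG\\AVG8\\avgemc.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# Sections the article says should be fixed whenever an entry appears at all.
FIX_IF_PRESENT = {"O5", "O6", "O7", "O18", "O19"}
# Sections whose entries deserve a look unless you added them yourself (O10: use LSP-Fix).
REVIEW_IF_PRESENT = {"O10", "O15", "O17", "O24"}
LOOPBACK = {"127.0.0.1", "::1"}


def parse_log(text):
    """Return (section, body) pairs for every entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def hosts_is_benign(body):
    """True only for the standard loopback -> localhost mapping."""
    parts = body[len("Hosts:"):].split()
    return len(parts) == 2 and parts[0] in LOOPBACK and parts[1] == "localhost"


def triage(entries):
    """Tag each entry 'fix', 'review' or 'info' following the section notes above."""
    results = []
    for section, body in entries:
        verdict = "info"
        if section in FIX_IF_PRESENT:
            verdict = "fix"
        elif section in REVIEW_IF_PRESENT:
            verdict = "review"
        elif section == "O1" and body.startswith("Hosts:") and not hosts_is_benign(body):
            verdict = "review"  # a name is being pointed at a non-loopback address
        results.append((section, verdict, body))
    return results
```

Run `triage(parse_log(SAMPLE_LOG))` to get the tagged entries; the loopback O1 line and the O4 and O23 lines come back as info, while the redirection, Trusted Zone and Nameserver lines come back as review.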