
Help Understanding HiJackThis Log


Now that we know how to interpret the entries, let's learn how to fix them. Each line in a HijackThis log starts with a section name, in the form of a two-character numeric or alphanumeric code. There is a program called SpywareBlaster that has a large database of malicious ActiveX objects. Several trojan hijackers use a homemade service in addition to other startups to reinstall themselves.

There are many legitimate plugins available, such as PDF viewers and non-standard image viewers. Click on File and Open, and navigate to the directory where you saved the log file. Starting screen of HijackThis: you should first click on the Config button, which is designated by the blue arrow in Figure 2, and confirm that your settings match those

O9 - Extra buttons on main IE toolbar, or extra items in IE 'Tools' menu
What it looks like:
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger


Spyware removal software such as Ad-Aware or Spybot S&D does a good job of detecting and removing most spyware programs, but some spyware and browser hijackers are too insidious for even

Finally, we will give you recommendations on what to do with the entries. Firewalls and other important programs load here, but rogue cleaning programs like AlfaCleaner may also load here. Domain hacks are when the hijacker changes the DNS servers on your machine to point to their own server, where they can direct you to any site they want.

Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O2 - BHO: (no name) - {1A214F62-47A7-4CA3-9D00-95A3965A8B4A} - C:\PROGRAM FILES\POPUP ELIMINATOR\AUTODISPLAY401.DLL (file missing)
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME1.DLL
What to do: If

Figure 3.

To determine which sections are mapped in this way, refer to the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping

Note that although Windows NT based systems retain the Win.ini file for compatibility with older

It is a malware cleaning forum, and there is much more to cleaning malware than just HijackThis.

They might find something to help YOU, and they might find something that will help the next guy.

Interpret The Log Yourself

There are several tutorials to teach you how to read the

F2 - Reg:system.ini: Userinit=

For those who are interested, you can learn more about Alternate Data Streams and the Home Search Assistant by reading the following articles: Windows Alternate Data Streams [Tutorial Link], Home Search

O3 - IE toolbars
What it looks like:
O3 - Toolbar: &Yahoo!

The Global Startup and Startup entries work a little differently.

They can be used by spyware as well as legitimate programs such as Google Toolbar and Adobe Acrobat Reader.

HijackThis Tutorial - Analyze, Understand and Interpret HijackThis logs

The first part of the log is commonly referred to as the "Header" information. Select an item to remove: once you have selected the items you would like to remove, press the Fix Checked button, designated by the blue arrow in Figure 6. Other things that show up are either not confirmed safe yet, or are hijacked by spyware.

F2 - Reg:system.ini: Userinit=

Have HijackThis fix them.

O14 - 'Reset Web Settings' hijack
What it looks like:
O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com
What to do: If the URL is not the provider of your computer or your ISP, have

If you did not install some alternative shell, you need to fix this.

What to do: If you recognize the URL at the end as your homepage or search engine, it's OK.

F3 } Only present in NT-based systems.

This makes it very difficult to remove the DLL, as it will be loaded within multiple processes, some of which cannot be stopped without causing system instability. There were some programs that acted as valid shell replacements, but they are generally no longer used. If you are unsure as to what to do, it is always safe to toggle the line so that a # appears before it.

O7 - Regedit access restricted by Administrator
What it looks like:
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
What to do: Always have HijackThis fix this.

So you can always have HijackThis fix this.

O12 - IE plugins
What it looks like:
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .PDF: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
What to do: Most

It is meant to be more educational for intermediate to advanced PC users. Other things that show up are either not confirmed safe yet, or are hijacked (i.e.

The known baddies are 'cn' (CommonName), 'ayb' ( and 'relatedlinks' (Huntbar); you should have HijackThis fix those. Only OnFlow adds a plugin here that you don't want (.ofb).

O13 - IE DefaultPrefix hijack
What it looks like:
O13 - DefaultPrefix: - WWW Prefix: - WWW.

Press Yes or No depending on your choice.

Please Protect Yourself!

Any program listed after the shell statement will be loaded when Windows starts, and will act as the default shell. When a user, or all users, logs on to the computer, each of the values under the Run key is executed and the corresponding programs are launched. This will comment out the line so that it will not be used by Windows.

O4 Section

This section corresponds to certain registry keys and startup folders that are used to automatically start an application when Windows starts.

In the BHO List, 'X' means spyware and 'L' means safe.

O3 - IE toolbars
What it looks like:
O3 - Toolbar: &Yahoo!

F2 entries - The Shell registry value is equivalent in function to the Shell= line in the system.ini file, as described above.

How to use the Hosts File Manager

HijackThis also has a rudimentary Hosts file manager. A better online tool to analyze HijackThis logs is found at

F2 and F3 entries correspond to the equivalent locations as F0 and F1, but they are instead stored in the registry for Windows versions XP, 2000, and NT. Windows (at least Windows XP) is very protective of known system components, and will ensure that "C:\Windows\Explorer.exe", for instance, is not modified or replaced by malware in any way. However,

To access the Uninstall Manager you would do the following: start HijackThis, click on the Config button, click on the Misc Tools button, then click on the Open Uninstall Manager button.

Spend a while reading them, practice a bit, and you can be at least as good as I am at spotting the bad stuff. Merijn Bellekom, author of HijackThis, gives a good

So verify their output against other sources, as noted, before using HJT to remove something.

Heuristic Analysis

If you do all of the above, try any recommended removals, and still have symptoms, there

Certain ones, like "Browser Pal", should always be removed, and the rest should be researched using Google.


© Copyright 2017 All rights reserved.