
How To Analyse A HijackThis Log

Post by Doctor Inferno on Tue 07 Oct 2008, 3:22 am

Here is a short guide on how to analyse a HijackThis log and understand what the entries mean.

Before we begin, always remember to consult a professional before dealing with HijackThis.


Each line in a HijackThis log starts with a section name:

  • R0, R1, R2, R3 - Internet Explorer Start/Search pages URLs
  • F0, F1 - Autoloading programs
  • F2, F3 - Autoloading programs mapped to the Registry
  • N1, N2, N3, N4 - Netscape/Mozilla Start/Search pages URLs
  • O1 - Hosts file redirection
  • O2 - Browser Helper Objects
  • O3 - Internet Explorer toolbars
  • O4 - Autoloading programs from Registry
  • O5 - IE Options icon not visible in Control Panel
  • O6 - IE Options access restricted by Administrator
  • O7 - Regedit access restricted by Administrator
  • O8 - Extra items in IE right-click menu
  • O9 - Extra buttons on main IE button toolbar, or extra items in IE ‘Tools’ menu
  • O10 - Winsock hijacker
  • O11 - Extra group in IE ‘Advanced Options’ window
  • O12 - IE plugins
  • O13 - IE DefaultPrefix hijack
  • O14 - ‘Reset Web Settings’ hijack
  • O15 - Unwanted site in Trusted Zone
  • O16 - ActiveX Objects (aka Downloaded Program Files)
  • O17 - Lop.com domain hijackers
  • O18 - Extra protocols and protocol hijackers
  • O19 - User style sheet hijack
  • O20 - AppInit_DLLs Registry value autorun
  • O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
  • O22 - SharedTaskScheduler autorun Registry key
  • O23 - Services
  • O24 - ActiveX Desktop Components






R0, R1, R2, R3 - IE Start & Search pages

What are these?
R0 items are changed Registry values.
R1 items are created Registry values.
R2 items are created Registry keys.
R3 items are created extra Registry values where only one should exist.

What to do:
If you recognize the URL at the end as your homepage or search engine, it’s OK. If you don’t, then use HijackThis to fix it.
For the R3 items, always fix them unless it mentions a program you recognize.





F0, F1, F2, F3 - Autoloading programs from INI files

What are these?
F0 items are changed INI file values.
F1 items are created INI file values.
F2 items are changed INI file values mapped to the Registry.
F3 items are created INI file values mapped to the Registry.

What to do:
The F0 items are always bad, so fix them.
The F1 items are usually very old programs that are safe, so you should find some more info on the file name to see if it’s good or bad.





N1, N2, N3, N4 - Netscape/Mozilla Start & Search page

What are these?
N0 items are changes in prefs.js of Netscape 4.x.
N1 items are changes in prefs.js of Netscape 6.
N2 items are changes in prefs.js of Netscape 7.
N3 items are changes in prefs.js of Mozilla.

What to do:
Usually the Netscape and Mozilla homepage and search page are safe. Should you see a URL you don’t recognize as your homepage or search page, use HijackThis to fix it.





O1 - Hosts file redirections

What to do:
This hijack will redirect the address to the right to the IP address to the left. If the IP does not belong to the address, you will be redirected to a wrong site every time you enter the address. You can always have HijackThis fix these, unless you knowingly put those lines in your Hosts file.
The last item sometimes occurs on Windows 2000/XP with a Coolwebsearch infection. Always fix this item, or have CWShredder repair it automatically.





O2 - Browser Helper Objects (BHOs)

Browser helper objects are plugins to your browser that extend the functionality of it. They can be used by spyware as well as legitimate programs such as Google Toolbar and Adobe Acrobat Reader. You must do your research when deciding whether or not to remove any of these as some may be legitimate.





O3 - IE toolbars

These are the toolbars that are underneath your navigation bar and menu in Internet Explorer.





O4 - Autoloading programs from Registry or Startup group

This section corresponds to certain registry keys and startup folders that are used to automatically start an application when Windows starts. O4 keys are the HijackThis entries that the majority of programs use to autostart, so particular care must be used when examining these keys. The O4 Registry keys and directory locations are listed below and apply, for the most part, to all versions of Windows.

As of HijackThis version 2.0.2, HijackThis will also list entries for other users that are actively logged into a computer at the time of the scan by reading the information from the HKEY_USERS registry key. If a user is not logged on at the time of the scan, their user key will not be loaded, and therefore HijackThis will not list their autoruns. When working on HijackThis logs it is not advised to use HijackThis to fix entries in a person's log when the user has multiple accounts logged in. We advise this because the other user's processes may conflict with the fixes we are having the user run.





O5 - IE Options not visible in Control Panel

It is possible to disable the seeing of a control in the Control Panel by adding an entry into the file called control.ini which is stored, for Windows XP at least, in c:\windows\control.ini. From within that file you can specify which specific control panels should not be visible.

What to do:
Unless you or your system administrator have knowingly hidden the icon from Control Panel, have HijackThis fix it.





O6 - IE Options access restricted by Administrator

These options should only appear if your administrator set them on purpose or if you used Spybot's Home Page and Option Lockdown features in the Mode -> Advanced Mode -> Tools -> IE Tweaks section.




O7 - Regedit access restricted by Administrator

These items depict the disabling of Regedit via Policy controls. Always have HijackThis fix this, unless your system administrator has put this restriction into place.





O8 - Extra items in IE right-click menu

Each O8 entry will be a menu option that is shown when you right-click on Internet Explorer. The program shown in the entry will be what is launched when you actually select this menu option. Certain ones, like "Browser Pal" should always be removed, and the rest should be researched using Google. An example of a legitimate program that you may find here is the Google Toolbar.

When you fix these types of entries, HijackThis does not delete the file listed in the entry. If you need to remove this file, it is recommended that you reboot into safe mode and delete the file there.





O9 - Extra buttons on main IE toolbar, or extra menu items

If you do not need these buttons or menu items or recognize them as malware, you can remove them safely.

What to do:
When you fix these types of entries, HijackThis does not delete the offending file listed. It is recommended that you reboot into safe mode and delete the offending file.





O10 - Winsock hijackers

LSPs are a way to chain a piece of software to your Winsock 2 implementation on your computer. Since the LSPs are chained together, when Winsock is used, the data is also transported through each of the LSPs in the chain. Spyware and Hijackers can use LSPs to see all traffic being transported over your Internet connection.

You should use extreme caution when deleting these objects: if one is removed without properly fixing the gap in the chain, you can lose Internet access.

What to do:
It’s best to fix these using LSPFix from Cexx.org.





O11 - Extra group in IE ‘Advanced Options’ window

If you look in your Internet Options for Internet Explorer you will see an Advanced Options tab. It is possible to add an entry under a registry key so that a new group would appear there.

What to do:
According to Merijn, of HijackThis, there is only one known Hijacker that uses this and it is CommonName. If you see CommonName in the listing you can safely remove it. If it is another entry, you should Google it to do some research.

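The section prefixes listed at the start of this post are enough to write a first-pass log parser that tags every entry with its section meaning and counts how many entries each section has. The Python below is an added example, not code from the original post or from HijackThis itself; it assumes the "CODE - body" line layout seen in typical logs, and the sample log, the `parse_log` and `summarize` names, and the CLSID and paths in the sample are constructed here.

```python
import re
from collections import Counter

# Section prefixes and their meaning, copied from the list in the post above.
SECTION_MEANING = {
    **dict.fromkeys(("R0", "R1", "R2", "R3"), "Internet Explorer Start/Search pages URLs"),
    **dict.fromkeys(("F0", "F1"), "Autoloading programs"),
    **dict.fromkeys(("F2", "F3"), "Autoloading programs mapped to the Registry"),
    **dict.fromkeys(("N1", "N2", "N3", "N4"), "Netscape/Mozilla Start/Search pages URLs"),
    "O1": "Hosts file redirection",
    "O2": "Browser Helper Objects",
    "O3": "Internet Explorer toolbars",
    "O4": "Autoloading programs from Registry",
    "O5": "IE Options icon not visible in Control Panel",
    "O6": "IE Options access restricted by Administrator",
    "O7": "Regedit access restricted by Administrator",
    "O8": "Extra items in IE right-click menu",
    "O9": "Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu",
    "O10": "Winsock hijacker",
    "O11": "Extra group in IE 'Advanced Options' window",
    "O12": "IE plugins",
    "O13": "IE DefaultPrefix hijack",
    "O14": "'Reset Web Settings' hijack",
    "O15": "Unwanted site in Trusted Zone",
    "O16": "ActiveX Objects (aka Downloaded Program Files)",
    "O17": "Lop.com domain hijackers",
    "O18": "Extra protocols and protocol hijackers",
    "O19": "User style sheet hijack",
    "O20": "AppInit_DLLs Registry value autorun",
    "O21": "ShellServiceObjectDelayLoad (SSODL) autorun Registry key",
    "O22": "SharedTaskScheduler autorun Registry key",
    "O23": "Services",
    "O24": "ActiveX Desktop Components",
}

# One log entry is "<CODE> - <body>" (layout assumed from typical HijackThis logs).
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")


def parse_log(text):
    """Return one dict per recognised entry; header and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code = m.group("code")
        entries.append({
            "line": lineno,
            "code": code,
            "meaning": SECTION_MEANING.get(code, "unknown section code"),
            "body": m.group("body"),
        })
    return entries


def summarize(entries):
    """Count entries per section code so the busiest sections stand out."""
    return Counter(e["code"] for e in entries)


# Constructed sample log: plausible lines, not taken from a real machine.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
Platform: Windows XP (constructed sample)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Example Service (exsvc) - Example Corp - C:\WINDOWS\system32\exsvc.exe
"""

if __name__ == "__main__":
    for entry in parse_log(SAMPLE_LOG):
        print(f"{entry['code']:<4} {entry['meaning']}: {entry['body']}")
    print(summarize(parse_log(SAMPLE_LOG)))
```

Unknown codes are kept rather than dropped, so a log from a newer HijackThis build that adds sections still parses and the unfamiliar entries are visible for review.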
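The O1 section above says to fix any Hosts entry you did not put there yourself. The Python below is an added example, not code from the original post or from HijackThis; it assumes O1 lines look like "O1 - Hosts: <ip> <hostname>", and the allowlist of known entries, the sample lines, and the `assess_o1` and `review_o1_lines` names are constructed here. It separates entries that send a hostname to some other address (the redirection the post describes) from entries that merely point a host at the machine itself, which still need confirming with the user but usually come from a hosts-based blocklist they installed.

```python
import ipaddress

# Hosts lines the user says they added deliberately (constructed allowlist).
KNOWN_GOOD = {("127.0.0.1", "localhost")}


def parse_o1(line):
    """Split 'O1 - Hosts: <ip> <hostname>' (layout assumed) into its two fields."""
    prefix = "O1 - Hosts:"
    if not line.startswith(prefix):
        raise ValueError(f"not an O1 entry: {line!r}")
    parts = line[len(prefix):].split()
    if len(parts) < 2:
        raise ValueError(f"malformed O1 entry: {line!r}")
    return parts[0], parts[1].lower()


def assess_o1(line, known_good=KNOWN_GOOD):
    """Classify one O1 entry.

    known     - the user put this line in the Hosts file on purpose
    local     - host is mapped to the machine itself (0.0.0.0 / loopback);
                typical of ad-blocking hosts lists, confirm with the user
    redirect  - host is sent to another address: fix unless the user added it
    malformed - the left-hand field is not a valid IP address at all: fix it
    """
    try:
        ip, host = parse_o1(line)
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "malformed"
    if (ip, host) in known_good:
        return "known"
    if addr.is_loopback or addr.is_unspecified:
        return "local"
    return "redirect"


def review_o1_lines(lines, known_good=KNOWN_GOOD):
    """Return (verdict, line) for every entry needing attention, worst first."""
    order = {"malformed": 0, "redirect": 1, "local": 2}
    verdicts = [(assess_o1(line, known_good), line) for line in lines]
    flagged = [(v, line) for v, line in verdicts if v != "known"]
    return sorted(flagged, key=lambda item: order[item[0]])


# Constructed sample O1 lines using documentation address ranges.
SAMPLE_O1 = [
    "O1 - Hosts: 127.0.0.1 localhost",
    "O1 - Hosts: 0.0.0.0 ads.example.net",
    "O1 - Hosts: 198.51.100.7 www.example.com",
    "O1 - Hosts: not-an-ip www.example.org",
]

if __name__ == "__main__":
    for verdict, line in review_o1_lines(SAMPLE_O1):
        print(f"{verdict:<9} {line}")
```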

Re: How To Analyse A HijackThis Log

Post by Doctor Inferno on Tue 07 Oct 2008, 8:27 pm

O12 - IE plugins for file extensions or MIME types

Internet Explorer Plugins are pieces of software that get loaded when Internet Explorer starts to add functionality to the browser. There are many legitimate plugins available such as PDF viewing and non-standard image viewers.

What to do:
When you fix these types of entries with HijackThis, HijackThis will attempt to delete the offending file listed. There are times that the file may be in use even if Internet Explorer is shut down. If the file still exists after you fix it with HijackThis, it is recommended that you reboot into safe mode and delete the offending file.





O13 - IE DefaultPrefix hijack

What to do:
This shows changes made in how Windows interprets URLs entered without a preceding http:// etc. One tactic of some malware is to change these as a form of browser redirection. These are always bad unless you have knowingly made a change in browser behavior. Have HijackThis fix any changes that you didn’t make.





O14 - ‘Reset Web Settings’ hijack

There is a file on your computer that Internet Explorer uses when you reset options back to their Windows default. That file is stored in c:\windows\inf\iereset.inf and contains all the default settings that will be used. When you reset a setting, it will read that file and change the particular setting to what is stated in the file. If a Hijacker changes the information in that file, then you will get re-infected when you reset that setting, as it will read the incorrect information from the iereset.inf file.

What to do:
If the URL is not the provider of your computer or your ISP, have HijackThis fix it.





O15 - Unwanted sites in Trusted Zone

Internet Explorer's security is based upon a set of zones. Each zone has different security in terms of what scripts and applications can be run from a site that is in that zone. There is a security zone called the Trusted Zone. This zone has the lowest security and allows scripts and applications from sites in this zone to run without your knowledge. It is therefore a popular setting for malware sites to use so that future infections can be easily done on your computer without your knowledge as these sites will be in the Trusted Zone.

What to do:
Most of the time only AOL and Coolwebsearch silently add sites to the Trusted Zone. If you didn’t add the listed domain to the Trusted Zone yourself, have HijackThis fix it.





O16 - ActiveX Objects (aka Downloaded ActiveX Program Files)

ActiveX objects are programs that are downloaded from web sites and are stored on your computer. These objects are stored in C:\windows\Downloaded Program Files. They are also referenced in the registry by their CLSID which is the long string of numbers between the curly braces. There are many legitimate ActiveX controls such as the one in the example which is an iPix viewer.

What to do:
In general, if you don’t recognize the name of the object, or the URL it was downloaded from, have HijackThis fix it. If the name or URL contains words like ‘dialer’, ‘casino’, ‘free_plugin’ etc. fix it.





O17 - Lop.com domain hijacks

When you go to a web site using a hostname, like www.geekpolice.net, instead of an IP address, your computer uses a DNS server to resolve the hostname into an IP address like 192.168.1.0. Domain hacks are when the Hijacker changes the DNS servers on your machine to point to their own server, where they can direct you to any site they want. By adding google.com to their DNS server, they can make it so that when you go to www.google.com, they redirect you to a site of their choice.

What to do:
If the domain is not from your ISP or company network, have HijackThis fix it. The same goes for the ‘SearchList’ entries.
For the ‘NameServer’ (DNS servers) entries, Google for the IP or IPs and it will be easy to see if they are good or bad.





O18 - Extra protocols and protocol hijackers

This method is used by changing the standard protocol drivers that your computer uses to ones that the Hijacker provides. This allows the Hijacker to take control of certain ways your computer sends and receives information.

What to do:

(Lop.com) and ‘relatedlinks’ (Huntbar), you should have HijackThis fix those.
Other things that show up as O18 in HijackThis are either not confirmed safe yet, or are hijacked (i.e. the CLSID has been changed) by spyware. In the last case, have HijackThis fix it.





O19 - User style sheet hijack

A style sheet is a template for how page layouts, colors, and fonts are viewed from an html page. This type of hijacking overwrites the default style sheet which was developed for handicapped users, and causes large amounts of popups and potential slowdowns.

What to do:
In the case of a browser slowdown and frequent popups, have HijackThis fix this item if it shows up in the log. However, since only Coolwebsearch does this, it’s better to use CWShredder to fix it.





O20 - AppInit_DLLs Registry value autorun

This Registry value located at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows loads a DLL into memory when the user logs in, after which it stays in memory until logoff. Very few legitimate programs use it (Norton CleanSweep uses APITRAP.DLL); most often it is used by trojans or aggressive browser hijackers.
In case of a ‘hidden’ DLL loading from this Registry value (only visible when using ‘Edit Binary Data’ option in Regedit) the dll name may be prefixed with a pipe ‘|’ to make it visible in the log.





O21 - ShellServiceObjectDelayLoad (SSODL) autorun

This Registry key contains values in a similar way as the Run key does. The difference is that instead of pointing to the file itself, it points to the CLSID's InProcServer, which contains the information about the particular DLL file that is being used.

The files under this key are loaded automatically by Explorer.exe when your computer starts. Because Explorer.exe is the shell for your computer, it will always start, thus always loading the files under this key. These files are therefore loaded early in the startup process before any human intervention occurs.

What to do:
ShellServiceObjectDelayLoad is an undocumented autorun method, normally used by a few Windows system components. Items listed at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad are loaded by Explorer when Windows starts. HijackThis uses a whitelist of several very common SSODL items, so whenever an item is displayed in the log it is unknown and possibly malicious. Treat with extreme care.





O22 - SharedTaskScheduler autorun

The entries in this Registry key run automatically when you start Windows. This key is commonly used by SmitFraud variants to display fake security alerts and to download rogue anti-spyware programs.

What to do:
Shared Task Scheduler is an undocumented autorun for Windows NT/2000/XP only, which is used very rarely. So far only CWS.Smartfinder uses it. Treat with care.





O23 - Services

Services are programs that are loaded automatically by Windows on startup. These services are loaded regardless of whether or not a user logs on to the computer and tend to be used to handle system-wide tasks such as Windows operating system features, antivirus software, or application servers. Lately there has been an increased trend for malware to use services to infect a computer. It is therefore important to examine each of the services listed for ones that do not look correct. Common malware services you may find are Home Search Assistant and the new Bargain Buddy variant.

What to do:
This is the listing of non-Microsoft services. The list should be the same as the one you see in the MSCONFIG utility of Windows XP. If you don’t directly recognize an O23 item, use the CastleCops Windows XP/NT Services List to find it. In the list, ‘X’ means spyware and ‘L’ means safe. (See the Key at the top of the page for explanations of the other status codes.)

Several Trojan hijackers use a homemade service in addition to other startups to reinstall themselves. The full name is usually important-sounding, like “Network Security Service,” “Workstation Logon Service,” or “Remote Procedure Call Helper,” but the internal name (between brackets) is a string of garbage, like 'O?’ŽrtñåȲ$Ó'. The second part of the line is the owner of the file at the end, as seen in the file’s properties. NOTE: Fixing an O23 item will only stop the service and disable it. The service needs to be deleted from the Registry manually or with another tool. In HijackThis 1.99.1 or higher, the button “Delete NT Service” in the Misc Tools section can be used for this.

“Services” in Windows NT 4, Windows 2000, Windows XP, and Windows Server 2003 are a special type of program essential to the system and required for proper system functioning. Service processes are started before the user logs in and are protected by Windows. They can only be stopped from the Services dialogue in the Administrative Tools window (or from a Run box, just type SERVICES.MSC). Accordingly, malware that registers itself as a service is subsequently also harder to kill.





O24 - ActiveX Desktop Components

Active Desktop Components are local or remote html files that are embedded directly onto your desktop as a background. Infections use this method to embed messages, pictures, or web pages directly onto a user's desktop. Common examples of infections that use this method are the SmitFraud family of rogue anti-spyware programs. These infections use Active Desktop Components to display fake security warnings as the background of a user's desktop.

What to do:
Remove them using HijackThis if you don't recognise them.





Conclusion

HijackThis is powerful software for finding out the specifics of your browser and what is running in Windows. This program should be used with caution, as incorrectly removing some items can cause problems with legitimate programs. If you have any questions please feel free to post them in our Malware Removal Support & HijackThis logs forum.


Regards

Milton




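The O17 section above tells you to fix 'NameServer', 'Domain' and 'SearchList' values that do not belong to your ISP or company network. The Python below is an added example, not code from the original post or from HijackThis; it assumes O17 lines look like "O17 - <registry key>: <Name> = <value>" with comma-separated values, and the expected resolver range (a documentation network standing in for the ISP's real one), the expected domain, the sample lines and the `assess_o17` name are constructed here. Any address outside the expected range is reported so it can be researched, as the post advises, rather than judged automatically.

```python
import ipaddress
import re

# What the ISP or company network legitimately hands out (constructed values;
# 192.0.2.0/24 is a documentation range standing in for the real resolver range).
EXPECTED_RESOLVERS = [ipaddress.ip_network("192.0.2.0/24")]
EXPECTED_DOMAINS = {"corp.example.com"}

# "O17 - <registry key>: <Name> = <value>" (layout assumed from typical logs).
O17_RE = re.compile(
    r"^O17 - (?P<key>.+?): (?P<name>NameServer|Domain|SearchList) = (?P<value>.+)$"
)


def _split_values(value):
    """Values may be comma- or space-separated; drop empty pieces."""
    return [v for v in re.split(r"[,\s]+", value.strip()) if v]


def assess_o17(line, resolvers=EXPECTED_RESOLVERS, domains=EXPECTED_DOMAINS):
    """Return which parts of one O17 entry fall outside the expected network."""
    m = O17_RE.match(line)
    if not m:
        return {"line": line, "name": None, "status": "unparsed", "suspect": []}
    name, value = m.group("name"), m.group("value")
    suspect = []
    if name == "NameServer":
        for raw in _split_values(value):
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                suspect.append(raw)          # not even an IP address
                continue
            if not any(addr in net for net in resolvers):
                suspect.append(raw)          # unexpected resolver: research this IP
    else:  # Domain / SearchList carry DNS suffixes rather than addresses
        for dom in _split_values(value):
            if dom.lower() not in domains:
                suspect.append(dom)
    return {
        "line": line,
        "name": name,
        "status": "suspect" if suspect else "expected",
        "suspect": suspect,
    }


# Constructed sample O17 lines; the GUID and addresses are placeholders.
SAMPLE_O17 = [
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000002}: "
    "NameServer = 192.0.2.53,203.0.113.9",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.example.com",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.example.com,search-hijack.example",
]

if __name__ == "__main__":
    for line in SAMPLE_O17:
        verdict = assess_o17(line)
        print(f"{verdict['status']:<9} {verdict['name']}: {verdict['suspect']}")
```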
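The O23 section above describes the tell-tale sign of a home-made Trojan service: an important-sounding display name paired with an internal name that is a string of garbage. The Python below is an added example, not code from the original post or from HijackThis; it assumes O23 lines look like "O23 - Service: <display name> (<internal name>) - <owner> - <path>" and that a service without owner information is printed as "Unknown owner", and the sample lines, paths and the `assess_o23` name are constructed here. The garbage test is a simple ratio of non-ASCII and punctuation characters, tuned so the example name quoted in the post trips it while ordinary service names do not.

```python
import re

# "O23 - Service: <display> (<internal>) - <owner> - <path>"
# (layout assumed from typical HijackThis 2.x logs; the internal name is the
#  bracketed part, the owner is what the file's properties report).
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) \((?P<internal>[^()]*)\) - (?P<owner>.+?) - (?P<path>.+)$"
)


def looks_like_garbage(name, threshold=0.3):
    """True when a service's internal name is mostly non-ASCII or punctuation."""
    if not name.strip():
        return True
    odd = sum(1 for c in name if ord(c) > 126 or not (c.isalnum() or c in " _-."))
    return odd / len(name) >= threshold


def assess_o23(line, unknown_owner="Unknown owner"):
    """Parse one O23 entry and attach the warning flags it earns."""
    m = SERVICE_RE.match(line)
    if not m:
        return {"line": line, "flags": ["unparsed"]}
    flags = []
    if looks_like_garbage(m.group("internal")):
        flags.append("garbage-internal-name")
    if m.group("owner").strip().lower() == unknown_owner.lower():
        flags.append("unknown-owner")   # no owner in the file's properties
    return {**m.groupdict(), "line": line, "flags": flags}


def flagged_services(lines):
    """Return only the entries that earned at least one flag."""
    return [v for v in (assess_o23(line) for line in lines) if v["flags"]]


# Constructed sample O23 lines; the internal name of the first one is the
# garbage string quoted in the post above, the paths are placeholders.
SAMPLE_O23 = [
    r"O23 - Service: Network Security Service (O?’ŽrtñåȲ$Ó) - Unknown owner - C:\WINDOWS\system32\nss_sample.exe",
    r"O23 - Service: Example Service (exsvc) - Example Corp - C:\WINDOWS\system32\exsvc.exe",
    r"O23 - Service: Ati HotKey Poller (Ati HotKey Poller) - Example Vendor - C:\WINDOWS\system32\poller_sample.exe",
]

if __name__ == "__main__":
    for verdict in flagged_services(SAMPLE_O23):
        print(f"{verdict['display']!r} ({verdict['internal']!r}): {', '.join(verdict['flags'])}")
```

Fixing a flagged O23 item in HijackThis only stops and disables the service, as the post notes, so the output is a review list, not a removal list.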