1. Technology
You can opt-out at any time. Please refer to our privacy policy for contact information.

How To Analyze HijackThis Logs

Interpreting Log Data To Help Remove Spyware and Browser Hijackers


Updated May 23, 2008
HijackThis is a free tool from Trend Micro. It was orgiginally developed by Merijn Bellekom, a student in The Netherlands. Spyware removal software such as Adaware or Spybot S&D do a good job of detecting and removing most spyware programs, but some spyware and browser hijackers are too insidious for even these great anti-spyware utilities.

HijackThis is written specifically to detect and remove browser hijacks, or software that takes over your web browser, alters your defaut home page and search engine and other malicious things. Unlike typical anti-spyware software, HijackThis does not use signatures or target any specific programs or URL's to detect and block. Rather, HijackThis looks for the tricks and methods used by malware to infect your system and redirect your browser.

Not everything that shows up in the HijackThis logs is bad stuff and it should not all be removed. In fact, quite the opposite. It is almost guaranteed that some of the items in your HijackThis logs will be legitimate software and removing those items may adversely impact your system or render it completely inoperable. Using HijackThis is a lot like editing the Windows Registry yourself. It is not rocket science, but you should definitely not do it without some expert guidance unless you really know what you are doing.

Once you install HijackThis and run it to generate a log file, there are a wide variety of forums and sites where you can post or upload your log data. Experts who know what to look for can then help you analyze the log data and advise you on which items to remove and which ones to leave alone. One of the best places to go is the official HijackThis forums at SpywareInfo. The HijackThis web site also has a comprehensive listing of sites and forums that can help you out.

To download the current version of HijackThis, you can visit the official site at Trend Micro, or click here.

Here is an overview of the HijackThis log entries which you can use to jump to the information you are looking for:

  • R0, R1, R2, R3 - Internet Explorer Start/Search pages URLs
  • F0, F1 - Autoloading programs
  • N1, N2, N3, N4 - Netscape/Mozilla Start/Search pages URLs
  • O1 - Hosts file redirection
  • O2 - Browser Helper Objects
  • O3 - Internet Explorer toolbars
  • O4 - Autoloading programs from Registry
  • O5 - IE Options icon not visible in Control Panel
  • O6 - IE Options access restricted by Administrator
  • O7 - Regedit access restricted by Administrator
  • O8 - Extra items in IE right-click menu
  • O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu
  • O10 - Winsock hijacker
  • O11 - Extra group in IE 'Advanced Options' window
  • O12 - IE plugins
  • O13 - IE DefaultPrefix hijack
  • O14 - 'Reset Web Settings' hijack
  • O15 - Unwanted site in Trusted Zone
  • O16 - ActiveX Objects (aka Downloaded Program Files)
  • O17 - Lop.com domain hijackers
  • O18 - Extra protocols and protocol hijackers
  • O19 - User style sheet hijack
  • O20 - AppInit_DLLs Registry value autorun
  • O21 - ShellServiceObjectDelayLoad Registry key autorun
  • O22 - SharedTaskScheduler Registry key autorun
  • O23 - Windows NT Services

©2014 About.com. All rights reserved.