1. Technology
You can opt-out at any time. Please refer to our privacy policy for contact information.

How To Analyze HijackThis Logs

Interpreting Log Data To Help Remove Spyware and Browser Hijackers

By

R0, R1, R2, R3 - IE Start and Search pages


What it looks like:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKLM\Software\Microsoft\InternetExplorer\Main,Default_Page_URL = http://www.google.com/
R2 - (this type is not used by HijackThis yet)
R3 - Default URLSearchHook is missing

What to do:
If you recognize the URL at the end as your homepage or search engine, it's OK. If you don't, check it and have HijackThis fix it. For the R3 items, always fix them unless it mentions a program you recognize, like Copernic.

F0, F1, F2, F3 - Autoloading programs from INI files


What it looks like:
F0 - system.ini: Shell=Explorer.exe Openme.exe
F1 - win.ini: run=hpfsched

What to do:
The F0 items are always bad, so fix them. The F1 items are usually very old programs that are safe, so you should find some more info on the filename to see if it's good or bad. Pacman's Startup List can help with identifying an item.

N1, N2, N3, N4 - Netscape/Mozilla Start & Search page


What it looks like:
N1 - Netscape 4: user_pref "browser.startup.homepage", "www.google.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\defaulto9t1tfl.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\defaulto9t1tfl.slt\prefs.js)

What to do:
Usually the Netscape and Mozilla homepage and search page are safe. They rarely get hijacked, only Lop.com has been known to do this. Should you see an URL you don't recognize as your homepage or search page, have HijackThis fix it.

O1 - Hostsfile redirections


What it looks like:
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch
O1 - Hosts file is located at C:\Windows\Help\hosts

What to do:
This hijack will redirect the address to the right to the IP address to the left. If the IP does not belong to the address, you will be redirected to a wrong site everytime you enter the address. You can always have HijackThis fix these, unless you knowingly put those lines in your Hosts file.

The last item sometimes occurs on Windows 2000/XP with a Coolwebsearch infection. Always fix this item, or have CWShredder repair it automatically.

O2 - Browser Helper Objects

What it looks like:
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O2 - BHO: (no name) - {1A214F62-47A7-4CA3-9D00-95A3965A8B4A} - C:\PROGRAM FILES\POPUP ELIMINATOR\AUTODISPLAY401.DLL (file missing)
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME1.DLL

What to do:
If you don't directly recognize a Browser Helper Object's name, use TonyK's BHO & Toolbar List to find it by the class ID (CLSID, the number between curly brackets) and see if it's good or bad. In the BHO List, 'X' means spyware and 'L' means safe.

O3 - IE toolbars


What it looks like:
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: Popup Eliminator - {86BCA93E-457B-4054-AFB0-E428DA1563E1} - C:\PROGRAM FILES\POPUP ELIMINATOR\PETOOLBAR401.DLL (file missing)
O3 - Toolbar: rzillcgthjx - {5996aaf3-5c08-44a9-ac12-1843fd03df0a} - C:\WINDOWS\APPLICATION DATA\CKSTPRLLNQUL.DLL

What to do:
If you don't directly recognize a toolbar's name, use TonyK's BHO & Toolbar List to find it by the class ID (CLSID, the number between curly brackets) and see if it's good or bad. In the Toolbar List, 'X' means spyware and 'L' means safe. If it's not on the list and the name seems a random string of characters and the file is in the 'Application Data' folder (like the last one in the examples above), it's probably Lop.com, and you definately should have HijackThis fix it.

O4 - Autoloading programs from Registry or Startup group


What it looks like:
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogon.exe

What to do:
Use PacMan's Startup List to find the entry and see if it's good or bad.

If the item shows a program sitting in a Startup group (like the last item above), HijackThis cannot fix the item if this program is still in memory. Use the Windows Task Manager (TASKMGR.EXE) to close the process prior to fixing.

©2014 About.com. All rights reserved.