How look at the Hijackthis log file

Understanding the Hijackthis log file

For practical information, click the section name you need help with:

R0, R1, R2, R3 - Internet Explorer Start/Search pages URLs
F0, F1, F2, F3 - Autoloading programs
N1, N2, N3, N4 - Netscape/Mozilla Start/Search pages URLs
O1 - Hosts file redirection
O2 - Browser Helper Objects
O3 - Internet Explorer toolbars
O4 - Autoloading programs from Registry
O5 - IE Options icon not visible in Control Panel
O6 - IE Options access restricted by Administrator
O7 - Regedit access restricted by Administrator
O8 - Extra items in IE right-click menu
O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu
O10 - Winsock hijacker
O11 - Extra group in IE 'Advanced Options' window
O12 - IE plugins
O13 - IE DefaultPrefix hijack
O14 - 'Reset Web Settings' hijack
O15 - Unwanted site in Trusted Zone
O16 - ActiveX Objects (aka Downloaded Program Files)
O17 - Lop.com domain hijackers
O18 - Extra protocols and protocol hijackers
O19 - User style sheet hijack
020 - AppInit_DLLs Registry value autorun
021 - ShellServiceObjectDelayLoad
022 - SharedTaskScheduler
022 - NT Services

R0, R1, R2, R3 - IE Start & Search page

What it looks like:

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page=http://www.google.com/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL=http://www.google.com/
R3 - Default URLSearchHook is missing

What to do:
If you recognize the URL at the end as your homepage or search engine, it's OK. If you don't, check it and have HijackThis fix it.
For the R3 items, always fix them unless it mentions a program you recognize, like Copernic.

F0, F1 - Autoloading programs

What it looks like:

F0 - system.ini: Shell=Explorer.exe Openme.exe
F1 - win.ini: run=hpfsched

What to do:
The F0 items are always bad, so fix them.
The F1 items are usually very old programs that are safe, so you should find some more info on the filename to see if it's good or bad.

N1, N2, N3, N4 - Netscape/Mozilla Start & Search page

What it looks like:

N1 - Netscape 4: user_pref("browser.startup.homepage", "www.google.com"); (C:Program FilesNetscapeUsersdefaultprefs.js)
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.google.com"); (C:Documents and SettingsUserApplication DataMozillaProfilesdefaulto9t1tfl.sltprefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:Documents and SettingsUserApplication DataMozillaProfilesdefaulto9t1tfl.sltprefs.js)

What to do:
Usually the Netscape and Mozilla homepage and search page are safe. They rarely get hijacked. Should you see an URL you don't recognize as your homepage or search page, have HijackThis fix it.

O1 - Hostsfile redirection

What it looks like:

O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch

What to do:
This hijack will redirect the address to the right to the IP address to the left. If the IP does not belong to the address, you will be redirected to a wrong site everytime you enter the address. You can always have HijackThis fix these, unless you knowingly put those lines in your Hosts file.

O2 - Browser Helper Objects

What it looks like:

O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:PROGRAM FILESYAHOO!COMPANIONYCOMP5_0_2_4.DLL
O2 - BHO: (no name) - {1A214F62-47A7-4CA3-9D00-95A3965A8B4A} - C:PROGRAM FILESPOPUP ELIMINATORAUTODISPLAY401.DLL (file missing)
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:PROGRAM FILESMEDIALOADS ENHANCEDME1.DLL

What to do:
If you don't directly recognize a Browser Helper Object's name, use TonyK's BHO List to find it by the class ID (CLSID, the number between curly brackets) and see if it's good or bad. In the BHO List, 'X' means spyware and 'L' means safe.

O3 - IE toolbars

What it looks like:

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:PROGRAM FILESYAHOO!COMPANIONYCOMP5_0_2_4.DLL
O3 - Toolbar: Popup Eliminator - {86BCA93E-457B-4054-AFB0-E428DA1563E1} - C:PROGRAM FILESPOPUP ELIMINATORPETOOLBAR401.DLL (file missing)
O3 - Toolbar: rzillcgthjx - {5996aaf3-5c08-44a9-ac12-1843fd03df0a} - C:WINDOWSAPPLICATION DATACKSTPRLLNQUL.DLL

What to do:
If you don't directly recognize a toolbar's name, use TonyK's Toolbar List to find it by the class ID (CLSID, the number between curly brackets) and see if it's good or bad. In the Toolbar List, 'X' means spyware and 'L' means safe.
If it's not on the list and the name seems a random string of characters and the file is somewhere in a folder named 'Application Data' (like the last one in the examples above), it's definitely bad, and you should have HijackThis fix it.

O4 - Autoloading programs from Registry

What it looks like:

O4 - HKLM..Run: [ScanRegistry] C:WINDOWSscanregw.exe /autorun
O4 - HKLM..Run: [SystemTray] SysTray.Exe
O4 - HKLM..Run: [ccApp] "C:Program FilesCommon FilesSymantec SharedccApp.exe"
O4 - Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOfficeOSA9.EXE

What to do:
Use PacMan's Startup List to find the entry and see if it's good or bad.

O5 - IE Options not visible in Control Panel

What it looks like:

O5 - control.ini: inetcpl.cpl=no

What to do:
Unless you've knowingly hidden the icon from Control Panel, have HijackThis fix it.

O6 - IE Options access restricted by Administrator

What it looks like:

O6 - HKCUSoftwarePoliciesMicrosoftInternet ExplorerRestrictions present

What to do:
Unless you have the http://security.kolla.de/">Spybot S&D option 'Lock homepage from changes' active, have HijackThis fix this.

O7 - Regedit access restricted by Administrator

What it looks like:

O7 - HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesSystem, DisableRegedit=1

What to do:
Always have HijackThis fix this.

O8 - Extra items in IE right-click menu

What it looks like:

O8 - Extra context menu item: &Google Search - res://C:WINDOWSDOWNLOADED PROGRAM FILESGOOGLETOOLBAR_EN_1.1.68-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Yahoo! Search - file:///C:Program FilesYahoo!Common/ycsrch.htm
O8 - Extra context menu item: Zoom &In - C:WINDOWSWEBzoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:WINDOWSWEBzoomout.htm

What to do:
If you don't recognize the name of the item in the right-click menu in IE, have HijackThis fix it.

O9 - Extra buttons on main IE toolbar, or extra items in IE 'Tools' menu

What it looks like:

O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: AIM (HKLM)

What to do:
If you don't recognize the name of the button or menuitem, have HijackThis fix it.

O10 - Winsock hijackers

What it looks like:

O10 - Hijacked Internet access by New.Net
O10 - Broken Internet access because of LSP provider 'c:progra~1common~2 oolbarcnmib.dll' missing
O10 - Unknown file in Winsock LSP: c:program files ewton knowsvmain.dll

What to do:
It's best to fix these using http://www.cexx.org/lspfix.htm"> LSPFix from Cexx.org, or http://security.kolla.de/"> Spybot S&D from Kolla.de.

O11 - Extra group in IE 'Advanced Options' window

What it looks like:

O11 - Options group: [CommonName] CommonName

What to do:
The only hijacker as of now that adds its own options group to the IE Advanced Options window is CommonName. So you can always have HijackThis fix this.

O12 - IE plugins

What it looks like:

O12 - Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dll
O12 - Plugin for .PDF: C:Program FilesInternet ExplorerPLUGINS ppdf32.dll

What to do:
Most of the time these are safe. Only OnFlow adds a plugin here that you don't want (.ofb).

O13 - IE DefaultPrefix hijack

What it looks like:

O13 - DefaultPrefix: http://www.pixpox.com/cgi-bin/click.pl?url=
O13 - WWW Prefix: http://prolivation.com/cgi-bin/r.cgi?

What to do:
These are always bad. Have HijackThis fix them.

O14 - 'Reset Web Settings' hijack

What it looks like:

O14 - IERESET.INF: START_PAGE_URL=http://www.searchalot.com

What to do:
If the URL is not the provider of your computer or your ISP, have HijackThis fix it.

O15 - Unwanted site in Trusted Zone

What it looks like:

O15 - Trusted Zone: http://free.aol.com

What to do:
So far, only AOL has the tendency to add itself to your Trusted Zone, allowing it to run any ActiveX it wants. Always have HijackThis fix this.

O16 - ActiveX Objects (aka Downloaded Program Files)

What it looks like:

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

What to do:
If you don't recognize the name of the object, or the URL it was downloaded from, have HijackThis fix it. If the name or URL contains words like 'dialer', 'casino', 'free_plugin' etc, definitely fix it.

O17 - Lop.com domain hijacks

What it looks like:

O17 - HKLMSystemCCSServicesVxDMSTCP: Domain = aoldsl.net
O17 - HKLMSystemCCSServicesTcpipParameters: Domain = W21944.find-quick.com
O17 - HKLMSoftware..Telephony: DomainName = W21944.find-quick.com
O17 - HKLMSystemCCSServicesTcpip..{D196AB38-4D1F-45C1-9108-46D367F19F7E}: Domain = W21944.find-quick.com

What to do:
If the domain is not from your ISP or company network, have HijackThis fix it.

O18 - Extra protocols and protocol hijackers

What it looks like:

O18 - Protocol: relatedlinks - {5AB65DD4-01FB-44D5-9537-3767AB80F790} - C:PROGRA~1COMMON~1MSIETSmsielink.dll
O18 - Protocol: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82}
O18 - Protocol hijack: http - {66993893-61B8-47DC-B10D-21E0C86DD9C8}

What to do:
Only a few hijackers show up here. The known baddies are 'cn' (CommonName), 'ayb' (Lop.com) and 'relatedlinks' (Huntbar), you should have HijackThis fix those.
Other things that show up are either not confirmed safe yet, or are hijacked by spyware. In the last case, have HijackThis fix it.

O19 - User style sheet hijack

What it looks like:

O19 - User style sheet: c:WINDOWSJavamy.css

What to do:
In the case of a browser slowdown and frequent popups, have HijackThis fix this item if it shows up in the log.

O20 - AppInit_DLLs Registry value autorun

What it looks like:

O20 - AppInit_DLLs: msconfd.dll my.css

What to do:
This Registry value located at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows loads a DLL into memory when the user logs in, after which it stays in memory until logoff. Very few legitimate programs use it (Norton CleanSweep uses APITRAP.DLL), most often it is used by trojans or agressive browser hijackers. In case of a ‘hidden’ DLL loading from this Registry value (only visible when using ‘Edit Binary Data’ option in Regedit) the dll name may be prefixed with a pipe ‘|’ to make it visible in the log.

O21 - ShellServiceObjectDelayLoad

What it looks like:

O21 - SSODL - AUHOOK - {11566B38-955B-4549-930F-7B7482668782} -C:\WINDOWS\System\auhook.dll

What to do:
This is an undocumented autorun method, normally used by a few Windows system components. Items listed at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad are loaded by Explorer when Windows starts. HijackThis uses a whitelist of several very common SSODL items, so whenever an item is displayed in the log it is unknown and possibly malicious. Treat with extreme care.

O22 - SharedTaskScheduler

What it looks like:

O22 - SharedTaskScheduler: (no name) - {3F143C3A-1457-6CCA-03A7-7AA23B61E40F} - c:\windows\system32\mtwirl32.dll

What to do:
This is an undocumented autorun for Windows NT/2000/XP only, which is used very rarely. So far only CWS.Smartfinder uses it. Treat with care.

O23 - All non Microsoft NT services

What it looks like:

O23 - Service: avast! Antivirus - Unknown - C:\Program Files\Alwil Software\Avast4\ashserv.exe

What to do:
If it shows "file missing" - Let HijackThis Fix it.
If you don't know the service - Find out what it is and keep/remove it according to your wishes. Be carefull with what you do with this section !

NT Services, which lists all (non-disabled, non-Microsoft) services, like Msconfig.