HijackThis Log: Self-Guide

DaveMo~ (Dave), Oct 28, 2005, 10:30pm
Credit: HijackThis, a great protection program known the world over, was created by Merijn Bellekom. He has also created some other really good programs (like CWShredder). Click here to visit his website. If you like his FREE programs, you can donate here.

Caution: Do NOT fix any items in your HijackThis log unless you are absolutely sure of what you are fixing. Many of the list items are necessary for the functioning of your PC.

This is a simple guide to explain what the notations mean in your HijackThis log and is not meant to replace asking for help. However, study of this list, along with the mentioned web sites can help with understanding the log and learning how to do the fixes.

Listed below are the possible entries into your log. A more in-depth explanation will follow.

R0, R1, R2, R3 - Internet Explorer Start/Search pages URLs
F0, F1 - Autoloading programs
N1, N2, N3, N4 - Netscape/Mozilla Start/Search pages URLs
O1 - Hosts file redirection
O2 - Browser Helper Objects
O3 - Internet Explorer toolbars
O4 - Autoloading programs from Registry
O5 - IE Options icon not visible in Control Panel
O6 - IE Options access restricted by Administrator
O7 - Regedit access restricted by Administrator
O8 - Extra items in IE right-click menu
O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu
O10 - Winsock hijacker
O11 - Extra group in IE 'Advanced Options' window
O12 - IE plugins
O13 - IE DefaultPrefix hijack
O14 - 'Reset Web Settings' hijack
O15 - Unwanted site in Trusted Zone
O16 - ActiveX Objects (aka Downloaded Program Files)
O17 - Lop.com domain hijackers
O18 - Extra protocols and protocol hijackers
O19 - User style sheet hijack

Included in the HijackThis program is a listing of all possible log items.

The different sections of hijacking possibilities have been separated into these groups:
R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
F2 - Changed inifile value, mapped to Registry
F3 - Created inifile value, mapped to Registry
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols and filters
O19 - User stylesheet hijack
O20 - AppInit_DLLs autorun Registry value
O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
O22 - SharedTaskScheduler autorun Registry key

O23 - This section corresponds to XP, NT, 2003, and 2003 services

Work in progress... more information to follow about the list items.

Dave

DaveMo~, Oct 28, 2005, 10:34pm
R0, R1, R2, R3 - IE Start & Search page

Sample list items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.google.com/
R3 - Default URLSearchHook is missing

Instructions:
If you recognize the URL at the end (as either your homepage or a search engine), then it's okay. If you don't recognize it, check it to be fixed. R3 items should always be fixed unless it mentions a program that you recognize/use.

------------------------------------------------------------

F0, F1 - Autoloading programs

Sample list items:

F0 - system.ini: Shell=Explorer.exe Openme.exe
F1 - win.ini: run=hpfsched

Instructions:
F0 list items are always bad and should be fixed. The F1 list items are usually old programs that are safe, but you should obtain more information on the filename to see if it needs to be fixed.

DaveMo~, Nov 8, 2005, 08:20pm
N1, N2, N3, N4 - Netscape/Mozilla Start & Search page

Sample list items:

N1 - Netscape 4: user_pref("browser.startup.homepage", "www.google.com"); (C:\Program Files\Netscape\Users\default\prefs.js)
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.google.com"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\defaulto9t1tfl.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\User\Application Data\Mozilla\Profiles\defaulto9t1tfl.slt\prefs.js)

Instructions:
The Netscape and Mozilla homepage and search page are really safe because they rarely get hijacked. However, if you don't recognize the URL as your homepage or search page, have HJT fix it.

-------------------------------------------------------------------------

O1 - Hosts file redirection

Sample list items:

O1 - Hosts: 216.177.73.139 auto.search.msn.com
O1 - Hosts: 216.177.73.139 search.netscape.com
O1 - Hosts: 216.177.73.139 ieautosearch

Instructions:
This hijack redirects the address on the right of the list item to the IP on the left. If the IP does NOT belong to the address, then you will be redirected to the wrong site every time the URL is entered. Unless you have entered those lines in your hosts file, have HJT fix them.

DaveMo~, Nov 8, 2005, 08:31pm
O2 - Browser Helper Objects

Sample list items:

O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O2 - BHO: (no name) - {1A214F62-47A7-4CA3-9D00-95A3965A8B4A} - C:\PROGRAM FILES\POPUP ELIMINATOR\AUTODISPLAY401.DLL (file missing)
O2 - BHO: MediaLoads Enhanced - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\PROGRAM FILES\MEDIALOADS ENHANCED\ME1.DLL

Instructions:
If you don't readily recognize a Browser Helper Object's name, use TonyK's BHO List (official list here) to find it by the class ID (CLSID, the number between curly brackets) to see if it's good or bad. Listed BHOs are tagged X for certified spyware or other malware, L for legitimate items, O for 'open to debate' and ? for BHOs of unknown status.

BHO List Zip File
SpywareInfo BHOs information

-------------------------------------------------------------------------

O3 - IE toolbars

Sample list items:

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_4.DLL
O3 - Toolbar: Popup Eliminator - {86BCA93E-457B-4054-AFB0-E428DA1563E1} - C:\PROGRAM FILES\POPUP ELIMINATOR\PETOOLBAR401.DLL (file missing)
O3 - Toolbar: rzillcgthjx - {5996aaf3-5c08-44a9-ac12-1843fd03df0a} - C:\WINDOWS\APPLICATION DATA\CKSTPRLLNQUL.DLL

Instructions:
If you don't readily recognize a toolbar's name, use TonyK's Toolbar List (link above) to find it by the class ID (CLSID, the number between the curly brackets) to see if it's good or bad. Listed BHOs are tagged X for certified spyware or other malware, L for legitimate items, O for 'open to debate' and ? for BHOs of unknown status.

If it is not on the list, and (1) the name seems to be a random string of characters, and (2) the file is somewhere in a folder named "Application Data", then it is definitely bad and you should have HJT fix it.

DaveMo~, Nov 8, 2005, 08:54pm
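A worked example added here (not part of the thread or of HijackThis itself) that applies the rules from this post and from the earlier R0-R3, F0 and O1 posts to individual log lines. The recognised-URL set, the hosts allow-list and the vowel-count test for "random string" names are assumptions of the example, and the sample log is constructed from the example lines quoted in the thread.

```python
import re
# Allow-lists for this example (assumptions, not HijackThis data).
KNOWN_HOME_URLS = {"http://www.google.com/"}   # start/search URLs you recognise
MY_HOSTS_LINES = set()                         # hosts lines you knowingly added
APPDATA_DIR = re.compile(r"\\application data\\", re.I)

def looks_random(name):
    """Crude check for names like 'rzillcgthjx': one long word with few vowels."""
    word = name.lstrip("&")
    if not word.isalpha() or len(word) < 8:
        return False
    return sum(c in "aeiou" for c in word.lower()) / len(word) < 0.25

def triage(line):
    """Apply the guide's R, F0, O1 and O3 rules to one log line."""
    m = re.match(r"^([RFNO]\d+) - (.*)$", line.strip())
    if not m:
        return None                       # not a HijackThis entry line
    sec, body = m.groups()
    if sec in ("R0", "R1", "R2"):         # keep only URLs you recognise
        url = body.rsplit("=", 1)[-1]
        ok = url in KNOWN_HOME_URLS
        return sec, "keep" if ok else "fix", "start/search URL " + url
    if sec == "R3":
        return sec, "fix", "R3 is fixed unless it names a program you use"
    if sec == "F0":
        return sec, "fix", "F0 entries are always bad"
    if sec == "O1":                       # "Hosts: <IP> <hostname>"
        entry = body.split("Hosts: ", 1)[1]
        if entry in MY_HOSTS_LINES:
            return sec, "keep", "hosts line added by you"
        ip, host = entry.split(None, 1)
        return sec, "fix", f"{host} is redirected to {ip}"
    if sec == "O3":                       # "Toolbar: <name> - {CLSID} - <path>"
        name, clsid, path = body.split(" - ", 2)
        if looks_random(name.split(": ", 1)[-1]) and APPDATA_DIR.search(path):
            return sec, "fix", "random name in an Application Data folder"
        return sec, "lookup", "check CLSID " + clsid + " on the toolbar list"
    return sec, "lookup", "see the guide's section on " + sec

def triage_log(text):
    return [r for r in map(triage, text.splitlines()) if r]

# Constructed sample log, made from the guide's own example lines.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.com/
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=Explorer.exe Openme.exe
O1 - Hosts: 216.177.73.139 auto.search.msn.com
O3 - Toolbar: rzillcgthjx - {5996aaf3-5c08-44a9-ac12-1843fd03df0a} - C:\WINDOWS\APPLICATION DATA\CKSTPRLLNQUL.DLL"""
```

Every verdict of "lookup" still means what the thread says: find the CLSID or filename on the linked lists before deciding.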
O4 - Autoloading Programs from Registry

Sample list items:

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogon.exe

Instructions:
Use PacMan's Startup List to find the entry and see if it's good or bad. If the item shows a program sitting in a Startup group (like the last item above), HijackThis cannot fix the item if this program is still in memory. Use the Windows Task Manager to close the process prior to fixing.

To use the startup list, copy the information between the [ ] brackets and paste into the search box.

PacMan's Startup List http://www.sysinfo.org/startupinfo.html

-------------------------------------------------------------------------

O5 - IE Options icon not visible in Control Panel

Sample list items:

O5 - control.ini: inetcpl.cpl=no

Instructions:
Unless you, or your system administrator, have knowingly hidden the icon from Control Panel, have HijackThis fix it.

-------------------------------------------------------------------------

O6 - IE Options access restricted by Administrator

Sample list items:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Instructions:
Unless you have the Spybot S&D option 'Lock homepage from changes' active, or your system administrator put this into place, have HijackThis fix this.