
HijackThis Users Guide

We have been running a forum dedicated to helping you remove malware for a while now. There are quite a few questions about how to use HJT: things like creating the log file, backing data up, and removing the objects that we suggest removing. After seeing guys like MikeBlane walk so many people through these steps, I decided I should put together a step-by-step guide complete with pictures! Pictures say so much more than text ever does.

This guide is based upon HijackThis v1.98.2.

http://www.merijn.org/files/hijackthis.zip
http://www.merijn.org/index.html

1.) We're trying to keep the latest version available for download here. Step #1 is of course to download this file :)

2.) Most of the time people download and extract this file to their desktop. I'm going to tell you NOT to do this! Windows often changes the location of this folder so it is a good idea to extract the files to something like C:\HJT.

3.) After doing that, browse to the directory you just created and open the file called HijackThis.exe.

4.) Click Scan and it will scan your system and give you a list. The picture below is a scan of my system. Click on it to get the non-thumbnail version.

If you're wondering what the different prefixes such as O4 mean, you can either look at the Info box or refer to the list later in this article. I will be updating this guide with various examples as time permits.

5.) After you've clicked on Scan, that button will change and say Save Log. If you still see Scan, then simply run the scan again. From here you will be asked where you would like to save the log file. Browse to where you want it to be saved and click on Save. For me it automatically opened in Notepad. If this does not happen for you, then simply browse to where you saved it and open it in Notepad.

6.) Here's an example of my log file:
Logfile of HijackThis v1.98.2
Scan saved at 5:14:43 PM, on 11/11/2004
Platform: Unknown Windows (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 (6.00.3790.0000)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\AVPersonal\AVWUPSRV.EXE
D:\WINDOWS\system32\Dfssvc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Microsoft Office\OFFICE11\FRONTPG.EXE
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\WINDOWS\system32\ZoneLabs\vsmon.exe
D:\WINDOWS\system32\ZoneLabs\isafe.exe
D:\Program Files\Trillian\trillian.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Macromedia\Dreamweaver MX 2004\Dreamweaver.exe
D:\DOCUME~1\ADMINI~1.MAR\LOCALS~1\Temp\~e5d141.tmp
D:\DOCUME~1\ADMINI~1.MAR\LOCALS~1\Temp\~e5d141.tmp
D:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
D:\Program Files\Adobe\Photoshop CS\ImageReady.exe
D:\Documents and Settings\Administrator.MARTIN-85M34JRY\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iamnotageek.com/index.php?
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://iamnotageek.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:87
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.shorelinedining.com;*.iamnotageek.com
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\system32\msdxm.ocx
O3 - Toolbar: Alexa - {3CEFF6CD-6F08-4e4d-BCCD-FF7415288C3B} - D:\WINDOWS\system32\SHDOCVW.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTasInitInit
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - Global Startup: C Cal Calibration.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - D:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Alexa Web Search - http://client.alexa.com/holiday/script/actions/search.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Get Alexa Data - http://client.alexa.com/holiday/script/actions/sitedata.htm
O8 - Extra context menu item: Mail to a Friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - Extra context menu item: See Related Links - http://client.alexa.com/holiday/script/actions/related.htm
O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Alexa - {9D74677A-E227-40fb-9511-F7E92EA4083A} - D:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra 'Tools' menuitem: Alexa Toolbar - {9D74677A-E227-40fb-9511-F7E92EA4083A} - D:\WINDOWS\system32\SHDOCVW.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - D:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1090006050562
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D24B580-998E-4E50-BC46-5B28E1F9B048}: NameServer = 166.102.165.11,166.102.165.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{2D24B580-998E-4E50-BC46-5B28E1F9B048}: NameServer = 166.102.165.11,166.102.165.13
O17 - HKLM\System\CS2\Services\Tcpip\..\{2D24B580-998E-4E50-BC46-5B28E1F9B048}: NameServer = 166.102.165.11,166.102.165.13
O18 - Protocol: {ms-its,ms-itss,its,mk} - (no CLSID) - (no file)

You will want to post the ENTIRE log in any forum thread you start. Everything is potentially important, INCLUDING your OS version. After you post it, we will analyze it and tell you what you should do to clean up your system.

7.) Once we've told you which items to remove, you will want to make sure that a backup is created for everything that is cleaned up. Click on the Config button. This next image is what you'll see:

Double-check that the "Make backups before fixing items" box is checked. If it is, then you can delete anything that we suggest you delete. We always want you to be able to restore something in case there are any slip-ups.

8.) Where the Config button was before, it now says Back. Click on this to get back to the scan page. You will see check boxes next to each and every item that it found. Go through the list and check anything that you'd like to remove. When you're done, click on the Fix checked button. A box will pop up that forces you to confirm that you really would like to delete those items. It looks something like this:

Your system is now cleaned up! You will now want to reboot and see if the problem still exists. If it does, then please post another log, because either we missed something or there is something much harder to remove. If your system is acting right now, all is good!

Here is a list of what the various item prefixes mean. I will be expanding on these and giving examples as I find the time.

The different sections of hijacking possibilities have been separated into these groups:
R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
F2 - Changed inifile value, mapped to Registry
F3 - Created inifile value, mapped to Registry
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols and filters
O19 - User stylesheet hijack
O20 - AppInit_DLLs autorun Registry value
O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
O22 - SharedTaskScheduler autorun Registry key

You can get more detailed information about an item by selecting it from the list of found items or highlighting the relevant line above, and clicking 'Info on selected item'.
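To show how the log format in step 6 and the prefix list above fit together, here is a small parser and triage pass written for this guide (it is not part of HijackThis or this site's tools). It splits a log into running processes and tagged items, then lists the entries a forum helper usually asks about first: O17 name servers, O6 policy restrictions, entries that end in "(no file)", R1 proxy settings, and processes running from a Temp folder. The SAMPLE_LOG is a constructed excerpt in the same format as the log above; review() implements a few review cues, not a verdict on what is malicious.

```python
import re

# Meanings abbreviated from the prefix list in this guide.
SECTION_MEANING = {
    "R0": "Changed registry value", "R1": "Created registry value",
    "O4": "Autoloading Registry entry", "O6": "IE restriction policy",
    "O9": "Extra 'Tools' menuitem/button", "O17": "Domain hijack (NameServer)",
}

# A tagged item looks like "O4 - HKLM\..\Run: [nwiz] nwiz.exe /install".
ITEM_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

def parse_log(text):
    """Return (running processes, [(prefix, body), ...]) from a HijackThis log."""
    processes, items, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if line == "Running processes:":
            in_procs = True          # process paths follow until a blank line
            continue
        if not line:
            in_procs = False
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ITEM_RE.match(line)
        if m:                        # header lines (Logfile of..., Platform:) are skipped
            items.append((m.group(1), m.group(2)))
    return processes, items

def review(processes, items):
    """Entries worth asking about first; each note is (prefix, reason, body)."""
    notes = []
    for p in processes:
        if re.search(r"\\temp\\", p, re.I):
            notes.append(("PROC", "process running from a Temp folder; identify it", p))
    for code, body in items:
        if code == "O17":
            notes.append((code, "hard-coded DNS server; confirm it belongs to your ISP", body))
        elif code == "O6":
            notes.append((code, "IE policy restriction present; confirm it was set on purpose", body))
        elif body.endswith("(no file)"):
            notes.append((code, "orphaned entry, the referenced file is missing", body))
        elif code == "R1" and "ProxyServer" in body:
            notes.append((code, "proxy server configured; confirm it is yours", body))
    return notes

# Constructed excerpt in the format of the guide's sample log (not a real scan).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 5:14:43 PM, on 11/11/2004

Running processes:
D:\WINDOWS\System32\smss.exe
D:\DOCUME~1\ADMINI~1.MAR\LOCALS~1\Temp\~e5d141.tmp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iamnotageek.com/index.php?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:87
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{2D24B580-998E-4E50-BC46-5B28E1F9B048}: NameServer = 166.102.165.11,166.102.165.13
"""

if __name__ == "__main__":
    procs, items = parse_log(SAMPLE_LOG)
    for code, reason, body in review(procs, items):
        print(f"{code:4} {SECTION_MEANING.get(code, '')}: {reason}\n     {body}")
```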