Hijack This

 

HijackThis™ is a free utility which quickly scans your Windows computer to find settings that may have been changed by spyware, malware or other unwanted programs. HijackThis creates a report, or log file, with the results of the scan.
 
IMPORTANT: HijackThis does not determine what is good or bad. Do not make any changes to your computer settings unless you are an expert computer user.
 
Advanced users can use HijackThis to remove unwanted settings or files.
 

 

 

Introduction


HijackThis is a utility that produces a listing of certain settings found on your computer. HijackThis will scan your registry and various other files for entries similar to what a spyware or hijacker program would leave behind. Interpreting these results can be tricky, as many legitimate programs are installed in your operating system in the same manner that hijackers get installed. Therefore you must use extreme caution when having HijackThis fix any problems. I cannot stress how important it is to follow the above warning.

There are two prevalent tutorials about HijackThis on the Internet currently, but neither of them explains what each of the sections actually means in a way that a layman can understand. This tutorial, in addition to showing how to use HijackThis, will also go into detail about each of the sections and what they actually mean. There is no reason why you should not understand what it is you are fixing when people examine your logs and tell you what to do.

 

With that said, let's move on to the tutorial on how to use it. If you want to see the screen shots at normal size you can click on them. Keep in mind that a new window will open when you do so, so if you have pop-up blockers they may stop the image window from opening.


How to use HijackThis


The first step is to download HijackThis to your computer, in a location that you will know where to find again. This program has no installer, so you need to remember where you downloaded it to in order to launch it in the future.

You can download HijackThis here: HijackThis Download Link

Create a folder where you would like the HijackThis file to reside. It is important that you download this file to its own folder as this folder will be used when HijackThis makes backups. If you run it out of a compressed file, like a zip file, instead of running it from a directory, the backups will not be made.

Once it is downloaded, navigate through Windows Explorer or My Computer to the location you downloaded it to and double click on the icon for HijackThis.exe. When it is launched for the first time, you will see a screen similar to the figure below:

 

Figure 1. HijackThis Startup screen when run for the first time


 

We suggest you put a checkmark in the checkbox labeled Don't show this frame again when I start HijackThis, designated by the blue arrow above, as most instructions you will be given will not account for this screen. After you have put a checkmark in that checkbox, click on the None of the above, just start the program button, designated by the red arrow in the figure above. You will then be presented with the main HijackThis screen as seen in Figure 2 below.


 

Figure 2. Starting Screen of Hijack This

 

You should first click on the Config button, which is designated by the blue arrow in Figure 2, and confirm that your settings match those found in Figure 3 below. The options that should be checked are designated by the red arrow.

 

Figure 3. HijackThis Configuration Options

 

When you are done setting these options, press the back key and continue with the rest of the tutorial.

To have HijackThis scan your computer for possible Hijackers, click on the Scan button designated by the red arrow in Figure 2. You will then be presented with a screen listing all the items found by the program as seen in Figure 4.

 

Figure 4. Scan Results

 

At this point, you will have a listing of all items found by HijackThis.

If what you see seems confusing and daunting to you, then click on the Save Log button, designated by the red arrow, and save the log to your computer somewhere you will remember later.

To open up the log and paste it into a forum, like ours, follow these steps:

  1. Click on Start then Run and type Notepad and press OK. Notepad will now be open on your computer.
  2. Click on File and Open, and navigate to the directory where you saved the Log file.
  3. When you see the file, double click on it. The log file should now be opened in your Notepad.
  4. Click on Edit and then Select All. All the text should now be selected.
  5. Click on Edit and then Copy, which will copy all the selected text into your clipboard.
  6. Go to the message forum and create a new message.
  7. Title the message: HijackThis Log: Please help Diagnose
  8. Right click in the message area where you would normally type your message, and click on the paste option. The previously selected text should now be in the message.
  9. Press Submit

If you would like to see information about any of the objects listed, you can click once on a listing, and then press the "Info on selected item..." button. This will bring up a screen similar to Figure 5 below:

 

Figure 5. Object Information

 

When you are done looking at the information for the various listings, and you feel that you are knowledgeable enough to continue, look through the listings and select the items you would like to remove by placing checkmarks in the checkboxes next to each listing as shown in Figure 6. At the end of the document we have included some basic ways to interpret the information in these log files. By no means is this information extensive enough to cover all decisions, but should help you determine what is legitimate or not.

 

Figure 6. Select an item to Remove

 

Once you have selected the items you would like to remove, press the Fix Checked button, designated by the blue arrow, in Figure 6. HijackThis will then prompt you to confirm if you would like to remove those items. Press Yes or No depending on your choice.
 

How to restore items mistakenly deleted
 

HijackThis comes with a backup and restore procedure in the event that you erroneously remove an entry that is actually legitimate. If you have configured HijackThis as was shown in this tutorial, then you should be able to restore entries that you have previously deleted. If you have had your HijackThis program running from a temporary directory, then the restore procedure will not work.

If the configuration setting Make backups before fixing items is checked, HijackThis will make a backup of any entries that you fix in a directory called backups that resides in the same location as Hijackthis.exe.

If you start HijackThis and click on Config, and then the Backup button you will be presented with a screen like Figure 7 below. You will have a listing of all the items that you had fixed previously and have the option of restoring them. Once you restore an item that is listed in this screen, upon scanning again with HijackThis, the entries will show up again.

 

Figure 7. Restoring a mistakenly removed entry

 

Once you are finished restoring those items that were mistakenly fixed, you can close the program.


How to Generate a Startup Listing


At times when you post your log to a message forum asking for assistance, the people helping may ask you to generate a listing of all the programs that automatically start on your computer. HijackThis has a built in tool that will allow you to do this.

In order to do this go into the Config option when you start HijackThis, which is designated by the blue arrow in Figure 2, and then click on the Misc Tools button at the top. You should see a screen similar to Figure 8 below.

 

Figure 8. Generating a StartupList Log.

 

You will then click on the button labeled "Generate StartupList Log", which is designated by the red arrow in Figure 8. Once you click that button, the program will automatically open a Notepad window filled with the startup items from your computer. Copy and paste these entries into a message and submit it.

Hopefully with either your knowledge or help from others you will have cleaned up your computer. If you would like to learn more detailed information about what exactly each section in a scan log means, then continue reading.

 

How to use the Process Manager

HijackThis has a built in process manager that can be used to end processes as well as see what DLLs are loaded in that process. To access the process manager, you should click on the Config button and then click on the Misc Tools button. You should now see a new screen with one of the buttons being Open Process Manager. If you click on that button you will see a new screen similar to Figure 9 below.

 

Figure 9. HijackThis Process Manager

 

This window will list all open processes running on your machine. You can then click once on a process to select it, and then click on the Kill Process button designated by the red arrow in Figure 9 above. This will attempt to end the process running on the computer.

If you would like to terminate multiple processes at the same time, press and hold down the control key on your keyboard. While that key is pressed, click once on each process that you want to be terminated. As long as you hold down the control button while selecting the additional processes, you will be able to select multiple processes at one time. When you have selected all the processes you would like to terminate you would then press the Kill Process button.

If you would like to see what DLLs are loaded in a selected process, you can put a checkmark in the checkbox labeled Show DLLs, designated by the blue arrow in the figure above. This will split the process screen into two sections. The first section will list the processes like before, but now when you click on a particular process, the bottom section will list the DLLs loaded in that process.

To exit the process manager you need to click on the back button twice which will place you at the main screen.

 

How to use the Hosts File Manager

HijackThis also has a rudimentary Hosts file manager. With this manager you can view your hosts file and delete lines in the file or toggle lines on or off. To access the Hosts file manager, you should click on the Config button and then click on the Misc Tools button. You should now see a new screen with one of the buttons being Hosts File Manager. If you click on that button you will see a new screen similar to Figure 10 below.

 

Figure 10: Hosts File Manager

 

This window will list the contents of your HOSTS file. To delete a line in your hosts file, click on a line like the one designated by the blue arrow in Figure 10 above. This will select that line of text. Then you can either delete the line, by clicking on the Delete line(s) button, or toggle the line on or off, by clicking on the Toggle line(s) button. It is possible to select multiple lines at once using the shift and control keys or by dragging your mouse over the lines you would like to interact with.

If you delete the lines, those lines will be deleted from your HOSTS file. If you toggle the lines, HijackThis will add a # sign in front of the line. This will comment out the line so that it will not be used by Windows. If you are unsure as to what to do, it is always safe to Toggle the line so that a # appears before it.

To exit the Hosts file manager you need to click on the back button twice which will place you at the main screen.
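The toggle and delete actions described above, reproduced as an added Python example (this is not HijackThis's code) on an in-memory copy of a hosts file. It also lists the active lines that map anything other than the local names, which is what HijackThis reports under O1. The sample file contents, the LOCAL_NAMES set and the function names are constructed for the demonstration; to run it against a real file, read C:\Windows\System32\drivers\etc\hosts into the text variable instead of SAMPLE_HOSTS.

```python
import re

# Constructed sample hosts file: the normal localhost line plus two
# redirections of the kind a hijacker leaves behind.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.google.com
192.168.0.5     www.symantec.com
"""

# Names a default Windows hosts file maps locally; any other active mapping
# is a redirection worth reviewing (an assumption of this example).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _is_address(token):
    return bool(_IPV4.match(token)) or ":" in token  # IPv4 or IPv6 literal


def parse_line(raw):
    """Classify one hosts line.

    Returns (kind, address, names): kind is 'active' for a live mapping,
    'disabled' for a mapping behind a leading '#', and 'other' for blank
    lines or free-text comments that carry no mapping.
    """
    stripped = raw.strip()
    kind = "active"
    if stripped.startswith("#"):
        stripped = stripped.lstrip("#").strip()
        kind = "disabled"
    parts = stripped.split()
    if len(parts) >= 2 and _is_address(parts[0]):
        return kind, parts[0], parts[1:]
    return "other", None, []


def find_redirections(text):
    """Active mappings for anything other than the local names: the lines
    HijackThis reports in its O1 section. Returns (line_no, address, names)."""
    hits = []
    for n, raw in enumerate(text.splitlines(), start=1):
        kind, address, names = parse_line(raw)
        if kind == "active" and not set(names) <= LOCAL_NAMES:
            hits.append((n, address, names))
    return hits


def toggle_lines(text, line_numbers):
    """The manager's 'Toggle line(s)': comment out selected active mappings
    with a leading '#', or re-enable selected disabled ones by stripping it."""
    out = []
    for n, raw in enumerate(text.splitlines(), start=1):
        kind, _, _ = parse_line(raw)
        if n in line_numbers and kind == "active":
            out.append("# " + raw)
        elif n in line_numbers and kind == "disabled":
            out.append(raw.lstrip().lstrip("#").lstrip())
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def delete_lines(text, line_numbers):
    """The manager's 'Delete line(s)': drop the selected lines entirely."""
    kept = [raw for n, raw in enumerate(text.splitlines(), start=1)
            if n not in line_numbers]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    hits = find_redirections(SAMPLE_HOSTS)
    for n, address, names in hits:
        print(f"line {n}: {address} -> {' '.join(names)}")
    # Toggling is the safe choice: the mapping stays visible but is ignored.
    print(toggle_lines(SAMPLE_HOSTS, {n for n, _, _ in hits}))
```

Toggling twice restores the original text exactly, which is why the tutorial calls it the safe option: nothing is lost if the line turns out to be legitimate.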


How to use the Delete on Reboot tool

At times you may find a file that stubbornly refuses to be deleted by conventional means. HijackThis introduced, in version 1.98.2, a method to have Windows delete the file as it boots up, before the file has the chance to load. To do this follow these steps:

  1. Start Hijackthis
  2. Click on the Config button
  3. Click on the Misc Tools button
  4. Click on the button labeled Delete a file on reboot...
  5. A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file and click on it once, and then click on the Open button.
  6. You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now, otherwise click on the No button to reboot later.
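For a closer look at what "delete on reboot" does underneath, here is an added Python example (not HijackThis's code). It assumes HijackThis relies on the Windows mechanism MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the request in the registry value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations, a REG_MULTI_SZ of source/destination pairs where an empty destination means delete. That attribution to HijackThis is an assumption of this example; the value format itself is documented by Microsoft. Reviewing that value is a useful check in the other direction too, since it shows every file anything has scheduled for deletion or replacement at the next boot. The sample value and the function names are constructed; on Windows the script reads the real value, elsewhere it decodes the sample.

```python
import sys

# Registry location Windows consults during boot for delayed moves and
# deletes (documented by Microsoft for MOVEFILE_DELAY_UNTIL_REBOOT).
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"

# Constructed sample of what the REG_MULTI_SZ can hold: a delete request for
# the tutorial's example file and a replace-on-boot request for a DLL.
SAMPLE_VALUE = [
    r"\??\C:\WINDOWS\PXZYC.EXE", "",
    r"\??\C:\TEMP\new.dll", r"!\??\C:\WINDOWS\system32\old.dll",
]


def _strip_nt_prefix(path):
    """Entries are stored as NT paths ('\\??\\C:\\...'); return the Win32 form."""
    return path[4:] if path.startswith("\\??\\") else path


def delete_entry(path):
    """Pair that schedules 'path' for deletion: the source followed by an
    empty destination, which is how a delayed delete is encoded."""
    return ["\\??\\" + path, ""]


def decode_pending_ops(values):
    """Turn the raw string list into (action, source, destination) tuples.
    A '!' prefix on the destination means an existing file gets replaced."""
    if len(values) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/destination pairs")
    ops = []
    for src, dst in zip(values[0::2], values[1::2]):
        if dst == "":
            ops.append(("delete", _strip_nt_prefix(src), None))
        else:
            ops.append(("rename", _strip_nt_prefix(src), _strip_nt_prefix(dst.lstrip("!"))))
    return ops


def pending_deletes(values):
    """Just the files that will disappear at the next boot."""
    return [src for action, src, _ in decode_pending_ops(values) if action == "delete"]


def read_live_value():
    """On Windows, read the real value (None elsewhere, [] if nothing is queued)."""
    if not sys.platform.startswith("win"):
        return None
    import winreg  # only available on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
            value, _ = winreg.QueryValueEx(key, PENDING_VALUE)
            return list(value)
    except FileNotFoundError:
        return []


if __name__ == "__main__":
    values = read_live_value()
    if values is None:
        print("not on Windows; decoding the constructed sample instead")
        values = SAMPLE_VALUE
    for action, src, dst in decode_pending_ops(values):
        print(action, src, "->", dst)
```

Because the value is plain registry data, it is also something an unwanted program can write to replace a system file at boot, so an unexpected rename entry there deserves the same attention as an unexpected delete.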



How to use ADS Spy

 

There is a particular infection called Home Search Assistant or CWS_NS3 that will sometimes use a file called an Alternate Data Stream to infect your computer. These files cannot be seen or deleted using normal methods. ADS Spy was designed to help in removing these types of files. For those who are interested, you can learn more about Alternate Data Streams and the Home Search Assistant by reading the following articles:

Windows Alternate Data Streams [Tutorial Link]

Home Search Assistant Analysis [Tutorial Link]


To use the ADS Spy utility you would start HijackThis and then click on the
Config button. Then click on the Misc Tools button and finally click on the ADS Spy button. When the ADS Spy utility opens you will see a screen similar to figure 11 below.

 

Figure 11: ADS Spy

 

Press the Scan button and the program will start to scan your Windows folder for any files that are Alternate Data Streams. If it finds any, it will display them similar to figure 12 below.

 

Figure 12: Listing of found Alternate Data Streams

 

To remove one of the displayed ADS files, simply place a checkmark next to its entry and click on the Remove selected button. This will remove the ADS file from your computer. When you are done, press the Back button next to the Remove selected until you are at the main HijackThis screen.


How to use the Uninstall Manager
 

The Uninstall Manager allows you to manage the entries found in your control panel's Add/Remove Programs list. When cleaning malware from a machine, entries in the Add/Remove Programs list invariably get left behind. Many users understandably like to have a clean Add/Remove Programs list and have difficulty removing these errant entries. Using the Uninstall Manager you can remove these entries from your uninstall list.

To access the Uninstall Manager you would do the following:

  1. Start HijackThis
  2. Click on the Config button
  3. Click on the Misc Tools button
  4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:


Figure 13: HijackThis Uninstall Manager

 

To delete an entry simply click on the entry you would like to remove and then click on the Delete this entry button. If you want to change the program this entry is associated with you can click on the Edit uninstall command button and enter the path to the program that should be run if you double-click on that entry in the Add/Remove Programs list. This last function should only be used if you know what you are doing.

If you are asked to save this list and post it so someone can examine it and advise you as to what you should remove, you can click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window into a reply in the topic you are getting help in.
 

How to interpret the scan listings


This next section is to help you diagnose the output from a HijackThis scan. If you are still unsure of what to do, or would like to ask us to interpret your log, paste your log into a post in our Privacy Forum.

Every line on the Scan List for HijackThis starts with a section name. Below is a list of these section names, taken from Merijn's Tutorial, and their explanations. You can click on a section name to bring you to the appropriate section.

Section Name      Description
R0, R1, R2, R3    Internet Explorer Start/Search pages URLs
F0, F1, F2, F3    Auto loading programs
N1, N2, N3, N4    Netscape/Mozilla Start/Search pages URLs
O1                Hosts file redirection
O2                Browser Helper Objects
O3                Internet Explorer toolbars
O4                Auto loading programs from Registry
O5                IE Options icon not visible in Control Panel
O6                IE Options access restricted by Administrator
O7                Regedit access restricted by Administrator
O8                Extra items in the IE right-click menu
O9                Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu
O10               Winsock hijacker
O11               Extra group in IE 'Advanced Options' window
O12               IE plugins
O13               IE Default Prefix hijack
O14               'Reset Web Settings' hijack
O15               Unwanted site in Trusted Zone
O16               ActiveX Objects (aka Downloaded Program Files)
O17               Lop.com/Domain Hijackers
O18               Extra protocols and protocol hijackers
O19               User style sheet hijack
O20               AppInit_DLLs Registry value Autorun
O21               ShellServiceObjectDelayLoad
O22               SharedTaskScheduler
O23               Windows XP/NT/2000 Services
O24               Windows Active Desktop Components

It is important to note that certain sections use an internal white list so that HijackThis will not show known legitimate files. To disable this white list, start HijackThis from the command line with the following switch instead: hijackthis.exe /ihatewhitelists

In our explanations of each section we will try to explain in layman terms what they mean. We will also tell you what registry keys they usually use and/or files that they use. Finally we will give you recommendations on what to do with the entries.

R0,R1,R2,R3 Sections


This section covers the Internet Explorer Start Page, Home Page, and URL Search Hooks.

R0 is for Internet Explorer's start page and search assistant.

R1 is for Internet Explorer's search functions and other characteristics.

R2 is not used currently.

R3 is for a URL Search Hook. A URL Search Hook is used when you type an address in the location field of the browser but do not include a protocol such as http:// or ftp:// in the address. When you enter such an address, the browser attempts to work out the correct protocol on its own; if it fails to do so, it uses the URLSearchHook listed in the R3 section to try to find the location you entered.

Some Registry Keys:
  HKLM\Software\Microsoft\Internet Explorer\Main,Start Page
  HKCU\Software\Microsoft\Internet Explorer\Main: Start Page
  HKLM\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
  HKCU\Software\Microsoft\Internet Explorer\Main: Default_Page_URL
  HKLM\Software\Microsoft\Internet Explorer\Main: Search Page
  HKCU\Software\Microsoft\Internet Explorer\Main: Search Page
  HKCU\Software\Microsoft\Internet Explorer\SearchURL: (Default)
  HKCU\Software\Microsoft\Internet Explorer\Main: Window Title
  HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: ProxyOverride
  HKCU\Software\Microsoft\Internet Connection Wizard: ShellNext
  HKCU\Software\Microsoft\Internet Explorer\Main: Search Bar
  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks
  HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
  HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch
  HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant


 

Example Listing R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

A common question is what it means when the word Obfuscated appears next to one of these entries. When something is obfuscated, it has been made difficult to perceive or understand. In spyware terms, that means the spyware or hijacker is hiding an entry it made by converting the values into some other form that it can read easily but a human would have trouble recognizing, such as storing registry values in hexadecimal. This is just another method of hiding its presence and making it harder to remove.

If you do not recognize the web site that an R0 or R1 entry points to, and you want to change it, you can have HijackThis safely fix these, as doing so will not harm your Internet Explorer installation. If you would like to see what the sites are, you can go to the site, and if it is mostly popups and links, you can almost always delete the entry. It is important to note that if an R0/R1 entry points to a file and you fix the entry with HijackThis, HijackThis will not delete that particular file; you will have to do it manually.

There are certain R3 entries that end with an underscore ( _ ). An example of what one would look like is:

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)

Notice that the CLSID, the characters between the { }, has a _ at the end of it; such entries may sometimes be difficult to remove with HijackThis. To fix this you will need to delete the particular registry entry manually by going to the following key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

Then delete the CLSID entry under it that you would like to remove. Please leave the CLSID CFBFAE00-17A6-11D0-99CB-00C04FD64497 alone, as it is the valid default one.

Unless you recognize the software being used as the URLSearchHook, you should generally Google it and, after doing some research, allow HijackThis to fix it.
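To tie the section table and the R0/R1/R3 notes above together, here is an added Python example (not HijackThis's code, nor Merijn's) that splits a scan log into entries by section prefix and applies the rules just described: it flags entries marked obfuscated, R0/R1 entries that point at a local file (which a HijackThis fix will not delete), an R3 URLSearchHook CLSID with a trailing underscore, and O1 hosts redirections, and it breaks an O4 line into its registry key, value name and command. The log is constructed: the first R0 line and the R3 line are the tutorial's own examples, the others are made up, and the function names and flag codes belong to this example.

```python
import re

# Section prefixes and their meaning, taken from the tutorial's table (subset).
SECTIONS = {
    "R0": "Internet Explorer Start/Search pages URLs",
    "R1": "Internet Explorer Start/Search pages URLs",
    "R3": "Internet Explorer Start/Search pages URLs",
    "F0": "Auto loading programs", "F1": "Auto loading programs",
    "O1": "Hosts file redirection",
    "O2": "Browser Helper Objects",
    "O3": "Internet Explorer toolbars",
    "O4": "Auto loading programs from Registry",
    "O10": "Winsock hijacker",
    "O20": "AppInit_DLLs Registry value Autorun",
    "O23": "Windows XP/NT/2000 Services",
}

# CLSID the tutorial names as the valid default URLSearchHook.
DEFAULT_SEARCHHOOK = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"

# Constructed sample log (see the lead-in for which lines are the tutorial's).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.example.invalid/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\search.htm
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O1 - Hosts: 192.168.0.5 www.symantec.com
O4 - HKLM\..\Run: [pxzyc] C:\WINDOWS\PXZYC.EXE
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})(_?)")
LOCAL_PATH_RE = re.compile(r"^[A-Za-z]:\\")
O4_RE = re.compile(r"^(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse_log(text):
    """Split a log into entries; lines without a section prefix are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append({"section": m["sec"], "body": m["body"], "raw": raw.strip()})
    return entries


def parse_o4(body):
    """Break an O4 body into (registry key, value name, command), or None."""
    m = O4_RE.match(body)
    return (m["key"], m["name"], m["cmd"]) if m else None


def review_entry(entry):
    """Apply the tutorial's rules to one entry and return a list of flags."""
    sec, body = entry["section"], entry["body"]
    flags = []
    if "obfuscated" in body.lower():
        flags.append("obfuscated")           # value stored in a disguised form
    if sec in ("R0", "R1") and " = " in body:
        value = body.split(" = ", 1)[1].split(" (")[0].strip()
        if LOCAL_PATH_RE.match(value):
            flags.append("local-file")       # fixing the entry leaves the file behind
    if sec == "R3":
        m = CLSID_RE.search(body)
        if m and m.group(2) == "_":
            flags.append("hook-underscore")  # may need manual removal under URLSearchHooks
        elif m and m.group(1).upper() == DEFAULT_SEARCHHOOK:
            flags.append("hook-default")     # the valid default; leave it alone
    if sec == "O1":
        flags.append("hosts-redirect")
    return flags


def review_log(text):
    """Return (raw line, section meaning, flags) for every entry in the log."""
    return [(e["raw"], SECTIONS.get(e["section"], "see the section table"), review_entry(e))
            for e in parse_log(text)]


if __name__ == "__main__":
    for raw, meaning, flags in review_log(SAMPLE_LOG):
        print(f"{raw}\n    {meaning}; flags: {', '.join(flags) or 'none'}")
```

The flags are prompts for a human reviewer, not verdicts: as the tutorial stresses, an entry with no flag can still be unwanted, and a flagged entry can be legitimate.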
 

 

Here's a series of steps you can take to use Hijack This to remove a browser hijack.

(BTW, thanks to my good friend RT for teaching me this, providing the notes this was based on and allowing me to pass this on to you.)

BEFORE YOU START -
Download and install Hijack This

-STEP 1- SAFETY STUFF
Backup your documents and create a system restore point.

-STEP 2- CHECK FOR SUSPICIOUS STARTUP ITEMS
You can use Hijack This to clean out hijacked items from Microsoft's Internet Explorer (redirections due to spyware), however they will return if the executable program causing it is not removed.

a. Click on Start> Run and type "msconfig" and click OK.
b. Select the "Startup" tab.
c. Uncheck any items you don't recognize. Note that many legitimate programs will appear here too.

Most spyware will load from this area. If you are unsure whether a particular item is legitimate or not, do a Google search on the .exe file name that loads. The only caveat here is that some spyware .exe files get a randomly generated name, so a search will not identify them.

You can look in the Command column to see the name of the .exe file itself and you can stretch this column if you cannot see the entire line of text.

By the way, it IS safe to uncheck everything here as a test anyway - nothing critical to Windows loads here. So, if in doubt, it is OK to uncheck something.

d. Apply the changes, and restart Windows.

-STEP 3 - Run Hijack This
1. Run the tool, and select "Scan".
2. Look mostly at the R0, R1 and O2 entries. These relate to the hijack, and represent changes to your default browser settings (homepage, search page).
3. Have a look at the addresses for these entries. If they are different from your preferences, check the box next to it.
4. Click on "Fix Checked" and confirm.

This process cleans out the modified (hijacked) entries. You can also define what Hijack This uses by clicking the Config button (lower right), however this is not required.

-STEP 4 - DOUBLE-CHECK HOME PAGE AND TEST One problem is that if the IE Home Page isn't cleared, you'll get "rehijacked" when you launch IE. This is because that particular page is the source of the problem. (It may try to load an ActiveX control.)

Hijack This may have already reset your Home Page in STEP 3, but double check before starting IE:

a. Head to Control Panel, Internet Options.
b. Change your Home Page on the General tab.
c. Browse the Internet, reboot your machine, and test over the next little while.

If the hijack stays away, you've successfully cleared it, and one of the Startup items you disabled in STEP 2 may well have been the cause.
 

-STEP 5- PERMANENTLY DELETE THE CAUSE
We need to find the Startup item that is causing this, if any. Recall that in STEP 2 we disabled some suspicious startup items. One, or several of them may be triggering the hijack.

Also note that we've been testing the machine with the Startup Items disabled. We want to ensure the computer runs fine (no errors) with all these items unchecked.

If you are unsure about deleting an item or using the registry editor, seek help with your local tech expert.

a. Launch MSCONFIG once more.
b. For the first suspicious item, expand the "Location" column to see where it is loading from in the registry.
c. Click on Start, Run, type "regedit" and click OK.
d. Browse to the key listed in the "Location" column for MSCONFIG.
e. Delete the key on the right hand side only, that specifically matches that startup item. **See example below.**
f. Note the "Command" folder in MSCONFIG. Browse to this folder, and delete the .exe file itself. **See example below.**

-----EXAMPLE-----
In this example, the Startup Tab of MSCONFIG indicates that:

pxzyc.exe loads from Command "C:\WINDOWS\PXZYC.EXE" and Location "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

In this case, we go to the registry editor and find that Run key on the left window. On the right hand Window pane you'll see each item in that Run key, specifically "pxzyc.exe" in this case. Delete the entry for "pxzyc.exe" in the registry only.

In addition, we'll browse to the C:\WINDOWS folder, and manually delete the pxzyc.exe file that resides there.
-----------------

g. Repeat these steps for each suspicious item.
 

-ADDENDUM 1-
Some spyware also adds itself as Web content on your desktop background.
To remove this:

a. Right-click the desktop, selecting Properties.
b. Select the Desktop tab, then the Customize button.
c. Select the Web tab, and delete any content indicated.
 

-ADDENDUM 2-
In STEP 3, you may note that the R0, R1 etc. entries point to an .htm or .html file on your local computer. Although Hijack This will clean out your IE settings, it will not delete the local copy of the html file on your computer. Be sure to browse to the location of the file indicated, and delete the file manually.

-MORE-
Still need more info? Check out this excellent site, with more detailed information and a walk-through tutorial about Hijack This and the process of removing a browser hijack.

 

IF NOTHING WORKS CALL ME AT 991-7668

 
 
 
 
 
 
 
 
 
 
 
