
An introduction to the analysis of a HijackThis log file

by jrbarnett
The HijackThis program is a very useful tool in analysing browser hijacking attempts and viruses, but it requires a reasonable level of operating system expertise in order to fully understand the log and take appropriate action.
This FAQ will not detail the steps for obtaining a HijackThis log, nor the steps that should be taken before obtaining one.

The top 4 lines of the log file: Basic system information
The log entries in this example actually come from my PC in a log run today.

1. The top few lines identify the version of HijackThis,
2. The date and time of scan,
3. The operating system and service pack of the PC
4. The version of Internet Explorer installed.

eg:

Logfile of HijackThis v1.97.7
Scan saved at 19:59:43, on 28/02/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

The third and fourth lines can be used to identify whether a PC is running the latest service pack for its operating system and whether IE is patched (the original IE6, for example, is version 6.00.2600.0000). If not, these patches can be obtained via [link http://windowsupdate.microsoft.com]WindowsUpdate[/link] if you don't have them available on disk. Even so, the log won't indicate whether the latest security patches have been installed.

List of running processes
Next, you get a list of running processes at the time the scan was run. The actual processes will vary depending upon the applications running at the time as well as the background processes.
eg:

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall\persfw.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

Paste the whole HijackThis log file into http://www.hijackthis.de and have it analyse the file. It will get most dodgy things, but be careful as I have known it generate false positives on a few occasions.
For anything else, go through each of these filenames and look for something suspicious.
Simply identifying a running filename by itself isn't enough, because some viruses or hijackers use valid filenames (such as svchost.exe) in invalid locations, so you have to judge the path and filename together as a whole.
Common techniques for viruses, malware and spyware are to use names similar to valid Windows filenames in non-standard places, to slightly alter a valid name, or to use a completely daft filename that makes no sense to anybody.
Note that multiple occurrences of the same filename in the list are perfectly legitimate, and nothing to be worried about.
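The header and process-list checks described above, as an added example (not code from the FAQ or from HijackThis): a small Python script that reads the four identification lines, compares the IE build against the original IE6 build quoted in the text, and flags a system binary name running from a directory other than the one it belongs in. The sample log is constructed from the FAQ's own lines plus one added svchost.exe line; the baseline directory table is a hypothetical one for a Windows 2000 box with %SystemRoot% = C:\WINNT and would be built from a known-good machine of the same build.

```python
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed sample: the header and a trimmed process list taken from the
# FAQ's own log, plus one added line (svchost.exe running from C:\WINNT\Temp)
# so that the "valid name, wrong location" check has something to catch.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Scan saved at 19:59:43, on 28/02/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\Temp\svchost.exe
C:\Program Files\HijackThis\HijackThis.exe
"""

# Hypothetical baseline: core NT executables and the directory each one
# legitimately runs from on this Windows 2000 box (%SystemRoot% = C:\WINNT).
# Build this from a known-good machine of the same build; it is not a
# definitive list.
SYSTEM_BINARIES: Dict[str, Set[str]] = {
    "smss.exe": {r"c:\winnt\system32"},
    "winlogon.exe": {r"c:\winnt\system32"},
    "services.exe": {r"c:\winnt\system32"},
    "lsass.exe": {r"c:\winnt\system32"},
    "svchost.exe": {r"c:\winnt\system32"},
    "explorer.exe": {r"c:\winnt"},
}

# Build number of the original, unpatched IE6 release quoted in the FAQ.
ORIGINAL_IE6_BUILD = (6, 0, 2600, 0)

HEADER_RE = {
    "hjt_version": re.compile(r"^Logfile of HijackThis v(\S+)"),
    "scan_time": re.compile(r"^Scan saved at (.+)$"),
    "platform": re.compile(r"^Platform: (.+)$"),
    "ie_build": re.compile(r"^MSIE: .*\((\d+)\.(\d+)\.(\d+)\.(\d+)\)"),
}


def parse_header(log: str) -> Dict[str, object]:
    """Read the four identification lines at the top of the log."""
    info: Dict[str, object] = {}
    for line in log.splitlines()[:6]:
        for key, rx in HEADER_RE.items():
            m = rx.match(line.strip())
            if not m:
                continue
            if key == "ie_build":
                info[key] = tuple(int(x) for x in m.groups())
            else:
                info[key] = m.group(1)
    return info


def ie_newer_than_original_ie6(ie_build: Tuple[int, ...]) -> bool:
    """True when the reported IE build is later than the unpatched IE6 release."""
    return tuple(ie_build) > ORIGINAL_IE6_BUILD


def parse_processes(log: str) -> List[str]:
    """Return the paths listed under 'Running processes:'."""
    lines = log.splitlines()
    for i, line in enumerate(lines):
        if line.strip().lower() == "running processes:":
            procs = []
            for path in lines[i + 1:]:
                if not path.strip():
                    break
                procs.append(path.strip())
            return procs
    return []


def check_processes(procs: List[str], baseline=SYSTEM_BINARIES) -> List[Tuple[str, str]]:
    """Flag system binary names running from somewhere other than their
    expected directory; path and name are judged together, as the FAQ says."""
    findings = []
    for path in procs:
        directory, _, name = path.rpartition("\\")
        allowed = baseline.get(name.lower())
        if allowed is not None and directory.lower() not in allowed:
            findings.append((path, f"{name} expected under {sorted(allowed)}"))
    return findings


def duplicate_names(procs: List[str]) -> Set[str]:
    """Names that appear more than once: reported for context, never flagged."""
    counts = Counter(p.rpartition("\\")[2].lower() for p in procs)
    return {name for name, n in counts.items() if n > 1}


if __name__ == "__main__":
    hdr = parse_header(SAMPLE_LOG)
    print(hdr, "IE later than original IE6:", ie_newer_than_original_ie6(hdr["ie_build"]))
    procs = parse_processes(SAMPLE_LOG)
    for path, reason in check_processes(procs):
        print("SUSPICIOUS:", path, "-", reason)
    print("duplicates (normal):", duplicate_names(procs))
```

Note that the duplicated IEXPLORE.EXE entries are returned by `duplicate_names` but never treated as a finding, and the second svchost.exe is flagged purely because of its directory, not its name.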

To find out if a file is valid or not, use one of the following methods:
1. Search for the filename with [link http://www.google.com/]Google[/link]. If you get multiple responses from antivirus sites, anti spyware sites etc confirming that it is indeed legitimate, then leave it.

2. Search for the filename at the [link http://www.liutilities.com/products/wintaskspro/processlibrary/]Wintasks Pro Process library[/link], another good site for file and process information, to identify whether it is on your PC for a good reason.

3. Search for the filename at [link http://www.sysinfo.org/startuplist.php]SysInfo.org Startup List[/link]. The data on this site is used by Spybot Search & Destroy as well as by many professional IT support teams, and is very comprehensive.

Having now identified dodgy filenames you are ready to proceed to the next section:
Analysis of the log file:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [FilterGate] C:\PROGRA~1\FILTER~1\filtergate.exe /ASK
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37881.4608449074
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

This is not a complete list, but I will go through the more common object types below:

Note: the following section is not illustrated in my example above
F0 corresponds to the Shell= line in the WIN.INI file, which is used on 9x systems with older software. You should be suspicious of anything here if your PC is fairly new, or you use an NT based system (NT/2K/XP).

F1 corresponds to the RUN= and Load= lines in the Win.INI file, which are kept only for backwards compatibility with older applications. Modern software will not generally use this setting, and as with F0, you should investigate if you don't run older software on it.

F2 and F3 represent items loaded from the registry on 9x/NT/2K/XP systems and are generally more commonly used than the older F0/F1 category.
One common entry in this section is "Userinit" pointing to userinit.exe. This entry can, and should, be removed, but the file itself should not be deleted because it forms part of the Windows user profile subsystem.
There is a bug in HijackThis 1.97.7 which will restore the userinit value to an incorrect registry location if you restore a HijackThis backup. If you are still using a version prior to 1.99.1, please upgrade to the latest version.

Anything labelled R0, R1, R2 or R3 that you don't recognise as your IE homepage, default search page or Window title should be fixed. The N0, N1, N2 or N3 are the Netscape/Firefox/Mozilla equivalents and should be done if you use any of those browsers.

The "O1" category represents redirection in the Hosts file. Generally, anything here should be fixed unless it points to machines on your network that you have configured.

O2 - Browser Helper Objects are used for providing extra functionality within the browser.
Many are legitimate, such as the one shown above (the Spybot Search & Destroy helper) or the Google toolbar, but many others are not.

O3 - Internet Explorer toolbars.
This includes third party toolbars. Remove if you don't recognise them.

O4 - Autoloading programs.
This section is likely to be quite large. Items in this section can come from the registry (anything starting HKLM\..\Run, \RunOnce or \RunServices, or HKCU\..\Run, \RunOnce or \RunServices). The prefix shows where in the registry the setting is located, so anything illegitimate can be unticked.
Again, if you don't recognise the filename, try searching for it on the sites listed above, but a general rule of thumb is that there shouldn't be anything in the RunOnce category at all unless you have just installed a software package that needed a reboot after finishing and you haven't yet done so.
Likewise, entries in the win.ini section are now unlikely to be legitimate unless you run very old software. Items in the Windows Startup group are also mentioned here.

Remember that if an item starts "HKCU" and you are running on a system configured for multiple users, other people will need to run HijackThis when logged in as themselves to remove the settings from their profile.
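The rules for the R, O1, O4 and O16 categories discussed in this section, as an added example (not code from the FAQ or from HijackThis): a Python script that parses the entry lines, flags unrecognised IE settings, hosts-file redirects to machines outside your own network, RunOnce entries, and DPF controls from hosts other than the ones the FAQ names as legitimate. It also lists the O4 entries that live under HKCU, since those only exist in the profile of the user who ran the scan, and collects the GUIDs from O2/O16 lines for searching. The sample is built from the FAQ's own log lines plus three added lines; the recognised-value set, local IP set and the IPs, hostnames and paths in the added lines are hypothetical placeholders.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Set, Tuple
from urllib.parse import urlparse

# Constructed sample assembled from the FAQ's own log lines plus three added
# lines (a hosts-file redirect, a RunOnce entry and a DPF control from an
# unknown host) so that every rule below has something to fire on. The IPs,
# hostnames and paths in the added lines are placeholders.
SAMPLE_ENTRIES = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O1 - Hosts: 192.168.1.10 intranet.example.invalid
O1 - Hosts: 203.0.113.7 search.example.invalid
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunOnce: [Loader] C:\WINNT\Temp\ldr.exe
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {00000000-0000-0000-0000-000000000000} (Installer Class) - http://example.invalid/dl/setup.cab
"""

# What this particular user recognises as their own IE settings (hypothetical).
RECOGNISED_IE_VALUES = {"http://www.yahoo.com/", "about:blank", "Microsoft Internet Explorer"}
# Machines on the user's own network that a hosts entry may point at (hypothetical).
LOCAL_NETWORK_IPS = {"192.168.1.10"}
# Hosts the FAQ names as sources of legitimate DPF controls.
TRUSTED_DPF_HOSTS = {"v4.windowsupdate.microsoft.com", "download.macromedia.com", "download.yahoo.com"}

ENTRY_RE = re.compile(r"^(?P<cat>[RNFO]\d+) - (?P<body>.*)$")
REG_VALUE_RE = re.compile(r"^(?P<hive>HK\w+)\\(?P<key>.+?),(?P<name>[^=]+?) =(?: (?P<value>.*))?$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>.*?)\] (?P<command>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
DPF_RE = re.compile(r"^DPF: (?P<guid>\{[0-9A-Fa-f-]+\}) \((?P<name>.*?)\) - (?P<url>\S+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Finding:
    category: str
    line: str
    reason: str


def entries(log: str) -> Iterator[Tuple[str, str]]:
    """Yield (category, body) for every R/N/F/O line in the log."""
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("cat"), m.group("body")


def analyse(log: str, recognised=RECOGNISED_IE_VALUES, local_ips=LOCAL_NETWORK_IPS,
            trusted_dpf=TRUSTED_DPF_HOSTS) -> List[Finding]:
    """Apply the FAQ's rules for the R, O1, O4 and O16 categories."""
    findings: List[Finding] = []
    for cat, body in entries(log):
        line = f"{cat} - {body}"
        if cat in {"R0", "R1", "R2", "R3"}:
            m = REG_VALUE_RE.match(body)
            if not m:
                continue
            value = (m.group("value") or "").strip()  # empty values are not a finding
            if value and value not in recognised:
                findings.append(Finding(cat, line, f"unrecognised {m.group('name')} setting: {value}"))
        elif cat == "O1":
            m = HOSTS_RE.match(body)
            if m and m.group("ip") not in local_ips:
                findings.append(Finding(cat, line, f"hosts file redirects {m.group('host')} to {m.group('ip')}"))
        elif cat == "O4":
            m = RUN_RE.match(body)
            if m and m.group("key").lower() in {"runonce", "runservicesonce"}:
                findings.append(Finding(cat, line, f"{m.group('key')} should be empty unless a post-install reboot is pending"))
        elif cat == "O16":
            m = DPF_RE.match(body)
            if m and urlparse(m.group("url")).hostname not in trusted_dpf:
                findings.append(Finding(cat, line, f"control from untrusted host; search on {m.group('guid')}"))
    return findings


def per_user_run_entries(log: str) -> List[str]:
    """Names of O4 entries under HKCU: these exist only in the profile of the user
    who ran the scan, so other users must run HijackThis from their own logon."""
    names = []
    for cat, body in entries(log):
        m = RUN_RE.match(body) if cat == "O4" else None
        if m and m.group("hive").upper() == "HKCU":
            names.append(m.group("name"))
    return names


def extract_guids(log: str) -> Set[str]:
    """GUIDs from O2/O16 lines, ready to paste into a search engine."""
    return {g for cat, body in entries(log) if cat in {"O2", "O16"} for g in GUID_RE.findall(body)}


if __name__ == "__main__":
    for f in analyse(SAMPLE_ENTRIES):
        print(f"[{f.category}] {f.reason}\n    {f.line}")
    print("HKCU-only O4 entries:", per_user_run_entries(SAMPLE_ENTRIES))
    print("GUIDs to look up:", sorted(extract_guids(SAMPLE_ENTRIES)))
```

The O2 line passes through `analyse` untouched, matching the FAQ's advice that BHOs need a manual judgement; its GUID is still collected by `extract_guids` so it can be searched along with the O16 ones.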

Items classified as O5, O6 and O7 may be legitimate if your system operates within a network and there are policy settings installed to hide the Internet Explorer Options icons in the control panel/start menu and the registry editor facilities. Some viruses may use this category in order to make removal more difficult. The chances are quite considerable that if your machine is standalone and does not participate in any network, anything here can be unticked. If you do participate in a network, ask your support staff.

Items classified as O8 represent extra items in the main Internet Explorer context menu (accessed with the right mouse button click). If you don't recognise anything here as something you have installed or use, then remove it.

The "O9" section represents extra items in the main Internet Explorer toolbar and Tools menu. Anything here should be fairly obvious if you have added it or it is not required.

The "O10" section represents a Winsock Hijacker. If this happens, untick it.
Take note that you may need to run WinsockFix and LSPFix as well, because these hijackers are embedded in the TCP/IP communications system of the computer, and just fixing this entry will more than likely render your internet connection unusable, so please download them beforehand.
I haven't included URLs for those packages because they are fairly widespread and a Google search will quickly locate an up to date download location for each of them.

Items classified as "O11" represent an extra group within the Internet Explorer Advanced Options window.
This is only likely to be present if browser addons require their own preferences to be accessible via IE. Anything else is likely to be invalid.

Items classified as "O12" represent Internet Explorer plugins. Use your discretion about what should and should not be here; you have to know whether each one is on your PC as part of a legitimate application or not.

"O13" represents the Internet Explorer Default Prefix. This is not likely to happen unless other products use their own protocol and set it as the default. The chances are anything here is wrong and should be fixed.

"O15" represents sites in the Trusted security zone. Sites that are used for phoning home may put themselves in the Trusted security zone because of the more lenient security settings applied to it. Therefore, anything here that you don't know about or don't recognise should be removed.

"O16" represents items within the Downloaded Program Files directory (hence DPF), sometimes referred to as ActiveX or COM objects. There are legitimate items in here such as the WindowsUpdate control, the Macromedia Flash player and the Yahoo Messenger AutoUpdater but anything dodgy should be investigated further with a filename or GUID search. (GUIDs are the long strings that start with an open { and end with } ).

"O19" represents the User Stylesheet. This is commonly used on systems that have screen readers installed for the visually impaired, in order to get larger than usual text or to allow any webpage to be read through a screen reader. It could also be used to set a larger than usual font, to set preferences for the screen reader through aural settings, or to change colours for somebody with colour blindness, but most of the time this setting will not be necessary.

I should point out that other settings are available and this should be considered only a very basic introduction to the process of HijackThis log analysis. Hopefully with a bit of insight you will start to learn which processes are legitimate and others that are not, and how to find out more about them.

[color red]Common Questions and Answers[/color]

What do I do if I have a filename that I can't identify?
If you have a paid for antivirus subscription, many company sites will have a submit virus sample address or form that will let you send them a copy of the file and they will let you know what it is. Generally there are steps that they require before doing this in order to reduce their workload, but give them time, and they will get back to you. Just don't expect an instant response. Check the support pages of your antivirus software vendor's website for more information.
If a scan with one package positively identifies a virus or spyware that another of the major spyware scanners does not pick up, first check that both are up to date, then let the vendor know the filename and size, the name of the virus, spyware or other software package, and any registry key it installs itself under.

Alternatively, if you are very careful, navigate to the folder in Windows Explorer, click the right mouse button on it, choose properties and have a look at the information on the Version tab. If the copyright is assigned to Microsoft or another company whose software is legitimately installed on your PC, then you can be fairly sure that it is OK, because I have yet to see any malware try and replicate this. If you try this method, be very careful not to double click the file.
Search for some of this information with Google to see if it comes up with anything.

What do I do if I have a filename that I have identified but is not listed?
If you can identify a legitimate software package or virus that is not listed on SpywareInfo.org then please contact them and let them know about it, so it can be added to the database. If it is a legitimate software package, also give details of where more information about the software can be obtained (eg the vendor's website URL).

What do I have to do before removing dodgy items?
[ul]
[li]Before ticking items to fix within HijackThis, if your PC runs Windows XP (either version) or Millennium Edition (Me) you must disable the built in System Restore facility, because otherwise Windows may restore the virus at next reboot.
If your PC has system rollback software installed such as [link http://www.goback.com/]GoBack[/link], this should also be disabled. Remember to re enable it afterwards though, as it performs a useful function in recovering from other system problems.[/li]
[li]You should also update your antivirus software to its latest signatures and any anti spyware software to its latest definitions. Remember that any software of this type whose signatures are over a month old are useless in detecting the most current threats.[/li]
[li]If possible, run [link http://windowsupdate.microsoft.com]WindowsUpdate[/link] and download and install all critical updates for your operating system and applications. Some malware may block access to the site; if so, please run it again once the clean-up is complete.[/li]
[li]If possible, go to Task Manager and terminate any identified dodgy processes, because they may reinstate themselves as soon as they have been removed. Some malware prevents this from running, so try Safe Mode with no networking and hold down the Shift key at logon to bypass the startup group, then run the scan again. An alternative to Task Manager is to use [link http://www.sysinternals.com/Utilities/ProcessExplorer.html]Process Explorer[/link] from [link http://www.sysinternals.com]Sysinternals[/link].[/li]
[/ul]

Why is it so important to keep systems up to date with WindowsUpdate?
Windows Update's security patches close identified security holes in operating systems and applications that malware may use to gain access to its resources or a system. By installing patches, regardless of the state of any antivirus software or spyware scanners, you can prevent the use of any identified security loophole in the first place.

Is there anything I can do to help prevent my system becoming reinfected after cleaning it up?
Yes:
[ol]
[li]Keep your system up to date with security patches from [link http://windowsupdate.microsoft.com]WindowsUpdate[/link].[/li]
[li]Keep your antivirus and anti spyware software signatures up to date. Most have in built update features to make it easy to do this, so use them.[/li]
[li]Keep your version of HijackThis up to date, because some software includes features to try and fool the software, which newer versions of the application can work around.[/li]
[li]Install software such as the [link http://www.spybot.info]Spybot Search & Destroy Browser helper[/link], [link http://www.microsoft.com/athome/security/spyware/software/default.mspx]Microsoft Antispyware beta[/link] or [link http://www.javacoolsoftware.com/]SpywareBlaster[/link] with background checkers to try and prevent browser hijacks installing themselves.[/li]
[li]Be vigilant. Don't run files attached to emails from complete strangers, or that seem odd from people that you know.[/li]
[li]Ensure your systems are configured correctly. With some firewall software, it is all too easy to select a setting which ignores any authentication mechanisms.[/li]
[/ol]

Acknowledgements
My thanks go to Tek-Tips member bcastner for his assistance in checking this FAQ through for technical errors and pointing out omissions from my initial draft, and to diogenes10 for posting information about the F0-3 entries and the bug regarding HijackThis 1.97.7 backup restoration.