How do I use Trend Micro HijackThis?

Updated: 01/24/2018 by Computer Hope

After downloading and installing the latest version of Trend Micro HijackThis, open the file. If your computer is unable to open the program, try renaming the file to something else (for example, sniper.exe) and running it again. Once open, you should see a screen similar to the example pictured below.

Trend Micro HijackThis main screen

Click the last button, "None of the above, just start the program", and then click the "Config..." button. Make sure the check boxes for the following are checked:

  • Make backups before fixing items
  • Confirm fixing & ignoring of items
  • Ignore non-standard but safe domains in IE
  • Include list of running processes in logfiles

Once checked or verified, click the Main Menu button.

Trend Micro HijackThis config

Next, select the first button Do a system scan and save a logfile to start the system scan. Once completed, you'll see a screen similar to the example pictured below and a new notepad window displaying the new HijackThis log.

Trend Micro HijackThis results

If you are generating this log to be analyzed online, copy the complete log to the clipboard by pressing Ctrl+A to select all the text. Once highlighted, click Edit and then Copy. The log can then be pasted into a forum post or a HijackThis analysis tool, such as the Computer Hope Windows process tool.

The HijackThis log file is also saved on your computer in the default directory "C:\program files\Trend Micro\HijackThis\" and can be attached to a forum post or sent to another user in an e-mail to be analyzed.

Understanding the results

At first glance, the results can seem overwhelming, but the log covers the settings and locations on your computer that malware most commonly attacks. Below is a brief description of each section to give a general understanding of what it contains.

Caution: HijackThis is an advanced utility and can make modifications to the Registry and other system files that can cause additional computer issues. Make sure you have followed the directions above, are making backups of changes, and that you are familiar with what's being fixed before fixing any checked items.

R0 - R3 sections

Windows Registry values that have been created or changed and that relate to your Microsoft Internet Explorer browser. Malware often attacks these Registry values to change your default home page, search page, etc. Below is an example of an R0 value.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.computerhope.com/

F0 - F3 sections

An overview of anything displayed that's loading from the system.ini or win.ini files.

N1 - N4 sections

Similar to the R0-R3 sections, these sections are part of the prefs.js file that relate to the Netscape and Mozilla Firefox browsers that can be attacked to change the default homepage, search page, etc.

O1 section

This section lists any redirections that have been added to the Windows hosts file. A hosts file redirection is another type of attack: it maps a domain name to a different IP address. For example, an attack may use this to redirect your bank's URL to another site in order to steal login information. Below is an example of an O1 line.

O1 - Hosts: ::1 localhost

O2 section

This section contains any Internet Explorer Browser Helper Objects (BHOs) installed on the computer, each with its CLSID (enclosed in {}). Below is an example of an O2 line.

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O3 section

This section will list any Microsoft Internet Explorer toolbars that are installed on the computer. Although there are plenty of legitimate browser toolbars, there are also plenty of malicious toolbars and toolbars installed by other programs that you may not want. Below is an example of an O3 line.

O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll

O4 section

One of the most commonly examined sections, the O4 section contains any programs that are automatically loaded from the Windows Registry each time the computer starts. Below is an example of this line.

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O5 section

This section displays any Windows Control Panel icons that have been disabled from being shown. Some malware may disable Windows Control Panel to help prevent you from troubleshooting issues caused by the program.

O6 section

This section lists any Microsoft Internet Explorer options that have been disabled by policy. If present, they should be fixed.

O7 section

This section shows whether access to the Registry Editor (regedit) has been disabled. If present, it should be fixed.

O8 section

Any additional features that have been added into the Microsoft Internet Explorer right-click menu show in this section. Below is an example of this line.

O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm

O9 section

Any additional buttons or menu items that have been added to Microsoft Internet Explorer will be shown here. Below is an example of this line.

O9 - Extra button: StumbleUpon - {75C9223A-409A-4795-A3CA-08DE6B075B4B} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll

O10 section

This section displays any Windows Winsock hijackers. Although these lines can be fixed from HijackThis, because of how Winsock works we suggest using LSP-Fix, an alternative tool designed specifically to repair this section, if any are found. Below is an example of this line.

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O11 section

Displays any extra group that's been added to the Microsoft Internet Explorer Advanced Options section.

O12 section

This section displays any Microsoft Internet Explorer plugins that have been installed on the computer.

O13 section

Displays any changes that have been made to Microsoft Internet Explorer's default http:// prefix. This prefix is used when a user types a URL without adding "http://" in front of it.

O14 section

This section displays any changes in the iereset.inf file that have been made. This file is used when restoring Microsoft Internet Explorer settings back to the default settings.

O15 section

Displays any Microsoft Internet Explorer Trusted Zone changes. Unless you added the entry yourself or recognize it, we suggest fixing it through HijackThis. Below is an example of an O15 line.

O15 - Trusted Zone: http://www.partypoker.com

O16 section

Displays all Microsoft Internet Explorer ActiveX objects. Below is an example of this line.

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab

O17 section

This section displays any potential DNS and Domain hijacks. Below is an example of this line.

O17 - HKLM\System\CCS\Services\Tcpip\..\{F30B90D7-A542-4DAD-A7EF-4FF23D23587B}: NameServer = 203.23.236.66 203.23.236.69

O18 section

Any protocol hijackers will be shown here. If this section appears, it is recommended that it be fixed with HijackThis. Below is an example of this line.

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O19 section

This section displays any changes that have been made to the CSS style sheet. Unless you are using a custom style sheet, it is recommended that you use HijackThis to fix this section.

O20 section

Anything that is being loaded through AppInit_DLLs or Winlogon Notify is shown in this section. Below is an example of each of these lines.

O20 - AppInit_DLLs: avgrsstx.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

O21 section

Anything that is loading in the ShellServiceObjectDelayLoad (SSODL) Windows Registry key will be shown in this section.

O22 section

This section shows any SharedTaskScheduler autorun Windows Registry keys. Below is an example of this line.

O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll

O23 section

Any Windows NT, 2000, XP, 2003, and Vista startup services are shown in this section. Below is an example of this line.

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O24 section

Finally, the O24 section lists any Microsoft Windows Active Desktop components that are installed on the computer. Unless you are using Active Desktop or recognize the name, we suggest you fix these as well. Below is an example of this line.

O24 - Desktop Component 1: (no name) - http://mbox.personals.yahoo.com/mbox/mboxlist
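To show how the sections above fit together when a log is reviewed, here is a small Python parser, added here as an example and not part of HijackThis or the original article. It splits a log into section-tagged entries, extracts any CLSIDs, and attaches review notes of the kind described above: an O1 hosts entry that points a name at a non-loopback address, an O4 autorun launched from a temporary directory, and an O17 name-server change. The sample log is constructed for the example (the first O1, O2, O4, O17, O20 and O23 lines are the article's own examples; the second O1 and O4 lines are made up), and the temporary-directory heuristic and the function names are my own assumptions rather than HijackThis logic.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample log. Lines 1, 2, 4, 5, 7, 8 and 9 copy the article's
# examples; the second O1 line and the second O4 line are made up to show
# what a suspicious entry looks like (203.0.113.5 is a documentation address).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.computerhope.com/
O1 - Hosts: ::1 localhost
O1 - Hosts: 203.0.113.5 www.example-bank.test
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [updater] C:\Users\Public\AppData\Local\Temp\svch0st.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F30B90D7-A542-4DAD-A7EF-4FF23D23587B}: NameServer = 203.23.236.66 203.23.236.69
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
"""

# Every entry starts with a section tag (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
LINE_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\]\s*(.*)$")
NAMESERVER_RE = re.compile(r"NameServer = (.+)$")

LOOPBACK = {"127.0.0.1", "::1"}


@dataclass
class Entry:
    section: str                         # e.g. "O4"
    body: str                            # everything after "O4 - "
    clsids: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Split one log line into its section tag and body; None for non-entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Examples pasted from prose often carry a trailing full stop; drop it.
    entry = Entry(section=m.group(1), body=m.group(2).rstrip("."))
    entry.clsids = CLSID_RE.findall(entry.body)
    return entry


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries: List[Entry]) -> Dict[str, int]:
    """Count entries per section, e.g. {"O4": 2, ...}."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


def triage(entry: Entry) -> List[str]:
    """Review notes for one entry (assumed heuristics, not HijackThis's own)."""
    notes: List[str] = []
    if entry.section == "O1":
        m = HOSTS_RE.match(entry.body)
        if m and m.group(1) not in LOOPBACK:
            notes.append(f"hosts file maps {m.group(2)} to {m.group(1)} "
                         "(non-loopback redirection)")
    elif entry.section == "O4":
        m = RUN_RE.match(entry.body)
        if m:
            hive, key, name, command = m.groups()
            # Assumption: autoruns started from a Temp directory deserve a look.
            if re.search(r"\\temp\\", command, re.IGNORECASE):
                notes.append(f"{hive} {key} entry [{name}] runs from a "
                             f"temporary directory: {command}")
    elif entry.section == "O17":
        m = NAMESERVER_RE.search(entry.body)
        if m:
            notes.append(f"DNS servers set to {m.group(1)}; confirm they "
                         "belong to your ISP or network")
    return notes


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("entries per section:", summarize(parsed))
    for e in parsed:
        for note in triage(e):
            print(f"{e.section}: {note}")
```

Run as a script it prints the per-section counts and three review notes (the constructed hosts redirection, the constructed Temp autorun, and the O17 name servers from the article's example); the legitimate entries such as the loopback hosts line and the NvCpl autorun produce no note.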

Additional information