Windows Tutorials - Herong's Tutorial Examples
Dr. Herong Yang, Version 5.00

"HijackThis" - Spyware and Browser Hijacker Detector

This section provides a tutorial example on how to run "HijackThis" to generate a system diagnostic report.

HijackThis is probably one of the most popular spyware detection tools available on the Internet. So I downloaded HijackThis v1.99.0 from the Web site: http://www.merijn.org/.

Here is a basic tour of how to use HijackThis:

1. Run HijackThis. It will offer you a couple of command buttons on the first dialog box.

2. Click the "Do a system scan and save a logfile" button. HijackThis will scan your system and show you the "Save logfile" dialog box.

3. Select a directory and enter a file name for the log file, for example, c:\temp\hijackthis.log.

4. Open c:\temp\hijackthis.log with a text editor. You will see a HijackThis report like this:

Logfile of HijackThis v1.99.0
...

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
...
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
...
C:\WINDOWS\Explorer.EXE
...
C:\local\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL
   = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page 
   = http://www.yahoo.com
...
O2 - BHO: Google Desktop Search Capture - {7c1ce531-09e9-4fc5
   -9803-1c2956615786} - C:\Program Files\Google\Google Desktop
   Search\GoogleDesktopIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333
   -CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} 
   - C:\WINDOWS\System32\AlxTB1.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} 
   - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090...}
   - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} 
   - C:\local\NetZero\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} 
   - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless
   \Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies
   \ATI Control Panel\atiptaxx.exe
...
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google
   \Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [NetZero_uoltray] C:\local\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files
   \Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files
   \Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip
   \WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files
   \google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:
   \program files\google\GoogleToolbar2.dll/cmwordtrans.html
...
O8 - Extra context menu item: Translate Page into English - res://c:
   \program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} 
   - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF
   -AAA5-00401...} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
...
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} 
   - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d
   -11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = abc.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList 
   = abc.com,xyz.com
...
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32
   \Ati2evxx.exe
O23 - Service: Network Associates Task Manager - Network Associates, 
   Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel
   \Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor - Intel Corporation 
   - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Apache Tomcat - Apache Software Foundation 
   - C:\tomcat50\bin\tomcat.exe
...
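As an added example (not part of Herong's tutorial or of the HijackThis tool), here is a small Python parser for the report format shown above: it re-joins the tutorial's 3-space-indented wrapped lines, extracts the typed entries (R0, O2, O4, O23, ...) and flags the items a reviewer reads first: entries marked "(file missing)" and O23 services whose vendor HijackThis reports as Unknown. The log excerpt inside it is constructed from the entries shown above.

```python
import re

# Constructed excerpt in the HijackThis v1.99 report format shown above.  The
# tutorial wraps long entries onto 3-space-indented continuation lines; a real
# log keeps each entry on one line, and unwrap() accepts both forms.
SAMPLE_LOG = """Logfile of HijackThis v1.99.0
Running processes:
C:\\WINDOWS\\System32\\smss.exe
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.google.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333
   -CF10577473F7} - c:\\program files\\google\\googletoolbar2.dll
O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\\WINDOWS
   \\System32\\AlxTB1.dll (file missing)
O4 - HKCU\\..\\Run: [spc_w] "C:\\Program Files\\NZSearch\\nzspc.exe" -w
O23 - Service: Ati HotKey Poller - Unknown - C:\\WINDOWS\\System32
   \\Ati2evxx.exe
O23 - Service: RegSrvc - Intel Corporation - C:\\Program Files\\Intel
   \\Wireless\\Bin\\RegSrvc.exe
"""

# Every report entry starts with a type code (R0, O2, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

def unwrap(text):
    """Re-join 3-space-indented continuation lines onto the entry they belong to."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith("   ") and lines:
            lines[-1] += raw[3:]
        else:
            lines.append(raw)
    return lines

def parse_entries(text):
    """Return (type, body) tuples for every typed entry; the process list is skipped."""
    entries = []
    for line in unwrap(text):
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries

def triage(text):
    """Flag entries to review first: a referenced file that no longer exists
    (leftover of a removed program) and O23 services with an unknown vendor."""
    flags = []
    for etype, body in parse_entries(text):
        if "(file missing)" in body:
            flags.append((etype, "file missing", body))
        elif etype == "O23" and " - Unknown - " in body:
            flags.append((etype, "unknown vendor", body))
    return flags
```

Run triage() on a saved logfile's contents to get a short list of entries worth checking before reading the full report line by line.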

See the next section on how to read this report.

Dr. Herong Yang, updated in 2008