HijackThis

From Wikipedia, the free encyclopedia

HijackThis

HijackThis 1.99.1 screenshot
Developer: Trend Micro
Latest release: 2.00 beta / March 12, 2007
OS: Microsoft Windows
Use: Malware removal
License: Freeware
Website: www.trendsecure.com

HijackThis, sometimes abbreviated HJT, is a freeware spyware-removal tool for Microsoft Windows originally created by Merijn Bellekom and later sold to Trend Micro. The program is notable for taking a heuristic approach to detecting malware: rather than relying on a database of known spyware, it quickly scans the user's computer, lists the points at which the configuration differs from a known spyware-free environment (startup entries, browser settings, hosts file, services and similar), and leaves it to the user to decide which items on that list should be removed.


Use

HijackThis can generate a plain-text logfile detailing every entry it finds, and most entries can be removed or disabled from within the program. Caution should be exercised with the latter option: apart from a small whitelist of known-legitimate entries, HijackThis does not distinguish legitimate items from unwanted ones, so a user can unintentionally stop important programs from running, which may cause the system or its peripherals to stop working. HijackThis does, however, attempt to back up the files and registry entries it removes, and these backups can be used to restore the system in the event of a mistake.

A common practice is to post the logfile to a web board or forum where more experienced users help decide which entries need to be removed. Automated tools also exist that analyze saved logs and attempt to provide recommendations to the user, or to clean entries automatically. Use of such tools is generally discouraged by those who specialize in reading HijackThis logs by hand; they consider the tools potentially dangerous to inexperienced users, and neither accurate nor reliable enough to substitute for a trained human analyst.

Later versions of HijackThis include additional tools like a task manager, hosts file editor, and alternate data stream scanner.

Codes

When a log is created, HijackThis prefixes each line with one of the codes listed below so that an expert can tell at a glance what type of entry it is. For example, a line that begins with O4 is an autoloading Registry entry, i.e. a startup program.

Explanation of the codes

R - Registry, StartPage/SearchPage changes

   R0 - Changed registry value
   R1 - Created registry value
   R2 - Created registry key
   R3 - Created extra registry value where only one should be

F - IniFiles, autoloading entries

   F0 - Changed inifile value
   F1 - Created inifile value
   F2 - Changed inifile value, mapped to Registry
   F3 - Created inifile value, mapped to Registry

N - Netscape/Mozilla StartPage/SearchPage changes

   N1 - Change in prefs.js of Netscape 4.x
   N2 - Change in prefs.js of Netscape 6
   N3 - Change in prefs.js of Netscape 7
   N4 - Change in prefs.js of Mozilla

O - Other, several sections which represent:

   O1 - Hijack of auto.search.msn.com with Hosts file
   O2 - Enumeration of existing MSIE BHO's
   O3 - Enumeration of existing MSIE toolbars
   O4 - Enumeration of suspicious autoloading Registry entries
   O5 - Blocking of loading Internet Options in Control Panel
   O6 - Disabling of 'Internet Options' Main tab with Policies
   O7 - Disabling of Regedit with Policies
   O8 - Extra MSIE context menu items
   O9 - Extra 'Tools' menuitems and buttons
   O10 - Breaking of Internet access by New.Net or WebHancer
   O11 - Extra options in MSIE 'Advanced' settings tab
   O12 - MSIE plugins for file extensions or MIME types
   O13 - Hijack of default URL prefixes
   O14 - Changing of IERESET.INF
   O15 - Trusted Zone Autoadd
   O16 - Download Program Files item
   O17 - Domain hijack
   O18 - Enumeration of existing protocols and filters
   O19 - User stylesheet hijack
   O20 - AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
   O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
   O22 - SharedTaskScheduler autorun Registry key
   O23 - Enumeration of NT Services

This list is taken from the program itself.
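The log format above is simple enough to parse mechanically, and the "Use" section describes both human and automated triage of such logs. The following is an added example (not code from HijackThis, Trend Micro or the forum tools mentioned above) that reads HijackThis-style lines, groups them by section code, and applies a few triage heuristics of its own. The sample log, the paths, the CLSID and the heuristics are all constructed for this example; they are not HijackThis's built-in whitelist or the rules used by the log-analysis forums.

```python
"""Minimal parser and triage pass for HijackThis-style log lines.

Added example, not part of the HijackThis program. The sample log and the
triage rules are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Section letters and a subset of the O-codes as listed by the program.
SECTIONS = {
    "R": "Registry, StartPage/SearchPage changes",
    "F": "IniFiles, autoloading entries",
    "N": "Netscape/Mozilla StartPage/SearchPage changes",
    "O": "Other",
}
CODES = {
    "O1": "Hosts file hijack",
    "O2": "MSIE BHO",
    "O4": "Autoloading Registry entry",
    "O20": "AppInit_DLLs / Winlogon Notify",
    "O23": "NT Service",
}

# Every coded line has the shape "<code> - <detail>"; header lines and the
# "Running processes:" block have no such prefix and are skipped.
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Constructed sample log (hypothetical paths and CLSID).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:15:32, on 01/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O1 - Hosts: 127.0.0.1 auto.search.msn.com
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\WINDOWS\system32\hypothetical.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\Local Settings\Temp\updater.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\hypothetical.dll
O23 - Service: Example Service - Example Corp - C:\Program Files\Example\svc.exe
"""


@dataclass
class Entry:
    code: str    # e.g. "O4"
    detail: str  # everything after "O4 - "

    @property
    def section(self) -> str:
        return self.code[0]

    def describe(self) -> str:
        return CODES.get(self.code, SECTIONS[self.section])


def parse_hjt_log(text: str) -> list[Entry]:
    """Return the coded entries of a log, in file order."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def summarize(entries: list[Entry]) -> dict[str, int]:
    """Count entries per section letter (R, F, N, O)."""
    counts: dict[str, int] = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


# Triage heuristics (assumptions for this example): a hosts-file redirect,
# a DLL injected via AppInit_DLLs, or an autostart/service executable living
# in a temp directory each deserve a human look before anything is "fixed".
TEMP_RE = re.compile(r"\\(local settings\\temp|appdata\\local\\temp|temp)\\", re.I)


def triage(entries: list[Entry]) -> list[tuple[Entry, str]]:
    flagged = []
    for e in entries:
        if e.code == "O1":
            flagged.append((e, "hosts-file redirect"))
        elif e.code == "O20" and e.detail.startswith("AppInit_DLLs:"):
            flagged.append((e, "AppInit_DLLs loads a DLL into every GUI process"))
        elif e.code in ("O4", "O23") and TEMP_RE.search(e.detail):
            flagged.append((e, "autostart from a temp directory"))
    return flagged


if __name__ == "__main__":
    found = parse_hjt_log(SAMPLE_LOG)
    print(summarize(found))
    for entry, reason in triage(found):
        print(f"{entry.code:<4} {entry.describe():<28} {reason}: {entry.detail}")
```

The parser deliberately does nothing about the entries it flags; as the text above notes, the decision to remove an O4 or O20 line belongs to a person who can tell a vendor's tray utility from an unwanted autostart, and a one-line regex cannot.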
