Microsoft Windows - Anti-spyware, Anti-rootkit and Anti-malware Scanner - How to analyse Trend Micro Hijackthis (Free) log?
Hemanth Yaji - Copyrighted under Creative Commons Attribution-Non-Commercial 2.0 UK: England & Wales License
http://creativecommons.org/licenses/by-nc/2.0/uk
[Last updated on 21 May 2009]
Hijackthis is a free tool developed by Trend Micro that quickly scans a computer for settings that may have been affected by spyware, malware, viruses or other unwanted programmes. The version of Hijackthis explained here is 2.0.2. The software displays a list of areas in the computer that are suspected to have been changed by software. Unfortunately, the tool is unable to determine what is good or bad; only advanced users who can interpret the scan results are able to find the harmful changes made by software. This article attempts to explain how a novice computer user can understand the output log of this software and remove the infections on a computer.
My advice is to download Hijackthis from the following website.
http://www.trendsecure.com/portal/en-US/_download/HiJackThis.exe
A file downloaded from the above link does not have to be installed. Hijackthis is free of cost.
Run the downloaded tool with administrator rights if you are on Windows Vista. To run with administrator rights, right-click on the downloaded file and click on Run as administrator. When the programme (Fig. 1) opens, click on Do a system scan and save a log file. A log file with the results of the scan opens in Notepad. Now close Hijackthis and keep the log file open. If you want to know what the letters such as R0, R1, R2, R3, F0, F1 and others in the log file refer to, click on Info (Fig. 3) after you have clicked on Do a system scan and save a log file.
Open the following website and paste the entire text of the Hijackthis log file into the text box on the page. I would recommend opening this website in Internet Explorer, because some Firefox add-ons could prevent it from working properly.
http://www.internetinspiration.co.uk/hijack%20this-Automated%20analysis.htm
- On this website, leave the "show the Visitor ratings" option checked and click on Analyze. Note that the analysis of a Hijackthis log works for individual entries as well. For example, simply paste C:\Windows\Explorer.EXE from your Hijackthis log into the above website. This saves bandwidth for people with very low bandwidth or dial-up Internet connections.
- Now you can see the file classification. The analyser classifies files as very safe, safe, neutral, nasty or extremely nasty based on user comments. The file classification is in the Visitor's assessment column, as in Fig. 2.
- A click on any of these classifications (for example on very safe, as in Circle 1 in Fig. 2) brings up a window (window 1, Fig. 2) where comments for a file can be entered. Note that, unfortunately, the comments from users cannot be trusted.
- If the classification for a file does not appear, there are no user comments on it. You can classify the file yourself and the results will be updated in the next analysis. If you are unable to classify it, Google the "file name" with its extension (for example Explorer.EXE), exactly as it appears in the Hijackthis log, and come to a conclusion about the file.
- If a file is not classified and you are unable to find sufficient information on it, post your problem on one of the security support forums on the Internet. The forum members should be able to help you further with how to deal with the suspicious files.
- If the file is classified as nasty or extremely nasty, Google the "file name" with its extension, exactly as it appears in the Hijackthis log, and make sure that it is to be deleted. In this case delete the file immediately.
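The steps above note that individual entries can be checked one at a time instead of pasting the whole log. As an added example (not part of the original article and not Trend Micro's code), this Python code splits a Hijackthis log into its running-process list and its coded entries (R0, F1 and so on) and returns each distinct file path once, ready for individual lookup. The sample log is constructed, and the function names and the list of file extensions are assumptions.

```python
import re

# Constructed sample in the Hijackthis 2.0.2 log layout; all paths and values are made up.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:42, on 21/05/2009
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\ExampleVendor\tray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.example.com/
F1 - win.ini: run=C:\Windows\Temp\example.exe
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\ExampleVendor\tray.exe" /min

--
End of file - 1234 bytes
"""

# A coded entry looks like "R0 - <detail>": one letter, one or two digits, " - ".
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Drive-letter path ending in a common executable extension (assumed list).
PATH = re.compile(r"[A-Za-z]:\\[^\"*?<>|\r\n]*?\.(?:exe|dll|sys|com|bat|scr)\b", re.I)

def parse_log(text):
    """Return (running_processes, [(code, detail), ...]) from a log's text."""
    processes, entries, in_processes = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        match = ENTRY.match(line)
        if match:
            in_processes = False  # the process list ends at the first coded entry
            entries.append((match.group(1), match.group(2)))
        elif in_processes and line:
            processes.append(line)
    return processes, entries

def files_to_look_up(text):
    """Distinct file paths (case-insensitive, first spelling kept) in log order."""
    processes, entries = parse_log(text)
    seen = {}
    for path in processes:
        seen.setdefault(path.lower(), path)
    for _code, detail in entries:
        for path in PATH.findall(detail):
            seen.setdefault(path.lower(), path)
    return list(seen.values())
```

Registry-only entries such as the R0 and R1 lines carry no file path, so they appear in the parsed entries but not in the lookup list.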
Yaji
Comments
Is it possible to receive 'hijackthis' as an update to Trend Micro, or does it only have to be downloaded from the site indicated in your hub?
Thanks for the great info. I am such a novice and this helps.
Hi Burow
Hijackthis is a different software. This can't be integrated into Trend Micro Internet Security Suite and has to be downloaded separately.
I am very much particular about things like this. You surely have provided a great deal of information. Up for this.
freelanceworld says:
7 months ago
Trend Micro Hijackthis is a good freeware... I use this too sometimes (as I don't regularly need it... I got my own ways to prevent such malicious code execution prevention) but I think many don't use it... maybe its name is a bit scary for them... lol... nice tech hub anyway.