Google is your best friend when troubleshooting HiJackThis log files. Just about any one can look up unfamiliar entries in their HiJackThis log files and determine if they have a problem with viruses, spyware, or adware.
After you run HiJackThis you will be left with a log file that you can post to a forum full of "experts", or you can examine it yourself and learn what is normal, and what is not, when you look at that log file.
Each individual line in the HiJackThis log file will show one entry for each running program on your computer in the first section called "Running processes". Here is an example line from that section.
- C:\Windows\system32\Dwm.exe
Look up Dwm.exe by copying, and pasting it into a Google search box. You will get a long list of links, some of which should have accurate information on almost any process that runs under Windows.
These links should share a consensus among themselves about whether or not a file is virus, spyware, adware, or other malware, and what it's function is on your computer. If they are not in complete agreement, then lean toward the side which states one particular case on more of the links than others.
There will usually be instructions for removing any malware you find in the links you obtain by searching.
The next section down in your HiJackThis log file is below the lines ending in .exe or .com and start with R1, R2, etc... where the R stands for Registry. These are registry settings that start programs when you boot your computer up.
Here is what one looks like wrapped over several lines.
-
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
The above line starts a search toolbar for Internet Explorer, and searches g.msn.com or loads the toolbar from there.
-
R3 - URLSearchHook: (no name) - - (no file)
You can use the same strategy with these lines as you did with the one in the first section. The next line above I was not sure about so I Googled URLSearchHook and discovered that
- "URLSearchHook is called by the browser when the browser cannot determine the protocol of a URL address.. When attempting to browse to a URL address that does not contain a protocol, Internet Explorer first attempts to determine the correct protocol using the unmodified address. If this fails, Internet Explorer creates URL Search Hook objects that have been registered, and calls each object's translate method until the URL has been translated or until all hooks have been called. Normally there should be only one value in this key.".
I also found that -
- "Many IE hijackers will add their UrlSearchHook to your system so every time when you type a url without protocol, you will be redirected to the hijacker's site. HijackThis tags this, if the default search hook value is changed, missing or a new value added in the above key."
Both on the same page at Understanding and Interpreting HijackThis Entries - Part 1
Since URLSearchHook was still in the copy buffer, I selected Edit, Find in Firefox to find it again on the page above itself. This gives you a nice "Next' button to push to find each subsequent instance of URLSearchHook in the page.
The first two searches in the page turned up the above information, but it will not always be quite that easy. You might not land on a page that has good information with every search link you turn up.
There is more information on the other search links about URLSearchHook which can help you determine if you have a bogus entry by a hacker.
Try a Google search in the search box below.
