Short tutorial on 'How to use HiJackThis'

Stanislav Polshyn edited this page Oct 03, 2018

Special notes:

This tutorial is updated to use with HiJackThis Fork v.2.9.0.1 and newer.
The same is available in English, Russian and Ukrainian within HiJackThis menu → Help → User's manual → Section descriptions.
Links to the Full version of tutorial:

  • In Russian
  • In English (translation is currently in progress)
Log Sections:

The different sections of hijacking influences have been separated into the following groups:

  • R - Changes in basic Internet Explorer settings:
    • R0 - Changed registry value
    • R1 - Created registry value
    • R2 - Created registry key
    • R3 - Created extra registry parameter where only one should be
    • R4 - Search providers (SearchScopes)
  • F - Autoloading from INI-files and corresponding registry locations
    • F0 - Changed ini-file value (system.ini)
    • F1 - Created ini-file parameter (win.ini)
    • F2 - Changed registry value that overrides ini-file settings (shell, userinit)
    • F3 - Created registry parameter that overrides ini-file settings (load, run)
  • O - Other sections:
    • O1 - Hijack of Hosts and hosts.ics files / DNSApi hijacking
    • O2 - Internet Explorer: BHO
    • O3 - Internet Explorer: toolbars
    • O4 - Autoloading Registry entries and 'Autostart' folder / msconfig disabled items
    • O5 - Hiding of Control Panel items
    • O6 - IE Policy: Disabling of 'Internet Options' main tab
    • O7 - Policies: Regedit, Explorer, TaskMgr / IP Security / Certificates / OS troubleshooting
    • O8 - Internet Explorer: Extra context menu items
    • O9 - Internet Explorer: Extra services and buttons
    • O10 - Breaking of Internet access due to the damage or infection in Winsock LSP
    • O11 - Internet Explorer: options in 'Advanced' settings tab
    • O12 - Internet Explorer: plugins for file extensions or MIME types
    • O13 - Internet Explorer: Hijacking of URL prefixes
    • O14 - Internet Explorer: Changing of IERESET.INF
    • O15 - Internet Explorer: Web-sites and protocols in 'Trusted Zone'
    • O16 - Downloaded Program Files items (DPF)
    • O17 - Domain and DNS hijack / DNS issued by router through DHCP
    • O18 - Protocols and filters hijack
    • O19 - User stylesheet hijack
    • O20 - AppInit_DLLs, Winlogon Notify
    • O21 - Shell Service Object Delay Load (SSODL), Shell Icon Overlay (SIOI), ShellExecuteHooks (SEH)
    • O22 - Shared Task Scheduler jobs
    • O23 - Windows Services and Drivers, Dependencies
    • O24 - ActiveX Desktop Components
    • O25 - WMI permanent event consumers
    • O26 - Process debuggers

Detailed information on sections:

R0 - Changed registry value

A Registry value changed from the default setting, resulting in a different IE Home page, Search Page, Search Bar Page or Search Assistant.

Action taken by HiJackThis:

  • registry value is restored to default URL.
R1 - Created registry value

A Registry value not present in a default Windows install, possibly resulting in changed settings for Internet searches or other IE settings (IE Window Title, ProxyServer, ProxyOverride, Internet Connection Wizard, ShellNext, etc.)

Action taken by HiJackThis:

  • Registry value is deleted.
R2 - Created registry key

A Registry key not present in a default Windows install. Currently, this section is not used (no database entries).

Action taken by HiJackThis:

  • Registry key is deleted, with everything in it.
R3 - Created extra registry parameter where only one should be

Detected more than one value inside URLSearchHooks regkey. If you specify a URL address without http:// or ftp:// prefixes, the browser will attempt to figure out the correct protocol using the list in UrlSearchHook.

Action taken by HiJackThis:

  • Registry value is deleted;
  • default URLSearchHook value is restored.
R4 - Search providers (SearchScopes)

Internet Explorer uses search provider (DefaultScope) to show a list of tips in the search bar while you type search queries into the address bar. IE allows you to replace its default provider with any from the list (SearchScopes).

Action taken by HiJackThis:

  • provider key is deleted.
  • default value of DefaultScope (Microsoft Bing) and provider parameters are recovered.
F0 - Changed ini-file value (system.ini)

An ini-file value changed from the default value, possibly resulting in program(s) loading at Windows startup. Often used to autostart a program.
File checked: C:\Windows\system.ini

Default value

Shell=explorer.exe

Infected example

Shell=explorer.exe,openme.exe

Action taken by HiJackThis:

  • default ini-file value is restored.
  • corresponding file is NOT deleted.
F1 - Created ini-file parameter (win.ini)

An ini-file value that is not present in a default Windows install, possibly resulting in program(s) loading at Windows startup. Often used to autostart a program.
File checked: C:\Windows\win.ini

Default values

run=
load=

Infected example

run=dialer.exe

Action taken by HiJackThis:

  • ini-file value is deleted.
  • corresponding file is NOT deleted.
F2 - Changed registry value that overrides ini-file settings (shell, userinit)

F2 section corresponds to the equivalent location in registry for system.ini file (F0).
A registry value changed from the default value, possibly resulting in program(s) loading at Windows startup. Often used to autostart a program.

To be checked:

\Software\Microsoft\Windows NT\CurrentVersion\WinLogon → Shell
\Software\Microsoft\Windows NT\CurrentVersion\WinLogon → UserInit

Default values:

UserInit=C:\Windows\System32\UserInit.exe,
Shell=explorer.exe
Shell=%WINDIR%\explorer.exe

Infected examples:

UserInit=C:\Windows\System32\UserInit.exe,C:\Windows\apppatch\capejw.exe,
Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

Action taken by HiJackThis:

  • default registry value is restored.
  • corresponding file is NOT deleted.
F3 - Created registry parameter that overrides ini-file settings (load, run)

F3 section corresponds to the equivalent location in the registry for the win.ini file (F1).
A registry value not present in a default Windows install, possibly resulting in program(s) loading at Windows startup. Often used to autostart a program.

To be checked

\Software\Microsoft\Windows NT\CurrentVersion\Windows → run
\Software\Microsoft\Windows NT\CurrentVersion\Windows → load

Default values

run=
load=

Infected example

run=C:\WINDOWS\inet20001\services.exe

Action taken by HiJackThis:

  • registry value is deleted.
  • corresponding file is NOT deleted.
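The F0 to F3 checks all reduce to the same question: does the Shell, UserInit, run or load value contain anything beyond its documented default? The following script is an added example (not HiJackThis code) that applies that test to a constructed set of values copied from the default and infected examples above; the expansion of %WINDIR% to C:\Windows and the comma/space tokenization rules are assumptions made for the example.

```python
import ntpath
import shlex

# Assumed defaults, following the F0/F2 (Shell) and F1/F3 (run/load) sections.
# %WINDIR% is expanded to C:\Windows as a constructed assumption.
WINDIR = r"C:\Windows"
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = WINDIR + r"\System32\userinit.exe"


def _tokens(value):
    """Split a Shell/UserInit/run/load string into program tokens.

    Windows accepts both commas and spaces as separators; a quoted path
    (which may contain spaces) stays one token. Non-POSIX shlex mode keeps
    backslashes literal, which Windows paths need.
    """
    parts = shlex.split(value.replace(",", " "), posix=False)
    return [p.strip('"') for p in parts if p.strip('"')]


def _norm(path):
    """Case-insensitive, %WINDIR%-expanded, normalized path for comparison."""
    return ntpath.normpath(path.replace("%WINDIR%", WINDIR)).lower()


def check_shell(value, location):
    """F0/F2: anything other than a single explorer.exe is a finding."""
    toks = _tokens(value)
    if not toks:
        return [f"{location}: Shell is empty"]
    findings = []
    if ntpath.basename(_norm(toks[0])) != DEFAULT_SHELL:
        findings.append(f"{location}: unexpected shell: {toks[0]}")
    findings += [f"{location}: extra program after shell: {t}" for t in toks[1:]]
    return findings


def check_userinit(value, location):
    """F2: the first entry must be the system UserInit.exe and there must be no others."""
    toks = _tokens(value)
    findings = []
    if not toks or _norm(toks[0]) != _norm(DEFAULT_USERINIT):
        findings.append(f"{location}: unexpected userinit: {toks[0] if toks else '<empty>'}")
    findings += [f"{location}: extra program after userinit: {t}" for t in toks[1:]]
    return findings


def check_run_load(name, value, location):
    """F1/F3: run= and load= are empty by default, so every token is a finding."""
    return [f"{location}: {name}= should be empty, found: {t}" for t in _tokens(value)]


def audit(entries):
    """entries maps (location, value name) -> raw string; returns all findings."""
    findings = []
    for (location, name), value in entries.items():
        key = name.lower()
        if key == "shell":
            findings += check_shell(value, location)
        elif key == "userinit":
            findings += check_userinit(value, location)
        elif key in ("run", "load"):
            findings += check_run_load(name, value, location)
    return findings


# Constructed sample built from the tutorial's default and infected examples.
SAMPLE = {
    ("system.ini", "Shell"): "explorer.exe,openme.exe",                       # F0 infected
    ("win.ini", "run"): "dialer.exe",                                          # F1 infected
    ("win.ini", "load"): "",                                                   # F1 default
    ("Winlogon", "UserInit"): r"C:\Windows\System32\UserInit.exe,C:\Windows\apppatch\capejw.exe,",  # F2 infected
    ("Winlogon", "Shell"): r'explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"',  # F2 infected
    ("Windows", "run"): r"C:\WINDOWS\inet20001\services.exe",                  # F3 infected
    ("Windows", "load"): "",                                                   # F3 default
}

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

The script only reports; it does not write to the registry or to the ini files. Paths with spaces that are not quoted (allowed by Windows for UserInit) would be split into two tokens by this tokenizer, so treat its output as a list of entries to review rather than a verdict.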
O1 - Hijack of Hosts and hosts.ics files / DNSApi hijacking
  1. Windows uses records in the 'hosts' file to look-up domain names before querying internet DNS servers. Changes to the 'hosts' file can make Windows believe that e.g. 'google.com' has a different IP than it actually has, leading browsers to open a different page. It can also block site(s) entirely by redirecting them to localhost or a non-existent IP.

  2. Attackers can also hijack the DNSApi.dll file to alter the location where the system loads the hosts file (all OS versions). Example: Hijacker.DNS.Hosts / Trojan.Win32.Patched.qw.

  3. Attackers can also change registry DatabasePath values (Win XP/2003 and older).

  4. Hosts.ics file is created automatically when you share internet access. It contains a mapping between IP and home (local) network domain and can be hijacked in the same way as a hosts file.

Legal entry example

Hosts.ics: 192.168.137.1 AnakonDA.mshome.net # 2018 5 2 22 8 3 40 685

Infected examples:

213.67.109.7	google.com
127.0.0.1	kaspersky.ru
DNSApi: File is patched - c:\Windows\system32\dnsapi.dll
Hosts file is located at: c:\windows\System32\drivers\etc\hoctc

Action taken by HiJackThis:

  • For hosts and hosts.ics entries - Line is deleted from file.
  • For DNSApi - dll file is recovered if available using SFC subsystem.
  • For altered hosts location - default registry value is restored.
  • Also, DNS cache entries are flushed and DNS caching services are restarted.
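To make the hosts-file part of O1 concrete, here is an added example (not HiJackThis code) of the parsing and classification a checker has to do: strip comments such as the timestamp hosts.ics appends, split each line into an address and one or more names, drop the default localhost mappings, and classify every remaining entry by where it points. The sample file is constructed from the legitimate and infected lines shown above, and the allow-list of default entries is an assumption for the example.

```python
import ipaddress

# Constructed sample combining the tutorial's legitimate hosts.ics line with
# its infected hosts examples; this is not a real capture.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost
213.67.109.7\tgoogle.com
127.0.0.1\tkaspersky.ru
192.168.137.1 AnakonDA.mshome.net # 2018 5 2 22 8 3 40 685
"""

# Mappings a default hosts file may legitimately contain (constructed allow-list).
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


def parse_hosts(text):
    """Return [(ip, hostname)] pairs, ignoring comments and blank lines.

    A line is '<ip> <host> [<host> ...] [# comment]'. Each hostname on the
    line becomes its own pair, which matches how the log lists entries.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                          # malformed; Windows ignores it too
        ip, *hosts = fields
        entries.extend((ip, h) for h in hosts)
    return entries


def classify(ip):
    """Describe what a mapping to this address does to the named host."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid address"
    if addr.is_loopback or addr.is_unspecified:
        return "blocked (resolves to loopback/unspecified)"
    if addr.is_private:
        return "redirected to a private/local network address"
    return "redirected to a public address"


def suspicious_entries(text):
    """Every mapping that is not in the default allow-list, with a reason."""
    return [(ip, host, classify(ip))
            for ip, host in parse_hosts(text)
            if (ip, host.lower()) not in DEFAULT_ENTRIES]


if __name__ == "__main__":
    for ip, host, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<16} {host:<24} {reason}")
```

A loopback mapping for a security vendor's domain (the kaspersky.ru line) is the "block a site entirely" case from point 1 above, while the google.com line is the redirect case; the hosts.ics entry resolves to a private address and is the kind of line that needs a human decision rather than automatic removal.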
O2 - Internet Explorer: BHO

A BHO (Browser Helper Object) is a specially crafted program that integrates into IE, and has virtually unlimited access rights. Though BHO's can be helpful (like the Google Toolbar), hijackers often use them for malicious purposes such as tracking your online behavior, displaying popup ads, etc.

Action taken by HiJackThis:

  • Delete BHO registry key and all corresponding keys (like CLSID and special IE BHO policies);
  • Delete BHO dll file.
O3 - Internet Explorer: toolbars

IE Toolbars are part of BHO's (Browser Helper Objects) like the Google Toolbar that may be helpful, but can also be annoying or malicious by tracking your behavior and displaying popup ads.

Action taken by HiJackThis:

  • Delete registry value and all corresponding keys (like settings and special IE BHO policies).
  • Dll file is deleted.
O4 - Autoloading Registry entries and 'Autostart' folder / msconfig disabled items

This part of the scan checks for several suspicious entries that autoload when Windows starts. Autoloading registry entries may load a script (VBS, JS, HTA file, etc.), possibly causing the Start Page, Search Page, Search Bar or Search Assistant to redirect to a hijacker's page. A DLL file can also be loaded that hooks into different parts of your system. Scripts, other programs, or fileless registry entries (e.g. the legitimate system file PowerShell.exe with arguments) in autostart can also be used as droppers that load other malicious files via the internet, or ensure the survival of malware after a reboot.
The O4 section also includes the list of disabled autorun items (MSConfig / TaskMgr).
Area to be checked: registry keys and 'Autostart' folder.

Infected example

regedit c:\windows\system\sp.tmp /s

Action taken by HiJackThis:

  • Autostarting registry entries - registry value is deleted.
  • Also, the corresponding process will be killed or frozen.
  • 'AutoStart' folder - autoloading file is deleted.
  • Disabled autorun items - registry entry is deleted (For Windows 8+: autoloading file is deleted too. For Windows 7 and older: autoloading file left in the folder: C:\Windows\pss).
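The O4 text names the traits that make an autorun entry worth a second look: a script interpreter or other system binary launched with arguments (the fileless case), a script file, or a program started from a temporary folder. The following added example (not HiJackThis code) applies those heuristics to a constructed dictionary of Run-key style entries; the regedit line is the infected example from above, the other entries and the lists of script hosts, extensions and temp-folder markers are assumptions made for the example.

```python
import ntpath
import shlex

# Constructed sample of autorun entries (value name -> command line).
# Only the "sp" line comes from the tutorial; the rest are made up.
SAMPLE_AUTORUNS = {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
    "sp": r"regedit c:\windows\system\sp.tmp /s",
    "Updater": r'"C:\Users\user\AppData\Local\Temp\upd.vbs"',
    "Loader": r"powershell.exe -w hidden -enc SQBFAFgA",
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}

# Assumed heuristics: legitimate system binaries that are often used to run
# something else, script extensions, and folder names that suggest a dropper.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe",
                "regedit.exe", "rundll32.exe", "cmd.exe"}
SCRIPT_EXTS = {".vbs", ".js", ".hta", ".ps1", ".bat", ".cmd"}
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")
QUOTE = '"'


def split_cmdline(cmdline):
    """Tokenize a Windows command line; non-POSIX mode keeps backslashes literal."""
    return [t.strip(QUOTE) for t in shlex.split(cmdline, posix=False)]


def autorun_findings(cmdline):
    """Return the list of reasons this command line deserves review (empty if none)."""
    toks = split_cmdline(cmdline)
    if not toks:
        return []
    reasons = []
    prog = ntpath.basename(toks[0]).lower()
    if "." not in prog:
        prog += ".exe"                      # "regedit" is resolved to regedit.exe
    if prog in SCRIPT_HOSTS:
        reasons.append(f"system host program {prog} started with arguments")
    for tok in toks:
        if ntpath.splitext(tok)[1].lower() in SCRIPT_EXTS:
            reasons.append(f"script file in command line: {tok}")
    lowered = cmdline.lower()
    if any(marker in lowered for marker in TEMP_MARKERS):
        reasons.append("runs from a temporary folder")
    if "-enc" in lowered.split() or "-encodedcommand" in lowered:
        reasons.append("encoded PowerShell command")
    return reasons


def audit_autoruns(entries):
    """Map each flagged entry name to its reasons; clean entries are omitted."""
    report = {}
    for name, cmdline in entries.items():
        reasons = autorun_findings(cmdline)
        if reasons:
            report[name] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in audit_autoruns(SAMPLE_AUTORUNS).items():
        print(name)
        for r in reasons:
            print("   ", r)
```

These checks are deliberately one-sided: they never clear an entry, they only say why it stands out. A signed vendor updater living in a user profile will not trip them, and a renamed interpreter will slip past the host-program check, so the output is a review queue, not a removal list.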
O5 - Hiding Control Panel items

Modifying CONTROL.INI can cause Windows to hide certain icons in the Control Panel. Though originally meant to speed up Control Panel loading and reduce clutter, it can also be used by hijackers, for example, to prevent access to the 'Internet Options' window.
Area to be checked: control.ini file and equivalent locations in the registry.

Infected examples

control.ini: [don't load] inetcpl.cpl = yes (Internet Control Panel)
HKCU\Control Panel\don't load: [Firewall.cpl] (Windows Firewall Control Panel)

Action taken by HiJackThis:

  • depending on location, line is deleted from Control.ini file or registry value is deleted.
O6 - IE Policy: Disabling of 'Internet Options' main tab

Disabling the 'Internet Options' menu entry in the 'Tools' menu of IE is done using Windows Policies. Normally used by administrators to restrict user access, it can also be used by hijackers to prevent access to the 'Internet Options' window.
StartPage Guard also uses Policies to restrict homepage changes, done by hijackers.

Action taken by HiJackThis:

  • corresponding information is deleted from the registry.
O7 - Policies: Regedit, Explorer / IP Security settings / Certificates / OS troubleshooting

O7 - Policies: Regedit, TaskMgr, Explorer and "Start" menu

Regedit is disabled using Windows Policies. Normally used by administrators to restrict users, it can also be used by hijackers to prevent access to the Registry editor. This results in a message saying that your administrator does not allow you to access Regedit. Malicious programs also disable access to the Task Manager to protect themselves from termination. Some items may be blocked in Explorer and the Start menu, making navigation difficult; for instance, a drive is hidden in the "My Computer" folder.

O7 - IPSec

IP Security Policies allow or block network data packets, and fine-tune source and destination packet filters like IP address (including subnet), type, port number and more.

O7 - Untrusted Certificate

Malicious programs can add antivirus digital signature hashes to the list of untrusted certificates, thereby blocking the launch of executable files.

O7 - TroubleShooting

Here, incorrect OS settings are displayed, which potentially lead to system and software malfunctions. These include:

  1. [EV] Incorrect value and/or type of environment variable. Check for important paths in the %PATH% variable.
  2. [Disk] Lack of free space on the system disk (less than 1 GB.)
  3. [Network] Wrong network settings, e.g. empty computer name.

Action taken by HiJackThis:

  • for O7 - Policies: registry value is deleted.
  • for O7 - IPSec: all registry keys associated with the marked policy are deleted, including all the filters that apply to it.
  • for O7 - Untrusted Certificate: registry key is deleted.
  • for O7 - TroubleShooting: [EV] variables will be reset to defaults. For %PATH% - the missing path will be added.
  • for O7 - TroubleShooting: [Disk] Microsoft disk cleanup manager CleanMgr will be launched in automatic mode.
  • for O7 - TroubleShooting: [Network] standard settings will be applied.
O8 - Internet Explorer: Extra context menu items

Extra items in the context (right-click) menu can prove helpful or annoying. Some recent hijackers add items to the context menu. The Internet Explorer PowerTweaks Web Accessory adds several useful items, including "Highlight", "Zoom In/Out", "Links list", "Images list" and "Web Search".

Action taken by HiJackThis:

  • Registry key is deleted.
O9 - Internet Explorer: Extra services and buttons

Extra items in the Internet Explorer 'Tools' menu and extra buttons in the main toolbar are usually present as branding (Dell Home button) or added after system updates (MSN Messenger button) and rarely by hijackers. The Internet Explorer PowerTweaks Web Accessory adds two menu items, "Add site to Trusted Zone" and "Add site to Restricted Zone".

Action taken by HiJackThis:

  • Registry key is deleted.
O10 - Breaking of Internet access due to the damage or infection in Winsock LSP

The Windows Socket system (Winsock) uses a list of providers for resolving DNS names (i.e. translating www.microsoft.com into an IP address). This is called the Layered Service Provider (LSP). Some programs are capable of injecting their own (spyware) providers in the LSP. If files referenced by the LSP are missing or the 'chain' of providers is broken, none of the programs on your system can access the Internet. Removing references to missing files and repairing the chain will generally restore Internet access.
Note: LSP fixing is a risky procedure. You can get WinSockReset from https://www.foolishit.com/vb6-projects/winsockreset/ to repair the Winsock stack.

Action taken by HiJackThis:

  • Not provided. You will be asked to go to www.foolishit.com and download the WinSockReset program.
O11 - Internet Explorer: options in 'Advanced' settings tab

Options in the 'Advanced' tab of Internet Explorer options are stored in the Registry, and extra options can be added by creating extra Registry keys. Very rarely, spyware/hijackers add their own options which are hard to remove. (e.g. CommonName adds a section 'CommonName' with a few options.)

Action taken by HiJackThis:

  • Registry key is deleted.
O12 - Internet Explorer: plugins for file extensions or MIME types

Plugins handle filetypes that aren't supported natively by Internet Explorer. Common plugins handle Macromedia Flash, Acrobat PDF documents, and Windows Media formats, enabling the browser to open these itself instead of launching a separate program. When hijackers or spyware add plugins for their filetypes, malware - even if it's been removed - may be reinstalled if the browser opens a file handled by that plugin.

Action taken by HiJackThis:

  • Registry key and plugin file are deleted.
O13 - Internet Explorer: Hijacking of URL prefixes

When you type a URL into Internet Explorer's Address bar without the prefix (http://), a prefix is automatically added when you hit Enter. This prefix is stored in the Registry, together with the default prefixes for FTP, Gopher and other protocols. When a hijacker changes these to the URL of their server, you are always redirected there when you do not enter a prefix. For example, Prolivation uses this hijack.

Action taken by HiJackThis:

  • Registry value is restored to default data.
O14 - Internet Explorer: Changing of IERESET.INF

When you hit 'Reset Web Settings' on the 'Programs' tab of the Internet Explorer Options dialog, your homepage, search page and a few other sites are reset to default values. These defaults are stored in C:\Windows\Inf\Iereset.inf. When a hijacker changes these to his own URLs, 'Reset Web Settings' causes you to be (re)infected. For example, SearchALot uses this hijack.

Action taken by HiJackThis:

  • Value in the Inf file is restored to default data.
O15 - Internet Explorer: Web-sites and protocols in 'Trusted Zone'

Websites in the Trusted Zone (see Tools → Internet Options → Security → Trusted sites → Sites) are allowed to use potentially dangerous scripts and ActiveX objects. Some programs automatically add sites to the Trusted Zone without you knowing. Only a very few legitimate programs are known to do this.

Action taken by HiJackThis:

  • Registry key is deleted.
  • Protocol to Zone mapping defaults is restored.
O16 - Downloaded Program Files items (DPF)

The Download Program Files (DPF) folder in your Windows base folder holds various programs that were downloaded from the Internet. These programs are loaded whenever Internet Explorer is active. Legitimate examples include the Java VM, Microsoft XML Parser and Google Toolbar. When deleted, these objects are downloaded and installed again (after prompting). Unfortunately, IE also lets malicious sites automatically download things like porn dialers, bogus plugins, and ActiveX Objects to this folder, which haunt you with popups, large phone bills, random crashes, and other browser hijackings.

Action taken by HiJackThis:

  • registration of DPF CLSID is cancelled.
  • dll file and downloaded file are deleted.
O17 - Domain and DNS hijack / DNS issued by router through DHCP

Windows uses several registry values to help resolve domain names into IP addresses. Hijacking these values can cause all programs that use the Internet to redirect to other pages. Lop.com uses this method, together with a (huge) list of cryptic domains.
DHCP DNS in this section displays the DNS address issued by the router by DHCP, i.e. when the "Automatically receive DNS address" checkbox is selected in network connection settings.

Action taken by HiJackThis:

  • Registry value is deleted.
  • When fixing DHCP DNS, DNS Resolver Cache is flushed. The user must manually configure the router by entering the address specified by their contract provider BEFORE fixing this item in HiJackThis.
O18 - Protocols and filters hijack

A protocol is a 'language' Windows uses to 'talk' to programs, servers or itself. Webservers use the 'http:' protocol, FTP servers use the 'ftp:' protocol, Windows Explorer uses the 'file:' protocol. Introducing a new protocol to Windows or changing an existing one can change how Windows handles files. CommonName and Lop.com both register new protocols when installed (cn: and ayb:).
Filters are content types accepted by Internet Explorer (and internally by Windows). If a filter exists for a content type, data will pass through the content-type file handler first. Several variants of the CWS trojan add text/html and text/plain filters, allowing them to hook all webpage content passed through Internet Explorer.

Action taken by HiJackThis:

  • Registry key and file are deleted.
  • File is deleted (if it does not belong to Microsoft).
O19 - User stylesheet hijack

IE has an option to use a user-defined stylesheet for all pages instead of the default one, to enable handicapped users to better view the webpages. An especially vile hijacking method made by Datanotary has surfaced, which overwrites any stylesheet the user has configured and replaces it with one that causes popups, as well as a system slowdown when typing or loading pages with many pictures.

Action taken by HiJackThis:

  • Registry value is deleted.
  • Use of the user stylesheet is disabled.
O20 - AppInit_DLLs, Winlogon Notify

Files specified in the AppInit_DLLs Registry value are loaded very early during Windows startup and stay in memory until system shutdown. This way of loading a .dll is rarely used, except by trojans. Examples of legitimate records here can be libraries of video drivers or cryptographic systems. AppInit_DLLs will not load if Secure Boot is enabled. The WinLogon Notify Registry subkeys load dll files into memory at a similar point in the boot process, keeping them loaded into memory until the session ends. Apart from several Windows system components, adware like VX2, ABetterInternet and Look2Me use this Registry key.
Since both methods ensure the dll file stays loaded in memory, fixing this won't help if the dll restores Registry values or keys after you fix them. In such cases, it is recommended to use the 'Delete file on reboot' function or KillBox to first delete the file.

Action taken by HiJackThis:

  • for AppInit_DLLs: Concrete registry value is cleared; parameter is NOT deleted.
  • for Winlogon Notify: Registry key is deleted.
O21 - Shell Service Object Delay Load (SSODL), Shell Icon Overlay (SIOI), ShellExecuteHooks (SEH)

This is an undocumented Registry key that contains a list of CLSID references, which in turn reference .dll files that are loaded by Explorer.exe at system startup. The dll files stay in memory until Explorer.exe quits, which is achieved either by shutting down the system or killing the shell process.
ShellIconOverlayIdentifiers works similarly. This registry key contains several subkeys with identifiers of the files loaded into Explorer.exe. Usually, one program registers several such handlers at once. Key names often start with a few spaces. These libraries are responsible for handling file icon rendering in Windows Explorer, depending on certain conditions (file types or other factors). An example of a legitimate program is the Yandex.Disk cloud storage client, which changes the appearance of the icon depending on the state of file synchronization. A malicious program that installed such a handler can execute arbitrary code via the dll.

Action taken by HiJackThis:

  • Registry value or key is deleted together with CLSID identifier key.
  • dll file is deleted.
  • Explorer is restarted.
O22 - Shared Task Scheduler jobs

Task Scheduler is a service that can be configured to run an arbitrary process at a specified time or on a certain schedule. One such setting is called a Job. Jobs (tasks) can be run with elevated privileges without requesting UAC, be bound to a specific user, contain the paths to the processes, arguments, states, and so on. Malware often uses tasks to provide autorun and still survive after a process is restarted. Tasks can be managed through the Task Scheduler snap-in (taskschd.msc).

Action taken by HiJackThis:

  • The task is disabled.
  • Tasks' process is killed.
  • The task file, executable file and all associated registry keys are deleted.
O23 - Windows Services

O23 - Service

'Services' are a special type of program that is essential to the system and required for its proper functioning. Service processes are started before the user logs in and are protected by Windows. They can only be stopped from the services dialog in the Administrative Tools window. Malware that registers itself as a service is subsequently also harder to kill.

O23 - Driver

(the subsection is only available in the "Additional scan" mode)

A driver is a kind of service that is launched at an earlier stage of the system boot and runs with kernel privileges. Malicious programs can also install their own drivers. For instance, this is used to prevent their removal (programs running with Administrator or Local System rights cannot kill kernel-level processes), as well as to mask their presence, files and processes (so-called rootkits).
Note: a "Driver R" item without a digit character in the log is a dynamically loaded driver (not loaded through the registry).

O23 - Dependency

(the subsection is only available in the "Additional scan" mode)

Malicious programs can write themselves into the list of dependencies of a system service to protect themselves from deletion. After such a service is removed, the legitimate Microsoft service will no longer be able to start. Some Windows services are critical for the normal operation of the OS; if they fail to start, other programs are affected, up to a failure of the whole OS boot. Some services are also combined into a named service group. If a service depends on a service group, it will not start until all services that belong to that group have started. HiJackThis also checks for third-party services that have been included in a Microsoft service group.

Action taken by HiJackThis:

  • Service (or driver) is disabled, stopped and removed.
  • Reboot will be prompted.
  • For O23 - Dependency: the dependency will be deleted from the registry.
O24 - ActiveX Desktop Components

Desktop Components are ActiveX objects that can be made part of the desktop whenever Active Desktop is enabled. They run as (small) website widgets. Malware abuses this feature by setting the desktop background to a local HTML file with a large, bogus warning; for example, ransomware may show the text of its ransom demands this way.

Action taken by HiJackThis:

  • Registry key and file are deleted.
  • Explorer is restarted and desktop background is updated.
O25 - WMI permanent event consumers

Windows Management Instrumentation is a default Windows service. It can create permanent event consumers for both legitimate and malicious purposes. These events can collect hardware and software data to automate malware activities like spying. They can create pipes to connect between machines, or execute external script files or script code stored inside (fileless). Events can be triggered by the WMI subsystem at set intervals (like Task Scheduler) or manually when applications execute special WMI queries.
Note: only the consumer is tested. If there is only a filter, binding and/or timer (without a consumer), the item is not displayed in the log.

Action taken by HiJackThis:

  • event consumer, filter, timer and binding are deleted in WMI database;
  • associated file is also deleted.
O26 - Process debuggers

In the 'Image File Execution' Registry key, a program can be set up to use a debugger. Whenever the host program is started, the 'debugger' program is loaded instead.
Note: when the debugger file has been deleted but the value is still set, the host program will not start!

An attacker can also configure a debugger to run together with default UWP applications, like 'Cortana' or 'People' (Win 10 only). Since these applications usually start automatically when the system boots, this gives the attacker's malware an autorun (much like O4).

Action taken by HiJackThis:

  • registry value is deleted.

Command-line keys:
Key: Explanation:
/accepteula Accept the agreement. It will not be displayed when the program starts.
/autolog Automatically scan the system, save a logfile and open it.
/silentautolog Automatically scan the system, save a logfile and close the program.
/startupScan Automatically scan the system in silent mode and only show a window if items were found.
/StartupList Run scan by 'StartupList' module.
/noGUI Do not show program window during the scan.
/sysTray Run program minimized in notification area (system tray).
/saveLog "c:\Path" Save log in specified folder (or /saveLog "c:\Path\Name.log" - to change also a log name).
/default Load default settings (they will not be saved).
/area+Process Include list of running processes in report (enter /area-Process to exclude).
/area+Modules Include list of modules loaded by processes (enter /area-Modules to exclude).
/area+Environment Include environment variables and special folders in report (enter /area-Environment to exclude).
/area+Additional Execute "Additional scan" (enter /area-Additional to exclude).
/skipIgnoreList Do not load ignore list.
/ihatewhitelists Ignore all internal whitelists.
/md5 Calculate md5 hash of files.
/timeout:sec Number of seconds allowed for HiJackThis to be run in /silentautolog mode (180 by default; 0 - to disable).
/tool:StartupList Opens integrated tool "StartupList 2"
/tool:UninstMan Opens integrated tool "Uninstall Programs Manager"
/tool:DigiSign Opens integrated tool "Digital Signatures Checker"
/tool:RegUnlocker Opens integrated tool "Registry Key Unlocker"
/tool:ADSSpy Opens integrated tool "Alternative Data Streams Spy"
/tool:Hosts Opens integrated tool "Hosts File Manager"
/tool:ProcMan Opens integrated tool "Itty Bitty Process Manager"
/tool:CheckLNK Opens stand-alone plugin "Check Browsers' LNK"
/tool:ClearLNK Opens stand-alone plugin "ClearLNK"
/autostart Set Windows to automatically run a HJT scan after system boot up (use with /install key).
/install Install HiJackThis to 'Program Files' folder and create shortcuts.
/uninstall Remove all HiJackThis Registry entries and backups, then quit.
/silentuninstall /uninstall analogue, except it disables confirmation requests.
/deleteonreboot "c:\file.sys" Delete the specified file after system rebooting using PendingFileRenameOperations mechanism.
/LangEN Force the English language for the user interface.
/LangRU Force the Russian language for the user interface.
/LangUA Force the Ukrainian language for the user interface.
/debug Tracing mode. Function names will be appended to main log and HiJackThis_debug.log file. You can also rename the file to HiJackThis_debug.exe.
/debugtofile Trace info will be saved to HiJackThis_debug.log file only.
  • Keys are case insensitive.
  • Keys can be combined together.
  • Keys can also be specified via a hyphen, for example: -autolog