(aka AbuIbrahim12)

A. Elshafei

Guidelines Before Responding to Hijackthis Logs




When replying to a hijackthis log either it is a practice log or a live log, you will need to do the following actions in order:


1. The first thing is to make sure that hjt log posted is not an attachment. Do not open the log attachment. Ask the OP to copy and paste the logfile into a new post. A lot of forums have policies that the OP's should post the contents of the log file and not attach files unless requested to do so.


2. If the user posted an unreadable log or one with spaces in between the entries, have them rescan with HijackThis and when notepad opens, go to "Format" and uncheck "Word Wrap." Otherwise this will waist a lot of time for helpers to read the logfile.


3. Make sure:

- that hijackthis program used is the latest version

- the log file is not cut-off (incomplete log)

- hijackthis is not running from a temporary folder

- the date stamp of the log file is not more than a week old. You can ask the OP to post an updated logfile

- the OP is authorized to remove files from the company PC

- the OP is not being helped at another forum for the same log


4. Do not assist the OP at all if p2p programs are found within the log or mentioned anywhere by the OP. Request the OP to remove all the P2P programs before proceeding with the cleanup or advising any further instructions.


5. If there is any hints from the OP posts/log, or doubt that the OP may not be using a legitimate windows copy, then ask the OP to download and run the MGA diagnostics tool from microsoft to verify that the windows copy is valid. The tool can be downloaded from here:


If the windows copy is not legitimate, the thread should be locked immediately. The thread will also be locked if the OP has any cracks or warez to any other commercial software.

Hints of non-legitimate copies could be: wgatray.exe process is running. or If the OP has a very old service pack, like XP no-SP, XP SP1, Vista no-SP, Win 2k SP3. However, XP SP3 is relatively new so an OP with XP SP2 only should not raise an alarm.


6. If two or more antivirus programs are found, then ask the OP to uninstall one of them. Two antivirus programs are enough to make the computer unusable. So ask the OP to do so before or within the same post when providing malware removal instructions.


7. If the OP is infected with a malware, then It is a good practice to double-check if the malware is a backdoor+password stealer. In this case you will have to inform the OP about the compromise and to change passwords, contact banks, etc.

For more information about this, please see:



8. If there is no firewall or anti-virus and the OP does not have a serious infection. Then ask the OP to download, install, update and scan the computer before posting any removal instructions. However, if the OP has by definition a worm, a virus, backdoor, malicious keylogger, botnets, or an unknown malware that uses a service, then it is better to install the anti-virus after removing the malware. Viruses in particular are known to either disrupt, infect or delete anti-virus software especially if they aren't installed yet.


9. If the OP has any of the protection programs listed here, then ask the OP to temporarily disable the real time protection tools when providing instructions for malware removal. Once the malware is removed, remember to re-enable the protections tools. An exception to this is when the malware removal procedure is done in safe mode.


10. Once all of the above is cleared, then you can post removal instructions in any form that is applicable, using online scans, manually deleting files, hijackthis fixes, combofix, etc.


A. Elshafei (AbuIbrahim)

Microsoft MVP 2008

English: www.islaam.ca - Arabic: www.sahab.net