Table of contents:
This tutorial has been updated for use with HiJackThis+ v.3.0.0.1 and newer.
The same text is available in English, French, Spanish, Russian and Ukrainian in the HiJackThis menu → Help → User's manual → Section descriptions.
Links to the Full version of tutorial:
- In Russian
- In English (translation is currently in progress)
The different sections of hijacking influences have been separated into the following groups:
- B - Browser extensions and policies:
- B - Chrome
- R - Changes in basic Internet Explorer settings:
- F - Autoloading from INI-files and corresponding registry locations
- O - Other sections:
- O1 - Hijack of Hosts and hosts.ics files / DNSApi hijacking
- O2 - Internet Explorer: BHO
- O3 - Internet Explorer: toolbars
- O4 - Autoloading Registry entries and 'Autostart' folder / msconfig disabled items
- O5 - Hiding of Control Panel items
- O6 - IE Policy: Disabling of 'Internet Options' main tab
- O7 - Policies: Regedit, Explorer, TaskMgr / IP Security / Certificates / OS troubleshooting / KnownFolder
- O8 - Internet Explorer: Extra context menu items
- O9 - Internet Explorer: Extra services and buttons
- O10 - Breaking of Internet access due to the damage or infection in Winsock LSP
- O11 - Internet Explorer: options in 'Advanced' settings tab
- O12 - Internet Explorer: plugins for file extensions or MIME types
- O13 - Internet Explorer: Hijacking of URL prefixes
- O14 - Internet Explorer: Changing of IERESET.INF
- O15 - Internet Explorer: Web-sites and protocols in 'Trusted Zone'
- O16 - Downloaded Program Files items (DPF)
- O17 - Domain and DNS hijack / DNS issued by router through DHCP
- O18 - Protocols and filters hijack
- O19 - User stylesheet hijack
- O20 - AppInit_DLLs, Winlogon Notify
- O21 - Shell Service Object Delay Load (SSODL), Shell Icon Overlay (SIOI), ShellExecuteHooks (SEH)
- O22 - Shared Task Scheduler jobs
- O23 - Windows Services and Drivers, Dependencies
- O24 - ActiveX Desktop Components
- O25 - WMI permanent event consumers
- O26 - Process debuggers
- O27 - Account & Remote desktop protocol
Detailed information on sections:
The Browser section lists suspicious extensions and policies. It is under construction at the moment, and only a few definitions and browsers are supported.
Action taken by HiJackThis:
- browser is closed.
- files and registry values are modified or deleted.
A Registry value changed from the default setting, resulting in a different IE Home page, Search Page, Search Bar Page or Search Assistant.
Action taken by HiJackThis:
- registry value is restored to default URL.
A Registry value not present in a default Windows install, possibly resulting in changed settings for Internet searches or other IE settings (IE Window Title, ProxyServer, ProxyOverride, Internet Connection Wizard, ShellNext, etc.)
Action taken by HiJackThis:
- Registry value is deleted.
A Registry key not present in a default Windows install. Currently, this section is not used (no database entries).
Action taken by HiJackThis:
- Registry key is deleted, with everything in it.
More than one value was detected inside the URLSearchHooks registry key. If you specify a URL address without the http:// or ftp:// prefix, the browser will attempt to figure out the correct protocol using the list in UrlSearchHook.
Action taken by HiJackThis:
- Registry value is deleted;
- default URLSearchHook value is restored.
Internet Explorer uses a search provider (DefaultScope) to show a list of tips in the search bar while you type search queries into the address bar. IE allows you to replace its default provider with any from the list (SearchScopes).
Action taken by HiJackThis:
- provider key is deleted.
- default value of DefaultScope (Microsoft Bing) and provider parameters are recovered.
An ini-file value changed from the default value, possibly resulting in program(s) loading at Windows startup. Often used to autostart a program.
File checked: C:\Windows\system.ini
Default value
Shell=explorer.exe
Infected example
Shell=explorer.exe,openme.exe
Action taken by HiJackThis:
- default ini-file value is restored.
- corresponding file is NOT deleted.
An ini-file value that is not present in a default Windows install, possibly resulting in program(s) loading at Windows startup. Often used to autostart a program.
File checked: C:\Windows\win.ini
Default values
run=
load=
Infected example
run=dialer.exe
Action taken by HiJackThis:
- ini-file value is deleted.
- corresponding file is NOT deleted.
F2 section corresponds to the equivalent location in registry for system.ini file (F0).
A registry value changed from the default value, possibly resulting in program(s) loading at Windows startup. Often used to autostart a program.
To be checked:
\Software\Microsoft\Windows NT\CurrentVersion\WinLogon → Shell
\Software\Microsoft\Windows NT\CurrentVersion\WinLogon → UserInit
Default values:
UserInit=C:\Windows\System32\UserInit.exe,
Shell=explorer.exe
Shell=%WINDIR%\explorer.exe
Infected examples:
UserInit=C:\Windows\System32\UserInit.exe,C:\Windows\apppatch\capejw.exe,
Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
Action taken by HiJackThis:
- default registry value is restored.
- corresponding file is NOT deleted.
F3 section corresponds to the equivalent location in the registry for the win.ini file (F1).
A registry value not present in a default Windows install, possibly resulting in program(s) loading at Windows startup. Often used to autostart a program.
To be checked
\Software\Microsoft\Windows NT\CurrentVersion\Windows → run
\Software\Microsoft\Windows NT\CurrentVersion\Windows → load
Default values
run=
load=
Infected example
run=C:\WINDOWS\inet20001\services.exe
Action taken by HiJackThis:
- registry value is deleted.
- corresponding file is NOT deleted.
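The F0-F3 comparison described above, as an added Python example (not HiJackThis code and not part of the original tutorial): it compares system.ini / win.ini content and the Winlogon / Windows registry values against the defaults listed on this page and reports every extra entry. The function names, the `[boot]` and `[windows]` ini section names and the expansion of %WINDIR% to C:\Windows are assumptions of the example; the sample inputs are constructed from the infected examples shown above.

```python
import re

# Defaults as listed in the F0-F3 descriptions above (compared lower-cased).
# Expanding %WINDIR% to C:\Windows is an assumption of this example.
DEFAULTS = {
    "shell": {"explorer.exe", r"c:\windows\explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe"},
    "run": set(),
    "load": set(),
}
# (file, ini section, key) -> section label. The [boot] and [windows] ini
# section names are the standard Windows ones; the page does not list them.
INI_RULES = {
    ("system.ini", "boot", "shell"): "F0",
    ("win.ini", "windows", "run"): "F1",
    ("win.ini", "windows", "load"): "F1",
}
REG_RULES = {"shell": "F2", "userinit": "F2", "run": "F3", "load": "F3"}

# A quoted string or a run of characters up to the next comma or whitespace.
# Unquoted paths containing spaces come back as fragments; each is still reported.
TOKEN = re.compile(r'"([^"]*)"|([^\s,]+)')


def extra_commands(name, value):
    """Return the entries of value that are not part of the default for name."""
    allowed = DEFAULTS[name.lower()]
    extras = []
    for quoted, bare in TOKEN.findall(value):
        item = quoted or bare
        norm = item.lower().replace("%windir%", r"c:\windows")
        if item and norm not in allowed:
            extras.append(item)
    return extras


def scan_ini(filename, text):
    """Return (label, key, extra entry) tuples for system.ini / win.ini content."""
    findings, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        label = INI_RULES.get((filename.lower(), section, key.lower()))
        if sep and label:
            findings += [(label, key, item) for item in extra_commands(key, value)]
    return findings


def scan_registry(values):
    """values: {value name: data} as read from the WinLogon / Windows keys."""
    findings = []
    for name, data in values.items():
        label = REG_RULES.get(name.lower())
        if label:
            findings += [(label, name, item) for item in extra_commands(name, data)]
    return findings


# Constructed samples built from the infected examples shown above.
SAMPLE_SYSTEM_INI = "; constructed\n[boot]\nShell=explorer.exe,openme.exe\n[drivers]\ntimer=timer.drv\n"
SAMPLE_WIN_INI = "[windows]\nrun=dialer.exe\nload=\n"
SAMPLE_REGISTRY = {
    "UserInit": r"C:\Windows\System32\UserInit.exe,C:\Windows\apppatch\capejw.exe,",
    "Shell": r'explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"',
    "run": r"C:\WINDOWS\inet20001\services.exe",
}

if __name__ == "__main__":
    for finding in (scan_ini("system.ini", SAMPLE_SYSTEM_INI)
                    + scan_ini("win.ini", SAMPLE_WIN_INI)
                    + scan_registry(SAMPLE_REGISTRY)):
        print(*finding, sep=" | ")
```

As with the fix HiJackThis applies, a finding here only identifies the extra autostart entry; the referenced file still has to be examined separately.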
- Windows uses records in the 'hosts' file to look up domain names before querying internet DNS servers. Changes to the 'hosts' file can make Windows believe that e.g. 'google.com' has a different IP than it actually has, leading browsers to open a different page. It can also block site(s) entirely by redirecting them to localhost or a non-existent IP.
- Attackers can also hijack the DNSApi.dll file to alter the location where the system loads the hosts file (all OS versions). Example: Hijacker.DNS.Hosts / Trojan.Win32.Patched.qw.
- Attackers can also change registry DatabasePath values (Win XP/2003 and older).
- Hosts.ics file is created automatically when you share internet access. It contains a mapping between IP and home (local) network domain and can be hijacked in the same way as a hosts file.
Legal entry example
Hosts.ics: 192.168.137.1 AnakonDA.mshome.net # 2018 5 2 22 8 3 40 685
Infected examples:
213.67.109.7 google.com
127.0.0.1 kaspersky.ru
DNSApi: File is patched - c:\Windows\system32\dnsapi.dll
Hosts file is located at: c:\windows\System32\drivers\etc\hoctc
Action taken by HiJackThis:
- For hosts and hosts.ics entries - Line is deleted from file.
- For DNSApi - dll file is recovered if available using SFC subsystem.
- For altered hosts location - default registry value is restored.
- Also, DNS cache entries are flushed and DNS caching services are restarted.
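A check for the two hosts-file effects described above (redirecting a name to a different IP, or blocking it via localhost), as an added Python example that is not HiJackThis code and not part of the original tutorial. The function names, the verdict labels, treating `localhost` as the only default name, and accepting `.mshome.net` names on private addresses in Hosts.ics are assumptions of the example; the sample text is constructed from the entries shown above.

```python
import ipaddress

DEFAULT_NAMES = {"localhost"}   # names a clean hosts file may map (assumption)
ICS_SUFFIX = ".mshome.net"      # suffix seen in the legitimate Hosts.ics entry above


def parse_hosts(text):
    """Yield (line number, ip text, [hostnames]) for every active line."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments, inline ones included
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 2:                  # one address may carry several names
            yield no, fields[0], fields[1:]


def classify(ip_text, name, ics=False):
    """Return 'default', 'ics-local', 'blocked', 'redirected' or 'invalid-ip'."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid-ip"
    if name.lower() in DEFAULT_NAMES and ip.is_loopback:
        return "default"
    if ics and name.lower().endswith(ICS_SUFFIX) and ip.is_private:
        return "ics-local"                    # expected mapping for a shared connection
    if ip.is_loopback or ip.is_unspecified:
        return "blocked"                      # name resolves to the local machine or nowhere
    return "redirected"                       # name resolves to an address chosen by the file


def scan_hosts(text, ics=False):
    """Return (line number, ip, hostname, verdict) for every non-default entry."""
    findings = []
    for no, ip_text, names in parse_hosts(text):
        for name in names:
            verdict = classify(ip_text, name, ics)
            if verdict not in ("default", "ics-local"):
                findings.append((no, ip_text, name, verdict))
    return findings


# Constructed sample built from the entries shown above.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1       localhost
::1             localhost
213.67.109.7    google.com
127.0.0.1       kaspersky.ru   # constructed inline comment
"""
SAMPLE_HOSTS_ICS = "192.168.137.1 AnakonDA.mshome.net # 2018 5 2 22 8 3 40 685\n"

if __name__ == "__main__":
    for finding in scan_hosts(SAMPLE_HOSTS) + scan_hosts(SAMPLE_HOSTS_ICS, ics=True):
        print(finding)
```

The check only covers the file contents; a patched DNSApi.dll or an altered DatabasePath means the system may be reading a different file altogether, so the file location has to be verified as well.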
A BHO (Browser Helper Object) is a specially crafted program that integrates into IE, and has virtually unlimited access rights. Though BHOs can be helpful (like the Google Toolbar), hijackers often use them for malicious purposes such as tracking your online behavior, displaying popup ads, etc.
Action taken by HiJackThis:
- Delete BHO registry key and all corresponding keys (like CLSID and special IE BHO policies);
- Delete BHO dll file.
IE Toolbars are part of BHOs (Browser Helper Objects) like the Google Toolbar that may be helpful, but can also be annoying or malicious by tracking your behavior and displaying popup ads.
Action taken by HiJackThis:
- Delete registry value and all corresponding keys (like settings and special IE BHO policies).
- Dll file is deleted.
This part of the scan checks for several suspicious entries that autoload when Windows starts. Autoloading registry entries may load a script (VBS, JS, HTA file, etc) possibly causing the Start Page, Search Page, Search Bar or Search Assistant to redirect to a hijacker's page. A DLL file can also be loaded that hooks into different parts of your system. Scripts, other programs, or fileless registry entries (e.g. legit system file PowerShell.exe with arguments) in autostart can also be used as droppers that load other malicious files via the internet, or ensure the survival of malware after a reboot.
The O4 section also includes the list of disabled autorun items (MSConfig / TaskMgr).
Area to be checked: registry keys and 'Autostart' folder.
Infected example
regedit c:\windows\system\sp.tmp /s
Action taken by HiJackThis:
- Autostarting registry entries - registry value is deleted.
- Also, the corresponding process will be killed or frozen.
- 'AutoStart' folder - autoloading file is deleted.
- Disabled autorun items - registry entry and autoloading file are deleted.
Modifying CONTROL.INI can cause Windows to hide certain icons in the Control Panel. Though originally meant to speed up Control Panel loading and reduce clutter, it can also be used by hijackers, for example, to prevent access to the 'Internet Options' window.
Area to be checked: control.ini file and equivalent locations in the registry.
Infected examples
control.ini: [don't load] inetcpl.cpl = yes (Internet Control Panel)
HKCU\Control Panel\don't load: [Firewall.cpl] (Windows Firewall Control Panel)
Action taken by HiJackThis:
- depending on location, line is deleted from Control.ini file or registry value is deleted.
Disabling the 'Internet Options' menu entry in the 'Tools' menu of IE is done using Windows Policies. Normally used by administrators to restrict user access, it can also be used by hijackers to prevent access to the 'Internet Options' window.
StartPage Guard also uses Policies to restrict homepage changes made by hijackers.
Action taken by HiJackThis:
- corresponding information is deleted from the registry.
Action taken by HiJackThis:
- for O7 - Policies: registry value is deleted.
- for O7 - IPSec: all registry keys associated with the marked policy are deleted, including all the filters that apply to it.
- for O7 - Untrusted Certificate: registry key is deleted.
- for O7 - KnownFolder: the registry parameter of the well-known folder will be reset to its default value. The folder will be created on the disk if it is missing.
- for O7 - TroubleShooting: [EV] variables will be reset to defaults. For %PATH% - the missing path will be added.
- for O7 - TroubleShooting: [Disk] Microsoft disk cleanup manager CleanMgr will be launched in automatic mode.
- for O7 - TroubleShooting: [Network] standard settings will be applied.
Extra items in the context (right-click) menu can prove helpful or annoying. Some recent hijackers add items to the context menu. The Internet Explorer PowerTweaks Web Accessory adds several useful items, including "Highlight", "Zoom In/Out", "Links list", "Images list" and "Web Search".
Action taken by HiJackThis:
- Registry key is deleted.
Extra items in the Internet Explorer 'Tools' menu and extra buttons in the main toolbar are usually present as branding (Dell Home button) or added after system updates (MSN Messenger button) and rarely by hijackers. The Internet Explorer PowerTweaks Web Accessory adds two menu items, "Add site to Trusted Zone" and "Add site to Restricted Zone".
Action taken by HiJackThis:
- Registry key is deleted.
The Windows Socket system (Winsock) uses a list of providers for resolving DNS names (i.e. translating www.microsoft.com into an IP address). This is called the Layered Service Provider (LSP). Some programs are capable of injecting their own (spyware) providers in the LSP. If files referenced by the LSP are missing or the 'chain' of providers is broken, none of the programs on your system can access the Internet. Removing references to missing files and repairing the chain will generally restore Internet access.
Note: LSP fixing is a risky procedure. You can get WinSockReset from https://www.foolishit.com/vb6-projects/winsockreset/ to repair the Winsock stack.
Action taken by HiJackThis:
- Not provided. You will be asked to go to www.foolishit.com and download the WinSockReset program.
Options in the 'Advanced' tab of Internet Explorer options are stored in the Registry, and extra options can be added by creating extra Registry keys. Very rarely, spyware/hijackers add their own options which are hard to remove. (e.g. CommonName adds a section 'CommonName' with a few options.)
Action taken by HiJackThis:
- Registry key is deleted.
Plugins handle filetypes that aren't supported natively by Internet Explorer. Common plugins handle Macromedia Flash, Acrobat PDF documents, and Windows Media formats, enabling the browser to open these itself instead of launching a separate program. When hijackers or spyware add plugins for their filetypes, malware - even if it's been removed - may be reinstalled if the browser opens a file handled by that plugin.
Action taken by HiJackThis:
- Registry key and plugin file are deleted.
When you type a URL into Internet Explorer's Address bar without the prefix (http://), a prefix is automatically added when you hit Enter. This prefix is stored in the Registry, together with the default prefixes for FTP, Gopher and other protocols. When a hijacker changes these to the URL of their server, you are always redirected there when you do not enter a prefix. For example, Prolivation uses this hijack.
Action taken by HiJackThis:
- Registry value is restored to default data.
When you hit 'Reset Web Settings' on the 'Programs' tab of the Internet Explorer Options dialog, your homepage, search page and a few other sites are reset to default values. These defaults are stored in C:\Windows\Inf\Iereset.inf. When a hijacker changes these to his own URLs, 'Reset Web Settings' causes you to be (re)infected. For example, SearchALot uses this hijack.
Action taken by HiJackThis:
- Value in the Inf file is restored to default data.
Websites in the Trusted Zone (see Tools → Internet Options → Security → Trusted sites → Sites) are allowed to use potentially dangerous scripts and ActiveX objects. Some programs automatically add sites to the Trusted Zone without you knowing. Only a very few legitimate programs are known to do this.
Action taken by HiJackThis:
- Registry key is deleted.
- Protocol to Zone mapping defaults are restored.
The Downloaded Program Files (DPF) folder in your Windows base folder holds various programs that were downloaded from the Internet. These programs are loaded whenever Internet Explorer is active. Legitimate examples include the Java VM, Microsoft XML Parser and Google Toolbar. When deleted, these objects are downloaded and installed again (after prompting). Unfortunately, IE also lets malicious sites automatically download things like porn dialers, bogus plugins, and ActiveX Objects to this folder, which haunt you with popups, large phone bills, random crashes, and other browser hijackings.
Action taken by HiJackThis:
- registration of DPF CLSID is cancelled.
- dll file and downloaded file are deleted.
Windows uses several registry values to help resolve domain names into IP addresses. Hijacking these values can cause all programs that use the Internet to redirect to other pages. Lop.com uses this method, together with a (huge) list of cryptic domains.
DHCP DNS in this section displays the DNS address issued by the router by DHCP, i.e. when the "Automatically receive DNS address" checkbox is selected in network connection settings.
Action taken by HiJackThis:
- Registry value is deleted.
- When fixing DHCP DNS, DNS Resolver Cache is flushed. The user must manually configure the router by entering the address specified by their contract provider BEFORE fixing this item in HiJackThis.
A protocol is a 'language' Windows uses to 'talk' to programs, servers or itself. Webservers use the 'http:' protocol, FTP servers use the 'ftp:' protocol, Windows Explorer uses the 'file:' protocol. Introducing a new protocol to Windows or changing an existing one can change how Windows handles files. CommonName and Lop.com both register new protocols when installed (cn: and ayb:).
Filters are content types accepted by Internet Explorer (and internally by Windows). If a filter exists for a content type, data will pass through the content-type file handler first. Several variants of the CWS trojan add text/html and text/plain filters, allowing them to hook all webpage content passed through Internet Explorer.
Action taken by HiJackThis:
- Registry key and file are deleted.
- File is deleted (if it does not belong to Microsoft).
IE has an option to use a user-defined stylesheet for all pages instead of the default one, to enable handicapped users to better view the webpages. An especially vile hijacking method made by Datanotary has surfaced, which overwrites any stylesheet the user has configured and replaces it with one that causes popups, as well as a system slowdown when typing or loading pages with many pictures.
Action taken by HiJackThis:
- Registry value is deleted.
- Use of the user stylesheet is disabled.
Files specified in the AppInit_DLLs Registry value are loaded very early during Windows startup and stay in memory until system shutdown. This way of loading a .dll is rarely used, except by trojans. Examples of legitimate records here can be libraries of video drivers or cryptographic systems. AppInit_DLLs will not load if Secure Boot is enabled. The WinLogon Notify Registry subkeys load dll files into memory at a similar point in the boot process, keeping them loaded into memory until the session ends. Apart from several Windows system components, adware like VX2, ABetterInternet and Look2Me use this Registry key.
Since both methods ensure the dll file stays loaded in memory, fixing this won't help if the dll restores Registry values or keys after you fix them. In such cases, it is recommended to use the 'Delete file on reboot' function or KillBox to first delete the file.
Action taken by HiJackThis:
- for AppInit_DLLs: the specific registry value is cleared; the parameter is NOT deleted.
- for Winlogon Notify: Registry key is deleted.
This is an undocumented Registry key that contains a list of CLSID references, which in turn reference .dll files that are loaded by Explorer.exe at system startup. The dll files stay in memory until Explorer.exe quits, which is achieved either by shutting down the system or killing the shell process.
ShellIconOverlayIdentifiers works similarly. This registry key contains several subkeys with identifiers of the files loaded into Explorer.exe. Usually, one program registers several such handlers at once. Key names often start with a few spaces. These libraries are responsible for handling file icon rendering in Windows Explorer, depending on certain conditions (file types or other factors). An example of a legitimate program is the Yandex.Disk cloud storage client, which changes the appearance of the icon depending on the state of file synchronization. A malicious program that installs such a handler can execute arbitrary code via the dll.
Action taken by HiJackThis:
- Registry value or key is deleted together with CLSID identifier key.
- dll file is deleted.
- Explorer is restarted.
Task Scheduler is a service that can be configured to run an arbitrary process at a specified time or on a certain schedule. One such setting is called a Job. Jobs (tasks) can be run with elevated privileges without a UAC prompt, be bound to specific users, and contain the paths to the processes, arguments, states, and so on. Malware often uses tasks to provide autorun and to survive after a process is restarted. Tasks can be managed through the Task Scheduler snap-in (taskschd.msc).
Action taken by HiJackThis:
- The task is disabled.
- The task's process is killed.
- The task file, executable file and all associated registry keys are deleted.
O23 - Service
'Services' are a special type of program that is essential to the system and required for it to function properly. Service processes are started before the user logs in and are protected by Windows. They can only be stopped from the services dialog in the Administrative Tools window. Malware that registers itself as a service is subsequently also harder to kill.
O23 - Driver
A driver is a kind of service that is launched at an earlier stage of the system boot and runs with kernel privileges. Malicious programs can also install their own drivers. For instance, this is used to prevent deletion (programs running with Administrator or Local System rights cannot kill kernel-level processes), as well as to mask their presence, files and processes (so-called rootkits).
Note: a "Driver R" item without a digit character in the log is a dynamically loaded driver (not loaded through the registry).
O23 - Dependency
Malicious programs can write themselves into the dependency list of a system service to protect themselves from deletion. After removing such a service, the legitimate Microsoft service will no longer be able to start. Some Windows services are critical for the normal operation of the OS. If they fail to start, this can negatively affect other programs, up to the point where the whole OS fails to boot. Some services are also combined into a service group, which has its own name. If a service depends on a service group, it will not start until all services that belong to that group have started. HiJackThis also checks for third-party services that have been included in the Microsoft service group.
Action taken by HiJackThis:
- Service (or driver) is disabled, stopped and removed.
- Reboot will be prompted.
- For O23 - Dependency: the dependency will be deleted from the registry.
Desktop Components are ActiveX objects that can be made part of the desktop whenever Active Desktop is enabled. They run as (small) website widgets. Malware abuses this feature by setting the desktop background to a local HTML file with a large, bogus warning; ransomware, for example, may use it to show the text of its ransom demands.
Action taken by HiJackThis:
- Registry key and file are deleted.
- Explorer is restarted and desktop background is updated.
Windows Management Instrumentation is a default Windows service. It can create permanent event consumers for both legitimate and malicious purposes. These events can collect hardware and software data to automate malware activities like spying. They can create pipes to connect between machines, or execute external script files or script code stored inside (fileless). Events can be triggered by the WMI subsystem at set intervals (like Task Scheduler) or manually when applications execute special WMI queries.
Note: only the consumer is tested. If there is only a filter, binding and/or timer (without a consumer), the item is not displayed in the log.
Action taken by HiJackThis:
- event consumer, filter, timer and binding are deleted in WMI database;
- associated file is also deleted.
In the 'Image File Execution' Registry key, a program can be set up to use a debugger. Whenever the host program is started, the 'debugger' program is loaded instead.
Note: when the debugger file has been deleted but the debugger is still set, the host program will not start!
An attacker can also configure a debugger to run together with default UWP applications, like 'Cortana' or 'People' (Win 10 only). Since these applications usually start automatically when the system boots, the attacker gets autorun (much like O4) for his malware using this method.
Action taken by HiJackThis:
- registry value is deleted.
- (AutoLogon) represents the account name registered for automatic logon to the OS with a saved password. Malware can force automatic logon to prevent the user from changing accounts.
- (Bad profile) is a folder located at %SystemDrive%\Users which is not referenced by any of the user profiles.
- (Missing) is a registry record about SID and user profile, having profile folder missing from the disk.
- (Hidden) is an account hidden from the logon screen.
- (RDP Group) is a user who is a member of the RDP group. Membership allows remote connections on behalf of this user.
- (Other) other account settings in registry.
- (Port) informs about 3389 (TCP/UDP) inbound port opened in firewall.
- (Other) other remote desktop protocol settings.
Action taken by HiJackThis:
- for (AutoLogon): automatic logon is disabled. The user will be prompted to enter the password.
- for (Bad profile): the folder is removed.
- for (Hidden): unhides user account from the logon screen.
- for (RDP Group): cancels user's membership in the RDP group.
- for (Missing): user's SID record is removed from the registry. HKEY_USERS\<SID> key is not handled.
- for (Port): disables the firewall rule that allows incoming connections to port 3389.
- for (Other): registry entry is set to defaults.
| Key: | Explanation: |
|---|---|
| /accepteula | Accept the agreement. It will not be displayed when the program starts. |
| /autolog | Automatically scan the system, save a logfile and open it. |
| /silentautolog | Automatically scan the system, save a logfile and close the program. |
| /startupScan | Automatically scan the system in silent mode and only show a window if items were found. |
| /StartupList | Run scan by 'StartupList' module. |
| /noGUI | Do not show program window during the scan. |
| /sysTray | Run program minimized in notification area (system tray). |
| /saveLog "c:\Path" | Save log in specified folder (or /saveLog "c:\Path\Name.log" - to change also a log name). |
| /default | Load default settings (they will not be saved). |
| /area+Process | Include list of running processes in report (enter /area-Process to exclude). |
| /area+Modules | Include list of modules loaded by processes (enter /area-Modules to exclude). |
| /area+Environment | Include environment variables and special folders in report (enter /area-Environment to exclude). |
| /area+Additional | Execute "Additional scan" (enter /area-Additional to exclude). |
| /skipIgnoreList | Do not load ignore list. |
| /ihatewhitelists | Ignore all internal whitelists. |
| /md5 | Calculate md5 hash of files. |
| /sha1 | Calculate SHA1 hash of files. |
| /sha256 | Calculate SHA256 hash of files. |
| /timeout:sec | Number of seconds allowed for HiJackThis to be run in /silentautolog mode (180 by default; 0 - to disable). |
| /tool:StartupList | Opens integrated tool "StartupList 2" |
| /tool:UninstMan | Opens integrated tool "Uninstall Programs Manager" |
| /tool:DigiSign | Opens integrated tool "Digital Signatures Checker" |
| /tool:RegUnlocker | Opens integrated tool "Registry Key Unlocker" |
| /tool:RegTypeChecker | Opens integrated tool "Registry Key Type Checker" |
| /tool:ADSSpy | Opens integrated tool "Alternative Data Streams Spy" |
| /tool:Hosts | Opens integrated tool "Hosts File Manager" |
| /tool:ProcMan | Opens integrated tool "Itty Bitty Process Manager" |
| /tool:CheckLNK | Opens stand-alone plugin "Check Browsers' LNK" |
| /tool:ClearLNK | Opens stand-alone plugin "ClearLNK" |
| /install | Install HiJackThis to 'Program Files' folder and create shortcuts. |
| /instDir:"c:\Path" | Alternate installation path for HJT. |
| /noShortcuts | Disable creation of shortcuts during HJT installation via /install. |
| /autostart | Set Windows to automatically run a HJT scan after system boot up (use with /install key). |
| /install /autostart d:X | Install HJT in task scheduler to autorun with X sec. delay. |
| /uninstall | Remove all HiJackThis Registry entries and backups, then quit. |
| /silentuninstall | /uninstall analogue, except it disables confirmation requests. |
| /deleteonreboot "c:\file.sys" | Delete the specified file after the system reboots, using the PendingFileRenameOperations mechanism. |
| /noBackup | Disable backup creation during the fix. |
| /LangEN | Force the English language for the user interface. |
| /LangFR | Force the French language for the user interface. |
| /LangSP | Force the Spanish language for the user interface. |
| /LangRU | Force the Russian language for the user interface. |
| /LangUA | Force the Ukrainian language for the user interface. |
| /skipErrors | Do not show error messages and prevent warnings and errors from writing to log file. |
| /debug | Tracing mode. Function names will be appended to main log and HiJackThis_debug.log file. You can also rename the file to HiJackThis_debug.exe. |
| /debugtofile | Trace info will be saved to HiJackThis_debug.log file only. |
- Keys are case insensitive.
- Keys can be combined together.
- Keys can also be specified via a hyphen, for example:
-autolog