This is from the the HijackThis turorial it explains what the letters in it's report reffer to; http://www.spywareinfo.com/~merijn/htlogtutorial.html HijackThis log tutorial On the forums of SpywareInfo, a lot of people new to browser hijacking post topics asking for help analyzing logs from HijackThis, because they don't understand what stuff is good and what is bad. This is a basic guide as to what the log means, and some tips on reading it yourself. This should in no way replace asking for help in the SWI forums, but help you somewhat in understanding the log yourself. Overview Each line in a HijackThis log starts with a section name. (For technical information on this, click 'Info' in the main window and scroll down. Highlight a line and click 'More info on this item'.) For practical information, click the section name you need help with: R0, R1, R2, R3 - Internet Explorer Start/Search pages URLs F0, F1 - Autoloading programs N1, N2, N3, N4 - Netscape/Mozilla Start/Search pages URLs O1 - Hosts file redirection O2 - Browser Helper Objects O3 - Internet Explorer toolbars O4 - Autoloading programs from Registry O5 - IE Options icon not visible in Control Panel O6 - IE Options access restricted by Administrator O7 - Regedit access restricted by Administrator O8 - Extra items in IE right-click menu O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu O10 - Winsock hijacker O11 - Extra group in IE 'Advanced Options' window O12 - IE plugins O13 - IE DefaultPrefix hijack O14 - 'Reset Web Settings' hijack O15 - Unwanted site in Trusted Zone O16 - ActiveX Objects (aka Downloaded Program Files) O17 - Lop.com domain hijackers O18 - Extra protocols and protocol hijackers O19 - User style sheet hijack R0, R1, R2, R3 - IE Start & Search pages What it looks like: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ R2 - (this type is not used by HijackThis yet) R3 - Default URLSearchHook is missing What to do: If you recognize the URL at the end as your homepage or search engine, it's OK. If you don't, check it and have HijackThis fix it. For the R3 items, always fix them unless it mentions a program you recognize, like Copernic. F0, F1, F2, F3 - Autoloading programs from INI files What it looks like: F0 - system.ini: Shell=Explorer.exe Openme.exe F1 - win.ini: run=hpfsched What to do: The F0 items are always bad, so fix them. The F1 items are usually very old programs that are safe, so you should find some more info on the filename to see if it's good or bad. Pacman's Startup List can help with identifying an item. ++ There is more on the web site. Mike ~ It is a good day if I learned something new. Editor MikesWhatsNews see ~ http://www.mwn.ca <mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe> See my Anti-Virus pages <http://www3.telus.net/mikebike/mikes_virus_page.htm> <virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe> A Technical Support Alliance & OWTA Charter Member -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Was this forwarded to you? Want to subscribe? Send an email to chadfree-request@xxxxxxxxxxxxx?Subject=subscribe. For a complete list of email commands for our list send an email to ecartis@xxxxxxxxxxxxx with a subject line of "info chadfree" without the quotes. If you wish to unsubscribe from our list send an email to; chadfree-request@xxxxxxxxxxxxx?Subject=unsubscribe To contact the list moderators send an email to chadfree-moderators@xxxxxxxxxxxxx -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-