HijackFree Tutorial

Even though it is easier to use than HijackThis, HijackFree is still quite difficult, especially if you are not familiar with system files and processes. As the name suggests, HijackFree is made to fix and free hijacked parts of your system.

This tool is really meant for power users. Intermediate users can have a look and try it. It is not suitable for beginners.

Use this tool only when your antispyware program fails to remove the spyware symptoms or an unwanted BHO. Follow the removal guide first, before using HijackFree.


Download and install A-squared HijackFree

How to use HijackFree

Unlike HijackThis, not many forums provide help with using HijackFree. However, the advantage is that some users can easily recognize and remove programs that are suspicious or known to be dangerous. Before you delete something, you have to be sure that it is not an important file, program or process needed to keep the system fully functioning. You need to analyze each process in detail, for example:

- where the program comes from

- who wrote the program

- whether the app opens a TCP or UDP port to receive commands

- whether the program runs as a Windows service

HijackFree screenshot

HijackFree (HJF) screenshot. Green indicates that a process is safe. At the bottom of the screen, the properties of the selected process are explained in detail.

The icons:

The list icon has four functions. First, you can choose whether to view running processes or autoruns. Then, if you select HJT compatible, you can save your system information as a HijackThis log file in .txt format. You can also save it as XML.

The print icon has two functions. You can print the entire running process list, or view more detailed information about a certain object.

By clicking the refresh button, you download the latest definitions of benign and hostile programs. Your process list is then colored green, red, yellow or white.

This is the online analysis button. Clicking it takes you to the Emsisoft website, where you can check whether the forums describe problems related to yours.

Settings. Change the settings of the program here.

The colors:

If you select a certain section and click the refresh button, you'll see the entries colored green, yellow, red or white. These are the meanings:

Green : Entries colored green are safe. They can be processes, ActiveX objects, services or BHOs.

Yellow : Entries colored yellow are used by both malware and benign software. Click on the entry and scroll to the online information at the bottom of the details window underneath. This shows all the information available in the process database. Now compare the program paths listed there with the path of the active process on your PC. This requires a certain nose for detail. Assume that the path of the active process is:
c:\programs\knownmanufacturer\program.exe
and there are two entries in the process database for program.exe. One of them describes a hostile process with the path:
c:\windows\program.exe
and the other describes a benign process with the path:
c:\programs\knownmanufacturer\version 2\program.exe
In this case, you can assume that this is a benign process, because the program path only slightly differs from the process defined as benign (here only the version number in the folder name differs). If you also recognize the process from the manufacturer name as an intentionally installed benign program, then you can confidently note this program as "benign" and continue to the next process.
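The path comparison described above, written out as a small script. This is an added example, not code from HijackFree or Emsisoft: the database entries are the two paths quoted in the text, the component-wise similarity score (Python's difflib) and the 0.75 threshold are my own approximation of "only slightly differs", and a weak match is reported as "unknown" so that the entry still gets a web search.

```python
import difflib
from typing import List, Tuple

# Constructed process-database entries as the tutorial describes them:
# (path, verdict). The two paths are the ones quoted in the text above.
PROCESS_DB = [
    (r"c:\windows\program.exe", "hostile"),
    (r"c:\programs\knownmanufacturer\version 2\program.exe", "benign"),
]

def path_parts(path: str) -> List[str]:
    """Split a Windows path into lower-cased components, so that case does not
    matter and each folder counts as one unit of difference."""
    return [p for p in path.lower().replace("/", "\\").split("\\") if p]

def path_similarity(a: str, b: str) -> float:
    """Share of matching path components, 0.0 to 1.0 (difflib on the component lists)."""
    return difflib.SequenceMatcher(None, path_parts(a), path_parts(b)).ratio()

def rate_yellow_entry(active_path: str, db=PROCESS_DB,
                      min_similarity: float = 0.75) -> Tuple[str, str, float]:
    """Apply the manual yellow-entry check: compare the active process path with
    every database entry of the same file name and adopt the verdict of the
    closest path. Ties go to the hostile entry; a weak best match gives
    'unknown', meaning the entry still needs a web search."""
    name = path_parts(active_path)[-1]
    best = ("unknown", "", 0.0)
    for db_path, verdict in db:
        if path_parts(db_path)[-1] != name:
            continue  # the process database is looked up by file name
        score = path_similarity(active_path, db_path)
        if score < min_similarity:
            continue
        if score > best[2] or (score == best[2] and verdict == "hostile"):
            best = (verdict, db_path, score)
    return best

if __name__ == "__main__":
    verdict, match, score = rate_yellow_entry(r"c:\programs\knownmanufacturer\program.exe")
    print(f"{verdict}: closest database path {match!r}, similarity {score:.2f}")
```

For the tutorial's path the benign entry scores 8/9 and the hostile one only 4/7, so the verdict is "benign"; a process actually running from c:\windows\program.exe matches the hostile entry exactly.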

Red : There are two possible reasons for an entry colored red. Either it is malware, or the process database has no information on a benign process of the same name. Either way, it is better to check this process, for example by entering the name of the process in Google. The HJF details show the file properties, the installation directory, the loaded modules, the manufacturer's name and whether it opens a TCP or UDP port (very suspicious).

In the ActiveX case, an entry marked red refers to an object that is no longer present, so you can delete this entry without further problems. For example, if you install a toolbar and then uninstall it, the entry remains even though the toolbar is gone, and HJF marks it red.

White : No information found. It is a good idea to search the web for more info.

These colors won't give you concrete information on whether a process, object or file is malware, but at least they help you filter the list of processes.

Process tab

This tab shows the running processes and allows you to stop and delete unwanted programs. Click the refresh button. HijackFree (HJF) will compare the processes with an online database containing information on processes normally used by safe or malicious apps. You'll see that each process is colored green, red, yellow or white.

Terminate an unwanted process : First, you have to be sure that the process is really malicious. To terminate it, simply select the process and check "delete file". Click "Kill process". If you check "save backup", the process file will be quarantined.

Ports tab

TCP and UDP ports are channels that can be used for receiving commands from the internet. Port 80 is used by web servers, file transfer protocol (FTP) uses port 21, and port 25 is SMTP (for email). A malicious trojan can open a port to allow remote control of your computer. Any port number can be chosen, but a given port can only be used by one program at a time. By clicking the ports tab in HJF, you can see all open ports and the processes involved. Open ports are not necessarily hostile. Check which program opened the port and for what reason. If there is no need for the program to open a port, it can be considered suspicious. For example, a program that is supposed to do word processing does not normally open ports and is suspicious if it does.

Autoruns tab

This section is used to monitor and terminate unwanted programs that are loaded together with Windows. HJF shows 30 different autostart locations. Double-clicking an entry shows the location of the file on your hard disk. The most important autostarts are in the registry section. It is divided into many sections: all users, current user, .default, local service, network service and system. To deactivate an entry, simply uncheck "autorun enabled" and see what happens. If that autorun is malicious, you'll find that your system starts faster and runs better after disabling it. Delete the entry if you're sure it is malicious. However, please do not delete or disable security programs, such as your antivirus or firewall. If you do, you'll leave your system unprotected.

Just like in the process tab, you can press refresh to compare the entries with the a-squared online database. Be especially careful in the "Tricky startups" section, and definitely consult a specialist or obtain detailed information from the Web before deleting anything there; otherwise the system can very quickly be made unusable.

Windows Services

This part allows you to see the full path to each Windows service, see its details in the details window and distinguish hostile from benign services by color. Just like in the sections above, you can stop a suspected service and see what happens. If you're sure it is malicious, you may delete it.

Services are loaded by Windows when the system starts, before you even log on. Hence, if any malware is registered as a service, it is already active before you log on to Windows.

I think this feature is very useful, especially when you're uninstalling a fake or malicious antispyware program. SpyLocked, SpySheriff and many other fake programs usually register as Windows services, and the entry will still exist after you remove them. Hence, by using HJF, you can easily recognize and remove malicious services.

Others tab

You'll find that the "Others" section is very useful.

Explorer Addons

IE toolbars : This one is probably useful. Internet Explorer is probably the main target for malware, which can install itself as an irritating toolbar. Use this part to remove all such toolbars manually.


Shell Extensions : Right-click any icon on your desktop and you'll get a simple menu. Different functions can be added to this menu. For example, if you install an antivirus program, you'll get "Scan for viruses" in this right-click menu. Spyware can also be activated from here.

Shell Hooks : These are also modules that attach to Explorer in order to provide benign or hostile functionality.


Browser Helper Objects - BHOs : This one is commonly used by spyware. If you've been seriously infected by spyware before, the spyware probably installed itself as a BHO. This function allows you to remove any unwanted browser helper object in a snap.


Explorer Addons - ActiveX (browser ActiveX) : This is another function that affects the IE browser. These modules allow the functionality of IE to be extended. For example, Adobe Flash Player displays Flash animations. Spyware may also install itself as an ActiveX object.


LSP Protocols : A Layered Service Provider is a type of network driver that can be inserted between programs and the network card. LSPs can be used for good or bad purposes. On the good side, anti-spam programs can use this module to filter spam directly from the internet. On the other hand, adware can insert advertising into the incoming browser data stream. Be careful when deleting an LSP. If an LSP DLL is deleted without also deleting the associated entry in the list, then internet access might stop working. Hence, it is important to remove an LSP cleanly.

Hosts file : The Hosts file can also be used for benign and hostile purposes. The good purpose is for browsing: the Hosts file allows the name-to-address mapping normally obtained from the DNS server to be overridden. For example, when you visit the website www.emsisoft.com, the DNS address is 80.237.191.14. If this line is added to your Hosts file: 127.0.0.1 www.emsisoft.com, then the next time you type www.emsisoft.com in your browser you'll be accessing your own computer, 127.0.0.1, instead of the Emsisoft server (80.237.191.14). Spyware uses this Hosts trick to redirect the web address of your bank to a hacker's server. As a result, you'll be logging into the server of an attacker who wants to rob your account.
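A Hosts file check that separates the two cases just described, added here as an example and not part of HijackFree: entries that point a real name at the local machine (the www.emsisoft.com example) are reported as "blocked", and entries that point it at another address (the bank case) as "redirected". The sample file content is constructed, and www.example-bank.com with 203.0.113.5 is a placeholder, not a real site or server.

```python
import ipaddress
from typing import Dict, List

# Constructed Hosts file content, not a real infected file. The emsisoft line is
# the one the tutorial describes; the last line stands for a bank address sent to
# a third-party server (203.0.113.5 is a documentation-only placeholder address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.emsisoft.com
203.0.113.5     www.example-bank.com   # constructed entry
"""

DEFAULT_NAMES = {"localhost", "localhost.localdomain"}

def parse_hosts(text: str) -> List[Dict[str, str]]:
    """One record per hostname; comments (#) and blank lines are skipped."""
    records = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *hosts = line.split()  # one line may list several names
        for host in hosts:
            records.append({"ip": ip, "host": host.lower(), "line": str(n)})
    return records

def classify_hosts_entry(ip: str, host: str) -> str:
    """'default' = stock localhost line, 'blocked' = real name pointed at this
    machine (emsisoft example), 'redirected' = pointed elsewhere (bank example)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if host in DEFAULT_NAMES:
        return "default"
    if addr.is_loopback or addr.is_unspecified:
        return "blocked"
    return "redirected"

def suspicious_hosts_entries(text: str) -> List[Dict[str, str]]:
    """Every non-stock entry deserves a look; 'redirected' is the dangerous case."""
    findings = []
    for rec in parse_hosts(text):
        verdict = classify_hosts_entry(rec["ip"], rec["host"])
        if verdict != "default":
            findings.append({**rec, "verdict": verdict})
    return findings
```

On a real machine you would read the text from %SystemRoot%\System32\drivers\etc\hosts and pass it to suspicious_hosts_entries; a "blocked" entry can also be legitimate (security software sometimes uses the same mechanism), so the verdict is a prompt to look, not proof of infection.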

ActiveX : This part shows all ActiveX objects installed on your entire system, not limited to the browser only. These ActiveX DLLs are modules that are available for other programs to use.

HijackFree is an additional tool alongside your malware scanner. It is not for amateurs; users need to understand the system very well. It won't point out the malware objects for you, but at least you can use this tool to track down and perhaps kill any hidden malware left in your system.