Getting started

HijackThis is a utility for fixing hijacked or modified parts of the system. For example, if spyware installs itself as a startup object, you can fix that entry with HijackThis. It is not a spyware remover. Therefore, do not use HijackThis before scanning your computer with spyware removal programs. Run the steps in this page before using HijackThis.

Also, this tool is for advanced users. It requires advanced knowledge about Windows in general. If you delete an object without knowing for sure what it is, it can lead to other problems. If you don't have advanced knowledge about computers and have a serious spyware problem, do not fix any entries without getting help from the experts.

About HijackThis

HijackThis is a freeware spyware-removal tool for Microsoft Windows, originally created by Merijn Bellekom and later sold to Trend Micro. The program is notable for taking a heuristic approach to detecting malware: rather than relying on a database of known spyware, it quickly scans a user's computer, creates a list of differences from a known spyware-free environment and lets the user decide what from the list needs to be removed.

Download the executable. The program does not require installation and won't create a Start menu shortcut, so it is best that you download it to an easy-to-find location, such as your desktop. Make sure that you put HijackThis in its own directory, since it will create backups of the fixed items there.

Download HJT executable (EXE)

Please take note that the functions of Trend Micro HijackThis used in this tutorial could differ from yours, depending on the version. In this tutorial, I use Trend Micro HijackThis v2.0.2.

Configuring this program

Double-click the .exe file and you'll get a window like the one on the left below. Click "None of the above, just start the program". You'll get another screen like the one below.

hijackthis main

hijackthis scan

Click on the Config button. It is recommended that you check "Make backups before fixing items", "Do not show intro frame at startup", and the others shown below. By default, these important options are already checked. When you're done, press the Back button or the Main Menu button.

hijackthis config options

Scan with HijackThis

At the main menu, select Scan and save a logfile. After the scan, you'll get a logfile opened in Notepad. This file is saved wherever you put HijackThis. If you want an expert to analyze your log, go to any HijackThis forum. Read the rules first and make sure you have already followed the steps given. If you don't like that forum, try another one. Then simply copy and paste the log from Notepad into your thread.

Hijackthis scan result

To view more details on certain objects, check them and click on "Info on selected item". If you're sure an object is bad, select that object and click on "Fix checked". You can also ignore an object by clicking "Add checked to ignore list".

Object information
If you click on the Info button, you'll get an explanation of the object types:

R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
F2 - Changed inifile value, mapped to Registry
F3 - Created inifile value, mapped to Registry
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHOs
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols and filters
O19 - User stylesheet hijack
O20 - AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
O21 - ShellServiceObjectDelayLoad (SSODL) autorun Registry key
O22 - SharedTaskScheduler autorun Registry key
O23 - Enumeration of NT Services
O24 - Enumeration of ActiveX Desktop Components

Command-line parameters:
* /autolog - automatically scan the system, save a logfile and open it
* /ihatewhitelists - ignore all internal whitelists
* /uninstall - remove all HijackThis Registry entries, backups and quit
* /silentautolog - the same as /autolog, except with no user intervention required
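The section list above is what turns a raw log into something reviewable. As an added example (not HijackThis code), the script below maps each log line's prefix (R0, O4, O23, ...) to the description from that list, groups the entries, and pulls out the ones a reviewer usually reads first: hosts-file changes, autoloading registry entries, AppInit_DLLs and services. The log text is constructed, its line layout is an assumption that approximates real HijackThis output, and the "runs from a Temp folder" heuristic is mine, not a HijackThis rule.

```python
"""Triage helper for a HijackThis-style scan log (added example, not HijackThis code).

Maps the prefix of each log line to its section description, groups entries
by section, and lists the persistence-related ones for review first.
The sample log, its layout, and the Temp-folder heuristic are assumptions.
"""
import re
from collections import defaultdict

# Section codes and descriptions, as shown by HijackThis's Info button.
SECTION_INFO = {
    "R0": "Changed registry value",
    "R1": "Created registry value",
    "O1": "Hijack of auto.search.msn.com with Hosts file",
    "O2": "Enumeration of existing MSIE BHOs",
    "O4": "Enumeration of suspicious autoloading Registry entries",
    "O20": "AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys",
    "O23": "Enumeration of NT Services",
}

# Sections that describe persistence or name resolution: review these first.
PRIORITY_SECTIONS = {"O1", "O4", "O20", "O23"}

# "<code> - <payload>"; banner lines (logfile header, scan time) do not match.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.+)$")

# Constructed sample log (assumed layout; names, CLSID and paths are made up).
SAMPLE_LOG = """\
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:00, on 1/1/2008

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.example.com/
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://search.example.invalid/
O1 - Hosts: 203.0.113.10 www.bank.example
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Example\\helper.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [updater] C:\\Documents and Settings\\user\\Local Settings\\Temp\\upd.exe
O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\hook.dll
O23 - Service: Example Service (ExampleSvc) - Example Corp - C:\\Program Files\\Example\\svc.exe
"""


def parse_log(text):
    """Return a list of (code, description, payload) for each recognised entry."""
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue  # banner or blank line
        code, payload = match.groups()
        entries.append((code, SECTION_INFO.get(code, "Unknown section"), payload))
    return entries


def group_by_section(entries):
    """Group payloads under their section code, keeping log order within a section."""
    groups = defaultdict(list)
    for code, _desc, payload in entries:
        groups[code].append(payload)
    return dict(groups)


def review_first(entries):
    """(code, payload) pairs from the priority sections, in log order."""
    return [(code, payload) for code, _desc, payload in entries
            if code in PRIORITY_SECTIONS]


def autoloads_from_temp(entries):
    """O4 autoload entries whose program lives under a Temp folder.

    Legitimate software rarely starts from there, so these deserve a closer
    look before anything is fixed (constructed heuristic, not a HijackThis rule).
    """
    return [payload for code, _desc, payload in entries
            if code == "O4" and "\\temp\\" in payload.lower()]


def summarize(text):
    """One line per section, ordered by letter then number, for a forum post."""
    groups = group_by_section(parse_log(text))
    ordered = sorted(groups.items(), key=lambda kv: (kv[0][0], int(kv[0][1:])))
    return [f"{code} ({SECTION_INFO.get(code, 'Unknown section')}): {len(items)} item(s)"
            for code, items in ordered]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
    print("Review first:", review_first(parse_log(SAMPLE_LOG)))
    print("Autoloads from Temp:", autoloads_from_temp(parse_log(SAMPLE_LOG)))
```

The point of the grouping is the same one the tutorial makes about the Info button: an entry only means something once you know which section it came from, and the O4/O20/O23 sections are the ones where a wrong "Fix checked" hurts most.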

Restore a fixed item

If you check "Make backups before fixing items", a backup will be created for any fixed objects. This is useful should you mistakenly delete important objects: you can restore them.

If you're in the main menu, select "None of the above, just start the program". To restore an item, click on the Config button > Backups. You can view the list of deleted items. Check any that are necessary and select Restore.

hijackthis backups

Misc Tools Section

Misc Tools is useful for creating a startup log, managing processes, managing the hosts file, deleting a file on reboot, deleting an NT service, opening ADS Spy, and uninstalling programs. To use any of the Misc Tools, go to the main menu > Open the Misc Tools section.

Generate Startup Log

For certain reasons, you might need to see the list of startup programs and fix any hijacked parts. To do this, make sure that you're in the main menu. Then click on Open the Misc Tools section > Generate StartupList log.


View and stop process

Some spyware works in the background. That slows down your computer and internet connection. To regain your computer's speed, you can stop these processes.

Actually, there are two ways you can do this. First, by opening Windows Task Manager. Press Ctrl + Alt + Del on your desktop and you'll see the Task Manager panel. Select the Processes tab and terminate unwanted processes.

The second way is by using HijackThis. From the main menu > Open the Misc Tools section > Open process manager. Select and kill any process that you're certain is malicious. If you check "Show DLLs", you can view any DLL files loaded by that process.

Some spyware and rogue antispyware programs add DLL files to your system upon installation. Hence, by checking this, you'll be able to detect DLLs that have been added by spyware. After terminating that spyware, you should remove these DLL files.

process manager

Hosts file manager

The hosts file can be manipulated by spyware for phishing scams. Through the hosts file, a user's request for a website is answered by an address written in that file on his own computer, instead of by the real server.

Some spyware writes to this file and leads the user to a phishing site rather than the real bank website. By using the hosts file manager, you'll be able to delete any bad entries that were written. To delete an entry, simply select it and click Delete.

If you delete the lines, those lines will be deleted from your HOSTS file. If you toggle the lines, HijackThis will add a # sign in front of each line. This comments out the line so that it will not be used by Windows. If you are unsure what to do, it is always safe to toggle the line so that a # appears before it.

HOST file manager
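The two operations described above, delete and toggle, are simple enough to show in code. The script below is an added example, not HijackThis code: it reads hosts-file text, reports active mappings that send a hostname somewhere other than the local machine (the phishing pattern the section describes), and toggles a line by adding or removing a leading #, so a legitimate entry can be put back if toggling it turns out to be a mistake. The hosts content is constructed; the un-toggle direction is my reading of "toggle", not something the tutorial states.

```python
"""Hosts-file review helper (added example, not HijackThis code).

Flags active mappings that do not point at the local machine and comments
lines out with '#' the way the tutorial describes for "Toggle line(s)".
The sample hosts text is constructed; real hosts files live at
%SystemRoot%\\system32\\drivers\\etc\\hosts on Windows.
"""
import ipaddress

# Constructed sample: one loopback entry, one entry sending a bank's hostname
# to an outside address (the phishing pattern), and one deliberate block.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
203.0.113.10    www.bank.example
127.0.0.1       ads.tracker.example   # blocked by the user on purpose
::1             localhost
"""


def parse_hosts(text):
    """Yield (line_no, ip, hostnames) for every active (uncommented) mapping."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts mapping; leave it alone
        yield line_no, ip, parts[1:]


def suspicious_entries(text):
    """Active mappings whose address is not loopback.

    A hostname resolving to some other machine is the case the tutorial warns
    about; loopback entries are usually ad/tracker blocks and are left alone.
    """
    return [(line_no, str(ip), names)
            for line_no, ip, names in parse_hosts(text)
            if not ip.is_loopback]


def toggle_lines(text, line_numbers):
    """Toggle the given 1-based lines: add a leading '#' so Windows ignores the
    line, or remove it if the line is already commented out (assumed behaviour
    for the reverse direction). Nothing is deleted, so the change is reversible."""
    out = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line_no in line_numbers:
            line = line[1:] if line.startswith("#") else "#" + line
        out.append(line)
    return "\n".join(out) + "\n"


def delete_lines(text, line_numbers):
    """Remove the given 1-based lines outright, as the Delete button does."""
    return "\n".join(line for line_no, line in enumerate(text.splitlines(), 1)
                     if line_no not in line_numbers) + "\n"


if __name__ == "__main__":
    flagged = suspicious_entries(SAMPLE_HOSTS)
    print("Suspicious:", flagged)
    toggled = toggle_lines(SAMPLE_HOSTS, {n for n, _ip, _names in flagged})
    print(toggled)
```

Toggling first and deleting only once the entry is confirmed bad is the same advice the tutorial gives, expressed as a reversible operation: the toggled file still carries the original line, so a wrong call costs nothing.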

Delete undeletable files

Some spyware files can't be easily deleted from the system. When you press the Delete button, you'll get the message "Access is denied". The effective way to delete such files is by using the Delete on Reboot tool.

First, make sure that you have already opened the Misc Tools section. Then select "Delete a file on reboot...". A window will open and ask you to select a file from your disk.

Once the file is selected, you'll be prompted whether you want to restart your computer now or later.

ADS Spy

An Alternate Data Stream (ADS) is a way of storing meta-information for a file without actually storing that information in the file it belongs to; support for it was carried over into Windows NT4 for early MacOS compatibility. These streams are invisible in Windows Explorer and so far very few antispyware programs are able to detect malicious entries in them. Recently, browser hijackers began using this technique to store hidden information on the system, and even to store trojan executables in the ADS streams of random files on the system.

ADS Spy is a tool to view or delete Alternate Data Streams on Windows 2000 and above, on systems using the NTFS file system. ADS Spy is another tool in the Misc Tools section.

Click Scan to view any ADS in your system, and Save log to save the results in Notepad. Click on an entry and Remove selected to remove any unwanted ADS.

ads-spy

Uninstall manager

The Uninstall Manager allows you to remove any program installed on your computer. Even though you can remove them from Control Panel > Add/Remove Programs, some programs just won't go away. The effective way is to run HijackThis > Open the Misc Tools section > Uninstall Manager.

Open Add/Remove software list = Opens Add/Remove Programs in the Control Panel.

Edit uninstall command = Edits the uninstall command for that program. For example, it could be C:\Program Files\Program\uninstall.exe

Delete this entry = Use this when the entry can't be removed using the Add/Remove software list.

Refresh list = Analyzes and lists newly installed programs again.

Save list = Saves this list to a .txt file.
