How To: Root Out Stubborn Malware with HijackThis
Posted 03/02/10 at 10:33:46 AM by Paul Lilly
Trying to fix a badly infected PC without HijackThis is sort of like going into surgery without a scalpel; it’s the only tool for the job when all other measures fail. New spyware strains and increasingly complex viruses emerge every day, and your PC’s immune system (i.e., antivirus software) isn’t always able to keep up. And if you’re performing emergency surgery on someone else’s PC, you may find that they didn’t have any AV software installed to begin with.
No matter how bad the infection, HijackThis gives you the means to dig deep into Windows to root out whatever it is that’s wreaking havoc. It’s not a cure-all, however, or even a cure-little. In fact, HijackThis doesn’t cure anything on its own. What HijackThis does do is give you a snapshot of the system’s registry and file settings, putting particular emphasis on the browser. It doesn’t discern between safe and malicious settings, so it’s possible to unintentionally inflict real harm if you don’t know what you’re doing. Follow along as we show you how to properly wield HijackThis.
1. Download and Run HijackThis
Originally developed by Dutch programmer Merijn Bellekom, HijackThis has since been sold to Trend Micro, a security firm better equipped to maintain and update the program. But don’t worry, HijackThis is still free and you can download it at http://free.antivirus.com/hijackthis/ where you’ll find both a stable and beta version. We haven’t run into much trouble using the beta, but it’s currently only available as an installer. With the stable version, you have the option of downloading just the executable and plopping it on your USB thumb drive.
Once installed, fire up the program and choose ‘Do a system scan and save a logfile.’

After you do this, you should see a bunch of seemingly obscure settings in the program’s main window (Image 2), which will also be listed out in a separate text file generated on the fly. If the text file that appears is empty, try using the stable release instead of the beta.

2. Understand the Results
Keep in mind what we said earlier, in that HijackThis doesn’t discern between safe and malicious entries. Even on a badly infected system, many, if not most, of the settings will be legit and altering them could affect the functionality of your PC.
If you consider yourself a savvy user, you can scroll through the settings on your own and look for any suspicious or harmful settings. In some cases, this will be obvious, but not always, so you want to be sure to Google (or Bing) any entries you’re unsure about before nuking them.
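Because HijackThis lists every registry and file setting it finds without judging it, the work is in deciding which lines deserve a lookup. The Python helper below is an added example, not part of HijackThis or this article: it parses the numbered "Oxx - ..." lines the program writes (O2 browser helper objects, O4 startup entries, O23 services, following HijackThis's usual section numbering), pulls out the file path each one references, and flags the entries a reviewer should research before fixing anything: programs auto-starting from user-writable or temporary directories, entries whose file no longer exists, and unnamed browser helper objects. The log lines, GUIDs and paths are constructed for the example; the flagging rules are triage heuristics of my own, not anything HijackThis does itself.

```python
"""Triage helper for HijackThis-style logs (added example, not HijackThis code).

Parses the numbered 'Oxx - ...' lines HijackThis writes, extracts the file
path each entry references, and returns the entries a reviewer should look
up before deleting anything. The sample log, GUIDs and paths below are
constructed; the section numbers follow HijackThis's conventions.
"""
import re
from typing import Iterator, List, NamedTuple, Optional, Tuple

# Constructed sample log. GUIDs are placeholders, not real CLSIDs.
SAMPLE_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Adobe\\Reader\\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-00000000ABCD} - C:\\Documents and Settings\\user\\Application Data\\ieupd\\helper.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [Security Tool] C:\\Documents and Settings\\user\\Local Settings\\Temp\\sectool.exe
O4 - HKCU\\..\\Run: [WinSvcHost] (no file)
O23 - Service: Windows Update (wuauserv) - Unknown owner - C:\\WINDOWS\\system32\\svchost.exe
O23 - Service: SysHelper - Unknown owner - C:\\Users\\user\\AppData\\Roaming\\syshelp\\svc.exe
"""

# "O4 - HKCU\..\Run: [name] path" -> section "O4", body "HKCU\..\Run: [name] path"
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# A Windows path: drive letter through the first common binary extension.
PATH_RE = re.compile(r"([A-Za-z]:\\.*?\.(?:exe|dll|sys|scr|cpl|ocx))(?!\w)", re.IGNORECASE)
# Directories an ordinary user can write to; an auto-start from one deserves a lookup.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\application data\\", "\\temp\\",
                         "\\temporary internet files\\", "\\recycler\\", "\\$recycle.bin\\")


class Finding(NamedTuple):
    section: str
    raw: str
    path: Optional[str]
    reasons: Tuple[str, ...]


def parse_entries(log_text: str) -> Iterator[Tuple[str, str, Optional[str]]]:
    """Yield (section, body, path) for each HijackThis-style line; other lines are skipped."""
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue
        body = match.group("body")
        path_match = PATH_RE.search(body)
        yield match.group("section"), body, (path_match.group(1) if path_match else None)


def assess(section: str, body: str, path: Optional[str]) -> Tuple[str, ...]:
    """Return the reasons (possibly none) this entry should be researched before removal."""
    reasons = []
    if path is None or "(no file)" in body or "(file missing)" in body:
        # A startup entry or BHO pointing at nothing is either leftover or a hiding trick.
        reasons.append("references no existing file")
    elif any(marker in path.lower() for marker in USER_WRITABLE_MARKERS):
        reasons.append("binary lives in a user-writable or temporary directory")
    if section == "O2" and "(no name)" in body:
        reasons.append("browser helper object with no name")
    return tuple(reasons)


def triage(log_text: str) -> List[Finding]:
    """Return only the entries that carry at least one reason to look them up."""
    findings = []
    for section, body, path in parse_entries(log_text):
        reasons = assess(section, body, path)
        if reasons:
            findings.append(Finding(section, body, path, reasons))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.section}: {finding.raw}")
        for reason in finding.reasons:
            print(f"    -> {reason}")
```

Everything this script flags is a prompt to search for the entry name and path, not a verdict; the Program Files and system32 entries pass untouched precisely because location alone says nothing about whether a file is safe, and a flagged entry can still be legitimate. Run it against a real log by replacing SAMPLE_LOG with the contents of the text file HijackThis saved.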
This seems to be a good
Submitted by jcbrown on Tue, 08/03/2010 - 11:18pm
This seems to be a good option if you are sure about all the stuff you have in your PC. If not, it would be disastrous if you end up deleting important and vital software which might take time to download and configure. I guess it is worth a shot if all of you out there understand all the technical blah blah. As for me, I think I will simply call in a technician and let him do his job because I am sure that I will mess up and delete some important stuff! Brown | Network Virtualization
Great tool!
Submitted by alienplayer on Sat, 03/20/2010 - 9:51am
I used HijackThis a year back to root out a spyware that was pretending to be an antivirus. The main part of the spyware was a BHO service which pretended to be a legit browser helper. I then used another program to restore the setting the spyware had changed.
This is a great tool for any user. It gives the information you need to manually fix the problem.
It's odd...
Submitted by Nyarlathotep on Mon, 03/08/2010 - 5:00pm
I'll have to add Hijack This to my emergency thumb drive. I think it's odd that just about everyone I know with a computer has come to me with virus problems in just the last two weeks. I have helped most of them now and I must say they have been some of the nastiest viruses to remove. One in particular rerouted all internet traffic to an "internet security" site, disabled the task manager, disabled system restore, created and automatically logged into a user account labeled administrator to handicap removal attempts, and spammed the desktop with Windows look-alike security alert popups. I did manage to clean it out and get them running again but I was scratching my head for a while. The users have been running the computer for about six years with no upkeep so I made a few recommendations... One was to format and reinstall Windows, to which they replied "You can do that?"
"Sheesh, It's just one man's opinion..." -Me
Me too
Submitted by pastorbob on Fri, 03/12/2010 - 9:32am
I've had two very similar experiences over the last couple of weeks. One system had 8 different malware programs and another had 14. Threat level for all 22 was High or Severe. In one case the user had Trend-Micro Antivirus installed but it had been disabled by one of the trojans. In the other the user had been psyched by fake scan software which he downloaded and it hijacked his system.
But I was able to clean up both systems though it did take a couple of days each. Just getting them to the point where I could download and use ANY tool was the hardest part of the task. Hijackthis has been around for many years and is invaluable for cleaning infected systems.
What is more frustrating are the people who download every bell and whistle they see on the Internet and they only have 512 meg of RAM. My advice to them after I have restored their systems to usable status is - a. add RAM and b. Anything you can do with the bells and whistles can be done with stock Windows and IE 8 or Firefox. Learn how to use your system and the readily available tools!
Struggles
Submitted by Nyarlathotep on Fri, 03/12/2010 - 11:37am
Whenever I work on someone's computer I always look at how much RAM they have and what programs are loading at startup. I then try to explain to the user the difference between RAM and hard drive storage. In so many cases the user has a comp with barely enough RAM to support the OS, let alone all of the crapware that vendors set to load at startup. I always make an effort to look at every process running and disable the ones that really aren't necessary. Most inexperienced users don't comprehend what I am explaining to them but in most cases they do feel the difference in startup time and overall responsiveness after the changes. So many times it's the bloated security suites made by the biggest two commercial companies out there that bring a system with too little RAM and a low end processor to its knees. The fact that they are often paying a yearly subscription fee to make their system almost unusable makes me sad, especially since I'm there because they are infected...
"Sheesh, It's just one man's opinion..." -Me
Linux On Flash
Submitted by tri8gman on Wed, 03/03/2010 - 8:41pm
I've become very dependent on my flash drive installation of Ubuntu for malware fighting (or almost any troubleshooting).
I have a 16GB Kingston drive that I've partitioned into 11GB NTFS, 4GB Ext4, and 1GB Swap.
The NTFS partition is the largest so I can still use it regularly (with large file support) and it's the FIRST partition because Windows systems refuse to mount anything but the first partition on a flash drive. This allows me to exchange things like a raw hardware list from Ubuntu with Windows as well as store Windows applications and other Windows-centric things.
I then have Ubuntu (with the splash screen turned off) installed on the 4GB Ext4 partition, and I keep nothing but the basics on there (1.6GB is free for browsing and extra packages I may become interested in)
YES, there is a debate about swap on flash, but I need every bit of performance I can get, and the drive is still kicking after a year, so I'm fine with this. I keep nothing I don't have a backup of on the drive for the day it does finally stop.
No, I don't scan with ClamAV, I go to the most likely places viruses hang out (AppData, Temp, Windows, etc.). After eliminating the EXE(s) I can then boot and go about a normal cleanup.
How to install HijackThis when admin access being denied
Submitted by chenyx75 on Tue, 03/02/2010 - 7:02pm
Sometimes I encountered students' laptops that were infected by viruses, and I used safe mode, but when I tried to install Malwarebytes, access to the executable file was denied. How do you install HijackThis in such a case?
Same
Submitted by Nyarlathotep on Mon, 03/08/2010 - 5:03pm
I recently tried to install Malwarebytes on a computer in safe mode too and it wouldn't. I just assumed the virus was blocking it but maybe it's safe mode that won't allow it to run.
"Sheesh, It's just one man's opinion..." -Me
DON'T DO IT
Submitted by MRR045 on Tue, 03/02/2010 - 4:12pm
One thing that still baffles me is why NO ONE ever mentions one of the easiest ways to avoid infections in the first place. Can you guess? No... I am not talking about using a Mac or Linux ... their day is coming... what I am talking about is surfing the Internet under a user profile instead of an administrator profile. You will cut the chances of infections down immensely if you will just do that one thing! Try it... you will spend less time scanning your PC...
MRR
I hear ya but
Submitted by pastorbob on Fri, 03/12/2010 - 9:39am
I have used Administrator mode since it first came into existence. And I have never had a malware infection. Period. Perhaps people just need to be more aware of what the heck they are doing while surfing the Internet. That and keep their systems updated with the latest patches and virus definitions.
Wondering
Submitted by Nyarlathotep on Mon, 03/08/2010 - 5:08pm
I have always wondered why MS or OEMs don't automate setting up a non-administrator account for less experienced users. I assume it's because of the large amount of service calls it would generate.
I forgot my password...
I get "access denied" when I try to install my software...
and so on....
Then again, I guess there was UAC in Vista...
"Sheesh, It's just one man's opinion..." -Me
I still remember playing
Submitted by Keith E. Whisman on Tue, 03/02/2010 - 9:13am
I still remember playing with Dos 3 and Windows 1 then I went to Windows 3 and then Win95 and then Win98 and then I played with WinME and WinXpee and then I played with Win Vista and now Seven. And all the dos from IBM Dos to PC Dos through Dos 622 and Dos 7 in WinXP.
I have had excellent success
Submitted by Keith E. Whisman on Tue, 03/02/2010 - 8:01am
I have had excellent success with Windows System Restore. After restoring to a time before the infection I've just deleted the newer dates. I've been cursed in the forums for this but it freaking works. Nobody thinks it works but it does. I've been unable to locate viruses and malware after doing restores, and the restores have returned complete functionality. Now I know I'm going to get ridicule so I'll start off with fuck you to you because it's worked for me. So don't call me a liar pretty much to my face when I know it has worked for me a lot. It's only failed to work for me once or twice and those times were because I changed a critical system file too much but then again that was in win95 and win98.
And then...
Submitted by tri8gman on Wed, 03/03/2010 - 8:20pm
Well System Restore only works if the malware didn't disable System Restore, along with other extenuating circumstances.
The thing about System Restore, the way most people use it, is they don't actually get rid of the infections afterward. This is probably the source of the ridicule - System Restore is a band-aid if you don't do the finishing touches after, as you apparently do.
I tend to get machines that have the virus actually set several restoration dates back, and depending on the retention settings may cause it to be useless.
It's only failed to work for
Submitted by compnovo on Tue, 03/02/2010 - 8:52am
It's only failed to work for me once or twice and those times were because I changed a critical system file too much but then again that was in win95 and win98.
I too am a fan of Windows System Restore. However, Win95 and 98 didn't have it, the tool was introduced with WinMe.
I couldn't remember which
Submitted by Keith E. Whisman on Tue, 03/02/2010 - 9:08am
I couldn't remember which Windows I had those problems with. I do get mad bringing it up because in the forums I was pretty much called a liar and laughed out of there by moderators. The MPC moderators went out of their way to belittle me for suggesting it and called me a liar when I mentioned my successes. And come to think about it I think it was WinME and WinXPee.
I think I installed incompatible software in Windows and changed some files that System restore couldn't change or it was software that was broken full of bugs. This was about ten years ago. LOL... 2000 and 2001.
I had WinME promotional upgrade that cost $50bucks at Fry's Electronics back when WinME was first released back in 2000 and WinXPee Home edition I purchased a year later in 2001. What a bad year.
My experience using system
Submitted by compnovo on Tue, 03/02/2010 - 10:37am
My experience using system restore to fix a malware problem has been mixed; its success is dependent on what type of infection you're experiencing. I've had the best results using system restore in Safe Mode, but I've also worked on friends' PCs that were so hosed nothing but a reformat would make the problem go away. For instance, there was an infection a couple of years ago that disguised itself as an e-greeting card from a legitimate site that completely fubarred any computer from which the link was clicked.
Same here.
Submitted by NicciAdonai on Tue, 03/02/2010 - 1:14pm
I like System Restore when it works, but sometimes it just fails to restore at all, let alone fix the problem. My experience has probably been about 50/50, maybe due to the fact that the situation is fairly bad by the time someone calls me to fix their PC.
It's always a good idea to
Submitted by Keith E. Whisman on Tue, 03/02/2010 - 7:50am
It's always a good idea to do the three finger salute (Control, Alt and Delete) and start up Task Manager and get to know all the files that are running, and also take a look at the services and get used to what's in there as well. I have a look in my Task Manager every other day and investigate when I find something different. Just a glance every other day and you'll notice when something is different. Now after being acquainted with things, differences will seem to stand out. HijackThis will produce a list that looks really familiar; you'll be able to pick out offenders and do Google searches on them and you'll usually be right. You just have to be inquisitive. Get your hands dirty, and I recommend everyone that cares about their computers to just take 5 minutes out a couple times a week to get acquainted with their services and programs and files running in the Task Manager. It'll make you smarter and much more nerdy.
And then.... again.
Submitted by tri8gman on Wed, 03/03/2010 - 8:25pm
Most people (unfortunately and without knowing the difference) run their Windows machines as administrators, and plenty of malware modifies the registry to block task manager.
Personally, I prefer ProcessExplorer or ProcessHacker because they include loads more information.
Task Manager can also be launched by right-clicking the taskbar or run from the Run command or Search box in the Start Menu, but again only if you're "allowed."
Then you have those nasty apps that "wrist slap" (close immediately at launch) your infection fighting apps when you try to run them.
Thanks
Submitted by ErikTheGreat on Tue, 03/02/2010 - 5:36am
This kind of stuff is great, keeps me payin' for the dead tree version.
No Viruses!
Submitted by PhoneyVirus on Tue, 03/02/2010 - 12:52am
Nice thanks for the fast Tips but wouldn't be without any AV or some kind of Malware remover, don't kill to scan Thanks for the How-to. Good Work
Wow. Even an old dog can
Submitted by QuakindudeMod on Mon, 03/01/2010 - 7:33pm
Wow. Even an old dog can learn new tricks!
The value of this program is that you should get an exact name of the infection. Why go installing all these different antivirus programs, which may cause even further damage, if it's a rootkit? Or a specific and ugly piece of malware that requires a very specific program written only for it?
Many of the viruses and self-running pieces of malware that are popping up out there will simply disable any antivirus program you install. Hell, you may have to rename HijackThis to Mommy.exe or urscrewed.exe just to get it to run because some of these pieces of specifically coded software are so insistent and nasty. Try doing that with pandascan.exe!!
The point being, in today's computing environment, you really need to identify the infection before you start randomly installing software. You end up spending less time by knowing exactly what you're dealing with in the first place, and any professional virus/malware remover will tell you to begin by identifying the problem FIRST. Then install specific programs to deal with it. You just don't see the pros going about willy-nilly installing things without knowing what they're dealing with before the first rectifying program is ever installed.
*****MaximumPC Moderator. Report inappropriate/SPAM comments to
QuakindudeMod at Gmail--dot--com with a link. My personal comments do not necessarily
reflect the opinions of MaxPC or Future US*****
Build, Install, Image, and backup
Submitted by grandsire2001 on Mon, 03/01/2010 - 7:24pm
I agree, if the PC is completely infected just nuke the drive and reload a clean image.
Gordon put it nicely...
Submitted by Havok on Tue, 03/02/2010 - 11:41am
"...no matter how good a personal system administrator you are, there’s a time to take your OS install out behind the shed and put two in its head."
CLICK.
Backup, Format, and Reinstall
Submitted by JimmyJimJames on Mon, 03/01/2010 - 6:59pm
I would never trust my system after an infection. I guess this tool might get things running just long enough to make sure data is backed up before I nuke the drive.