How To: Root Out Stubborn Malware with HijackThis

25 Comments


alienplayer

I used HijackThis a year back to root out a spyware that was pretending to be an antivirus. The main part of the spyware was a BHO service which pretended to be a legit browser helper. I then used another program to restore the settings the spyware had changed.

This is a great tool for any user. It gives the information you need to manually fix the problem.


Nyarlathotep

I'll have to add HijackThis to my emergency thumb drive. I think it's odd that just about everyone I know with a computer has come to me with virus problems in just the last two weeks. I have helped most of them now and I must say they have been some of the nastiest viruses to remove. One in particular rerouted all internet traffic to an "internet security" site, disabled the task manager, disabled system restore, created and automatically logged into a user account labeled administrator to handicap removal attempts, and spammed the desktop with Windows look-alike security alert popups. I did manage to clean it out and get them running again but I was scratching my head for a while. The users have been running the computer for about six years with no upkeep so I made a few recommendations... One was to format and reinstall Windows, to which they replied "You can do that?"

"Sheesh, It's just one man's opinion..."   -Me


pastorbob

I've had two very similar experiences over the last couple of weeks. One system had 8 different malware programs and another had 14. Threat level for all 22 was High or Severe. In one case the user had Trend Micro Antivirus installed but it had been disabled by one of the trojans. In the other the user had been psyched by fake scan software which he downloaded and it hijacked his system.

But I was able to clean up both systems though it did take a couple of days each. Just getting them to the point where I could download and use ANY tool was the hardest part of the task. HijackThis has been around for many years and is invaluable for cleaning infected systems.

What is more frustrating are the people who download every bell and whistle they see on the Internet and they only have 512 meg of RAM. My advice to them after I have restored their systems to usable status is - a. add RAM and b. Anything you can do with the bells and whistles can be done with stock Windows and IE 8 or Firefox. Learn how to use your system and the readily available tools!


Nyarlathotep

Whenever I work on someone's computer I always look at how much RAM they have and what programs are loading at startup. I then try to explain to the user the difference between RAM and hard drive storage. In so many cases the user has a comp with barely enough RAM to support the OS, let alone all of the crapware that vendors set to load at startup. I always make an effort to look at every process running and disable the ones that really aren't necessary. Most inexperienced users don't comprehend what I am explaining to them but in most cases they do feel the difference in startup time and overall responsiveness after the changes. So many times it's the bloated security suites made by the biggest two commercial companies out there that bring a system with too little RAM and a low end processor to its knees. The fact that they are often paying a yearly subscription fee to make their system almost unusable makes me sad, especially since I'm there because they are infected...

"Sheesh, It's just one man's opinion..."   -Me


tri8gman

I've become very dependent on my flash drive installation of Ubuntu for malware fighting (or almost any troubleshooting).

I have a 16GB Kingston drive that I've partitioned into 11GB NTFS, 4GB Ext4, and 1GB Swap.

The NTFS partition is the largest so I can still use it regularly (with large file support) and it's the FIRST partition because Windows systems refuse to mount anything but the first partition on a flash drive. This allows me to exchange things like a raw hardware list from Ubuntu with Windows as well as store Windows applications and other Windows-centric things.

I then have Ubuntu (with the splash screen turned off) installed on the 4GB Ext4 partition, and I keep nothing but the basics on there (1.6GB is free for browsing and extra packages I may become interested in).

YES, there is a debate about swap on flash, but I need every bit of performance I can get, and the drive is still kicking after a year, so I'm fine with this. I keep nothing I don't have a backup of on the drive for the day it does finally stop.

No, I don't scan with ClamAV, I go to the most likely places viruses hang out (AppData, Temp, Windows, etc.). After eliminating the EXE(s) I can then boot and go about a normal cleanup.


chenyx75

Sometimes I have encountered students' laptops infected by viruses. I used safe mode, and when I tried to install Malwarebytes, access to the executable file was denied. How do I install HijackThis in such a case?


Nyarlathotep

I recently tried to install Malwarebytes on a computer in safe mode too and it wouldn't. I just assumed the virus was blocking it but maybe it's safe mode that won't allow it to run.


"Sheesh, It's just one man's opinion..."   -Me


MRR045

One thing that still baffles me is why NO ONE ever mentions one of the easiest ways to avoid infections in the first place. Can you guess? No... I am not talking about using a Mac or Linux ... their day is coming... what I am talking about is surfing the Internet under a user profile instead of an administrator profile. You will cut the chances of infections down immensely if you will just do that one thing! Try it... you will spend less time scanning your PC...

MRR


pastorbob

I have used Administrator mode since it first came into existence. And I have never had a malware infection. Period. Perhaps people just need to be more aware of what the heck they are doing while surfing the Internet. That and keep their systems updated with the latest patches and virus definitions.


Nyarlathotep

I have always wondered why MS or OEMs don't automate setting up a non-administrator account for less experienced users. I assume it's because of the large amount of service calls it would generate.

I forgot my password...

I get "access denied" when I try to install my software...

and so on....

Then again, I guess there was UAC in Vista...


"Sheesh, It's just one man's opinion..."   -Me


Keith E. Whisman

I still remember playing with DOS 3 and Windows 1, then I went to Windows 3 and then Win95 and then Win98 and then I played with WinME and WinXPee and then I played with Win Vista and now Seven. And all the DOSes from IBM DOS to PC DOS through DOS 6.22 and DOS 7 in WinXP.


Keith E. Whisman

I have had excellent success with Windows System Restore. After restoring to a time before the infection I've just deleted the newer dates. I've been cursed in the forums for this but it freaking works. Nobody thinks it works but it does. I've been unable to locate viruses and malware after doing restores and the restores have returned complete functionality. Now I know I'm going to get ridicule so I'll start off with fuck you to you because it's worked for me. So don't call me a liar pretty much to my face when I know it has worked for me a lot. It's only failed to work for me once or twice and those times were because I changed a critical system file too much but then again that was in win95 and win98.


tri8gman

Well System Restore only works if the malware didn't disable System Restore, along with other extenuating circumstances.

The thing about System Restore the way most people use it is they don't actually get rid of the infections afterward. This is probably the source of the ridicule - System Restore is a band-aid if you don't take the finishing touches after, as you apparently do.

I tend to get machines that have the virus actually set several restoration dates back, and depending on the retention settings may cause it to be useless.


compnovo

"It's only failed to work for me once or twice and those times were because I changed a critical system file too much but then again that was in win95 and win98."

I too am a fan of Windows System Restore.  However, Win95 and 98 didn't have it, the tool was introduced with WinMe.


Keith E. Whisman

I couldn't remember which windows I had those problems with. I do get mad bringing it up because in the forums I was pretty much called a liar and laughed out of there by moderators. The MPC moderators went out of their way to belittle me for suggesting it and called me a liar when I mentioned my successes. And come to think about it I think it was winme and WinXPee.

I think I installed incompatible software in Windows and changed some files that System restore couldn't change or it was software that was broken full of bugs. This was about ten years ago. LOL... 2000 and 2001.

I had a WinME promotional upgrade that cost $50 at Fry's Electronics back when WinME was first released back in 2000, and WinXPee Home edition I purchased a year later in 2001. What a bad year.


compnovo

My experience using System Restore to fix a malware problem has been mixed; its success is dependent on what type of infection you're experiencing. I've had the best results using System Restore in Safe Mode, but I've also worked on friends' PCs that were so hosed nothing but a reformat would make the problem go away. For instance, there was an infection a couple of years ago that disguised itself as an e-greeting card from a legitimate site that completely fubarred any computer from which the link was clicked.


NicciAdonai

I like System Restore when it works, but sometimes it just fails to restore at all, let alone fix the problem. My experience has probably been about 50/50, maybe due to the fact that the situation is fairly bad by the time someone calls me to fix their PC.


Keith E. Whisman

It's always a good idea to do the three finger salute (Control, Alt and Delete) and start up Task Manager and get to know all the files that are running and also take a look at the services and get used to what's in there as well. I have a look in my Task Manager every other day and investigate when I find something different. Just a glance every other day and you'll notice when something is different. Now, after being acquainted with things, differences will seem to stand out. HijackThis will produce a list that looks really familiar; you'll be able to pick out offenders and do Google searches on them and you'll usually be right. You just have to be inquisitive. Get your hands dirty and I recommend everyone that cares about their computers to just take 5 minutes out a couple times a week to get acquainted with their services and programs and files running in the Task Manager. It'll make you smarter and much more nerdy.


tri8gman

Most people (unfortunately and without knowing the difference) run their Windows machines as administrators, and plenty of malware modifies the registry to block task manager.

Personally, I prefer Process Explorer or Process Hacker because they include loads more information.

Task Manager can also be invoked via right-clicking the taskbar or run from the Run command or Search box in the Start Menu, but again only if you're "allowed."

Then you have those nasty apps that "wrist slap" (close immediately at launch) your infection fighting apps when you try to run them.
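The registry tampering tri8gman describes (malware flipping a policy value so Task Manager or regedit refuses to open) is easy to check for before reaching for third-party tools. The script below is an added example, not code from the thread or from HijackThis: run from an elevated PowerShell prompt, it reads the two policy values Windows honours for blocking Task Manager and the Registry Editor (`DisableTaskMgr` and `DisableRegistryTools` under the `Policies\System` keys), then lists the Run/RunOnce autostart entries the way a HijackThis log would, flagging anything launched from AppData or Temp for manual review. Which entries are actually malicious is a judgement call the script does not make; it only changes nothing and reports.

```powershell
# Added example (not from the thread): read-only check for the policy values
# malware commonly sets to block Task Manager and regedit, plus a listing of
# autostart (Run/RunOnce) entries for manual review. Nothing here writes to
# the registry. Run in an elevated PowerShell prompt.

$policyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
# 1 = blocked, 0 or absent = allowed. Both are documented Windows policy values.
$policyValues = @('DisableTaskMgr', 'DisableRegistryTools')

foreach ($path in $policyPaths) {
    if (-not (Test-Path $path)) { continue }
    $props = Get-ItemProperty -Path $path
    foreach ($name in $policyValues) {
        $value = $props.$name
        if ($null -ne $value -and $value -ne 0) {
            Write-Output "WARNING: $path\$name = $value (tool is blocked by policy)"
        }
    }
}

# Autostart locations a HijackThis scan also enumerates (the O4 lines).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $cmd = $regKey.GetValue($name)
        # Entries launched from user-writable locations (the AppData and Temp
        # folders mentioned earlier in the thread) deserve a closer look;
        # -match is case-insensitive by default.
        $flag = ''
        if ($cmd -match '\\AppData\\|\\Temp\\') {
            $flag = '  <-- review: runs from a user-writable path'
        }
        Write-Output "$key : $name = $cmd$flag"
    }
}
```

If a `WARNING` line appears, the blocked tool can be re-enabled once the cause has been identified and removed, for example with `Remove-ItemProperty` on that value; doing so before the autostart entry responsible is gone tends to be undone on the next reboot, which is why the listing of Run keys is printed alongside.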


ErikTheGreat

This kind of stuff is great, keeps me payin' for the dead tree version.


PhoneyVirus

Nice, thanks for the fast tips, but I wouldn't be without any AV or some kind of malware remover; don't kill to scan. Thanks for the how-to. Good work.


QuakindudeMod

Wow. Even an old dog can learn new tricks!

The value of this program is that you should get an exact name of the infection. Why go installing all these different antivirus programs, which may cause even further damage, if it's a rootkit? Or a specific and ugly piece of malware that requires a very specific program written only for it?

Many of the viruses and malware self-running pieces of code that are popping up out there will simply disable any antivirus program you install. Hell, you may have to rename HijackThis to Mommy.exe or urscrewed.exe just to get it to run because some of these pieces of specifically coded software are so insistent and nasty. Try doing that with pandascan.exe!!

The point being, in today's computing environment, you really need to identify the infection before you start randomly installing software. You end up spending less time by knowing exactly what you're dealing with in the first place, and any professional virus/malware remover will tell you to begin by identifying the problem FIRST. Then install specific programs to deal with it. You just don't see the pros going about willy-nilly installing things without knowing what they're dealing with before the first rectifying program is ever installed.

*****MaximumPC Moderator. Report inappropriate/SPAM comments to
QuakindudeMod at Gmail--dot--com with a link. My personal comments do not necessarily
reflect the opinions of MaxPC or Future US*****


grandsire2001

I agree, if the PC is completely infected just nuke the drive and reload a clean image.  


Havok

"...no matter how good a personal system administrator you are, there’s a
time to take your OS install out behind the shed and put two in its
head."


CLICK.


JimmyJimJames

I would never trust my system after an infection. I guess this tool might get things running just long enough to make sure data is backed up before I nuke the drive.
