HijackThis is a portable tool that helps you catch and remove malware

We all have security software on our computers. Ideally that software protects us against malware, but sometimes it doesn’t work so well: either the software doesn’t detect the malware or it can’t properly remove it. If you suspect your computer is infected with malware and running scans with your security software isn’t fixing it, HijackThis may be the tool for you.

WHAT IS HIJACKTHIS

HijackThis is a small, portable tool that scans specific areas of your computer where malware is likely to reside or make changes, such as registry keys, services, BHOs, and the HOSTS file. It then displays the scan results, allowing you to manually fix areas that you think are infected. If you are not tech savvy enough to figure it out yourself, HijackThis can save the scan results in a text file, which you can share with techie friends who can then identify areas that might be infected.

Exactly what areas of your computer does HijackThis scan? The following:

R – Registry, StartPage/SearchPage changes
    R0 – Changed registry value
    R1 – Created registry value
    R2 – Created registry key
    R3 – Created extra registry value where only one should be
F – IniFiles, autoloading entries
    F0 – Changed inifile value
    F1 – Created inifile value
    F2 – Changed inifile value, mapped to Registry
    F3 – Created inifile value, mapped to Registry
N – Netscape/Mozilla StartPage/SearchPage changes
    N1 – Change in prefs.js of Netscape 4.x
    N2 – Change in prefs.js of Netscape 6
    N3 – Change in prefs.js of Netscape 7
    N4 – Change in prefs.js of Mozilla
O – Other, several sections which represent:
    O1 – Hijack of auto.search.msn.com with Hosts file
    O2 – Enumeration of existing MSIE BHO’s
    O3 – Enumeration of existing MSIE toolbars
    O4 – Enumeration of suspicious autoloading Registry entries
    O5 – Blocking of loading Internet Options in Control Panel
    O6 – Disabling of ‘Internet Options’ Main tab with Policies
    O7 – Disabling of Regedit with Policies
    O8 – Extra MSIE context menu items
    O9 – Extra ‘Tools’ menuitems and buttons
    O10 – Breaking of Internet access by New.Net or WebHancer
    O11 – Extra options in MSIE ‘Advanced’ settings tab
    O12 – MSIE plugins for file extensions or MIME types
    O13 – Hijack of default URL prefixes
    O14 – Changing of IERESET.INF
    O15 – Trusted Zone Autoadd
    O16 – Download Program Files item
    O17 – Domain hijack
    O18 – Enumeration of existing protocols and filters
    O19 – User stylesheet hijack
    O20 – AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys
    O21 – ShellServiceObjectDelayLoad (SSODL) autorun Registry key
    O22 – SharedTaskScheduler autorun Registry key
    O23 – Enumeration of NT Services
    O24 – Enumeration of ActiveX Desktop Components

In addition to scanning the above-mentioned areas of your computer, HijackThis has the ability to create a special report of just startup processes, a process manager, a HOSTS file manager, the ability to delete a user-defined file on reboot, the ability to delete a Windows NT service, an ADS Spy utility, and a basic uninstaller.

WHAT HIJACKTHIS IS NOT

HijackThis is not an anti-virus, anti-spyware, firewall, etc. HijackThis does not automatically detect and remove malware. HijackThis is a tool for manual analysis of areas of your computer that are likely to be infected if you have malware. HijackThis does have the ability to remove/“fix” what is infected, but you must manually tell HijackThis what to fix; it doesn’t do it automatically for you.

HOW TO USE HIJACKTHIS

When you run HijackThis (remember, it is portable so no installation is necessary) you will be asked what you want to do:

Do a system scan and save a logfile – scans your system, displays the results to you, and saves the results in a text file (which is placed in the same folder as the HijackThis EXE file).

Do a system scan only – does a system scan and displays the results to you but does not save the results in a text file.

Scans are pretty quick and the results are displayed to you on-screen.

Once you have the scan results, it is up to you to look through the list and determine what – if anything – is infected. If you cannot understand the results shown to you, using the Save log button allows you to save the scan results into a text file (be sure to add a .txt extension to the file name when saving the log otherwise it won’t save as a text file) which you can then share with someone who can help you.
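A saved log can also be sorted through with a short script before you (or whoever is helping you) read it line by line. The following is an added example, not part of HijackThis or of the original review: it assumes each entry in the log has the layout `code - details`, uses a subset of the section list above, and runs on a constructed sample log.

```python
import re
from collections import defaultdict

# Descriptions copied from this article's list (subset, to keep the example short).
SECTIONS = {
    "R0": "Changed registry value",
    "O2": "Enumeration of existing MSIE BHO's",
    "O4": "Enumeration of suspicious autoloading Registry entries",
    "O20": "AppInit_DLLs autorun Registry value, Winlogon Notify Registry keys",
    "O23": "Enumeration of NT Services",
}
# Sections the article's list labels as autoloading/autorun.
AUTORUN = {"F0", "F1", "F2", "F3", "O4", "O20", "O21", "O22"}
# Assumed entry layout: "<code> - <details>"; all other lines are ignored.
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Constructed sample log; names, paths and the CLSID are made up.
SAMPLE_LOG = r"""(constructed header line)
Running processes:
C:\Windows\explorer.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.test/
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Example\helper.dll
O4 - HKLM\..\Run: [ExampleUpdater] C:\Example\updater.exe
O4 - HKCU\..\Run: [ExampleTray] C:\Example\tray.exe
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\Example\svc.exe
O99 - entry with a code the article does not list
"""

def parse_log(text):
    """Group entry lines by section code, skipping header and process lines."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            groups[m.group(1)].append(m.group(2))
    return dict(groups)

def summarize(groups):
    """Map each code to (description, count); unknown codes are kept, not dropped."""
    return {c: (SECTIONS.get(c, "unlisted section"), len(v)) for c, v in groups.items()}

def autorun_entries(groups):
    """Return (code, details) pairs from autorun sections for manual review."""
    return [(c, d) for c in sorted(groups) if c in AUTORUN for d in groups[c]]

if __name__ == "__main__":
    groups = parse_log(SAMPLE_LOG)
    for code, (desc, n) in sorted(summarize(groups).items()):
        print(f"{code:4} {n:2}  {desc}")
    for code, details in autorun_entries(groups):
        print("review:", code, details)
```

Like HijackThis itself, the script only groups entries; it does not decide whether any of them are good or bad.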

If you are not sure what an item is, selecting it (single left-click) and hitting the Info on selected item… button displays more information on what the item is.

If you decide that something is infected, checking the checkbox next to that item and hitting the Fix checked button tells HijackThis to try to fix that specific item. How HijackThis fixes the item depends on what you selected; for example, if you select a BHO, it will be removed by HijackThis. HijackThis makes automatic backups of everything before applying any fixes, so you can easily restore at a later date if you make a mistake.

On the other hand, if you know for sure something is safe and you don’t want HijackThis to report it in the future, you can check the checkbox and hit the Add checked to ignorelist button to tell HijackThis to ignore that item from then on.

At the scan results window there is an AnalyzeThis button, which makes it sound like HijackThis will analyze the list and tell you if anything is infected. In reality, however, that button simply opens a web page in your default browser window telling you that you should submit the scan results to a tech help forum.

HIJACKTHIS SETTINGS AND OTHER TOOLS

Hitting the Config button from the main program window gives you access to HijackThis settings, ignorelist, backup list, and the other tools it has.

CONCLUSION AND DOWNLOAD LINKS

HijackThis isn’t a magic wand for fixing your computer. However, it is a very useful tool to help analyze and catch malware; the ability to share scan results is a huge plus for people who aren’t tech savvy themselves.

You can grab HijackThis from the links below:

Price: Free

Version reviewed: v2.0.4

Supported OS: All Windows

Download size: 380 KB

Malware status: VirusTotal malware scan (0/43)

HijackThis homepage [direct download]


7 comments

  1. Mags

    @Liam K: A thumbs up for your comments.

    FWIW, I already have HijackThis on my pc, although never had to use it on mine. However, did have to use it a couple of times on my son’s laptop. And did go to experts for advice on what to do with the results. I would never attempt to try and do it myself as I’m not an expert.

    My advice to non experts is definitely find a forum where help is provided to figure out what is wrong and what to do to fix it. If you don’t, you could end up with a seriously messed up pc.

  2. Liam K

    @Ashraf: Well, they’re intended for people aspiring to help others remove infections. http://www.geekstogo.com/geeku/ is the one in which I participated.

    I think it might be wise to add a clear warning that, as HijackThis does not differentiate between good or bad items, using it without research or instruction from an expert can cause severe problems on one’s computer.

  3. Liam K

    I highly recommend that any users, even advanced ones, post their logs in the anti-malware forums at BleepingComputer, GeeksToGo, or TechGuy. I took a course on HijackThis log analysis at GeeksToGo a few years ago (which I never completed, unfortunately :/) and I can say that the people there are very friendly and willing to help. Generally, except for maybe the most minor infections, all the instances of it will not be obvious and it will just recreate itself after an attempted HijackThis removal.