What is your nastiest experience with viruses and/or other malware? The other day, just before presentations, my friend came to me with his laptop and showed me the havoc that had been wreaked on it! He had burnt some discs for others, using data from their USB drive, and in the process got infected. Now he was unable to run PowerPoint, nor was he able to scan with the anti-virus, as it wouldn’t start a scan due to the infections (see the irony). Just the splash screens and boom – nothing seemed to run.
We booted into safe mode and it got stuck again. We just couldn’t get there. Luckily I had HijackThis on my USB drive; it helped analyse the problem and eventually we cleaned it to the point that he could deliver his presentation.
The moral: No matter what security software you have, you will have to get your hands wet one day so you’d better be prepared!
So what is HijackThis? An anti-virus? Malware removal tool? Anti-spyware? Well, nothing fancy: it’s actually a tool that gives you a log (or dump) of your system’s present state. You can then analyze it yourself or post it at any of the many forums that will help you with your problem. In fact a HijackThis log is the first thing they ask for when you discuss your problem on forums. Let’s see how you can Make Use Of it!
HijackThis Download and Install
First off you must have HijackThis on your system. Download here, run the executable, then fire up HijackThis. You will be greeted with a not very fancy but nevertheless pretty powerful tool.
What can you do?
- You can scan your system and save a log file.
- Simply scan your system.
- Undo the changes you made earlier.
- View the running processes and perform some actions on them.
- View the system Host file.
- Set it up to delete locked files on next system reboot.
- Delete services, open AdSpy and open a powerful uninstall manager.
Let us begin with a system scan and then I will tell you how to interpret the log (it’s not for the faint hearted!). Click on “Scan and save a log file” or simply “Scan”. You will see a plethora of information in a window like the following. This can seem frightening, as none of it makes sense at first, but let’s take a closer look.
The first thing to take note of is that towards the left (region 1, marked with red) you will see some codes like R1, R2, R3, O8, O9 etc. All these codes have special meanings (refer to the table below). Towards the right (region 2, marked with green) you will see the details of the file in question.
| Code | Meaning |
|---|---|
| R0, R1, R2, R3 | Internet Explorer Start/Search pages URLs |
| F0, F1, F2, F3 | Auto loading programs |
| N1, N2, N3, N4 | Netscape/Mozilla Start/Search pages URLs |
| O1 | Hosts file redirection |
| O2 | Browser Helper Objects |
| O3 | Internet Explorer toolbars |
| O4 | Auto loading programs from Registry |
| O5 | IE Options icon not visible in Control Panel |
| O6 | IE Options access restricted by Administrator |
| O7 | Regedit access restricted by Administrator |
| O8 | Extra items in the IE right-click menu |
| O9 | Extra buttons on main IE button toolbar, or extra items in IE ‘Tools’ |
| O11 | Extra group in IE ‘Advanced Options’ window |
| O13 | IE Default Prefix hijack |
| O14 | ‘Reset Web Settings’ hijack |
| O15 | Unwanted site in Trusted Zone |
| O16 | ActiveX Objects (aka Downloaded Program Files) |
| O18 | Extra protocols and protocol hijackers |
| O19 | User style sheet hijack |
| O20 | AppInit_DLLs Registry value Autorun |
| O23 | Windows XP/NT/2000 Services |
| O24 | Windows Active Desktop Components |

Table from: Bleeping Computer
Now let’s say you notice something fishy with IE or Firefox. Look at the lines marked R0, R1, R2, R3 and N1, N2, N3, N4 and see if they contain something you don’t think is correct (like free pills!) or don’t remember installing. After confirming that, you can place a check mark on that particular entry and click “Fix selected”.
You can also highlight the entry and click on “Info on selected item” to get some more information about it, and then decide if it’s indeed causing trouble. If you find yourself stuck, click “Analyse this” and you will be taken to a help page; alternatively you can post your log on forums and get help.
Some quick tips
All of this information may please a geek, but not all of us are one! So I present some personal quick tips from my experience with Windows and the problems it has thrown in my face:
- First and foremost, check out the automatically starting applications (the entries marked O4). If anything looks suspicious, just Google for the file name and you will know whether it’s legitimate or not. Remove it if it’s not legitimate. You can also check at Process Library, or visit here and download the list for use in offline environments if you can’t get to the Internet.
- Use the Process manager from HijackThis or the Windows Task manager to view the processes currently running. Again, Google the suspicious filename, end the process, and remove it from automatically starting by combining this and the previous point.
- Make sure you remove the actual file from the computer once you have verified that it’s harmful. (You might have to show the contents of system folders and hidden files to achieve this, or better, use the command line.)
- Check out the entries with the code O23. You will have to Google most of them if you don’t know what they mean, but the entries here could be potentially harmful to your system. Remove the non-legitimate ones.
- Check out R0 – R3 and N0 – N3 if you find your browser misbehaving and redirecting somewhere else where you didn’t want to go.
- Boot into safe mode, turn off system restore and do a scan with your antivirus and clean the system. You can also try the latest version of Stinger to find and remove infections from an infected system.
- Be careful the next time. I don’t find many users doing this, but please, if you are using Windows XP, create a separate limited account and do your routine work from within it. Occasionally log into the administrator account to do maintenance, software installs etc. This is very important, because even if you get infected while logged into a non-administrator account, the malicious files don’t have enough rights to do as much damage as they can when you are logged in as administrator.
- If you can’t make sense of something, then visit forums and get help. After doing so once or twice you will gain confidence and will be able to make use of this wonderful tool.
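The reading of R0/R1, O1, O4 and O23 entries described above and in the tips can be turned into a small triage script. This is an added example, not part of the original post or of HijackThis itself; the log excerpt is constructed in the HijackThis line format, the "expected" start-page host and trusted directories are assumptions, and the suspicious paths and addresses are made up.

```python
import re
from urllib.parse import urlparse

# Constructed sample HijackThis log excerpt (not real tool output); the
# suspicious lines are made up to exercise the heuristics below.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example-hijack.test/
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 203.0.113.5 www.example.com
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [svchost] C:\Documents and Settings\User\Local Settings\Temp\svchost.exe
O23 - Service: Windows Time (W32Time) - Unknown owner - C:\WINDOWS\system32\svchost.exe
"""

# Start/search page hosts the owner actually expects (assumption for this example).
EXPECTED_HOSTS = {"www.google.com"}
# Directories a legitimate autostart or service binary is expected to live under.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")
LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

def parse_log(text):
    """Split a log into (code, body) pairs, ignoring non-entry lines."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]

def flag_entry(code, body):
    """Return a short reason if the entry deserves a closer look, else None."""
    if code in ("R0", "R1"):                       # IE start/search page URLs
        url = body.split(" = ", 1)[-1]
        if urlparse(url).hostname not in EXPECTED_HOSTS:
            return "start/search page points at an unexpected host"
    elif code == "O1":                             # hosts file redirection
        ip, name = body.replace("Hosts: ", "").split(None, 1)
        if not ip.startswith("127.") and ip != "::1":
            return f"hosts file sends {name} to a non-local address"
    elif code in ("O4", "O23"):                    # autostart entries and services
        path = body.rsplit("] ", 1)[-1] if code == "O4" else body.rsplit(" - ", 1)[-1]
        if not path.lower().startswith(TRUSTED_DIRS):
            return "binary lives outside Windows/Program Files (Google the file name)"
    return None

def triage(text):
    """List the entries worth Googling or asking a forum about, with reasons."""
    return [(c, b, r) for c, b in parse_log(text) if (r := flag_entry(c, b))]

if __name__ == "__main__":
    for code, body, reason in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {body}")
```

A flagged entry is only a prompt to look closer, exactly as the tips say: confirm with a search on the file name or a forum before ticking it for "Fix selected".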
HijackThis is very powerful if you just master how to read and use it. It has a built-in uninstall manager to remove misbehaving applications, a process manager, a backup utility to back up the changes you are going to make, and the ability to blacklist or whitelist items. I planned on giving more information on each and every type, but I think it will get advanced and long (it already is!), so I am having to limit this.
Do let us know if you would like some more information, or would like to know more about Hijackthis in detail. Or perhaps you know of another tool that does a better job?
(By) Varun Kashyap – A tech enthusiast, programmer and a blogger, who personally loves tools like Hijackthis. Know about such tools and more at his TechCrazy blog.