The Download Blog
May 21, 2009 4:01 PM PDT

Root out hidden infections with HijackThis

by Jessica Dolcourt

Editors' note: This article was first published on February 27, 2008, and was titled, "Clean your PC with Trend Micro HijackThis." It was updated on May 21, 2009.


Malware has gotten more sophisticated at hiding its tracks compared with a few years ago. Adware, it seems, with its pop-ups and unwanted browser toolbars, has taken a backseat to the sly, ever-dangerous, and much more lucrative realm of the botnet, also known as that class of malware that conscripts your computer into an army of spam-spewing zombies, or worse.

If you suspect your Windows computer may be compromised, you should always try running standard adware-removal programs first. Ad-Aware and Avira AntiVir Personal Free are two good starts. If they can't seem to keep the nasties at bay, Trend Micro HijackThis digs deeper. For most users, HijackThis is diagnostic software for Windows XP (with high compatibility for Vista) that creates a log of your Windows Registry and file settings. It is not a spyware removal tool. However, its ability to identify commonly abused methods of altering your computer can help you (and the Internet community) determine your next course of action.

Step 1: Install it

Version 2.0.2 of HijackThis contains an installer, unlike the previous version, which launched from a ZIP file or EXE. If you're using that legacy version, be sure to update. You'll find that this build also adds a desktop icon for quick launching.

Step 2: Scan your system

If you scan without a log file, you can always create one later on.

Trend Micro HijackThis opens with a simple interface that offers limited instruction. Running the program and interpreting its results can be confusing. Click either of the two "system scan" buttons to bring up a list of registry and file entries. Expect to see a mess of entries--even a Firefox plug-in on a completely healthy computer can produce multiple listings. If you choose to scan the system only, you can still save a record after the scan by selecting the "Save log" button on the bottom left. This will save the log as a plain text document that you'll be able to open in Notepad.

Step 3: Identify problems

Add to Ignore List button

Add safe entries to the Ignore List to speed up future scans.

Here's the rub--now that you've got a long list of your computer's contents, how do you determine which results are critical, and which benign?

There are a few determining factors. Some entries may be obviously tied to a legitimate program you installed. A browser helper object like Adobe PDF Reader Link Helper is clearly harmless and installs with the Adobe Reader application. Listings like these you can ignore, or you can add them to the Ignore List so they are bypassed in future scans. To keep an entry from showing up in the results list in the future, click the adjacent box to add a check mark and choose the button reading "Add checked to ignorelist." See it in action in this video (Note: The video demonstrates using the ignore list on a previous version of HijackThis.)

Fix Checked button

Click Fix Checked only if you are certain the entry is unsafe.

What if you're less certain about a cryptic Registry entry, DLL, or EXE? Select an individual item by highlighting it or clicking its check box, then hit the "Info on Selected Item" button. This brings up a short definition of the entry, examples of infected items, and the location of the file, should you want to find it on your computer and look at its properties. There's also a description of the action HijackThis takes were you to "fix" the entry with the Fix Checked button. "Fix" is a bit of a misnomer, in truth, as fixing means deleting the entry from one or more locations.

Before obliterating any file from your registry or system settings, a word to the wise: this is risky business, and one false move could permanently foul up your computer. We recommend that only advanced computer users who are very comfortable with the registry use this feature. Otherwise, searching the Internet for the item's name or number will help you identify the entry and determine whether you can safely ignore it or need to seek out assistance.

Step 4: Getting help

AnalyzeThis button

TrendMicro will compare your system contents with other users'. Chances are, if 90 percent of users have it, you should too.

There are a few ways to report your findings. The first is to choose the "Analyze This" button in HijackThis' results window. So long as a corporate firewall isn't blocking it, this will open a browser tab to Trend Micro's Web site, where you can compare your entries side by side with those of other computer users. The more common the instance, the logic goes, the more likely it's safe. To get detailed help with your system stats, however, the best thing to do is save the log, preferably in a Trend Micro HijackThis folder, and look to the Internet for answers.

Many antimalware and technical-support online forums feature dedicated support technicians who will examine your Trend Micro HijackThis log file free of charge and tell you which entries to delete. Other times, experienced and helpful power users will fill that role. In either case, it may be a good idea to double-check their suggestions with online research of your own. SpywareInfo Forum is one starting place, as are Tech Support Forum and Tweaks.com, which has a dedicated folder for HijackThis logs. Registration is required to participate in the forums. It's a standard prerequisite, but free and relatively quick. Read the forum rules before posting, and be patient.

The person who's helping you will tell you which files to remove by "fixing" them, then probably ask you to restart, rescan, and post a new HijackThis log. If there's a suspect EXE in your kit, you may also have luck with an uninstaller like Revo Uninstaller, which also scans the registry for leftover files after a program uninstalls. After that, restart your computer and rerun HijackThis or possibly an adware-removal program, depending on your issue, to see if that took care of the problem. Carry on until your computer is once again deemed pristine.
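The two rules Steps 3 and 4 describe (skip what you've already put on your Ignore List, and research anything that few other AnalyzeThis users report) can be applied to a saved log before you post it to a forum. The script below is an added example, not code from this article, from Trend Micro, or from HijackThis itself; the log excerpt, the Ignore List, the prevalence percentages, and the GUIDs are constructed sample data standing in for your own log and for Trend Micro's real comparison figures.

```python
"""Triage a saved Trend Micro HijackThis log (added example, not HijackThis code).

Rules, as the article lays them out:
  1. Entries already on your Ignore List are skipped.
  2. Entries whose file is common among other users are probably fine.
  3. Everything else, plus anything living in a temp or profile folder where
     a startup item rarely belongs, goes on the "research it first" pile.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the layout HijackThis v2.0.2 writes to its log.
# GUIDs and the "User" profile are placeholders, not real identifiers.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:05 PM, on 5/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - C:\Documents and Settings\User\Local Settings\Temp\xyz.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [svchosts] C:\Documents and Settings\User\Application Data\svchosts.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
"""

# Every HijackThis finding starts with a section code such as R0, O2, O4 or O23.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Your own Ignore List ("Add checked to ignorelist"); matched as a line prefix.
IGNORE_LIST = ("O2 - BHO: Adobe PDF Reader Link Helper",)

# Share of AnalyzeThis users reporting each file; constructed numbers.
PREVALENCE = {
    r"c:\windows\system32\ctfmon.exe": 0.92,
    r"c:\program files\java\jre6\bin\jusched.exe": 0.71,
    r"c:\program files\avira\antivir desktop\sched.exe": 0.18,
}

# Folders where a startup executable or BHO rarely belongs on a healthy XP box.
SUSPECT_DIRS = ("\\temp\\", "\\application data\\", "\\local settings\\")


@dataclass
class Entry:
    code: str            # section code, e.g. O4 (autorun) or O23 (service)
    text: str            # the rest of the line exactly as HijackThis printed it
    path: Optional[str]  # executable or DLL path, if the line names one


def extract_path(code: str, text: str) -> Optional[str]:
    """Pull the file path out of an entry; None for URL-style R0/R1 lines."""
    if code == "O4":
        # O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" /args
        _, _, rest = text.partition("] ")
    else:
        # O2 / O3 / O23 lines end in " - <path>"
        rest = text.rsplit(" - ", 1)[-1]
    if ":\\" not in rest:
        return None
    if rest.startswith('"'):
        return rest[1:].split('"', 1)[0]   # quoted path, drop arguments
    return rest.split(" /", 1)[0]          # unquoted path, drop "/switches"


def parse_log(log: str) -> List[Entry]:
    """Turn the saved log into Entry objects, skipping the header lines."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            code, text = m.groups()
            entries.append(Entry(code, text, extract_path(code, text)))
    return entries


def triage_log(log: str, common: float = 0.5) -> Dict[str, List[str]]:
    """Group entries into 'ignored', 'common' and 'research' buckets."""
    buckets: Dict[str, List[str]] = {"ignored": [], "common": [], "research": []}
    for e in parse_log(log):
        key = f"{e.code} - {e.text}"
        if key.startswith(IGNORE_LIST):
            buckets["ignored"].append(key)
        elif e.path is None:
            buckets["research"].append(key)      # nothing to look up; eyeball it
        else:
            p = e.path.lower()
            rare = PREVALENCE.get(p, 0.0) < common
            odd_place = any(d in p for d in SUSPECT_DIRS)
            buckets["research" if rare or odd_place else "common"].append(key)
    return buckets


if __name__ == "__main__":
    for verdict, keys in triage_log(SAMPLE_LOG).items():
        print(f"== {verdict} ({len(keys)}) ==")
        for k in keys:
            print("  " + k)
```

Note what the prevalence rule does to the Avira service: a legitimate antivirus that only 18 percent of the sample population runs lands in the research pile alongside the DLL in the Temp folder. That is the limit of "if 90 percent of users have it, you should too": low prevalence is a reason to look something up, not a reason to fix it, which is exactly why the article sends you to a forum before you click Fix Checked.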

Miscellaneous tools


Get at extra tools and configurations here.

Scanning may be the heart of HijackThis, but its miscellaneous tools section, accessible from the main menu, also contains a handful of useful system tools and settings. It's from there that you'll be able to generate a text log in Notepad of the processes and Windows Registry entries that run as your computer boots up. While you won't be able to manage these through HijackThis, the log will point to other outlets for unwanted code to run. You'll be able to further disable some of these through Windows system settings or with additional Windows optimizing software like Glary Utilities.

In addition, you'll find a process manager and other basic tools, such as one to flag a file for deletion on the next reboot. HijackThis includes a simple uninstaller as well, though we'd recommend going with a standalone uninstaller instead. There's also the option to open something called ADS Spy, where "ADS" stands for "alternate data streams." Most of you won't use this, but here's a video that helps explain the feature.

Much more indispensable is the Backups menu that's right next to the Miscellaneous Tools list on the configuration menu. HijackThis keeps a record of every item you've "fixed." It's here that you're able to reinstate the item if you realize the error of your overenthusiastic ways after the fact. Here's the video demonstration. From this configuration menu, you'll also be able to manage the ignore list and tweak program preferences.

Again, HijackThis is not a panacea of protection, but for many it is a very effective way to root out offending processes and settings files--a crucial first step to curing the infection.

Jessica Dolcourt reviews the latest and greatest smartphone apps, in addition to a healthy dose of Windows software. E-mail Jessica and follow her on Twitter.
by halsizqx February 28, 2008 8:35 AM PST
thanks
Reply to this comment
by jxballard February 28, 2008 10:19 AM PST
This is a great piece of software for cleaning your system, especially if you're a hardcore PC gamer!
Reply to this comment
by i_am_still_wade February 28, 2008 6:58 PM PST
HijackThis is the best program for clearing out spyware. What I do is identify what might be suspicious files. Then I find the files and right-click on them to bring up the properties menu. Then I click on the Details tab, if it exists. A legit program or DLL will have some information related to a known good company. If there is nothing there, if the Details area does not exist, or if the information that is there is from a bad company, I write it down. Then I boot into the Recovery Console. If I have any doubts at all, I just rename the file. But if I'm absolutely sure it is malware, I delete it. Then I re-run HijackThis and delete all entries related to it. Presto! No more auto-starting malware, which means other programs can now delete spyware.

But be careful. Some entries look suspicious when, in fact, they are good entries. If in doubt, ask for help.
Reply to this comment
by andrew.adams33 March 2, 2008 5:18 AM PST
I have used HijackThis to scan my system to look for problems. I saved the log file of the startup scan and system scan and uploaded said results to a malware removal forum. I have to say HijackThis is excellent and is worthwhile having on your system. 5* rating
Reply to this comment
by bilal-ali_shah March 4, 2008 12:24 AM PST
I hope it can handle over 2000 viruses.
Reply to this comment
by tashfeen_m May 25, 2008 12:27 AM PDT
HijackThis is great, but for people who don't really like to fiddle around with software or simply aren't that comfy with them, there are some other options which generally suffice: http://techqi.blogspot.com/2008/01/miscellaneous-security-software-part-1.html
Reply to this comment
by tashfeen_m May 25, 2008 12:45 AM PDT
Sorry I forgot the names! RegVac, Ad-Aware, Spybot S&D, jv16 Power Tools, CCleaner... but of course HijackThis is actually a player in a different field. Just trying to say that using all those should keep you away from situations where you need to install HijackThis -- prevention is better than cure!
by ssj4Gogeta1 May 21, 2009 6:14 PM PDT
I'm a member of techsupportforum.com and TnThelpforum.com. The analysts there no longer use HijackThis, they say it's no longer up to the task, as it doesn't show enough information about the current malware.

They use GMER and DDS now, followed by other tools like Combofix to clean the system.

The author should also point (I'm sorry if it's there and I missed it) out that all these tools are very powerful and can potentially RENDER YOUR SYSTEM USELESS, if not used correctly. The removal should be performed only by well-trained analysts. Many forums (including techsupportforum, bleepingcomputer, etc.) have "universities" in which they train people to fight malware. But it takes a lot of time (up to a year) to learn.
Reply to this comment
by ssj4Gogeta1 May 21, 2009 6:15 PM PDT
er actually not really render your system useless, but you'll have to reinstall Windows.
by dragonmasterjay May 23, 2009 11:47 AM PDT
HijackThis is out of date because TrendMicro bought it from Merijn. As soon as it got into the hands of TrendMicro, they released one version.

There are many other tools that are in place of HijackThis. To get good help, I recommend: helpmyos.com, bleepingcomputer.com, geekstogo.com, whatthetech.com, spywareinfoforum.com, and asap.maddoktor2.com
Reply to this comment
by Funfset May 24, 2009 4:31 AM PDT
I can't believe you didn't mention Malwarebytes...
Reply to this comment