Posted 01-29-2008, 05:47 PM by Osiris (Security/Hacking Mod), Computer Forums, Virus - Spyware Protection / Detection
HijackThis Tutorial & Guide
A guide and tutorial on using HijackThis to remove Browser Hijackers & Spyware


HijackThis should only be used if your browser or computer is still having problems after running through Osiris's Spyware Removal Guide. HijackThis is an advanced tool, and therefore requires advanced knowledge about Windows and operating systems in general. If you delete items that it shows without knowing what they are, it can lead to other problems such as your Internet no longer working or problems with running Windows itself. You should also attempt to clean the Spyware/Hijacker/Trojan with all other methods before using HijackThis. For most entries HijackThis removes only the setting that loads the Hijacker/Spyware, not the program files themselves, so if you allow it to remove entries before another removal tool scans your computer, the files will still be left on your computer and future removal tools will not be able to find them.

If you do not have advanced knowledge about computers you should NOT fix entries using HijackThis without consulting an expert on using this program. If you have already gone through Osiris's Spyware Removal Guide and are still having problems, then please continue with this tutorial and post a HijackThis log in our HijackThis forum, including details about your problem, and we will advise you on what to fix.

Introduction

HijackThis is a utility that produces a listing of certain settings found on your computer. It scans your registry and various other files for entries similar to what a Spyware or Hijacker program would leave behind. Interpreting these results can be tricky, as many legitimate programs install themselves into your operating system in the same way that Hijackers do. Therefore you must use extreme caution when having HijackThis fix any problems. I cannot stress how important it is to follow the above warning.

There are two prevalent tutorials about HijackThis on the Internet currently, but neither of them explains what each of the sections actually means in a way that a layman can understand. This tutorial, in addition to showing how to use HijackThis, will also go into detail about each of the sections and what they actually mean. There is no reason why you should not understand what it is you are fixing when people examine your logs and tell you what to do.

How to use HijackThis

The first step is to download HijackThis to a location on your computer that you know you can find again. The program has no installer, so you need to remember where you downloaded it in order to launch it in the future.

Create a folder where you would like the HijackThis file to reside. It is important that you download this file to its own folder, because HijackThis stores its backups in that folder. If you run it out of a compressed file, like a zip file, or from a temporary directory instead of from its own folder, the backups will not be made.

Once it is downloaded, navigate through Windows Explorer or My Computer to the location you downloaded it to and double-click on the icon for HijackThis.exe. When it is launched for the first time, you will see a screen similar to the figure below:

Figure 1: http://i222.photobucket.com/albums/dd71/landjr/1-4.jpg

We suggest you put a checkmark in the checkbox labeled Don't show this frame again when I start HijackThis, designated by the blue arrow above, as most instructions you will be given will not account for this screen. After you have put a checkmark in that checkbox, click on the None of the above, just start the program button, designated by the red arrow in the figure above. You will then be presented with the main HijackThis screen, as seen in Figure 2 below.

PIC HERE

You should first click on the Config button, which is designated by the blue arrow in Figure 2, and confirm that your settings match those found in Figure 3 below. The options that should be checked are designated by the red arrow.

PIC HERE

When you are done setting these options, press the Back button and continue with the rest of the tutorial.
To have HijackThis scan your computer for possible Hijackers, click on the Scan button, designated by the red arrow in Figure 2. You will then be presented with a screen listing all the items found by the program, as seen in Figure 4.

PIC HERE

At this point you will have a listing of all items found by HijackThis.
If what you see seems confusing and daunting, click on the Save Log button, designated by the red arrow, and save the log somewhere on your computer that you will remember later.
To open up the log and paste it into a forum like ours, follow these steps:
  1. Click on Start then Run and type Notepad and press OK. Notepad will now be open on your computer.
  2. Click on File and Open, and navigate to the directory where you saved the Log file.
  3. When you see the file, double click on it. The log file should now be opened in your Notepad.
  4. Click on Edit and then Select All. All the text should now be selected.
  5. Click on Edit and then Copy, which will copy all the selected text into your clipboard.
  6. Go to the message forum and create a new message.
  7. Title the message: HijackThis Log: Please help Diagnose
  8. Right click in the message area where you would normally type your message, and click on the paste option. The previously selected text should now be in the message.
  9. Press Submit
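Reading a saved log by hand is the part most newcomers find hardest. The Python script below is an added example, not part of HijackThis and not from the original post: it parses a saved log into its header, the Running processes list and the numbered sections (every finding is one line starting with a section code such as R0, F2, N1 or O4 followed by " - "), then applies two simple triage heuristics: hosts entries (O1) that point a name at anything other than a loopback address, and autostart entries (O4) or processes that run out of a temporary folder. The log text embedded in the script is constructed for this example; its hostnames, addresses and file names are not from any real infection, and the heuristics are a starting point for a human reviewer, not a replacement for one.

```python
"""Parse a saved HijackThis log and apply two simple triage heuristics.

Added example, not part of HijackThis. SAMPLE_LOG below is constructed:
its hosts, addresses and file names are illustrative only.
"""
import re
from ipaddress import ip_address

# Every HijackThis finding is one line: section code, " - ", entry text.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# O1 entries quote a hosts-file line as "Hosts: <address> <hostname>".
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
# Autostarts and processes living in a temp folder deserve a second look.
TEMP_RE = re.compile(r"\\(Temp|Temporary Internet Files)\\", re.IGNORECASE)

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 5:47:12 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\user\LOCALS~1\Temp\winupd32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example-search.test/
O1 - Hosts: 192.0.2.10 www.example-bank.test
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [winupd32] C:\DOCUME~1\user\LOCALS~1\Temp\winupd32.exe
O23 - Service: Example Updater (ExUpd) - Unknown owner - C:\Program Files\Example\exupd.exe
"""


def parse_log(text):
    """Split a log into header lines, running processes and per-section entries."""
    header, processes, entries = [], [], {}
    part = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            part = "processes"
            continue
        match = ENTRY_RE.match(line)
        if match:
            part = "entries"
            entries.setdefault(match.group(1), []).append(match.group(2))
        elif part == "processes":
            processes.append(line)
        elif part == "header":
            header.append(line)
    return {"header": header, "processes": processes, "entries": entries}


def flag_suspicious(parsed):
    """Return (section, text, reason) triples for entries worth a closer look."""
    findings = []
    for entry in parsed["entries"].get("O1", []):
        match = HOSTS_RE.match(entry)
        if not match:
            continue
        addr, host = match.groups()
        try:
            redirected = not ip_address(addr).is_loopback
        except ValueError:
            redirected = True  # not even a valid address: definitely look at it
        if redirected:
            findings.append(("O1", entry, f"{host} is redirected to {addr}"))
    for entry in parsed["entries"].get("O4", []):
        if TEMP_RE.search(entry):
            findings.append(("O4", entry, "autostart runs from a temporary folder"))
    for proc in parsed["processes"]:
        if TEMP_RE.search(proc):
            findings.append(("process", proc, "running from a temporary folder"))
    return findings


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for code in sorted(parsed["entries"]):
        print(f"{code}: {len(parsed['entries'][code])} entry/entries")
    for section, text, reason in flag_suspicious(parsed):
        print(f"[{section}] {reason}\n    {text}")
```

Run it against a real log by replacing SAMPLE_LOG with the contents of the saved file. The two heuristics only narrow the list; everything they flag still needs to be checked against what you know is installed on the machine.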
If you would like to see information about any of the objects listed, you can click once on a listing, and then press the "Info on selected item..." button. This will bring up a screen similar to Figure 5 below:

PIC HERE

When you are done looking at the information for the various listings, and you feel that you are knowledgeable enough to continue, look through the listings and select the items you would like to remove by placing checkmarks in the checkboxes next to each listing, as shown in Figure 6. At the end of the document we have included some basic ways to interpret the information in these log files. By no means is this information extensive enough to cover all decisions, but it should help you determine what is legitimate and what is not.

PIC HERE

Once you have selected the items you would like to remove, press the Fix Checked button, designated by the blue arrow, in Figure 6. HijackThis will then prompt you to confirm if you would like to remove those items. Press Yes or No depending on your choice.

How to restore items mistakenly deleted

HijackThis comes with a backup and restore procedure in the event that you erroneously remove an entry that is actually legitimate. If you have configured HijackThis as shown in this tutorial, you should be able to restore entries that you have previously deleted. If you have been running HijackThis from a temporary directory, the restore procedure will not work.
If the configuration setting Make backups before fixing items is checked, HijackThis will make a backup of any entry that you fix in a directory called backups that resides in the same location as HijackThis.exe.
If you start HijackThis, click on Config and then on the Backup button, you will be presented with a screen like Figure 7 below. It lists all the items that you have fixed previously and gives you the option of restoring them. Once you restore an item listed on this screen, it will show up again the next time you scan with HijackThis.

PIC HERE

Once you are finished restoring those items that were mistakenly fixed, you can close the program.

How to Generate a Startup Listing

At times when you post your log to a message forum asking for assistance, the people helping may ask you to generate a listing of all the programs that automatically start on your computer. HijackThis has a built in tool that will allow you to do this.
In order to do this go into the Config option when you start HijackThis, which is designated by the blue arrow in Figure 2, and then click on the Misc Tools button at the top. You should see a screen similar to Figure 8 below.

PIC HERE

Click on the button labeled "Generate StartupList Log", which is designated by the red arrow in Figure 8. Once you click that button, the program will automatically open Notepad filled with the startup items from your computer. Copy and paste these entries into a message and submit it.
Hopefully with either your knowledge or help from others you will have cleaned up your computer. If you would like to learn more detailed information about what exactly each section in a scan log means, then continue reading.

How to use the Process Manager
HijackThis has a built in process manager that can be used to end processes as well as see what DLLs are loaded in that process. To access the process manager, you should click on the Config button and then click on the Misc Tools button. You should now see a new screen with one of the buttons being Open Process Manager. If you click on that button you will see a new screen similar to Figure 9 below.

PIC HERE

This window will list all open processes running on your machine. You can then click once on a process to select it, and then click on the Kill Process button designated by the red arrow in Figure 9 above. This will attempt to end the process running on the computer.
If you would like to terminate multiple processes at the same time, press and hold down the control key on your keyboard. While that key is pressed, click once on each process that you want to be terminated. As long as you hold down the control button while selecting the additional processes, you will be able to select multiple processes at one time. When you have selected all the processes you would like to terminate you would then press the Kill Process button.
If you would like to see what DLLs are loaded in a selected process, you can put a checkmark in the checkbox labeled Show DLLs, designated by the blue arrow in the figure above. This will split the process screen into two sections. The first section will list the processes like before, but now when you click on a particular process, the bottom section will list the DLLs loaded in that process.
To exit the process manager you need to click on the back button twice which will place you at the main screen.

How to use the Hosts File Manager
HijackThis also has a rudimentary Hosts file manager. With this manager you can view your hosts file and delete lines in the file or toggle lines on or off. To access the Hosts file manager, you should click on the Config button and then click on the Misc Tools button. You should now see a new screen with one of the buttons being Hosts File Manager. If you click on that button you will see a new screen similar to Figure 10 below.

PIC HERE

This window will list the contents of your HOSTS file. To delete a line in your hosts file, click on a line like the one designated by the blue arrow in Figure 10 above. This will select that line of text. Then you can either delete the line, by clicking on the Delete line(s) button, or toggle the line on or off, by clicking on the Toggle line(s) button. It is possible to select multiple lines at once using the shift and control keys or by dragging your mouse over the lines you would like to interact with.
If you delete the lines, they will be removed from your HOSTS file. If you toggle the lines, HijackThis will add a # sign in front of each one. This comments the line out so that Windows no longer uses it. Windows consults the HOSTS file before asking DNS, so a line a hijacker has added can silently send a trusted site to another address or make security sites unreachable; commenting such a line out disables it while keeping a record of what was there. If you are unsure as to what to do, it is always safe to Toggle the line so that a # appears before it.
To exit the Hosts file manager you need to click on the Back button twice, which will place you at the main screen.
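What the Hosts File Manager does to the file is simple enough to reproduce, and doing so shows why the toggle is the safe choice. The Python below is an added example (not HijackThis code and not from the original post): it splits a hosts file into lines, comments lines out or back in by adding or removing a leading #, deletes lines, and flags active mappings that point a hostname at anything other than a loopback or unspecified address, which is the pattern of a hosts-file hijack (sending a trusted site elsewhere, or pointing security sites at an address the attacker controls). The sample hosts content is constructed for the example, using .test names and documentation addresses; 0.0.0.0 and 127.0.0.1 entries are treated as blocking rather than redirection, since ad-blocking hosts lists use them legitimately.

```python
"""Comment out, restore, delete and review hosts-file lines.

Added example that mirrors what the HijackThis Hosts File Manager does;
not HijackThis code. SAMPLE_HOSTS is constructed for the example.
"""
from ipaddress import ip_address

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0         ads.example-tracker.test
192.0.2.10      www.example-bank.test
192.0.2.10      update.example-antivirus.test
"""


def parse_hosts(text):
    """Keep every line verbatim; indexes into this list identify lines."""
    return text.splitlines()


def toggle_lines(lines, indexes):
    """Comment an active line out with '#', or uncomment a commented one."""
    result = list(lines)
    for i in indexes:
        if result[i].lstrip().startswith("#"):
            result[i] = result[i].lstrip()[1:].lstrip()
        else:
            result[i] = "#" + result[i]
    return result


def delete_lines(lines, indexes):
    """Remove the given lines outright; toggling is reversible, this is not."""
    drop = set(indexes)
    return [line for i, line in enumerate(lines) if i not in drop]


def mapping(line):
    """Return (address, hostnames) for an active mapping line, else None."""
    body = line.split("#", 1)[0].strip()
    fields = body.split()
    if len(fields) < 2:
        return None
    try:
        return ip_address(fields[0]), fields[1:]
    except ValueError:
        return None


def suspicious_lines(lines):
    """Indexes of active lines that redirect a name to a routable address."""
    flagged = []
    for i, line in enumerate(lines):
        parsed = mapping(line)
        if parsed is None:
            continue
        addr, _names = parsed
        # Loopback/unspecified mappings block a name; anything else redirects it.
        if not (addr.is_loopback or addr.is_unspecified):
            flagged.append(i)
    return flagged


def render(lines):
    """Join lines back into file content with a trailing newline."""
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    lines = parse_hosts(SAMPLE_HOSTS)
    bad = suspicious_lines(lines)
    for i in bad:
        print(f"line {i + 1} redirects: {lines[i]}")
    print(render(toggle_lines(lines, bad)))
```

On a real machine the file lives at %SystemRoot%\System32\drivers\etc\hosts and needs administrator rights to write; toggling the flagged lines and rebooting (or flushing the DNS cache) is the reversible way to confirm that a redirect was the cause before deleting anything.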

How to use the Delete on Reboot tool
At times you may find a file that stubbornly refuses to be deleted by conventional means, usually because it is already loaded and in use. HijackThis introduced, in version 1.98.2, a method to have Windows delete the file as it boots up, before the file has a chance to load. To do this, follow these steps:
  1. Start Hijackthis
  2. Click on the Config button
  3. Click on the Misc Tools button
  4. Click on the button labeled Delete a file on reboot...
  5. A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file and click on it once, and then click on the Open button.
  6. You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now, otherwise click on the No button to reboot later.
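Windows exposes deferred deletion through the MoveFileEx API with the MOVEFILE_DELAY_UNTIL_REBOOT flag, which records the request in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; the Session Manager carries the queued operations out early in the next boot, before the file can be loaded. This page does not say how HijackThis implements its button, so treating it as this mechanism is an assumption here. The Python below is an added example (not HijackThis code): it decodes the value's pair-of-strings format (a source path, then either an empty destination meaning delete, or a destination path, prefixed with ! when an existing target may be overwritten) so you can review what is queued before rebooting, which is worth doing because malware can queue operations through the same value, and it schedules a deletion with MoveFileExW when run as an administrator on Windows. The queue embedded in the script is constructed and its paths are hypothetical.

```python
"""Inspect and add to Windows' delete-on-reboot queue.

Added example, not HijackThis code. The mechanism is MoveFileEx with
MOVEFILE_DELAY_UNTIL_REBOOT, which the Session Manager processes at boot
via the PendingFileRenameOperations registry value. SAMPLE_QUEUE is a
constructed value with hypothetical paths.
"""
import sys

NT_PREFIX = "\\??\\"               # paths in the value use the NT namespace
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

# REG_MULTI_SZ contents as winreg returns them: a flat list read in pairs.
SAMPLE_QUEUE = [
    "\\??\\C:\\WINDOWS\\Temp\\winupd32.exe", "",           # delete at boot
    "\\??\\C:\\WINDOWS\\Temp\\newdrv.sys",
    "!\\??\\C:\\WINDOWS\\System32\\drivers\\olddrv.sys",  # rename, overwrite
]


def strip_nt_prefix(path):
    """Turn \\??\\C:\\... into C:\\... for display."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def decode_pending_ops(values):
    """Turn the flat string list into (action, source, destination) tuples."""
    ops = []
    for src, dst in zip(values[0::2], values[1::2]):
        if dst == "":
            ops.append(("delete", strip_nt_prefix(src), None))
        else:
            replace = dst.startswith("!")  # "!" marks MOVEFILE_REPLACE_EXISTING
            target = strip_nt_prefix(dst[1:] if replace else dst)
            ops.append(("replace" if replace else "rename",
                        strip_nt_prefix(src), target))
    return ops


def read_pending_ops():
    """Read the live queue (Windows only). Returns [] when nothing is queued."""
    import winreg  # only importable on Windows
    key_path = r"SYSTEM\CurrentControlSet\Control\Session Manager"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        try:
            values, _kind = winreg.QueryValueEx(key, "PendingFileRenameOperations")
        except FileNotFoundError:
            return []
    return decode_pending_ops(values)


def schedule_delete_on_reboot(path):
    """Queue `path` for deletion at next boot; needs Windows and admin rights."""
    if sys.platform != "win32":
        raise RuntimeError("delete-on-reboot is a Windows mechanism")
    import ctypes
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    if not kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError(ctypes.get_last_error())


if __name__ == "__main__":
    if sys.platform == "win32":
        ops = read_pending_ops()
    else:
        ops = decode_pending_ops(SAMPLE_QUEUE)  # demo data off Windows
    for action, src, dst in ops:
        print(f"{action:8} {src}" + (f" -> {dst}" if dst else ""))
```

Check the decoded queue before you reboot: a pending rename that drops a new driver over an existing one is the kind of entry you would want to know about, whether you put it there or something else did.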
How to use ADS Spy

There is a particular infection called Home Search Assistant or CWS_NS3 that will sometimes hide part of itself in an Alternate Data Stream, an NTFS feature that attaches extra named data to an existing file or folder. Such streams are not shown by Explorer or an ordinary directory listing and cannot be removed with the usual delete commands without deleting the file they are attached to, so the infected host file looks normal. ADS Spy was designed to find and remove these streams. For those who are interested, you can learn more about Alternate Data Streams and the Home Search Assistant by reading the following articles:
Windows Alternate Data Streams [Tutorial Link]
Home Search Assistant Analysis [Tutorial Link]

To use the ADS Spy utility you would start HijackThis and then click on the Config button. Then click on the Misc Tools button and finally click on the ADS Spy button. When the ADS Spy utility opens you will see a screen similar to figure 11 below.

PIC HERE

Press the Scan button and the program will scan your Windows folder for files that carry Alternate Data Streams. If it finds any, it will display them similar to figure 12 below.

PIC HERE

To remove one of the displayed streams, simply place a checkmark next to its entry and click on the Remove selected button. This removes the stream, not the file it is attached to. When you are done, press the Back button next to Remove selected until you are at the main HijackThis screen.

How to use the Uninstall Manager

The Uninstall Manager allows you to manage the entries found in your control panel's Add/Remove Programs list. When cleaning malware from a machine, entries in the Add/Remove Programs list often get left behind. Many users understandably like to have a clean Add/Remove Programs list and have difficulty removing these errant entries. Using the Uninstall Manager you can remove these entries from your uninstall list.
To access the Uninstall Manager you would do the following:
  1. Start HijackThis
  2. Click on the Config button
  3. Click on the Misc Tools button
  4. Click on the Open Uninstall Manager button.
You will now be presented with a screen similar to the one below:

PIC HERE

To delete an entry simply click on the entry you would like to remove and then click on the Delete this entry button. If you want to change the program this entry is associated with you can click on the Edit uninstall command button and enter the path to the program that should be run if you double-click on that entry in the Add/Remove Programs list. This last function should only be used if you know what you are doing.
If you are asked to save this list and post it so someone can examine it and advise you as to what you should remove, you can click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window into a reply in the topic you are getting help in.


To be completed later on with images.......