Saturday, February 12, 2005

The Overuse of HijackThis

I would consider HijackThis an advanced tool for the detection of certain Spyware. However it is being widely used and recommended online as the only correct way to remove Spyware and irresponsibly Viruses. As usual the Elitists will try to make everything more complicated then it is or needs to be.

"Elitism (Defined) - The belief that certain persons or members of certain classes or groups deserve favored treatment by virtue of their perceived superiority, as in intellect or social status."

Spyware Background

Spyware infection in Windows Operating Systems has currently exceeded some estimates of 90%. Its proliferation can largely be contributed to Antivirus Companies dismissal of it. This forced new classifications for "Spyware" and "Malware", further complicating a situation to an already confused public. New companies such as Lavasoft had to start from the ground up gaining a reputation that Antivirus companies have held for years and could have used to prevent this current epidemic. Spyware infection occurs using Browser or operating system exploits to install itself. The fact that a large amount of Spyware does not replicate or follow standard Virus attributes has led to this self-inflicted blind eye by the Antivirus Companies. To compound matters, some Spyware is bundled with over the counter software making detection and removal by Antivirus Companies potentially more of a legal issue. Whether or not a EULA includes language for "legal" installation of this trash does not make it any less of a problem.

The Cure

With Antivirus companies taking a back seat in regards to Spyware, third party solutions were looked upon to solve the problem. However a Virus scan should ALWAYS be run before checking for Spyware since Viruses can mimic just about any symptom. You can run a free online scan here:

Trend Micro Housecall

Scanning for Spyware also happens to be free:

Spybot Search and Destroy
Windows Defender

With these powerful free scanners fully available and used in combination with an updated Antivirus program you can effectively eliminate all known Spyware from your PC. The problem exists that like Viruses new versions of Spyware will be made, thus the scanners must be updated, just like your Antivirus program. These updates have currently been on a weekly or monthly basis.

Rogue Elements

With anything software related you would have the pirates. These are not pirates in the normal sense of selling copies of software but the rogue elements who prey on the naive and novice user. Rogue AntiSpyware products have appeared that flat out copy the respectable AntiSpyware products (Ad-aware, Spybot), offer deliberate false detections for profit or at the very worst install Spyware on your PC. Eric L. Howes created a list of: Rogue AntiSpyware Products.

"HijackThis is a general homepage hijackers detector and remover. Initially based on the article Hijacked!, but expanded with almost a dozen other checks against hijacker tricks. It is continually updated to detect and remove new hijacks. It does not target specific programs/URLs, just the methods used by hijackers to force you onto their sites. As a result, false positives are imminent and unless you are sure what you're doing, you should always consult with knowledgeable folks before deleting anything."
Lets start by saying the maker of HijackThis; Merijn should be applauded for taking the time to develop advanced Spyware tools. He should also be credited with creating CWShredder, which he has since sold to Intermute then Trend Micro who continually actively develops it and has released the most current version.

I personally don't recommend using HijackThis as I have found it to be generally unnecessary. However, the online community, especially in numerous technical support forums, has gone too far with the recommendation of a tool that is designed to merely list certain Registry entries and running processes. You'll see main header topics in these forums listing instructions that only include Run HijackThis, post your log and wait for an "expert" to assist you. Failing to recommend running basic Antivirus and Spyware scans first results in multiple page long logs and unnecessarily wasted time by the HijackThis Elitists inflicted upon the novice user, while they point out each line one at a time to be removed. All the time failing to inform or recommend that HijackThis is not an Antivirus program nor can it clean most Viruses or complex Spyware. This results in this never ending posting - counter posting of HijackThis logs until someone tells them to run a virus scan or use one or more of the Spyware scanners. Talk about ridiculous!

The reason this happens is misinformation. HijackThis, while an advanced tool for detection and in certain instances basic removal of some Spyware, took on a status as THE advanced Spyware removal tool. So much so people recommend it first since they may have had what I have found to usually be Virus infections that the Spyware scanners do not detect. No kidding Spyware scanners only detect Spyware!!!

The other obvious problem is when new Spyware is detected before the scanners have had a chance to release an update. This happens but not that often at least not as often as some of the Elite try to say it happens.

The fact still remains that in the large number of cases if you run the correct scans in the correct order and then check HijackThis, it will be clean. Coincidence? Not at all, certain members of the online community have gone so far to claim Elite status they refuse to let anyone but those trained in their "special" HijackThis removal courses to help people on their forums. This is completely absurd and the most blatant example I have seen of Elitism yet.

Is Spyware removal difficult for the novice user? Sure, anything is difficult when you do not know what to do and seeking out online help is a good idea. The problem is that so much online help is bad information, including recommending absurd solutions like using Firefox. This is not only bad advice it is potentially dangerous since the infected machine is never properly cleaned, usually of viruses as well as Spyware. A responsible solution is simply recommending running a set of relatively simple scans. After which only if necessary (usually not) posting a HijackThis log. That is not even necessary anymore with the Online HijackThis Analyzer. The only question remaining is what to do with the remaining HijackThis Elitists and all the extra Forum Space?


Andrew said...

I know exactly what you are saying. Certain sites have tried to make this elitist group up revolving around HijackThis. It is a load of BS. Anyone who can use Google can read a HijackThis log. Meerly use the HijackThis tutorial:

None of those guys will tell you what they really do is plug the logs into programs like the KRC HijackThis Analyzer:

and then spit the results back the forums.

HijackThis is largly unnecessary, especially when the proper scans are run first, including a VIRUS scan. You can find all you need here:

Steps 1 and 2 will keep you clean.

Andrew said...

HijackThis definitely does not always clearly show what you are infected with. The names of files and locations can be the same name of standard windows files. Viruses can and most commonly infect regular Windows system files, which will never show up in HijackThis. The only way to find these files is by running a virus scan. These same files will not show in Task Manager.

It is completely irresponsible to not have people run standard AntiVirus and AntiSpyware scans before looking at any HijackThis log, which will only show certain Malware that is execute through standard Windows run components and BHOs. That is hardly comprehensive. Anyone who thinks it is has absolutely no idea how Viruses and Malware works.

Andrew said...

Yeah I've seen these "forums" most with incomplete instructions that are never required because of the HijackThis "groupies" who love giving pages of pointless instructions using HijackThis rather than making the person do the work of running the scans in safe mode.

What do you mean "random CLSIDs"? You mean registry entries? Talk about elitist trying to use registry entry labels when describing what HijackThis does.

Yeah I've met those "experts". Please, their backgrounds are usually not even in IT. What a load of crap. The only way they can perpetuate this con is because people assume they are an authority. You CANNOT make a database up to deal with entries that fake legitimate applications. This is what you elitists don't get. You guys think you found this special program that does it all! Please HijackThis is a glorified MSconfig program, Autoruns does the same thing. You cannot look at a log and know if an entry faking a Java associated DLL is real or not using that tool. You have to run scans.

Yeah I know all there is to know about HijackThis reading the documentation that comes with it and I also know how malware infections really work.

HijackThis is tool glorified by wannabe pseudo-intellectuals who want to make themselves feel important. People can get 99% of the way there in almost all case running simple scans in safe mode. I do this for a living and yes occasionally I do use HijackThis. Almost every time, the system is already clean and the tool is useless.