
Saturday, February 12, 2005

The Overuse of HijackThis

I would consider HijackThis an advanced tool for the detection of certain Spyware. However, it is being widely used and recommended online as the only correct way to remove Spyware and, irresponsibly, Viruses. As usual the Elitists will try to make everything more complicated than it is or needs to be.

"Elitism (Defined) - The belief that certain persons or members of certain classes or groups deserve favored treatment by virtue of their perceived superiority, as in intellect or social status."

Spyware Background

Spyware infection in Windows Operating Systems has currently exceeded some estimates of 90%. Its proliferation can largely be attributed to the Antivirus Companies' dismissal of it. This forced new classifications for "Spyware" and "Malware", further complicating the situation for an already confused public. New companies such as Lavasoft had to start from the ground up to gain a reputation that Antivirus companies have held for years and could have used to prevent this current epidemic. Spyware infection occurs using Browser or operating system exploits to install itself. The fact that a large amount of Spyware does not replicate or follow standard Virus attributes has led to this self-inflicted blind eye by the Antivirus Companies. To compound matters, some Spyware is bundled with over-the-counter software, making detection and removal by Antivirus Companies potentially more of a legal issue. Whether or not a EULA includes language for "legal" installation of this trash does not make it any less of a problem.


The Cure

With Antivirus companies taking a back seat in regards to Spyware, third party solutions were relied upon to solve the problem. However, a Virus scan should ALWAYS be run before checking for Spyware, since Viruses can mimic just about any symptom. You can run a free online scan here:

Trend Micro Housecall

Scanning for Spyware also happens to be free:

Spybot Search and Destroy
Windows Defender

With these powerful free scanners fully available and used in combination with an updated Antivirus program, you can effectively eliminate all known Spyware from your PC. The problem is that, like Viruses, new versions of Spyware will be made, so the scanners must be updated just like your Antivirus program. These updates have currently been on a weekly or monthly basis.


Rogue Elements

With anything software related you will have the pirates. These are not pirates in the normal sense of selling copies of software, but the rogue elements who prey on the naive and novice user. Rogue AntiSpyware products have appeared that flat out copy the respectable AntiSpyware products (Ad-aware, Spybot), offer deliberate false detections for profit or, at the very worst, install Spyware on your PC. Eric L. Howes created a list of these: Rogue AntiSpyware Products.


HijackThis
"HijackThis is a general homepage hijackers detector and remover. Initially based on the article Hijacked!, but expanded with almost a dozen other checks against hijacker tricks. It is continually updated to detect and remove new hijacks. It does not target specific programs/URLs, just the methods used by hijackers to force you onto their sites. As a result, false positives are imminent and unless you are sure what you're doing, you should always consult with knowledgeable folks before deleting anything."
Let's start by saying the maker of HijackThis, Merijn, should be applauded for taking the time to develop advanced Spyware tools. He should also be credited with creating CWShredder, which he has since sold to Intermute and then Trend Micro, who continue to actively develop it and have released the most current version.

I personally don't recommend using HijackThis as I have found it to be generally unnecessary. However, the online community, especially in numerous technical support forums, has gone too far with the recommendation of a tool that is designed merely to list certain Registry entries and running processes. You'll see main header topics in these forums listing instructions that only say: run HijackThis, post your log and wait for an "expert" to assist you. Failing to recommend running basic Antivirus and Spyware scans first results in multiple-page-long logs and time unnecessarily wasted by the HijackThis Elitists, inflicted upon the novice user while they point out each line one at a time to be removed. All the while they fail to inform or acknowledge that HijackThis is not an Antivirus program, nor can it clean most Viruses or complex Spyware. This results in a never-ending posting and counter-posting of HijackThis logs until someone tells them to run a virus scan or use one or more of the Spyware scanners. Talk about ridiculous!

The reason this happens is misinformation. HijackThis, while an advanced tool for detection and, in certain instances, basic removal of some Spyware, took on a status as THE advanced Spyware removal tool. So much so that people recommend it first, since they may have had what I have usually found to be Virus infections that the Spyware scanners do not detect. No kidding, Spyware scanners only detect Spyware!!!

The other obvious problem is when new Spyware is detected before the scanners have had a chance to release an update. This happens, but not that often; at least not as often as some of the Elite try to say it happens.

The fact still remains that in the large number of cases, if you run the correct scans in the correct order and then check HijackThis, it will be clean. Coincidence? Not at all. Certain members of the online community have gone so far in claiming Elite status that they refuse to let anyone but those trained in their "special" HijackThis removal courses help people on their forums. This is completely absurd and the most blatant example I have seen of Elitism yet.

Is Spyware removal difficult for the novice user? Sure, anything is difficult when you do not know what to do, and seeking out online help is a good idea. The problem is that so much online help is bad information, including recommending absurd solutions like using Firefox. This is not only bad advice, it is potentially dangerous, since the infected machine is never properly cleaned, usually of viruses as well as Spyware. A responsible solution is simply recommending running a set of relatively simple scans, after which, only if necessary (usually not), posting a HijackThis log. That is not even necessary anymore with the Online HijackThis Analyzer. The only question remaining is what to do with the remaining HijackThis Elitists and all the extra Forum Space?
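As an added example (not code from the original post, nor from HijackThis or Autoruns), here is a PowerShell script that lists the autostart locations a HijackThis-style log covers, the Run/RunOnce keys and Browser Helper Objects, and flags entries whose target file is missing or unsigned. The registry paths are the standard Windows ones; the missing/unsigned heuristic is this example's own assumption, and a clean listing here says nothing about infected system files, which is exactly the post's point about running a virus scan first.

```powershell
# Added example, not code from the original post or from HijackThis/Autoruns.
# Lists the autostart locations a HijackThis-style log covers (Run/RunOnce keys,
# Browser Helper Objects) and flags targets that are missing or unsigned.
# Registry paths are the standard Windows ones; the flagging heuristic is ours.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-ExePath([string]$cmd) {
    # Extract the executable from a Run value such as "C:\dir\app.exe" /flag
    if ($cmd -match '^"([^"]+)"') { return $matches[1] }
    return ($cmd -split '\s+')[0]
}

function Test-Entry([string]$source, [string]$name, [string]$path) {
    $exp = [Environment]::ExpandEnvironmentVariables($path)
    if ([string]::IsNullOrWhiteSpace($exp) -or -not (Test-Path -LiteralPath $exp)) {
        $status = 'MISSING'          # dangling entry: leftover or hidden file
    } else {
        $sig = Get-AuthenticodeSignature -LiteralPath $exp
        $status = if ($sig.Status -eq 'Valid') { 'signed' } else { 'UNSIGNED' }
    }
    [pscustomobject]@{ Source = $source; Name = $name; Path = $exp; Status = $status }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata properties
        Test-Entry "Run:$key" $p.Name (Get-ExePath ([string]$p.Value))
    }
}

# Each BHO is a CLSID subkey; the loaded DLL is under HKCR\CLSID\{id}\InprocServer32
if (Test-Path $bhoKey) {
    foreach ($clsid in (Get-ChildItem $bhoKey).PSChildName) {
        $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { '' }
        Test-Entry 'BHO' $clsid ([string]$dll)
    }
}
```

Run it in an elevated Windows PowerShell session and pipe the output to Format-Table; an UNSIGNED or MISSING line is a prompt to run the scanners, not proof of infection on its own.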

6 comments:

culla said...

I agree, bloody elitists. I got a 24hr ban just for trying to help at www.techguy.org,
even though I've been running computers for a long time, all clean. The only reason I downloaded HJT was because they said to, and it found me clean, and yes I think I can read them safely enough but they reckon I can't. Good on you for your truthful statement :)

Andrew said...

I know exactly what you are saying. Certain sites have tried to make this elitist group up revolving around HijackThis. It is a load of BS. Anyone who can use Google can read a HijackThis log. Merely use the HijackThis tutorial:

http://www.spywareinfo.com/~merijn/htlogtutorial.html

None of those guys will tell you what they really do is plug the logs into programs like the KRC HijackThis Analyzer: http://www.greyknight17.com/download.htm

and then spit the results back to the forums.

HijackThis is largely unnecessary, especially when the proper scans are run first, including a VIRUS scan. You can find all you need here: http://mywebpages.comcast.net/SupportCD/DiagnoseXP.html

Steps 1 and 2 will keep you clean.

Tortuga said...

Personally, what made HijackThis my #1 is exactly how simple and straightforward it is, in addition to being 100% effective ( at least while it continues to be updated ).

It gives you 100% control over the task at hand - having a clean computer. For me it is an all in one - you get rid of spyware, you get rid of viruses, you get rid of useless startup items and reminders, and other resident programs.

I have yet to witness one of my clients actually using the software by themselves, which kind of proves your point. However I don't see that as a shortcoming of the software. People want something that they can set and forget (even better - if someone would set it for them so that they will never have to bother). And this kind of solution doesn't exist. All the automatic spyware removal software fails at some point. People don't bother to update it, or a certain spyware finds a workaround, or a backdoor virus renders it useless, etc. That is my experience. If there was an almighty automatic solution - I guess everyone would be using it and that would be the end of it, but it's not the case.

You are right that HijackThis is a last resort in a certain sense. If all else fails then you can use HijackThis to ultimately solve the problem. I am not saying I haven't run into problems that go beyond HijackThis (like LSPfix or smitRem type). But that doesn't change the fact that it is the most powerful and useful tool "I" know.

That is the reason why people usually ask first to see the HijackThis log (that and being very practical for remote troubleshooting). It is assumed that whatever automated software you use, it failed. So why bother going through that many steps of run this or that, when you can go straight to the point and SEE where the problem is. And it's easy on the person being helped - he only has to deal with one software, and one pretty straightforward task.

Whether you use it as a last resort or as the first step is a personal choice. I for one, run HijackThis first to see if I "have" a virus, and then take action with an antivirus program. It doesn't bother me if I have a virus, backdoor, a spyware, etc on my computer as long as it's not active. In fact, lately I use my antivirus just to scan new files and almost never to clean my system. Even for my clients, once I'm finished with HijackThis, the virus scanning is mostly redundant.

People need to understand that they need to be involved in the security of their computers. Until they do, spyware, adware, backdoors, etc will remain.

I don't agree that with HijackThis you need to be a professional (or elite) to use it. A simple strategy that everyone, even the least knowledgeable, can follow is to google each item from his log and read what it does, and hence whether it needs removing or not. It takes time, but once you go through all the items once - you can add them to the ignore list, and never bother with them again. Next time you "catch" something it will be that much more obvious to see.

For me it couldn't be simpler - check your Task Manager regularly. Once you notice something irregular, run HijackThis and remove the "problem". If it persists, deal with HijackThis when in Safe Mode and you should be done.

Just as a last note, I have nothing against all that other automated software, shall we call it. If it helps - that's good. I just don't see HijackThis as becoming obsolete and I find it the easiest and fastest tool to work with. For example I can spot and disable an active virus in 5min, while running the antivirus will usually take hours.

Andrew said...

HijackThis definitely does not always clearly show what you are infected with. The names of files and locations can be the same name of standard windows files. Viruses can and most commonly infect regular Windows system files, which will never show up in HijackThis. The only way to find these files is by running a virus scan. These same files will not show in Task Manager.

It is completely irresponsible to not have people run standard AntiVirus and AntiSpyware scans before looking at any HijackThis log, which will only show certain Malware that is executed through standard Windows run components and BHOs. That is hardly comprehensive. Anyone who thinks it is has absolutely no idea how Viruses and Malware work.

anonymous said...

lol you people are all full of BS. If you go to a proper HJT forum you might just about find that they do have pre-HJT instructions.

All the entries mean different things, and RANDOM CLSIDs and filenames are usually SIGNS of SPECIFIC INFECTIONS.

WHO makes the DATABASE with all the information about the HJT entries that you can google up? THE EXPERTS. THEY put the information up to help other people.

IMHO I think you people need to know a hell of a lot more about HJT before making something like this. Proper Experts do use specialized tools to help them.

This I think is Absolute BULL.

Andrew said...

Yeah I've seen these "forums" most with incomplete instructions that are never required because of the HijackThis "groupies" who love giving pages of pointless instructions using HijackThis rather than making the person do the work of running the scans in safe mode.

What do you mean "random CLSIDs"? You mean registry entries? Talk about elitists trying to use registry entry labels when describing what HijackThis does.

Yeah I've met those "experts". Please, their backgrounds are usually not even in IT. What a load of crap. The only way they can perpetuate this con is because people assume they are an authority. You CANNOT make a database up to deal with entries that fake legitimate applications. This is what you elitists don't get. You guys think you found this special program that does it all! Please, HijackThis is a glorified MSconfig program; Autoruns does the same thing. You cannot look at a log and know if an entry faking a Java associated DLL is real or not using that tool. You have to run scans.

Yeah I know all there is to know about HijackThis reading the documentation that comes with it and I also know how malware infections really work.

HijackThis is a tool glorified by wannabe pseudo-intellectuals who want to make themselves feel important. People can get 99% of the way there in almost all cases running simple scans in safe mode. I do this for a living and yes, occasionally I do use HijackThis. Almost every time, the system is already clean and the tool is useless.