I. HijackThis is not used as often any longer and is definitely NOT a stand-alone cleaning tool. It does not scan the entire system; only certain areas are scanned, to help diagnose the presence of undetected malware in some of the telltale places it hides. It is extremely important that you give the infected user a full system scan tool like Ad-Aware or Spybot (or both) for spyware issues and an online AV scan for virus, worm or trojan infections. Preferably the fix should START with those steps and finish the cleanup of strays or undetected items with HJT. It is not unusual for those programs to find hundreds of infected files and registry items that HJT does not target, especially on 64-bit systems. This is why we now use OTL. Additional infected files need to be removed by online AV scans as well.
Just because you "fixed" it in HJT doesn't mean it's clean.

Note:
A. Use the Mandatory Steps prerequisite for running apps & posting logs first:
»Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance

II. Do NOT start your fix by disabling System Restore. This rule applies to any manual fix and is especially true for spyware removal. Disabling System Restore wipes out all restore points, so should a problem arise during the fix you would have NO good working configuration to go back to in order to get the computer up and running. Even if you have to start over removing infections, this is preferable to a dead PC thanks to having System Restore turned off. Clean the restore folder and set a new point AFTER the PC is clean and all programs are working properly.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405

How to Enable and Disable System Restore in Windows ME
http://support.microsoft.com/default.aspx?...kb;en-us;264887
..........................
III. Please don't delete all the O16 items as a rule. I see this being done and it is very sloppy HJT work, as the harmless, even helpful, ones should remain on the user's PC. You can check O16 items in SpywareBlaster's Database by right-clicking on the Database list in the program and choosing *find* (you can find by name or by CLSID). Then, if found, you can click on *more information* and find by name to see what that item is and whether there are any special instructions needed (Javacool provides information links for many of those items). For the ones that remain, if you are not sure, you can check the website if you are using Eric Howes' IE-SPYAD: if the site shows up in the Restricted zone, it is best to remove it. But I see too many helpers removing perfectly harmless O16 items.
..................................

IV. About (file missing) and what it means. It doesn't always mean the file is really missing!!

You will see (file missing) in some of the lines in different sections. You can only rely on that to be true in the sections for BHOs and Toolbars (O2s & O3s).

When you see (file missing) in other sections, the file may really NOT be missing. You will see it in the O9s and the O23s especially. The only time you should fix a (file missing) entry in those sections is IF AND ONLY IF you see a *bad* file there. Be aware that "fixing" doesn't remove the malware either. It's important to have the user manually delete the file as well (plus any other recommended removal methods).

Except for the O2 & O3 sections, good items listed in other sections with (file missing) should be left alone. Most often they ARE there but HJT doesn't see the file.
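As an added example (not from the original FAQ or from HijackThis itself), here is a small Python triage script that applies the rule above to HJT-style log lines: a (file missing) tag is trusted only in O2/O3, while in other sections it is either left for manual verification or checked against a path-existence test supplied by the helper (on the affected PC that would be os.path.exists). The log lines are constructed sample data, and the assumed line layout is "Onn - description - drive path (file missing)".

```python
import re
from typing import Callable, Optional

# Constructed HijackThis-style log lines (sample data, not a real log).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\\WINDOWS\\system32\\examplebho.dll (file missing)
O3 - Toolbar: Example Bar - {00000000-0000-0000-0000-000000000002} - C:\\Program Files\\Example\\toolbar.dll
O9 - Extra button: Example - {00000000-0000-0000-0000-000000000003} - C:\\Program Files\\Example\\button.exe (file missing)
O23 - Service: Example Service - Unknown owner - C:\\WINDOWS\\system32\\exsvc.exe (file missing)
O23 - Service: Example Helper - Example Corp. - C:\\WINDOWS\\system32\\exhelp.exe
"""

# Section prefix, description fields, a drive-letter path, optional "(file missing)" tag.
LINE_RE = re.compile(r"^(O\d+) - (.+?) - ([A-Za-z]:\\.*?)( \(file missing\))?$")

# Sections where HJT's "(file missing)" can be taken at face value (BHOs and Toolbars).
RELIABLE_MISSING = {"O2", "O3"}


def triage(log_text: str, exists: Optional[Callable[[str], bool]] = None) -> list[dict]:
    """Classify the "(file missing)" tag on each parsable line.

    `exists` is a path-existence test run on the affected PC (e.g. os.path.exists).
    When it is None, flagged entries outside O2/O3 are left for manual verification.
    """
    results = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an Onn line with a file path; nothing to judge here
        section, desc, path, flagged = m.group(1), m.group(2), m.group(3), bool(m.group(4))
        if not flagged:
            verdict = "not flagged"
        elif section in RELIABLE_MISSING:
            verdict = "missing (reliable in O2/O3)"
        elif exists is None:
            verdict = "unverified: check the path by hand on the PC"
        elif exists(path):
            verdict = "present: HJT tag is wrong, leave the entry alone"
        else:
            verdict = "file absent: fix only if the item is a known bad one"
        results.append({"section": section, "desc": desc, "path": path, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['section']:<4} {r['verdict']:<55} {r['path']}")
```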

.................................
V. Don't begin fixes until you have an updated HJT version and it is located in the proper folder!!

quote:
Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. Use the exe not the beta installer! See here for specific instructions and screen shots to help:
http://russelltexas.com/malware/createhjtfolder.htm
This is to ensure it makes the necessary backups for recovery if needed.


................................
VI. Back up the Registry. Don't even think about giving instructions to edit the Registry unless you have the user back up the Registry first.

How to back up and restore the entire registry:
http://service1.symantec.com/SUPPORT/tsgen...c_nam#_Section2
...........................
VII. Don't wrap up a thread until you have given your user some prevention advice and tools.
»Security Cleanup FAQ »How do I prevent Browser Hijacks and Spyware?

Give a man a fish and he will eat for a day. Teach a man to fish and he will eat for a lifetime

Remember that part of our mission is educating our visitors! Each one should not leave here without some good free antispyware tools and instructions to be able to clean their PC and prevent future infections.
................................
VIII. Remember to check for Windows Critical Security Updates. Remind your victims to check Windows Update and get all the latest updates recommended for their OS and IE. The first defense against infection is a properly patched system and browser.

http://v5.windowsupdate.microsoft.com/en/default.asp

Encourage them to set their PC for automatic updates so that they won't miss any.
................................
IX. DO look up what type of malware you are dealing with where possible.
Many times the user might have a nasty that requires extra instructions due to registry changes, lowered security settings, or other considerations, especially in the case of a dangerous nasty like a trojan, keylogger, password stealer or RAT. Most of the databases used to look up HJT items have reference links for the file names, which are very useful in these cases :)

In other words, just finding out a file is bad is NOT ENOUGH. You must find out why it is bad and how to clear out the entire infection, plus any cautions your user may need to know about changing passwords, accounts, etc.
...................................
X. DO identify unknown files where possible and submit undetected nasties to the AT/AV/AS vendors. You can scan single files at one of these:

»Security Cleanup FAQ »Single File Detection Sites

Those sites will submit your file to any vendors they use at their site that do NOT detect a particular nasty (unless none of them detect it, in which case you need to submit manually to the vendors).
Submit Malware

by CalamityJane, edited by lilhurricane
last modified: 2010-03-26 08:17:38