BleepingComputer.com: Hijack This Program

Hi,

I did not know where to ask this question but thought this was the best place. If it is the wrong place, I apologize.

I have been trying to find out what exactly the Hijack This program does and if it makes any changes to the system when you run it. From the little I know about it, it seems it can give a lot of good information about ones system but I have not been able to find out if running it can cause any damage, like making changes you might not want made.

Can anyone give me details on this program and if it is safe to run just to see what is happening on ones system?

For the most part, HijackThis doesn't really make any changes unless you select something and hit the Fix button. Of course, overall, using HijackThis without the supervision of someone trained in its use is pretty dangerous (as is any tool like DDS, RSIT, and especially Combofix).

After that, any information about HijackThis (or other tools) would be information I don't know about or not authorized to talk about (like I'd know anything anyways....)

Thank you for your reply. I guess one of the reasons I thought it might be dangerous is all the talk here about it needing to be used with supervision, but I thought if it did not make any changes without my approval, it should not be dangerous. I just wanted to use it for the information about my system that I thought it could provide and not have it make any changes. If it did not make any changes to my system without me authorizing it, which I have no intentions of doing, I did not feel supervision would be necessary, but I wasn't sure it wouldn't change things without my authorization.

I am sorry if I have broken some rule by asking about it

Take a look at the HijackThis Tutorial and you will see why you want to have an expert guide you in its use.

Thank you, I will check out that link

Hijackthis is sort of a reporting tool used to collate data about your system. It is true that you have to tell it what to do but it is all to easy to accidentally click a button and have it delete half your registry keys etc. If this happens and the program hasn't been installed and set-up correctly that you are basically buggered because the backups won't work.

There is information available on the internet regarding Hijackthis but i would advise you to have a read of this BC Tutorial - HijackThis.

NB: It's strongly advised that you don't run the program without supervision.

Stang777, on Mar 6 2009, 07:08 AM, said:

You're welcome and follow E-Mu's advice about not using it without supervision.

Thank you E-Mu. I just finished reading the BC tutorial on the program and found it to be very informative, it gave exactly the info I needed.

As tork has said your more than welcome

tork, on Mar 6 2009, 05:46 AM, said:

After reading the info on that tutorial I think I would do fine running the program on my own should I decide I really want the info it would provide. I pretty much know what I am doing when it comes to the computer but should the program find something that might need to be fixed, I would certainly get supervision before fixing it if I was even a little bit unsure what the item needing to be fixed was. Of course, that supervision would have to come from here or an actual paid tech as I am the computer go to person for everyone I know, so there is nobody other than you guys and a paid tech for me to go to.

The only thing on computers that I do not feel comfortable messing with is hardware. If it is inside the case, it is beyond me, other than that, I can handle most things.

I appreciate the help everyone here has given me

If you 'do' run it and 'have' a look and run into anything that needs fixing then as you know there's plenty of people here who will help out.

NB: I am not condoning the use of Hijackthis without trained advice.
(This is not aimed at you Stang777 but to anyone else who may have an opinion on my comments in this thread.)

You should never attempt to fix anything using HijackThis, until someone who is experienced at reading the log outputs, has a chance to review it.
Fixing the wrong items can make your computer unbootable.

Spaces, extra characters, spelling, file location, plus numerous other subtle changes, all make the difference between a "good", or "bad", file entry.

HijackThis is not a removal tool.
It lists what is found in certain areas of the registry, or system files, in an easily accessible manner, so that those familiar with the use and reading of HijackThis logs, and windows programs, can determine what is infecting the machine, and how to remove it.
It will indeed remove the entries listed, but that does not cure the underlying problem.
The problem must be properly identified first, and cured, prior to removing the entries with HJT.
Otherwise, you leave the infection, and remove the keys which are needed to identify and remove it.

Removing entries in HJT before the problem is properly identified, and correct removal instructions posted, can make the problem undetectable to other detection, and removal, tools.
HijackThis should only be used to clean up the entries left behind, after you have properly removed the offending program, file, trojan, worm, hijacker, etc.
And this usually requires help.

E-Mu, on Mar 6 2009, 06:44 AM, said:

Thank you E-Mu

Thank you tg1911 and I understand what you are saying and will heed your advice

Hi Stang777,
As tg1911 has so aptly stated, there are several pitfalls when using HijackThis for malware removal that the inexperienced and uneducated can fall into. For the more casual use that you are alluding to, it is good to have a healthy respect for it, but, IMO, you are OK to not be afraid of it. The restrictions against posting in just any forum is because you can often get bad advice that can even be harmful, and the warnings against casual use are because HJT modifies the registry. And we all know what happens when the registry is modified without the proper knowledge.

Even tho you have now enjoyed Grinler's nice tutorial, let me try to summarize in the simplest terms what HJT is all about. It has two basic functions.

1. An enumerator. When you scan with HJT, you don't make any changes to your system. It just lists areas, mostly in the registry, where any program can be started so that it runs in memory. Whether that is a file that is loaded when windows starts, or that takes some user action to initiate, such as opening your browser so that an extension runs.

2. Modifies the registry (with some few exceptions) when you select an entry and click Fix Checked. For malware, this is key to ending bad behavior because no malware (or any other file for that matter) is going to affect you if it is not started/loaded into memory. What most people know as Startups, i.e., what some manage in msconfig, are values of Run keys in the registry.

In the earlier days, before malware got to be so vicious and HJT was little heard of, HJT specialists would use it to both rid victims of hijackings and various other unwanted software, and as a startup manager. The latter is still done to some extent--and by some specialists more than others. For the most part there are way too many logs in the malware removal forum to worry about helping to speed up startup.

For several reasons, it is not a good idea to use HJT as a startup manager. Most important is that most reg entries are deleted rather than being just disabled. HJT makes backups in case of mistakes, but they are not always viable and can be lost. I have to admit I do use it to enumerate when I am trying out new software to see what startups it adds when installed, but I will rarely fix anything with it. In my opinion the best way to manage startups is to configure the program to not start if you don't want it to. Short of that there are many nice startup managers available that are designed for just this purpose. Plus many security tools include a startup manager component.

I'm fond of Mike Linn's Startup Control Panel--simple and sweet.

We would be remiss if we failed to give warnings about some startup managers as well. Autoruns by SysInternals is very much like HijackThis--it shows little known areas where Windows allows startups to load (and Windows has a lot of them). It also allows you to delete the startups--and I don't remember seeing anywhere that it makes backups. There is a pinned topic in their forum where some people have deleted userinit and so then weren't able to boot their computer.

Startup Control Panel is less dangerous as it doesn't enumerate the Userinit/Wininit, but you still can delete startups. It does make backups tho.

It is amazing, really, how much Autoruns is like HJT. Besides the browser start page and search settings, the main difference is that HJT does have a whitelist of system files to make the list to analyze shorter--that is why I use it to enumerate when trying out new software.

Hope I've added a bit to the great help you've already received.

This post has been edited by Papakid: 09 March 2009 - 03:13 PM