HijackThis!

Posted Jul 26, 2006 by Alaron  

In the continuing fight against malware, you can never be too prepared. While I have recommended a number of defensive and offensive programs such as SpywareBlaster, AVG and Spybot, this week I bring you another useful tool that anyone can use. HijackThis! scans your system for all running processes and programs, allowing you to search out any program that could be harming your system. I will cover both how to use the program and the tools it offers to fight back against a system hijacker.


After downloading the latest version, v1.99.1, there is no installation process. Simply unzip the folder and double click on the executable (.exe). I recommend creating a separate folder for the program, if only to separate your log files from any other documents.


When you open HijackThis, you’ll see a “New Users Quick Start”, showing the most common tasks. Click on Scan, with or without a log file. Unless the computer is overly bogged down, the scan should only take a few seconds. Your scan results will look daunting at first, with a long list of programs and their file paths, but don’t worry. It doesn’t take long to understand. The list is made up of entries for your internet browser and its related software, such as toolbars and search assistants. These items are followed by the programs that start when Windows boots, and lastly a listing of all the processes which are currently running in the background.




HJT uses codes to differentiate the items it finds, so you’ll see R1 or O8 before each item. You can click on the “Info…” button to decipher these codes, but the codes are not as important as the items themselves. For that, highlight an item with a click and go to “Info on selected item”. This will explain what the item is, how it works, and what HJT will do to fix the item if you decide it is a problem. It is important to note that this information is only related to the type of file, not the specific item. So it will tell you what a BHO (Browser Helper Object) is, how it can be used by spyware and how it will be removed. It will not explain that your specific item is, say, Adobe Acrobat Reader. This leads to another important distinction: HJT does not discriminate between safe objects and malware, as many other popular programs do. That is the user’s job. HJT is only a tool to access the running objects in a convenient place. Your general knowledge, Google skills and perhaps help from a forum will help solve any issues your computer has.




Your first step is to start browsing the list for everything you recognize and still want to keep. Things like anti-virus programs and various startup apps are safe, if you know you installed them, so you can check them and select “Add Checked to Ignore list”. For anything you don’t recognize, or suspect of a hijack, it’s time to do some research. Look at the end of the entry for the program’s name and file type. Things like ctfmon.exe might sound unfamiliar, but Google shows that it is a part of the Windows operating system, as long as it shows up in the System32 folder. Anywhere else and it should be removed as a Trojan.
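The ctfmon.exe check described above, generalized into a small log triage script (an added example, not part of the original post or of HijackThis itself): it parses `CODE - description` lines and flags a known Windows file name that turns up outside its expected folder. The sample log, the `EXPECTED_DIR` table, the function names and the assumed line layout are all constructed for illustration.

```python
import ntpath
import re
from collections import Counter

# Constructed sample in the "CODE - description" layout; not a real log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example/
O2 - BHO: ExampleHelper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ctfmon] C:\Documents and Settings\user\Application Data\ctfmon.exe
O4 - HKLM\..\Run: [ExampleAV] "C:\Program Files\ExampleAV\avtray.exe" /min
O8 - Extra context menu item: Example - res://C:\Program Files\Example\menu.dll/1000
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
FILE_PATH = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]*?\.(?:exe|dll)\b', re.I)

# Assumed table: directory under the Windows folder where each name belongs.
# ctfmon.exe is the article's example; the others are illustrative additions.
EXPECTED_DIR = {"ctfmon.exe": "system32", "svchost.exe": "system32",
                "lsass.exe": "system32", "explorer.exe": ""}

def parse_log(text):
    """Return (code, description, file path or None) for each log entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            found = FILE_PATH.search(m.group(2))
            entries.append((m.group(1), m.group(2), found.group(0) if found else None))
    return entries

def count_by_code(text):
    """How many entries each HJT code contributed, to see where the bulk is."""
    return Counter(code for code, _, _ in parse_log(text))

def misplaced_system_files(text, windir=r"C:\WINDOWS"):
    """Entries whose file name is a known Windows name in the wrong folder."""
    flagged = []
    for code, _, path in parse_log(text):
        if path is None:
            continue
        name = ntpath.basename(path).lower()
        if name not in EXPECTED_DIR:
            continue
        expected = ntpath.normpath(ntpath.join(windir, EXPECTED_DIR[name])).lower()
        if ntpath.dirname(ntpath.normpath(path)).lower() != expected:
            flagged.append((code, path))
    return flagged

if __name__ == "__main__":
    print(dict(count_by_code(SAMPLE_LOG)))
    for code, path in misplaced_system_files(SAMPLE_LOG):
        print("research this entry:", code, path)
```

A flagged entry is a prompt for the research step, not a verdict; pass `windir` if Windows is installed somewhere other than `C:\WINDOWS`.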


If your searches turn up empty, you can take your log file to a knowledgeable security forum, post it and let the experts help you find the problematic entries. When you have narrowed down the files that need fixing, check the box next to them and click “Fix Checked”. HJT will follow the procedure it shows in the Info button, usually removing a file and/or deleting a registry key.


HijackThis has more to offer under the Config button, including customization options and some additional tools. Under the Main tab, you can set HJT to run on Windows startup, or change your preferred homepage and search URLs following a fixed browser hijack. The Ignore list contains all the files that you have deemed safe for future scans. Backups has a list of backed up files. You can choose to have HJT keep a secured copy of items you remove, just in case you find they are needed later on. Finally, Misc Tools contains numerous extras. There is a process manager similar to what you’ll find after a Ctrl + Alt + Del. There is a HOSTS file manager for editing your computer’s hosts file. See my review of Hoster for more on this subject. You can delete a file on reboot if it refuses to be removed while Windows is running. You can delete a service, but this is risky because services can be required for Windows to function properly. You can uninstall a program within HJT, instead of opening Add/Remove Programs. Lastly, you can check for updates or uninstall the program.




So all in all HijackThis! is a very robust program that has been in my anti-spyware arsenal for years. While you don’t need to run it as often as Spybot or Ad-Aware, it is a good habit to keep an eye on your system and know what is running. You never know if something malicious could be lurking in the background without your knowledge. And should you ever have an obvious hijacker, HJT is my first tool to stop it. http://www.merijn.org/downloads.html
