Hijackthis - some Tips & Tricks

There are many HijackThis tutorials on the web already, so this article is about tips that help utilize HijackThis' full potential as a diagnostic tool.

Download HijackThis from a TrendMicro link or from known reliable sources only.
http://free.antivirus.com/hijackthis/


Never run HijackThis from a Temporary Folder:

You need to save HijackThis.exe into its own permanent folder e.g. C:\HijackThis, not in any temp locations where it can be accidentally deleted when you run temp files cleaner. This is very important because by default hijackthis saves a backup of all 'Fixed' entries and you don't want those backups to be deleted when you change your mind and decide to restore some of the entries.


Restoring from the Backup:

At any time when you want to restore items that were previously Fixed just start HijackThis again and go to Config > Backups or Misc Tools > Backups  and click on the Restore button, click Yes on the prompt and that particular entry/entries will be restored instantly.

Be aware also that running it from your desktop if you're using your real name as your user account may not be a good idea if posting your log online with that info for the world to see (example below). If that's the case, remove your name before posting the log.
Same thing goes when running other scanners from a desktop.
 
C:\Documents and Settings\Edward Cullen\Desktop\HiJackThis.exe
C:\Documents and Settings\Leroy Jethro Gibbs\Desktop\ComboFix.exe

So it's a good idea to install it so it will be running from the default location of Program Files folder, then your account name will not show up in the log like the below example.
C:\Program Files\Trend Micro\HijackThis\Hijackthis.exe


HijackThis scan must be done in Normal Mode:

DO NOT run HijackThis in safe mode unless that's the only mode the pc boots into. Normal mode is the mode it should be run when all nasties lurking in the system are active and running. You would want to know everything that are running(bad or good) in order to know what infection is present and what method to use for removal.


MSConfig and HijackThis:

DO NOT uncheck any entries in MSConfig > Startup prior to running Hijackthis. It is important that you do not disable any startup entries because Hijackthis will not scan them and the log will not show all the programs or nasties running in the system.

I have seen suggestions on threads where Experts advised users to disable startup entries in msconfig and then suggested a HijackThis scan after.
This is not a good method(if you haven't seen the log yet) because we want to know all the programs that are running at startup and if you disable those then they are not being scanned therefore won’t be listed in the log. You can disable them after the scan or alternatively just disable them using HijackThis by fixing the relevant entries.
Fixing the 04 entries in HijackThis is equivalent to unchecking entries in MSConfig > Startup.

If it's a work PC or if it's part of the company's network, be aware that your company’s Domain name or IP address can also show up in the log and you may not want to post a log online with that info for the hackers to see.

There is an automated analyzer at www.hijackthis.de/ that basically tells you whether the entries are legit or not but you mustn't rely on its findings as any automated analyzer is only as good as its database. So use it only as a guidance.

NOTE:
A clean HijackThis log doesn't necessarily mean a clean system because a lot of nasties can now hide from the HijackThis scan. So other scanners are needed or other diagnostic tools need to be used if the system is infected. HijackThis is not a standalone removal tool, it can't remove infections on its own so it often needs other tools to complete the removal.
If you want someone to analyze your log, ask a Question in the HijackThis Zone and attach your log.
https://www.experts-exchange.com/Virus_and_Spyware/HijackThis/

Supported Operating Systems:

HijackThis supports Windows 98, Windows 2000, Windows ME, Windows XP, Windows Vista
and Windows 7.

Though it will run on non-supported systems(the diagnostic scan side of it) it may not function as well as expected when you start fixing entries or deleting files etc. The report can be misleading as may show legit entries that look suspicious, and shows "file missing" when in fact they are not missing, e.g. below. So be aware before you start fixing entries or using HijackThis' other functions on these systems.

C:\Documents and Settings\Alice Cullen\WINDOWS\System32\smss.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)

For info on HijackThis entries, check out this tutorial:
http://www.bleepingcomputer.com/tutorials/tutorial42.html