[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More


Hijackthis - some Tips & Tricks

Published on
17,747 Points
14 Endorsements
Last Modified:
Community Pick
There are many HijackThis tutorials on the web already, so this article is about tips that help utilize HijackThis' full potential as a diagnostic tool.

Download HijackThis from a TrendMicro link or from known reliable sources only.

Never run HijackThis from a Temporary Folder:
You need to save HijackThis.exe into its own permanent folder e.g. C:\HijackThis, not in any temp locations where it can be accidentally deleted when you run temp files cleaner. This is very important because by default hijackthis saves a backup of all 'Fixed' entries and you don't want those backups to be deleted when you change your mind and decide to restore some of the entries.

Restoring from the Backup:

At any time when you want to restore items that were previously Fixed just start HijackThis again and go to Config > Backups or Misc Tools > Backups  and click on the Restore button, click Yes on the prompt and that particular entry/entries will be restored instantly.
Be aware also that running it from your desktop if you're using your real name as your user account may not be a good idea if posting your log online with that info for the world to see (example below). If that's the case, remove your name before posting the log.
Same thing goes when running other scanners from a desktop.
C:\Documents and Settings\Edward Cullen\Desktop\HiJackThis.exe
C:\Documents and Settings\Leroy Jethro Gibbs\Desktop\ComboFix.exe

So it's a good idea to install it so it will be running from the default location of Program Files folder, then your account name will not show up in the log like the below example.
C:\Program Files\Trend Micro\HijackThis\Hijackthis.exe

HijackThis scan must be done in Normal Mode:
DO NOT run HijackThis in safe mode unless that's the only mode the pc boots into. Normal mode is the mode it should be run when all nasties lurking in the system are active and running. You would want to know everything that are running(bad or good) in order to know what infection is present and what method to use for removal.

MSConfig and HijackThis:
DO NOT uncheck any entries in MSConfig > Startup prior to running Hijackthis. It is important that you do not disable any startup entries because Hijackthis will not scan them and the log will not show all the programs or nasties running in the system.

I have seen suggestions on threads where Experts advised users to disable startup entries in msconfig and then suggested a HijackThis scan after.
This is not a good method(if you haven't seen the log yet) because we want to know all the programs that are running at startup and if you disable those then they are not being scanned therefore won’t be listed in the log. You can disable them after the scan or alternatively just disable them using HijackThis by fixing the relevant entries.
Fixing the 04 entries in HijackThis is equivalent to unchecking entries in MSConfig > Startup.
If it's a work PC or if it's part of the company's network, be aware that your company’s Domain name or IP address can also show up in the log and you may not want to post a log online with that info for the hackers to see.
There is an automated analyzer at www.hijackthis.de/ that basically tells you whether the entries are legit or not but you mustn't rely on its findings as any automated analyzer is only as good as its database. So use it only as a guidance.

A clean HijackThis log doesn't necessarily mean a clean system because a lot of nasties can now hide from the HijackThis scan. So other scanners are needed or other diagnostic tools need to be used if the system is infected. HijackThis is not a standalone removal tool, it can't remove infections on its own so it often needs other tools to complete the removal.
If you want someone to analyze your log, ask a Question in the HijackThis Zone and attach your log.

Supported Operating Systems:

HijackThis supports Windows 98, Windows 2000, Windows ME, Windows XP, Windows Vista
and Windows 7.

Though it will run on non-supported systems(the diagnostic scan side of it) it may not function as well as expected when you start fixing entries or deleting files etc. The report can be misleading as may show legit entries that look suspicious, and shows "file missing" when in fact they are not missing, e.g. below. So be aware before you start fixing entries or using HijackThis' other functions on these systems.

C:\Documents and Settings\Alice Cullen\WINDOWS\System32\smss.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)

For info on HijackThis entries, check out this tutorial:
LVL 38

Expert Comment

rpggamergirl -
Some great (and really timely) advice for anyone using HJT.
Thank you for putting it together.

"Yes" vote up above.
LVL 65

Expert Comment

by:☠ MASQ ☠
Thanks - Thumbs up vote from here!
LVL 47

Author Comment

younghv, MASQUERAID,

Thanks for the Yes vote! :)
LVL 54

Expert Comment

How useful is HJT now?  I may not be up to date (or confusing it with another) but I thought I read the program was purchased by a big company who hadn't updated it.  Great points and info and I am a huge fan of the program.  Even out of date it would still be useful I would think for certain things but I was just curious, especially when I noticed support for Windows 7, if it is now being updated and actively developed.

Thanks for the article and your time to create it!

LVL 47

Author Comment

"How useful is HJT now?"

Good question. HJT is still a useful tool, it depends what you want it for...it has lots of features and functions.
You can disable startup programs, disable/delete services, delete file on reboot, kill process etc.... but as a malware diagnostic tool it is NOT that useful anymore because a lot of nasties can now hide from its scan. A clean Hijackthis log doesn't mean that the system is clean.

"I may not be up to date (or confusing it with another) but I thought I read the program was purchased by a big company who hadn't updated it."

Yes, TrendMicro bought Hijackthis, but unfortunately Trend doesn't have a good history of maintaining their acquired tools. If you remember CWShredder which they also acquired, it become obsolete.
Yes, HJT is still being updated, but nothing dramatic is happening there. I only hope that what happened to CWShredder will not happen with HijackThis.

Thanks for the Yes vote, :)

Featured Post

Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Join & Write a Comment

Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

Keep in touch with Experts Exchange

Tech news and trends delivered to your inbox every month