Removing Malware with a-squared HiJackFree 2.0

"a-squared HiJackFree is a detailed system analysis tool which helps advanced users to detect and remove all types of Hijackers, Spyware, Adware, Trojans and Worms." You can read this on the product homepage, but how does it actually work in concrete terms? This tutorial uses a number of examples to explain how a Malware specialist goes about manually examining a computer for a Malware infection.
1. Malware basics
Most modern Malware, such as Trojans or Spyware, runs as an independent process.
The only exceptions are classical viruses, which attach themselves to other
programs in order to run; here we deal only with the recognition of stand-alone
Malware. Knowing which processes are currently running is therefore helpful,
because you only need to find the relevant Malware process and terminate it
to render it ineffective. For each running process you should be able to answer
the following questions:
- Where does the program come from (which file on disk does it run from)?
- Who wrote the program?
- Does the program open a TCP or UDP port to receive commands from outside the computer?
- Was the program automatically started via an Autostart entry?
- Does the program run as a Windows Service?
Since the average PC has around 50 running processes, answering these questions
with only the standard tools provided with Windows rapidly becomes a tedious job.
This is where a-squared HiJackFree comes into play: its advantage is that exactly
these questions, the ones needed for Malware recognition, can be answered much more
quickly.
Note that HiJackFree cannot give you a definite statement as to whether a process
is Malware or not; what it does is help you filter out the normal system processes.
You should initially focus on the yellow, red and white entries, which saves a
great deal of time. However, you should never blindly trust the color of an entry!
Once you have definitely identified a process as hostile, the next step
is cleaning it from the computer:
2. TCP/UDP ports
TCP and UDP ports are the data channels through which a program sends and receives network data, and so also the channels through which it can receive commands over the Internet. Examples of commonly used TCP ports are web servers (port 80), FTP (port 21), SMTP (port 25) and POP3 (port 110). Backdoor Trojans, however, also open ports so that the PC can be remote-controlled over the Internet. Any port number can be chosen, but a given port can normally only be opened for listening by one program at a time.
The ports section in HiJackFree shows you all open ports on your PC and the
processes that own them. Proceed exactly as with the process list: go through
all entries and check the ports being used. A process may be well camouflaged by
a well-chosen name and not be immediately recognized in the process list, but it
cannot hide from the port list. Open ports are not hostile as such; check whether
a program has a plausible reason for opening a port. A program that is supposed
to do word processing, for example, does not normally need to open any ports.
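The questions from the process section and the port check above can also be answered with the cmdlets built into Windows. The script below is an added example, not code from a-squared HiJackFree or from the tutorial: it builds one row per process with its file path, the company from its version information, its Authenticode signer, the ports it listens on and the services it hosts, and then lists the rows a practitioner would review first. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (Get-NetTCPConnection and Get-NetUDPEndpoint come from the NetTCPIP module).

```powershell
# Added example, not part of a-squared HiJackFree: answer the questions from the
# process and port sections with built-in cmdlets only. Run in an elevated
# PowerShell on Windows 8 / Server 2012 or later (Get-NetTCPConnection needs the
# NetTCPIP module, and the paths of other users' processes need admin rights).

# 1. Which process owns which listening TCP port / bound UDP port?
#    Keys are cast to [int] because OwningProcess is a UInt32 while Process.Id
#    is an Int32, and a hashtable treats 1234 (UInt32) and 1234 (Int32) as
#    different keys.
$portsByPid = @{}
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object {
    $portsByPid[[int]$_.OwningProcess] += @("tcp/$($_.LocalPort)")
}
Get-NetUDPEndpoint -ErrorAction SilentlyContinue | ForEach-Object {
    $portsByPid[[int]$_.OwningProcess] += @("udp/$($_.LocalPort)")
}

# 2. Which process hosts which Windows service(s)?
$servicesByPid = @{}
Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -gt 0 } | ForEach-Object {
    $servicesByPid[[int]$_.ProcessId] += @($_.Name)
}

# 3. One row per process: origin (Path), author (Company from the file's version
#    resource plus the Authenticode signer), ports and services.
function Get-ProcessReview {
    foreach ($p in Get-Process) {
        $path = $p.Path            # $null for protected or kernel-backed processes
        $sig  = $null
        if ($path) { $sig = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue }
        [pscustomobject]@{
            PID       = $p.Id
            Name      = $p.ProcessName
            Path      = $path
            Company   = $p.Company
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            SigStatus = if ($sig) { [string]$sig.Status } else { 'n/a' }
            Ports     = ($portsByPid[[int]$p.Id] -join ',')
            Services  = ($servicesByPid[[int]$p.Id] -join ',')
        }
    }
}

# Is a path inside the Windows or Program Files directories?
$systemDirs = @($env:SystemRoot, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
function Test-InSystemDir([string]$path) {
    if (-not $path) { return $false }
    foreach ($d in $systemDirs) {
        if ($path.StartsWith($d, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$review = Get-ProcessReview

# Everything, unsigned/unknown entries first.
$review | Sort-Object SigStatus, Path |
    Format-Table PID, Name, SigStatus, Company, Ports, Services, Path -AutoSize

# Review first: processes that listen on a port or host a service but are not
# validly signed or run from outside the Windows / Program Files directories.
$review | Where-Object {
    ($_.Ports -or $_.Services) -and ($_.SigStatus -ne 'Valid' -or -not (Test-InSystemDir $_.Path))
} | Format-Table PID, Name, SigStatus, Ports, Services, Path -AutoSize
```

The Company column comes from the file's own version resource, which Malware can fill in with any name it likes; the signature status and the signer's certificate subject are the stronger evidence of who wrote the program. A process that shows no Path at all is either protected by Windows or not running from a file on disk, and both cases deserve a second look.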
3. Autostarts
This section of a-squared HiJackFree shows you all Autostart entries in your system, i.e. the entries used to start programs automatically when the system boots. In addition to the standard Autostart locations in the registry, there are lots of other, less well-documented places in the system from which a program can be started automatically. HiJackFree shows you 30 different Autostart locations. Be especially careful with entries in the "Tricky startups" section and definitely consult a specialist or obtain detailed information from the Web before deleting anything there; otherwise you can very quickly render the system unusable.
The most important Autostarts are in the "Registry" section, which is divided into two sub-categories: Autostarts that apply system-wide to all users (HKLM) and those that apply only to the currently logged-on user (HKCU). You can deactivate an Autostart entry here to see what effect that has on the system; a deactivated entry can simply be switched on again later, so there is no need to delete it completely.
The "Refresh Online Data" button compares the Autostart list with an online database, in the same manner as with the process list, to make identification of a Malware Autostart entry much easier.
Here too, you should always check whether you actually need all the listed programs to be constantly running. Note that every program running constantly in the background requires system resources and slows down the computer. However, please do not delete the Autostart entries for your security software. Without these entries, your computer is unprotected after a system restart.
Tip: Double-clicking on an entry in the tree (e.g. Run) opens the registry editor,
allowing you to directly access the relevant place in the registry.
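The "Registry" part of the Autostart list, and the deactivate-rather-than-delete approach described above, can be reproduced with PowerShell. The following is an added example, not code from a-squared HiJackFree or from the tutorial. It enumerates the Run and RunOnce keys under HKLM and HKCU, works out which file each command line actually starts and whether that file exists and is signed, and provides two functions that move an entry into a backup key and back again. The backup key path is an assumption of this example (my own convention, not a Windows or HiJackFree location), and the entry name in the commented usage lines is hypothetical. Changing HKLM keys needs an elevated PowerShell.

```powershell
# Added example, not part of a-squared HiJackFree: list the "Registry" Autostart
# entries (HKLM = all users, HKCU = current user) with the file each one really
# starts, and deactivate/reactivate an entry reversibly instead of deleting it.
# $backupKey is my own convention for this example, not a Windows location.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit programs on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$backupKey = 'HKCU:\SOFTWARE\AutostartReview\Disabled'

# Extract the executable from a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent     or     C:\Tools\bar.exe -x
function Get-ExeFromCommand([string]$cmd) {
    $cmd = [Environment]::ExpandEnvironmentVariables($cmd.Trim())
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    if ($cmd -match '^(.*?\.(exe|scr|cmd|bat|com))(\s|$)') { return $Matches[1] }
    return ($cmd -split '\s+')[0]
}

function Get-RegistryAutostart {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $rk = Get-Item -Path $key
        foreach ($name in $rk.GetValueNames()) {
            $cmd = [string]$rk.GetValue($name)
            if (-not $cmd) { continue }                    # skip an empty (default) value
            $exe = Get-ExeFromCommand $cmd
            $exists = $exe -and (Test-Path -LiteralPath $exe -PathType Leaf)
            $sig = if ($exists) { [string](Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'missing' }
            [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; Exe = $exe; Signature = $sig }
        }
    }
}

# Deactivate: move the value, keeping its registry type (REG_SZ / REG_EXPAND_SZ)
# and its unexpanded text, into the backup key. The backup value name encodes
# the origin key so the entry can be put back exactly where it came from.
function Disable-Autostart([string]$Key, [string]$Name) {
    $rk   = Get-Item -Path $Key
    $kind = $rk.GetValueKind($Name)
    $raw  = $rk.GetValue($Name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    if (-not (Test-Path -Path $backupKey)) { New-Item -Path $backupKey -Force | Out-Null }
    $backupName = ($Key -replace '[:\\]', '_') + '|' + $Name
    New-ItemProperty -Path $backupKey -Name $backupName -Value $raw -PropertyType $kind -Force | Out-Null
    Remove-ItemProperty -Path $Key -Name $Name
}

# Reactivate: restore the value from the backup key and remove the backup.
function Enable-Autostart([string]$Key, [string]$Name) {
    $backupName = ($Key -replace '[:\\]', '_') + '|' + $Name
    $bk   = Get-Item -Path $backupKey
    $kind = $bk.GetValueKind($backupName)
    $raw  = $bk.GetValue($backupName, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    New-ItemProperty -Path $Key -Name $Name -Value $raw -PropertyType $kind -Force | Out-Null
    Remove-ItemProperty -Path $backupKey -Name $backupName
}

Get-RegistryAutostart | Sort-Object Signature | Format-Table Key, Name, Signature, Exe -AutoSize
# Hypothetical entry name, for illustration only:
# Disable-Autostart 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 'SuspiciousUpdater'
# Enable-Autostart  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' 'SuspiciousUpdater'
```

Entries whose Signature column reads "missing" point at a file that no longer exists; those are harmless leftovers, but an unsigned file in a user-writable directory is the kind of entry to deactivate first and then reboot to see what changes.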
4. Windows Services
The "Services" section is very similar to the Windows Service Manager. The main difference is that in HiJackFree you also see the full path to the service binary at a glance and receive lots of additional information in the Details window.
Generally, the services list is not very different from the process list. It is a
kind of filter showing the programs registered as services in the system, but it
also shows services that are currently stopped, as well as hidden drivers (.SYS files)
that you cannot normally see. Services are loaded by Windows when the system starts,
before any user is logged on. Malware registered as a service is thus already active
before you can do anything on the PC as a user.
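To get the same view with built-in tools, including stopped services and the .SYS drivers that the Services console hides, the following added example (not code from a-squared HiJackFree or from the tutorial) queries Win32_Service and Win32_SystemDriver, normalizes each entry's path into a file you can check, and reports the signature status of that file. For services hosted in svchost.exe it also resolves the ServiceDll from the service's Parameters key, because that DLL, not svchost.exe, is the code that actually runs. It assumes an elevated PowerShell.

```powershell
# Added example, not part of a-squared HiJackFree: inventory services and kernel
# drivers (running or stopped) with the binary each one loads. Win32_SystemDriver
# supplies the .SYS drivers that Get-Service does not list. Run elevated.

# Turn a service PathName into a checkable file path. Driver paths are often
# stored relative to the system root (\SystemRoot\System32\drivers\x.sys or
# System32\drivers\x.sys) and some carry a \??\ prefix.
function Get-ServiceBinaryPath([string]$pathName) {
    if (-not $pathName) { return $null }
    $p = $pathName.Trim()
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($p -match '^(.*?\.(exe|sys))(\s|$)') { $p = $Matches[1] }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^System32\\') { $p = "$env:SystemRoot\$p" }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-SignatureStatus([string]$file) {
    if (-not $file) { return 'n/a' }
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { return 'missing' }
    return [string](Get-AuthenticodeSignature -LiteralPath $file -ErrorAction SilentlyContinue).Status
}

function Get-ServiceInventory {
    $all = @(Get-CimInstance Win32_Service) + @(Get-CimInstance Win32_SystemDriver)
    foreach ($s in $all) {
        $bin = Get-ServiceBinaryPath $s.PathName
        # Shared services run inside svchost.exe; the code that really runs is the
        # ServiceDll named under HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters.
        $dll = $null
        if ($bin -and $bin -like '*\svchost.exe') {
            $param = "HKLM:\SYSTEM\CurrentControlSet\Services\$($s.Name)\Parameters"
            if (Test-Path -LiteralPath $param) {
                $dll = (Get-Item -LiteralPath $param).GetValue('ServiceDll')
            }
        }
        [pscustomobject]@{
            Name       = $s.Name
            Type       = if ($s.CimClass.CimClassName -eq 'Win32_SystemDriver') { 'driver' } else { 'service' }
            State      = $s.State
            StartMode  = $s.StartMode
            Binary     = $bin
            BinarySig  = Get-SignatureStatus $bin
            ServiceDll = $dll
            DllSig     = Get-SignatureStatus $dll
        }
    }
}

$inv = Get-ServiceInventory
$inv | Sort-Object BinarySig, DllSig |
    Format-Table Name, Type, State, StartMode, BinarySig, DllSig, Binary, ServiceDll -AutoSize

# Review first: anything whose binary or ServiceDll is missing or not validly signed.
$inv | Where-Object { $_.BinarySig -notin 'Valid', 'n/a' -or $_.DllSig -notin 'Valid', 'n/a' } |
    Format-Table Name, Type, State, BinarySig, DllSig, Binary, ServiceDll -AutoSize
```

A stopped service with an "Auto" start mode and an unsigned binary is worth the same attention as a running one: it will be active again after the next reboot, before you log on.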
5. Others
The "Others" section contains some useful tools for eliminating Malware:
5.1. Explorer Addons
5.2. LSP
LSP stands for Layered Service Provider and describes a type of network module (a DLL registered in the Winsock catalog) that is inserted between applications and the network stack, so that it sees all data those applications send and receive. Adware uses such modules to insert advertising into the incoming browser data stream. There are also benign uses, for example Anti-Spam programs that filter Spam directly out of the data stream received from the Internet.
Always be very careful when deleting LSPs! If an LSP DLL file is deleted without
also deleting the associated entry in the LSP list, Internet access may stop working,
because Winsock then tries to load a module that no longer exists. For this reason
it is very important to remove LSPs cleanly; a-squared HiJackFree can help you with this.
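The LSP list HiJackFree shows is the Winsock catalog, which Windows itself prints with "netsh winsock show catalog". The script below is an added example, not code from a-squared HiJackFree or from the tutorial: it parses that output into one object per provider entry, expands each Provider Path and reports whether the DLL still exists and is signed, which is exactly the check for the broken state described above (entry present, DLL gone). The first catalog text is a constructed sample to show the parser; the live call follows it. The adware DLL path in the sample is invented for illustration.

```powershell
# Added example, not part of a-squared HiJackFree: list the Winsock catalog
# (where LSPs are registered) via "netsh winsock show catalog" and check that
# the DLL behind every entry still exists and is signed.

# Parse the netsh text: each provider starts with a "... Provider Entry" header
# followed by "Label:   value" lines. Name-space entries have no Entry Type and
# are skipped, so only protocol/LSP entries are returned.
function ConvertFrom-WinsockCatalog([string[]]$Lines) {
    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match 'Provider Entry\s*$') {
            if ($entry -and $entry.EntryType) { [pscustomobject]$entry }
            $entry = [ordered]@{ EntryType = ''; Description = ''; ProviderPath = ''; CatalogId = '' }
            continue
        }
        if (-not $entry) { continue }
        switch -Regex ($line) {
            '^Entry Type:\s+(.*)$'       { $entry.EntryType    = $Matches[1].Trim() }
            '^Description:\s+(.*)$'      { $entry.Description  = $Matches[1].Trim() }
            '^Provider Path:\s+(.*)$'    { $entry.ProviderPath = $Matches[1].Trim() }
            '^Catalog Entry ID:\s+(.*)$' { $entry.CatalogId    = $Matches[1].Trim() }
        }
    }
    if ($entry -and $entry.EntryType) { [pscustomobject]$entry }
}

function Get-FileStatus([string]$file) {
    if (-not $file) { return 'n/a' }
    if (-not (Test-Path -LiteralPath $file -PathType Leaf)) { return 'missing' }
    return [string](Get-AuthenticodeSignature -LiteralPath $file -ErrorAction SilentlyContinue).Status
}

function Get-LspReview([string[]]$CatalogText) {
    foreach ($e in ConvertFrom-WinsockCatalog $CatalogText) {
        $file = if ($e.ProviderPath) { [Environment]::ExpandEnvironmentVariables($e.ProviderPath) } else { '' }
        [pscustomobject]@{
            CatalogId   = $e.CatalogId
            EntryType   = $e.EntryType
            Description = $e.Description
            File        = $file
            FileStatus  = Get-FileStatus $file
        }
    }
}

# Constructed sample (not real netsh output): one base provider, one LSP whose
# DLL does not exist on this machine, so it is reported as "missing".
$sample = @'
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example adware filter (constructed)
Provider Path:                      C:\ProgramData\Example\adfilter.dll
Catalog Entry ID:                   1010
'@ -split "`r?`n"

Get-LspReview $sample | Format-Table -AutoSize

# Live catalog of this machine.
$live = Get-LspReview (netsh winsock show catalog)
$live | Format-Table -AutoSize

# Review first: anything that is not a base provider, or whose DLL is missing or unsigned.
$live | Where-Object { $_.EntryType -ne 'Base Service Provider' -or $_.FileStatus -ne 'Valid' } |
    Format-Table -AutoSize
```

If the catalog is already broken (an entry whose DLL reads "missing"), the supported repair outside HiJackFree is "netsh winsock reset" from an elevated prompt followed by a reboot; note that this rebuilds the catalog to its default state and removes every LSP, benign ones included, so run it only after you have recorded what was installed.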
5.3. Hosts file
As with the sections described previously, the Hosts file can be used for both benign and hostile purposes. It maps particular host names to specific IP addresses, independently of any DNS lookup, and is consulted before DNS is asked.
A brief detour into the Domain Name System (DNS): if you enter the address www.yahoo.com into your browser, your configured DNS server is first asked for the IP address that belongs to this web address (domain). It answers with Yahoo's IP address, the browser connects to that address and receives the requested homepage data.
The Hosts file allows this DNS answer to be overridden. For example, add the following
line to the Hosts file:

    127.0.0.1    www.yahoo.com

Then start your browser and enter www.yahoo.com. Instead of reaching the Yahoo web server, you are redirected to your own PC (127.0.0.1 is the loopback address and always means your own PC).
Spyware uses this trick to, for example, redirect the web address of your bank to an attacker's server holding a copy of the online banking application. You will not notice the difference, but as soon as you have entered your PIN you are logging in not to your bank but to the server of an attacker who wants to plunder your account.
This technique also has a useful side. You can (e.g.) redirect the addresses of
various advertising networks to point to your local IP and thus prevent advertising
from appearing on websites that you visit. Pre-configured Hosts files for this purpose
are available from (e.g.)
MVPS.org. Web developers also use the Hosts file for testing purposes when
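Both uses of the Hosts file described above, blocking advertising networks by pointing them at your own PC and redirecting a bank's name to an attacker's server, look the same in the file and differ only in the address on the left. The following added example (not code from a-squared HiJackFree or from the tutorial) parses a Hosts file, sorts every entry into "local" (loopback or unspecified address, the harmless blocking style) or "redirect" (any other address, the pattern of the banking attack), and can ask DNS directly, bypassing the Hosts file, to show what each redirected name would otherwise resolve to. The first file content is a constructed sample with reserved example names and addresses; the live read uses the real file afterwards.

```powershell
# Added example, not part of a-squared HiJackFree: review Hosts file entries.
# "local" = name points at loopback/unspecified (127.0.0.1, ::1, 0.0.0.0),
# "redirect" = name points anywhere else and deserves a closer look.

function Get-HostsEntries([string[]]$Lines) {
    $lineNo = 0
    foreach ($raw in $Lines) {
        $lineNo++
        $text = ($raw -split '#', 2)[0].Trim()          # drop comments
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }           # address without any name
        $ip = $null
        if (-not [System.Net.IPAddress]::TryParse($fields[0], [ref]$ip)) { continue }
        foreach ($name in $fields[1..($fields.Count - 1)]) {   # one line may list several names
            [pscustomobject]@{ Line = $lineNo; Address = $ip.IPAddressToString; Host = $name.ToLower() }
        }
    }
}

function Get-HostsReview([string[]]$Lines) {
    foreach ($e in Get-HostsEntries $Lines) {
        $addr  = [System.Net.IPAddress]$e.Address
        $local = [System.Net.IPAddress]::IsLoopback($addr) -or
                 $addr.Equals([System.Net.IPAddress]::Any) -or
                 $addr.Equals([System.Net.IPAddress]::IPv6Any)
        [pscustomobject]@{
            Line    = $e.Line
            Host    = $e.Host
            Address = $e.Address
            Kind    = if ($local) { 'local' } else { 'redirect' }
        }
    }
}

# For redirect entries, ask DNS directly (-DnsOnly bypasses the Hosts file) and
# show whether the Hosts address is one DNS would have returned. Needs network access.
function Compare-HostsWithDns($Review) {
    foreach ($r in $Review | Where-Object Kind -eq 'redirect') {
        $dns = Resolve-DnsName -Name $r.Host -Type A -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
        [pscustomobject]@{
            Host      = $r.Host
            HostsFile = $r.Address
            Dns       = ($dns -join ',')
            Matches   = [bool]($dns -contains $r.Address)
        }
    }
}

# Constructed sample, not a real Hosts file (reserved example names, TEST-NET address).
$sample = @'
# constructed sample
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net  tracker.example.net   # blocking style
203.0.113.10    www.bank.example                        # redirect style
'@ -split "`r?`n"

Get-HostsReview $sample | Format-Table -AutoSize

# Live file of this machine: only the redirect entries are interesting.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$live = Get-HostsReview (Get-Content -LiteralPath $hostsPath)
$live | Where-Object Kind -eq 'redirect' | Format-Table -AutoSize
# Compare-HostsWithDns $live
```

A "redirect" entry is not automatically hostile (developers use them for testing, as the text notes), but one that maps a bank, a mail provider or a security vendor to an address DNS does not know is the signature of the attack described above.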
5.4. ActiveX
In contrast to the section for browser ActiveX modules, this section displays all system-wide registered ActiveX (COM) DLLs. These DLLs are program modules that are made publicly available for other programs to use. If you (e.g.) insert an Excel table into an MS Word document, this type of ActiveX module is used for the communication between the two programs.
HiJackFree colors all no-longer-active ActiveX registry entries red. "No longer
active" means that the Registry contains an entry for a module whose DLL is no
longer present. Such entries can usually be deleted without causing any problems.
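The red entries HiJackFree describes can be found by walking the CLSID registrations yourself. The following added example (not code from a-squared HiJackFree or from the tutorial) reads every InprocServer32 and LocalServer32 registration under HKLM and HKCU, resolves the module path (quoted, with arguments, or a bare file name that Windows finds on its search path) and reports the registrations whose module no longer exists. It also lists per-user (HKCU) registrations that shadow a system-wide one for the same CLSID, because for that user the per-user module is the one that gets loaded. It takes a minute or two on a large registry.

```powershell
# Added example, not part of a-squared HiJackFree: walk the system-wide (HKLM)
# and per-user (HKCU) ActiveX/COM class registrations and report those whose
# server module no longer exists (the entries HiJackFree shows in red), plus
# per-user registrations that override a system-wide one.

# The InprocServer32/LocalServer32 default value can be a quoted path, a path
# with arguments, or a bare file name found via the system search path.
function Get-ComModulePath([string]$value) {
    $v = [Environment]::ExpandEnvironmentVariables($value.Trim())
    if ($v -match '^"([^"]+)"') { $v = $Matches[1] }
    elseif ($v -match '^(.*?\.(dll|ocx|exe|ax))(\s|$)') { $v = $Matches[1] }
    if (-not $v -or [System.IO.Path]::IsPathRooted($v)) { return $v }
    foreach ($dir in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:SystemRoot) {
        $candidate = Join-Path $dir $v
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $v   # unresolved bare name: reported as missing
}

function Get-ComServerEntries {
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($clsid in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            foreach ($kind in 'InprocServer32', 'LocalServer32') {
                $sub = $clsid.PSPath + '\' + $kind
                if (-not (Test-Path -LiteralPath $sub)) { continue }
                $raw = (Get-Item -LiteralPath $sub).GetValue('')      # default value = module path
                if (-not $raw) { continue }
                $module = Get-ComModulePath ([string]$raw)
                if (-not $module) { continue }
                [pscustomobject]@{
                    Hive   = $root.Substring(0, 4)                     # HKLM or HKCU
                    CLSID  = $clsid.PSChildName
                    Kind   = $kind
                    Module = $module
                    Exists = [bool](Test-Path -LiteralPath $module -PathType Leaf)
                }
            }
        }
    }
}

$entries = Get-ComServerEntries

# Dead registrations: the module is gone but the CLSID entry remains.
$entries | Where-Object { -not $_.Exists } | Format-Table Hive, CLSID, Kind, Module -AutoSize

# Per-user registrations that shadow a system-wide one for the same CLSID.
$hklm = @{}
$entries | Where-Object Hive -eq 'HKLM' | ForEach-Object { $hklm[$_.CLSID + '|' + $_.Kind] = $_.Module }
$entries | Where-Object { $_.Hive -eq 'HKCU' -and $hklm.ContainsKey($_.CLSID + '|' + $_.Kind) } |
    Select-Object CLSID, Kind, Module, @{ n = 'SystemModule'; e = { $hklm[$_.CLSID + '|' + $_.Kind] } } |
    Format-Table -AutoSize
```

The dead entries are the ones that can usually be removed without consequence. The second list is the opposite case and the more interesting one: the module exists, but it was registered for one user only and replaces a system-wide component, so check where that module lives and who signed it before trusting it.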
a-squared HiJackFree is a powerful tool, but it is definitely not for beginners. Unlike a Malware scanner, it cannot tell you whether a program is definitely Malware or not. It can, however, help you to find and remove all traces of hidden Malware.
This tutorial shows how versatile and creative Malware programmers are in trying
to break into your system. Be absolutely clear that the topics described here are
only the tip of the iceberg; we could fill several books explaining all these
techniques in detail.