Clean your PC with Trend Micro HijackThis
This article was updated on February 27, 2008, from an article originally written by CNET Editor Karen Whitehouse Spiegelman.
Sometimes, despite your best efforts, insidious adware burrows into your computer and won't come out. It can hijack your home page, add an unwanted toolbar to your browser, sling pop-up ads, or even track your every movement for commercial gain. You should always try running standard adware-removal programs such as Ad-Aware and AVG first, but when they can't keep the nasties at bay, Trend Micro HijackThis digs deep. Be careful, though: The program doesn't do spyware removal. It does, however, identify commonly abused methods of altering your computer, some of which may be benign and some that are critical. Fortunately, the Internet community offers ways to separate spyware from critical system components.
Step 1: Set it up
One of Trend Micro's additions when it acquired HijackThis is an installer, so if you're still using an earlier version that launches from a ZIP file or EXE, be sure to update to version 2, which also downloads a desktop icon for quick-launching.
Step 2: Scan your system

If you scan without a log file, you can always create one later on.
Trend Micro HijackThis opens with a simplistic interface, so running it and interpreting the results can be a wee bit confusing. Clicking "system scan" brings up a list of all the questionable entries in your registry and on your computer, either with or without the additional log file. Even a completely healthy computer that's been customized by, say, installing a new Firefox plug-in, can have dozens of entries.

Trend Micro will compare your system contents with other users'. Chances are, if 90 percent of users have it, you should too.
A scan on our test machine resulted in 44 entries, all of which we recognized as benign. How do you know? Either select an individual check box and hit the "Info on Selected Item" button, or hit "Analyze This." Doing the former brings up a short definition of the entry and a general risk rating; the latter button compares, on Trend Micro's Web site, your entries to other users'. The more common the instance, this logic goes, the more likely it is to be safe. For a detailed look at your system stats, however, the best thing to do is save the log, preferably in a Trend Micro HijackThis folder, and look to the Internet for answers.
Step 3: Identify problems
Conveniently, after the program scans, the Scan button turns into the Save Log button. Once you press that, the log opens up in Notepad. At that point, the brave or foolhardy can look up entries on the Web to see whether they're benign, or click either of the information buttons mentioned above. For example, we discovered that lsass.exe is a Microsoft Windows process that helps authenticate user log-ins. Clearly this isn't something we want to delete, whereas the innocent-sounding rundll16.exe comes with the adware program BrowserAid.
However, you don't have to face the cleanup alone. Many antiadware and technical-support online forums feature dedicated and smart people who will examine your Trend Micro HijackThis log file and tell you which entries to delete. SpywareInfo runs a good one, as do CastleCops and TweakXP. For all three, registration is required, but it's free and quick. Read the forum rules before posting, and be patient.
Step 4: Clean house

Click Fix Checked only if you are certain the entry is unsafe.
Once you've done your research, check the box next to items you know are bad, then hit Fix Checked. After that, restart your computer and run an adware-removal program to see whether that took care of the problem. If you're still having problems, either repeat the process or return to the forums. The person who's helping you will tell you which files to remove, then probably ask you to restart, rescan, and post the new log. This process continues until your computer is once again deemed righteous.
Add safe entries to the Ignore List to speed up future scans.
At that point, you can check items you know are good, such as those that reset the browser page to your chosen home page, and remove them from future flagging by hitting the button Add Selected to Ignorelist.
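The restart-and-rescan loop in Step 4 can be checked by comparing the log saved before Fix Checked with the one saved after the restart. The Python below is an added example, not part of the original article or of HijackThis; it assumes each log entry sits on one line beginning with a section code such as R0 or O4, and the function names and sample logs are constructed for illustration.

```python
import re

# Assumed layout: each entry line starts with a section code (R0, F2, N1, O4 ...)
# followed by " - "; header and running-process lines do not match and are skipped.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

def parse_entries(log_text):
    """Return the set of entry lines (whitespace-normalised) in a saved log."""
    entries = set()
    for line in log_text.splitlines():
        line = " ".join(line.split())
        if ENTRY_RE.match(line):
            entries.add(line)
    return entries

def verify_fix(before_log, after_log, fixed):
    """Compare two scans; `fixed` lists the entries ticked before Fix Checked."""
    before, after = parse_entries(before_log), parse_entries(after_log)
    fixed = {" ".join(f.split()) for f in fixed}
    return {
        "gone": sorted(fixed - after),       # the fix held after the restart
        "came_back": sorted(fixed & after),  # something restored the entry
        "new": sorted(after - before),       # appeared since the first scan
    }

# Constructed sample logs (not taken from a real machine).
BEFORE = r"""Logfile of Trend Micro HijackThis (constructed sample)
Running processes:
C:\WINDOWS\system32\lsass.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\ExampleBar\bar.dll
O4 - HKLM\..\Run: [rundll16] C:\WINDOWS\rundll16.exe
"""
AFTER = r"""Logfile of Trend Micro HijackThis (constructed sample)
Running processes:
C:\WINDOWS\system32\lsass.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
O4 - HKLM\..\Run: [rundll16] C:\WINDOWS\rundll16.exe
O4 - HKCU\..\Run: [updater] C:\WINDOWS\temp\upd.exe
"""
FIXED = [
    r"O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000001} - C:\Program Files\ExampleBar\bar.dll",
    r"O4 - HKLM\..\Run: [rundll16] C:\WINDOWS\rundll16.exe",
]

if __name__ == "__main__":
    for status, lines in verify_fix(BEFORE, AFTER, FIXED).items():
        print(status, *lines, sep="\n  ")
```

An entry listed under `came_back` means something on the machine is rewriting it after the restart, which is worth mentioning when you post the new log.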
But be careful. Some entries look suspicious when, in fact, they are good entries. If in doubt, ask for help.