Removing Malware with a-squared HiJackFree 2.0

"a-squared HiJackFree is a detailed system analysis tool which helps advanced users to detect and remove all types of Hijackers, Spyware, Adware, Trojans and Worms." You can read this on the product homepage but how does this all actually work in concrete terms? This tutorial uses a number of examples to explain how a Malware specialist would go about manually examining a computer for Malware infection.

Contents:

1. Malware basics
1.1. Filtering out suspicious processes
1.2. Removing identified Malware
2. TCP/UDP Ports
3. Autostarts
4. Windows Services
5. Others
5.1. Explorer addons
5.2. LSP protocol
5.3. Hosts file
5.4. ActiveX modules
6. Summary


1. Malware basics

Most modern Malware, such as Trojans or Spyware, usually run as independent processes. The only exceptions to this are classical viruses that attach themselves to other programs in order to run. However, here we will only deal with the recognition of stand-alone Malware. Knowledge of the currently running processes can be helpful because you only need to find the relevant malware process and then terminate it to render it ineffective.

1.1. Filtering out suspicious processes

Before you terminate something, or delete it, you need to make sure that it is not benign software needed for correct system operation. This requires analyzing each and every process in detail. The following questions must be answered:

- Where does the program come from?
- Who wrote the program?
- Does the program open a TCP or UDP port to receive commands from outside the computer?
- Was the program automatically started via an Autostart entry?
- Does the program run as a Windows Service?

Since the average PC usually has around 50 running processes, this can rapidly become a tedious job when you have to answer these questions using only the standard tools provided with Windows. This is where a-squared HiJackFree comes into play. The advantage of HiJackFree is that it allows exactly these questions required for Malware recognition to be answered much more quickly.

This is how it works:

• First open the "Processes" section and click on "Refresh Online Data", the first button in the button bar at the top right of the window. This causes HiJackFree to compare the list of active processes with an online process database containing information on the processes normally used by benign or hostile software. The process list will now be colored in green, yellow, red and white lines.
  
  
• Green entries are process names whose process database entries only refer to benign software. You can therefore assume that these processes are highly likely to be not hostile. However, it can never be guaranteed that these processes are benign. This simply means that the process information database contains no information on hostile processes with the same name.
  
  
• Yellow entries are process names that are used by both Malware and benign Software. In this case, you click on the entry and scroll to the online information at bottom of the details window underneath. This shows all the information available in the process database. Now compare the program paths listed here with the path of the active process on your PC. This requires a certain nose for details. Assuming that the path of the active process is:
  
  c:\programs\knownmanufacturer\program.exe
  
  and there are two entries in the process database for program.exe. One of them describes a hostile process with the path:
  
  c:\windows\program.exe
  
  and the other describes a benign process with the path:
  
  c:\programs\knownmanufacturer\version 2\program.exe
  
  In this case, you can assume that this is a benign process because the program path only slightly differs from a process defined as being benign (in this case only the version number in the folder name differs). If you also recognize the process from the manufacturer name as an intentionally installed benign program, then you can confidently note this program as "benign" and continue to the next process.
  
  
• Red entries in the process list are process names for which the process database contains only information on hostile programs. There can be two reasons for this: Either this is truly a Malware process or there is simply no other information in the process database on a benign process of the same name. Regardless of the reason, it is a good idea to examine this process in more detail.
  
  Enter (e.g.) the file name of this suspicious process into your favorite search machine to obtain information from other process databases in the Internet. You can then use this information and the path information to decide whether the process is benign or hostile. The HiJackFree "Details" window contains lots of useful information to help with this decision. In the "File properties" section you can see the properties of the relevant program file, such as the manufacturer and product names. Under "Process Details" you can also see whether the process runs as a Windows Service (less suspicious), whether it was started via an Autostart entry (suspicious) and whether it opens TCP or UDP ports (very suspicious).
  
  
• White entries in the list are processes for which no online information was found. Here too, it is a good idea to search the Web for more information on each of these filenames.

This should make it clear that HiJackFree cannot provide you with a concrete statement as to whether a process is Malware or not, but it provides a great deal of help in filtering out all the normal system processes. You should initially focus on the yellow, red and white entries, which will save you a great deal of time. However, you should never blindly trust the color of an entry!

1.2. Removing identified Malware

Once you have definitely identified a process as hostile, then the next step is cleaning it from the computer:

• To stop an active Malware process, you must simple terminate or "kill" it. To do this, select the process from the list and then click on the "Kill process" button in the menu on the left-hand side. However, it is highly likely that this process will again become active the next time the system is started.
  
  
• For this reason, you should also delete the corresponding program file of the process: Select the "Delete file" checkbox. It is a good idea not to completely delete the file but rather first place it in quarantine, so that it can be restored if it turns out that it was not Malware but rather a necessary program. Select the "Save backup" checkbox to do this.
  
  
• Since Malware is often loaded at system start by so-called "Autostart" entries, all these associated entries should also be deleted. Select the "Delete references" checkbox to do this. In some cases, the system can also become unstable when the file is deleted but "dead" Autostart entries still exist that refer to this missing file.

2. TCP/UDP ports

TCP or UDP ports are data channels that can be used by a program for receiving commands over the Internet. Examples of normally used TCP ports are web servers (Port 80), FTP (Port 21), SMTP (Port 25) or POP3 (Port 110). However, Backdoor Trojans also open ports to allow remote control of the PC over the Internet. Any port number can be chosen but a given port can only be used by one program at a time.

The ports section in HiJackFree shows you all open ports on your PC and the associated processes. Proceed in exactly the same manner as with the process list, by going through all entries and checking the ports being used. In some situations, a process is well camouflaged by a well-chosen name and is not immediately recognized in the process list. However, it cannot hide itself from the port list. Open ports are not fundamentally hostile. Check whether a program has a plausible reason for opening ports. For example, a program that is supposed to do word processing does not normally need to open ports.


3. Autostarts

This section of a-squared HiJackFree shows you all Autostart entries in your system, which are used to automatically start various programs when the system is started. In addition to the standard Autostart locations in the registry, there are also lots of other less well-documented places in the system that allow a program to be automatically started. HiJackFree shows you 30 different Autostart locations. You should be especially careful with entries in the "Tricky startups" section and definitely consult a specialist or obtain detailed information from the Web before deleting anything here - otherwise the system can be very quickly made unusable.

The most important Autostarts are in the "Registry" section, which is divided into two sub-categories: Autostarts that apply system-wide to all users (HKLM) and those that only apply to the currently logged-on user (HKCU). You can deactivate an Autostart entry here to see what effect it has on the system. A deactivated entry can be later simply switched on again. Complete deletion is not necessary.

The "Refresh Online Data" button compares the Autostart list with an online database, in the same manner as with the process list, to make identification of a Malware Autostart entry much easier.

Here too, you should always check whether you actually need all the listed programs to be constantly running. Note that every program running constantly in the background requires system resources and slows down the computer. However, please do not delete the Autostart entries for your security software. Without these entries, your computer is unprotected after a system restart.

Tip: Double-clicking on an entry in the tree (e.g. Run) opens the registry editor, allowing you to directly access the relevant place in the registry.


4. Windows Services

The "Services" section is very similar to the Windows Service Manager. The main difference is that in HiJackFree you also see the full path to the service at a glance and also receive lots of additional information in the Details window.

Generally, the services list is not very different to the process list. It is a type of filter showing the programs registered as services in the system, but it also shows services that are currently stopped and also hidden drivers (.SYS) that you cannot normally see. Services are loaded by Windows when the system starts, before any user is logged on. Malware registered as a service is thus already active before you can do anything with the PC as a user.


5. Others

The "Others" section contains some useful tools for eliminating Malware:

5.1. Explorer Addons

• IE Toolbars
  Some Spyware programs install an irritating Internet Explorer browser toolbar on your PC. You can delete individual Toolbar modules here.
  
  
• Shell Extensions
  If you (e.g.) click on a file in Explorer with the right mouse button, a number of entries are displayed in the popup context menu. Different modules can be added to this list. If you have installed the a-squared Scanner you will also see the entry "Scan with a-squared" in this list. Spyware can also be activated by this type of module.
  
  
• Shell Hooks
  These are also modules that attach to Explorer in order to provide benign or hostile functionality.
  
  
• Browser Helper Objects - BHOs
  These are browser extensions for Internet Explorer, similar to IE Toolbars, that can modify the display of a website. Spyware primarily uses such helper objects (BHOs) for adding advertising or popups to visited websites.
  
  
• ActiveX
  This also only affects Internet Explorer. These modules allow the functionality of the browser to be extended. Known browser ActiveX modules are (e.g.) the Flash Player used for displaying Flash animations and the a-squared Web Malware Scanner that allows you to scan your PC for Malware infection.

5.2. LSP Protocols

LSP stands for Layered Service Provider and describes a type of network driver that can be switched between programs and the network card. Adware uses such modules to insert advertising into the incoming browser data stream. There are also benign areas of application such as (e.g.) Anti-Spam programs that directly filter Spam out of the data stream received from the Internet.

Always be very careful when deleting LSPs! If an LSP DLL file is deleted without also deleting the associated entry in the LSP list, then the Internet access my stop working! For this reason, it is very important to cleanly remove LSPs - a-squared HiJackFree can help you with this.

5.3. Hosts file

As with the previously described sections, the Hosts file can also be used for benign and hostile purposes. The Hosts file allows particular host names to be mapped to a specific IP address, independently of the DNS lookup.

A brief detour into the world of Domain Name Systems (DNS): If you (e.g.) enter the address www.emsisoft.com into your browser, the nearest DNS server is first asked for the IP address corresponding to this Web address (Domain). This will then answer the browser with the address: 80.237.191.14. The browser then connects to this IP address (our web server) and receives the requested Homepage data.

The Hosts file allows this DNS Server to be overridden. For example, add the following line to the Hosts file:

127.0.0.1 www.emsisoft.com

Then start your browser and enter www.emsisoft.com. Instead of accessing the a-squared Web server, you are redirected to your own PC (127.0.0.1 is always your own PC).

Spyware uses this trick to (e.g.) redirect the web address of your bank to a hacker server containing a copy of the online banking application. You will not notice the difference but, as soon as you have entered your PIN number, you are not logging into your bank but onto the server of an attacker who wants to plunder your account.

This technique also has a useful side. You can (e.g.) redirect the addresses of various advertising networks to point to your local IP and thus prevent advertising from appearing on websites that you visit. Pre-configured Hosts files for this purpose are available from (e.g.) MVPS.org. Web developers also use the Hosts file for testing purposes when programming.

5.4. ActiveX Modules

In contrast to the section for browser ActiveX modules, this section displays all system-wide registered ActiveX DLLs. These DLLs are program modules that are publicly available for other programs to use. If you (e.g.) insert an Excel table into an MS Word document, this type of ActiveX module is used for the inter-program communication.

HiJackFree colors all no longer active ActiveX registry entries in red. "No longer active" means that the Registry contains information on a module for which the DLL is no longer present. These entries can usually deleted without causing any problems.


6. Summary

a-squared HiJackFree is a powerful tool but is definitely not for beginners. In contrast to a Malware scanner, it cannot tell you whether a program is definitely Malware or not. However, it can help you to find and remove all traces of hidden Malware.

This tutorial shows how versatile and creative Malware programmers want to break into your system. You must be absolutely clear that the topics described here only describe the tip of the iceberg of application possibilities. We could fill several books explaining all these techniques in detail.

Good luck in the hunt for Malware!