How to use HijackThis






HijackThis is easily my favorite anti-spyware tool. I don't mean that Ad-Aware, Spybot S&D and the others out there aren't great, but HijackThis has saved my butt so many times that it's ridiculous. It's not at all like a traditional adware scanner: there are no definition files, no updates to worry about, not even any real 'scanning'. HijackThis simply takes a quick romp through your registry, your HOSTS file and a handful of other places where programs get themselves loaded, and lists what it finds there, grouped by where it came from.


There is no really easy way to explain how to use it. If you're a complete novice with computers, it may not be a good idea to use this tool, because you can certainly break a few things with it. McAfee in particular tends to be temperamental if you accidentally axe some part of it with HijackThis (HJT for short), so keep an eye on what you're having it remove.


**Note:** I like to work out of Safe Mode with this program, just to be sure that nothing extra is running. If spyware is running at the moment you remove its registry entries, it will usually re-add them immediately. Save yourself a headache and just use Safe Mode.

That said, it's not hard to use at all. When you first start it up you will be presented with the new-user quick start. Go ahead and click the 'Do a system scan only' button. Don't worry, you can always save a log later.



Following your click, the above screen should appear. Notice that every entry has a code in front of it. The code tells you which section of the registry (or which file) the entry came from, and the short description after it gives you a good idea of what it does.

I'll go over the more common codes and give some general guidelines for the ones I don't cover.


The first section, R0 and the like (R0 through R3), lists what Internet Explorer's start page, search page and related search settings are set to in the registry. Make sure that you recognize every site listed in that section. If it's not from Microsoft and you don't know what it is, remove it.


The next, O1, means that auto.search.msn.com is being hijacked by an entry in your HOSTS file. The HOSTS file maps names to addresses before DNS is ever consulted, so when your computer tries to reach that site it is sent to a malicious address instead, which may cause some sites not to appear, fake sites to appear, or simply redirect your traffic through some advertising agent. Remove it.


O2 is the section I pay very close attention to. BHOs (Browser Helper Objects) are great if they're good, but they are also a favorite place for malicious code: a BHO is a DLL that Internet Explorer loads every time it starts, with full access to the browser and everything you do in it. ANYTHING in this section that you don't EXPRESSLY recognize, you should remove. It will be fairly obvious what you remember and what you don't. If you're in doubt, just remove it; if it is something you want, it'll be easy enough to get back. For instance, look at the picture above. In the O2 section you see two entries. AcroIEHlprObj Class is up there; if you look at its path, shown after it, you can see that it is part of Adobe Acrobat. I read PDFs all the time, so that BHO is OK. The next one says Google Toolbar Helper. That's pretty self-explanatory, and since I have the Google Toolbar installed, it's even more obvious. Like I said, if you don't recognize it, remove it.


O3 lists the Internet Explorer toolbars. In the entry above you see the name &Google; in the path after it you can see that it comes from the Google directory and that the file is even named googletoolbar1. This section is yet another example of "if you don't recognize it, remove it". Toolbars are another common thing for adware to add to your system under the guise of being helpful. Anything that looks randomly named is bad 99.9% of the time. If it feels funky, whack it.


O4 moves into the startup section of the system: the Run keys in the registry and the Startup folder. Yes, you could remove every single entry here and your system would likely boot just fine. Windows itself doesn't need anything in your startup to load, but handy little programs like your antivirus software, printer utilities, Pocket PC sync program, messengers and so on all load from here. You'll definitely want to be more careful in this section, but it is also the one you'll want to scrutinize the most. Just look through the items and see if all of it rings a bell; most of it should. Even if the executable file name itself looks confusing, the path will often tell you what it is. WCESCOMM.EXE isn't terribly descriptive, but if you look above you can see that the path is Microsoft ActiveSync; obviously it's for my Dell Axim. What I usually do in this section is this: remove everything you know to be bad, and remove ANYTHING that loads out of a temporary directory. No legitimate program should be set to start from a temp directory (installers unpack there, but they don't register themselves to run at every boot), so you'll definitely want to kill that. For the items you're not so sure about, I use MSCONFIG to disable them; that way, if it turns out you need one, it's easy enough to get back. So, in summary: remove any obviously bad items, and disable the ones you're not sure about with MSConfig.


O8 Extra context menu items (the entries added to IE's right-click menu). Now we're to a section that isn't all that dangerous: even if you accidentally left a bad spyware item behind, it wouldn't matter much, because it only runs when you click that particular menu item. I usually clean out most entries here, simply because you don't really need them and I'm a bit of a minimalist. The same rule applies here too, though: just make sure it's something you recognize.


O9 is almost the same thing as the extra menu items, only these add a button to IE's toolbar or an item to its Tools menu. Scrutinize this a bit more closely than the O8 items, simply because it's easier to accidentally click a button that's always readily available.

O16: keep an eye on this one. DPF, or Downloaded Program Files, are ActiveX controls that web pages have installed; they are stored in the Downloaded Program Files folder under your Windows directory and are loaded by Internet Explorer when a page calls for them, much like a BHO, so there is a strong possibility that some malware has put itself there.


O20: the AppInit_DLLs section. This registry value makes Windows load the listed DLL into every process that loads user32.dll, which in practice means nearly every program you open. I've NEVER seen a legitimate use of the AppInit_DLLs key. Ever. A handful of legitimate products do use it, but they are rare enough that if you see an entry here it is almost certainly spyware, and you should treat it that way until proven otherwise.


O23 lists services. Norton registers services, my ATI video card has a couple, and so on. Services load much like the entries in the O4 section, so scrutinize them carefully. It's a favorite hiding spot for viruses, because services don't show up in most startup configuration programs; even in MSConfig you have to specifically select the Services tab.


I haven't gone through every single type of entry HijackThis reports, because there are tons and it's impossible to describe every situation. Keep in mind that not everything HJT displays is bad; in fact, most of it is good (most of the time). Just keep in mind the rule of thumb: if you don't recognize the entry, or some part of it, you probably should remove it. Also keep in mind that your scan results usually shouldn't be much longer than the ones shown here. They all vary in length, but that's a fairly average one.
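To make the rules of thumb above concrete, here is a small triage script. It is an added example written for this page, not part of HijackThis or of this site's own material. It parses a constructed HijackThis-style log (placeholder CLSIDs, made-up file names, not a real scan) and applies the per-section rules: unrecognized start/search pages and HOSTS redirects go, any AppInit_DLLs entry goes, O4 entries that run from a temp directory go, randomly named files go, unrecognized O4 entries are marked for MSConfig rather than deletion, and unrecognized services are marked for review. The KNOWN_GOOD and TRUSTED_DEFAULT_PAGE_DOMAINS lists are assumptions standing in for what you know is installed on your own machine, and the "no vowels" test is a crude stand-in for "looks randomly named".

```python
"""Triage a HijackThis log with the rules of thumb from this article.

Added example, not part of HijackThis itself. The log lines below are
constructed to look like HJT output (placeholder CLSIDs, made-up file
names), and the 'known good' list is an assumption standing in for the
reader's own knowledge of what is installed on the machine.
"""
import re
from typing import List, NamedTuple, Optional


class Finding(NamedTuple):
    code: str     # HJT section code, e.g. "O4"
    verdict: str  # "remove", "disable", "review" or "ok"
    reason: str
    line: str


# Assumption: substrings identifying programs the reader knows they installed.
KNOWN_GOOD = ("adobe", "google", "microsoft activesync", "norton antivirus", "symantec")
# Assumption: domains the reader is happy to see as IE's start/search page.
TRUSTED_DEFAULT_PAGE_DOMAINS = ("msn.com", "microsoft.com", "google.com")

# Constructed sample log (not a real scan); CLSIDs are placeholders.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchhijack.example/find
O1 - Hosts: 1.2.3.4 auto.search.msn.com
O2 - BHO: AcroIEHlprObj Class - {11111111-1111-1111-1111-111111111111} - C:\Program Files\Adobe\Acrobat\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {22222222-2222-2222-2222-222222222222} - C:\WINDOWS\System32\xkqwzrtb.dll
O3 - Toolbar: &Google - {33333333-3333-3333-3333-333333333333} - C:\Program Files\Google\googletoolbar1.dll
O4 - HKLM\..\Run: [WCESCOMM.EXE] C:\Program Files\Microsoft ActiveSync\wcescomm.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre\bin\jusched.exe
O4 - HKCU\..\Run: [svchost32] C:\DOCUME~1\user\LOCALS~1\Temp\svchost32.exe
O20 - AppInit_DLLs: C:\WINDOWS\System32\hbqfj.dll
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
URL_RE = re.compile(r"https?://([^/\s]+)", re.I)
TEMP_DIR_RE = re.compile(r"[\\/](temp|tmp)[\\/]", re.I)


def looks_random(filename: str) -> bool:
    """Crude stand-in for 'looks randomly named': a file stem of four or
    more letters with no vowel at all (xkqwzrtb.dll, hbqfj.dll)."""
    stem = re.sub(r"\.[A-Za-z0-9]+$", "", filename)
    letters = [c for c in stem.lower() if c.isalpha()]
    return len(letters) >= 4 and not any(c in "aeiouy" for c in letters)


def filename_of(body: str) -> str:
    """Pull the bare executable/DLL name out of an entry's path field.
    The path is the last ' - '-separated field; arguments after the
    file name (e.g. '/min') and surrounding quotes are dropped."""
    path = body.rsplit(" - ", 1)[-1].strip()
    name = path.rsplit("\\", 1)[-1]
    return name.split(" ", 1)[0].strip('"')


def recognised(body: str) -> bool:
    low = body.lower()
    return any(k in low for k in KNOWN_GOOD)


def triage_line(line: str) -> Optional[Finding]:
    """Apply the article's per-section rules to one log line."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    code, body = m.group(1), m.group(2)

    if code.startswith("R"):                        # R0-R3: IE start/search pages
        um = URL_RE.search(body)
        if um is None:
            return Finding(code, "review", "non-URL value (about:blank?); check by hand", line)
        host = um.group(1).lower()
        if any(host == d or host.endswith("." + d) for d in TRUSTED_DEFAULT_PAGE_DOMAINS):
            return Finding(code, "ok", "default page on a recognised domain", line)
        return Finding(code, "remove", "unrecognised default page host %r" % host, line)
    if code == "O1":                                # HOSTS file redirect
        return Finding(code, "remove", "HOSTS entry redirects a real hostname", line)
    if code == "O20":                               # AppInit_DLLs
        return Finding(code, "remove", "AppInit_DLLs is set; almost never legitimate", line)

    fname = filename_of(body)
    if code == "O4" and TEMP_DIR_RE.search(body):   # autostart from a temp directory
        return Finding(code, "remove", "autostart runs from a temporary directory", line)
    if looks_random(fname):
        return Finding(code, "remove", "randomly named file %r" % fname, line)
    if recognised(body):
        return Finding(code, "ok", "recognised program", line)
    if code == "O4":                                # unsure autostart: disable, don't delete
        return Finding(code, "disable", "unrecognised autostart; disable in MSConfig first", line)
    if code == "O23":                               # services: check vendor/path by hand
        return Finding(code, "review", "unrecognised service; check vendor and path", line)
    return Finding(code, "remove", "unrecognised entry (if in doubt, remove)", line)


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f is not None]


def summary(findings: List[Finding]) -> dict:
    """Count findings per verdict, e.g. {'remove': 5, 'ok': 5, ...}."""
    counts: dict = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print("%-7s %-4s %s" % (f.verdict.upper(), f.code, f.reason))
        print("        " + f.line)
    print(summary(results))
```

Run it as a script to print a verdict per line, or import it and call triage() on the text of a real log. Treat its "remove" list as a starting point for checking by hand rather than something to feed back into HijackThis blindly; it has exactly the same false-positive problem as the online log analyzers, since "recognised" here means nothing more than "matches a string you told it about".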


If you're still intimidated by the results, you can always save a log file and post it on a forum for people to analyze for you. After the scan, just click the 'Save Log' button at the bottom left, save the .txt file and post its contents on a forum.


There is also a nifty little HijackThis log analyzer out there. Just paste the contents of the log into the site and it will give you a good idea of what to remove. Keep in mind that these sites are not foolproof: they occasionally come up with false positives, and sometimes fail to recognize the bad items.


If you think you've removed an item you shouldn't have, worry not: HijackThis creates backups of everything that it removes. Read this article: I've removed something I shouldn't with HijackThis! What do I do?




Eradicate Spyware dot net