Browsing the modern internet is an exercise in avoiding the scams, viruses, and malware that lurk around every corner. It’s sadly no longer the case that only visiting reputable websites can keep you safe either. That doesn’t mean that your favorite music streaming site is necessarily malicious though. Instead, many websites, downloads, and emails are compromised and loaded with malicious intent.
While malware sometimes leaves less-than-subtle hints about its existence, that isn’t always the case. Often you just get a sense that something isn’t right. Maybe it’s a missing file, or unexplained network activity. However, you’ve checked all the obvious hiding places, so where do you turn next? Fortunately, a popular malware scanning tool known as HijackThis might come to the rescue.
HijackThis has been around since the turn of the millennium, originally created by Merijn Bellekom as proprietary software. HijackThis (HJT) is a scanning tool that is often used to locate malware and adware installed on your computer. Its intended purpose is not to remove the malware, but to help you diagnose any infections. In 2007 it was sold to the security software company Trend Micro after amassing over 10 million downloads. When a large company buys a small, independently developed application, that often signals its demise.
However, Trend Micro bucked this trend by releasing HijackThis on SourceForge as an open source project. Trend Micro said at the time that they were committed to developing HJT. However, not long after the decision was taken to open source HJT, development stalled at version 2.0.5. One of the benefits of open source software is that anyone is able to view or edit the source code. Fortunately, in the case of HJT another developer picked up the mantle left by Trend Micro and has been busy maintaining a fork of the original project — HijackThis Fork V3.
While two versions of HJT now exist — the Trend Micro edition at version 2.0.5 and the fork currently at 2.6.4 — both have kept the original scan feature largely unchanged since its mid-2000s heyday.
Most malware makes changes to your operating system, whether by editing the registry, installing additional software, or changing settings in your browser. These symptoms may not always be obvious, and that may be intentional so that the malware isn’t easily discovered. HJT scans through your computer, the registry, and other common software settings and lists what it finds. Windows has built-in utilities, but HJT brings all the common malware hiding places together in one list.
However, the tool makes no judgement on what it finds, unlike other mainstream antivirus software. This means that it isn’t subject to regular security definition updates, but also means that it can be potentially dangerous. Many of the areas HJT scans are critical to the proper function of your PC, and removing them may be catastrophic. It’s for this reason that the common guidance when using HJT is to run the scan, generate a logfile, and post it online for others to glance over and help you understand the results.
HJT scans across a number of areas that malware typically attacks. So that you can easily identify the results by scan area, the results are grouped into several categories. There are broadly four categories: R, F, N, O.
- R – Internet Explorer Search and Start pages
- F – Autoloading programs
- N – Netscape Navigator & Mozilla Firefox Search and Start pages
- O – Windows operating system components
F relates to autoloading malware which can be difficult to diagnose as these programs often try to disable your access to Windows utilities like Task Manager. Malware, and in particular adware, has a tendency to hide within the browser in the form of search engine redirects or home page changes. The HJT results can help you identify if anything malicious is concealed inside your browser. Chrome is notably absent from the list, which may limit its usefulness to any users of Google’s immensely popular browser. The N category denotes items related to Netscape Navigator, the popular 90s browser which was discontinued in 2008. Although it includes items related to Firefox, it’s an indication of how little development has been committed to HijackThis in recent years.
The Log File
One of the most important outputs of the scan is the log file. This includes a list of everything that HJT found. You can then post the contents of the log file to a security forum for others to help diagnose your issue. The original developer used to maintain a website dedicated to the analysis of these log files. However, when Trend Micro made the switch to open source, the website was closed.
But that doesn’t mean that you are out of options. Security forums are still a hive of activity with many members willing to lend their expertise to those in need. Be cautious on these sites though — while the majority of users will be entirely trustworthy, there is always a minority who may act with malicious intent. If you are in any doubt, wait for the consensus of other members. Also remember to never disclose any personal or sensitive information, including passwords or other login credentials.
Manual Analysis & Performing Fixes
If you feel confident in your knowledge of the registry and other Windows components, then you may want to skip the group analysis and attempt a fix on your own. While limited, HJT does give you some guidance when performing your own analysis. Selecting an entry in the results list and clicking Info on selected item from the Scan & fix stuff menu opens a dialogue with background information on the result.
It’s important to remember that this guidance is only for the result category, not the item itself. For example, the guidance for a result with the category R0 is “a Registry value that has been changed from the default, resulting in a changed IE Search Page, Start Page, Search Bar Page or Search Assistant.” Once you have identified any suspicious entries you wish to change, select the check boxes and click Fix selected to remove all checked entries.
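Because the log file is plain text and every result line starts with one of the R/F/N/O category codes described above, it is easy to triage with a short script. The following Python is an added example, not part of the article and not HijackThis code: it parses the result lines of an HJT log into the four categories, pulls out the file on disk each entry points at, and diffs two scans so you can confirm that a fix actually removed an entry (or that the entry came back after a reboot). The log text is constructed for the example, with made-up host names, paths, program names and CLSID; only the line layout follows real HJT output.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# The four result categories exactly as the article lists them.
CATEGORY_DESCRIPTIONS = {
    "R": "Internet Explorer Search and Start pages",
    "F": "Autoloading programs",
    "N": "Netscape Navigator & Mozilla Firefox Search and Start pages",
    "O": "Windows operating system components",
}

# Each HJT result line reads "<letter><number> - <detail>", e.g. "R0 - HKCU\...,Start Page = ...".
# The letter is the category, the number the sub-type (R0, O4, ...); header lines do not match.
ENTRY_RE = re.compile(r"^([RFNO])(\d+) - (.*)$")

# First Windows file path in a detail string. It stops at the first .exe/.dll/.sys, so a
# quoted path containing spaces is captured whole and trailing arguments are dropped.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)", re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    code: str       # e.g. "O4"
    category: str   # e.g. "O"
    subtype: int    # e.g. 4
    detail: str     # everything after " - "


def parse_hjt_log(text):
    """Parse result lines out of an HJT log; platform/process header lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            cat, num, detail = m.groups()
            entries.append(Entry(code=cat + num, category=cat, subtype=int(num), detail=detail))
    return entries


def group_by_category(entries):
    """Map category letter -> entries, mirroring how HJT groups its results."""
    grouped = defaultdict(list)
    for e in entries:
        grouped[e.category].append(e)
    return dict(grouped)


def category_counts(entries):
    """Number of entries per category letter, e.g. {"O": 3, "R": 2}."""
    return dict(Counter(e.category for e in entries))


def referenced_paths(entries):
    """(code, path) for every entry that names an executable, driver or DLL on disk."""
    found = []
    for e in entries:
        m = PATH_RE.search(e.detail)
        if m:
            found.append((e.code, m.group(0)))
    return found


def diff_logs(before_text, after_text):
    """Entries removed and added between two scans (same code + detail counts as the same entry)."""
    before = parse_hjt_log(before_text)
    after = parse_hjt_log(after_text)
    before_keys = {(e.code, e.detail) for e in before}
    after_keys = {(e.code, e.detail) for e in after}
    removed = [e for e in before if (e.code, e.detail) not in after_keys]
    added = [e for e in after if (e.code, e.detail) not in before_keys]
    return removed, added


# Constructed sample log: the layout follows real HJT output, but every host name,
# path, CLSID and program name here is made up for the example.
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.5
Platform: Windows 7 SP1

Running processes:
C:\Windows\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.net/
F2 - REG:system.ini: UserInit=C:\Windows\system32\userinit.exe,
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.example.com/"); (C:\Users\alice\AppData\Roaming\Mozilla\Profiles\default\prefs.js)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\ExampleHelper.dll
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\Updater.exe" /background
O4 - HKCU\..\Run: [svchost] C:\Users\alice\AppData\Roaming\svchost.exe
"""

# A second constructed scan of the same machine, taken after one O4 entry was fixed.
LOG_AFTER = "\n".join(line for line in LOG_BEFORE.splitlines() if "[svchost]" not in line)


def report(text):
    """Human-readable summary grouped by category, using the article's descriptions."""
    lines = []
    for cat, items in sorted(group_by_category(parse_hjt_log(text)).items()):
        lines.append(f"{cat} - {CATEGORY_DESCRIPTIONS[cat]} ({len(items)} entries)")
        lines.extend(f"  {e.code}: {e.detail}" for e in items)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(LOG_BEFORE))
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("\nRemoved since last scan:", [e.detail for e in removed])
    print("Added since last scan:", [e.detail for e in added])
```

The script deliberately makes no judgement about any entry, in keeping with how HJT itself works: the path list simply tells you where each autostart or browser helper lives, which is the first thing a forum helper will look at, and the diff is what you run after Fix selected and a reboot to check that the change stuck.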
HijackThis — The Fork
Open source software has a lot of benefits, not least of which is the ability for development to continue long after the original project has disbanded. Thanks to Trend Micro’s decision to open source HijackThis, developer Stanislav Polshyn has continued where Trend Micro left off. This forked version of HJT moves from Trend Micro’s version 2.0.5 to 2.6.4. Somewhat confusingly, the developer refers to the latest edition as version 3.
Version 3 adds support for modern operating systems like Windows 8 and 10, and an improved interface. The scan itself has also been improved with updated hijacking detection. Although the primary function of HJT is the scan and its resulting log file, it also includes a Process Manager, Uninstaller, and Hosts file manager. The forked edition expands on these features with the addition of StartupList, a Digital Signature Checker, and a Registry Key Unlocker.
Given the nature of the software, it’s always best to be cautious when downloading from a third party. The HJT fork hasn’t received much coverage, which may make you question its reputation. However, that might be a reflection of how the market for functionally simplistic but advanced tools like these has changed. It’s worth keeping in mind that for the most part, the fork brings only incremental improvements to the Trend Micro scan. If you would rather stick to the older mainstream release, then version 2.0.5 should be more than adequate.
Approach With Caution
Unless you are confident in registry management, then you should not apply any fixes before taking advice. HJT doesn’t make any judgement on the safety of any entry — it only scans to see what is there, legitimate or otherwise. The registry contains all the important elements of your operating system, and without them your computer may refuse to operate correctly.
Even if you feel that you can confidently navigate your way around the registry, you should approach any fixes with caution. Before applying fixes, make sure that you have backed up the registry within HJT. The next step is to also complete a full computer backup to restore from should something go awry.
Ready To Reclaim Your Computer?
HijackThis rose to fame in the early years of the internet, before Google had even been born. Its simplicity meant that it became the tool of choice for anyone aiming to diagnose malware infections. However, its acquisition by Trend Micro, the switch to open source, and the newly maintained fork have slowed development to a crawl. You may be left wondering why you’d use HJT over other notable names.
HJT may not be the kind of sleek, modern app that we are used to in the age of the smartphone. However, its longevity is evidence of its usefulness. With Trend Micro opting to make HJT open source, you always have a freely available tool for situations where nothing else will do.
What do you make of HijackThis? What’s your worst malware scare story? How did you get rid of it? Let us know in the comments!
Image Credit: 6okean.gmail.com/Depositphotos