HijackThis Hijacked by Trojan Remover

Trend Micro malware analysts warn that the company's popular HijackThis utility is being abused by authors of a trojan remover, who pack it within their program. The system analysis tool is being used to lure users into acquiring a license.

HijackThis (HJT) is a program that scans and lists potentially malicious startup entries, registry keys, browser helper object (BHO) files, etc. Originally developed by Merijn Bellekom, the free application, which is mainly used for diagnosis, was acquired by Trend Micro after it achieved a significant level of popularity.

"By itself, it does not determine what is good or bad, but it lists registry keys and files system of the scanned system where unwanted programs potentially could reside," Det Caraig, technical communication specialist at Trend, explains. Because of this, its output can generally only be understood by computer experts or experienced users.

While analyzing an application called Loaris Trojan Remover, Edgardo Diaz, Jr., escalation engineer at TrendLabs, found that it "contained the HijackThis program repackaged using Delphi-based packager InnoSetup." The program then provides an option in its interface to launch and use HJT.

"Users who are really interested in using HijackThis, may thus be tricked into buying the antivirus," Mr. Diaz says. "Beware, Trend Micro does NOT sell nor intend to sell HijackThis," he stresses. It seems that, in this case, Loaris Inc., the company developing the trojan remover, failed to ask Trend Micro for permission to bundle its tool, which is free, but not open source, with its software.

Following the Trend article, Loaris has stopped illegally distributing and deploying HijackThis with its own security software. "Loaris Trojan Remover version 1.1.6.8 no longer carries HJT in its UI," Mr. Det Caraig announces.

Trend Micro advises users to "download software only from the official vendor sites or highly trusted communities." The latest version of HijackThis is available for download here.