Author Topic: New Computer Hope tool  (Read 29616 times)
CBMatt
« Reply #75 on: January 28, 2009, 07:53:25 PM »

Very nice!  It's turning out really great so far.

Computer Hope Admin
« Reply #76 on: May 23, 2009, 02:43:58 AM »

This week's work. Big update and a lot of hours put into it, enjoy.  ;D

Update b1.0a

- Updated script status from alpha to beta.
- Added detection and if missing the suggestion of installing WOT (Web of Trust) on the computer.
- Added "Skip to cleaning steps" link in top overview section, to quickly scroll to cleaning steps (if available).
- Added detection of blank lines such as:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

- Each of the file information pages will now contain a link to the custom Google search to get additional information from third-party pages if needed.
- Added several thousand new processes.

Fixes
================

- Fixed bad link from being generated for saved HijackThis logs.
- Corrected rare issue with incoming Unicode being improperly parsed and causing crash.
- Fixed issue with not ending process if too many files to process.
- Google link now searches for processes in quotes, to help eliminate bad results in custom Google search.
- Corrected error with reporting multiple firewalls even though it's the same firewall.
- Updated top overview section, improving the look and functionality.
- Changed old HijackThis log warning icon to match other warning messages icons.
- Found and corrected pesky flaw with mywebsearch not being found. This in turn could help with finding matches that may have not been found before.
- Removed the report of prefix hijack on "gopher prefix: " and domain hijack warnings on "Hosts: ::1 localhost" and hijack warning on WOT protocol change.
- Corrected error with detection of multiple files on the same line.
- Redesigned how file information is stored and rewrote the read function.
- Added increased count for each domain host changes detected.
- Fixed it so @dll files are just detected as the actual DLL.
- Removed redundant and often long HijackThis DNS line info on potential DNS hijack warnings.
- Updated the final report (at bottom of HijackThis log) to common look throughout Computer Hope, hopefully making it easier to read and scan.
- Corrected a few spelling and grammar errors in final report.
- Updated the file information pages with more complete and in some cases accurate information.
- Other minor updates not mentioned.

Still have a lot on the plate I'd like to do but wanted to get it at least posted and mentioned before I went to sleep tonight. All other updates still working on will be in next release.

kpac
« Reply #77 on: May 23, 2009, 03:34:44 AM »

One other thing I've seen is that, here in Europe with the date and month the other way around (e.g. today is 23/05/2009), sometimes the Process Tool gives a warning saying that the HJT log is out of date and suggests running a new one. Not sure if this is fixed though...

Dias de verano
Guest
« Reply #78 on: May 23, 2009, 04:03:38 AM »

Quote from: kpac
here in Europe with the date and month the other way around (e.g. today is 23/05/2009)

The mm/dd/yyyy format is mainly used by the USA and very few other countries. The vast majority of the world's countries use either the little endian dd/mm/yyyy date format (most) or (a few) the big endian yyyy/mm/dd format. All three are recognised in Canada, although official documents use big endian dates.

The mm/dd/yy format is used in:

    * Belize
    * Federated States of Micronesia
    * Kenya
    * Palau
    * Philippines (when written in English)
    * Puerto Rico
    * United States

Ironman
« Reply #79 on: May 23, 2009, 09:47:51 AM »

Looks like a great tool, will use if occasion ever arises.

Computer Hope Admin
« Reply #80 on: June 20, 2009, 02:46:21 AM »

Quote from: kpac
One other thing I've seen is that, here in Europe with the date and month the other way around (e.g. today is 23/05/2009), sometimes the Process Tool gives a warning saying that the HJT log is out of date and suggests running a new one. Not sure if this is fixed though...

This should be fixed to the best of my knowledge. Unfortunately it's tricky since there is no traditional formatting, so I have to kind of assume what goes where and look for strange situations, e.g. 23 > 12 so obviously a day and not a month. However, if it's something like 05/05/2009 I have no real method of knowing if the first is a day or month.

CBMatt
« Reply #81 on: June 20, 2009, 03:41:27 AM »

I'm not sure if this would rectify the situation or not, but couldn't you just extract the date/time from the user's computer and compare it to the log?  I know the information can be extracted via PHP fairly easily.  And to make the comparison easier, the user can select their date/time format from a list before submitting their log.  Doing so would run the necessary check.  It's not perfect, but as long as the person knows what their format is (or how to easily find out if they're uncertain), then it could be pretty accurate.  If they opt to not choose a format, the check can either be skipped or it can be handled in some other way.

Computer Hope Admin
« Reply #82 on: June 20, 2009, 04:15:50 AM »

Quote from: CBMatt
I'm not sure if this would rectify the situation or not, but couldn't you just extract the date/time from the user's computer and compare it to the log? I know the information can be extracted via PHP fairly easily. And to make the comparison easier, the user can select their date/time format from a list before submitting their log. Doing so would run the necessary check. It's not perfect, but as long as the person knows what their format is (or how to easily find out if they're uncertain), then it could be pretty accurate. If they opt to not choose a format, the check can either be skipped or it can be handled in some other way.

That's definitely a great idea, unfortunately I believe a lot of users are going to be using this to also analyze other people's log files so looking at the date of the machine posting the log may not actually apply and may give a false report.

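The day/month guess discussed in replies #80 to #82, as an added example that is not part of the thread or of the Computer Hope tool: it tries every reading of a log date, drops impossible or future readings against the analysing server's clock rather than the submitter's, and reports the log as old only when every remaining reading is old. The function names, the 30-day threshold and the sample dates are assumptions constructed for illustration.

```python
import re
from datetime import date, timedelta

def candidate_dates(text):
    """Return every distinct calendar date a numeric date string could mean."""
    fields = re.split(r"[/.\-]", text.strip())
    if len(fields) != 3 or not all(f.isdigit() for f in fields):
        raise ValueError(f"not a three-field numeric date: {text!r}")
    a, b, c = (int(f) for f in fields)
    if len(fields[0]) == 4:                 # big endian: yyyy/mm/dd
        layouts = [(a, b, c)]
    elif len(fields[2]) == 4:               # year last: try both field orders
        layouts = [(c, b, a), (c, a, b)]    # dd/mm/yyyy, then mm/dd/yyyy
    else:
        raise ValueError(f"no four-digit year in {text!r}")
    found = set()
    for y, m, d in layouts:
        try:
            found.add(date(y, m, d))        # rejects month 23, day 31 in June, ...
        except ValueError:
            pass
    return sorted(found)

def freshness(text, today, max_age_days=30):
    """Classify a log date as 'fresh', 'stale', 'ambiguous' or 'invalid'."""
    # A log cannot have been saved in the future; allow one day for time zones.
    plausible = [d for d in candidate_dates(text)
                 if d <= today + timedelta(days=1)]
    if not plausible:
        return "invalid"
    stale = [(today - d).days > max_age_days for d in plausible]
    if all(stale):
        return "stale"
    if not any(stale):
        return "fresh"
    return "ambiguous"   # readings disagree: ask for the format, do not warn

if __name__ == "__main__":
    TODAY = date(2009, 6, 20)               # constructed server-side reference date
    for sample in ["23/05/2009", "05/23/2009", "05/05/2009",
                   "06/05/2009", "10/06/2009", "2009-06-19"]:   # constructed samples
        print(sample, candidate_dates(sample), freshness(sample, TODAY))
```

Only the "ambiguous" result needs the format picker suggested in reply #81; a string such as 10/06/2009 is settled by the future-date filter alone when the reference date is 20 June 2009.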
Computer Hope Admin
« Reply #83 on: June 20, 2009, 04:19:04 AM »

I've posted bv1.2 after doing a lot of updating this week. I won't bore everyone with all the changes other than mentioning the tool now has close to 9,000 processes and probably close to one hundred new changes.  ;D

kpac
« Reply #84 on: June 20, 2009, 04:42:02 AM »

Great work on this, Nathan.

Computer Hope Admin
« Reply #85 on: July 03, 2009, 04:19:53 AM »

Update:

Have done a lot of minor updates to this tool, again going to not torture everyone with the list of each change. Also quickly approaching 10,000 processes in database.

Finally, have also created and posted a video tutorial for this tool at: http://www.youtube.com/watch?v=85DCuZcOmkY

Karnac
« Reply #86 on: August 17, 2009, 11:42:58 AM »

Nathan,

Just an observation,

Would it not be advantageous to have a suggestion/warning for users of the process tool to create a new restore point after they have fixed their problems in HJT?....Seems to me a lot of people of less experience would neglect to purge their systems of restore points which may contain copies of malware.

kpac
« Reply #87 on: August 17, 2009, 12:21:42 PM »

Now that this thread has been revived, detection of 64bit PCs in HJT logs would be a great addition also...

Karnac
« Reply #88 on: August 17, 2009, 12:40:39 PM »

Quote from: kpac
Now that this thread has been revived, detection of 64bit PCs in HJT logs would be a great addition also...

Absolutely, good point kpac.

BC_Programmer
« Reply #89 on: August 18, 2009, 02:02:35 AM »

how would you detect a 64-bit OS from a log generated by a 32-bit program?
Copyright © 2010 Computer Hope ® All rights reserved.