Topic: New Computer Hope tool

Computer Hope Admin (Topic Starter, Administrator)
Re: New Computer Hope tool
« Reply #45 on: December 06, 2008, 04:31:17 AM »
7.0 Update - Windows process and HijackThis log tool vA7.0a

Another big update.  ;D

- Completely reworked the algorithm that parses out filenames. This has greatly increased the total files found in many logs and, as far as I can tell, has eliminated any lost files not being shown in the table. Seems to be a really big improvement for Combofix logs.
- Improved detection again on multiple files listed in one line.
- Improved on Firewall and AntiVirus detection. In addition, will also show unique icons for AntiVirus / Firewall related files to help with quick identification.
- Now looks at each of the following extensions: .dll .exe .cfg .cab .ocx .bat .sys .cpl .com
- With the addition of .com extensions being looked at and reported, the script does have some minor issues distinguishing between some domains and actual file names. Still being worked out, but for the most part, most domains, even in file paths, are properly ignored.
- Slightly modified the look of the table, added additional icons in addition to those mentioned above.
- Added several additional Hijackthis triggers for detecting more than just process threats, things like browser hijacks.
- Added close to another 1,000 processes to the database.
- A few additional checks and table formatting changes for when the user is looking at a Combofix log.
- Several dozen other things not really worth mentioning. ;)



Everybody is a genius. But, if you judge a fish by its ability to climb a tree, it will spend its whole life believing that it is stupid.
-Albert Einstein
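The filename pass this changelog describes, written out as an added example (Python, not the tool's own Perl source): it pulls every path or bare filename carrying one of the listed extensions out of free-form log text, keeps the directory chain instead of just the basename, blanks URLs first, and applies one explicit rule for the .com ambiguity, namely that a .com token counts as a DOS executable only when a directory precedes it. The extension list is the one from the post; the sample HijackThis-style lines, the domain rule and the AntiVirus/Firewall hint table are my constructions and stand in for the tool's process database.

```python
import re

# Extensions the 7.0 changelog says the tool reports.
FILE_EXTENSIONS = ("dll", "exe", "cfg", "cab", "ocx", "bat", "sys", "cpl", "com")

# One path component: first character is not whitespace; later characters
# may be spaces ("Program Files", "Documents and Settings"). Characters that
# Windows forbids in names, plus the separators HJT/ComboFix lines put
# around paths ("[name]", "key = value", "user@host"), end a component.
_FIRST = r'[^\s\\/:*?"<>|,;=@\[\]]'
_REST = r'[^\\/:*?"<>|,;=@\[\]]'
_FILE_RE = re.compile(
    r"(?P<dir>(?:[A-Za-z]:\\|\\\\)?(?:%s%s*\\)*)"      # optional drive + folders
    r"(?P<name>%s%s*?\.(?P<ext>%s))(?!\w|\.\w)"       # basename.ext, not ".exe.bak"
    % (_FIRST, _REST, _FIRST, _REST, "|".join(FILE_EXTENSIONS)),
    re.IGNORECASE,
)
# URLs are blanked before scanning so ".../search.exe?q=1" in a start-page
# line is not reported as a local file.
_URL_RE = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)

# Constructed hint table standing in for the tool's process database.
SECURITY_HINTS = {
    "avg": "AntiVirus", "avast": "AntiVirus", "mcafee": "AntiVirus",
    "kaspersky": "AntiVirus", "zonealarm": "Firewall", "comodo": "Firewall",
}


def is_domain(dir_part, name):
    """My rule for the .com ambiguity (not the tool's): a .com token is a
    DOS executable only when a directory precedes it; a bare 'example.com'
    or 'www.example.com' is a domain and is dropped."""
    return name.lower().endswith(".com") and not dir_part


def extract_files(log_text):
    """Return unique (directory, filename) pairs in order of first appearance."""
    seen, found = set(), []
    for line in _URL_RE.sub(" ", log_text).splitlines():
        for m in _FILE_RE.finditer(line):
            dir_part, name = m.group("dir"), m.group("name")
            if is_domain(dir_part, name):
                continue
            key = (dir_part.lower(), name.lower())
            if key not in seen:
                seen.add(key)
                found.append((dir_part, name))
    return found


def classify(dir_part, name):
    """Label AntiVirus / Firewall files by a hint anywhere in the full path."""
    blob = (dir_part + name).lower()
    for hint, label in SECURITY_HINTS.items():
        if hint in blob:
            return label
    return "Unknown"


# Constructed HijackThis-style lines covering the cases the changelog lists:
# two files on one line, a path with spaces, a bare domain, a URL containing
# ".exe", and a genuine .com executable sitting in a directory.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [UpdateTool] C:\WINDOWS\system32\o4Patch.exe /quiet C:\WINDOWS\system32\VACFix.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: Domain = example.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.example.com/search.exe?q=1
O23 - Service: Example Service - Unknown owner - C:\WINDOWS\system32\command.com
"""

if __name__ == "__main__":
    for dir_part, name in extract_files(SAMPLE_LOG):
        print("%-10s %-14s %s" % (classify(dir_part, name), name, dir_part))
```

The lazy quantifier on the basename is what keeps two files on one line from being glued into one match, and the directory is returned separately so a table can show the folder chain on hover the way the tool does.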

evilfantasy (Malware Removal Specialist)
Re: New Computer Hope tool
« Reply #46 on: December 06, 2008, 04:17:50 PM »
It's looking good.

I still haven't run a CF log through it. Call me stubborn...

How about a GMER parser lol. Now THAT would be nice!

evilfantasy (Malware Removal Specialist)
Re: New Computer Hope tool
« Reply #47 on: December 06, 2008, 06:19:37 PM »
SWEET!!

It does a nice job in parsing Panda ActiveScan logs also. Maybe you can see some tweaking to be done in this area also. The logs are fairly easy to read, but all of the extra characters can make it confusing. Note that nothing in this log is actually malicious. Those are all Smitfraudfix files.

The main thing is it separates out all of the cookies and extra text and reads the actual executables. Although I do wish it would show the entire file path. ntp.exe isn't malicious, but when you see the entire file path it becomes clear why it was flagged: C:\ComboFix\ntp.exe.

Another log is attached.

ANALYSIS: 2008-12-06 15:00:15
PROTECTIONS: 1
MALWARE: 23
SUSPECTS: 9
;****************************************************************************
PROTECTIONS
Description Version Active Updated
;===========================================================================
AVG Anti-Virus 8.0 Yes Yes
;===========================================================================
Id Description Type Active Severity Disinfectable Disinfected Location
;===========================================================================
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\don pc\favorites\insurance
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@atdmt[2].txt
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@tradedoubler[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@fastclick[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@mediaplex[1].txt
00147806 Cookie/7search TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@7search[1].txt
00147824 Cookie/Clickbank TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@clickbank[1].txt
00159881 Application/Pskill.A HackTools No 0 Yes No C:\System Volume Information\_restore{F07A53C8-B184-416E-84DF-091CF0822230}\RP157\A0025744.exe
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@statcounter[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\[email protected][1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@apmebf[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\[email protected][2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@adtech[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\[email protected][1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@advertising[1].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\[email protected][3].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\[email protected][1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@overture[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@adrevolver[2].txt
00207936 Cookie/Adviva TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@adviva[2].txt
03477235 Application/SmithFraudFix.A HackTools No 0 Yes No C:\Documents and Settings\Don PC\Desktop\SmitfraudFix.exe
;===============================================================================
Sent Location
;==============================================================================
Yes C:\Documents and Settings\Don PC\Desktop\SmitfraudFix\404Fix.exe
Yes C:\Documents and Settings\Don PC\Desktop\SmitfraudFix\IEDFix.C.exe
Yes C:\Documents and Settings\Don PC\Desktop\SmitfraudFix\VACFix.exe
No C:\Documents and Settings\Don PC\Local Settings\Temp\~tmpb.exe
Yes C:\RECYCLER\S-1-5-21-796845957-299502267-839522115-1004\Dc1.exe
Yes C:\WINDOWS\system32\404Fix.exe
Yes C:\WINDOWS\system32\IEDFix.C.exe
Yes C:\WINDOWS\system32\o4Patch.exe
Yes C:\WINDOWS\system32\VACFix.exe
;=============================================================================
VULNERABILITIES
Id Severity Description
;============================================================================
;=============================================================================

[Saving space - attachment deleted by admin]
« Last Edit: December 06, 2008, 06:29:57 PM by evilfantasy »
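A parser for the ActiveScan layout posted above, added here as an example (Python; it is neither the tool's Perl nor anything from Panda): it recognises each section by its column-header row, so it works whether or not the MALWARE/SUSPECTS banners survive a forum paste, keeps the full Location field rather than reducing it to the basename, and then drops the TrackingCookie rows and separates paths belonging to SmitfraudFix/ComboFix from the few entries still worth a look. The sample log is constructed on the pattern of the posted one, and the tool-path hint list is my assumption, taken from the note that these were all SmitfraudFix files.

```python
import re
from dataclasses import dataclass


@dataclass
class Detection:
    section: str      # "MALWARE" or "SUSPECTS"
    ident: str        # Panda's numeric Id ("" for suspects)
    description: str  # e.g. "Cookie/Doubleclick" ("" for suspects)
    kind: str         # Type column, e.g. "TrackingCookie"; "Suspect" for suspects
    flag: str         # Active column (malware) or Sent column (suspects)
    location: str     # full path, never reduced to the basename


# Rows are whitespace-separated up to the Location column, which may itself
# contain spaces, so everything after the fixed columns is the path.
# Assumes the Description column is a single token, as in the log above.
_MALWARE_ROW = re.compile(
    r"^(\d{8})\s+(\S+)\s+(\S+)\s+(Yes|No)\s+(\d+)\s+(Yes|No)\s+(Yes|No)\s+(.+?)\s*$"
)
_SUSPECT_ROW = re.compile(r"^(Yes|No)\s+(.+?)\s*$")

# The section is inferred from the column-header row, so the parser does
# not depend on the MALWARE / SUSPECTS banner lines being present.
_HEADER_TO_SECTION = (
    ("Description Version Active", "PROTECTIONS"),
    ("Id Description Type Active", "MALWARE"),
    ("Sent Location", "SUSPECTS"),
    ("Id Severity Description", "VULNERABILITIES"),
)


def parse_panda_log(text):
    """Return Detection records for the MALWARE and SUSPECTS sections."""
    section, detections = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank or ;==== rule lines
            continue
        header = next((s for h, s in _HEADER_TO_SECTION if line.startswith(h)), None)
        if header:
            section = header
            continue
        if section == "MALWARE":
            m = _MALWARE_ROW.match(line)
            if m:
                detections.append(Detection("MALWARE", m.group(1), m.group(2),
                                            m.group(3), m.group(4), m.group(8)))
        elif section == "SUSPECTS":
            m = _SUSPECT_ROW.match(line)
            if m:
                detections.append(Detection("SUSPECTS", "", "", "Suspect",
                                            m.group(1), m.group(2)))
    return detections


# Paths of clean-up tools rather than infections. My list, based on the
# note above that the flagged files were all SmitfraudFix components;
# Panda's log has no such notion.
TOOL_PATH_HINTS = ("\\smitfraudfix", "\\combofix", "404fix.exe", "iedfix",
                   "vacfix.exe", "o4patch.exe")


def triage(detections):
    """Drop tracking cookies, then split what remains into known tool files
    and entries that still need a human look. Full paths are preserved."""
    review, tool_files = [], []
    for d in detections:
        if d.kind == "TrackingCookie":
            continue
        loc = d.location.lower()
        (tool_files if any(h in loc for h in TOOL_PATH_HINTS) else review).append(d)
    return review, tool_files


# Constructed sample in the format of the log posted above.
SAMPLE_LOG = r"""ANALYSIS: 2008-12-06 15:00:15
PROTECTIONS: 1
MALWARE: 4
SUSPECTS: 3
;****************************************************************************
PROTECTIONS
Description Version Active Updated
;===========================================================================
AVG Anti-Virus 8.0 Yes Yes
;===========================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===========================================================================
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@doubleclick[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@fastclick[2].txt
00159881 Application/Pskill.A HackTools No 0 Yes No C:\System Volume Information\_restore{F07A53C8-B184-416E-84DF-091CF0822230}\RP157\A0025744.exe
03477235 Application/SmithFraudFix.A HackTools No 0 Yes No C:\Documents and Settings\Don PC\Desktop\SmitfraudFix.exe
;===============================================================================
SUSPECTS
Sent Location
;==============================================================================
Yes C:\Documents and Settings\Don PC\Desktop\SmitfraudFix\404Fix.exe
No C:\Documents and Settings\Don PC\Local Settings\Temp\~tmpb.exe
Yes C:\WINDOWS\system32\VACFix.exe
;=============================================================================
VULNERABILITIES
Id Severity Description
;============================================================================
"""

if __name__ == "__main__":
    review, tool_files = triage(parse_panda_log(SAMPLE_LOG))
    for d in review:
        print("REVIEW   %-9s %-24s %s" % (d.kind, d.description or "-", d.location))
    for d in tool_files:
        print("TOOLFILE %-9s %-24s %s" % (d.kind, d.description or "-", d.location))
```

Run against the constructed log, what is left for review is the PsKill copy in a restore point and the executable in Temp, which is the short list a helper actually wants, with the full path attached to each.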

paudashlake

Re: New Computer Hope tool
« Reply #48 on: December 06, 2008, 07:52:46 PM »
Pretty cool!  How would you make something like that?  You don't have to tell me if you don't want to. ;) ;) ;)

yuppp

 ;D ;D ;D ;D ;D ;D
Hinkle Finkle Dinkle Doo.  AMEN!!


Carbon Dudeoxide (Global Moderator)

Re: New Computer Hope tool
« Reply #49 on: December 07, 2008, 02:05:40 AM »
Trying to put my HijackThis log through and...

Software error:

Month '-1' out of range 0..11 at process.pl line 419

For help, please send mail to the webmaster ([email protected]), giving this error message and the time and date of the error.

Carbon Dudeoxide (Global Moderator)

Re: New Computer Hope tool
« Reply #50 on: December 07, 2008, 02:15:10 AM »
Ok......This is interesting...

I got rid of the header for my HJT and submitted the log and Kaspersky rang out.

Trojan Program (modification):
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\0q8gzr31.default\Cache\29061B48d01

See attached file


(I got rid of this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:29 PM, on 07-Dec-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal)


[Saving space - attachment deleted by admin]

Computer Hope Admin (Topic Starter, Administrator)

Re: New Computer Hope tool
« Reply #51 on: December 08, 2008, 09:50:27 AM »
Quote
It does a nice job in parsing Panda ActiveScan logs also. Maybe you can see some tweaking to be done in this area also.

Definitely something that could be done. For now going to focus first on HJT and Combofix since they seem to be used more often.

Quote
Although I do wish it would show the entire file path. ntp.exe isn't malicious, but when you see the entire file path it becomes clear why it was flagged. C:\ComboFix\ntp.exe.

The full path and other information about the file is displayed if you hover the mouse over the folders in the path column. Were you wanting something more specific than that, or somewhere else? Chris wanted this to be added and it seems to work with all logs as far as I can tell.

Quote
Pretty cool!  How would you make something like that?  You don't have to tell me if you don't want to.

The program was written by me in Perl. It is really difficult, however, to answer a generic question like that when it comes to programming because it would be extremely hard to explain the whole program. Basically, it grabs the text input by the user, parses the text through a bunch of regexp algorithms, looks for matches, and spits out the results in a formatted table.

Quote
Software error: Month '-1' out of range 0..11 at process.pl line 419

This is definitely a problem and has been fixed to prevent it from happening again (will show in ver 7.0b+). However, I would like to know if the date stamp you had (Scan saved at 5:03:29 PM, on 07-Dec-08) is something you created or something actually generated by Hijackthis? I've never seen a date stamp in a Hijackthis log that has the abbreviation of the month; it's usually always the numerical value.

As far as Kaspersky reporting malware in this script goes, that is beyond me. My assumption is that maybe the page generated for your log contains some keyword(s) that trigger it to falsely report it. Rest assured there is nothing else the script is doing other than parsing through the text entered into it.


evilfantasy (Malware Removal Specialist)

Re: New Computer Hope tool
« Reply #52 on: December 08, 2008, 10:22:34 AM »
Quote
The full path and other information the file is found on is displayed if you hover the mouse over the folders in the path column.

Ahh, I just didn't do enough hovering lol. Works great!

Quote
However, I would like to know if the date stamp you had (Scan saved at 5:03:29 PM, on 07-Dec-08)

That caught my eye also.


CBMatt (Mod & Malware Specialist)

Re: New Computer Hope tool
« Reply #53 on: December 08, 2008, 06:45:38 PM »
Carbon's header looks like that because of the short-date format in his regional settings.

Here's my header with the default settings...
Quote
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:20 PM, on 12/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

And now with the same setting as Carbon...
Quote
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:41 PM, on 08-Dec-08
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal


All HJT does is pull the time/date from the computer's clock.  It doesn't have its own special way of formatting this information.
Quote
An undefined problem has an infinite number of solutions.
—Robert A. Humphrey
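The crash Carbon hit and CBMatt's explanation of it, in code, as an added example in Python rather than the tool's Perl: the "Scan saved at" line carries whatever short-date format Windows is set to, so a parser that only expects 12/8/2008 ends up with a nonsense month for 08-Dec-08. naive_month_index is my reconstruction of that symptom, not the tool's code; parse_scan_header tries a table of layouts, never raises, reports which layout matched, and flags the case where two layouts both accept the date (12/8/2008 is 8 December under the US default and 12 August under a dd/mm setting). The first three header lines are the ones quoted in the thread; the last two, and the layouts beyond the two shown in the thread, are my additions.

```python
import re
from datetime import datetime

_HEADER_RE = re.compile(
    r"Scan saved at\s+(?P<time>\d{1,2}:\d{2}:\d{2}\s*[AP]M),\s*on\s+(?P<date>\S+)",
    re.IGNORECASE,
)

# Short-date layouts to try, in order. The first two are the ones quoted in
# the thread (Windows default, then the dd-MMM-yy regional setting); the
# rest are other common regional settings and are my additions.
DATE_FORMATS = ("%m/%d/%Y", "%d-%b-%y", "%d/%m/%Y", "%Y-%m-%d", "%d.%m.%Y", "%m/%d/%y")


def naive_month_index(date_token):
    """Reconstruction of the symptom in the old parser (not its code): match
    m/d/yyyy only and subtract one for a 0..11 month index. A dd-MMM-yy
    header does not match, the month falls through as 0, and the index
    becomes -1, the value in the error message above."""
    m = re.match(r"(\d{1,2})/(\d{1,2})/(\d{4})$", date_token)
    month = int(m.group(1)) if m else 0
    return month - 1


def parse_scan_header(header_line):
    """Return (datetime, matched_format, ambiguous). Unknown layouts give
    (None, None, False) instead of an exception; ambiguous is True when
    more than one layout accepts the date and they disagree."""
    m = _HEADER_RE.search(header_line)
    if not m:
        return None, None, False
    stamp = "%s %s" % (m.group("date"), m.group("time").upper().replace(" ", ""))
    hits = []
    for fmt in DATE_FORMATS:
        try:
            hits.append((datetime.strptime(stamp, fmt + " %I:%M:%S%p"), fmt))
        except ValueError:
            continue
    if not hits:
        return None, None, False
    ambiguous = len({dt for dt, _ in hits}) > 1
    return hits[0][0], hits[0][1], ambiguous


# Header lines quoted in the thread (Carbon's regional format, CBMatt's
# default, CBMatt's copy of Carbon's format), plus two constructed ones.
HEADERS = (
    "Scan saved at 5:03:29 PM, on 07-Dec-08",
    "Scan saved at 5:41:20 PM, on 12/8/2008",
    "Scan saved at 5:42:41 PM, on 08-Dec-08",
    "Scan saved at 9:15:00 AM, on 31/12/2008",   # constructed: dd/mm/yyyy setting
    "Scan saved at 9:15:00 AM, on 07-Dez-08",    # constructed: non-English month name
)

if __name__ == "__main__":
    for h in HEADERS:
        dt, fmt, amb = parse_scan_header(h)
        naive = naive_month_index(h.rsplit("on ", 1)[-1])
        print("%-42s naive=%2d  parsed=%s via %s%s"
              % (h, naive, dt, fmt, "  (ambiguous)" if amb else ""))
```

The practical point is the third return value: when a log's date is only resolvable by guessing the poster's locale, the parser should say so rather than silently pick one, and a date no layout accepts should fall through as unknown instead of taking the whole page down.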

Carbon Dudeoxide (Global Moderator)

Re: New Computer Hope tool
« Reply #54 on: December 08, 2008, 09:11:37 PM »
CBMatt is correct. I changed my date format in my Regional and Language Settings over in Control Panel.
I get the same format as the one in my HJT log if I go to Command Prompt and type 'echo %date%'.

Quote
As far as Kaspersky reporting malware in this script is beyond me. My assumption is that maybe the page generated for your log contains some keyword(s) that trigger it to falsely report it. Rest assured there is nothing else the script is doing other than parsing through the text entered into it.
All right. As long as I know you're not doing anything devious behind our backs. ;)

evilfantasy (Malware Removal Specialist)

Re: New Computer Hope tool
« Reply #55 on: December 08, 2008, 09:36:00 PM »
Do you remember what Kaspersky was reporting?

Carbon Dudeoxide (Global Moderator)

Re: New Computer Hope tool
« Reply #56 on: December 08, 2008, 09:37:34 PM »

Carbon Dudeoxide (Global Moderator)

Re: New Computer Hope tool
« Reply #57 on: December 08, 2008, 09:42:21 PM »
I ran the log through again without the header and I got some screenshots:

When I click Search:


I click Allow:


Comes up after a few seconds:

evilfantasy (Malware Removal Specialist)

Re: New Computer Hope tool
« Reply #58 on: December 08, 2008, 09:50:44 PM »
It's the scripts that the tool uses.

See here > http://vurl.mysteryfcm.co.uk/?url=146107

CBMatt (Mod & Malware Specialist)

Re: New Computer Hope tool
« Reply #59 on: December 09, 2008, 08:52:40 PM »
Hmm, I just noticed that the parser is confused by [email protected] and sees it simply as home.exe (and of course doesn't know what it is).  I'm assuming this can be fixed with a regexp tweak...and we know how much fun that always is.