Computer Hope
Other => Other => Topic started by: Computer Hope Admin on November 10, 2008, 05:33:41 AM
-
This weekend for my form of fun I wanted to program so decided to create a new tool for Computer Hope that I hope everyone can find useful. This tool is known as the "Windows process search tool" and is currently in the alpha stage of testing. The idea behind the tool is to enable users to search for one or more process and find additional information about that process. What makes this unique from all the other services like this is that you can copy and paste a long listing of processes (e.g. from HijackThis) and quickly identify everything running on the computer. In addition to the easy to read listing of processes you can also click the top bar to quickly and easily sort any row of data (helpful for grouping programs from the same company). Finally, all processes can be looked at individually to give additional helpful information and link into other services such as pulling the company links (if any), Q&A links (if any), and related dictionary links (if any).
Found at:
http://www.computerhope.com/cgi-bin/process.pl
Example of a HijackThis log with processes:
http://www.computerhope.com/cgi-bin/process.pl?o=00
This is still being developed so still a lot of work to do and only had the time to add a few hundred processes. Would appreciate any feedback, suggestions, etc. from the community. ;D
p.s. Anything found as Unknown is automatically logged so I can get them added.
Update:
YouTube video giving a quick overview of this tool found here (http://www.youtube.com/watch?v=85DCuZcOmkY).
-
Looks great!
Must have took a lot of work.
-
That is simply awesome!
Now I understand why you were spending so much time on the malware section (I actually thought you wanted to be a malware removal specialist and were learning to study HJT logs....I actually did!)
I copied a few things from the HJT log and got info on all three Items, wow thanks a lot Nathan!
Amazing tool!!
-
Yeah, very nice.
:)
-
Thanks for the feedback. I've made a few more updates to fix issues with posting the full HijackThis log instead of just the processes section. Now either method will work. Also added a dozen or so more processes seen in the unknown file.
-
I went ahead and posted my HijackThis Log as well as a list of my disabled startup items (wow long list) and about 60% of them were unknown.
I managed to hold back from putting in carbon.exe.....
-
Updated again and added some additional processes.
-
Posted another large update to this tool. In addition to adding several hundred more additional processes. Will now parse out complete HiJackThis logs and also look out .dll files.
-
Bye Bye Malware removal specialists! :'( ;D
-
Good work Nathan.
I don't think our Malware Specialists will be removed any time soon. :D
-
carbon.exe can only be removed by a complete DOD Format and a clean install...
-
I don't think our Malware Specialists will be removed any time soon. :D
Not at all. We use programs like this on a regular basis to help us get through logs quickly. They are not something should be relied upon, however. As helpful as they are, they are unable to catch many things such as certain file extensions or hidden registry entries. Personally, I think these process scanners should only be used by those who have proper training. A lot of people tend to take the results at face value and end up removing the wrong things.
This is a great project, though, and I hope it will be ongoing. And of course, I'd be more than happy to help if any assistance is ever needed.
-
Most intriguing - and for sure a lotta work. I will watch with interest.
(BTW - notification emails seem to have dried up!)
-
Thanks for the feedback and regarding notifications believe that's due to mail server issues currently working on it.
Just on a side note. During the late server crash of '08 ;) I had a lot of spare time while I was moving thousands of files and made a ton of additional updates and fixes to this script and added a few hundred more entries to the data file. Below are some of the updates I can recall doing at this moment did a lot and was half asleep so sure I'm missing a few.
- Will no longer report common system files as being potentially infected because of new check mentioned below.
- When parsing a HiJackthis log for processes that contain file path information if it notices that in the log that the Windows process is not in the directory it should be e.g. c:\windows vs. c:\windows\system32 it'll report this.
- When parsing a HiJackthis log that contains missing files registry entries it'll mention each of those and give warnings.
Any other suggestions welcome.
-
How about getting it to check for the up to date Windows versions for XP and Vista? With XP either SP3 or SP2 is still considered up to date. Vista is SP1. The HJT header information is just as important as the rest of the log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:16 AM, on 11/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600) <- Warn of out of date service pack (SP1 and below)
MSIE: Internet Explorer v7.00 (7.00.6000.16735) <- Current IE v7
Boot mode: Normal
Note: The current IE v6 is MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) or SP3
-
hey that tool is awesome evil good job. I just tried it and it works great
-
DOH! Don't thank me. That's our fearless leader the Computer Hope Admin ;)
-
I don't think our Malware Specialists will be removed any time soon. :D
Not at all.
Honestly you guys don't get a joke or what? :o ::)
Obviously the tool can explain what our log shows but we still need malware removal specialists to tell us what to do about whatever is detected...goodness I don't know about others but hopefully carbon had gotten the joke...or is the upper floor getting thick for you too Carby? :D
-
Hmmm?
-
Oh! All doubts cleared.
-
Good idea this has been added and new update has been uploaded.
-
This has enormous potential but sure as heck gonna be hard to cover all bases - as so many possibles.
Kudos tho for the effort thus far - awesome. :)
-
I just spent a few more additional hours updating this tool. :)
- New interface, now displays icons in place of text on type/required/threat columns
- Had to revamp the sorting JavaScript with something new since icons were not sortable. With new sort script all columns are still sortable.
- Mouse hovers on icons will describe what they are.
- Unknown files in \windows\* will be displayed as warnings.
- Now have over 1,000 processes that are looked at (sorry still no carbon.exe). Several dozen additional malware associated programs added.
- Lots of other minor little fixes and updates not really worth mentioning.
Feel free to suggest more. I'm having fun doing this as my off work time project. A lot better than gaming or watching TV. Parse your HiJackThis logs for testing. ;D
-
I like what you did with the place. :P
I think you should put a warning like 'If you have posted your HijackThis log and it has found any errors or problems, please post it on our forums for our Malware Specialists to review. Fixing your HijackThis Log yourself may potentially be dangerous if you don't know what you are doing.'
-
Yeah during my next update session I plan on starting the diagnostic steps and will be definately recommending forums in addition to the steps. Just one more step in driving traffic to the site and getting more community members on the forum. :)
-
Outstanding tool!
Seriously, I was really amazed when I copied a HijackThis log in there and only 2 were missing.
Excellent job. ;)
-
Just following up on Evil's idea here: http://www.computerhope.com/forum/index.php/topic,70163.msg458889.html#msg458889.
I Think the script should also make sure that HijackThis is up to date (2.0.2)
-
Just following up on Evil's idea here: http://www.computerhope.com/forum/index.php/topic,70163.msg458889.html#msg458889.
I Think the script should also make sure that HijackThis is up to date (2.0.2)
Yep actually already does this, something I forgot to mention. I also implemented but have not yet posted an updated version that also does a virus scanner check and should also notice if more than one Virus scanner is running. :)
-
Update 3.0a:
Posted the latest version of this tool, which includes the following updates.
- Detects if anti-virus is found in Hijackthis log and if so report it in overview
- If anti-virus found watches for multiple instances, in case user has more than one anti-virus installed.
- Scans and reports back information on .cab files.
- If warnings found will now list steps to perform in HijackThis at the bottom of the report. Working with malware specialists on this to perfect this section; an example of steps generated and a HijackThis log with issues found on this post (http://www.computerhope.com/forum/index.php/topic,70456.0.html).
- Corrected a few issues with text parsing algorithm to help detect files embedded in messy lines of text.
- Added a few dozen more files to definitions
- Corrected a few other minor issues.
-
haha The process scanner told me to delete c:\windows\system32\choice.exe as in the DOS command choice. i happen to be running a batch file at the time!
FB
-
Great progress so far, Nathan! If you haven't already done so, a firewall check would also be handy. And it would be great if you could also check for Java and whether it's the newest version or not.
Once I get some sleep, I'm sure I'll have more suggestions.
-
haha The process scanner told me to delete c:\windows\system32\choice.exe as in the DOS command choice. i happen to be running a batch file at the time!
FB
Heh, yikes, yeah that could be an issue. :-\ Good catch. :)
Great progress so far, Nathan! If you haven't already done so, a firewall check would also be handy. And it would be great if you could also check for Java and whether it's the newest version or not.
Once I get some sleep, I'm sure I'll have more suggestions.
That's what's the system information script (http://www.computerhope.com/cgi-bin/systeminfo.cgi) is for. :) But good suggestion, put it into the listing of things to do at the bottom of the log.
-
There's one thing that concerns me... Although your script is great so far, it still needs a lot of work because there are so many different known files. That's not the issue, however. I ran a log through the parser and the majority of the files were unknown and the page instructed me to remove most of them because they were running in the system32 folder. The problem with this is that they were legitimate files!
It may not be best to have removal instructions at the bottom, at least not until the utility is refined. Even then, no automated program is perfect and it could get confused at times. It could give some detailed cleanup instructions (maybe borrow some of the information from evilfantasy's "read first" thread), but for actual removal of entries, I think it would be best to refer people to the forum. After all, we're dealing with people's registries here and we all know what can happen if things go awry
If you would still like to have these removal steps, then perhaps you can at least set it up to not remove unknown files. And maybe you can make it so the page produces a log or special link that users can provide us with...that way, if someone uses your utility, we can take a look at the results and make sure it took the proper steps. I think this would be an acceptable approach if you would like to implement automatic removal instructions.
-
Out of curiosity, I tried running a ComboFix log (HERE (http://www.computerhope.com/forum/index.php/topic,70633.0/topicseen.html)) through the parser. I only used the first two sections and excluded the registry scans. Now, I know parsers don't typically work properly for ComboFix scans, but yours actually did surprisingly well. Most of the files were unknown, but it did a pretty good job of picking out the filenames and paths. However, there were about 30 that didn't show up in the results. I'm assuming the creation/modified dates and file sizes probably confused it a bit. I wonder if there's a way could accomodate for this? ComboFix logs can be a pain sometimes and I think it would be great if your utility could accurately analyze the entries (I'm not too concerned about the registry sections, as I think they're easier to sort through; and your utility actually does fairly well with these anyway).
Also, do you think you could display the file paths in the results? If your concerned about space, maybe it could show up as a tooltip when hovering over the filenames.
Oh, and what's the best way for us to submit filenames and info to you? Just from that log alone, I've got a decent list of unknown files that should be corrected. I'm pretty busy with school, but I'd be happy to obtain file information and pass it along to you whenever I have free time.
-
Update 4.0
A ton of new updates to this new upcoming tool:
- As far as the suggestion of deleting unknown files. I've left this only because many of the malware I've seen by running hundreds of different logs garble the name of their files to prevent detection. However, I've added a disclaimer for these files to verify they're really unknown before deleting them and if really not sure to just leave them.
- Added Firewall detection although found that could report missing firewall even though one may be installed because some firewall processes are included within the actual antivirus security package. Not sure how to detect this yet. Ideas welcome.
- Reworked the algorithm to help catch missing files in Hijackthis and even in ComboFix. Should find all (may not have an explanation, but should still report the file) if not please let me know the file and log you're using.
- Added new (path) column that displays a folder and if mouse is hovered over the line displays path and/or other information the file was grabbed from.
- Corrected issues with Windows 2000 Hijackthislogs
- Ran a script to grab hundreds of Windows files in the Windows directories to help prevent unknowns like the choice.exe issue pointed out by Fireballs.
- Added hundreds of new file entries from logs of files not found thanks for everyone parsing logs through the script.
-As far as submitting files to me the best method right now is to just search for them or the logs containing them on the site since any unknowns are currently logged.
I'm working on this more than other Computer Hope tasks currently because I'm hoping to elevate this new tool to beta (from alpha) and introduce it on the main Computer Hope site on the first of December.
-
Wow, lots of updates! Thanks for addressing some of these issues. For firewall detection, I understand that it can be a bit tricky when someone is using a security suite. It's thrown me for a loop several times. One thing we can do is get info from the most popular security suites available, and if someone has one installed, the utility can assume they have a firewall. This won't be 100% accurate, but it's a start.
And I'll be sure to keep parsing logs so you can get the reports.
-
Oh! A couple more things...
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
This is a legitimate entry...for Windows ME. However, if it shows up in an XP log, it's an infection.
Also, when scanning a single file, the utility gives suggestions for disabling them. But certain files (such as the above, as well as vital system files) shouldn't be disabled...perhaps there should be a tag to designate files that shouldn't be disabled. BleepingComputer does something like this, I believe.
And there's another thing I didn't think to mention. This is something I haven't seen done by any other parsers yet (granted, I don't test them all on a regular basis, but still)...when a HijackThis log doesn't have any O2 entries, it's often a sign that the user may be infected with Vundo because some variants will hide these entries. It's possible for a user to not have O2 entries without being infected, but it's not common.
-
Here is one that could be tricky.
mcafeeupdate.exe Unknown - Click here to open Google search for this process.
This is actually a worm and not part of McAfee.
http://www.bleepingcomputer.com/startups/Mcafeeupdate.exe-5350.html
http://www.castlecops.com/s6402-Mcafeeupdate_exe.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.YN&VSect=T
-
Update - v5.0
- Added mcafeeupdate.exe to process database
- If logfile appears to be incomplete (doesn't begin with logfile and end with 'end of file') mention it.
- If multiple antiviruses detect will list the two companies in conflict to help find conflicts easier.
- Firewall detection will now list developer detected.
- If multiple firewall processes detected warn user about potential users.
- HijackThis logs that have an old date (7+ days) will suggest generating a new log.
- Added additional guidelines and helpful tips in the delete files and hijack section to prevent potential problems with could be encountered by inappropriate steps by the tool.
- Added better support and detection for users not running windows in the windows directory
- Numerous other minor changes
- Now have over 2,000 entries in the database
p.s. Still working on your lasts requests Chris.
-
Still just observing but - awesome project. Great work.
-
Very nice.
In a very short time you have created one of the better HJT parsers out there.
-
Very nice.
In a very short time you have created one of the better HJT parsers out there.
Agreed! No program is perfect, but your parser has significantly cut down on the time it takes for me to read logs. I no longer sigh each time I open a ComboFix log. Heh. Awesome work so far, Nathan. It's going to take some time for me to get used to the interface (I've grown accustomed using another one for so long), but this is already becoming a regular tool in my arsenal. It would be great if you could someday program a downloadable version.
I know I've already made a ridiculous amount of suggestions, but I have one more. Don't worry, this one is pretty simple. I thought of it when I read about your addition of the week-old warning. How about an alert for dates/times in the future? It's not common, but I have reviewed a few logs from computers that were a day or two ahead. It's not always noticeable, but it will prevent certain anti-malware programs from updating properly because they get confused.
EDIT: I forgot to mention that I'm still having some trouble with certain lines not showing up when parsing ComboFix logs. I'm not sure what's going on, but they seem to create some sort of confusion. If I single these lines out and parse them separately, I just get a blank page.
-
I no longer sigh each time I open a ComboFix log.
Agreed. I don't think people actually believe we look at every line in every log we request. It's more then just run a tool and see what's removed...
-
It had a bit of a problem with a log in foreign language. It's flagging Symantec and Intellipoint as malware.
Log attached.
Also rsit.exe is Randoms System Information Tool. It runs HJT and automatically renames the HJT.exe to whatever the user name on the computer is. In this case chopssuey.exe
[Saving space - attachment deleted by admin]
-
6.0 Update
Unfortunately with the holiday season I was unable to get this tool to what I considered a beta stage so I'm not going to be announcing it on the site yet. Below is all latest fixes to the script.
- Added requested feature to detect hijackthis logs that have dates later than the current date (in the future) because of potential time zone differences this warning will report >= +2 days
- Corrected issue with date format being formatted improperly for users who have month/day/year instead of day/month/year (believe this is related to non-US computers).
- Improved detectability of two files on one line and the reporting of both files and not just one.
- Hijackthis renamed files will no longer be shown as unknowns but will display disclaimer on description instead.
- Improved firewall detection.
- Better detection on directories using the 8.3 file format.
- Added disclaimer to warnings that may be displayed for users who have non-english version of Windows and the Program Files directory is actually Programas.
Still working on:
- Detecting files like: StateMgr.exe that are only used with WinME and not XP/Vista
- I'll see about a downloadable version but something that would likely be way down the road.
-
7.0 Update - Windows process and HijackThis log tool vA7.0a (http://www.computerhope.com/cgi-bin/process.pl)
Another big update. ;D
- Completely reworked the algorithm that parses out filenames. This has greatly increased total files found in many logs and as far as I can tell has eliminated any lost files not being shown in the table. Seems to be a really big improvement for Combofix logs.
- Improved detection again on multiple files listed in one line.
- Improved on Firewall and AntiVirus detection. In addition will also show unique icons for AntiVirus / Firewall related files
to help with quick identification.
- Now looks at each of the following extensions: .dll .exe .cfg .cab .ocx .bat .sys .cpl .com
- With the addition of .com extensions being looked at and reported script does have some minor issues identifying between some domains and actual file names. Still being worked out, but for most part most domains even in file paths are properly ignored.
- Slightly modified the look of the table, added additional icons in addition to those mentioned above.
- Added several additional Hijackthis triggers for detecting more than just process threats, things like browser hijacks.
- Added close to another 1,000 processes to database.
- Few additional checks and table formatting changes for when user looking at Combofix log.
- Several other dozen things not really worth mentioning. ;)
-
It's looking good.
I still haven't ran a CF log through it. Call me stubborn...
How about a GMER parser lol. Now THAT would be nice!
-
SWEET!!
It does a nice job in parsing Panda ActiveScan logs also. Maybe you can see some tweaking to be done in this area also. The logs are fairly easy to read but all of the extra characters can make it confusing. Note that nothing in this log is actually malicious. Those are all Smitfraudfix files.
The main thing is it separates out all of the cookies and extra text and read the actual executables. Although I do wish it would show the entire file path. ntp.exe isn't malicious, but when you see the entire file path it becomes clear why it was flagged. C:\ComboFix\ntp.exe.
Another log is attached.
ANALYSIS: 2008-12-06 15:00:15
PROTECTIONS: 1
MALWARE: 23
SUSPECTS: 9
;****************************************************************************
PROTECTIONS
Description Version Active Updated
;===========================================================================
AVG Anti-Virus 8.0 Yes Yes
;===========================================================================
Id Description Type Active Severity Disinfectable Disinfected Location
;===========================================================================
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\don pc\favorites\insurance
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@atdmt[2].txt
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@tradedoubler[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@fastclick[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@mediaplex[1].txt
00147806 Cookie/7search TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@7search[1].txt
00147824 Cookie/Clickbank TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@clickbank[1].txt
00159881 Application/Pskill.A HackTools No 0 Yes No C:\System Volume Information\_restore{F07A53C8-B184-416E-84DF-091CF0822230}\RP157\A0025744.exe
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@statcounter[1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\[email protected][1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@apmebf[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\[email protected][2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@adtech[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\[email protected][1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@advertising[1].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\[email protected][3].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\[email protected][1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@overture[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@adrevolver[2].txt
00207936 Cookie/Adviva TrackingCookie No 0 Yes No C:\Documents and Settings\Don PC\Cookies\don_pc@adviva[2].txt
03477235 Application/SmithFraudFix.A HackTools No 0 Yes No C:\Documents and Settings\Don PC\Desktop\SmitfraudFix.exe
;===============================================================================
Sent Location j
;==============================================================================
Yes C:\Documents and Settings\Don PC\Desktop\SmitfraudFix\404Fix.exe j
Yes C:\Documents and Settings\Don PC\Desktop\SmitfraudFix\IEDFix.C.exe j
Yes C:\Documents and Settings\Don PC\Desktop\SmitfraudFix\VACFix.exe j
No C:\Documents and Settings\Don PC\Local Settings\Temp\~tmpb.exe j
Yes C:\RECYCLER\S-1-5-21-796845957-299502267-839522115-1004\Dc1.exe j
Yes C:\WINDOWS\system32\404Fix.exe j
Yes C:\WINDOWS\system32\IEDFix.C.exe j
Yes C:\WINDOWS\system32\o4Patch.exe j
Yes C:\WINDOWS\system32\VACFix.exe j
;=============================================================================
VULNERABILITIES
Id Severity Description j
;============================================================================
;=============================================================================
[Saving space - attachment deleted by admin]
-
Pretty cool! How would you make something like that? You don't have to tell me if you don't want to. ;) ;) ;)
yuppp
;D ;D ;D ;D ;D ;D
-
Trying to put my HijackThis log through and...
Software error:
Month '-1' out of range 0..11 at process.pl line 419
For help, please send mail to the webmaster ([email protected]), giving this error message and the time and date of the error.
-
Ok......This is interesting...
I got rid of the header for my HJT and submitted the log and Kaspersky rang out.
Trojan Program (modification):
C:\Documents and Settings\user\Local Settings\Application Data\Mozilla\Firefox\Profiles\0q8gzr31.default\Cache\29061B48d01
See attached file
(I got rid of this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:29 PM, on 07-Dec-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal)
[Saving space - attachment deleted by admin]
-
It does a nice job in parsing Panda ActiveScan logs also. Maybe you can see some tweaking to be done in this area also.
Definitely something that could be done. For now going to focus first on HJT and Combofix since they seem to be used more often.
Although I do wish it would show the entire file path. ntp.exe isn't malicious, but when you see the entire file path it becomes clear why it was flagged. C:\ComboFix\ntp.exe.
The full path and other information the file is found on is displayed if you hover the mouse over the folders in the path column. Were you wanting something more specific then that or somewhere else? Chris wanted this to be added and seems to work with all logs as far as I can tell.
Pretty cool! How would you make something like that? You don't have to tell me if you don't want to.
Program was written by me in Perl. Really difficult however to answer a generic question like that when it comes to programing because would be extremely hard to explain the whole program. Basically, Grabs text inputted by user, parses text through a bunch of regexp algorithms, looks for matches, and spits out the results in a formatted table.
Software error: Month '-1' out of range 0..11 at process.pl line 419
This is definately a problem and has been fixed to prevent from happening again (will show in ver 7.0b+). However, I would like to know if the date stamp you had (Scan saved at 5:03:29 PM, on 07-Dec-08) is something you created or something actually generated by Hijackthis? I've never seen a date stamp in a hijackthis log that has the abbreviation of the month, usually always the numerical value.
As far as Kaspersky reporting malware in this script is beyond me. My assumption is that maybe the page generated for your log contains some keyword(s) that trigger it to falsely report it. Rest assured there is nothing else the script is doing other than parsing through the text entered into it.
-
The full path and other information the file is found on is displayed if you hover the mouse over the folders in the path column.
Ahh, I just didn't do enough hovering lol. Works great!
However, I would like to know if the date stamp you had (Scan saved at 5:03:29 PM, on 07-Dec-08)
That caught my eye also.
-
Carbon's header looks like that because of the short-date format in his regional settings.
Here's my header with the default settings...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:41:20 PM, on 12/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
And now with the same setting as Carbon...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:42:41 PM, on 08-Dec-08
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
All HJT is pull the time/date from the computer's clock. It doesn't have it's own special way of formatting this information.
-
CBMatt is correct. I changed my date format in my Regional and Language Settings over in Control Panel.
I get the same format as the one in my HJT Log if I got to Command Prompt and type 'echo %date%'.
As far as Kaspersky reporting malware in this script is beyond me. My assumption is that maybe the page generated for your log contains some keyword(s) that trigger it to falsely report it. Rest assured there is nothing else the script is doing other than parsing through the text entered into it.
All right. As long as I know you're not doing anything devious behind our backs. ;)
-
Do you remember what Kaspersky was reporting?
-
All I've got is what I posted here:
http://www.computerhope.com/forum/index.php/topic,70163.msg468373.html#msg468373
-
I ran the log through again without the header and I got some screenshots:
When I click Search:
(http://www.fileupyours.com/files/191176/k1.PNG)
I click Allow:
(http://www.fileupyours.com/files/191176/k2.PNG)
Comes up after a few seconds:
(http://www.fileupyours.com/files/191176/k3.PNG)
-
It's the scripts that the tool uses.
See here > http://vurl.mysteryfcm.co.uk/?url=146107
-
Hmm, I just noticed that the parser is confused by [email protected] and sees it simply as home.exe (and of course doesn't know what it is). I'm assuming this can be fixed with a regexp tweak...and we know how much fun that always is.
-
Update: vA7.0b
Haven't had much time the last few days to work on big updates so just fixed a few of the small issues.
- Corrected the date issue and will now take months such as "Dec" and convert to proper month integer. Thanks Chris for pointing out how / why Hijackthis displays date differently.
- Corrected issue with Folding@home not showing up properly. This was caused because of new domain filtering (on e-mail addresses)
-
Update: A8.0
- Things not found are now using a Google Custom search (http://www.google.com/coop/cse?cx=003411668307610607965:hvbvocqjr7q), which is only searching 16+ specific sites for processes. If you happen to know a site that's not indexed feel free to mention it.
- Corrected and added additional checking on the date stamps in Hijackthis logs
- Added better detection and visibility for OCX files found (usually with combofix logs)
- Added warning on ComboFix logs that do not go all the way to the end
- Added warnings to be displayed for unknown files in the %window%\system directory
- Corrected a few dozen of the Windows files that were showing as potential threats for Vista users
- Added several hundred new processes to database, now over 3,000
- Various other minor fixes
-
Could you list those 16+ sites?
-
Could you list those 16+ sites?
Sure since I guess it can't be seen through Google :(
http://www.filename.info
http://www.liutilities.com
http://www.programchecker.com
http://www.runscanner.net
http://www.spywaredata.com
http://processlist.com
http://www.what-is-exe.com
http://www.pcpitstop.com/libraries/process/
http://www.file.net/process
http://www.whatsrunning.net
http://www.neuber.com
http://www.computerhope.com
http://www.greatis.com
http://www.processlibrary.com
http://www.threatexpert.com
http://www.bleepingcomputer.com/filedb/
http://www.bleepingcomputer.com/startups/
http://www.systemlookup.com
-
Thanks.
I can see, one great startup site is missing: http://www.sysinfo.org/startuplist.php
This must be one of the oldest, and most comprehensive site.
-
Thanks.
I can see, one great startup site is missing: http://www.sysinfo.org/startuplist.php
This must be one of the oldest, and most comprehensive site.
Thanks added. I've also added a few others that I've recently stumbled across while working on next update.
-
Update A8.0a
- Added new feature that will save the reports generated so they can be referred to or looked at by other users or used as a reference. For example, here (http://www.computerhope.com/cgi-bin/process.pl?o=00)is an example of a saved log. Links and additional information about accessing saved files found at the bottom of each process report.
- A few hundred more processes added to database.
- A few other minor changes.
-
Is it possible to send you some updates about certain entries, which are listed as unknown, thus redirected to Google search?
If so, how would I do this?
-
Is it possible to send you some updates about certain entries, which are listed as unknown, thus redirected to Google search?
If so, how would I do this?
You can either the a PM here or on the webmaster submission. However, anything not found is logged and I'll eventually see it and if I can figure out what it is add it to the database. So probably really not required since I'll eventually add it.
-
OK.
-
Hello!
I was just browsing through computer hope today and came across your new utility and just outta curiosity thought I would try it. well all I have to say is WOW! That is one fantastic tool you are working on there! I loved how I could click on the process and it took me to the definition and gives me an idea of what it does. I cannot believe the information it gives a simple person like me. I am not a expert on computers but have done my fair share of fixing them mainly as a hobby or just intrigues me I guess. I have had lots of help from your malware specialist in here and I can kinda see what they are looking at when they are looking at a hjt log from me now. I have never seen a utility like the one you are working on, but does not surprise me, due to the excellence of this forum. would just like to say you guy's are the best and look forward to your final phase of this project. sounds like computer hope has a great team!
Ok with that all said: The hjt said it didn't find any firewall on my system and I know I should have a better one but was just wondering if you have it set to not recognize windows firewall. I do have windows firewall enabled and running so was just curious! It had one thing for me to fix which I didn't just due to fact my comp is running good. I also haven't installed sp3 yet, just because I am updated on sp2 still and have heard sp3 can cause problems. that is the only 3 threats it found if you would like to see it here is where it say's a report was saved:
http://www.computerhope.com/cgi-bin/process.pl?o=24162240.htm
Just had to put my two cents worth in.. ;D You are the best of the best out there in my book. I have gained great knowledge from this forum... Thanks!
-
Many tools will not detect the Windows firewall. If you do any online banking, eBay, PayPal etc then you should install a 3rd party firewall.
Remember only install ONE firewall
1) Comodo (http://www.personalfirewall.comodo.com/) (Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" if you choose this one)
2) Online Armor (http://www.tallemu.com/online_armor_free.html)
3) Sunbelt/Kerio (http://www.sunbeltsoftware.com/Home-Home-Office/Sunbelt-Personal-Firewall/)
4) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
5) PC Tools Firewall Plus (http://www.pctools.com/firewall/)
If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
----------
Your Hijackthis log contains a missing file reference to: {7e853d72-626a-48ec-a868-ba8d5e23e045}. Although not a threat to the computer it may cause errors.
This is part of Windows Live Messenger and isn't dangerous and is actually safe. It won't hurt to fix it with HJT though.
----------
SP3 only caused a problem for a small number of people. While it isn't critical to update to SP3 like it was to update to SP2, it is still recommended.
-
Thanks for the advice Evilfantasy!
Guess I best get a firewall installed then! CBMatt suggested the same thing on my moms comp that he just helped me clean up.
Would like to say again .."great tool that is being made here in computerhope"
Will be watching with great enthusiasm. Looks like alot of work involved. A Pat on the back to Computer Hope Admin for his efforts!!! ;)
-
Glad to hear you're enjoying the tool az_shyguy and thanks for the feedback.
-
Update 9.0
- Added a listing of R0 - R3 HijackThis lines. For those not that familiar with HJT these are the lines that list your Internet Explorer preferences, e.g. your home page.
- Checking and listing on O1 lines for potential host file changes.
- Added checking for 05 (Missing control panel icons)
- Added checking for 06 (Disabled IE settings)
- Added checking for 07 (Disabled regedit access)
- Added checking for O10 (Windows Winsock hijackers) and made suggestion to LSP-Fix.
- Added checking for O13 (IE prefix (http://) hijack)
- Added checking for O15 (IE trusted zones)
- Added checking for O17 (DNS / Domain hijacks)
- Added checking for O18 (Protocol hijacks)
- Added checking for O18 (CSS style sheet hijacks)
- If running HijackThis from Safe Mode will report it as a potential warning.
- Added a few dozen more processes.
- Added digg button (feel free to digg it if you like it)
- A few other minor changes and/or changes I forgot I made. :)
-
Very nice! It's turning out really great so far.
-
This weeks work. Big update and a lot of hours put into it, enjoy. ;D
Update b1.0a
- Updated script status from alpha to beta.
- Added detection and if missing the suggestion of installing WOT (Web of Trust) on the computer.
- Added "Skip to cleaning steps" link in top overview section, to quickly scroll to cleaning steps (if available).
- Added detection of blank lines such as:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
- Each of the file information pages will now contain a link to the custom google search to get additional information from third-party pages if needed.
- Added several thousand new processes.
Fixes
================
- Fixed bad link from being generated for saved HijackThis logs.
- Corrected rare issue with incoming Unicode being improperly parsed and causing crash.
- Fixed issue with not ending process if too many files to process.
- Google link now searches for processes in quotes, to help eliminate bad results in custom google search.
- Corrected error with reporting multiple firewalls even though its the same firewall.
- Updated top overview section, improving the look and functionality.
- Changed old HijackThis log warning icon to match other warning messages icons.
- Found and corrected pesky flaw with mywebsearch not being found. This in turn could help with finding matches that may have not been found before.
- Removed the report of prefix hijack on "gopher prefix: " and domain hijack warnings on "Hosts: ::1 localhost" and hijack warning on WOT protocol change.
- Corrected error with detection of multiple files on the same line.
- Redesigned how file information stored and rewrote the read function.
- Added increased count for each domain host changes detected.
- Fixed it so @dll files are just detected as the actual DLL.
- Removed redundant and often long HijackThis DNS line info on potential DNS hijack warnings.
- Updated the final report (at bottom of HijackThis log) to common look throughout Computer Hope, hopefully making it easier to read and scan.
- Corrected a few spelling and grammar errors in final report.
- Updated the file information pages with more complete and in some cases accurate information.
- Other minor updates not mentioned.
Still have a lot on the plate I'd like to do but wanted to get it at least posted and mentioned before I went to sleep tonight. All other updates still working on will be in next release.
-
One other thing I've seen is that, here in Europe with the date and month the other way around (e.g. today is 23/05/2009), sometimes the Process Tool gvies a warning saying that the HJT log is out of date and suggests running a new one. Not sure if this is fixed though...
-
here in Europe with the date and month the other way around (e.g. today is 23/05/2009)
The mm/dd/yyyy format is mainly used by the USA and very few other countries. The vast majority of the world's countries use either the little endian dd/mm/yyyy date format (most) or (a few) the big endian yyyy/mm/dd format. All three are recognised in Canada, although official documents use big endian dates.
The mm/dd/yy format is used in:
* Belize
* Federated States of Micronesia
* Kenya
* Palau
* Philippines (when written in English)
* Puerto Rico
* United States
-
Looks like a great tool, will use if occasion ever arises.
-
One other thing I've seen is that, here in Europe with the date and month the other way around (e.g. today is 23/05/2009), sometimes the Process Tool gvies a warning saying that the HJT log is out of date and suggests running a new one. Not sure if this is fixed though...
This should be fixed to the best of my knowledge. Unfortunately it's tricky since there is no traditional formatting, so I have to kind of assume what goes where and look for strange situations, e.g. 23 > 12 so obviously a day and not a month. However, if it's something like 05/05/2009 I have no real method of knowing if the first is a day or month.
-
I'm not sure if this would rectify the situation or not, but couldn't you just extract the date/time from the user's computer and compare it to the log? I know the information can be extracted via PHP fairly easily. And to make the comparison easier, the user can select their date/time format from a list before submitting their log. Doing so would run the necessary check. It's not perfect, but as long as the person knows what their format is (or how to easily find out if they're uncertain), then it could be pretty accurate. If they opt to not choose a format, the check can either be skipped or it can be handled in some other way.
-
I'm not sure if this would rectify the situation or not, but couldn't you just extract the date/time from the user's computer and compare it to the log? I know the information can be extracted via PHP fairly easily. And to make the comparison easier, the user can select their date/time format from a list before submitting their log. Doing so would run the necessary check. It's not perfect, but as long as the person knows what their format is (or how to easily find out if they're uncertain), then it could be pretty accurate. If they opt to not choose a format, the check can either be skipped or it can be handled in some other way.
That's definately a great idea, unfortunately I believe a lot of users are going to be using this to also analyze other peoples log files so looking at the date of the machine posting the log may not actually apply and may give a false report.
-
I've posted bv1.2 after doing a lot of updating this week. I wont bore everyone with all the changes other than mentioning the tool now has close to 9,000 processes and probably close to one hundred new changes. ;D
-
Great work on this, Nathan.
-
Update:
Have done a lot of minor updates to this tool, again going to not torture everyone with the list of each change. Also quickly approaching 10,000 processes in database.
Finally, have also created and posted a video tutorial for this tool at: http://www.youtube.com/watch?v=85DCuZcOmkY
-
Nathan,
Just an observation,
Would it not be advantageous to have a suggestion/warning for users of the process tool to create a new restore point after they have fixed their problems in HJT?....Seems to me a lot of people of less experience would neglect to purge their systems of restore points which may contain copies of malware.
-
Now that this thread has been revived, detection of 64bit PCs in HJT logs would be a great addition also...
-
Now that this thread has been revived, detection of 64bit PCs in HJT logs would be a great addition also...
Absolutely, good point kpac.
-
how would you detect a 64-bit OS from a log generated by a 32-bit program?
-
how would you detect a 64-bit OS from a log generated by a 32-bit program?
;
One way would be to check for the "Program Files (x86)" folder, instead of the normal "Program Files". Another way would be to automatically pick up on too many system files with (file missing) entries.
-
Nathan,
Just an observation,
Would it not be advantageous to have a suggestion/warning for users of the process tool to create a new restore point after they have fixed their problems in HJT?....Seems to me a lot of people of less experience would neglect to purge their systems of restore points which may contain copies of malware.
Correct me if I'm wrong but are restore points not already created when items are fixed?
Now that this thread has been revived, detection of 64bit PCs in HJT logs would be a great addition also...
Evilfantasy actually brought this up in another section and I believe it should be already addressed in an earlier release as shown below.
Update (bv1.2f)
* Look for "Program Files (x86)", which is the only thing I could see that should uniquely identify a 64-bit system.
* If this is found generate create a new error saying: "Your computer has a 64-bit processor which is not 100% compatible with HijackThis and can cause improper errors in the log."
* Create a flag indicating that it's a 64-bit system and do not warn on missing log lines if found.
-
Could you make the reader just reject a 64bit log and send them to the forums? Or have it ignore any line with c:\program files (x86) in it?
-
The CLSID search isn't working for every search, only a few.
CH search results. http://www.systemlookup.com/lists.php?list=1&type=clsid&search={a173b69a-1f9b-4823-9fda-412f641e65d6}&s=
Actual results. http://www.systemlookup.com/search.php?type=clsid&client=malwaresearch-ff&search={a173b69a-1f9b-4823-9fda-412f641e65d6}
-
Long time coming update for process tool (http://www.computerhope.com/cgi-bin/process.pl).
Update (bv1.2f)
- Added several thousand additional processes
- Added better Windows 7 detection
- Updated script to not report error when seeing HiJackthis beta version log.
- When browsing through all processes lists processes 10 at a time. Helping with server overloads when having to query thousands of processes for each letter.
- Top 10 looked at processes listed on main page.
- Corrected above CLSID link suggestion Evil suggested. Just changed all links to match the above example.
- Corrected and improved detection with file descriptions containing directories. (help with detecting malware with valid names in alternate directory).
- Additional warning for users running IE 6 (since it's so insecure).
- If multiple anti-virus programs found in Getting your system clean section recommends removing one of them to prevent problems.
- Corrected CSS issue with how top bar on table was being displayed.
- Added a few more missing Firewall and Antivirus programs.
- Script now links all files found in the winsock hijack warnings.
- Dozens of other minor changes/fixes.
and Congrats everyone for over 10,000,000 files looked at surpassed a few months ago. ;D
-
Wow, very nice. Kudos, Nathan!
-
Excellent.....Nice Work !
-
Nice work!
A concern I have found when running my Win 7 64bit log through is this.
C:\Windows\SysWOW64\rundll32.exe - Being identified as malicious.
Microsoft Windows process that handles handling.dll files that should be located in the C:\Windows\System32 directory not the c:\windows\syswow64\ directory.
VirusTotal Results (http://www.virustotal.com/analisis/5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124-1264697119) 0/38 (0%)
Also I'm not sure how easy it would be but it is still suggesting the the O23 entries with '(file missing)' should be removed. Maybe you could add a ***** Note to O23 (file missing) entries that if they are on a 64bit system that the user should ignore them?
-
Thanks all and regarding the O23 entries Kevin, if detected as 64-bit those shouldn't be pulling up. I've added some additional 64-bit detection and a caution warning that will now be also shown in the "what to do in Hijackthis" section. If you happen to come across another 64-bit log that generates problems let me know and post a link to the log file. I've ran my 64-bit systems with the new updated version and also some other 64-bit logs I found through Google and all seems well now.
v1.5c Updates
===========
-Above mentioned 64-bit fixes.
-Additional improved support on detecting Windows 7
-Several hundred more processes (now well over 10,000 processes)
-Other minor fixes
-
That's much better. :)
If anybody has a HJT log that shows MSE (Microsoft Security Essentials) entries please send it to me or post it here. I'm kind of disappointed that MSE does not show in my log. Microsoft is hiding it, which is good, but it's hidden too well IMHO.
-
That's much better. :)
If anybody has a HJT log that shows MSE (Microsoft Security Essentials) entries please send it to me or post it here. I'm kind of disappointed that MSE does not show in my log. Microsoft is hiding it, which is good, but it's hidden too well IMHO.
Yeah I've researched this on all the computers I have here and they all don't show up in the hijackthis logs or as a process. So unfortunately it appears as if it could be hidden in another process (e.g. svchost.exe) like the Windows Firewall. :( If anyone has ideas on detecting these I'm all ears.
-
I'm not sure where it's running from. Even tools like Security Check by screen317 (http://screen317.spywareinfoforum.org/SecurityCheck.exe) don't find it.
-
Here it is. I don't know if it helps any...
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Security Essentials
C:\Program Files\Microsoft Security Essentials\msseces.exe,0
HKEY_USERS\S-1-5-21-1616066376-2122674282-4061501089-1001\Software\Microsoft\IntelliPoint\AppSpecific\msseces.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
HKEY_USERS\S-1-5-21-1616066376-2122674282-4061501089-1001_Classes\Local Settings\MuiCache\10F\52C64B7E
@c:\Program Files\Microsoft Security Essentials\MpAsDesc.dll,-240
-
would "c:\Program Files\Microsoft Security Essentials\msseces.exe" not be in the processes list from the log?
-
If anybody has a HJT log that shows MSE (Microsoft Security Essentials) entries please send it to me or post it here.
This is interesting issue, because 1-2 months ago, I saw quite a few HJT logs from computers running MSE and could be seen in a list of running processes.
I just had another HJT log today from the computer running MSE and.....nada.
Some Windows update hid it even "better"?
-
Actually, I was lying. In this brand new log, it's not listed under processes, but I found it as O4 entry:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:24:47 PM, on 1/28/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\hp\support\hpsysdrv.exe
C:\hp\KBD\kbd.exe
C:\Program Files\PC Hardware Manager\PCHardwareManager.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
hjt:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = AOL.com - Welcome to AOL
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PC Hardware Manager] C:\Program Files\PC Hardware Manager\PCHardwareManager.exe
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - .DEFAULT User Startup: Preload.lnk = ? (User 'Default user')
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - https://wimpro2.cce.hp.com/ChatEntry...ds/sysinfo.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ndows-i586.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01...PUplden-us.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
-
Edit: Maybe I'm thinking of Vista when I saw it in my logs?
This is interesting issue, because 1-2 months ago, I saw quite a few HJT logs from computers running MSE and could be seen in a list of running processes.
I just had another HJT log today from the computer running MSE and.....nada.
Some Windows update hid it even "better"?
Agreed. When I first installed MSE it was in the HJT log. Not now.
would "c:\Program Files\Microsoft Security Essentials\msseces.exe" not be in the processes list from the log?
Nope. Just like Windows Defender, once it went final at also went missing (for the most part) unless you went looking for it.
-
come to think of it, hijackthis really should output all the services running on a machine.
-
It's not a service, but a process, but in any case, HJT since taken over by TrendMicro has been basically dead, development-wise.
So, it doesn't really show everything.
HJT creator, Merijin, joined Malwarebytes crew lately.
I'm pretty sure, TM took HJT over just to kill it.
-
They recently released a new Beta. v2.0.3 http://free.antivirus.com/hijackthis/
Although there are no apparent changes yet.
-
Very minor changes and on a top of it, some people with Vista and 7 experience problems, when trying to run it as administrator, so I always suggest to run 2.0.2.
-
Maybe 5-6 months ago, on some other forum, a guy from TM came to describe how huge changes are coming to HJT under TM (basically, it would be something like OTL), but.....nothing happened.
-
After playing with my Vista machine I did get HiJackthis to show msseces.exe as broni showed above, believe it may have not been showing earlier because I could have not been running it as administrator. Still unable to get this to show under Windows 7, however this could be once again an issue with it being 64-bit and HijackThis incompatibility with it. Probably most of the issues boil down to the fact that Hijackthis isn't getting maintained.
Maybe we should consider suggesting converting all our recommendations to an alternative solution such as A-Squared HiJackFree (http://download2.emsisoft.com/a2HiJackFreeSetup.exe) or some other alternative. These tools could be easily adapted to the Computer Hope process tool.
-
I just started testing out A-Squared HiJackFree a few days ago and it works very well. I even have a canned speech for it.
I'll start a topic in the MS section asking what the others think about it and the possible up/downsides. Check in there in a few minutes.
-
I think, HJT days are over.
With today's sophisticated infections, it really doesn't show much unless the computer is totally messed up.
I still use it as a tool for a final look (garbage, unnecessary startups, etc. - it's handy, because it's compact), but not as a primary tool.
Basically, without scanners like DDS, or OTL, you can't see much.
-
Doesn't appear that Hijackfree updates that frequently either. :-\ Based off what I happened to see on their webpage as shown below.
Last Update of a-squared HiJackFree: 5/12/2008 8:15 AM
Version: 3.1.0.16
Number of References:
Processes: 1789
Autoruns: 12129
Update: 1.6
- Updated tool to support hijackfree logs and parse through most of what hijackthis logs does.
- Corrected issue with load files such as userinit not being suggested as the file to delete in fixes.
- Change the title of this tool to "Computer Hope log tool", felt since this tool is supporting more logs that the mention of hijackthis in the title isn't needed.
- Corrected with improper <title> tags in HTML code.
- Added "Note: The Windows XP firewall only filters inbound Internet traffic by default." to warning about no firewall detected under XP.
- Additional firewall and anti-virus programs detected
- Corrected footer issues when displaying saved logs on server.
- Updated hijackthis example log linked to on main page to a more up-to-date version
- Several more hundred files listed
- Other small updates and changes
-
I have run a multitude of logs through the tool this week with all sorts of different AV's so hopefully they are mostly all recognized when you get it updated again.
One bad thing is that Kaspersky is blocking the tool from running.
Exploit.HTML.CodeBaseExec http://www.viruslist.com/en/search?VN=Exploit.HTML.CodeBaseExec
Status: Infected (events: 1)
2/6/2010 2:58:27 PM Infected Trojan program Exploit.HTML.CodeBaseExec http://www.computerhope.com/cgi-bin/process.pl High
I have sent it in as a False Positive. http://support.kaspersky.com/virlab/helpdesk.html
Selected request type False alarm
Email ******************
Installed Kaspersky Lab’s software: KIS 2010
Date of the last successful database update: 02/06/2010
-
Thanks for the help and notice. This is one of the main reasons I've been using Kaspersky this last month, is because of these false alarms. Unfortunately as far as I can tell I can't seem to make it so these don't appear.
-
They may have fixed it on their end. I just ran a log through with no warnings.
-
That's good to hear I'll be updating this some more tonight so it should allow me to see if I'm also getting any errors. Would be really nice to have this fixed since I get users often complaining that the tool is infected when it's really not.
-
Did you change anything just now? It's back to blocking my logs.
-
Did you change anything just now? It's back to blocking my logs.
Nope nothings been changed.
-
Strange. ???
-
Strange. ???
Have an example log you can send me a link to or what you're doing so I can see if I can duplicate it?
-
Okay. It took one log but blocks another. Could it be something in the logs (text, URL...) that it's hitting on?
2 logs. Blocked and not blocked.
[Saving space, attachment deleted by admin]
-
Hmm both of these worked for me with no issues. The blocked one worked but I did get a Kaspersky false warning, is it maybe something to do with that? What is happening when it's saying it's blocked?
-
Using Firefox.
(http://imagecows.net/out.php/i14207_Capture.JPG)
-
Yeah that's something to do Kaspersky and not the process tool. It's the false infection warning and I believe can be ignored to load the page or if a rule for it has been set it may have to be adjusted through Kaspersky.
Update: v1.6a
* Corrected issues with false detections when looking at the directory of the file. e.g. java.exe being found in program files directory and the tool believing it's a potentially infected file.
-
Update: v1.6c
- Updated structure of how files with directory locations are listed in database
- If malware found in /temp/directory additional suggestion of running a Windows cleanup to clear out all temporary files is suggested.
- Corrected files not getting logged if they're in the Windows directory even if they are unknown
- Corrected issue with seriously corrupted hijackthis logs containing HTML to not be parsed as HTML.
- Added several hundred more files to database
-
Update v2.0
- Big update to how this tool queries the files being looked up. The method of going through the files should be a lot faster and a lot less resource intensive on the server.
- When hovering the mouse over the folder icons to display the path if that particular file is in multiple paths it'll now show all paths, separating each path with >>> as shown below.
o2 - bho: swag bucks toolbar - {a057a204-bacc-4d26-b2fc-48f8ccab3ed4} - c:\program files\prodeg~1\prodeg~1.dll >>> o3 - toolbar: swag bucks toolbar - {a057a204-bacc-4d26-b2fc-48f8ccab3ed4} - c:\program files\prodeg~1\prodeg~1.dll
- Better file detection and listing for files embedded within missing files / potential protocol hijacks.
- Corrected file errors within database
- Added several dozen more files
- Few grammatical errors and other minor updates
Although I did spend about an hour going through the a few of the older stored logs I didn't fully test this as of yet. Although it seems stable because of the amount of re-write I did on the code it's possible that issues could still exist since so much was changed. Just got too tired for any more testing. ;)
-
fantastic tool! ;D
-
Nice tool. However, I'm not sure that everything.exe can be defined as malware.
-
Nice tool. However, I'm not sure that everything.exe can be defined as malware.
Everything??
-
http://www.computerhope.com/cgi-bin/process.pl?p=everything.exe
Thanks for the suggestion, the reason this is reporting as malware is infections of everything.exe that are stored in the \windows / \windows\system32 directory. It should probably be mentioned that if this file is in another directory that it is not likely an infection. Will add to my endless todo list. :)