Author Topic: New Computer Hope tool  (Read 161165 times)

CBMatt (Mod & Malware Specialist)
Re: New Computer Hope tool
« Reply #30 on: November 18, 2008, 05:10:46 AM »
Great progress so far, Nathan!  If you haven't already done so, a firewall check would also be handy.  And it would be great if you could also check for Java and whether it's the newest version or not.

Once I get some sleep, I'm sure I'll have more suggestions.
An undefined problem has an infinite number of solutions.
-Robert A. Humphrey

Computer Hope Admin (Topic Starter, Administrator)
Re: New Computer Hope tool
« Reply #31 on: November 18, 2008, 09:03:34 AM »
Quote from: FB
haha The process scanner told me to delete c:\windows\system32\choice.exe, as in the DOS command choice. I happen to be running a batch file at the time!

Heh, yikes, yeah that could be an issue.  :-\ Good catch. :)

Quote from: CBMatt
Great progress so far, Nathan!  If you haven't already done so, a firewall check would also be handy.  And it would be great if you could also check for Java and whether it's the newest version or not.

Once I get some sleep, I'm sure I'll have more suggestions.

That's what the system information script is for. :) But good suggestion; I've put it into the listing of things to do at the bottom of the log.

Everybody is a genius. But, if you judge a fish by its ability to climb a tree, it will spend its whole life believing that it is stupid.
-Albert Einstein

CBMatt (Mod & Malware Specialist)
Re: New Computer Hope tool
« Reply #32 on: November 19, 2008, 04:30:14 PM »
There's one thing that concerns me...  Although your script is great so far, it still needs a lot of work because there are so many different known files.  That's not the issue, however.  I ran a log through the parser and the majority of the files were unknown and the page instructed me to remove most of them because they were running in the system32 folder.  The problem with this is that they were legitimate files!

It may not be best to have removal instructions at the bottom, at least not until the utility is refined.  Even then, no automated program is perfect and it could get confused at times.  It could give some detailed cleanup instructions (maybe borrow some of the information from evilfantasy's "read first" thread), but for actual removal of entries, I think it would be best to refer people to the forum.  After all, we're dealing with people's registries here and we all know what can happen if things go awry.

If you would still like to have these removal steps, then perhaps you can at least set it up to not remove unknown files.  And maybe you can make it so the page produces a log or special link that users can provide us with...that way, if someone uses your utility, we can take a look at the results and make sure it took the proper steps.  I think this would be an acceptable approach if you would like to implement automatic removal instructions.

CBMatt (Mod & Malware Specialist)
Re: New Computer Hope tool
« Reply #33 on: November 19, 2008, 04:43:16 PM »
Out of curiosity, I tried running a ComboFix log (HERE) through the parser.  I only used the first two sections and excluded the registry scans.  Now, I know parsers don't typically work properly for ComboFix scans, but yours actually did surprisingly well.  Most of the files were unknown, but it did a pretty good job of picking out the filenames and paths.  However, there were about 30 that didn't show up in the results.  I'm assuming the creation/modified dates and file sizes probably confused it a bit.  I wonder if there's a way you could accommodate this?  ComboFix logs can be a pain sometimes and I think it would be great if your utility could accurately analyze the entries (I'm not too concerned about the registry sections, as I think they're easier to sort through; and your utility actually does fairly well with these anyway).

Also, do you think you could display the file paths in the results?  If you're concerned about space, maybe it could show up as a tooltip when hovering over the filenames.

Oh, and what's the best way for us to submit filenames and info to you?  Just from that log alone, I've got a decent list of unknown files that should be corrected.  I'm pretty busy with school, but I'd be happy to obtain file information and pass it along to you whenever I have free time.

Computer Hope Admin (Topic Starter, Administrator)
Re: New Computer Hope tool
« Reply #34 on: November 21, 2008, 02:18:39 PM »
Update 4.0

A ton of new updates to this new upcoming tool:

- As far as the suggestion of deleting unknown files goes, I've left this in only because much of the malware I've seen by running hundreds of different logs garbles its file names to prevent detection. However, I've added a disclaimer for these files to verify they're really unknown before deleting them and, if really not sure, to just leave them.

- Added firewall detection, although I found that it could report a missing firewall even though one may be installed, because some firewall processes are included within the antivirus security package. Not sure how to detect this yet. Ideas welcome.

- Reworked the algorithm to help catch missing files in HijackThis and even in ComboFix. It should find all of them (it may not have an explanation, but should still report the file); if not, please let me know the file and log you're using.

- Added a new (path) column that displays a folder; if the mouse is hovered over the line, it displays the path and/or other information about where the file was grabbed from.

- Corrected issues with Windows 2000 HijackThis logs.

- Ran a script to grab hundreds of Windows files in the Windows directories to help prevent unknowns like the choice.exe issue pointed out by Fireballs.

- Added hundreds of new file entries from logs of files not found; thanks to everyone parsing logs through the script.

- As far as submitting files to me, the best method right now is to just search for them or the logs containing them on the site, since any unknowns are currently logged.

I'm working on this more than other Computer Hope tasks currently because I'm hoping to elevate this new tool to beta (from alpha) and introduce it on the main Computer Hope site on the first of December.


CBMatt (Mod & Malware Specialist)
Re: New Computer Hope tool
« Reply #35 on: November 21, 2008, 05:54:22 PM »
Wow, lots of updates!  Thanks for addressing some of these issues.  For firewall detection, I understand that it can be a bit tricky when someone is using a security suite.  It's thrown me for a loop several times.  One thing we can do is get info from the most popular security suites available, and if someone has one installed, the utility can assume they have a firewall.  This won't be 100% accurate, but it's a start.

And I'll be sure to keep parsing logs so you can get the reports.

CBMatt (Mod & Malware Specialist)
Re: New Computer Hope tool
« Reply #36 on: November 21, 2008, 06:39:45 PM »
Oh!  A couple more things...

O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe

This is a legitimate entry...for Windows ME.  However, if it shows up in an XP log, it's an infection.


Also, when scanning a single file, the utility gives suggestions for disabling them.  But certain files (such as the above, as well as vital system files) shouldn't be disabled...perhaps there should be a tag to designate files that shouldn't be disabled.  BleepingComputer does something like this, I believe.

And there's another thing I didn't think to mention.  This is something I haven't seen done by any other parsers yet (granted, I don't test them all on a regular basis, but still)...when a HijackThis log doesn't have any O2 entries, it's often a sign that the user may be infected with Vundo because some variants will hide these entries.  It's possible for a user to not have O2 entries without being infected, but it's not common.
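The two heuristics in this post (a WinME-only RunServices entry showing up on another Windows version, and a log with no O2 entries at all), as an added Python example that is not the parser's own code; the log excerpt and the VERSION_BOUND table are constructed for illustration, with only the StateMgr.exe/WinME pair taken from the thread.

```python
import re
# Constructed HijackThis excerpt (not a log from the thread): an XP host carrying the
# WinME-only StateMgr entry and no O2 lines, the two cases described in the post.
SAMPLE_LOG = """Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP3 (WinNT 5.01.2600)

O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\\..\\RunServices: [*StateMgr] C:\\WINDOWS\\System\\Restore\\StateMgr.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\\Program Files\\Common Files\\Symantec Shared\\ccSvcHst.exe
"""

# Hypothetical table of entries that are legitimate only on particular Windows
# versions; only the StateMgr.exe/WinME pair comes from the thread.
VERSION_BOUND = {"statemgr.exe": {"me"}}

O4_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def parse_platform(log):
    m = re.search(r"^Platform: Windows (\w+)", log, re.M)
    return m.group(1).lower() if m else "unknown"

def extract_exe(cmd):
    """Split an O4 command into (lower-case basename, full path or None)."""
    m = re.match(r'"([^"]+)"|(\S+)', cmd.strip())
    if not m:
        return "", None
    token = m.group(1) or m.group(2)
    return token.rsplit("\\", 1)[-1].lower(), (token if "\\" in token else None)

def analyze(log):
    platform = parse_platform(log)
    findings, o2_seen = [], False
    for line in log.splitlines():
        if line.startswith("O2 - "):
            o2_seen = True
        m = O4_RE.match(line)
        if not m:
            continue
        base, _path = extract_exe(m.group("cmd"))
        allowed = VERSION_BOUND.get(base)
        if allowed and platform not in allowed:
            findings.append((base, "legitimate only on Windows %s, seen on %s"
                             % ("/".join(sorted(allowed)).upper(), platform.upper())))
    if not o2_seen:
        # Some Vundo variants hide O2 (BHO) entries; an empty section is a prompt
        # to look further, not a verdict.
        findings.append(("O2", "no O2 entries in log; some Vundo variants hide them"))
    return findings
```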

evilfantasy (Malware Removal Specialist)
Re: New Computer Hope tool
« Reply #37 on: November 21, 2008, 11:14:01 PM »
Here is one that could be tricky.

mcafeeupdate.exe   Unknown - Click here to open Google search for this process.

This is actually a worm and not part of McAfee.

http://www.bleepingcomputer.com/startups/Mcafeeupdate.exe-5350.html
http://www.castlecops.com/s6402-Mcafeeupdate_exe.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.YN&VSect=T

Computer Hope Admin (Topic Starter, Administrator)
Re: New Computer Hope tool
« Reply #38 on: November 24, 2008, 05:41:43 PM »
Update - v5.0

- Added mcafeeupdate.exe to process database
- If the logfile appears to be incomplete (doesn't begin with 'Logfile' and end with 'End of file'), mention it.
- If multiple antiviruses are detected, it will list the two companies in conflict to help find conflicts more easily.
- Firewall detection will now list the developer detected.
- If multiple firewall processes are detected, warn the user about potential users.
- HijackThis logs that have an old date (7+ days) will suggest generating a new log.
- Added additional guidelines and helpful tips in the delete files and hijack section to prevent potential problems that could be encountered by inappropriate steps by the tool.
- Added better support and detection for users not running Windows in the Windows directory.
- Numerous other minor changes.
- Now have over 2,000 entries in the database.

P.S. Still working on your last requests, Chris.


ChrisXPPro (Adviser)
Re: New Computer Hope tool
« Reply #39 on: November 24, 2008, 05:44:54 PM »
Still just observing but - awesome project.  Great work.
Ain't technology great - until it goes wrong!

evilfantasy (Malware Removal Specialist)
Re: New Computer Hope tool
« Reply #40 on: November 24, 2008, 08:01:47 PM »
Very nice.

In a very short time you have created one of the better HJT parsers out there.

CBMatt (Mod & Malware Specialist)
Re: New Computer Hope tool
« Reply #41 on: November 25, 2008, 03:54:10 AM »
Quote from: evilfantasy
Very nice.

In a very short time you have created one of the better HJT parsers out there.

Agreed!  No program is perfect, but your parser has significantly cut down on the time it takes for me to read logs.  I no longer sigh each time I open a ComboFix log.  Heh.  Awesome work so far, Nathan.  It's going to take some time for me to get used to the interface (I've grown accustomed to using another one for so long), but this is already becoming a regular tool in my arsenal.  It would be great if you could someday program a downloadable version.

I know I've already made a ridiculous amount of suggestions, but I have one more.  Don't worry, this one is pretty simple.  I thought of it when I read about your addition of the week-old warning.  How about an alert for dates/times in the future?  It's not common, but I have reviewed a few logs from computers that were a day or two ahead.  It's not always noticeable, but it will prevent certain anti-malware programs from updating properly because they get confused.


EDIT:  I forgot to mention that I'm still having some trouble with certain lines not showing up when parsing ComboFix logs.  I'm not sure what's going on, but they seem to create some sort of confusion.  If I single these lines out and parse them separately, I just get a blank page.
« Last Edit: November 25, 2008, 04:24:44 AM by CBMatt »

evilfantasy (Malware Removal Specialist)
Re: New Computer Hope tool
« Reply #42 on: November 26, 2008, 12:01:10 PM »
Quote from: CBMatt
I no longer sigh each time I open a ComboFix log.

Agreed. I don't think people actually believe we look at every line in every log we request. It's more than just run a tool and see what's removed...

evilfantasy (Malware Removal Specialist)
Re: New Computer Hope tool
« Reply #43 on: November 26, 2008, 02:39:14 PM »
It had a bit of a problem with a log in a foreign language. It's flagging Symantec and IntelliPoint as malware.

Log attached.

Also, rsit.exe is Random's System Information Tool. It runs HJT and automatically renames HJT.exe to whatever the user name on the computer is. In this case, chopssuey.exe.

[Saving space - attachment deleted by admin]

Computer Hope Admin (Topic Starter, Administrator)
Re: New Computer Hope tool
« Reply #44 on: December 01, 2008, 03:57:50 AM »
6.0 Update

Unfortunately, with the holiday season I was unable to get this tool to what I considered a beta stage, so I'm not going to be announcing it on the site yet. Below are all the latest fixes to the script.

- Added the requested feature to detect HijackThis logs that have dates later than the current date (in the future); because of potential time zone differences, this warning will report >= +2 days.
- Corrected an issue with the date format being formatted improperly for users who have month/day/year instead of day/month/year (I believe this is related to non-US computers).
- Improved detection of two files on one line and the reporting of both files and not just one.
- HijackThis renamed files will no longer be shown as unknowns but will display a disclaimer in the description instead.
- Improved firewall detection.
- Better detection of directories using the 8.3 file format.
- Added a disclaimer to warnings that may be displayed for users who have a non-English version of Windows where the Program Files directory is actually Programas.

Still working on:

- Detecting files like StateMgr.exe that are only used with WinME and not XP/Vista.
- I'll see about a downloadable version, but that's something that would likely be way down the road.


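The log sanity checks from the 5.0 and 6.0 updates above (an incomplete log, a log seven or more days old, a scan date two or more days in the future, and a scan date written day/month/year instead of month/day/year), as an added Python example that is not the Computer Hope tool's own code; the log text is constructed, and trying month/day first and falling back to day/month is my assumption about how to handle the two orderings.

```python
from datetime import date
import re
# Constructed HijackThis log (not from the thread), dated day/month/year as a
# non-US machine would write it.
SAMPLE_LOG = """Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:10:46 AM, on 18/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe

--
End of file - 312 bytes
"""

SCAN_RE = re.compile(r"^Scan saved at .*?, on (\d{1,2})/(\d{1,2})/(\d{4})", re.M)

def parse_scan_date(log):
    """Try month/day/year first, then day/month/year when the first field cannot
    be a month. Ambiguous dates such as 03/04/2008 are read as US-style."""
    m = SCAN_RE.search(log)
    if not m:
        return None
    a, b, year = (int(x) for x in m.groups())
    for month, day in ((a, b), (b, a)):
        try:
            return date(year, month, day)
        except ValueError:
            continue
    return None

def check_log(log, today, old_days=7, future_days=2):
    """Return warnings: incomplete log, stale log, or a clock set in the future."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    warnings = []
    lines = log.strip().splitlines()
    if not lines or not lines[0].startswith("Logfile of") or not lines[-1].startswith("End of file"):
        warnings.append("incomplete log: expected 'Logfile of' first and 'End of file' last")
    scanned = parse_scan_date(log)
    if scanned is None:
        warnings.append("scan date not found")
        return warnings
    age = (today - scanned).days
    if age >= old_days:
        warnings.append("log is %d days old; ask for a fresh log" % age)
    # A reader in another time zone can legitimately be a day behind the scanning
    # machine, so only clocks two or more days ahead are reported.
    if -age >= future_days:
        warnings.append("scan date is %d days in the future; check the system clock" % -age)
    return warnings
```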