HijackThis Auto Analysis

I recently tried this HijackThis auto analysis site:

http://hijackthis.de/index.php?langselect=english

I was quite impressed with how easy and fast it checked and gave me a very good report with easy to understand results. I know that individual logs from members cannot be answered here now, so I was wondering if this auto analysis system is a good way to go. I realise that it may not have the ability to know all the answers but it seems pretty good as far as I can see.

 

Re: HijackThis

Hi Zarzenz,

We are aware of the automated service, and definitely do not recommend it for the average user. One must tread with great care with the results given, and thoroughly investigate the findings. Utilizing the free counselling provided by the member forums of ASAP is the certainly the best course of action. The automated scanner doesn't have the benefit of a description of the problem, isn't as current / up to date, and also with the shearing number of different system configs (programs) ... it may identify legit entries as suspicious/unknowns.

 

Thanks Ron,

Yes... very interesting. So the thing is to use it maybe as a first check, and then if anything seems not right, to then use either one's own knowledge if able, to check any suspects further or ask advice from the experts that are still able to do this at the various forums doing log checks.

It seems like a good place to start, and obviously we would have to allow for the odd nasty possibly not being picked up, but it does still seem worthwhile and may get better with time as it developes.

 

Thanks dog,

I just saw your reply now after posting mine.

Yes... all understood and your comments are greatly appreciated also.

 

Hi,

I tried out the auto hijackthis site and got one nasty that says "this entry should be fixed immediately" and was wondering if I could ask about this one entry here? Or should I go to another site? Thanks very much.

 

Hi Spanner,

Just to make it clear. The difference is in the interpretation of the synopsis

Merijn makes it pretty clear, without saying "I do not recommend it", that he does not.

The general synopsis of your post on the other hand does.

Hijack This is a great Tool in the right hands with a knowledgable/proper analysis. But the use of HJT by those unversed, can be devastating, with or without the use of the automated log parser.

Steve


Bumping Paul's post for everyone elses benefit:

 

Hi,

I've already have the same discussion on a french forum.
And i'm agree with the majority of us:it's not interesting to analyze a log by a robot with database.

It's better for a newbie to post his log and to have help on a good forum.
It's surely better for his learning and knowledge.

Best Regards

 

I didn't realise this was going to be such a controversial subject.

I do see the dangers in using auto analysis, and obviously agree that inexperienced users should seek expert advice before removing any suspect entries. However, I think it's a useful tool and does no harm to give it a try. And providing a backup is made then even if something good is removed, it shouldn't be too much of a problem to reinstate an entry if any particular difficulty should result from a false deletion. As long as the user feels happy doing this, which only they themselves will know, then it could prove to be a useful experience for them as they gain more expertise in these areas.

I would never have gained confidence in registry cleaning had I not played around with JV16's cleaner all those years ago. Sometimes you just have to get in there and try things out to gain the knowledge in the first place.

But yes... anyone with serious problems and without the skills to go through each section, bit by bit, of a HT log should really only have a look at the auto result, do nothing, and then seek the experts advice, and maybe compare the analysis later. That way, they will have a bit more confidence and knowledge as they learn how all this stuff works.

Thanks guys... I enjoyed reading the replies very much.

 

I agree with you, you have to start somewhere if you come this far.
Though might be helpfull reading this before, during and after :

http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#RDiag

Cheers,

Gerard

 

Thanks Gerard,

That's a very good link there with an excellent description of the HT sections.

 

I used that auto HJT on the advice of someone who probly should know better, it listed Wilders, Spywareinfo, spywarrior, as Nasty. Then spywareblaster, spywareguard, trojan hunter, spybot and a bunch of reglar protection programs, it said they were bad, and all should be deleted as nasties? by the time it was thru i might as well deleleted everything protecting my system!

If I didnt know I might have! It listed silly stuff, it just goes by the names, and if it sounds strange or spy like or spooky to the guy who wrote it, it says delete it!
Its not a help, its causing more problems, they aren't helping anyone, they just want to be what? Computer Celebrities? or hope there automatic program will get lots of donations & get good reviews by C-net.

Anyone who knows much about protecting their computer would laugh - and then worry other people will use it. There is nothing high minded about confusing or misleading people who neeed your help!.

Don't take my word, you got plenty of good adivice, you should take it.

 

I just did a scan and copied and paste the log on that site. None of the issues you are talking about show up here. Only a few Question marks for unknown services which however are known by me.
Regards,

Gerard

 

Will this seriously effect ASAP?

Jimbob

 

I very much doubt that.


snowbound

 

Hmmeven[b/] if a human expert instead of a machine is reading the log, he is equally limited. All you got to work with is the name.

If the filename is exactly the same as that of a legimate processname , the expert has to guess or at least check with the user to see if he has that software on his system.

In many cases (at least for system processes), where the file resides is a dead giveaway, trained human experts know how to see this, and if you notice, this HJT logchecker seems to have info about the default path of processes it recognises, and warns you that a process is not in its usual place so that helps a bit.

I agree though, I don't think automated logcheckers are for beginners. It can be used I think for people who don't experience any problems, but just want to check periodically they are fine. If the logcheckers don't pass them, then post the hjt log to a human expert. This might help reduce the load, even though you don't gain 100% assurance that you are totally safe.

Still I suspect these automated checkers are far better at detecting problems due to their large database of entries (with false positives of course), but you certainly shouldnt try to fix the problem.

I know of the following HJT log checkers. I've being playing with them, by running them using clean systems that are loaded with the normal security apps, Wilders members run (namely my main home system) as well as with infected HJT logs from various malware removal forums.


1) http://hijackthis.de/
2) http://www.spywareguide.com/contribute/parser.php
3) http://www.help2go.com/modules.php?name=HJTDetective
4) http://www.x-raypc.com/

Test 1

On clean computer, this one ran the normal popular antiviruses, antitrojans firewalls etc. It has one tricky entry

O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll

An entry placed by Qwifix and Secureit. 018s are in many cases bad, so it will trip up a lot of people , much less automated checkers.


(1) Best of the bunch. Recognised almost all entries. Warned about non-default path. Called the above 018 as a positive nasty. Stopped short at indentifying it as one though.

(2) For recognising safe entries it picked up less than (1). No FPs, the 018 was listed as unknown. Possibly because it has only 3 categories, safe, unknown, unsafe. No "possible nasty" category.

(3) This one only lists problems. It indentified the above 018 has CWS. oops.

(4) 2nd best at recognising entries. No FPs.Same as (2) when it comes to handling 018.

Test 2

This log was infected with a CWS variant

Everyone except (2) picked up on R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Res://C:\DOCUME~1\censored\LOCALS~1\Temp\sp.dll/sp.html as something to be fixed. None gave a specific indentification so it might be some kind of heuristic. Nothing else was detected.

Test 3

A relatively simple adware program called Adstatusservice. All you need to do is to stop the 04, and reset the home pages.

[1] Recommended R1-R0s to reset correctly. But failed to see that the critical auto 04 run key. Also had a false positive on a legimate O2 (BHO) placed by Microsoft money

[2] While unlike [1] it recognised the Microsoft Money BHO,but it failed to detect anything else. It idenitifed as a nasty a O16 activeX object placed by Real. While some human experts remove it routinely, strictly speaking this one isn't really a nasty .

[3] This one recommended you remove O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe . Correct!! But for some reason it doesn't tell you to reset the R1-R0s, which seems easiest to detect.
Correctly lists the 016 from Real (as well as other startups like Office link) as unnecessary because they take up system resrouces.

Test 4

Computer infected with VX2, plus a few other adbundled software.

Very nasty! I'm not going to pretend I know exactly how to fix this, but for sure to pass, the scanner has to detect dodgy 04s (autostarts), 01s (Hosts)
and 010s (Winsock LSP).

[1] Does very well. detects the proccesess runnign as nasties. Also picks up 2 fairly harmless and transparent adware .Also picks up The hosts modifications, autostarts and Winsock LSP. But I pity the newbies who tries to fix those manually though

[2] Completely failed. Sees nothing at all

[3] Picks up many of the same things as [1] Except there is some disagreement over Viewpoint Manager advertising program, which [1] calls safe, but [3] calls adware. [3] seems to be correct, though it's relatively benign adware. It fails to detect the modified Winsock though

Conclusion.

[2] seems worthless for detecting malware. [1] and [3] seems to be better at bring attention to you problems. [3] Seems more aggressive though.

 

I thought it might. Many forums seem to be shutting down their 'hijackthis analysis forums' and so there are fewer places to go. Plus, with this tool, you don't have to wait for an asap member to check it out for you.

Just out of interest, are any asap members using this tool?

Jimbob

 

Hi Bob, No not at all, it isn't doing anything good to the expert advice that is needed to clean certain malware.

there is a lot more to be a spyware expert then only knowing the names and googling for it...

As Merijn (one more time: a humble thanx btw) clearely stated that this service isn't trustworthy enough and way too automatic, we will never forward a member of the community to hijackthis.de

I do think they try to help and some of them are Expert at ASAP too but I (and a lot of others) hear too many stories bout not handling it right so....

and that is an answer for Ronin's Post as well cause I don't think you can "test" such servers the way you did...

that is soo not correct cause all his software setup is showing in the log and a true expert never guesses btw, like I said a lot more then guessing and names checking...

Off course Paul, no prbs

have a nice day



Inf

 

I understand that this program cannot purely be used by ASAP members, however i should imagine it is a usefull tool even for the proffessionals. As a kind of reference.

Jimbob