Wilders Security Forums  

  #1  
Old January 19th, 2005, 03:16 PM
zarzenz zarzenz is offline
Frequent Poster
 
Join Date: May 2002
Location: UK
Posts: 378
HijackThis Auto Analysis

I recently tried this HijackThis auto analysis site:

http://hijackthis.de/index.php?langselect=english

I was quite impressed with how easy and fast it checked and gave me a very good report with easy to understand results. I know that individual logs from members cannot be answered here now, so I was wondering if this auto analysis system is a good way to go. I realise that it may not have the ability to know all the answers but it seems pretty good as far as I can see.
  #2  
Old January 19th, 2005, 03:26 PM
ronjor ronjor is online now
Global Moderator
 
Join Date: Jul 2003
Location: Texas, USA
Posts: 40,696
Re: HijackThis Auto Analysis

zarzenz

Merijn answers your question in post seventeen of this thread.


http://www.wilderssecurity.com/showthread.php?t=62044
  #3  
Old January 19th, 2005, 03:30 PM
dog
 
Posts: n/a
Re: HijackThis

Hi Zarzenz,

We are aware of the automated service, and definitely do not recommend it for the average user. One must tread with great care with the results given, and thoroughly investigate the findings. Utilizing the free counselling provided by the member forums of ASAP is certainly the best course of action. The automated scanner doesn't have the benefit of a description of the problem, isn't as current / up to date, and also with the sheer number of different system configs (programs) ... it may identify legit entries as suspicious/unknowns.

  #4  
Old January 19th, 2005, 03:35 PM
zarzenz zarzenz is offline
Frequent Poster
 
Join Date: May 2002
Location: UK
Posts: 378
Re: HijackThis Auto Analysis

Thanks Ron,

Yes... very interesting. So the thing is to use it maybe as a first check, and then if anything seems not right, to then use either one's own knowledge if able, to check any suspects further or ask advice from the experts that are still able to do this at the various forums doing log checks.

It seems like a good place to start, and obviously we would have to allow for the odd nasty possibly not being picked up, but it does still seem worthwhile and may get better with time as it develops.
  #5  
Old January 19th, 2005, 03:37 PM
zarzenz zarzenz is offline
Frequent Poster
 
Join Date: May 2002
Location: UK
Posts: 378
Re: HijackThis Auto Analysis

Thanks dog,

I just saw your reply now after posting mine.

Yes... all understood and your comments are greatly appreciated also.
  #7  
Old January 19th, 2005, 07:42 PM
Paul Wilders Paul Wilders is offline
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,389
Re: HijackThis Auto Analysis

Spanner,

Please read the comment from Merijn - developer of this app in the first place - once more.

regards,

paul
  #9  
Old January 19th, 2005, 11:36 PM
overthebridge
 
Posts: n/a
Re: HijackThis Auto Analysis

Hi,

I tried out the auto hijackthis site and got one nasty that says "this entry should be fixed immediately" and was wondering if I could ask about this one entry here? Or should I go to another site? Thanks very much.
  #10  
Old January 20th, 2005, 03:51 AM
Paul Wilders Paul Wilders is offline
Administrator
 
Join Date: Jul 2001
Location: The Netherlands
Posts: 12,389
Re: HijackThis Auto Analysis

Spanner,

We disagree on one topic:

In our view this service should not be used for obvious reasons, except by those who do know exactly what they are dealing with. And those Spyware Experts mostly rely on their own range of apps. All others would merely be confused by - fairly often - flawed results and may wreak havoc on their system as a result.

For good guidance and help in matters like these, people are far better off having their issue handled by knowledgeable experts like for example over on castlecops.

overthebridge,

I presume I've answered your question now as well

regards,

paul
  #11  
Old January 20th, 2005, 05:09 AM
dog
 
Posts: n/a
Re: HijackThis Auto Analysis

Hi Spanner,

Quote:
Originally Posted by Spanner
I don't see where the disagreement is here ...

Just to make it clear. The difference is in the interpretation of the synopsis

Quote:
Originally Posted by Merijn
The automated log parser at hijackthis.de was created without my knowledge or consent, and though I don't think it's a bad idea in the first place, you shouldn't rely solely on the automatic parser since it's pretty flawed. I've only used it a couple of times on infected logs and it shows both false positives and false negatives. You can use it for guidance, but the results should be taken with a grain of salt. Generally I feel that the only parser bound to be perfect is your own mind, together with the lists of Startups from Pacman, and the list of CLSIDs from TonyKlein.

Merijn makes it pretty clear, without saying "I do not recommend it", that he does not.

Quote:
Originally Posted by Spanner
I think the folks over at - http://hijackthis.de/index.php?langselect=english - should be congratulated for setting up such a service in the first place !

Let's NOT forget it takes Time, Money and dedication to devote to such a project, and put up and maintain a Website and update the definitions etc etc for the benefit of others, And it's FREE 2 !

So maybe it ain't perfect yet? Then again not much is, but at least they are doing a first that no one else has done, aren't they. Also I imagine it will get better and better, and what a fabulous idea anyway.

So I say Well done on behalf of anyone and everyone who may need to make use of it, if only at this stage for some quick pointers.

The general synopsis of your post on the other hand does.

Hijack This is a great Tool in the right hands with a knowledgeable/proper analysis. But the use of HJT by those unversed, can be devastating, with or without the use of the automated log parser.

Steve


Bumping Paul's post for everyone else's benefit:


Quote:
Originally Posted by Paul Wilders

In our view this service should not be used for obvious reasons, except by those who do know exactly what they are dealing with. And those Spyware Experts mostly rely on their own range of apps. All others would merely be confused by - fairly often - flawed results and may wreak havoc on their system as a result.

For good guidance and help in matters like these, people are far better off having their issue handled by knowledgeable experts like for example over on castlecops.

regards,

paul
  #12  
Old January 20th, 2005, 06:13 AM
kareldjag kareldjag is offline
Frequent Poster
 
Join Date: Nov 2004
Location: Feet in France, Mind in the World
Posts: 346
Re: HijackThis Auto Analysis

Hi,

I've already had the same discussion on a French forum.
And I agree with the majority of us: it's not interesting to analyze a log with a robot and a database.

It's better for a newbie to post his log and to have help on a good forum.
It's surely better for his learning and knowledge.

Best Regards
__________________
Forensic mantra: "In the proof we trust".
Independent vision of Security.
  #13  
Old January 20th, 2005, 08:39 AM
dvk01 dvk01 is offline
Global Moderator
 
Join Date: Oct 2003
Location: Loughton, Essex. UK
Posts: 3,099
Re: HijackThis Auto Analysis

I will say this just the one LAST time

apart from the amount of false alerts on that site, just fixing things with HJT will NOT fix most problems

Any that are fixable that way would be fixed by running adaware or spybot or Microsoft antispyware or other similar program

The ones that are not fixed by the automatic fixing programs are the ones that need specialised help and an online analysis scanner will not do that
__________________
Derek
My website http://www.thespykiller.co.uk For help with spyware & hijacking
  #15  
Old January 20th, 2005, 01:17 PM
dvk01 dvk01 is offline
Global Moderator
 
Join Date: Oct 2003
Location: Loughton, Essex. UK
Posts: 3,099
Re: HijackThis Auto Analysis

Hi Spanner

They may have good intentions but unfortunately their good intentions make it much harder to actually cure the problems a user has

Many HJT cleaning sites will not help or be able to help fix a problem after a user has removed a lot of entries with one of the automatic analysers.

We look for certain pointers when trying to fix an infection/hijack and if some of the pointers are missing then we won't even look for the others because we assume they aren't there

It is much easier to cure a problem from the first rather than trying to correct what has already been done first

I really wish that there was an automatic analyser that worked as it would make my job a lot easier, but in almost every case when I've attempted to fix a problem after the user has "fixed" it following the advice of the analyser it has been much more difficult to do


As I said previously if it was a relatively simple fix that an automatic online analyser could tell you how to cure it, then running one of the anti-spyware removers would have most likely fixed it anyway
__________________
Derek
My website http://www.thespykiller.co.uk For help with spyware & hijacking
  #16  
Old January 20th, 2005, 01:19 PM
dvk01 dvk01 is offline
Global Moderator
 
Join Date: Oct 2003
Location: Loughton, Essex. UK
Posts: 3,099
Re: HijackThis Auto Analysis

Unfortunately too many people think that HJT should be used in every case and everything fixed with it

That is not what it's intended for and it's far better to attempt a clean up with the anti-spyware/ anti-trojan/ antivirus program first and if that doesn't cure the problem then turn to HJT and an expert
__________________
Derek
My website http://www.thespykiller.co.uk For help with spyware & hijacking
  #17  
Old January 23rd, 2005, 12:48 PM
zarzenz zarzenz is offline
Frequent Poster
 
Join Date: May 2002
Location: UK
Posts: 378
Re: HijackThis Auto Analysis

I didn't realise this was going to be such a controversial subject.

I do see the dangers in using auto analysis, and obviously agree that inexperienced users should seek expert advice before removing any suspect entries. However, I think it's a useful tool and does no harm to give it a try. And providing a backup is made then even if something good is removed, it shouldn't be too much of a problem to reinstate an entry if any particular difficulty should result from a false deletion. As long as the user feels happy doing this, which only they themselves will know, then it could prove to be a useful experience for them as they gain more expertise in these areas.

I would never have gained confidence in registry cleaning had I not played around with JV16's cleaner all those years ago. Sometimes you just have to get in there and try things out to gain the knowledge in the first place.

But yes... anyone with serious problems and without the skills to go through each section, bit by bit, of a HT log should really only have a look at the auto result, do nothing, and then seek the experts advice, and maybe compare the analysis later. That way, they will have a bit more confidence and knowledge as they learn how all this stuff works.

Thanks guys... I enjoyed reading the replies very much.
  #18  
Old January 23rd, 2005, 12:53 PM
gerardwil gerardwil is offline
Massive Poster
 
Join Date: Jan 2004
Location: The Netherlands
Posts: 4,014
Re: HijackThis Auto Analysis

I agree with you, you have to start somewhere if you come this far.
Though it might be helpful reading this before, during and after:

http://www.bleepingcomputer.com/foru...orial=42#RDiag

Cheers,

Gerard
  #19  
Old January 23rd, 2005, 01:06 PM
zarzenz zarzenz is offline
Frequent Poster
 
Join Date: May 2002
Location: UK
Posts: 378
Re: HijackThis Auto Analysis

Thanks Gerard,

That's a very good link there with an excellent description of the HT sections.
  #20  
Old February 3rd, 2005, 08:33 AM
jxkruzzn
 
Posts: n/a
Re: HijackThis Auto Analysis

I used that auto HJT on the advice of someone who probably should know better, it listed Wilders, Spywareinfo, spywarrior, as Nasty. Then spywareblaster, spywareguard, trojan hunter, spybot and a bunch of regular protection programs, it said they were bad, and all should be deleted as nasties? By the time it was through I might as well have deleted everything protecting my system!

If I didn't know I might have! It listed silly stuff, it just goes by the names, and if it sounds strange or spy like or spooky to the guy who wrote it, it says delete it!
It's not a help, it's causing more problems, they aren't helping anyone, they just want to be what? Computer Celebrities? or hope their automatic program will get lots of donations & get good reviews by C-net.

Anyone who knows much about protecting their computer would laugh - and then worry other people will use it. There is nothing high minded about confusing or misleading people who need your help!

Don't take my word, you got plenty of good advice, you should take it.
  #21  
Old February 3rd, 2005, 03:36 PM
gerardwil gerardwil is offline
Massive Poster
 
Join Date: Jan 2004
Location: The Netherlands
Posts: 4,014
Re: HijackThis Auto Analysis

I just did a scan and copied and pasted the log on that site. None of the issues you are talking about show up here. Only a few Question marks for unknown services which however are known by me.
Regards,

Gerard
  #22  
Old February 3rd, 2005, 03:38 PM
Jimbob1989 Jimbob1989 is offline
Banned
 
Join Date: Oct 2004
Posts: 2,529
Re: HijackThis Auto Analysis

Will this seriously affect ASAP?

Jimbob
  #23  
Old February 3rd, 2005, 05:30 PM
snowbound snowbound is offline
Retired Moderator
 
Join Date: Feb 2003
Location: The Big Smoke
Posts: 8,702
Re: HijackThis Auto Analysis

Quote:
Originally Posted by Jimbob1989
Will this seriously affect ASAP?

Jimbob

I very much doubt that.


snowbound
__________________
Mac OS X 10.6.2
  #24  
Old February 4th, 2005, 11:40 AM
Ronin
 
Posts: n/a
Re: HijackThis Auto Analysis

Quote:
If I didn't know I might have! It listed silly stuff, it just goes by the names, and if it sounds strange or spy like or spooky to the guy who wrote it, it says delete it!

Hmm, even if a human expert instead of a machine is reading the log, he is equally limited. All you got to work with is the name.

If the filename is exactly the same as that of a legitimate process name, the expert has to guess or at least check with the user to see if he has that software on his system.

In many cases (at least for system processes), where the file resides is a dead giveaway, trained human experts know how to see this, and if you notice, this HJT logchecker seems to have info about the default path of processes it recognises, and warns you that a process is not in its usual place so that helps a bit.

I agree though, I don't think automated logcheckers are for beginners. It can be used I think for people who don't experience any problems, but just want to check periodically they are fine. If the logcheckers don't pass them, then post the hjt log to a human expert. This might help reduce the load, even though you don't gain 100% assurance that you are totally safe.

Still I suspect these automated checkers are far better at detecting problems due to their large database of entries (with false positives of course), but you certainly shouldn't try to fix the problem.

I know of the following HJT log checkers. I've been playing with them, by running them using clean systems that are loaded with the normal security apps Wilders members run (namely my main home system) as well as with infected HJT logs from various malware removal forums.


1) http://hijackthis.de/
2) http://www.spywareguide.com/contribute/parser.php
3) http://www.help2go.com/modules.php?name=HJTDetective
4) http://www.x-raypc.com/

Test 1

On a clean computer; this one ran the normal popular antiviruses, anti-trojans, firewalls etc. It has one tricky entry:

O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll

An entry placed by Qwifix and Secureit. O18s are in many cases bad, so it will trip up a lot of people, much less automated checkers.


(1) Best of the bunch. Recognised almost all entries. Warned about non-default path. Called the above O18 a positive nasty. Stopped short of identifying it as one though.

(2) For recognising safe entries it picked up less than (1). No FPs, the O18 was listed as unknown. Possibly because it has only 3 categories, safe, unknown, unsafe. No "possible nasty" category.

(3) This one only lists problems. It identified the above O18 as CWS. Oops.

(4) 2nd best at recognising entries. No FPs. Same as (2) when it comes to handling O18.

Test 2

This log was infected with a CWS variant

Everyone except (2) picked up on R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Res://C:\DOCUME~1\censored\LOCALS~1\Temp\sp.dll/sp.html as something to be fixed. None gave a specific identification so it might be some kind of heuristic. Nothing else was detected.

Test 3

A relatively simple adware program called Adstatusservice. All you need to do is to stop the O4, and reset the home pages.

[1] Recommended R1-R0s to reset correctly. But failed to see the critical O4 auto-run key. Also had a false positive on a legitimate O2 (BHO) placed by Microsoft Money.

[2] While unlike [1] it recognised the Microsoft Money BHO, it failed to detect anything else. It identified as a nasty an O16 ActiveX object placed by Real. While some human experts remove it routinely, strictly speaking this one isn't really a nasty.

[3] This one recommended you remove O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe . Correct!! But for some reason it doesn't tell you to reset the R1-R0s, which seems easiest to detect.
Correctly lists the O16 from Real (as well as other startups like Office link) as unnecessary because they take up system resources.

Test 4

Computer infected with VX2, plus a few other adbundled software.

Very nasty! I'm not going to pretend I know exactly how to fix this, but for sure to pass, the scanner has to detect dodgy O4s (autostarts), O1s (Hosts)
and O10s (Winsock LSP).

[1] Does very well. Detects the processes running as nasties. Also picks up 2 fairly harmless and transparent adware. Also picks up the Hosts modifications, autostarts and Winsock LSP. But I pity the newbies who try to fix those manually though

[2] Completely failed. Sees nothing at all

[3] Picks up many of the same things as [1] Except there is some disagreement over Viewpoint Manager advertising program, which [1] calls safe, but [3] calls adware. [3] seems to be correct, though it's relatively benign adware. It fails to detect the modified Winsock though

Conclusion.

[2] seems worthless for detecting malware. [1] and [3] seem to be better at bringing your attention to problems. [3] seems more aggressive though.
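The "known entry, but not in its usual place" check Ronin describes, and the difference between "unknown" and "nasty" that separates the checkers, as an added example that is not Ronin's code nor any of the four analysers' logic. It assumes a one-row known-good table built from the O18 entry quoted in Test 1, a Temp-directory heuristic for R0/R1 entries that I made up to match the Test 2 line, and a constructed fourth log line (the same O18 CLSID loading a DLL outside System32) to exercise the path check:

```python
import re
from typing import List, NamedTuple, Optional

class Verdict(NamedTuple):
    section: str   # HijackThis section tag, e.g. "O18"
    status: str    # "safe", "non-default path", "suspicious" or "unknown"
    detail: str

# Known-good table (assumption: a single row, taken from Test 1 in the thread).
# The shell protocol handler with this CLSID is legitimate when it points at the
# System32 copy of mshtml.dll; the same CLSID loading a file elsewhere is what a
# checker should warn about rather than silently call safe.
KNOWN_O18 = {
    "{3050F406-98B5-11CF-BB82-00AA00BDCE0B}": r"c:\windows\system32\mshtml.dll",
}

O18_RE = re.compile(r"^O18 - Protocol: (\S+) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
R_RE = re.compile(r"^(R[01]) - (.+?) = (.+)$")
O4_RE = re.compile(r"^O4 - (\S+): \[(.+?)\] (.+)$")

def classify(line: str) -> Optional[Verdict]:
    """Classify one log line; returns None for sections this toy does not parse."""
    m = O18_RE.match(line)
    if m:
        proto, clsid, path = m.groups()
        expected = KNOWN_O18.get(clsid.upper())
        if expected is None:
            return Verdict("O18", "unknown", f"{proto} {clsid} not in table")
        if path.strip().lower() == expected:
            return Verdict("O18", "safe", f"{proto} handler at default path")
        return Verdict("O18", "non-default path", f"{proto} handler loads {path}")
    m = R_RE.match(line)
    if m:
        sec, key, value = m.groups()
        # Heuristic (my assumption, documented by none of the analysers): a start or
        # search page served via res:// out of a Temp directory is the shape of the
        # Test 2 entry that three of the four checkers flagged.
        if value.lower().startswith("res://") and "\\temp\\" in value.lower():
            return Verdict(sec, "suspicious", f"{key} -> {value}")
        return Verdict(sec, "unknown", f"{key} -> {value}")
    m = O4_RE.match(line)
    if m:
        hive, name, cmd = m.groups()
        # No startup whitelist here, so every O4 stays "unknown"; unknown is not "delete".
        return Verdict("O4", "unknown", f"{hive} [{name}] {cmd}")
    return None

def analyse(log: str) -> List[Verdict]:
    """Run classify() over a pasted log, dropping lines it does not handle."""
    return [v for v in (classify(l) for l in log.splitlines()) if v is not None]

# Constructed sample: three lines quoted in this thread plus one constructed
# variant of the O18 entry (second line) that points outside System32.
SAMPLE_LOG = "\n".join([
    r"O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll",
    r"O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\Temp\mshtml.dll",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Res://C:\DOCUME~1\censored\LOCALS~1\Temp\sp.dll/sp.html",
    r"O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe",
])
```

Running `analyse(SAMPLE_LOG)` yields safe, non-default path, suspicious and unknown for the four lines in order; the AdStatus O4 from Test 3 stays "unknown" because nothing in the table vouches for or against it, which is exactly the verdict a beginner should not read as "fix".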
  #25  
Old February 4th, 2005, 01:59 PM
Jimbob1989 Jimbob1989 is offline
Banned
 
Join Date: Oct 2004
Posts: 2,529
Re: HijackThis Auto Analysis

Quote:
Originally Posted by snowbound
I very much doubt that.


snowbound

I thought it might. Many forums seem to be shutting down their 'hijackthis analysis forums' and so there are fewer places to go. Plus, with this tool, you don't have to wait for an asap member to check it out for you.

Just out of interest, are any asap members using this tool?

Jimbob