HijackThis Auto Analysis

Discussion in 'privacy general' started by zarzenz, Jan 19, 2005.

Thread Status:
Not open for further replies.
  1. zarzenz

    zarzenz Registered Member

    Joined:
    May 19, 2002
    Posts:
    449
    Location:
    UK
    I recently tried this HijackThis auto analysis site:

    http://hijackthis.de/index.php?langselect=english

    I was quite impressed with how easy and fast it checked and gave me a very good report with easy to understand results. I know that individual logs from members cannot be answered here now, so I was wondering if this auto analysis system is a good way to go. I realise that it may not have the ability to know all the answers but it seems pretty good as far as I can see.
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
  3. dog

    dog Guest

    Re: HijackThis

    Hi Zarzenz, ;)

    We are aware of the automated service, and definitely do not recommend it for the average user. One must tread with great care with the results given, and thoroughly investigate the findings. Utilizing the free counselling provided by the member forums of ASAP is certainly the best course of action. The automated scanner doesn't have the benefit of a description of the problem, isn't as current / up to date, and also with the sheer number of different system configs (programs) ... it may identify legit entries as suspicious/unknowns.

    :ninja: *puppy* :ninja:
     
  4. zarzenz

    zarzenz Registered Member

    Joined:
    May 19, 2002
    Posts:
    449
    Location:
    UK
    Thanks Ron,

    Yes... very interesting. So the thing is to use it maybe as a first check, and then if anything seems not right, to then use either one's own knowledge if able, to check any suspects further or ask advice from the experts that are still able to do this at the various forums doing log checks.

    It seems like a good place to start, and obviously we would have to allow for the odd nasty possibly not being picked up, but it does still seem worthwhile and may get better with time as it develops.
     
  5. zarzenz

    zarzenz Registered Member

    Joined:
    May 19, 2002
    Posts:
    449
    Location:
    UK
    Thanks dog,

    I just saw your reply now after posting mine.

    Yes... all understood and your comments are greatly appreciated also.
     
  6. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Spanner,

    Please read the comment from Merijn - developer of this app in the first place - once more.

    regards,

    paul
     
  7. Hi,

    I tried out the auto hijackthis site and got one nasty that says "this entry should be fixed immediately" and was wondering if I could ask about this one entry here? Or should I go to another site? Thanks very much.
     
  8. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Spanner,

    We disagree on one topic:

    In our view this service should not be used for obvious reasons, except by those who do know exactly what they are dealing with. And those Spyware Experts mostly rely on their own range of apps. All others would merely be confused by - fairly often - flawed results and may wreak havoc on their system as a result.

    For good guidance and help in matters like these, people are far better off having their issue handled by knowledgeable experts like for example over on castlecops.

    overthebridge,

    I presume I've answered your question now as well ;)

    regards,

    paul
     
  9. dog

    dog Guest

    Hi Spanner, ;)

    Just to make it clear. The difference is in the interpretation of the synopsis :)

    Merijn makes it pretty clear, without saying "I do not recommend it", that he does not.

    The general synopsis of your post on the other hand does.

    Hijack This is a great Tool in the right hands with a knowledgeable/proper analysis. But the use of HJT by those unversed, can be devastating, with or without the use of the automated log parser.

    Steve


    Bumping Paul's post for everyone else's benefit:


     
  10. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    I've already had the same discussion on a French forum.
    And I agree with the majority of us: it's not interesting to analyze a log by a robot with a database.

    It's better for a newbie to post his log and to have help on a good forum.
    It's surely better for his learning and knowledge.

    Best Regards
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I will say this just the one LAST time

    apart from the amount of false alerts on that site, just fixing things with HJT will NOT fix most problems

    Any that are fixable that way would be fixed by running adaware or spybot or Microsoft antispyware or other similar program

    The ones that are not fixed by the automatic fixing programs are the ones that need specialised help and an online analysis scanner will not do that
     
  12. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Hi Spanner

    They may have good intentions but unfortunately their good intentions make it much harder to actually cure the problems a user has

    Many HJT cleaning sites will not help or be able to help fix a problem after a user has removed a lot of entries with one of the automatic analysers.

    We look for certain pointers when trying to fix an infection/hijack and if some of the pointers are missing then we won't even look for the others because we assume they aren't there

    It is much easier to cure a problem from the first rather than trying to correct what has already been done first

    I really wish that there was an automatic analyser that worked as it would make my job a lot easier, but in almost every case when I've attempted to fix a problem after the user has "fixed" it following the advice of the analyser it has been much more difficult to do


    As I said previously if it was a relatively simple fix that an automatic online analyser could tell you how to cure it, then running one of the anti-spyware removers would have most likely fixed it anyway
     
  13. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Unfortunately too many people think that HJT should be used in every case and everything fixed with it

    That is not what it's intended for and it's far better to attempt a clean up with the anti-spyware/ anti-trojan/ antivirus program first and if that doesn't cure the problem then turn to HJT and an expert
     
  14. zarzenz

    zarzenz Registered Member

    Joined:
    May 19, 2002
    Posts:
    449
    Location:
    UK
    I didn't realise this was going to be such a controversial subject.

    I do see the dangers in using auto analysis, and obviously agree that inexperienced users should seek expert advice before removing any suspect entries. However, I think it's a useful tool and does no harm to give it a try. And providing a backup is made then even if something good is removed, it shouldn't be too much of a problem to reinstate an entry if any particular difficulty should result from a false deletion. As long as the user feels happy doing this, which only they themselves will know, then it could prove to be a useful experience for them as they gain more expertise in these areas.

    I would never have gained confidence in registry cleaning had I not played around with JV16's cleaner all those years ago. Sometimes you just have to get in there and try things out to gain the knowledge in the first place.

    But yes... anyone with serious problems and without the skills to go through each section, bit by bit, of a HT log should really only have a look at the auto result, do nothing, and then seek the experts' advice, and maybe compare the analysis later. That way, they will have a bit more confidence and knowledge as they learn how all this stuff works.

    Thanks guys... I enjoyed reading the replies very much.
     
  15. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
  16. zarzenz

    zarzenz Registered Member

    Joined:
    May 19, 2002
    Posts:
    449
    Location:
    UK
    Thanks Gerard,

    That's a very good link there with an excellent description of the HT sections.
     
  17. jxkruzzn

    jxkruzzn Guest

    I used that auto HJT on the advice of someone who probably should know better, it listed Wilders, Spywareinfo, spywarrior, as Nasty. Then spywareblaster, spywareguard, trojan hunter, spybot and a bunch of regular protection programs, it said they were bad, and all should be deleted as nasties? By the time it was through I might as well have deleted everything protecting my system!

    If I didn't know I might have! It listed silly stuff, it just goes by the names, and if it sounds strange or spy like or spooky to the guy who wrote it, it says delete it!
    It's not a help, it's causing more problems, they aren't helping anyone, they just want to be what? Computer Celebrities? Or hope their automatic program will get lots of donations & get good reviews by C-net.

    Anyone who knows much about protecting their computer would laugh - and then worry other people will use it. There is nothing high minded about confusing or misleading people who need your help!

    Don't take my word, you got plenty of good advice, you should take it.
     
  18. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    I just did a scan and copied and pasted the log on that site. None of the issues you are talking about show up here. Only a few Question marks for unknown services which however are known by me.
    Regards,

    Gerard
     
  19. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    Will this seriously affect ASAP?

    Jimbob
     
  20. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    I very much doubt that.


    snowbound
     
  21. Ronin

    Ronin Guest

    Hmm, even if a human expert instead of a machine is reading the log, he is equally limited. All you got to work with is the name.

    If the filename is exactly the same as that of a legitimate process name, the expert has to guess or at least check with the user to see if he has that software on his system.

    In many cases (at least for system processes), where the file resides is a dead giveaway, trained human experts know how to see this, and if you notice, this HJT logchecker seems to have info about the default path of processes it recognises, and warns you that a process is not in its usual place so that helps a bit.

    I agree though, I don't think automated logcheckers are for beginners. It can be used I think for people who don't experience any problems, but just want to check periodically they are fine. If the logcheckers don't pass them, then post the hjt log to a human expert. This might help reduce the load, even though you don't gain 100% assurance that you are totally safe.

    Still I suspect these automated checkers are far better at detecting problems due to their large database of entries (with false positives of course), but you certainly shouldn't try to fix the problem.

    I know of the following HJT log checkers. I've been playing with them, by running them using clean systems that are loaded with the normal security apps Wilders members run (namely my main home system) as well as with infected HJT logs from various malware removal forums.


    1) http://hijackthis.de/
    2) http://www.spywareguide.com/contribute/parser.php
    3) http://www.help2go.com/modules.php?name=HJTDetective
    4) http://www.x-raypc.com/

    Test 1

    On clean computer, this one ran the normal popular antiviruses, antitrojans firewalls etc. It has one tricky entry

    O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll

    An entry placed by Qwifix and Secureit. O18s are in many cases bad, so it will trip up a lot of people, much less automated checkers.


    (1) Best of the bunch. Recognised almost all entries. Warned about non-default path. Called the above O18 as a positive nasty. Stopped short at identifying it as one though.

    (2) For recognising safe entries it picked up less than (1). No FPs, the O18 was listed as unknown. Possibly because it has only 3 categories, safe, unknown, unsafe. No "possible nasty" category.

    (3) This one only lists problems. It identified the above O18 as CWS. Oops.

    (4) 2nd best at recognising entries. No FPs. Same as (2) when it comes to handling O18.

    Test 2

    This log was infected with a CWS variant

    Everyone except (2) picked up on R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Res://C:\DOCUME~1\censored\LOCALS~1\Temp\sp.dll/sp.html as something to be fixed. None gave a specific identification so it might be some kind of heuristic. Nothing else was detected.

    Test 3

    A relatively simple adware program called Adstatusservice. All you need to do is to stop the O4, and reset the home pages.

    [1] Recommended R1-R0s to reset correctly. But failed to see the critical auto O4 run key. Also had a false positive on a legitimate O2 (BHO) placed by Microsoft Money

    [2] While unlike [1] it recognised the Microsoft Money BHO, it failed to detect anything else. It identified as a nasty an O16 ActiveX object placed by Real. While some human experts remove it routinely, strictly speaking this one isn't really a nasty.

    [3] This one recommended you remove O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe. Correct!! But for some reason it doesn't tell you to reset the R1-R0s, which seems easiest to detect.
    Correctly lists the O16 from Real (as well as other startups like Office link) as unnecessary because they take up system resources.

    Test 4

    Computer infected with VX2, plus a few other adbundled software.

    Very nasty! I'm not going to pretend I know exactly how to fix this, but for sure to pass, the scanner has to detect dodgy O4s (autostarts), O1s (Hosts)
    and O10s (Winsock LSP).

    [1] Does very well. Detects the processes running as nasties. Also picks up 2 fairly harmless and transparent adware. Also picks up the hosts modifications, autostarts and Winsock LSP. But I pity the newbies who try to fix those manually though :(

    [2] Completely failed. Sees nothing at all

    [3] Picks up many of the same things as [1] Except there is some disagreement over Viewpoint Manager advertising program, which [1] calls safe, but [3] calls adware. [3] seems to be correct, though it's relatively benign adware. It fails to detect the modified Winsock though

    Conclusion.

    [2] seems worthless for detecting malware. [1] and [3] seem to be better at bringing attention to your problems. [3] seems more aggressive though.
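Ronin's tests above turn on three things a log checker can reason about: whether an entry is on an allow list, whether a known file sits in its usual location (the "non-default path" warning), and crude heuristics such as a browser search setting pointing into a temp folder (the CWS-style R1). The Python below is an added example, not code from the thread or from any of the four sites, that triages HijackThis-style log lines the same way. The log is a constructed sample built from the O18, R1 and O4 lines quoted in the post plus two made-up variants; the allow list, the single "known adware" file name and the temp-directory rule are assumptions made for the example, not the rules of any real checker.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log for this example. The first O18, the R1 and the first O4
# are the lines quoted in the thread; the second O18 (same CLSID, file moved to a
# temp folder) and the last O4 are made up here.
SAMPLE_LOG = r"""Logfile of HijackThis (constructed sample for this example)
O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\DOCUME~1\user\LOCALS~1\Temp\mshtml.dll
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Res://C:\DOCUME~1\censored\LOCALS~1\Temp\sp.dll/sp.html
O4 - HKLM\..\Run: [AdStatus Service] C:\Program Files\AdStatus Service\AdStatServ.exe
O4 - HKLM\..\Run: [SomeUtility] C:\Program Files\SomeUtility\util.exe
"""

ENTRY_RE = re.compile(r"^([RO]\d+)\s*-\s*(.*?)\s*$")          # "O18 - ..." / "R1 - ..."
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
BRACKET_RE = re.compile(r"\[([^\]]+)\]")                       # [Run key name]
PATH_RE = re.compile(r"([A-Za-z]:\\.*)$")                      # first drive-letter path to end of line
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Assumed allow list: (section, identifier) -> expected lower-case path.
# The shell protocol entry is the "tricky" legitimate O18 from the thread.
KNOWN_GOOD = {
    ("O18", "{3050F406-98B5-11CF-BB82-00AA00BDCE0B}"): r"c:\windows\system32\mshtml.dll",
}
# Assumed deny list by file name; AdStatServ.exe is the adware autostart from Test 3.
KNOWN_BAD_FILES = {"adstatserv.exe"}


@dataclass
class Entry:
    section: str            # HJT section code such as O4, O18, R1
    body: str               # everything after "Oxx - "
    raw: str                # the original line
    ident: Optional[str]    # CLSID or bracketed run-key name, if any
    path: Optional[str]     # normalised (lower-case) file path, if any


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an HJT-style line, or None for header/blank lines."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    guid = GUID_RE.search(body)
    name = BRACKET_RE.search(body)
    path = PATH_RE.search(body)
    ident = guid.group(0).upper() if guid else (name.group(1) if name else None)
    norm_path = path.group(1).rstrip(" .").lower() if path else None
    return Entry(section, body, line, ident, norm_path)


def classify(e: Entry) -> Tuple[str, str]:
    """Rule-based verdict: fix / check / safe / unknown, plus the reason."""
    basename = e.path.rsplit("\\", 1)[-1] if e.path else ""
    # Heuristic: start/search-page settings pointing into a temp folder.
    if e.section in ("R0", "R1") and e.path and TEMP_RE.search(e.path):
        return "fix", "browser setting points into a temp directory"
    if basename in KNOWN_BAD_FILES:
        return "fix", "file name matches a known adware autostart"
    expected = KNOWN_GOOD.get((e.section, e.ident))
    if expected is not None:
        if e.path == expected:
            return "safe", "known entry in its default location"
        # Same CLSID/name as a known-good entry, but the file is somewhere else.
        return "check", "known entry but outside its default location"
    # Name-only matching has run out; this is where a human reviewer is needed.
    return "unknown", "not on the allow list; leave it and post the log for review"


def analyze(text: str) -> List[Tuple[str, str, str]]:
    """Parse a whole log and return (raw line, verdict, reason) per entry."""
    results = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is not None:
            verdict, reason = classify(e)
            results.append((e.raw, verdict, reason))
    return results


def verdicts(text: str) -> List[str]:
    return [v for _, v, _ in analyze(text)]


if __name__ == "__main__":
    for raw, verdict, reason in analyze(SAMPLE_LOG):
        print(f"{verdict:8} {reason:55} {raw[:70]}")
```

Running it on the sample yields safe, check, fix, fix, unknown in that order. The "check" verdict on the second O18 is the non-default-path warning Ronin describes, and the "unknown" on the last O4 is the honest answer a checker should give for anything it cannot match; the thread's point is that an unknown is a reason to ask for review, not something to remove.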
     
  22. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    I thought it might. Many forums seem to be shutting down their 'hijackthis analysis forums' and so there are fewer places to go. Plus, with this tool, you don't have to wait for an asap member to check it out for you.

    Just out of interest, are any asap members using this tool?

    Jimbob
     
  23. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Let me put the attention to Derek's reply #15 right above once more. Since he's a well-known and established expert in this context, I do advise all to take his message seriously.

    regards,

    paul
     
  24. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    Hi Bob, No not at all, it isn't doing anything good to the expert advice that is needed to clean certain malware.

    there is a lot more to being a spyware expert than only knowing the names and googling for it... ;)

    As Merijn (one more time: a humble thanx btw) clearly stated that this service isn't trustworthy enough and way too automatic, we will never forward a member of the community to hijackthis.de

    I do think they try to help and some of them are Expert at ASAP too but I (and a lot of others) hear too many stories about not handling it right so....

    and that is an answer for Ronin's Post as well cause I don't think you can "test" such servers the way you did...

    that is so not correct cause all his software setup is showing in the log and a true expert never guesses btw, like I said a lot more than guessing and names checking...

    Of course Paul, no prbs :)

    have a nice day



    Inf
     
  25. Jimbob1989

    Jimbob1989 Registered Member

    Joined:
    Oct 18, 2004
    Posts:
    2,529
    I understand that this program cannot purely be used by ASAP members, however I should imagine it is a useful tool even for the professionals. As a kind of reference.

    Jimbob
     