Farbar (frst), OTL, HijackThis log analyzing

I am working on a “multiple log file analyzer” at the moment.

I’m trying to make it work with:

  • Farbar logs (FRST.txt and addition.txt)
  • HijackThis logs (hijackthis.log)
  • OTL logs
  • Other log files?

I have the analyzing part for FRST.txt (kinda?) working.
Of course the database is still very small, but it will grow :slight_smile:

Things that I want / am thinking of adding (in random order):

  • Detection for things in addition.txt (Farbar)
  • Completely rewritten HijackThis log analyzing part
  • OTL log file analyzing
  • Admin console
  • Settings file to customize some things

A sneak(y) preview can be found at:
http://www.ache.nl/cgi-bin/download.pl?file=Ala

To use it:
Place FRST.txt in the same folder where you installed the analyzer and run ALA.exe.

If you run it and get to see “You are using a old version of Farbar.”,
just change the end of the first line in FRST.txt to “11-03-2015”

Have I done something wrong, Eddy?

Yes, the log file needs to be named FRST.txt.

:slight_smile: Fixed and now running.

Where does it save the fixlist?

In the same folder as the tool is installed.
Or at least it should do so ;D

Hmm, it did not appear there, I will do a search :slight_smile:

Interesting, thanks for sharing Eddy.

Note: I got the following Avast warning. (See Screenshot)

It is a false positive that I have reported to avast about 3 weeks ago already.
They still haven’t fixed it :cry:

It might help to PM Milos.

Project update:

1]
Added analyzing for addition.txt

2]
Made a (small) start on the analyzing part for HijackThis log files.

  • Added checking for things in addition.txt
  • Added detection for Poweliks! in addition.txt
  • Added detection for items in the Farbar logfile
  • Fixed a bug where Addition.txt wasn’t scanned.

http://www.ache.nl/cgi-bin/download.pl?file=Ala-B10

NOTE:
The tool is still under development and is released for testing purposes only.

Avast still doesn't like it, Eddy… Nor does Windows smart filter :slight_smile:

Only avast detects it.
Reported it through the contact form.
Reported it multiple times by submitting through the UI.
Still not fixed by avast :cry:

https://www.virustotal.com/en/file/2f807a9aded209ed5c04061b0a582f813d5bedf2516634d02a292703eca604b9/analysis/1427392091/
http://www.virscan.org/scan/b3a9b0fb57560700c31202e71dba10fd

A little information about the current development status (HijackThis part):

  • Routine for checking which Hijackthis version is used is ready.
  • Routine for checking what OS/SP is used is ready.

These are ready but not implemented yet.

As said, best you drop Milos a line.
http://sitecheck.sucuri.net/results/downloads.ache.nl/ala-b10-20150327.exe
http://zulu.zscaler.com/submission/show/b9a720aeeed53f58fa33d78c43fee7ff-1427430583

PS: Seems your Apache server needs an update. :wink:

I was already informed by my host that they are installing PHP 5.4 next month.
It is supposed to have all things needed to smoothly update to the upcoming PHP 7 version.

Dropped a line to Milos.
Could take a while till it is fixed.
I dropped a heavy anchor chain on him to make sure he noticed the line ;D

Reply from avast about the false positive:

The problem is, what we detect is this string: "AUTOIT3EXECUTESCRIPT C:\\GOOGLE\\GOOGLEUPDATE". That is in all the infected lnk files, but unfortunately in your .dat file as well. I suppose you are changing the file quite often, so whitelisting (which is hash-based) would not help much, right? (I whitelisted it now anyway.) I will try to change the detection so it does not flag your file...
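The avast reply above describes two mechanisms: a content (string) signature that also matches the analyzer's own .dat database, and a hash-based whitelist that stops matching as soon as the database changes. The following is an added illustration of that interaction, not code from avast or from the analyzer; the sample files, the LNK magic check and the "narrowed" signature are constructed assumptions for the demo.

```python
import hashlib

# Signature string quoted in the avast reply; all surrounding file content below is constructed.
SIGNATURE = b"AUTOIT3EXECUTESCRIPT C:\\GOOGLE\\GOOGLEUPDATE"
# Assumed: a Windows shortcut (.lnk) file starts with this header size field.
LNK_MAGIC = b"\x4c\x00\x00\x00"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def string_signature_hit(data: bytes) -> bool:
    """Broad signature: fires on any file that contains the string, whatever its type."""
    return SIGNATURE in data

def narrowed_signature_hit(data: bytes) -> bool:
    """Constructed refinement: require shortcut-file context as well as the string."""
    return data.startswith(LNK_MAGIC) and SIGNATURE in data

def verdict(data: bytes, allowlist: set, signature=string_signature_hit) -> str:
    """Hash allowlist wins first; otherwise the content signature decides."""
    if sha256_hex(data) in allowlist:
        return "clean (allowlisted hash)"
    return "detected" if signature(data) else "clean"

# Constructed samples: an infected shortcut, and two builds of the analyzer's database.
MALICIOUS_LNK = LNK_MAGIC + b"\x00" * 16 + b"cmd.exe /c " + SIGNATURE + b" \x00"
DATABASE_V1 = b"# analyzer detection database\n" + SIGNATURE + b"\n"
DATABASE_V2 = DATABASE_V1 + b"# new rule added in the next build\n"

def whitelist_demo() -> dict:
    allow = set()
    out = {"db_v1_before": verdict(DATABASE_V1, allow)}   # false positive
    allow.add(sha256_hex(DATABASE_V1))                      # vendor whitelists this build
    out["db_v1_after"] = verdict(DATABASE_V1, allow)       # now clean
    out["db_v2"] = verdict(DATABASE_V2, allow)             # hash changed: flagged again
    out["lnk"] = verdict(MALICIOUS_LNK, allow)             # real sample still caught
    return out

def narrowed_demo() -> dict:
    # With the signature tied to file context, no allowlist entry is needed at all.
    return {
        "db_v2": verdict(DATABASE_V2, set(), narrowed_signature_hit),
        "lnk": verdict(MALICIOUS_LNK, set(), narrowed_signature_hit),
    }

if __name__ == "__main__":
    print(whitelist_demo())
    print(narrowed_demo())
```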

New test version is now online:
Added detection for items in the Farbar log
Added detection for things in addition.txt
Added the first (small) things to support checking the Hijackthis log
Added colors

http://www.ache.nl/cgi-bin/download.pl?file=MFLA

I could use some HJT logs from people who are running Windows 7, 8.1 and the preview of version 10.
All updates must be installed, not only for Windows but also for IE and such.

Windows 10 build 10049
Using Spartan as my browser

Thank you essexboy,
I see your system is really badly infected with the Essexboy virus ;D

I was asking for HijackThis logs :wink: