Hi friends!
I need a good online hijackthis log analyzer.
What can you suggest to me?
http://hijackthis.de/
But double-check everything on google before you do anything drastic.
Hallo avatar2005,
Tools like FreeFixer, and the one that validates online, like X-RayPC, have all come along in the slipstream of HijackThis, and I consider them programs able to work better cleansing routines.
There are online sources to evaluate the outcome of FreeFixer, or rather its reports, and they have a very interesting forum to discuss the findings of FreeFixer. You also have to note that FreeFixer is still in beta. But I have installed it, and it seems a valuable addition in finding things that should not be on a malware-free computer. It is nice that you can work the logs of X-RayPC to cleanse in a similar way as you handle the HJT logs. These aren’t programs for the meek, and certainly not to be used without the help of an expert.
You can search the file database here: http://www.kephyr.com/filedb/
polonus
Hi:
As far as I am concerned, they do NOT exist; much more trustworthy is the EXPERIENCE of 2 Malware Experts and what they shared at www.landzdown.com/index.php?topic=438.0
Hi Spiritsongs,
We have experts here as well. I know essexboy has the same qualifications as the people you advertise for. And then we have noadfear among the members of our webforum, developer of many special cleansing tools himself… Why should avatar2005 not learn to work these specific tools himself as well? He can go to sites and analyse particular cleansing routines at majorgeeks, analyse cleansing routines we have solved here, etc. He can ask essexboy how he did it, and essexboy will be only too glad to instruct him how it is done.
I cannot see why the folks at landzdown should have the exclusivity, while we have competent people here as well, and like essexboy got the training, why avatar2005 couldn’t is beyond me.
I’d like to say to avatar2005: “Naboj!”,
Also consider this nice program Brute Force Uninstaller: http://metallica.geekstogo.com/BFUinstructions.html
polonus
There really is nothing wrong with using an on-line analyser, provided you don’t take what it says as gospel and check those that are indicated as nasty, potentially nasty and unknown. Use google on the file names to see if that confirms the analysis.
Also at hijackthis.de you can even upload the suspect file for scanning, not to mention that the suspect files can be uploaded to virustotal and/or jotti for scanning.
With the best will in the world, not everyone who needs to use HJT can, as you keep saying, go to landzdown.com; they couldn’t possibly cope with the load. So using an on-line analysis tool as outlined above will break the back of the task, and any further questions, etc. can be asked here, ‘avast users helping avast users.’
Hi DavidR,
I fully agree here with you. We like to share our expertise amongst ourselves, and help our fellow forum members as best as we can. This is a good information database to evaluate the hijackthis logs:
http://www.short-media.com/forum/showthread.php?t=35982
You can view and search the database here:
http://spywareshooter.com/search/search.php
Or the quick URL:
http://spywareshooter.com/entrylist.html
polonus
You must have missed Spyros’ post. It’s just a couple above yours.
Use it as part of a learning process and it will show you much. Temper it with good sense and it will help you out of some difficulties and save you a little time.
Or do you mean to imply that the experts never, ever have occasion to double check themselves?
Hi mauserme,
Especially when the malware does not seem to come out of the book, it is an evolving process. Also hijackthis is an ever changing tool, and anyway it had better stay that way. You have various online databases for executables, processes, dll’s etc. etc. to check and re-check. What I like especially, and what always renders the best results, is co-operation in a cleansing procedure. You would not believe how much I learned from simply being into it. The so-called experts had to go through the very same routines, and that they can almost “sniff out” the baddies only comes with time and experience. You must be very accurate, and keep to the prescribed routines.
polonus
Quote: Or do you mean to imply that the experts never, ever have occasion to double check themselves?
No I never double check, triple or quadruple yes, but never double ;D
But as the links say, many types of malware now have protection routines built in along with morphing dll/exe files. All the tools out there are only as good as the mind wielding them, which is where the analysis tools like silent runners, DSS and Winpfind come in.
After some searching & looking at the provided links I’m wondering why HiJackThis shows PC Tools Firewall Plus service as “Possible nasty”???
Was it an unknown process? It is kind of new so if that’s all it said don’t read too much into it.
If there’s more to it than simply an unknown process post what it did say about it.
Quote: After some searching & looking at the provided links I’m wondering why HiJackThis shows PC Tools Firewall Plus service as “Possible nasty”
Because it is possible that you are running it from a different location, hence the reference to where it might normally be installed. It is also saying ‘do you know this process’; if so, and you installed it, then there is less likelihood of it being nasty. That is what we mean by checking and not taking everything as gospel; they do advise scanning with an AV if you are suspicious, etc.
There is also a means of adding user input to state that it is a safe program, etc.
Strange that HiJackThis does not ‘discover’ the path through the Registry instead of only the ‘default’ location: this way you do not have the freedom to install an application in any other path than the default one… am I wrong?
HijackThis does show the actual path. But if the installation path is not the default, or at least not something the online analyzer expects, it gets reported as possibly nasty or unknown or whatever. That’s one reason human input is so important.
It makes more sense if you think of it in terms of something like lsass.exe. If the path is c:\windows\system32 it’s normally ok and the analyzer will report it as such. If it’s c:\program files\temp it’s reported as possibly nasty because lsass.exe is a name known to be used by malware and it’s not the right path for the lsass.exe that’s known to be good. Doesn’t mean it’s absolutely bad, but it needs closer scrutiny.
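The path heuristic mauserme describes (a well-known process name in its expected directory is ok, the same name somewhere else is “possibly nasty”, a name the analyzer has never seen is “unknown”), together with DavidR’s point that the user can mark a program as safe, written out as a small checker. This is an added example, not code from HijackThis or from any of the online analyzers; the known-good table, the sample log lines and the regexes are constructed for the example and only loosely follow the look of a HJT log.

```python
import ntpath
import re

# Tiny illustrative table: well-known Windows executables and the directory
# each is expected to live in. Real analyzers use large databases; this table
# is constructed for the example only (lower-case, backslash paths).
KNOWN_GOOD_LOCATIONS = {
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32"},
    "smss.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Path inside an O4 (autorun) style line, e.g.
#   O4 - HKLM\..\Run: [name] "C:\path\to\prog.exe" /args      (constructed)
O4_RE = re.compile(
    r'^O4 - .*?: \[[^\]]*\]\s*"?([A-Za-z]:\\[^"]*?\.exe)"?', re.IGNORECASE
)
# A bare full path, as listed under "Running processes:"
BARE_PATH_RE = re.compile(r"^[A-Za-z]:\\.*\.exe$", re.IGNORECASE)


def extract_exe_path(line):
    """Return the executable path a log line refers to, or None."""
    line = line.strip()
    m = O4_RE.match(line)
    if m:
        return m.group(1)
    if BARE_PATH_RE.match(line):
        return line
    return None


def classify(exe_path, trusted=()):
    """Classify one executable by name and location.

    trusted: paths the user has explicitly marked as safe (the "user input"
    DavidR mentions); these win over the heuristic.
    """
    norm = ntpath.normcase(exe_path)          # lower-case, '\' separators
    if norm in {ntpath.normcase(p) for p in trusted}:
        return "ok (user trusted)"
    directory, name = ntpath.split(norm)
    expected = KNOWN_GOOD_LOCATIONS.get(name)
    if expected is None:
        # Never seen this name: neither good nor bad, a human must look.
        return "unknown"
    if directory in expected:
        return "ok"
    # Known system name in a directory it should not be in: needs scrutiny.
    return "possibly nasty"


def analyze_log(lines, trusted=()):
    """Run the heuristic over every line that names an executable."""
    results = []
    for line in lines:
        path = extract_exe_path(line)
        if path is not None:
            results.append((path, classify(path, trusted)))
    return results


# Constructed sample log lines, modelled on the shape of a HJT log.
SAMPLE_LOG = [
    "Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\lsass.exe",
    r"C:\Program Files\temp\lsass.exe",
    r'O4 - HKLM\..\Run: [MyTool] "C:\Program Files\MyTool\mytool.exe" /quiet',
    r"O4 - HKLM\..\Run: [svchost] C:\Documents and Settings\user\svchost.exe",
]

if __name__ == "__main__":
    for path, verdict in analyze_log(SAMPLE_LOG):
        print(f"{verdict:16} {path}")
```

The two lsass.exe lines are the case from the post: same name, different verdict purely because of the directory. The “unknown” verdict for mytool.exe is the one that most needs a human (or a google search of the file name, as the thread advises), since the table simply has no opinion about it.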
The default will be only in English… the default could be changed… the online analyzer should be improved…
This should be done by the antivirus signatures… I suppose.
Ok, I’m not bashing HJT, just thinking loudly about its behavior…
I don’t know what languages it can handle other than English. I was involved with a log recently where the paths had both English and Spanish and I think the combination threw things off a bit.
The online scanners for sure. I mean, if it’s on the computer already the resident scanner may not help.
Also some of the specialized tools like FindAwf that provide more information while doing nothing destructive. Google, and sometimes other threads where a similar entry has been analyzed, also come into play. Sometimes it’s not only the location but also how it loads. It’s uncommon to be able to make a decision based upon a single line in a hjt log. Not with the really nasty stuff, anyway.
Sites to check out:
HijackThis log analysis :
http://www.hijackthis.de/ (this one is the best IMHO)
http://www.prevx.com/hijackthis.asp
HijackThis tutorials and help :
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php
http://www.spywareinfo.com/~merijn/htlogtutorial.php
http://www.castlecops.com/HijackThis.html
http://www.malwarehelp.org/understanding-and-interpreting-hjt1.html
http://netsecurity.about.com/od/popupsandspyware/a/aahijackthis.htm
http://forums.majorgeeks.com/showthread.php?t=38752
I’m sure there are plenty more helpful websites out there, but these should be enough I believe.
Browse safely!
Hard Rocker
Hi Hard_ROCKER,
Also check this site for info on processes: http://www.justtext.com/menu-program-list/program-tasks.html
or for instance for info on SisPower.dll:
http://www.file.net/process/sispower.dll.html
or here:
http://www.fbmsoftware.com/spyware-net/SearchComponentResults.aspx?af=2&searchtype=1
or
http://www.spywaredata.com/spyware/malware/rmma.exe.php
polonus
Thank you guys for the help, & especially Polonus: thank you for the help 8)