CastleCops, Internet Crime Fighters
HijackThis Log file analysis

stubbs100

Prevx Host


Joined: Nov 21, 2004
Posts: 198
Location: UK

Posted: Wed May 24, 2006 10:21 am    Post subject: HijackThis Log file analysis

Hi All,

If you use HijackThis log files to help analyze your system for issues then you might be interested in a new feature we have implemented on the website.

Our free to use HijackThis log file analyzer can be used to paste the log file output directly into the webpage to allow a scan of the content against the malware details we hold in the community database. Go to http://www.prevx.com/hijackthis.asp to access the routine and just simply cut and paste the entire log file into the web page.

The results of the analysis against the community database will be displayed for you with details of the malware found in the log file.

The analysis of the HijackThis log file may not find anything malicious on your system, but it doesn’t mean you are not infected. These tools scan specific areas of the system and may not always find hidden malware. We would always recommend installing Prevx1 (free of charge) to ensure you are free of infection.

We would as always welcome your feedback.

Regards,

Prevx Support

horseman

Lieutenant, Premium Member

Joined: Apr 15, 2003
Posts: 230

Posted: Thu May 25, 2006 11:34 pm    Post subject: Re: HijackThis Log file analysis

stubbs100 wrote:
Hi All,

If you use HijackThis log files to help analyze your system for issues then .......

We would as always welcome your feedback.

Regards,

Prevx Support


Nice one! - Potentially useful analyser - thanks!... But (and there always is one... or two in this case <g>).

1. I would suggest it's a lot more useful actually listing any found malware AGAINST the original HJT source line?
That way we can all check the results and more easily identify any suspect false+'s!
(Of course the uncharitable cynic in me would point out that you deliberately omitted the source stanza in order to leverage the employment/purchase of a PrevX1 version anyway? Shrewd move! <vbg>)

2. For extra "atta-boy" awards you could consider listing and calling HJT directly from the Px console (you can gracefully handle the error if the executable is not already in the user's local Paws database anyway, &/or subsequently invoke the link to
http://www.prevx.com/hijackthis.asp).


Oh, nearly forgot, the suspect HJT false+'s:

Only two so far on my limited test suite - so you might like to check out:

(i) Covert.Sys.Exec

Eg HJT stanza: "C:\WINDOWS\system32\ctfmon.exe"

File size: 15360 bytes
MD5: 24232996a38c0b0cf151c2140ae29fc8
SHA1: b36d03b56a30187ffc6257459d632a4faac48af2
PX5: 5cafeb7d00e5509f3c0d00f14b5a5100a007d8ef
PXC: 5caf61101

http://virusinfo.prevx.com/pxparall.asp?returnpage=default&PXC=5caf61101

(ii) Rogue.AS.Checkflow

Eg HJT stanza: "O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll"
Version: 6.0.2900.2877 Created: 12 August 2004, 19:27:06
File size: 1492480 bytes
MD5: fa59f72d3aca6000e5c796b87610982b
SHA1: 953b0ac3b6e359bbd5d67d75b9b72d1eabcfab39


The latter dll is a little more problematic due to difficulty in identifying on Community Db as it is obviously not listed in Px console and no other version/time stamps are shown. Both items fwiw pass negative on all other tests (including the PX scan!) I can find. So it appears to be either a false+ from HJT or (worse) a false- from Px scan?

NB: Not having a facility to easily generate a PX5/PXC ident on any file is somewhat of a hindrance. No doubt the algorithm's proprietary, but does that still preclude making a standalone utility or at least an option within Px console available?
The other option would be to retain an MD5 hash within the database and allow a search on that, but I suspect that this is no longer feasible due to the size of the db? No doubt the need to retain file path info complicates matters further, but is an MD5 <> PX5 <> PXC conversion utility still not feasible by, say, appending path info to an MD5 hash and recalculating a PX5/PXC transform? Or am I totally wet? (I'll get my towel out just in case <g>)


Have a fun day...


_________________
Regards Tony

Draco Dormiens Nunquam Titillandus
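The two posts above describe the same workflow from both sides: paste HijackThis stanzas in, get a verdict per file out, and (horseman's point 1) show each verdict against the source line so a reader can spot a false positive such as a clean ctfmon.exe being tagged. The Python script below is an added, offline illustration of that workflow; it is not Prevx's analyzer and not code from either poster. It parses the O4/O9-style stanzas quoted in the thread, hashes the file each stanza names, looks the SHA1 up in a local hash-keyed database, and prints the verdict under the original stanza. Everything in demo() is constructed: the files are stand-ins written to a temp directory, the database entries are computed from those stand-ins at run time, and the resolve() helper (which maps a Windows path from the log to a local file) is an assumption for running on a non-Windows box, not something HijackThis or Prevx provides.

```python
"""Offline HijackThis-log triage: match each stanza's file by hash, report it under the source line."""
import hashlib
import os
import re
import tempfile

# The last Windows-style path on a stanza, e.g. the tail of
# "O9 - Extra button: Real.com - {CD67F990-...} - C:\WINDOWS\system32\Shdocvw.dll".
# Non-greedy so paths containing spaces ("C:\Documents and Settings\...") still match.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]+?\.(?:exe|dll|sys|ocx|scr|cpl))\b', re.IGNORECASE)


def extract_path(line):
    """Return the file path a HijackThis stanza refers to, or None if it names no file."""
    hits = PATH_RE.findall(line)
    return hits[-1] if hits else None


def file_hashes(path):
    """MD5 and SHA1 hex digests of a file, read in 64 KiB chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def analyze(log_text, db, resolve=lambda p: p):
    """
    For every stanza that names a file, look the file's SHA1 up in db
    (sha1 -> (verdict, label)) and return tuples of
    (source_line, path, verdict, label, md5, sha1).
    Verdicts are keyed on content, not on file name, so a clean ctfmon.exe is not
    flagged merely because malware has borrowed that name.  resolve() maps the
    path written in the log to where the file can actually be read.
    """
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        path = extract_path(line)
        if path is None:
            continue
        local = resolve(path)
        if not os.path.isfile(local):
            findings.append((line, path, 'missing', 'file not present', None, None))
            continue
        md5, sha1 = file_hashes(local)
        verdict, label = db.get(sha1, ('unknown', 'not in database'))
        findings.append((line, path, verdict, label, md5, sha1))
    return findings


def format_report(findings):
    """One block per finding, original stanza first, then the verdict and hashes."""
    out = []
    for line, path, verdict, label, md5, sha1 in findings:
        out.append(f'{line}\n    -> {verdict}: {label}')
        if sha1:
            out.append(f'       MD5 {md5}  SHA1 {sha1}')
    return '\n'.join(out)


def demo():
    """Constructed demo: stand-in files in a temp dir, a hash DB built from them, a four-line log."""
    tmp = tempfile.mkdtemp()
    # Constructed contents; none of these is a real binary, and the DB hashes are computed from them.
    files = {
        r'C:\WINDOWS\system32\ctfmon.exe': b'constructed stand-in for a clean ctfmon.exe',
        r'C:\WINDOWS\system32\Shdocvw.dll': b'constructed stand-in for shdocvw.dll',
        r'C:\Documents and Settings\user\bad.exe': b'constructed stand-in for a known-bad file',
    }

    def resolve(winpath):
        # Assumption for running off-box: keep only the file name and look in the temp dir.
        return os.path.join(tmp, os.path.basename(winpath.replace('\\', '/')))

    for winpath, data in files.items():
        with open(resolve(winpath), 'wb') as fh:
            fh.write(data)
    clean_sha1 = file_hashes(resolve(r'C:\WINDOWS\system32\ctfmon.exe'))[1]
    bad_sha1 = file_hashes(resolve(r'C:\Documents and Settings\user\bad.exe'))[1]
    db = {
        clean_sha1: ('clean', 'allow-listed by hash'),
        bad_sha1: ('malware', 'Constructed.Demo.Bad'),
    }
    log = '\n'.join([
        r'O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
        r'O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll',
        r'O4 - HKCU\..\Run: [updater] C:\Documents and Settings\user\bad.exe',
        r'O4 - HKCU\..\Run: [gone] C:\WINDOWS\gone.exe',
    ])
    return analyze(log, db, resolve)


if __name__ == '__main__':
    print(format_report(demo()))
```

A file that is absent gets its own "missing" verdict rather than being silently skipped, since a Run entry pointing at a file that no longer exists is itself worth a look. Keying the database on content hash rather than on file name is what keeps the ctfmon.exe and Shdocvw.dll cases from the post from being tagged by name alone; a file the database has never seen comes back "unknown", not "clean".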
bspz

Cadet


Joined: Sep 14, 2004
Posts: 1
Location: USA

Posted: Sat Oct 06, 2007 4:02 pm

This seems to be broken... I get a 500 error after my log is processed.
