Interpreting HijackThis Logs – With Practice, It’s Not Too Hard!

HijackThis is known by every serious security expert in the world, or so it seems, and it is available for download from numerous websites. Here are, for instance, three:

HijackThis is not hard to install.

  • Make a new folder, for instance “C:\Program Files\HijackThis”, or one of your choosing.
  • Copy the module “HijackThis.exe” to the new folder.
  • If desired, make a shortcut and copy the shortcut wherever it’s appropriate. It’s your computer, and you need to be able to run HJT conveniently.
  • Start HijackThis.
  • Hit the “Config…” button, and make sure that “Make backups…” is checked, before running. You may occasionally remove something that needs to be replaced, so always make sure backups are enabled!

HijackThis is not hard to run.

  • Start it.
  • Choose “Do a system scan and save a logfile”.
  • Wait patiently.
  • When Notepad pops up with a new window, that’s your logfile.
  • Save, or print, the logfile, and get started.

You have several options now – you can get free, reliable online help, or you can interpret the log yourself.

Based upon your findings, or the recommendations of the experts (or a combination of the 2, at your discretion), you then

In some cases, you may have to do more intensive work.

NOTE: I recommend a combination of these techniques. Even if YOU don’t see anything interesting in the log, someone who’s currently helping with other folks’ problems may see something in YOUR log that’s been seen in others.

Use the power of the web. As I say so many times, anything YOU might be experiencing has probably been experienced by someone else before you. Give the experts a chance with your log. They might find something to help YOU, and they might find something that will help the next guy.

Interpret The Log Yourself
There are several tutorials to teach you how to read the HJT Log. Spend a while reading them, practice a bit, and you can be at least as good as I am at spotting the bad stuff.

Merijn Bellekom, author of HijackThis, gives a good tutorial at Merijn.org. Two other tutorials which I have used are:

There are three basic ways of checking out your HJT log, and all leverage the power of the web to disperse knowledge. The bad guys spread their bad stuff through the web – that’s the downside. But the spreading of the bad stuff can be severely restricted, if we use the web for good – and that’s the upside.

Component Analysis
The absolutely most reliable way of checking out any suspicious entry in a HijackThis log, IF you can find the file referenced, uses the concept of Strength Thru Diversity. There are two websites which will submit any actual suspicious file for examination to a dozen different scanning engines, including both heuristic and signature analysis. See Online Analysis Of Suspicious Files for further discussion.

Signature Analysis
Before online component analysis, we would commonly use online databases to identify the bad stuff. Depending upon the type of log entry, you’ll need one of two online databases.

The two databases, to which you’ll be referring, look for entries using one of two key values – process name, and ActiveX Class ID.

You can identify process names from one or more Startup Items Lists:

You can identify scripting objects (ActiveX) from one or more CLSID Lists:

For extensive research, you may also try whole web searches, using your favourite search engine, like Google, or Yahoo, or any other of your choosing. Just paste the CLSID, or process name, into the search window on the web page.

Unless you are totally living on the edge, any HJT Log entry that may interest you has probably already been discussed, and if it’s a bad one, someone has likely already defined it for removal. Just check carefully, as many search hits will simply be to other folks’ complete HJT logs, not necessarily to your questionable item as their problem. So verify carefully, in any hit articles, that the item of interest actually represents a problem.

Log Analysis
The most obvious, and reliable, log analysis is provided by various Online Security Forums. Advice from, and membership in, all forums is free, and worth the time involved. Be sure to read the instructions provided by each forum. Proper analysis of your log begins with careful preparation, and each forum has strict requirements about preparation.

Alternatively, there are several automated HijackThis log parsing websites. I have found 3 to date:

Just paste the complete text of your HJT log into the box on the web page, and hit the Analyse or Submit button.

The automated parsing websites are good to start with, but they suffer from false negatives and false positives, just as any other automated security tool. So verify their output, against other sources as noted, before using HJT to remove something.

Heuristic Analysis
If you do all of the above, try any recommended removals, and still have symptoms, there is one way of checking each entry in the log for unknown malice. Go carefully thru the log, entry by entry.

  • Look for any application that you don’t remember installing.
  • Look for entries with names containing complete words out of the dictionary.
  • Look for entries with names containing unpronounceable random jumbles of letters.
  • Look for entries that use paths completely different from other entries, in that same HJT section.
  • Remember, malware is limited by the requirement of uniqueness. Windows (at least Windows XP) is very protective of known system components, and will ensure that “C:\Windows\Explorer.exe”, for instance, is not modified, or replaced, by malware in any way.
  • However, even Windows XP can do nothing about malware that installs “C:\Windows\System32\Explorer.exe”, “Expl0rer.exe”, or “Exp1orer.exe”, or “C:\Explorer.exe”.
  • So look very carefully at each entry, and its complete path. When in doubt, copy the entire path and module name (highlight and Ctrl-C, don’t type by hand), and research the copied entry in one or more of the Startup Items Lists databases, or online searches, described above.
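The Signature Analysis and Heuristic Analysis steps above can both be scripted. The following is an added example, not part of the original post or of HijackThis itself: it pulls the two lookup keys (process name from O4 Run entries, CLSID from O2 BHO entries) out of HijackThis-style log lines so you can paste them into the Startup Items or CLSID databases, and then applies the look-alike-name, unpronounceable-name, and odd-path checks described above. The sample log lines and the CLSID values in them are constructed placeholders, and the table of expected locations for a few Windows XP system binaries is an assumption for illustration (an installation using C:\WINNT, for instance, would need different entries).

```python
"""Extract lookup keys from HijackThis-style log lines and apply the
look-alike / odd-path heuristics from the post.  Added example; the
sample lines below are constructed, not a real log."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample HijackThis-style log lines (placeholder CLSIDs).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE} - C:\WINDOWS\System32\qzxkwpt.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\System32\Expl0rer.exe
O4 - HKCU\..\Run: [helper] "C:\Documents and Settings\User\Local Settings\Temp\svchost.exe" -s
"""

# Assumed normal locations of a few protected system binaries on Windows XP
# (lower-case, no trailing backslash).  Extend for your own installation.
SYSTEM_BINARIES = {
    "explorer.exe": r"c:\windows",
    "ctfmon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}

# Digit-for-letter substitutions used to spot names like Expl0rer / Exp1orer.
LOOKALIKE = str.maketrans("0135", "olse")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\} - (?P<path>.+)$"
)


@dataclass
class Entry:
    section: str       # "O2" or "O4"
    lookup_key: str    # CLSID for O2, process name for O4: what you paste into the databases
    path: str
    flags: List[str] = field(default_factory=list)


def module_path(cmd: str) -> str:
    """Return the executable/module path from a Run command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    # Unquoted command: take the first token (unquoted paths with spaces are not handled).
    return cmd.split()[0]


def heuristics(name: str, path: str) -> List[str]:
    """Apply the post's checks to one module name and its full path."""
    flags = []
    lname = name.lower()
    directory = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
    normalized = lname.translate(LOOKALIKE)
    if normalized in SYSTEM_BINARIES and normalized != lname:
        flags.append(f"look-alike of {normalized}")
    if lname in SYSTEM_BINARIES and directory != SYSTEM_BINARIES[lname]:
        flags.append(f"{lname} outside {SYSTEM_BINARIES[lname]}")
    stem = lname.rsplit(".", 1)[0]
    if len(stem) >= 6 and not any(c in "aeiouy" for c in stem):
        flags.append("unpronounceable name")
    if "\\temp\\" in directory + "\\" or "\\local settings\\" in directory:
        flags.append("runs from temp/profile directory")
    return flags


def parse_log(text: str) -> List[Entry]:
    """Parse O2 and O4 lines; other sections are ignored in this example."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            path = module_path(m.group("cmd"))
            name = path.rsplit("\\", 1)[-1]
            entries.append(Entry("O4", name, path, heuristics(name, path)))
            continue
        m = O2_RE.match(line)
        if m:
            path = m.group("path").strip()
            name = path.rsplit("\\", 1)[-1]
            entries.append(Entry("O2", m.group("clsid"), path, heuristics(name, path)))
    return entries


def suspicious(text: str) -> List[Entry]:
    """Only the entries that tripped at least one heuristic."""
    return [e for e in parse_log(text) if e.flags]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(e.section, e.lookup_key, e.path, "|", "; ".join(e.flags) or "no heuristic hits")
```

A heuristic hit is a reason to research the entry in the databases or forums named above, not a verdict: a legitimately installed program can run from an odd path, and a digit-substituted name is only suspicious when it imitates a real system component. Every key the script prints is a copy of the exact text from the log, which is the same copy-and-paste discipline the last bullet recommends.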

Remove The Bad Stuff

If you find an interesting entry, which points to a file with a complete path name, see if you can locate the file. Make sure that “Show hidden files and folders”, under Control Panel – Folder Options – View, is selected.

Once you find any suspicious files, check the entire computer, identify the malware by name, and make sure that the files found are not protected by other processes.

Finally, go to one or more of the expert online forums, and search for threads where your particular malware is discussed and / or removed. Observe which techniques and tools are used in the removal process. Try some of those techniques and tools, against all of your identified bad stuff, or post your diagnostic tools (diligently following the rules of each forum, and don’t overemphasise your starting analysis), and ask for help.

Only with knowledge will you solve your problems. Just remember, if you’re not on the absolute cutting edge of Internet use (abuse), somebody else has probably already experienced your malware, and with patience and persistence, you can benefit from those other experiences. That’s the way to use the Internet for good purposes.

Remember the header information in any HijackThis log identifies the version of HijackThis run, and occasionally there are new releases of the program. Always make sure that you get the latest version before scanning, to maximise your chances of identifying all questionable software. If you post into any of the expert forums with a log from an old version of the program, the first reply will, almost always, include instructions to get the newer version.
