HiJackThis Fork v3

[Parisien_entraide]

HiJackThis Fork v3


HijackThis : On le croyait oublié depuis que Trend Micro avait acquis le logiciel en 2007 et l'avait transformé en programme open source en 2012.
Depuis 2013 plus aucune version n'était apparu et à l'usage était devenu obsolète car il ne voyait pas tout

1_Hijackthise.png

C'est un UKRAINIEN du nom de Polshyn Stanislav qui a repris le travail et sa dernière version date du 9/11/2018

Le programme est compatible avec les dernières versions de Windows et antérieurs : 10 / 8.1 / 8 / 7 / Vista / XP / 2000 (32/64-bit Desktop et serveur)

Il est portable

HiJackThis Fork détecte principalement les problèmes d'Hijacking (1) et le développeur a ajouté un support de détection pour les nouvelles méthodes de piratage

Il est nécessaire de parcourir la liste des éléments un par un pour savoir si ce qui est affiché est dangereux ou inoffensif.

Hijackthise.png

ATTENTION ! Même si il y a un bouton "Info" ce n'est pas lui qui prendra la décision pour vous. Il n'y a AUCUNE évaluation, et il faudra l'aide d'un helpeur

Comme le souligne l'auteur :

_______________________
"IMPORTANT: HiJackThis Fork ne fait pas d'appels basés sur les valeurs pour ce qui est considéré comme bon ou mauvais. Vous devez faire preuve de prudence lorsque vous utilisez cet outil. Évitez d’apporter des modifications aux paramètres de votre ordinateur sans étudier en profondeur les conséquences de chaque modification.
Si vous n'êtes pas déjà un expert, nous vous recommandons de soumettre votre cas à un forum d'aide en ligne."
______________________

Le menu PREFERENCES :

2_Hijackthise.png

Le menu OUTILS :

Ecran.jpg

Dans ce menu outils on note effectivement une fonction assez rare, le scan ADS
SInon (à tester) un outil pour détecter des .LNK
et d'autres


Pour les nouveautés, plus de détails à :

https://github.com/dragokas/hijackthis/



Pour le téléchargement

https://github.com/dragokas/hijackthis/ ... vel/binary
https://dragokas.com/tools/HiJackThis.zip

Une version "Nightly" est dispo également à https://dragokas.com/tools/HiJackThis_test.zip


Un tuto en anglais : http://dragokas.com/tools/help/hjt_tutorial.html

__________________________________________________________________
(1) Définition : L’Hijacking est aussi appelé Ip Splicing. Cette technique de piratage est une action sur une Session active établie est interceptée par un utilisateur non autorisé. Les pirates peuvent agir une fois qu’il y a eu identification, le Pirate pouvant ainsi se faire passer pour un utilisateur autorisé

[Malekal_morte]

Salut,

Ca fait 10 fois qu'on le réanime
Y a du boulot avant qu'il arrive au pied de FRST au niveau des infos rendues.

[Parisien_entraide]

Nan nan, 2 fois seulement :-) Et la dernière date de 2013

Bah c'est juste pour signaler qu'il existe une autre version, vu qu'il y a encore un tas de gens qui se servent de l'ancienne

Au delà de cela il est vrai que lorsqu'on regarde le log généré... ça fait un peu pingre par rapport à FRST :-)

[Colok]

Salut tout le monde,

J'ai réalisé la traduction française de la future version 3 de HiJackThis Fork et le développeur m'a demandé de vous faire suivre le message ci-dessous!

"Colok, I have some personal request for you, if it's ever possible.
I compiled an answer to this forum: viewtopic.php?t=61637
But unfortunately, my country is in spam-list and I can't register there even using French VPN.
Is it possible you left 1 post in that topic on my behalf? (I attached it)
I would really appreciate it."

Voici ce message:

"Hi @all. I'm a developer of HiJackThis Fork and I do like to clarify some details.
Since my country is in spam-list, I asked my friend to post here my message.

If you think HiJackThis missing some items important for malware cure,
feel free to propose improvements in 'issue' section of github repository.

HiJackThis will never become a FRST. It has a different phylosofy:
- compact logs
- fast scan
- open sourse
- item fix using interface
- individual backups
- scan at system boot up using ignore-list

HiJackThis has scan areas that FRST doesn't see, and vice versa,
FRST has areas, that HJT doesn't see, but it doesn't matter,
because, e.g. for browser hijacker there is a better tools, such as AdwCleaner.
Detection of most modern malware hijacking methods (excepting rootkits)
was included for these 3+ years of active development of the Fork.

List of modified files is not required if you removed all autorun points. Everything else is a garbage.
List of installed software can be equired using integrated Uninstall manager tool.
List of system events is mostly needed for system troubleshooting, not malware cases.
Anyway, HJT also has new section in O7 with similar but unique functionality. See manual.
LNK checker is a separate plugin, much powerful than FRST, becauses it has analysis core,
trained by real malware for several years and also produces compact log (not a full LNK list).
Also, you can check a mark "additional scan" to say HiJackThis to scan specific areas like:
- PendingRenameOperations
- Drivers, etc ...

Eventually, you can't compare these tools without deep understanding.
All at all, HJT Fork is 100% rewritten project, it has another analysis methods,
even in such "simple" task like digital signature check.

We are using bunch of tools called 'Autologger' for 8+ years (HJT Fork for 3+ years)
in several large forums, including Kaspersky Club forum.
This automatic logs collectior includes:
- AVZ (include antirootkit)
- RSIT (include additional info like in FRST)
- HiJackThis
- Check Browsers' LNK
And he proved to be effective in most cases of curing the malware.

By the way, the closest HJT version will be translated into French

Since I can't post here, if you want please ask further questions in our github repository section.

Kind regards,
Stanislav Polshyn."

Cordialement
Colok

[devadip]

Y a plus qu'à tester sur un PC infecté

[Parisien_entraide]

Hello :-)

Evidemment avec une IP Ukrainienne il ne risque pas de passer les barrières de certaines contrées, vu que le pays est à l'origine de pas mal d'infections et autres mafias malfaisantes :-)

En tous les cas c'est sympa de relayer le message de l'auteur

Et j'en profite pour indiquer ce que tu fais, ce qui n 'est pas négligeable, et demande beaucoup de travail

https://www.colok-traductions.com/

[Colok]

Merci Parisien_entraide et à vous pour le travail que vous faites!

La version béta en téléchargement en français, n'est pas finalisée.
Je peux vous donner la dernière version de la traduction française, si vous voulez l'essayer !
Vous pourrez me retourner les erreurs...

[Parisien_entraide]

Bonjour,

De retour.. :-) Et bien effectivement pourquoi pas ?

Il y a cependant une version FR dans la V 2.9.0.11 (et un bouton non traduit)

2018-12-01_061404.jpg

[Colok]

Ben oui, comme je l'ai écrit dans mon précédent post, l'auteur n'implémente pas aussi rapidement que je corrige...

Je t'envoie ma mise à jour !

[Parisien_entraide]

J'en profite pour indiquer que le programme est bien francisé, preuve en est :

Section Paramètres

2020-03-16_094206.jpg

Section outils

2020-03-16_094019.jpg

Et je précise que l'outil utilisé sur le forum pour les analyses est FRST https://www.malekal.com/tutoriel-farbar ... tool-frst/
et non HijackThis https://www.malekal.com/tutoriel-hijackthis/

[Parisien_entraide]

Visiblement l'outil continue de progresser puisque la dernière version "Nightly" date du 3 septembre 2022 et est à ce jour en version 2.10.0.23

https://github.com/dragokas/hijackthis


Petite précision, bien que l'auteur se déclare Ukrainien, on peut lire sur la page du projet

"Bonjour, je suis Stanislav Polshyn - un avocat, un observateur de la sécurité et un chercheur de logiciels malveillants d'Ukraine ( Tchernobyl , Na'Vi , Щедрик , Colony of USA). Yankee rentre chez toi ! "

Les différents menus se sont étoffés au fil du temps

Le programme fonctionne bien en Français, mais l'aide en ligne ne fonctionne pas (au moment du test)
Néanmoins toute l'aide et fonctionnement du programme est disponible en interne via le menu, "Aide" du programme
https://dragokas.com/tools/help/hjt_tutorial.html

1.jpg

2.jpg

Idem pour la section "Paramètres"

parametre.jpg

Le "changelog" est trouvable dans le programme lui même, et on peut voir que l'auteur, depuis mars 2020 (mon précédent message) a travaillé


[2.10.0.23] - Sep 03, 2022
- Context menu: Added button "Copy" - "File Argument".
- Search: Save lastly entered phrase after program exits.
- ADS Spy: fixed functionality of "Browse" button (thanks to Alexyz21 for report).
- Uninstall manager: fixed location of "Remove Software" button.

[2.10.0.22] - Aug 29, 2022
- Digital Signature Checker Tool: New buttons "Add folder", "Clear list".
- Translation corrected.

[2.10.0.21] - Aug 28, 2022
- Added free memory info and total CPU loading*.
* loading data may be overestimated on weak processors.
- Cut down icon metadata causing false positive detection by Yara rules (VT).
- Fixed Hosts template and its ACL permissions according to reference.
- O22 - Added -32 prefixes for 32-bit tasks on 64-bit OS.
- Tools=>Unlock file/folder: Improved recurvive procedure of reset permissions.

[2.10.0.20] - Aug 02, 2022
- Several AppLocker fixes are done (thanks to regist for report, analytics and support):
- O7 - AppLocker: Added detection of "ManagedInstaller" rule.
- O7 - AppLocker: Fixed hash-based rule displayed one record instead of multiple.
- O7 - Applocker: Improved "Fix all" procedure.

[2.10.0.19] - Jul 24, 2022
- Whitelist services is updated.
- Some adjustment in O4 to show "(Microsoft)" postfix for more cases.
- O22 - Tasks_Migrated: Added detection of migrated tasks in Windows 11.
- O22 - Tasks: Added detection of tasks in SysWow64.
- O22 - Tasks: fixed incorrect decoding of non-English characters by xml parser.

[2.10.0.18] - May 28, 2022
- Returned missing buttons in Uninstall Manager ^^
- Fixed broken functionality of 01 - Hosts (thanks to Boxersteavee for report).
- Improved Hosts file read speed.
- Improved registry export speed.
- [Backup] CRC32 calculation speed and reliability are improved.

[2.10.0.17] - Apr 07, 2022
- Added new Microsoft certificates.
- Files unlocker: Added buttons "Add File(s) / Folder(s)".

[2.10.0.16] - Jan 12, 2022
- Added Spanish translation (thanks to Andago).
- Added key /LangSP - force use Spanish language for user interface.
- Corrected size of the forms for better match the translation.
- Minor edits of RU/UA/FR translations.
- Updated Merijn Bellekom donation link in StartupList tool.
- StartupList (and HJT): fixed "Show file" context menu didn't work with System32 files.

[2.10.0.14] - Dec 26, 2021
- O22 - BITS: Fixed throwing error when URL is missing (thanks to @Sandor-Helper for report).
- Certificates are updated.

[2.10.0.13] - Dec 02, 2021
- Fixed potential crash related to bad buffer size in codepage encoder (thanks to @thetrik for letting me know).
- Fixed missing translation.
- Fixed font size on some controls.
- [Updates checker] Corrected error code returned.
- System errors description are now displayed on selected language.
- [Uninstall manager] Fixed double-unicode in registry snapshot report on some locales.

[2.10.0.12] - Nov 23, 2021
- Updated MS certificates list.

[2.10.0.11] - Nov 21, 2021
- Improved error logging.

[2.10.0.10] - Oct 14, 2021
- Added detection of Windows 11, Windows Server 2019, Windows Server 2022.
- Added DisplayVersion in addition to ReleseId where possible.
- O22 - Tasks: whitelists are updated.

[2.10.0.9]
- Moved status to a stable release.
- O26 - Fixed false "file missing".
- O7 Policy - Added more keys for detection DisableTaskMgr.

[2.10.0.8 beta] (Nightly) - Mar 16, 2021
- More code clear.
- Improved filter of O22 - Bits whitelists.

[2.10.0.7 beta] (Nightly) - Feb 20, 2021
- Added new 'Files Unlocker' tool (see 'Tools' menu => Files => Unlock File / Folder).
- Global code clear and optimization (thanks to LaVolpe and his 'Project Scaner' tool).
- Some errors are fixed.
- Improved source code building script.

[2.10.0.6 beta] (Nightly) - Feb 12, 2021
- Fixed: HJT uninstallation removes not all keys.
- Fixed: Explorer is restarted in 'Limited Mode' after O21 Fix.
- Fixed: O26 - Tools false positives.
- Hotkeys: 'Ctrl' + 'Mouse Wheel' to change the font size of results window list.
- More optimizations.

[2.10.0.5 beta] (Nightly) - Feb 08, 2021
- Search window: added option to search in filtering mode (only scan results window).
- Search window: added option to mark all items automatically in filtering mode.
- Search window: options are now can be saved with a diskette button.
- Fixed throwing error when you close the program after fixing the item.
- Improved path arguments parser.
- Improved file/folder permissions reset.

[2.10.0.4 beta] (Nightly) - Feb 07, 2021
- Micro-optimizations.

[2.10.0.3 beta] (Nightly) - Feb 05, 2021
- All HKU\.DEFAULT prefixes are replaced by "HKU\S-1-5-18".
- O4 - Run* - is now contains postfix with username for service Sids as well.
- O7 - Policy: fixed DisallowRun item state.
- Fixed unicode strings detection in US Locale.
- Fixed missing restore feature in ABR backup.

[2.10.0.2 beta] (Nightly) - Feb 03, 2021
- VirusTotal: added compatibility with Windows XP SP3 (thanks to @wqweto for help).
- Fixed error in O21 scan (thanks to @Sandor-Helper for reporting).
- Fixed BSOD on AppLocker fix, caused by MS GPUpdate. Instead, reboot will be prompted.
- Fixed error in hashing the backup while fixing the items (thanks to regist for testing).
- Updated certificates (thanks to @akokSZ for reporting).
- Improved reset ACL, icacls.exe / takeown.exe are no more used.
- Fixed ability to restore the item even if backup system failed to retrieve the file hash.

[2.10.0.1 beta] (Nightly) - Feb 01, 2021

New detections are added:
- O4 - some new detections and improved fixes.
- O5 - Applet: to detect custom and hijacked control panel items.
- O7 - AppLocker:
* NOTE!!! Applocker is by default in whitelisting mode: everything that is not explicitly allowed, is blocked.
* If you remove "(allow)" rule, this particular application/folder will be blocked, until you'll remove all the rules.
* To remove all rules at once, it's better to fix the special line "O7 - AppLocker: fix all"
- O7 - KnownFolder: to detect and fix hijacked locations of "Known Folders".
- O7 - TroubleShooting: new environment variables are added.
- O22 - BITS Job: to detect foreign Windows Update Service jobs.
- O22 - Tasks: (damage) subsection is added to detect damaged and garbage tasks of such types:
* (user missing) - when user/group is removed;
* (no xml) - when xml file doesn't exist;
* (key missing) - when associated reg. key doesn't exist;
* (no key) - when no task keys are referred to;
* (empty) - when tasks folder or key contains an empty record;
* This doesn't include xml integrity/CRC check and "DynamicInfo / Triggers" validation.

Interface:
- Added ability to mark multiple items for fixing with 'Shift + Click'.
- Added "Copy" multi-context menu in scan results window (thanks @thetrik for helping with Clipboard).
- Added "VirusTotal" multi-context menu in scan results window with options to check file/URL by hash or to submit file with SysInternals Autoruns.

Report:
> General:
- Sorting is now going in correct alphabetical order + increased the speed.
- O4 - Startup subsections are renamed to improve the sorting.
> /Area:Environment:
- Added registry report of "User Shell Folders" and "Shell Folders" in addition to CLSID-based report.
Why? Because Microsoft doesn't follow its own 'Best Practice' from MSDN. .
> Modules "Check Browsers' LNK" & "ClearLNK":
- Suppressed "Allow to download..." request when silent mode is selected in "Update" settings.
- Added auto-update feature (whenever you run the tool) - not often than once per month.
- Introduced the strong verification for the file digital signature before execution.
- Tools are now will be downloaded in \Tools\Scan subfolder of HiJackThis dir or installation dir if one is performed.

Other:
- O4 - Fixed reading the other users startup folder; added user name postfix in log.
- O25 - Fixed rare error in connecting to WMI.
- Updated and improved LoLBin list check mechanism.
- Improved registry functions.
- Corrected free buffer (ILFree => CoTaskMemFree).
- Explicitly allowed expired Microsoft certificates (without timestamp).
- Updated whitelists of O2, O22, O23.
- Added switch /skipErrors - do not show error messages and prevent warnings and errors from writing to log file at all.
- Added switch /sha256 - calculate SHA256 hash of files.
- Fixed hash progressbar.

Tools:
> Digital Signature Checker:
- Improved speed, sorting, added columns - Certificate "Valid From", "Valid Until"; exchanged columns "File Name" / "File Path".
> Uninstall Manager:
- Fixed "Uninstall application" button is not always worked.
> Process Manager:
- "Save" button auto-refreshes process list.

Special thanks to Sandor and regist for samples, testing and suggestions.

[2.9.0.29] - Oct 23, 2020
- Security improvements

[2.9.0.28] (Nightly) - Sep 1, 2020
- [*New*] Added subsection O26 - Tools:
* various tools run by user manually, that hijacked in some way, will live there.
- [*New*] Detection of Logon Screen Backdoor (Accessibility tools) is added to O26.
- [*New*] Detection of My Computer properties tools hijack (Defragger, Cleaner, Backup) is added to O26.
- [Fix] Fixed critical error in service whitelisting for x32 systems (thanks Sandor for report).
- [Fix] Registry Jumper didn't want to jump to parent key when target doesn't exist.
- Registry Key Unlocker: added the button "Open in Regedit".
- Size and position of every tool and main window as well are now preserved after exiting the program.
- [Limited user] Fixed crash when user updates HJT.
- [Limited user] Some HJT functions and tools are blocked for limited user. Run utility as admin!
- [Limited user] Generic improvement, preventing false positives in scan results caused by access deny.

[2.9.0.26] - Aug 5, 2020
- Added partial compatibility when running as a limited user.

[2.9.0.25] - Aug 2, 2020
Databases:
- Updated O22, O23 bases (MS Office, MS Visual Studio are also whitelisted if possible).
- O22 - Added the ability to analyze Microsoft rundll32 based tasks.
- Updated names of Windows editions.
- Appended well-known DNS lists.
- Reference IE StartPage, SearchPage, Search & Custom Assistant are replaced with msn.com or removed due to broken links.

Functional:
- Added checking of Windows / user startup-shutdown scripts policies.
- Added O18 - Printer Port: detecting suspicious file ports for Spooler Shadow Jobs (thanks to Alex Ionescu for the article and NickM for helping with the fix).
- When you request to restore from an ABR backup, a new backup is automatically created to enable rollback (may help to recover from a non-bootable state).
- Added calculation of files SHA1 hash; you can switch between SHA1 / MD5 in the settings.
- New switch: /sha1 - calculate SHA1 hash of files.
- Context menu: added "Disable / Enable" item for services and tasks.

Fixes:
- O22 - added compatibility with tasks in UTF16 encoding.
- Uninstall Manager: Fixed the "Save List" button (thanks to Severnyj for the notification).
- Improved ini file disinfection functions, added Unicode format processing.
- Improved registry backup functions, QWord support.
- The function to get the file size sometimes returned 0 for files from System32.
- Context menu is no longer blocked during ReScan.

Interface:
- Font for scan results changed "10" => "9" (Bold).
- Added left and right indents in the "About ..." menu windows.
- "About" - "Version history": fixed trimming of the end of the text.
- The scrolling position is no longer reset at the end of the scan.
- Fixed the transparency of the program icon.

Other:
- Updated internal manual on switches.
- All internet links are replaced with https.
- Added https protocol to the verification criteria.
- R4 - PendingFileRenameOperations disabled in /startupscan mode due to false positives.

[2.9.0.23] (Nightly) - June 09, 2020
- New certificates are added
- OSinfo: Windows Embedded is now detected and informed in log
- OSinfo: new OS Edition names are added
- Strict rules for HJT own command line parser
- Fixed ignore list broken due to Windows 10 specific update mechanism
- Some fixes on GUI, reboot, file access, path find, error description, HJT close, terminate process, shortcuts logic
- New private command line keys for donators are added:
* Silently check system using 3rd party tools such as from Sysinternals and NirSoft
* Automatically remove items detected on Virustotal if found
* Selective silent HotFixes (like clear Hosts, Policies, bad certificates and so)
* Basic anti-rootkit
- New public command line keys are added:
* /noBackup - disable backup creation during the fix
* /install /autostart d:X - install HJT in task scheduler to autorun with X sec. delay
* /instDir:"PATH" - alternate installation path for HJT (by default: "%ProgramFiles(x86)%\HiJackThis Fork").
* /noShortcuts - disable creation of shortcuts during HJT installation via /install
* /! - stop command line keys parsing. Everything found after this key considers as keys for HJT autorun (instead of default /startupscan).
- Increased GUI max lines limit for O23 up to 750 items (default for other section is 250).
- Added detection of: ...\Policies\Explorer\DisallowRun
- O23 - Service Backup is improved.
- O25 - Revert Backup is fixed.
- Windows 7 EOS (and future Win 8/8.1 EOS) detection are added to O22 - Tasks

1.jpg