dragokas / hijackthis

A free utility that finds malware, adware and other security threats
http://hjt.sf.net
GNU General Public License v2.0

HJT: List of updates #5

Open dragokas opened 7 years ago

dragokas commented 7 years ago

Here we'll publish the most recent HiJackThis Fork updates list.

If you want to test the (experimental) version, which usually comes out before the source code is actually pushed, you can download the nightly build from this link: https://dragokas.com/tools/HiJackThis_test.zip


For the full history (since v.2.6.1.0 Alpha Fork - Oct 12, 2015, based on official v2.0.6), see: HiJackThis menu "Help" -> "About HJT" -> "History", or the ./src/_ChangeLog_en.txt file. The Russian version is here.

dragokas commented 7 years ago

2.6.4.21 - Apr 17, 2017
  • R4 - new whitelist mechanism for Bing.
  • R4 - fix is improved.
  • O4 - Startup other users: earlier the same user folder name was always displayed.
  • O21 - added checking of ShellIconOverlayIdentifiers.
  • O21 - added checking of EDS for pre-installed Microsoft dll-files.
  • O7 - TroubleShoot: new group. It displays damaged system settings that can lead to OS malfunction.
  • O7 - TroubleShoot: added checking of environment variables - %TEMP%, %TMP%.
  • O2, O3, O22: improved compatibility with x64.
  • Added interface locking while scanning via AutoLogger (affected by the /silentautolog key).

dragokas commented 7 years ago

2.6.4.24 - Apr 24, 2017
  • File deletion mechanism is improved.
  • Added section O26 - Image File Execution Options.
  • Translation to Russian has been finished.
  • Revision and additions to the program's internal help are finished (Help => About program => Sections).
  • Fixed error while starting the program from a read-only drive.
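As an added illustration of what the new O26 section covers (this is not HiJackThis code and was not posted by dragokas), the PowerShell script below enumerates the "Debugger" values under the standard Image File Execution Options key, resolves the debugger command to a file, and checks its Authenticode signature. Anything that is not a validly signed, existing binary is flagged for manual review, which is the same idea as HJT's EDS check. The key path is the documented Windows location; everything else (function names, the "Suspicious" rule) is this example's own choice.

```powershell
# Added example (not HiJackThis code): audit Image File Execution Options (IFEO)
# "Debugger" entries, the hijack point HiJackThis reports under section O26.
# When an image name here carries a Debugger value, Windows starts that command
# instead of the named program, so every such entry deserves a look.
$IfeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Resolve-DebuggerExecutable {
    param([string]$CommandLine)
    # The value is a full command line; take the first token (quoted or bare).
    if ($CommandLine -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($CommandLine.Trim() -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if (-not [IO.Path]::IsPathRooted($exe)) {
        # Bare names resolve through %PATH%, as they would at launch time.
        $cmd = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($cmd) { $exe = $cmd.Path }
    }
    return $exe
}

function Get-IfeoDebuggerEntries {
    param([string]$Path = $IfeoPath)
    foreach ($key in Get-ChildItem -Path $Path -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.PSObject.Properties['Debugger']) { continue }

        $debugger = [string]$props.Debugger
        $exe      = Resolve-DebuggerExecutable -CommandLine $debugger
        $status   = 'FileMissing'
        $signer   = ''
        if (Test-Path -LiteralPath $exe -PathType Leaf) {
            $sig    = Get-AuthenticodeSignature -FilePath $exe
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        [PSCustomObject]@{
            Image      = $key.PSChildName   # the program being redirected
            Debugger   = $debugger
            Resolved   = $exe
            SigStatus  = $status            # Valid / NotSigned / HashMismatch / FileMissing ...
            Signer     = $signer
            # Rule used by this example: anything but a validly signed, present file is suspect.
            Suspicious = ($status -ne 'Valid')
        }
    }
}

Get-IfeoDebuggerEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell 3.0 or newer prompt; a clean workstation usually lists no Debugger entries at all, so any row is worth reading, and a "Valid" signature only tells you the file is genuine, not that the redirection itself was intended.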

dragokas commented 6 years ago

2.7.0.1 - Aug 17, 2017

The program is transferred to Pre-Alpha status. The code is significantly reorganized (refactoring). Removed backup module due to the process of its full replacement.

  • Added checking for updates availability via Internet.
    (!) called from menu "Help" or "Misc Tools"
    (!) available new option "Check updates automatically when program is starting".
  • Ignore list: earlier you were unable to add an entry with Russian or unicode characters.
  • Added ASLR, DEP protection.
  • Accelerated:
  • Batch digital signature checker: added new fields to CSV report:
  • Changed encryption:
  • O26 - Image File Execution Options:
  • Compatibility improvements:
  • Security improvements:
  • Hyperlinks have been replaced and divided by languages for:
  • Added menu:
  • Updated GitHub Wiki pages: https://github.com/dragokas/hijackthis/wiki
  • Opened common topic for discussion by English-speaking users: https://github.com/dragokas/hijackthis/issues/4
  • Size of program:

dragokas commented 6 years ago

2.7.0.3 - Sep 02, 2017
  • O25 - WMI: fixed white lists.
  • O7 - IPSEC: reworked.
  • O17 - Added white list of known good DNS.
  • R4 - detailing of parameter names; checking is appended.
  • EDS: fixed checking on Win 7 SP0.
  • Safe obtaining of environment variables.

dragokas commented 6 years ago

2.7.0.4 - Sep 14, 2017 Added displaying of default browser (for http protocol)

dragokas commented 6 years ago

2.7.0.9 - Sep 27, 2017
  • Menu has been reorganized, added icons.
  • Added output of OS version from the NTDLL.dll file if it is different from the version obtained in the standard way.
  • Added output of Uptime (OS operating time).
  • Added output of "FirstRun" sign ("yes", if the scan is executed for the first time after system reboot).
  • Added output of a message whether integrity of the program is corrupted (e.g. due to infection by a file virus or due to downloading HiJackThis from a non-official source).
  • O7 - TroubleShoot: added checking of availability of at least 1 GB of free disk space on the system drive. Fix will call execution of the Microsoft CleanMgr utility.
  • O7 - TroubleShoot: [Network] added checking whether the computer name is empty. It can lead to network problems.
  • Batch digital signature checker: added "Has internal signature?" field to the CSV report.

dragokas commented 6 years ago

2.7.0.10 - Sep 30, 2017
  • Accelerated work of the program on systems with a highly loaded CPU (due to miners, etc.)
  • Fixed crash (clsStringBuilder)

dragokas commented 6 years ago

2.7.0.3 - 2.7.0.10
  • Added full registry backup:
    (!) called by pressing the "Fix Checked" button, not more than once a week
    (!) saved to the folder C:\Windows\ABR\
    (!) uses the ABR utility by Dmitriy Kuznetsov, so backups are compatible with UVs.
    (!) recovering from backup is available in several ways:

dragokas commented 6 years ago

2.7.0.11 - Oct 06, 2017
  • EDS: fixed critical error in caching mechanism.
  • Now the program will always run from the main menu, if the mark "Do not show this menu after starting the program" is not set. Earlier, the 2nd program execution led to a transition to the scan results window.

dragokas commented 6 years ago

2.7.0.12 - Oct 07, 2017 Added detection of OS Revision.

dragokas commented 6 years ago

2.7.0.13 - Oct 25, 2017
  • Added animation of progressbar in the task bar while scanning is in progress.
  • Fixed work of ignore list.
  • Added O4 - HKLM..\BootExecute
  • Added O4 - HKLM..\FileRenameOperations
  • Checking of launching from %temp% is now ignored for the switch /silentautolog and other switches.
  • Added possibility to install HiJackThis in folder 'Program Files' and menu 'Start' (File -> Install HJT).
  • Restored function of automatic HJT scanning at system startup.
  • Added button "Add ALL to ignore list" in context menu.
  • Added command line switch /install - to install HJT.
  • Added command line switch /autostart - to set HiJackThis for automatic scanning at system startup (use with /install)
  • Added warning if system has an outdated Service Pack.
  • Added jumping to file or registry record via the scan results window (right mouse click, Context menu => Jump to Registry / File).

dragokas commented 6 years ago

2.7.0.14 - Oct 27, 2017
  • R3 - Default URLSearchHook is missing: added CLSID fix
  • R3 - fixed error with redirector.
  • O2 - added checking of HKCU keys
  • O3 - added checking of HKCU keys
  • O3 - removed some white lists
  • O3 - added checking of \Software\Microsoft\Internet Explorer\Explorer Bars
  • O8 - added checking of HKLM keys
  • Improved compatibility with Windows 2k.

dragokas commented 6 years ago

2.7.0.15 - Nov 03, 2017
  • All windows from the 'tools' section will no longer lose focus when you move the mouse to some items of the main window.
  • F0, F1 didn't work after 2.7.0.1 (fixed).
  • F0, F1 now show the full path to the file.
  • O1 - accelerated fix.
  • R1 - for ProxyServer: added displaying of status (enabled / disabled)
  • R1 fix for ProxyServer: added disabling of proxy.
  • O3 fix: added fix of WebBrowser and ShellBrowser keys.

dragokas commented 6 years ago

2.7.0.16 - Nov 06, 2017 O17 - DHCP DNS: fixed error when DNS is not displayed (curve code from Microsoft ^).

dragokas commented 6 years ago

2.7.0.17 - Nov 21, 2017
  • Added opportunity to download and launch programs for checking and curing shortcuts (Check Browsers' LNK & ClearLNK) via the menu Tools -> Shortcuts.
  • Accelerated creation of huge and debugging logs (optimized string concatenation class StringBuilder).
  • Accelerated creation of huge logs in /silentautolog mode (records are no longer added to ListBox).
  • Fixed crash due to ListBox overflow in /silentautolog mode.

dragokas commented 6 years ago

2.7.0.18 - Nov 25, 2017
  • Added checking of registry virtualization type. No more double records for keys in the log if the key has the 'Shared' type.
  • Added universal iteration of registry hives. Now all hives: HKLM / HKCU / HKU (default, SIDs of services and other logged-on users) will be checked in every section.
  • Added O4 - Win9x BAT: C:\Windows\System32\Batinit.bat
  • Added O4 - Win9x BAT: C:\Windows\WinStart.bat
  • Added O4 - Win9x BAT: C:\Windows\DosStart.bat
  • Added O4 - Win9x BAT: C:\AutoExec.bat
  • Added O4 - WinNT BAT: C:\Windows\System32\AutoExec.nt
  • Added O4 - WinNT BAT: C:\Windows\System32\Config.nt
  • Added O4 - AlternateShell (SafeBoot):
  • Added O4 - ScreenSaver:
  • Added O4 - RunOnceEx:
  • Added O4 - RunServicesOnceEx:
  • Added O4 - Autorun.inf:
  • Added O4 - MountPoints2:
  • Added O7 - Taskbar policy:
  • O16 - Trusted Zone and Trusted IP range: added checking of https protocol.
  • O16 - ProtocolDefaults: added checking of ldap, news, nntp, oecmd, snews, knownfolder protocols.
  • Added O21 - ShellExecuteHooks:
  • Introduced a new postfix "(folder missing)".
  • Added selection of menu item in the scan results window by right mouse button click.

dragokas commented 6 years ago

2.7.0.19 - Dec 02, 2017 Added new Microsoft root certificate's hash.

dragokas commented 6 years ago

2.7.0.20 - Dec 04, 2017
  • /silentautolog - fixed error when logfile cannot be created
  • O22 - Task: Reworked. Removed dependency on the task scheduler service.
  • O22 - Task: Added support for output of several actions for 1 job.
  • O22 - Task: Added checking of legitimacy of ComHandler jobs.
  • O22 - Task: The output of the job status (Running / Ready / Queued) is abolished, only the status "Disabled" is left.
  • O22 - Task: Added ability to remove damaged jobs.
  • Removed section O4 - Autorun.inf:
  • Removed section O4 - MountPoints2:

dragokas commented 6 years ago

2.7.0.21 - Dec 07, 2017
  • Updated whitelists.
  • Added horizontal scrollbar to the ignore list window.
  • O4 - HKLM..\FileRenameOperations: disabled output of entries related to delayed deletion ( -> DELETE marks).
  • O22 - Task: added mark "(telemetry)" for entries related to collection of statistics and transferring to Microsoft server.
  • O22 - Task: removed marks "(Microsoft)" in tasks that execute via a host process (cmd.exe, schtasks.exe, etc.)
  • Switch /ihatewhitelists - fixed.
  • Added switch /default - to load default settings (useful together with /silentautolog in case the user changed settings himself). It does not affect the ignore list.
  • Added switch /skipIgnoreList - do not load ignore list.
  • Added switch /timeout:sec, where 'sec' is the number of seconds HiJackThis is allowed to run in /silentautolog mode until emergency shutdown (180 sec. by default); 0 - to disable.
  • Added output of time zone.
  • Corrected errors in the backup module.

dragokas commented 6 years ago

2.7.0.22 - Dec 09, 2017 Updated whitelists. O17 - Removed ControlSet[x], referenced by the CurrentControlSet.

dragokas commented 6 years ago

2.7.0.23 - Dec 10, 2017
  • O22 - Task: Added parsing of .job files
  • O7 - Policy: [Untrusted Certificate] - added verification of the list of untrusted digital signature certificates and their analysis.

dragokas commented 6 years ago

[2.7.0.24] - Dec 15, 2017
  • Fixed error where the log file was created trimmed due to NUL characters.
  • Uptime is removed.
  • Finished translation of the list of updates into English.
  • Lists of updates of HJT, StartupList and ADSSpy are added to the tab in menu "Help" -> About HJT -> History.
  • R4 - SearchScopes: Changed format of log line.

dragokas commented 6 years ago

[2.7.0.25] - 17.12.2017 Updated list of certificates on XP.

dragokas commented 6 years ago

[2.7.0.26] - 23.12.2017
  • Updated list of DNS.
  • O4 - Added output of folders in Autostart directories.
  • O2, O3 - fixed heuristic cleaning.
  • R4 section - DefaultScope is merged with R4 - SearchScopes.
  • Little speed optimizations.

dragokas commented 6 years ago

[2.7.0.27] - 25.12.2017
  • O7 - Fixed output of certificates' owner name.
  • O7 - Added output of owner's name for certificates not listed in the HJT database.
  • O7 - Added item "Policy: [Untrusted Certificate] Fix all items from the log", to fix at once all certificates listed in the log, if the number of lines > 10.

dragokas commented 6 years ago

[2.7.0.28] - 01.01.2018
  • Fixed app crash when the program is finishing its work.
  • Updated and improved script for retrieving a new crash dump of the program: http://dragokas.com/tools/debug/GetHJT_dump.zip

dragokas commented 6 years ago

[2.7.0.29] - 19.01.2018
  • All sections of the log are unified to cover a single template: "Section prefix-bitness" - "optional, section name": "hive..\key": "optional, subkey" [parameter] = value
  • "Compressed" log O7 - IPSec: in case the system has several identical rules.
  • Deleted attribute O7 - TroubleShoot: [EV] (environment value is altered)
  • Added attribute O7 - TroubleShoot: [EV] (folder does not exist)
  • Added attribute O1 - Hosts: is damaged (contains NUL characters only)
  • Attempting to fix a line with a legitimate file will now call SFC for it.
  • Separated into several lines with the possibility of separate fixes:

dragokas commented 6 years ago

[2.8.0.2] - February 02, 2018

Logs:
  • Log "Environment variables" replaced with the output of all environment variables of the current process.
  • O7 - Policy: [Untrusted Certificate] Black list of certificates and "Well-Known cert." attribute are removed.
  • Added option "Additional scan" (disabled by default). It can be enabled in File -> Settings

Scan:
  • O4 - PendingFileRenameOperations (moved to "Additional scan")
  • O4 - Autorun.inf (added to "Additional scan")
  • O4 - MountPoints2 (added to "Additional scan")
  • O22 - Task: added attribute "(activation)" for tasks related to OS activation.
  • O22 - Task: added attribute "(update)" for GWX tasks ("Get Windows 10").
  • O23 - Service: added output of arguments.

Errors:
  • Fixed bug that led to absence of the process list in XP.
  • Fixed bug in working with collections that could lead to application crash.
  • Fixed several errors when O23 malware entries were not included in the report.
  • Fixed app crash when the user attempts to close it before StartupList2 finishes its work.
  • Fixed work of checkbox "Mark everything found for fixing after scan".
  • Fixed bug when trying to add HJT to startup while being launched via the Start menu, and also on XP/2k systems.

Protection:
  • Improved protection against removing system files when the EDS mechanism is damaged.
  • Added protection from finishing system critical processes.

Fixes:
  • O21: added restarting of Explorer.
  • O4: added process freezing.
  • O22: added finishing of task.

Interface and other:
  • Added icons to the tools and removed unused ones from resources.
  • Added multilingual description in file properties (DE/FR/EN/RU).
  • Menu "Misc Tools" is reorganized:
  • Main settings are split into categories:
  • Option "Ignore Microsoft files" is renamed into "Ignore Microsoft entries"
  • Option "Ignore non-standard but safe domains in IE (e.g. msn.com, microsoft.com)" is absorbed by "Ignore Microsoft entries".
  • Added tooltips to some checkboxes.
  • When HiJackThis.exe launches from an archive, it now asks for unpacking into the {Desktop}\HiJackThis subfolder, not the root of the desktop.
  • Improved scan speed on highly-loaded systems in /silentautolog mode.
  • Added command line keys:
    /Area:Process - include list of running processes in report
    /Area:Environment - include environment variables in report
    /Area:Additional - execute "Additional scan"
  • Whitelists have been updated.
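Several entries in this thread concern the two Session Manager values HiJackThis lists under "O4 - HKLM..\BootExecute" and "O4 - HKLM..\FileRenameOperations" (added in 2.7.0.13, the "-> DELETE" marks described in 2.7.0.21, and PendingFileRenameOperations being moved to "Additional scan" above). The script below is an added example, not HiJackThis code and not posted by dragokas: it reads both values and presents them the way a reviewer would want to see them, with the stock BootExecute entry identified and each pending rename decoded into a source/target pair. The registry path and value names are the documented Windows ones; the function names and the "IsDefault" comparison string are this example's assumptions.

```powershell
# Added example (not HiJackThis code): decode the Session Manager values behind
# the HJT sections "O4 - HKLM..\BootExecute" and "O4 - HKLM..\FileRenameOperations".
$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-BootExecuteEntries {
    param([string]$Path = $SessionManager)
    # BootExecute is a REG_MULTI_SZ of native programs that smss.exe runs before
    # any service starts. On a stock system the only entry is "autocheck autochk *"
    # (the boot-time chkdsk), so anything else deserves a look.
    $value = (Get-ItemProperty -Path $Path -Name BootExecute -ErrorAction SilentlyContinue).BootExecute
    foreach ($line in @($value)) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        [PSCustomObject]@{
            Entry     = $line
            IsDefault = ($line.Trim() -eq 'autocheck autochk *')
        }
    }
}

function Get-PendingFileRenameOperations {
    param([string]$Path = $SessionManager)
    # PendingFileRenameOperations is a flat REG_MULTI_SZ of (source, target) pairs
    # in NT "\??\" path form. An empty target means "delete source at next boot",
    # which is what the HiJackThis log marks as "-> DELETE".
    $value = @((Get-ItemProperty -Path $Path -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations)
    for ($i = 0; $i -lt $value.Count; $i += 2) {
        $src = ([string]$value[$i]) -replace '^\\\?\?\\', ''
        $dst = ''
        if ($i + 1 -lt $value.Count) { $dst = ([string]$value[$i + 1]) -replace '^\\\?\?\\', '' }
        if (-not $src) { continue }
        $isDelete = [string]::IsNullOrEmpty($dst)
        [PSCustomObject]@{
            Source    = $src
            Target    = $(if ($isDelete) { '-> DELETE' } else { $dst })
            Operation = $(if ($isDelete) { 'Delete' } else { 'Rename' })
            # A delete or overwrite aimed at a file under the Windows directory is
            # the case a reviewer should read most carefully.
            TouchesWindowsDir = ($src -like "$env:SystemRoot\*") -or ($dst -like "$env:SystemRoot\*")
        }
    }
}

'--- BootExecute ---'
Get-BootExecuteEntries | Format-Table -AutoSize
'--- PendingFileRenameOperations ---'
Get-PendingFileRenameOperations | Format-Table -AutoSize
```

Pending renames are normal right after a Windows Update or an installer run, so the value being non-empty is not itself a finding; what matters is which files are scheduled for deletion or replacement, which is why the table keeps the decoded source and target side by side.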

dragokas commented 6 years ago

[2.8.0.3] - February 03, 2018
  • Disabled O7 - IPSEC items are removed from the log.
  • Improved working of options "Ignore Microsoft entries" and "Ignore All whitelists" when switching a checkbox to a non-default value.
  • O22 - Task: fixed error in output of status "(disabled)".

dragokas commented 6 years ago

Added notice about test (experimental) version in the 1-st post.

dragokas commented 6 years ago

Short tutorial on HiJackThis is now updated to cover Fork v.2.8.0.50 and newer.

dragokas commented 6 years ago

Short English tutorial on HiJackThis is now updated and moved to the dragokas.com official site.

dragokas commented 6 years ago

[2.9.0.1] - October 20, 2018

Log:
  • Improved format of the log lines.
  • Added mark "No suspicious items found!", if the number of entries = 0.
  • Added display of 'Scan mode': if enabled "Additional scan", "Environment variables", "Ignore ALL Whitelists" or disabled "Processes", "Hide Microsoft entries".

Backups:
  • Added backup/restore of O23, O25.
  • Restoring of library registration.
  • Restoring of the file attributes and time stamps.
  • Restoring of initial security rights on file / registry key (thanks to Kazakevich Aleh for help).
  • ABR from Dmitriy Kuznetsov is updated to v1.05 (improved compatibility with Win10 build 1803).

Main scan:
  • O5 - 'Blocked IE Options' - section is renamed and expanded to cover any hidden control panel items; added compatibility with Vista+.
  • O7 - Added detection of policies: NoViewOnDrive, RestrictRun, DisallowRun, NoControlPanel, LockTaskbar, NoDispCpl, NoDrives, DisableTaskMgr.
  • O7 - Added detection of restricted DACL permissions on some Policy and Certificate keys.
  • O7 - TroubleShooting: (EV) - added checking of the presence of essential system folders in %PATH%.
  • O10 - LSP: whitelist is removed. Checking is performed by EDS.
  • O10 - LSP: now displays all chain gaps and unknown providers and doesn't stop on the first one found.
  • O18 - Protocols/Filters: criteria of checking are replaced with EDS; added check for registry subkeys.
  • O22, O23 - Windows Defender items are temporarily added to whitelist.
  • O26 - Added detection of UWP applications debugger

"Additional scan":
  • Added subsection O23 - Drivers: - list of loaded drivers.
  • Added subsection O23 - Dependency: (experimental), consisting of 3 groups:

"Environment variables" scan:
  • Added listing of special folders.
  • The environment variables are supplemented and divided into categories "[User]", "[System]", "[Current process]".

Fixes:
  • O22 - Added removing of the task's executable (if it does not belong to Microsoft).
  • O23 - Added cleaning of legit services' dependency on the service that is being deleted.

Compatibility:
  • Added compatibility with DBCS systems (locale independence).
  • Added compatibility when launched in the Local System context:

Errors:
  • Bug: Fixed cases in Win8/10 when line O4 is marked as StartupApproved (disabled) instead of Run\Run32.
  • Bug: Fixed crash while HiJackThis is finishing its work when launched from an archive.
  • Bug: Fixed issue with 0 bytes size of the log, if StartupList was started just before.
  • Bug: Fixed access denied while reading some tasks (thanks to Sandor for testing).
  • Bug: Fixed the failure of some functions when a specific date format is set in the system.
  • Bug: Fixed issue with displaying binary data in the LSP log.
  • Finished "Jump to Registry/File" menu for O23 and other sections.
  • StartupList: added tracing of errors in /debug mode, fixed some errors that caused a crash (thanks @Hostn4me for testing).

Updates checking:
  • Bug: Fixed updates checking. The program is untied from GitHub due to problems with https on XP and is now downloaded from dragokas.com.
  • Added proxy support (Note: Socks5 is not supported) (thanks Sandor for testing).
  • Added option "Update to test versions" - if you want to receive the latest updates without waiting for a stable release.
  • Added option "Update in silent mode" - the program will automatically update and restart with the initial command line keys.

Interface:
  • Added ability to choose the font (for the whole interface, or for the scan results list and input fields only).
  • Improved interface navigation during scanning.
  • The autoscrolling of the scan results list has been removed.
  • Horizontal scroll bar is added before the scan is complete.

Translation:

Tools:
  • START menu is appended with shortcuts of separate tools and plugins (upon installation of HiJackThis).
  • Accordingly, added command line keys:
  • Uninstall programs manager is updated to v2.0:
  • Digital Signature Checker:
  • ProcMan: added ability to enumerate modules of 64-bit processes.
  • ADS Spy: added button "Save log".
  • ADS Spy: added support of the ReFS file system.

Tutorial:
  • Completed work on the renewed Russian manual for the Fork and v2.0.5: https://regist.safezone.cc/hijackthis_help/hijackthis.html (thanks to regist)
  • Updated short help on sections (in English, Russian and Ukrainian), available inside the program and on the web-site: http://dragokas.com/tools/help/hjt_tutorial.html

Command line keys:
  • Added and modified /Area command line keys (the old version will remain working for backward compatibility):

Other:
  • Installation of HiJackThis Fork is now available via command line (Chocolatey): 'choco install hijackthis'
  • Maximum limit of the file size to calculate MD5 is increased up to 100 MB. Added MD5 calculation to sections where it was forgotten.
  • Whitelists are updated for R4, O4, O7 - Untrusted certificates, O22, O23.
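The "O7 - TroubleShoot" group mentioned across this thread (2.6.4.21: %TEMP%/%TMP%; 2.7.0.9: 1 GB free on the system drive and an empty computer name; 2.7.0.29: the "[EV] (folder does not exist)" attribute; and the %PATH% check above) is a set of environment sanity checks rather than malware detections. The PowerShell below is an added example, not HiJackThis code and not posted by dragokas, that reproduces those checks and reports findings in a similar "[EV]" / "[Network]" style. The list of folders treated as essential for %PATH% is this example's assumption, since HJT's own list is not given here; the 1 GB threshold is the one stated in the 2.7.0.9 entry.

```powershell
# Added example (not HiJackThis code): environment sanity checks in the spirit of
# the HJT "O7 - TroubleShoot" group. Each finding is returned as a string.
function Test-EnvironmentHealth {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. %TEMP% and %TMP%, in both the user and the machine scope, must name folders that exist.
    foreach ($name in 'TEMP', 'TMP') {
        foreach ($scope in 'User', 'Machine') {
            $raw = [Environment]::GetEnvironmentVariable($name, $scope)
            if ([string]::IsNullOrWhiteSpace($raw)) {
                $findings.Add("[EV] ($scope) %$name% is not defined")
                continue
            }
            $expanded = [Environment]::ExpandEnvironmentVariables($raw)
            if (-not (Test-Path -LiteralPath $expanded -PathType Container)) {
                $findings.Add("[EV] ($scope) %$name% = '$raw' (folder does not exist)")
            }
        }
    }

    # 2. Essential system folders must be present in the machine-wide %PATH%.
    #    This set is an assumption for the example; adjust it to your baseline.
    $essential   = @("$env:SystemRoot\System32", $env:SystemRoot, "$env:SystemRoot\System32\Wbem")
    $machinePath = [string][Environment]::GetEnvironmentVariable('Path', 'Machine')
    $pathDirs    = @([Environment]::ExpandEnvironmentVariables($machinePath) -split ';' |
                     ForEach-Object { $_.Trim().TrimEnd('\') } | Where-Object { $_ })
    foreach ($dir in $essential) {
        if ($pathDirs -notcontains $dir.TrimEnd('\')) {
            $findings.Add("[EV] %PATH% lacks essential folder: $dir")
        }
    }

    # 3. At least 1 GB of free space on the system drive (the threshold HJT uses).
    $sysDrive = $env:SystemDrive
    $drive    = Get-PSDrive -Name $sysDrive.TrimEnd(':') -ErrorAction SilentlyContinue
    if ($drive -and $drive.Free -lt 1GB) {
        $findings.Add(('[Disk] only {0:N0} MB free on {1}' -f ($drive.Free / 1MB), $sysDrive))
    }

    # 4. An empty computer name breaks name resolution and network logon.
    if ([string]::IsNullOrWhiteSpace($env:COMPUTERNAME)) {
        $findings.Add('[Network] computer name is empty')
    }

    return $findings
}

$result = @(Test-EnvironmentHealth)
if ($result.Count -eq 0) { 'No environment problems found.' } else { $result }
```

Reading machine-scope variables with `[Environment]::GetEnvironmentVariable(..., 'Machine')` instead of `$env:` matters here: `$env:` shows the merged view of the current process, which hides a broken system-wide value when the user scope happens to override it.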

dragokas commented 5 years ago

[2.9.0.2] - Nov 6, 2018 Fixed cases with failures in reading O23 (error: "Collection key in not unique"). Fixed issues when copying to the clipboard.

dragokas commented 5 years ago

[2.9.0.4] - Nov 7, 2018 Fixed critical error when recursively reading a registry key (app crash on some backups). Improved speed of regular expressions.

dragokas commented 5 years ago

[2.9.0.5] - Nov 8, 2018 Improved speed of O7 - IPSec analysis.

dragokas commented 5 years ago

[2.9.0.6] - Nov 9, 2018 CSV-reports are now open in Notepad if association is not defined.

dragokas commented 5 years ago

[2.9.0.7] - Nov 16, 2018 Fixed false positives (e.g. O26) due to problems with buffer cleaning in registry operations.

dragokas commented 5 years ago

[2.9.0.9] - Nov 19, 2018 Added translation into French (thanks to Colok { Colok-Traductions.com }). Fixed problems with displaying extended character set of ANSI codepage. O22, O23 databases are updated.

dragokas commented 5 years ago

[2.9.0.10] - Nov 23, 2018 French translation is improved.

dragokas commented 5 years ago

[2.9.0.11] - Nov 26, 2018

dragokas commented 4 years ago

[2.9.0.23] - June 09, 2020 (Nightly build)

dragokas commented 4 years ago

[2.9.0.25] - Aug 2, 2020 (Nightly build - Release candidate)

Databases:

Functional:

Fixes:

Interface:

Other:

dragokas commented 4 years ago

[2.9.0.26] - Aug 5, 2020

dragokas commented 4 years ago

[2.9.0.28] (Nightly) - Sep 1, 2020

dragokas commented 3 years ago

[2.10.0.1 beta] (Nightly) - Feb 01, 2021

New detections are added:

Interface:

Report:

General:

  • Sorting now goes in correct alphabetical order + increased the speed.
  • O4 - Startup subsections are renamed to improve the sorting.

/Area:Environment:
  • Added registry report of "User Shell Folders" and "Shell Folders" in addition to the CLSID-based report. Why? Because Microsoft doesn't follow its own 'Best Practice' from MSDN. lol.

Modules "Check Browsers' LNK" & "ClearLNK":
  • Suppressed "Allow to download..." request when silent mode is selected in "Update" settings.
  • Added auto-update feature (whenever you run the tool) - not more often than once per month.
  • Introduced strong verification of the file's digital signature before execution.
  • Tools will now be downloaded into the \Tools\Scan subfolder of the HiJackThis dir, or of the installation dir if one is performed.

Other:

Tools:

Digital Signature Checker:
  • Improved speed, sorting, added columns - Certificate "Valid From", "Valid Until"; exchanged columns "File Name" / "File Path".

Uninstall Manager:
  • Fixed: "Uninstall application" button did not always work.

Process Manager:
  • "Save" button auto-refreshes the process list.

Special thanks to Sandor and regist for samples, testing and suggestions.

dragokas commented 3 years ago

[2.10.0.2 beta] (Nightly) - Feb 03, 2021

dragokas commented 3 years ago

[2.10.0.3 beta] (Nightly) - Feb 05, 2021

dragokas commented 3 years ago

[2.10.0.4 beta] (Nightly) - Feb 07, 2021

dragokas commented 3 years ago

[2.10.0.5 beta] (Nightly) - Feb 08, 2021