HJT: List of updates

[dragokas]

Here we'll public most recent HiJackThis Fork updates list.

If you want to test (experimental) version that is usually coming before actual pushing the source code, you can download nightly build by this link: https://dragokas.com/tools/HiJackThis_test.zip

---

For the full history (since v.2.6.1.0 Alpha Fork) - Oct 12, 2015 based on official v2.0.6, see: HiJackThis menu "Help" -> "About HJT" -> "History", or ./src/_ChangeLog_en.txt file. Russian version is here.

[dragokas]

2.6.4.21 - Apr 17, 2017 R4 - new whitelist mechanism for Bing. R4 - fix is improved. O4 - Startup other users: earlier the same user folder name was always displayed. O21 - added checking ShellIconOverlayIdentifiers. O21 - added checking EDS for pre-installed Microsoft dll-files. O7 - TroubleShoot: new group. It display damaged system settings that can lead to OS malfunction. O7 - TroubleShoot: added checking of environment variables - %TEMP%, %TMP%. O2,O3,O22: improved compatiblity with x64. Added interface locking while scanning via AutoLogger (key /silentautolog is affect).

[dragokas]

2.6.4.24 - Apr 24, 2017 File deletion mechanism is improved. Added section O26 - Image File Execution Options. Translation to Russian has been finished. Revision and additions to program's internal help is finished (Help => About program => Sections). Fixed error while starting program from read only drive.

[dragokas]

2.7.0.1 - Aug 17, 2017 The program is transferred to the Pre-Alpha status. The code is significantly reorganized (refactoring). Removed backup module due to the process of its full replacing.

v Added checking for updates avaliability via Internet. (!) called from menu "Help" or "Misc Tools" (!) available new option "Check updates automatically when program is starting".

v Ignore list: earlier you was unable to add entry with Russian or unicode characters.

v Added ASLR, DEP protection.

v Accelerated:

• EDS checking.
• saving huge reports.
• O1 - Hosts: if there are more than 40 records, the log will contain all of them, and results window will contain only first 20 and last 20 records + item "Reset contents to default".
• inteface navigation.

v Batch digital signature checker: added new fields to CSV report:

• is PE (whether the file is PE EXE format)
• Signer name
• Signer email
• Catalog path (path to the security catalogue, in which hash of the file was found)
• PE hash
• Algorithm of certificate hash
• Algorithm of signature digest
• Time Stamp (time when file was signed)

v Changed encryption:

• Program settings is now stored in HKLM\Software\TrendMicro\HiJackThisFork

v O26 - Image File Execution Options:

• added detection of AVRF Hook/DoubleAgent
• added checking of HKCU ш Wow64.

v Compatibility impovements:

• Windows Server with Terminal services.
• Cheking OS version.

v Security improvements:

• Blocked removing of Microsoft services. (!) Now system services can be removed only via menu "Tools" => "Delete Service". (!) "Tools" => "Delete Service" is now allows to enter display name of the service. (!) HTTP links have been replaced by HTTPS.

v Hyperlinks have been replaced and devided by languages for:

• "Analyze report" button
• sending error messages
• list of updates
• Online Guide in main menu
• Help => Support

v Added menu:

• Help => Support
• Help => Users' Manual => Sections' description
• Help => Users' Manual => Command line keys

v Updated GitHub Wiki pages: https://github.com/dragokas/hijackthis/wiki v Opened common topic for discussing by English-speaking users: https://github.com/dragokas/hijackthis/issues/4

v Size of program:

• HiJackThis.exe is now not packed by UPX due to the fact that UPX brokes binary compatibility when analyzing Crash-dumps.

[dragokas]

2.7.0.3 - Sep 02, 2017 O25 - WMI: fixed white lists. O7 - IPSEC: reworked. O17 - Added white list of good known DNS. R4 - detalization of parameter names; checking is appended. EDS: fixed cheking on Win 7 SP0. Safe obtaining of environment variables.

[dragokas]

2.7.0.4 - Sep 14, 2017 Added displaying of default browser (for http protocol)

[dragokas]

2.7.0.9 - Sep 27, 2017 Menu has been reorganized, added icons. Added output of OS version from NTDLL.dll file if it is different from the version obtained in the standard way. Added output of Uptime (OS operating time). Added output of "FirstRun" sign ("yes", if the scanning executed first time after system rebooting). Added output of message, whether integrity of program is corrupted (e.g. due to the infection by file virus or due to the downloading of HiJackThis from non-official source). O7 - TroubleShoot: added cheking of availability at least 1 GB of free disk space on system drive. Fix will call execution of Microsoft CleanMgr utility. O7 - TroubleShoot: [Network] added checking whether computer name has empty name. It can lead to network problems. Batch digital signature checker: added "Has internal signature?" field to the CSV report.

[dragokas]

2.7.0.10 - Sep 30, 2017 Accelerated work of the program on highly loaded systems on the CPU (due to the miners, etc.) Fixed crash (clsStringBuilder)

[dragokas]

2.7.0.3 - 2.7.0.10 v Added full registry backup: (!) called by pressing "Fix Checked" button, not more than once a week (!) saved to a folder C:\Windows\ABR\ (!) used utility ABR by Dmitriy Kuznetsov, so backups are compatible with UVs. (!) recovering from backup is available with several ways:

• via HiJackThis: Main Menu => List of Backups => select item ": REGISTRY BACKUP" => Restore.
• run file C:\Windows\ABR\\restore.exe
• via UVs v.4.0.8+ => Menu "File" => Restore registry from catalogue ... => select backup you need => Recover.
• via Windows RE: In command line of recovery environment enter :\Windows\ABR\\restore : (!) recovery from backup will call system rebooting without warnings. (!) Uninstallation of HJT will lead to removing of backups from the folder C:\Windows\ABR, if only they was create via HJT. (!) All backups that is older than 28 days are removed automatically when new backup is created. (!) If system drive contains less than 1 GB of free disk space backups will not be created (!). You will see a warning in the section O7 - TroubleShoot: Free disk space on C: is too low = NNN MB.

[dragokas]

2.7.0.11 - Oct 06, 2017 EDS: fixed critical error in caching mechanism. Now program will always run from the main menu, if not setted mark "Do not show this menu after starting the program". Earlier 2-nd program execution led to transition to the scan results window.

[dragokas]

2.7.0.12 - Oct 07, 2017 Added detection of OS Revision.

[dragokas]

2.7.0.13 - Oct 25, 2017 Added animation of progressbar in task bar when scanning processed. Fixed work of ignore list. Added O4 - HKLM..\BootExecute Added O4 - HKLM..\FileRenameOperations Cheking of launching from %temp% is now ignored for the switch /silentautolog and other switches. Added possibility to install HiJackThis in folder 'Program Files' and menu 'Start' (File -> Install HJT). Restored function of automatic HJT scanning at system startup. Added button "Add ALL to ignore list" in context menu. Added command line switch /install - to install HJT. Added command line switch /autostart - to set HiJackThis for automatical scanning at system startup (use with /install) Added warning if system has outdated Service Pack. Added jumping to file or registry record via the result scanning window (look to right mouse click, Context menu => Jump to Registry / File).

[dragokas]

2.7.0.14 - Oct 27, 2017 R3 - Default URLSearchHook is missing: added CLSID fix R3 - fixed error with redirector. O2 - added checking of HKCU keys O3 - added checking of HKCU keys O3 - removed some white lists O3 - added cheking of \Software\Microsoft\Internet Explorer\Explorer Bars O8 - added checking of HKLM keys Improved compatibility with Windows 2k.

[dragokas]

2.7.0.15 - Nov 03, 2017 All windows from 'tools' section will no longer lost the focus when you move mouse to the some items of main window. F0, F1 didn't work after 2.7.0.1 (fixed). F0, F1 is now show full path to file. O1 - accelerated fix. R1 - for ProxyServer: added displaying of status (enabled / disabled) R1 fix for ProxyServer: added disabling of proxy. O3 fix: added fix of WebBrowser and ShellBrowser keys.

[dragokas]

2.7.0.16 - Nov 06, 2017 O17 - DHCP DNS: fixed error when DNS is not displayed (curve code from Microsoft ^).

[dragokas]

2.7.0.17 - Nov 21, 2017 Added opportunity to download and launch programs for checking and cure shortcuts (Check Browsers' LNK & ClearLNK) via the menu Tools -> Shortcuts. Accelerated creating of huge and debugging logs (optimized class of strings concatenation StringBuilder). Accelerated creating of huge logs in /silentautolog mode (records are no longer added to ListBox). Fixed crash due to the ListBox overflow in /silentautolog mode.

[dragokas]

2.7.0.18 - Nov 25, 2017 Added cheking of registry type virtualization. No more double records for keys in log, if key has 'Shared' type. Added universal iteration of registry hives. Now all hives: HKLM / HKCU / HKU (default, SID of services and other logged users) will be checked in every section. Added O4 - Win9x BAT: C:\Windows\System32\Batinit.bat Added O4 - Win9x BAT: C:\Windows\WinStart.bat Added O4 - Win9x BAT: C:\Windows\DosStart.bat Added O4 - Win9x BAT: C:\AutoExec.bat Added O4 - WinNT BAT: C:\Windows\System32\AutoExec.nt Added O4 - WinNT BAT: C:\Windows\System32\Config.nt Added O4 - AlternateShell (SafeBoot): Added O4 - ScreenSaver: Added O4 - RunOnceEx: Added O4 - RunServicesOnceEx: Added O4 - Autorun.inf: Added O4 - MountPoints2: Added O7 - Taskbar policy: O16 - Trusted Zone and Trusted IP range: added checking of https protocol. O16 - ProtocolDefaults: added cheking of ldap, news, nntp, oecmd, snews, knownfolder protocols. Added O21 - ShellExecuteHooks: Introduces a new postfix "(folder missing)". Added selection of menu item in scan results window by right mouse button click.

[dragokas]

2.7.0.19 - Dec 02, 2017 Added new Microsoft root certificate's hash.

[dragokas]

2.7.0.20 - Dec 04, 2017 /silentautolog - fixed error, when logfile cannot be created O22 - Task: Reworked. Removed dependency from task scheduler service. O22 - Task: Added support of output of several actions for 1 job. O22 - Task: Added checking of legitimacy of ComHandler-jobs. O22 - Task: The output of the job status (Running / Ready / Queued) is abolished, only the status "Disabled" is left. O22 - Task: Added ability to remove damaged jobs. Removed section O4 - Autorun.inf: Removed section O4 - MountPoints2:

[dragokas]

2.7.0.21 - Dec 07, 2017 Updated whitelists. Added horizontal scrollbar to the ignore list window. O4 - HKLM..\FileRenameOperations: disabled output of entries, related to delayed deletion ( -> DELETE marks). O22 - Task: added mark "(telemetry)" for entries, related to collection of statistics and tranferring to Microsoft server. O22 - Task: removed marks "(Microsoft)" in tasks, that executes via host-process (cmd.exe, schtasks.exe e.t.c.) Switch /ihatewhitelists - fixed. Added switch /default - to load default settings (useful together with /silentautolog in case user changed settings himself). It is not affect ignore list. Added switch /skipIgnoreList - do not load ignore list. Added switch /timeout:sec, where 'sec' is a number of seconds allowed for HiJackThis to be run in /silentautolog mode until emergency shutdown (180 sec. by default); 0 - to disable. Added output of time zone. Correcting errors in the backup module.

[dragokas]

2.7.0.22 - Dec 09, 2017 Updated whitelists. O17 - Removed ControlSet[x], referenced by the CurrentControlSet.

[dragokas]

2.7.0.23 - Dec 10, 2017 O22 - Task: Added parsing of .job files O7 - Policy: [Untrusted Certificate] - added verification of the list of untrusted digital signature certificates and their analysis.

[dragokas]

[2.7.0.24] - Dec 15, 2017 Fixed error where log file created as trimmed due to the NUL characters. Uptime is removed. Finished translation of the list of updates into English. Lists of updates of HJT, StartupList and ADSSpy are added to the tab in menu "Help" -> About HJT -> History. R4 - SearchScopes: Changed format of log line.

[dragokas]

[2.7.0.25] - 17.12.2017 Updated list of certificates on XP.

[dragokas]

[2.7.0.26] - 23.12.2017 Updated list of DNS. O4 - Added output of folders in Autostart directories. O2, O3 - fixed heuristic cleaning. R4 section - DefaultScope is merged with R4 - SearchScopes. Little speed optimizations.

[dragokas]

[2.7.0.27] - 25.12.2017 O7 - Fixed output of certificates' owner name. O7 - Added output of owner's name for certificates not listed in HJT database. O7 - Added item "Policy: [Untrusted Certificate] Fix all items from the log", to fix all certificates at once listed in the log, if number of lines > 10.

[dragokas]

[2.7.0.28] - 01.01.2018 Fixed app crash when program is finishing its working. Updated and improved script for retrieving new crash dump of program: http://dragokas.com/tools/debug/GetHJT_dump.zip

[dragokas]

[2.7.0.29] - 19.01.2018 All sections of the log are unified to cover a single template "Section prefix-bitness" - "optional, section name": "hive..\key": "optional, subkey" [parameter] = value "Compressed" log O7 - IPSec: in case system has several identical rules. Deleted attribute O7 - TroubleShoot: [EV] (environment value is altered) Added attribute O7 - TroubleShoot: [EV] (folder is not exist) Added attribute O1 - Hosts: is damaged (contains NUL characters only) Attempting to fix a line with a legitimate file will now call SFC for it. Separated into several lines with the possibility of separate fixes:

• O4 - HKLM..\Session Manager: [BootExecute]
• O17 - ... Parameters: [NameServer] (finalized)
• O20 - HKLM..\Windows: [AppInit_DLLs]
• O26 - IFEO (global). Added a forbiddance to the program to reboot the server OS with a request to the user to do it manually. Fixed the detection of some editions of server OS. Added bringing of the HJT window to the foreground as soon as the scan is complete. Improved file search by %PATH%.

[dragokas]

[2.8.0.2] - February 02, 2018 Logs: Log "Environment variables" replaced by with the output of all environment variables of the current process. O7 - Policy: [Untrusted Certificate] Black list of certificates and "Well-Known cert." attribute are removed. Added option "Additional scan" (disabled, by default). It can be enabled in File -> Settings

Scan: O4 - PendingFileRenameOperations (moved to "Additional scan") O4 - Autorun.inf (added to "Additional scan") O4 - MountPoints2 (added to "Additional scan") O22 - Task: added attribute "(activation)" for tasks related to OS activation. O22 - Task: added attribute "(update)" for GWX tasks ("Get Windows 10"). O23 - Service: added output of arguments.

Errors: Fixed bug, that lead to absence of process list in XP. Fixed bug in working with collections, that could lead to application crash. Fixed several errors, when O23 malware entries were not included in report. Fixed app crash when user attempt to close it before StartupList2 finishes its working. Fixed work of checkbox "Mark everything found for fixing after scan". Fixed bug when trying to add HJT to startup beeing launched via Start menu and also on XP/2k systems.

Protection: Improved protection against removing system files when EDS mechanism is damaged. Added protection from finishing system critical processes.

Fixes: O21: added restarting of Explorer. O4: added process freezing. O22: added finishing of task.

Interface and other: Added icons to the tools and removed unused from resources. Added multilingual description in file properties (DE/FR/EN/RU). Menu "Misc Tools" is reorganized:

• additional settings is moved to main settings menu;
• added section "Plugins";
• added buttons "Registry Keys Unlocker" and "Digital signature checker".

Main settings are splitted into categories:

• Scan area
• Scan options
• Fix & Backup
• Interface

Option "Ignore Microsoft files" is renamed into "Ignore Microsoft entries" Option "Ignore non-standard but safe domains in IE (e.g. msn.com, microsoft.com)" is absorbed by "Ignore Microsoft entries". Added tooltips to some checkboxes. When HiJackThis.exe launches from archive, now it is asking for unpacking into {Desktop}\HiJackThis subfolder, not a root of desktop. Improved scan speed on highly-loaded systems in /silentautolog mode. Added command line keys: /Area:Process - include list of running processes in report /Area:Environment - include environment variables in report /Area:Additional - execute "Additional scan" Whitelists has been updated.

[dragokas]

[2.8.0.3] - February 03, 2018 Disabled O7 - IPSEC items is removed from the log. Improved working of options "Ignore Microsoft entries" and "Ignore All whitelists" when switching a checkbox to non-default value. O22 - Task: fixed error in output of status "(disabled)".

[dragokas]

Added notice about test (experimental) version in the 1-st post.

[dragokas]

Short tutorial on HiJackThis is now updated to cover Fork v.2.8.0.50 and newer.

[dragokas]

Short English tutorial on HiJackThis is now updated and moved to dragokas.com official site

[dragokas]

[2.9.0.1] - October 20, 2018 Log: v Improved format of the log lines. v Added mark "No suspicious items found!", if the number of entries = 0. v Added display of 'Scan mode': if enabled "Additional scan", "Environment variables", "Ignore ALL Whitelists" or disabled "Processes", "Hide Microsoft entries".

Backups: v Added backup/restore of O23, O25. v Restoring of library registration. v Restoring of the file attributes and time stamps. v Restoring of initial security rights on file / registry key (thanks to Kazakevich Aleh for help). v ABR from Dmitriy Kuznetsov is updated to v1.05 (improved compatibility with Win10 build 1803).

Main scan: v O5 - 'Blocked IE Options' - section is renamed and expanded to cover any hidden control panel items; added compatibility with Vista+. v O7 - Added detection of policies: NoViewOnDrive, RestrictRun, DisallowRun, NoControlPanel, LockTaskbar, NoDispCpl, NoDrives, DisableTaskMgr. v O7 - Added detection of restricted DACL permissions on some Policy and Certificate keys. v O7 - TroubleShooting: (EV) - added checking presence of essential system folders in %PATH%. v O10 - LSP: whitelist is removed. Checking is performed by EDS. v O10 - LSP: is now display all chain gaps and unknown providers and doesn't stop on the first found. v O18 - Protocols/Filters: criteria of checking is replaced with EDS; added check for registry subkeys. v O22, O23 - Windows Defender items are temporarily added to whitelist. v O26 - Added detection of UWP applications debugger

"Additional scan": v Added subsection O23 - Drivers: - list of loaded drivers. v Added subsection O23 - Dependency: (experimental), consist of 3 groups:

• Microsoft Service 'X' depends on non-legit service: 'Y'
• Microsoft Service 'X' depends on non-legit group: 'Y'
• Microsoft Service Group 'X' contains non-legit service: 'Y' (Note: some 3d-party services can legally add their records to Microsoft Service Group)

"Environment variables" scan: v Added listing of special folders. v The environment variables are supplemented and divided into categories "[User]", "[System]", "[Current process]".

Fixes: v O22 - Added removing of task's executable (if it is not belong to Microsoft). v O23 - Added cleaning of legit services dependency from the service that is being deleted.

Compatibility: v Added compatibility with DBCS-systems (locale-independence). v Added compatibility when launch via Local System context:

• also mark "<=== Attention! ('Local System' account)" will be displayed in the log.
• some tools will not be available in this mode due to security reasons. v Reduced CPU loading in the "Scan on system boot" mode. v File choosing dialog boxes are now support x64 bit folders (c:\Windows\System32). v Checking the write access for new log is replaced by AccessCheck() API to not interfere with AV. v Improved protection against BSOD.

Errors: v Bug: Fixed cases in Win8/10 when line O4 is marked as StartupApproved (disabled) instead of Run\Run32. v Bug: Fixed crash while HiJackThis finishing its work when launched from archive. v Bug: Fixed issue with 0 bytes size of the log, if StartupList was start just right before. v Bug: Fixed access denied while reading some tasks (thanks to Sandor for testing). v Bug: Fixed the failure of some functions when setting a specific date format in the system. v Bug: Fixed issue with displaying binary data in LSP log. v Finished "Jump to Registry/File" menu for O23 and other sections. v StartupList: added tracing the errors in /debug mode, fixed some errors that caused crash (thanks @Hostn4me for testing).

Updates checking: v Bug: Fixed updates checking. The program is untied from github due to problems with https on XP and is now downloaded from dragokas.com. v Added proxy support (Note: Socks5 is not supported) (thanks Sandor for testing). v Added option "Update to test versions" - if you want to receive the latest updates without waiting for a stable release. v Added option "Update in silent mode" - the program will automatically update and restart with the initial command line keys.

Interface: v Added ability to choose the font (for whole interface or for scan results list and input fields only). v Improved interface navigation during scanning. v The autoscrolling of the scan results list has been removed. v Horizontal scroll bar is added before scan is complete.

Translation:

• The translation into Russian of the list of changes to individual Misc tools was completed.
• Added ProcMan list of updates.
• The Netherlands part is translated into English.
• The spelling of the Ukrainian translation has been improved.
• Updated English text with spell and grammar checking (thanks to Tanner Helland).

Tools: v START menu is appended with shortcuts of separate tools and plugins (upon installation of HiJackThis). v Accordingly, added command line keys:

• /tool+StartupList
• /tool+UninstMan
• /tool+DigiSign
• /tool+RegUnlocker
• /tool+ADSSpy
• /tool+Hosts
• /tool+ProcMan
• /tool+CheckLNK
• /tool+ClearLNK

v Uninstall programs manager is updated to v2.0:

• Interface and format of the log lines is changed.
• Improved x64 compatibility.
• Added "Hidden" mark for the programs that could not be uninstalled via default Control Panel snap-in.
• Added (no Uninstall command) mark for the programs that have no string to call uninstaller.
• Added (User: username) mark for the programs that requires log in of another user to be properly uninstalled.
• Added jump to registry key.
• Added filter by HKCU / HKLM / HKU / Hidden / No uninstall command / Common Software.

v Digital Signature Checker:

• Fixed errors "Access denied" when verifying some files, protected with DACL.
• Increased speed of system folder verifying.
• Fixed issue with failure to work on Windows 7x64 SP0 and under some another conditions.
• Added ability to verify and show 3d-party publisher of drivers on Vista+.

v ProcMan: added ability to enum modules of 64-bit processes. v ADS Spy: added button "Save log". v ADS Spy: added support of ReFS file system.

Tutorial: v Completed work on the renewed Russian manual for the Fork and v2.0.5: https://regist.safezone.cc/hijackthis_help/hijackthis.html (thanks to regist) v Updated short help on sections (on English, Russian and Ukrainian), available inside the program and web-site: http://dragokas.com/tools/help/hjt_tutorial.html

Command line keys: v Added and modified /Area command line keys (the old version will remain working for backward compatibility):

• /Area:Processes is replaced by /Area+Processes.
• /Area:Modules is replaced by /Area+Modules.
• /Area:Environment is replaced by /Area+Environment.
• /Area:Additional is replaced by /Area+Additional.
• Added key: /Area+Modules - adds a list of modules loaded by processes. In this case, their PIDs are displayed in the list of processes.
• Added keys: /Area-Processes, /Area-Modules, /Area-Environment, /Area-Additional - forcibly exclude the corresponding section from the log, even if it is enabled by user settings.
• Keys /Area have the highest priority over the others. v Added key /saveLog "Path" (or /saveLog "Path\File.log") - saves the report to the specified folder (and under the specified name, if the extension is specified as .log). v The key /silentautolog is now display a window in a miniature form. v The syntax of all keys is extended and now allows you to specify them with a hyphen, for example: -autolog

Other: v Installation of HiJackThis Fork is now available via command line (Chocolatey): 'choco install hijackthis' v Maximum limit of the file size to calculate MD5 is increased up to 100 MB. Added MD5 calculation to sections where it was forgotten. v Whitelists are updated for R4, O4, O7 - Untrusted certificates, O22, O23.

[dragokas]

[2.9.0.2] - Nov 6, 2018 Fixed cases with failures in reading O23 (error: "Collection key in not unique"). Fixed issues when copying to the clipboard.

[dragokas]

[2.9.0.4] - Nov 7, 2018 Fixed critical error when recursive read registry key (app crash on some backups). Improved speed of regular expressions.

[dragokas]

[2.9.0.5] - Nov 8, 2018 Improved speed of O7 - IPSec analysis.

[dragokas]

[2.9.0.6] - Nov 9, 2018 CSV-reports are now open in Notepad if association is not defined.

[dragokas]

[2.9.0.7] - Nov 16, 2018 Fixed false positives (e.g. O26) due to problems with buffer cleaning in registry operations.

[dragokas]

[2.9.0.9] - Nov 19, 2018 Added translation into French (thanks to Colok { Colok-Traductions.com }). Fixed problems with displaying extended character set of ANSI codepage. O22, O23 databases are updated.

[dragokas]

[2.9.0.10] - Nov 23, 2018 French translation is improved.

[dragokas]

[2.9.0.11] - Nov 26, 2018

• Source code builder script (makefile.cmd) has been improved:
  1. now it include compilation of dependencies.
  2. build Chocolatey project.
  3. source code building is verified and guaranteed on fresh Windows XP / 7 / 10.
• Most exe-files (helper-dependencies) have been removed from the GitHub repository due to false positives.
• R4 databases are updated.
• Donation information has been updated.
• MajorGeeks and Softpedia quality badges is added on project description page.

[dragokas]

[2.9.0.23] - June 09, 2020 (Nightly build)

• New certificates are added
• OSinfo: Windows Embedded is now detected and informed in log
• OSinfo: new OS Edition names are added
• Strict rules for HJT own command line parser
• Fixed ignore list broken due to Windows 10 specific update mechanism
• Some fixes on GUI, reboot, file access, path find, error description, HJT close, terminate process, shortcuts logic
• New private command line keys for donators are added:
  • Silently check system using 3rd party tools such as from Sysinternals and NirSoft
  • Automatically remove items detected on Virustotal if found
  • Selective silent HotFixes (like clear Hosts, Policies, bad certificates and so)
  • Basic anti-rootkit
• New public command line keys are added:
  • /noBackup - disable backup creation during the fix
  • /install /autostart d:X - install HJT in task scheduler to autorun with X sec. delay
  • /instDir:"PATH" - alternate installation path for HJT (by default: "%ProgramFiles(x86)%\HiJackThis Fork").
  • /noShortcuts - disable creation of shortcuts during HJT installation via /install
  • /! - stop command line keys parsing. Everything found after this key considers as keys for HJT autorun (instead of default /startupscan).
• Increased GUI max lines limit for O23 up to 750 items (default for other section is 250).
• Added detection of: ...\Policies\Explorer\DisallowRun
• O23 - Service Backup is improved.
• O25 - Revert Backup is fixed.
• Windows 7 EOS (and future Win 8/8.1 EOS) detection are added to O22 - Tasks

[dragokas]

[2.9.0.25] - Aug 2, 2020 (Nightly build - Release candidate)

Databases:

• Updated O22, O23 bases (MS Office, MS Visual Studio are also whitelisted if possible).
• O22 - Added the ability to analyze Microsoft rundll32 based tasks.
• Updated names of Windows editions.
• Appended well-known DNS lists.
• Reference IE StartPage, SearchPage, Search & Custom Assistant are replaced with msn.com or removed due to broken links.

Functional:

• Added checking of Windows / user startup-shutdown scripts policies.
• Added O18 - Printer Port: detecting suspicious file ports for Spooler Shadow Jobs (thanks to Alex Ionescu for the article and NickM for helping with the fix).
• When you request to restore from an ABR backup, a new backup is automatically created to enable rollback (may help to recover from a non-bootable state).
• Added calculation of files SHA1 hash; you can switch between SHA1 / MD5 in the settings.
• New switch: /sha1 - calculate SHA1 hash of files.
• Context menu: added "Disable / Enable" item for services and tasks.

Fixes:

• O22 - added compatibility with tasks in UTF16 encoding.
• Uninstall Manager: Fixed the "Save List" button (thanks to Severnyj for the notification).
• Improved ini file disinfection functions, added Unicode format processing.
• Improved registry backup functions, QWord support.
• The function to get the file size sometimes returned 0 for files from System32.
• Context menu is no longer blocked during ReScan.

Interface:

• Font for scan results changed "10" => "9" (Bold).
• Added left and right indents in the "About ..." menu windows.
• "About" - "Version history": fixed trimming of the end of the text.
• The scrolling position is no longer reset at the end of the scan.
• Fixed the transparency of the program icon.

Other:

• Updated internal manual on switches.
• All internet links are replaced with https.
• Added https protocol to the verification criteria.
• R4 - PendingFileRenameOperations disabled in /startupscan mode due to false positives.

[dragokas]

[2.9.0.26] - Aug 5, 2020

• Added partial compatibility when running as a limited user.

[dragokas]

[2.9.0.28] (Nightly) - Sep 1, 2020

• [New] Added subsection O26 - Tools:
• various tools run by user manually, that hijacked in some way, will live there.
• [New] Detection of Logon Screen Backdoor (Accessibility tools) is added to O26.
• [New] Detection of My Computer properties tools hijack (Defragger, Cleaner, Backup) is added to O26.
• [Fix] Fixed critical error in service whitelisting for x32 systems (thanks Sandor for report).
• [Fix] Registry Jumper didn't want to jump to parent key when target doesn't exist.
• Registry Key Unlocker: added the button "Open in Regedit".
• Size and position of every tool and main window as well are now preserved after exiting the program.
• [Limited user] Fixed crash when user updates HJT.
• [Limited user] Some HJT functions and tools are blocked for limited user. Run utility as admin!
• [Limited user] Generic improvement, preventing false positives in scan results caused by access deny.

[dragokas]

[2.10.0.1 beta] (Nightly) - Feb 01, 2021

New detections are added:

• O4 - some new detections and improved fixes.
• O5 - Applet: to detect custom and hijacked control panel items.
• O7 - AppLocker:
  • NOTE!!! Applocker is by default in whitelisting mode: everything that is not explicitly allowed, is blocked.
  • If you remove "(allow)" rule, this particular application/folder will be blocked, until you'll remove all the rules.
  • To remove all rules at once, it's better to fix the special line "O7 - AppLocker: fix all"
• O7 - KnownFolder: to detect and fix hijacked locations of "Known Folders".
• O7 - TroubleShooting: new environment variables are added.
• O22 - BITS Job: to detect foreign Windows Update Service jobs.
• O22 - Tasks: (damage) subsection is added to detect damaged and garbage tasks of such types:
  • (user missing) - when user/group is removed;
  • (no xml) - when xml file doesn't exist;
  • (key missing) - when associated reg. key doesn't exist;
  • (no key) - when no task keys are referred to;
  • (empty) - when tasks folder or key contains an empty record;
  • This doesn't include xml integrity/CRC check and "DynamicInfo / Triggers" validation.

Interface:

• Added ability to mark multiple items for fixing with 'Shift + Click'.
• Added "Copy" multi-context menu in scan results window (thanks @TheTrick for helping with Clipboard).
• Added "VirusTotal" multi-context menu in scan results window with options to check file/URL by hash or to submit file with SysInternals Autoruns.

Report:

General:

• Sorting is now going in correct alphabetical order + increased the speed.
• O4 - Startup subsections are renamed to improve the sorting. /Area:Environment:
• Added registry report of "User Shell Folders" and "Shell Folders" in addition to CLSID-based report. Why? Because Microsoft doesn't follow its own 'Best Practice' from MSDN. lol. Modules "Check Browsers' LNK" & "ClearLNK":
• Suppressed "Allow to download..." request when silent mode is selected in "Update" settings.
• Added auto-update feature (whenever you run the tool) - not often than once per month.
• Introduced the strong verification for the file digital signature before execution.
• Tools are now will be downloaded in \Tools\Scan subfolder of HiJackThis dir or installation dir if one is performed.

Other:

• O4 - Fixed reading the other users startup folder; added user name postfix in log.
• O25 - Fixed rare error in connecting to WMI.
• Updated and improved LoLBin list check mechanism.
• Improved registry functions.
• Corrected free buffer (ILFree => CoTaskMemFree).
• Explicitly allowed expired Microsoft certificates (without timestamp).
• Updated whitelists of O2, O22, O23.
• Added switch /skipErrors - do not show error messages and prevent warnings and errors from writing to log file at all.
• Added switch /sha256 - calculate SHA256 hash of files.
• Fixed hash progressbar.

Tools:

Digital Signature Checker:

• Improved speed, sorting, added columns - Certificate "Valid From", "Valid Until"; exchanged columns "File Name" / "File Path". Uninstall Manager:
• Fixed "Uninstall application" button is not always worked. Process Manager:
• "Save" button auto-refreshes process list.

Special thanks to Sandor and regist for samples, testing and suggestions.

[dragokas]

[2.10.0.2 beta] (Nightly) - Feb 03, 2021

• VirusTotal: added compatibility with Windows XP SP3 (thanks to @wqweto for help).
• Fixed error in O21 scan (thanks to @Sandor-Helper for reporting).
• Fixed BSOD on AppLocker fix, caused by MS GPUpdate. Instead, reboot will be prompted.
• Fixed error in hashing the backup while fixing the items (thanks to regist for testing).
• Updated certificates (thanks to @akokSZ for reporting).
• Improved reset ACL, icacls.exe / takeown.exe are no more used.
• Fixed ability to restore the item even if backup system failed to retrieve the file hash.

[dragokas]

[2.10.0.3 beta] (Nightly) - Feb 05, 2021

• All HKU.DEFAULT prefixes are replaced by "HKU\S-1-5-18".
• O4 - Run* - is now contains postfix with username for service Sids as well.
• O7 - Policy: fixed DisallowRun item state.
• Fixed unicode strings detection in US Locale.
• Fixed missing restore feature in ABR backup.

[dragokas]

[2.10.0.4 beta] (Nightly) - Feb 07, 2021

• Micro-optimizations.

[dragokas]

[2.10.0.5 beta] (Nightly) - Feb 08, 2021

• Search window: added option to search in filtering mode (only scan results window).
• Search window: added option to mark all items automatically in filtering mode.
• Search window: options are now can be saved with a diskette button.
• Fixed throwing error when you close the program after fixing the item.
• Improved path arguments parser.
• Improved file/folder permissions reset.