HJT version, newest??


malcore
07-13-2004, 02:17 AM
Just curious what is the newest version of HJT?

I downloaded 1.98.0 on 6/29. It includes the F0 and F2 items as below:

Logfile of HijackThis v1.98.0
Scan saved at 14:09:32, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Grisoft\AVG6\avgserv.exe
D:\AGNITUM\OUTPOS~1\outpost.exe
C:\WINDOWS\Explorer.EXE
D:\HijackThis\HijackThis.exe

F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] D:\Agnitum\Outpost Firewall\outpost.exe /waitservice

I downloaded what Merjin called an updated version on 7/2, the F0 and F2 items are now gone as below:

Logfile of HijackThis v1.98.0
Scan saved at 14:08:59, on 7/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Grisoft\AVG6\avgserv.exe
D:\AGNITUM\OUTPOS~1\outpost.exe
C:\WINDOWS\Explorer.EXE
D:\HijackThis\1.98\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Outpost Firewall] D:\Agnitum\Outpost Firewall\outpost.exe /waitservice

Both are labeled version 1.98.0, but are different. I have seen Budfred mention that the F0 and F2 items may now be considered possible signs of malware, the comma after user.init.

Is there yet a third version now, where the F0 and F2 items are back?

These items can't be signs of malware, as they show up on another computer I just built, using all new parts and has never been connected to the net.

shanmuga
07-13-2004, 05:39 AM
AFAIK :)

"Just curious what is the newest version of HJT?"

The latest version is still 1.98. The 1.98 recently made available for download includes the hotfix which, among other things, fixes the ghost F0, F2 items. As you rightly put, 'Both are labeled version 1.98.0, but are different'.

"I have seen Budfred mention that the F0 and F2 items may now be considered possible signs of malware, the comma after user.init."

F0 - Changed inifile value
F2 - Changed inifile value, mapped to Registry

Even if you try to fix those ghost F0, F2 entries in your first log (Using the first version of 1.98) HJT won't fix them, it's probably because there's nothing to fix.

F0 - system.ini: Shell=
This is an empty entry, no need for HJT to tag. Now fixed in the hotfix.

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe
This is an example of a baddie loading from system.ini

Likewise for F2, the default value is C:\WINDOWS\SYSTEM32\Userinit.exe, (note the comma at the end). This value could be hacked by malware to read:
C:\WINDOWS\SYSTEM32\Userinit.exe, trojan.exe
If there is nothing after the comma, no need to fix.

HijackThis should tag the contents of this key if the comma is missing (now fixed) and it's OK to have it fixed though it's harmless.
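The F0/F2 rules shanmuga lays out above, written out as a small log-triage script. This is an added example for this thread, not HijackThis code and not something any of the posters provided. It assumes the stock UserInit path ends in \system32\userinit.exe (C:\WINDOWS on XP, C:\WINNT on 2000), treats an empty Shell= or a missing trailing comma as harmless, and flags anything launched alongside Explorer.exe or after the comma. The sample log lines are constructed from the values quoted in this thread.

```python
import re
from typing import List, Optional, Tuple

# Verdict labels for F0/F2 entries (this scheme is the example's own, not HJT's).
OK = "ok"              # default value, nothing to fix
HARMLESS = "harmless"  # non-default but benign: ghost/empty entry, missing trailing comma
SUSPECT = "suspect"    # an extra program is being launched with the shell or at logon

# Matches "F0 - system.ini: Shell=..." and "F2 - REG:system.ini: UserInit=..."
ENTRY_RE = re.compile(
    r"^(F0|F2)\s+-\s+(?:REG:)?system\.ini:\s*(Shell|UserInit)=(.*)$"
)


def parse_entry(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (section, key, value) for an F0/F2 log line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3).strip()


def classify_shell(value: str) -> Tuple[str, str]:
    """F0: the system.ini Shell= value should name Explorer.exe and nothing else."""
    if value == "":
        return HARMLESS, "empty Shell= value (ghost entry reported by the first 1.98 build)"
    programs = value.split()
    if programs[0].lower() != "explorer.exe":
        return SUSPECT, "shell replaced: %s" % value
    if len(programs) > 1:
        return SUSPECT, "extra program(s) started with the shell: %s" % " ".join(programs[1:])
    return OK, "default shell"


def classify_userinit(value: str) -> Tuple[str, str]:
    """F2: UserInit= is '<path>\\userinit.exe,' by default; anything after the comma also runs at logon."""
    head, comma, tail = value.partition(",")
    # Assumption: the stock path ends in \system32\userinit.exe whatever the Windows directory is.
    if not head.strip().lower().endswith("\\system32\\userinit.exe"):
        return SUSPECT, "userinit path is not the default: %s" % head.strip()
    if not comma:
        return HARMLESS, "trailing comma missing (HJT tags this, but nothing extra runs)"
    tail = tail.strip()
    if tail:
        return SUSPECT, "extra program after the comma: %s" % tail
    return OK, "default userinit value"


def triage(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Classify every F0/F2 line in a log; other sections (O2, O3, O4, ...) are skipped."""
    results = []
    for line in lines:
        parsed = parse_entry(line)
        if parsed is None:
            continue
        section, key, value = parsed
        verdict, reason = classify_shell(value) if key == "Shell" else classify_userinit(value)
        results.append((section, verdict, reason))
    return results


# Constructed sample: the two values from the thread's logs, the two "baddie" shapes
# shanmuga describes, a comma-less UserInit, and one unrelated O4 line to be skipped.
SAMPLE_LOG = [
    r"F0 - system.ini: Shell=",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,",
    r"F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\System32\System32.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe, trojan.exe",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe",
    r"O4 - HKLM\..\Run: [Outpost Firewall] D:\Agnitum\Outpost Firewall\outpost.exe /waitservice",
]

if __name__ == "__main__":
    for section, verdict, reason in triage(SAMPLE_LOG):
        print("%s  %-8s  %s" % (section, verdict, reason))
```

Run against the sample, the two entries from the original log come back harmless and ok, the two examples of a hijacked value come back suspect, and the comma-less UserInit is tagged harmless, which is the same call shanmuga makes: the comma itself is not the problem, what follows it is.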

malcore
07-13-2004, 05:59 AM
Pretty much what I figured also. Just wanted to be sure, as many are still posting logs using the first 1.98.0.

Thanks shanmuga. :)

Sylvander
07-13-2004, 06:53 AM
So when did it change from the old to the new version of 1.98.0?

I got mine on June 30th.

malcore
07-13-2004, 07:14 AM
Maybe a day or two after you got yours Sylvander. I got the first on June 29 and the second on July 2, which I believe is when it was available.

I checked the .exes of both. The first 1.98.0 version is 185,344 bytes.

The second is 185,856 bytes.

Sylvander
07-13-2004, 07:53 AM
I just updated to the latest version of 1.98.0 and it was a slightly bigger file than the previous 1.98.0.

I think I'll post a new log before making an ignorelist.

Budfred
07-13-2004, 11:09 PM
Merijn did a hotfix to 1.98 to deal with some glitches, so it isn't a totally new version and he apparently didn't add a version sub-number to identify it...

The F2 thing is still being debated, but it is looking like what shanmuga said is right... The comma only indicates a problem if there is something bad VISIBLE after it...