Please give input on a couple security related questions
pangea33
08-28-2005, 05:01 AM
Hi, all. I've been lurking for a while and doing research in an attempt to answer my own questions, but there are still some things I'd like to ask the experts. I figured it made more sense to put them all into one post, hoping the answers would be helpful to others. If that is poor etiquette please let me know, and I won't do it again.
1) I've never seen anyone talk about registering HijackThis as a service, and can't find any info because the search results are always flooded with unrelated logs that have been posted. I execute HJT with my user credentials (obviously) and the account is part of the administrator group. HJT doesn't show all the processes that Ewido does, and the latter is registered as a system service.
Specifically there are a couple entries in Ewido that start with "\??\C:\Windows\system32", one is "csrss.exe" and the other is "winlogon.exe". HJT shows the winlogon.exe process, but not the other. Searches have indicated that the "\??\" means it's a system file and I therefore can't modify it. Not sure if I buy it though, because HJT doesn't render the "\??\" when it shows the path.
2) Spybot shows all of the processes, but the lower window doesn't automatically show all of the dlls that have been used. I noticed that there was a vertical scroll bar, but nothing on the page. After clicking in the blank area Spybot pops up details about the dlls, but it seems weird to me that the details aren't showing on that page.
3) I recently chose to install Avast as my AV utility, and was configuring the settings. The web scanner ignores *.gif and *.png files by default, but not *.jpg files which are found all over the place. I've seen warnings about ".jpg.exe" exploits, but my PC is configured to show hidden files and extensions including most of the ones hidden by default, such as *.scf. Scanning every jpg file causes pages to load a lot slower. Is there some other exploit that I just haven't heard about yet, or am I safe to skip that scan? I've started using Firefox, if that impacts the answer.
Input on any of these questions would be very much appreciated. Thanks in advance, and for all the great responses in the past.
Budfred
08-28-2005, 09:29 AM
I am not entirely sure what your questions are, but I will try to respond to what I think you are asking...
1. HJT is intended to scan the Registry for Startup programs and Ewido is meant to scan the entire system for malware... HJT is a scanning tool only, it is not meant to do any automatic fixes and it requires a trained eye to sort out what may need to be fixed.... It will delete Registry entries and do a few other functions at the user's request... Ewido is meant to do automatic scan and cleanup... it is more comparable to Spybot or an AV program than to HJT....
2. It sounds like you are talking about how the Spybot people chose to do the interface... I am not sure what the problem is...
3. It depends on the degree of risk you are comfortable with... If you are surfing porn sites, I would say to definitely keep maximum protection on... If you are careful about where you go on the web, you may be able to skip it... Setting Windows to show file extensions will not reliably tell you if a file on the web is showing those extensions... There are many jpgs that may download without you even knowing it as you surf...
pangea33
08-28-2005, 08:27 PM
Thanks for the reply, Budfred. Sorry if I wasn't very clear before. Please allow me to sum up.
Regarding HJT: Why is it unable to see processes that appear in other process analysis tools? Is that because it's running as a user account, or does it indicate that there may be a problem? I likened it to Ewido only because they both show the running processes, although Ewido runs as a service vs. the HJT credentials. Perhaps I used the wrong terminology. Specifically I am referring to the Itty Bitty Process Manager that comes bundled with the HJT tool set.
Regarding Spybot: I can see all the dlls for some processes, while the dlls of some other processes initially appear to be hidden. In some cases only about 30% are displayed in a readable format. Does that indicate the possibility of a problem, or is it just poor interface design? Seems to me that such a "feature" would be documented somewhere, considering the security-minded demeanor of their target demographic.
Regarding JPGs: You said "There are many jpgs that may download without you even knowing it as you surf". This doesn't really seem like a big deal to me, as I am not trying to block any graphic images. I am simply wondering if there is a need to check every single jpg for viruses, or if I can exclude the analysis of those files. Avast will let me skip scanning for specific file extensions. I am unaware of any viruses infecting a computer by simply rendering a jpg, either in the browser or an image utility application. Is this a false sense of safety on my part, or is the Avast tool simply being overzealous in what it chooses to scan?
Hope this clears up my rambling from before, and would appreciate further feedback from anyone who cares to take the time. Thanks again for everything.
Budfred
08-28-2005, 09:13 PM
I am not really sure what you are asking about HJT... It is a basic tool that reads entries in the Registry... Ewido and other similar tools read a much wider array of files and programs in your system... They don't read the same stuff by design, not due to a problem...
Your best bet on the Spybot question might be to visit their forums and ask there...
My point about the JPGs is that they can have code embedded in them and they can hide extensions... If you don't have active protection, you are at some risk... If your AV is visibly slowed by this, you may want to consider trying a different AV... I don't notice any slowing with NOD32...
pangea33
08-28-2005, 10:38 PM
I am not trying to be disrespectful, but I don't think we're going to be able to agree on the first point. I will concede that the first window you see when launching HijackThis scans the registry. If you then click "config" in the lower right corner, you're taken to additional tools. There is a system tool labeled "Open Process Manager." This takes you to a screen displaying currently running processes, including the current process ID. This is likely to be different every time you boot up, and every time you stop a process that gets restarted. There is also a checkbox to show all the dlls that each process invoked.
I have a hard time believing that this information is continuously written to and read from the registry. New processes are always firing off, and the task manager can show how their allocated memory and CPU time varies at any given moment. The processes themselves are volatile and are stored in memory, otherwise our resources wouldn't be limited by RAM, they'd be limited by hard drive space. Pagefile excepted, because the registry isn't stored there or we'd lose it when putting the swap space on another drive.
Fair enough on the Spybot point.
This hidden code in the jpgs is specifically what I was asking about. I've not been able to find any info about their dangers, other than hidden extensions. Thanks for your input.
Budfred
08-28-2005, 10:58 PM
I am afraid that I don't even know what the question is that you are trying to sort out... My point is that HJT is not a service and that is why you don't see anything in Services... The only things it can scan are at the level of a program that is not integrated into Windows.... It can look at various things that are available at that level... Have you looked at Merijn's information about it??
http://www.merijn.org/
pangea33
08-28-2005, 11:26 PM
I apologize if I came across as rude, I was just a little frustrated. I'll look deeper into Merijn's site and see what turns up. Seems like the obvious place to look for the info, I just didn't see anything when I was there last time.
This horse I'm beating has no more life in it, but I just want to let you know what was the impetus behind all of this. Ewido is just an executable file, but it was able to be registered in the services, and run with the authority of "system".
You can register an executable as a service from the command prompt. Presumably, you can then modify the Log On settings in the services control panel to run as the Local System account. I surmised that this would allow HJT to interact with Windows at a lower level than my user account.
It is now quite evident that a little bit of research on my part could produce the answer to this. Thanks a lot for the back and forth though, this idea didn't come to me until I read your comments and thought through the problem a little further.
User defined service:
Creating Services:
Adding Service (Note: The space between binPath= and "C:\..." has to be there.)
<path>\sc.exe create "Service Name" binPath= "C:\Your Program.exe"
Removing Service
<path>\sc.exe delete "Service Name"
Controlling Services:
Starting Service
<path>\sc.exe start "Service Name"
Pausing Service
<path>\sc.exe pause "Service Name"
Stopping Service
<path>\sc.exe stop "Service Name"
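The sc.exe commands above register any executable path as a service, so a defender's counterpart is to audit what is actually registered. The following PowerShell script is an added example (not from the thread or from HijackThis/Ewido): it lists services that log on as LocalSystem from an image outside the Windows and Program Files directories, and flags image paths containing spaces that were registered without the quotes the note above insists on. It assumes Windows PowerShell 5.1 or later with the CIM cmdlets available.

```powershell
# Added example, not from the thread: audit services for the configuration the
# sc.exe commands above produce (an arbitrary .exe registered to run as LocalSystem).
# Assumes Windows PowerShell 5.1 or later with Get-CimInstance available.

# Directories a service image is normally expected to live under.
$trustedRoots = @(
    "$env:SystemRoot\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
) | Where-Object { $_ -ne '\' }   # drop entries whose variable is unset

function Get-ImagePath {
    # Recover the executable from a service PathName that may carry arguments:
    #   "C:\Your Program.exe" -arg   ->  C:\Your Program.exe   (quoted)
    #   C:\Program Files\x\y.exe -a  ->  C:\Program Files\x\y.exe (unquoted)
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"')   { return $Matches[1] }
    if ($PathName -match '^(.*?\.exe)\b') { return $Matches[1] }
    return ($PathName -split ' ')[0]     # last resort: first token
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }   # a few services carry no image path
    $image    = Get-ImagePath $svc.PathName
    $isSystem = $svc.StartName -eq 'LocalSystem'
    $offRoot  = -not ($trustedRoots | Where-Object { $image.StartsWith($_, 'OrdinalIgnoreCase') })
    # An unquoted path with spaces is resolved token by token by the service
    # control manager, which is why the sc.exe example quotes "C:\Your Program.exe".
    $unquoted = ($svc.PathName -notmatch '^"') -and ($image -match ' ')

    if (($isSystem -and $offRoot) -or $unquoted) {
        [pscustomobject]@{
            Name      = $svc.Name
            Account   = $svc.StartName
            StartMode = $svc.StartMode
            State     = $svc.State
            Image     = $image
            Issue     = @(
                if ($isSystem -and $offRoot) { 'LocalSystem image outside Windows/Program Files' }
                if ($unquoted)               { 'unquoted image path containing spaces' }
            ) -join '; '
        }
    }
}

$findings | Sort-Object Name | Format-Table -AutoSize
```

Review each hit against the vendor's documentation before touching it; many legitimate third-party services run as LocalSystem from their own install directory.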
hockey man
08-29-2005, 01:10 AM
One thing, I understand HJT will not show user x's info if you're logged on as user y.
Budfred
08-29-2005, 09:08 AM
Merijn may be changing that in the next version...