
HJT: List of updates

Open dragokas opened this issue 7 years ago • 91 comments

Here we'll publish the list of the most recent HiJackThis Fork updates.

If you want to test the (experimental) version that usually comes out before the source code is actually pushed, you can download the nightly build from this link: https://dragokas.com/tools/HiJackThis_test.zip


For the full history (since v.2.6.1.0 Alpha Fork) - Oct 12, 2015 based on official v2.0.6, see: HiJackThis menu "Help" -> "About HJT" -> "History", or ./src/_ChangeLog_en.txt file. Russian version is here.

dragokas avatar Aug 17 '17 00:08 dragokas

2.6.4.21 - Apr 17, 2017

  • R4 - new whitelist mechanism for Bing.
  • R4 - fix is improved.
  • O4 - Startup other users: earlier the same user folder name was always displayed.
  • O21 - added checking ShellIconOverlayIdentifiers.
  • O21 - added checking EDS for pre-installed Microsoft dll-files.
  • O7 - TroubleShoot: new group. It displays damaged system settings that can lead to OS malfunction.
  • O7 - TroubleShoot: added checking of environment variables - %TEMP%, %TMP%.
  • O2, O3, O22: improved compatibility with x64.
  • Added interface locking while scanning via AutoLogger (the /silentautolog key is affected).

dragokas avatar Aug 17 '17 00:08 dragokas

2.6.4.24 - Apr 24, 2017

  • File deletion mechanism is improved.
  • Added section O26 - Image File Execution Options.
  • Translation to Russian has been finished.
  • Revision and additions to program's internal help is finished (Help => About program => Sections).
  • Fixed error while starting program from read only drive.

dragokas avatar Aug 17 '17 00:08 dragokas

2.7.0.1 - Aug 17, 2017

  • The program is transferred to the Pre-Alpha status.
  • The code is significantly reorganized (refactoring).
  • Removed backup module due to the process of its full replacing.

v Added checking for updates availability via Internet.

  • (!) called from menu "Help" or "Misc Tools"
  • (!) available new option "Check updates automatically when program is starting".

v Ignore list: earlier you were unable to add entry with Russian or unicode characters.

v Added ASLR, DEP protection.

v Accelerated:

  • EDS checking.
  • saving huge reports.
  • O1 - Hosts: if there are more than 40 records, the log will contain all of them, and results window will contain only first 20 and last 20 records + item "Reset contents to default".
  • interface navigation.

v Batch digital signature checker: added new fields to CSV report:

  • is PE (whether the file is PE EXE format)
  • Signer name
  • Signer email
  • Catalog path (path to the security catalogue, in which hash of the file was found)
  • PE hash
  • Algorithm of certificate hash
  • Algorithm of signature digest
  • Time Stamp (time when file was signed)

v Changed encryption:

  • Program settings is now stored in HKLM\Software\TrendMicro\HiJackThisFork

v O26 - Image File Execution Options:

  • added detection of AVRF Hook/DoubleAgent
  • added checking of HKCU and Wow64.

v Compatibility improvements:

  • Windows Server with Terminal services.
  • Checking OS version.

v Security improvements:

  • Blocked removing of Microsoft services.
  • (!) Now system services can be removed only via menu "Tools" => "Delete Service".
  • (!) "Tools" => "Delete Service" now allows entering the display name of the service.
  • (!) HTTP links have been replaced by HTTPS.

v Hyperlinks have been replaced and divided by languages for:

  • "Analyze report" button
  • sending error messages
  • list of updates
  • Online Guide in main menu
  • Help => Support

v Added menu:

  • Help => Support
  • Help => Users' Manual => Sections' description
  • Help => Users' Manual => Command line keys

v Updated GitHub Wiki pages: https://github.com/dragokas/hijackthis/wiki

v Opened common topic for discussing by English-speaking users: https://github.com/dragokas/hijackthis/issues/4

v Size of program:

  • HiJackThis.exe is now not packed by UPX due to the fact that UPX breaks binary compatibility when analyzing Crash-dumps.

dragokas avatar Dec 06 '17 13:12 dragokas

2.7.0.3 - Sep 02, 2017

  • O25 - WMI: fixed white lists.
  • O7 - IPSEC: reworked.
  • O17 - Added white list of good known DNS.
  • R4 - detailing of parameter names; checking is appended.
  • EDS: fixed checking on Win 7 SP0.
  • Safe obtaining of environment variables.

dragokas avatar Dec 06 '17 13:12 dragokas

2.7.0.4 - Sep 14, 2017 Added displaying of default browser (for http protocol)

dragokas avatar Dec 06 '17 13:12 dragokas

2.7.0.9 - Sep 27, 2017

  • Menu has been reorganized, added icons.
  • Added output of OS version from NTDLL.dll file if it is different from the version obtained in the standard way.
  • Added output of Uptime (OS operating time).
  • Added output of "FirstRun" sign ("yes", if the scanning executed first time after system rebooting).
  • Added output of message, whether integrity of program is corrupted (e.g. due to the infection by file virus or due to the downloading of HiJackThis from non-official source).
  • O7 - TroubleShoot: added checking of availability of at least 1 GB of free disk space on system drive. Fix will call execution of Microsoft CleanMgr utility.
  • O7 - TroubleShoot: [Network] added checking whether computer name has empty name. It can lead to network problems.
  • Batch digital signature checker: added "Has internal signature?" field to the CSV report.

dragokas avatar Dec 06 '17 13:12 dragokas

2.7.0.10 - Sep 30, 2017

  • Accelerated work of the program on highly loaded systems on the CPU (due to the miners, etc.)
  • Fixed crash (clsStringBuilder)

dragokas avatar Dec 06 '17 13:12 dragokas

2.7.0.3 - 2.7.0.10

v Added full registry backup:

  • (!) called by pressing "Fix Checked" button, not more than once a week
  • (!) saved to a folder C:\Windows\ABR<Date>
  • (!) used utility ABR by Dmitriy Kuznetsov, so backups are compatible with UVs.

(!) recovering from backup is available in several ways:

  • via HiJackThis: Main Menu => List of Backups => select item "<Date>: REGISTRY BACKUP" => Restore.
  • run file C:\Windows\ABR<Date>\restore.exe
  • via UVs v.4.0.8+ => Menu "File" => Restore registry from catalogue ... => select backup you need => Recover.
  • via Windows RE: In command line of recovery environment enter :\Windows\ABR<Date>\restore :

  • (!) recovery from backup will call system rebooting without warnings.
  • (!) Uninstallation of HJT will lead to removing of backups from the folder C:\Windows\ABR, only if they were created via HJT.
  • (!) All backups that are older than 28 days are removed automatically when new backup is created.
  • (!) If system drive contains less than 1 GB of free disk space backups will not be created (!). You will see a warning in the section O7 - TroubleShoot: Free disk space on C: is too low = NNN MB.

dragokas avatar Dec 06 '17 13:12 dragokas

2.7.0.11 - Oct 06, 2017

  • EDS: fixed critical error in caching mechanism.
  • Now program will always run from the main menu, if the mark "Do not show this menu after starting the program" is not set. Earlier 2-nd program execution led to transition to the scan results window.

dragokas avatar Dec 06 '17 13:12 dragokas

2.7.0.12 - Oct 07, 2017 Added detection of OS Revision.

dragokas avatar Dec 06 '17 13:12 dragokas

2.7.0.13 - Oct 25, 2017

  • Added animation of progressbar in task bar when scanning is in progress.
  • Fixed work of ignore list.
  • Added O4 - HKLM..\BootExecute
  • Added O4 - HKLM..\FileRenameOperations
  • Checking of launching from %temp% is now ignored for the switch /silentautolog and other switches.
  • Added possibility to install HiJackThis in folder 'Program Files' and menu 'Start' (File -> Install HJT).
  • Restored function of automatic HJT scanning at system startup.
  • Added button "Add ALL to ignore list" in context menu.
  • Added command line switch /install - to install HJT.
  • Added command line switch /autostart - to set HiJackThis for automatic scanning at system startup (use with /install)
  • Added warning if system has outdated Service Pack.
  • Added jumping to file or registry record via the result scanning window (look to right mouse click, Context menu => Jump to Registry / File).

dragokas avatar Dec 06 '17 13:12 dragokas

2.7.0.14 - Oct 27, 2017

  • R3 - Default URLSearchHook is missing: added CLSID fix
  • R3 - fixed error with redirector.
  • O2 - added checking of HKCU keys
  • O3 - added checking of HKCU keys
  • O3 - removed some white lists
  • O3 - added checking of \Software\Microsoft\Internet Explorer\Explorer Bars
  • O8 - added checking of HKLM keys
  • Improved compatibility with Windows 2k.

dragokas avatar Dec 06 '17 13:12 dragokas

2.7.0.15 - Nov 03, 2017

  • All windows from 'tools' section will no longer lose the focus when you move mouse to some items of main window.
  • F0, F1 didn't work after 2.7.0.1 (fixed).
  • F0, F1 now show full path to file.
  • O1 - accelerated fix.
  • R1 - for ProxyServer: added displaying of status (enabled / disabled)
  • R1 fix for ProxyServer: added disabling of proxy.
  • O3 fix: added fix of WebBrowser and ShellBrowser keys.

dragokas avatar Dec 06 '17 13:12 dragokas

2.7.0.16 - Nov 06, 2017 O17 - DHCP DNS: fixed error when DNS is not displayed (curve code from Microsoft ^).

dragokas avatar Dec 06 '17 13:12 dragokas

2.7.0.17 - Nov 21, 2017

  • Added opportunity to download and launch programs for checking and curing shortcuts (Check Browsers' LNK & ClearLNK) via the menu Tools -> Shortcuts.
  • Accelerated creating of huge and debugging logs (optimized class of strings concatenation StringBuilder).
  • Accelerated creating of huge logs in /silentautolog mode (records are no longer added to ListBox).
  • Fixed crash due to the ListBox overflow in /silentautolog mode.

dragokas avatar Dec 06 '17 13:12 dragokas

2.7.0.18 - Nov 25, 2017

  • Added checking of registry type virtualization. No more double records for keys in log, if key has 'Shared' type.
  • Added universal iteration of registry hives. Now all hives: HKLM / HKCU / HKU (default, SID of services and other logged users) will be checked in every section.
  • Added O4 - Win9x BAT: C:\Windows\System32\Batinit.bat
  • Added O4 - Win9x BAT: C:\Windows\WinStart.bat
  • Added O4 - Win9x BAT: C:\Windows\DosStart.bat
  • Added O4 - Win9x BAT: C:\AutoExec.bat
  • Added O4 - WinNT BAT: C:\Windows\System32\AutoExec.nt
  • Added O4 - WinNT BAT: C:\Windows\System32\Config.nt
  • Added O4 - AlternateShell (SafeBoot):
  • Added O4 - ScreenSaver:
  • Added O4 - RunOnceEx:
  • Added O4 - RunServicesOnceEx:
  • Added O4 - Autorun.inf:
  • Added O4 - MountPoints2:
  • Added O7 - Taskbar policy:
  • O16 - Trusted Zone and Trusted IP range: added checking of https protocol.
  • O16 - ProtocolDefaults: added checking of ldap, news, nntp, oecmd, snews, knownfolder protocols.
  • Added O21 - ShellExecuteHooks:
  • Introduces a new postfix "(folder missing)".
  • Added selection of menu item in scan results window by right mouse button click.

dragokas avatar Dec 06 '17 13:12 dragokas

2.7.0.19 - Dec 02, 2017 Added new Microsoft root certificate's hash.

dragokas avatar Dec 06 '17 13:12 dragokas

2.7.0.20 - Dec 04, 2017

  • /silentautolog - fixed error, when logfile cannot be created
  • O22 - Task: Reworked. Removed dependency from task scheduler service.
  • O22 - Task: Added support of output of several actions for 1 job.
  • O22 - Task: Added checking of legitimacy of ComHandler-jobs.
  • O22 - Task: The output of the job status (Running / Ready / Queued) is abolished, only the status "Disabled" is left.
  • O22 - Task: Added ability to remove damaged jobs.
  • Removed section O4 - Autorun.inf:
  • Removed section O4 - MountPoints2:

dragokas avatar Dec 06 '17 13:12 dragokas

2.7.0.21 - Dec 07, 2017

  • Updated whitelists.
  • Added horizontal scrollbar to the ignore list window.
  • O4 - HKLM..\FileRenameOperations: disabled output of entries, related to delayed deletion ( -> DELETE marks).
  • O22 - Task: added mark "(telemetry)" for entries, related to collection of statistics and transferring to Microsoft server.
  • O22 - Task: removed marks "(Microsoft)" in tasks, that execute via host-process (cmd.exe, schtasks.exe etc.)
  • Switch /ihatewhitelists - fixed.
  • Added switch /default - to load default settings (useful together with /silentautolog in case user changed settings himself). It does not affect the ignore list.
  • Added switch /skipIgnoreList - do not load ignore list.
  • Added switch /timeout:sec, where 'sec' is a number of seconds allowed for HiJackThis to be run in /silentautolog mode until emergency shutdown (180 sec. by default); 0 - to disable.
  • Added output of time zone.
  • Correcting errors in the backup module.

dragokas avatar Dec 09 '17 17:12 dragokas

2.7.0.22 - Dec 09, 2017

  • Updated whitelists.
  • O17 - Removed ControlSet[x], referenced by the CurrentControlSet.

dragokas avatar Dec 09 '17 17:12 dragokas

2.7.0.23 - Dec 10, 2017

  • O22 - Task: Added parsing of .job files
  • O7 - Policy: [Untrusted Certificate] - added verification of the list of untrusted digital signature certificates and their analysis.

dragokas avatar Dec 10 '17 20:12 dragokas

[2.7.0.24] - Dec 15, 2017

  • Fixed error where log file was created trimmed due to the NUL characters.
  • Uptime is removed.
  • Finished translation of the list of updates into English.
  • Lists of updates of HJT, StartupList and ADSSpy are added to the tab in menu "Help" -> About HJT -> History.
  • R4 - SearchScopes: Changed format of log line.

dragokas avatar Dec 13 '17 22:12 dragokas

[2.7.0.25] - 17.12.2017 Updated list of certificates on XP.

dragokas avatar Dec 30 '17 13:12 dragokas

[2.7.0.26] - 23.12.2017

  • Updated list of DNS.
  • O4 - Added output of folders in Autostart directories.
  • O2, O3 - fixed heuristic cleaning.
  • R4 section - DefaultScope is merged with R4 - SearchScopes.
  • Little speed optimizations.

dragokas avatar Dec 30 '17 13:12 dragokas

[2.7.0.27] - 25.12.2017

  • O7 - Fixed output of certificates' owner name.
  • O7 - Added output of owner's name for certificates not listed in HJT database.
  • O7 - Added item "Policy: [Untrusted Certificate] Fix all items from the log", to fix all certificates at once listed in the log, if number of lines > 10.

dragokas avatar Dec 30 '17 13:12 dragokas

[2.7.0.28] - 01.01.2018

  • Fixed app crash when program is finishing its working.
  • Updated and improved script for retrieving new crash dump of program: http://dragokas.com/tools/debug/GetHJT_dump.zip

dragokas avatar Jan 29 '18 22:01 dragokas

[2.7.0.29] - 19.01.2018

  • All sections of the log are unified to cover a single template "Section prefix-bitness" - "optional, section name": "hive..\key": "optional, subkey" [parameter] = value
  • "Compressed" log O7 - IPSec: in case system has several identical rules.
  • Deleted attribute O7 - TroubleShoot: [EV] (environment value is altered)
  • Added attribute O7 - TroubleShoot: [EV] (folder is not exist)
  • Added attribute O1 - Hosts: is damaged (contains NUL characters only)
  • Attempting to fix a line with a legitimate file will now call SFC for it.

Separated into several lines with the possibility of separate fixes:

  • O4 - HKLM..\Session Manager: [BootExecute]
  • O17 - ... Parameters: [NameServer] (finalized)
  • O20 - HKLM..\Windows: [AppInit_DLLs]
  • O26 - IFEO (global).

  • Added a forbiddance to the program to reboot the server OS with a request to the user to do it manually.
  • Fixed the detection of some editions of server OS.
  • Added bringing of the HJT window to the foreground as soon as the scan is complete.
  • Improved file search by %PATH%.

dragokas avatar Jan 29 '18 22:01 dragokas

[2.8.0.2] - February 02, 2018

Logs:

  • Log "Environment variables" is replaced with the output of all environment variables of the current process.
  • O7 - Policy: [Untrusted Certificate] Black list of certificates and "Well-Known cert." attribute are removed.
  • Added option "Additional scan" (disabled, by default). It can be enabled in File -> Settings

Scan:

  • O4 - PendingFileRenameOperations (moved to "Additional scan")
  • O4 - Autorun.inf (added to "Additional scan")
  • O4 - MountPoints2 (added to "Additional scan")
  • O22 - Task: added attribute "(activation)" for tasks related to OS activation.
  • O22 - Task: added attribute "(update)" for GWX tasks ("Get Windows 10").
  • O23 - Service: added output of arguments.

Errors:

  • Fixed bug that led to absence of process list in XP.
  • Fixed bug in working with collections that could lead to application crash.
  • Fixed several errors, when O23 malware entries were not included in report.
  • Fixed app crash when user attempts to close it before StartupList2 finishes its working.
  • Fixed work of checkbox "Mark everything found for fixing after scan".
  • Fixed bug when trying to add HJT to startup being launched via Start menu and also on XP/2k systems.

Protection:

  • Improved protection against removing system files when EDS mechanism is damaged.
  • Added protection from finishing system critical processes.

Fixes:

  • O21: added restarting of Explorer.
  • O4: added process freezing.
  • O22: added finishing of task.

Interface and other:

  • Added icons to the tools and removed unused from resources.
  • Added multilingual description in file properties (DE/FR/EN/RU).

Menu "Misc Tools" is reorganized:

  • additional settings are moved to main settings menu;
  • added section "Plugins";
  • added buttons "Registry Keys Unlocker" and "Digital signature checker".

Main settings are split into categories:

  • Scan area
  • Scan options
  • Fix & Backup
  • Interface

  • Option "Ignore Microsoft files" is renamed into "Ignore Microsoft entries"
  • Option "Ignore non-standard but safe domains in IE (e.g. msn.com, microsoft.com)" is absorbed by "Ignore Microsoft entries".
  • Added tooltips to some checkboxes.
  • When HiJackThis.exe launches from archive, now it is asking for unpacking into {Desktop}\HiJackThis subfolder, not a root of desktop.
  • Improved scan speed on highly-loaded systems in /silentautolog mode.

Added command line keys:

  • /Area:Process - include list of running processes in report
  • /Area:Environment - include environment variables in report
  • /Area:Additional - execute "Additional scan"

Whitelists have been updated.

dragokas avatar Feb 02 '18 02:02 dragokas

[2.8.0.3] - February 03, 2018

  • Disabled O7 - IPSEC items are removed from the log.
  • Improved working of options "Ignore Microsoft entries" and "Ignore All whitelists" when switching a checkbox to non-default value.
  • O22 - Task: fixed error in output of status "(disabled)".

dragokas avatar Feb 03 '18 22:02 dragokas

Added notice about test (experimental) version in the 1st post.

dragokas avatar Aug 11 '18 20:08 dragokas