
Junior 2



#1 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 10 February 2015 - 04:41 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Before starting this exercise, it is strongly recommended that you read through the following: 
One of the most, if not the most important part of fighting malware, is research. When you find an entry in a log that you are not familiar with, it is essential that you research that entry to find out if it is indeed malicious, or whether it is from a legitimate program that the user has on his computer.

In this exercise, you are going to start to learn how to research log entries. The exercise is split into two parts. Only after you have successfully completed Part 1 will a Classroom Teacher instruct you to move on to Part 2.


Part 1.

The first part of this exercise deals with the various sections found in a HJT log. The answers can be found in the above links that you have read through.

You can use Copy/Paste to put this in a program like Notepad to answer the questions then post your reply.

A HJT log can be divided into three sections: List them.

1.

2.

3.


Using the top part of a HijackThis log, identify each line.

Logfile of HijackThis v1.99.1
Scan saved at 3:43:57 PM, on 3/14/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)



1. Logfile of HijackThis v1.99.1
A.

2. Scan saved at 3:43:57 PM, on 6/14/2005
A.

3. Platform: Windows XP (WinNT 5.01.2600)
A.

4. MSIE: Internet Explorer v6.00 (6.00.2600.0000)
A.



Are the four items OK? If not, what should they be?

1. Logfile of HijackThis v1.99.1
A.

2. Scan saved at 3:43:57 PM, on 6/14/2005
A.

3. Platform: Windows XP (WinNT 5.01.2600)
A.

4. MSIE: Internet Explorer v6.00 (6.00.2600.0000)
A.


Using the above information, which must be changed before proceeding with a fix?

A.


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\regprot\regprot.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Any User\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe


Are these OK?

1. C:\Documents and Settings\Any User\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe
A.

2. C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
A.

What must be done before proceeding with the fix?
A.

What instructions would you give to correct the above?

A.




Part 2.

This next part deals with researching entries in the body of the HJT log. In each of the following, you need to tell us whether it is good or bad, what the entry belongs to, explaining in your own words what it does, and where you found your information.

Each response must correspond to the following layout:

Example 1.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
  • This line is good.
  • Used often by web designers, it tells the computer that addresses that do not belong at a proxied address actually belong to your computer. localhost = 127.0.0.1 = My Computer.
  • Microsoft TechNet: http://social.techne...y=proxyoverride
There may be more than one source for your research, so if you find several, include them in your reply.

Make sure you leave a blank space between each numbered answer, and don't forget to include as much information as possible to show us that you do understand what each entry refers to.
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
  • R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ksu.edu/
  • O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
  • O4 - HKLM\..\Run: [realteczs] "C:\Documents and Settings\Me\Application Data\Google\pfysw721318.exe" 2
  • O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
  • O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy40.exe
  • O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
  • O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
  • O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.124,85.255.112.233
  • O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
  • O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe
  • O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
 
Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#3 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 10 February 2015 - 05:41 PM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Before starting this exercise, it is strongly recommended that you read through the following:
• What Do Victims Expect?
• HJT Log Investigation & Troubleshooting For New Freshman
• Tools, Websites, More Tools For Hijackthis Logs
• A Collection Of Autostart Locations
• How to Disable Security Programs
• How to research malware, and how to stay safe doing it!
• Forum BBCODE Tutorial


One of the most, if not the most important part of fighting malware, is research. When you find an entry in a log that you are not familiar with, it is essential that you research that entry to find out if it is indeed malicious, or whether it is from a legitimate program that the user has on his computer.

In this exercise, you are going to start to learn how to research log entries. The exercise is split into two parts. Only after you have successfully completed Part 1 will a Classroom Teacher instruct you to move on to Part 2.


Part 1.

The first part of this exercise deals with the various sections found in a HJT log. The answers can be found in the above links that you have read through.

You can use Copy/Paste to put this in a program like Notepad to answer the questions then post your reply.

A HJT log can be divided into three sections: List them.

1.

2.

3.


Using the top part of a HijackThis log, identify each line.

Logfile of HijackThis v1.99.1
Scan saved at 3:43:57 PM, on 3/14/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)



1. Logfile of HijackThis v1.99.1
A.

2. Scan saved at 3:43:57 PM, on 6/14/2005
A.

3. Platform: Windows XP (WinNT 5.01.2600)
A.

4. MSIE: Internet Explorer v6.00 (6.00.2600.0000)
A.



Are the four items OK? If not, what should they be?

1. Logfile of HijackThis v1.99.1
A.

2. Scan saved at 3:43:57 PM, on 6/14/2005
A.

3. Platform: Windows XP (WinNT 5.01.2600)
A.

4. MSIE: Internet Explorer v6.00 (6.00.2600.0000)
A.


Using the above information, which must be changed before proceeding with a fix?

A.


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\regprot\regprot.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Any User\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe


Are these OK?

1. C:\Documents and Settings\Any User\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe
A.

2. C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
A.

What must be done before proceeding with the fix?
A.

What instructions would you give to correct the above?

A.




Part 2.

This next part deals with researching entries in the body of the HJT log. In each of the following, you need to tell us whether it is good or bad, what the entry belongs to, explaining in your own words what it does, and where you found your information.

Each response must correspond to the following layout:

Example 1.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
• This line is good.
• Used often by web designers, it tells the computer that addresses that do not belong at a proxied address actually belong to your computer. localhost = 127.0.0.1 = My Computer.
• Microsoft TechNet: http://social.technet.microsoft.com/Search...y=proxyoverride

There may be more than one source for your research, so if you find several, include them in your reply.

Make sure you leave a blank space between each numbered answer, and don't forget to include as much information as possible to show us that you do understand what each entry refers to.
1. R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
2. R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ksu.edu/
3. O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
4. O4 - HKLM\..\Run: [realteczs] "C:\Documents and Settings\Me\Application Data\Google\pfysw721318.exe" 2
5. O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
6. O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy40.exe
7. O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
8. O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
9. O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.124,85.255.112.233
10. O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
11. O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe
12. O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


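Added example, not part of the exercise or the classroom's own material: a small Python helper that splits HijackThis lines of the kinds quoted above (R0/O4/O17/O23 entries and bare "Running processes" paths) into their section code and body, and lists the reasons an entry still needs research. The checks are heuristics I assumed for illustration (a file under a user's Temp or Application Data folder, a NameServer outside private address space, a service with no company name); they never decide an entry is bad, which is exactly the research this exercise asks for.

```python
import ipaddress
import re

# Added example, not the original post's code: flags HJT entries that need research ([] = nothing automatic, not "good").
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|cab|sys))"?', re.IGNORECASE)


def parse_entry(line):
    """Return (section code, body); bare paths under 'Running processes' get code PROC."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if m:
        return m.group("kind"), m.group("body")
    return ("PROC", line) if re.match(r"^[A-Za-z]:\\", line) else None


def research_flags(line):
    """List the reasons a reviewer must research this entry before proposing a fix."""
    parsed = parse_entry(line)
    if parsed is None:
        return []
    kind, body = parsed
    flags = []
    for path in PATH_RE.findall(body):
        low = path.lower()
        # Files run or loaded from a user's Temp or Application Data folder need identifying.
        if "\\local settings\\temp\\" in low or "\\application data\\" in low:
            flags.append(f"{kind}: file under a user profile Temp/Application Data folder: {path}")
    if kind == "O17":
        # A NameServer outside private address space must be confirmed as the user's own DNS.
        for ip in re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", body):
            try:
                if not ipaddress.ip_address(ip).is_private:
                    flags.append(f"O17: public NameServer {ip}; confirm it belongs to the user's ISP")
            except ValueError:
                flags.append(f"O17: NameServer value {ip!r} is not a valid IPv4 address")
    if kind == "O23" and " - - " in body:
        flags.append("O23: service with no company name; identify the file's vendor")
    return flags


def triage(log_text):
    """Map each flagged line of a log to its research reasons."""
    return {l.strip(): research_flags(l) for l in log_text.splitlines() if research_flags(l)}


# Constructed sample built from entries quoted in the exercise above.
SAMPLE_LOG = r"""
C:\Documents and Settings\Any User\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe
O4 - HKLM\..\Run: [realteczs] "C:\Documents and Settings\Me\Application Data\Google\pfysw721318.exe" 2
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.124,85.255.112.233
"""
```

Running `triage(SAMPLE_LOG)` flags the Temp-folder HijackThis process, the Application Data Run entry and both O17 addresses, and says nothing about the Google Toolbar line; every flag is a research prompt, and the sources you find are still what decide the answer.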
