Before starting this exercise, it is strongly recommended that you read through the following:
- What Do Victims Expect?
- HJT Log Investigation & Troubleshooting For New Freshman
- Tools, Websites, More Tools For Hijackthis Logs
- A Collection Of Autostart Locations
- How to Disable Security Programs
- How to research malware, and how to stay safe doing it!
- Forum BBCODE Tutorial
One of the most important parts of fighting malware, if not the most important, is research. When you find an entry in a log that you are not familiar with, it is essential that you research that entry to find out whether it is indeed malicious, or whether it belongs to a legitimate program that the user has on their computer.
In this exercise, you are going to start to learn how to research log entries. The exercise is split into two parts. Only after you have successfully completed Part 1 will a Classroom Teacher instruct you to move on to Part 2.
Part 1.
The first part of this exercise deals with the various sections found in an HJT log. The answers can be found in the links above that you have read through.
You can copy and paste the questions into a program like Notepad, answer them there, and then post your reply.
An HJT log can be divided into three sections. List them.
1.
2.
3.
Using the top part of a HijackThis log, identify each line.
Logfile of HijackThis v1.99.1
Scan saved at 3:43:57 PM, on 3/14/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
1.Logfile of HijackThis v1.99.1
A.
2.Scan saved at 3:43:57 PM, on 3/14/2007
A.
3.Platform: Windows XP (WinNT 5.01.2600)
A.
4.MSIE: Internet Explorer v6.00 (6.00.2600.0000)
A.
Are the four items OK? If not, what should they be?
1.Logfile of HijackThis v1.99.1
A.
2.Scan saved at 3:43:57 PM, on 3/14/2007
A.
3.Platform: Windows XP (WinNT 5.01.2600)
A.
4.MSIE: Internet Explorer v6.00 (6.00.2600.0000)
A.
Using the above information, which of these must be changed before proceeding with a fix?
A.
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\regprot\regprot.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Any User\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe
Are these OK?
1.C:\Documents and Settings\Any User\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe
A.
2.C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
A.
What must be done before proceeding with the fix?
A.
What instructions would you give to correct the above?
A.
Part 2.
This next part deals with researching entries in the body of the HJT log. For each of the following, you need to tell us whether it is good or bad, what the entry belongs to, explain in your own words what it does, and say where you found your information.
Each response must correspond to the following layout:
Example 1.
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
- This line is good.
- Used often by web designers, it tells the computer that addresses that do not belong at a proxied address actually belong to your computer. localhost = 127.0.0.1 = My Computer.
- Microsoft TechNet: http://social.techne...y=proxyoverride
Make sure you leave a blank space between each numbered answer, and don't forget to include as much information as possible to show us that you do understand what each entry refers to.
- R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
- R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ksu.edu/
- O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
- O4 - HKLM\..\Run: [realteczs] "C:\Documents and Settings\Me\Application Data\Google\pfysw721318.exe" 2
- O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
- O4 - HKLM\..\Run: [sysfbtray] C:\windows\freddy40.exe
- O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
- O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLauncher/ActiveLauncher.cab
- O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.124,85.255.112.233
- O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
- O23 - Service: lxci_device - - C:\WINDOWS\system32\lxcicoms.exe
- O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
Key: