Jump to content

Build Theme!
  • Infected?


Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 92059 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Identifying Good, Bad & Optional Files - Hjt

  • Please log in to reply
No replies to this topic

#1 phawgg


    New Member

  • New Member
  • Pip
  • 4 posts
  • Interests:computer use...malware removal, music library, photo editing, database maintenance & construction, communication, creative writing.

Posted 07 October 2004 - 02:54 PM

Hi, :wavey: I'm impressed with your site's organized fight against malware. Problems I experienced in June led me to Net-Integration. (member joejensen). I migrated to bleepingcomputer.com to continue problem resolution. As a novice, I felt at home there, and learned a lot. In lieu of a monetary contribution, I decided to help by learning HJT analysis. A lot of reading is involved, and to supplement my undestanding of good files and bad ones, I chose to review threads. While googling leads, I visit many anti-spyware sites. I've joined several, and have found quite a few inconclusive leads when tracking down suspected files. I also have learned a lot about the techniques employed in steering amateurs through the fix process. Of particular value to me is your "SOLVED HJT HIJACKS" forum. Closed cases. Applying a technique I have developed, I have "mined your data" so to speak. I hope you don't mind, it's been very helpful to me as a replacement for months of experience identifying problems to be able to compress the learning curve. Its very simple, really. I open this forum and "copy link location" to wordpad. Double space and add a number in sequence. (85tc) that reflects that it's the 85th log from tom coyote forum. I copy the member name, and add the OS. The individual wordpad then has a topline that reads, ie: 85tc wyfireman winXP to the right of the link location. Double "enter" and minimize. Copy the opening remarks and the HJT header block. Max the wordpad. Paste. Scroll down to the first reply and repeat through the thread. Each fix has comments/steps & the deletions. Some editing to eliminate redundancy. When I see a clean log, I copy all entries to an Excel workbook. Several workbook files are active and contained in a folder. winXP TC HJT winME TC HJT win2000 TC HJT winNT TC HJT win98se TC HJT Each one is similar. Sheet 1=good. Column A=width:131 Column B=width:5 Sheet 2=step one Column A=width:131 Column B=width:5 Sheet 3=undone Column A=width:131 Column B=width:5 The entire clean log is pasted to "step one". Total rows might be 78. "cut" 78. Paste it to the "good" sheet. ADD 85tc to Column B. Drag/fill all 78 rows of column B with this "value". Minimize file. Maximize untitled wordpad. Scroll to beginning. Copy topline, w/o link. Close window, paste to filename. Save in TC HJT folder. Go to topic beginning. Go back one page and find the next thread not yet treated to this method. Repeat. Some variables exist, not many. If the clean log has one or two final deletions, these are done at the "step one" sheet. Of course when operating systems differ, appropriate modification to the routine is done. It is a routine, after all. Repetitive but fairly quick. Bad files are then pulled out of the original titled wordpads in a similar fashion. I intend to use Column C and others to the right of the entries for additional identification: CWShredder, getservice, aboutbuster, infection name or the like to further track where the bad file came from, or what you might expect when encountering it These active files will continue to build. I let 'em. At 85, 3814 entries exist. Probably 85 C:\WINDOWS\system32\lsass.exe, and it would take 10 seconds to reduce the list size to managable in any case. At a point in time, a copy of the whole workbook is made. Sheet 1=good. (duplicate file elimination is optional, but this sheet will be alphabetized. Hit A-Z descending.) Sheet 2=step one. (to review or edit duplicates prior to commission to final sheet) Note: maybe optional entries will eventually reside here... ones I call "ugly" such as resource hogs & quasi-valuable ones Sheet 3=bad. (No duplicate file elimination for frequency indications. Source & desciption of each line included from additional columns. Hit A-Z desceding, all columns) I can't think of a way as of yet to organize a dynamic database for quick search, but I'm certain having the excel files in such a manner will facilitate that step. Suggestions? I learn from repetition, and although I'm scanning as I go, I can spot good files easier now. It's at the placing of bad files into a spreadsheet that really helps reinforce the lessons that have been, in many cases, hard-learned by the volunteers in the first place. I'm just following the parade, so to speak, with a shovel. Any comments are welcome. Let me know. Thank you. Regards to all the principles and volunteers in the effort... :mellow: phawgg


Register to Remove

Related Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users