Topic: On pre-analyzing hjt log files

polonus
On pre-analyzing hjt log files
« on: July 07, 2006, 09:47:39 AM »
Well, you could see what your hjt logs contain here: http://hjt.networktechs.com/ , where you can parse the contents of your hjt logs. As it says, the analysis is only a mere guide, and you should check everything from A to Z before doing something to a process or registry entry. Hjt is a mighty weapon, and in the hands of the ignorant it has ruined many a user's OS. There should be a disclaimer with every hjt log file.

The other online analyzing site is to be found here: http://www.hijackthis.de/
Your logs can be saved online there for three consecutive days.

Evaluating hjt logs is a painstaking thing: you have to be trained, and even have to "unlearn" things, and you have to learn to work all the additional programs and tools. If you have enough time on your hands, you can register at some forums and ask to become a trained hjt log analyzer, and there are even malware fighter academies where you can enroll, after some qualified helpers vote to have you in.

The program was originally developed by a Dutchman, a student by the name of Merijn. This is a mirror site of his:
http://www.richardthelionhearted.com/~merijn/faq.html The program has kept evolving since; new categories were added, and additional help tools came about.

There were even people who developed automatic analyzing programs for hjt, rather unique. Everyone here knows about Eddy, an Avast Webforum member, who developed these. Never seen anywhere else. Some even use these up to today.

If all this info did not scare you off, and you're up to it, then on with it: http://www.tomcoyote.org/hjt/#Top (but only to look at a log!!!).
Good forums to aid you: http://www.richardthelionhearted.com/~merijn/forums.html

And then of course there are forces that want it banned: http://www.motherboards.org/forums/viewtopic.php?t=73823&sid=5d169820ae85e63d41f9b0fa9fb6479d
And rightly so. It is not for those over 5 years old.

Because if you do not know about scumware, and what it does, in all its ins and outs, do not touch a hjt log cleansing routine with a broomstick, because the witchcraft will kill not you but your OS. The complicating factor is that there is so much misleading information, rogue anti-scumware information and so many rogue programs around that it is very hard even for evaluation lore to keep on the right track. Only a small portion of the info out on the Internet is mere fact, a smaller portion is more or less fact, a large portion is wrong information intermingled with some fact(s), and the rest is crap or intentionally misleading. Only slow, diligent learning will give you the insights you need.

As an extra, a nice hjt FAQ: http://www.russelltexas.com/malware/faqhijackthis.htm

polonus
« Last Edit: July 07, 2006, 11:42:11 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

CharleyO
Re: On pre-analyzing hjt log files
« Reply #1 on: July 09, 2006, 05:34:14 AM »
***

Nice write-up on this subject, Polonus.    :)


***

Spiritsongs
Re: On pre-analyzing hjt log files
« Reply #2 on: July 09, 2006, 07:30:17 PM »
:) Hi Polonus (and others):

About a year ago I asked an Experienced Malware Fighter about "pre-analyzing HJT log files"; below is my question and his response:

Quote from: Spiritsongs on July 17, 2005, 07:55:53 PM
Was wondering what the HijackThis Experts here think of the value of "HijackThis Log file-On line Analysis" available at http://highjackthis.de/index.php, which seems to be put out by Mathias Mattner? And of the "HijackThis Log File Analyzer"? Both of these are advocated to be used by 2 different regular "advisers" on the Avast Antivirus Support forums.

I went to the site once, out of curiosity, and I wasn't impressed. The online tool recognizes the baddies and gives an explanation of what it is, mostly.
But!.... today's infections are complex. A file shown in a log could many times only be the "tip of an iceberg". Deleting that visible file is no good when the offending files are hidden and there are guards watching it. When the visible file is removed, it's immediately replaced by another file, randomly named.
Neither of the "serious" techs would ever use that tool other than as curiosa.

Die Hard

polonus
Re: On pre-analyzing hjt log files
« Reply #3 on: July 09, 2006, 11:57:05 PM »
Hi Spiritsongs,

I agree with you that the online hjt evaluation tools are only informative, and whenever you want to work on a log you need extensive information from a tutorial like this:
http://hometown.aol.co.uk/jrmc137/hjttutorial/tutorial.htm
One of the best I have spotted recently. Even Merijn Bellekom, the Dutch student who came up with the program, had to admit that in the end he was more or less exhausted against the intricate malware of the transponder gang. And the forces that oppose us almost had the better of us in the case of webhelper4u, where webhelper was DDoSed almost into oblivion by malware spreaders, while American servers were taken to Ukraine. This was just a matter of depleted resources against an adversary that can command enormous resources.
Webhelper4u had to switch to a site where you are only accepted as a registered member, and it is well worth it to realize what we are facing and why these forces almost think they are above the law.

Hijackthis is not the ultimate word against all malware, and a lot of additional programs have to be used to come to a successful cleansing routine. VSB runners is such a solution, but it is not the final word either.
It will always be a combination of means: start-up routine analysis, process and registry analysis and technical info on the malware, tools like toolbarcop, avenger, killbox, process explorer, filealyzer etc. etc.
Then one final word, and I hold that to be very true: prevention is always, and under all circumstances, much, much better than ever having to resort to cleansing routines like a guided hjt log session.

polonus