How To Use HiJackThis to find Malware infection Part One

HijackThis – Trend Micro USA (Genuine Freeware) [works with Netbooks]
Trend Micro HijackThis is a free utility that generates an in depth report of registry and file settings from your computer.
http://free.antivirus.com/hijackthis/
http://en.wikipedia.org/wiki/Hijackthis
http://sourceforge.net/projects/hjt/
HiJackThis UPDATED:
Trend Micro Releases HijackThis Source Code to sourceforge.net
MarketWatch (press release)
http://www.marketwatch.com/story/trend-micro-releases-hijackthis-source-code-to-sourceforgenet-2012-02-17

RUNNING A HJT LOG ANALYSIS PART ONE

There is always this need to review this magic utility – how to use it responsibly and SAFELY.

( FYI (for your information): the nicknames are “HJT”, “HJT Log Help” and “HJT Log Analysis” – HiJackThis Log Help – which you may see around at forums etc. )

If you have never performed a HiJackThis analysis: it is a simple, quick look at start-up items which may reveal malware that has been installed and is starting up with the computer system, along with other software installed and set to run at every start-up. An HJT log may show a resident threat in some areas. It can reveal installed malware toolbars and possibly other threats misusing an ActiveX item. HJT generates a kind of system read-out snapshot in a text log file that can be examined in depth.
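To show what that “read-out snapshot” looks like when you only read it, here is an added example (my own, not code from the post, from Trend Micro or from HijackThis) that parses a handful of constructed HJT-style lines from the O2 (browser helper objects), O3 (toolbars) and O4 (Run keys and Startup folder) sections and marks entries a log reviewer would look at first. The line layout follows the “O” sections of a real HJT log as I know them; every name, CLSID and path in the sample is made up, and the “user-writable location” rule is an assumed triage heuristic, not a verdict. It only lists and flags; it never fixes anything.

```python
"""Read-only triage of HijackThis-style startup lines (O2/O3/O4 sections)."""
import re
from dataclasses import dataclass

# Constructed sample log in the "O"-line layout HijackThis writes. Every name,
# CLSID and path below is made up for this example; nothing here is a real detection.
SAMPLE_LOG = r"""
O2 - BHO: PDF Link Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Common Files\PDFHelper\helper.dll
O3 - Toolbar: SuperSearch Bar - {aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee} - C:\Users\Bob\AppData\Local\Temp\ssbar.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] "C:\Users\Bob\AppData\Roaming\updater\malware.exe" /silent
O4 - HKLM\..\Run: [AVTray] "C:\Program Files\SomeAV\avtray.exe"
O4 - Startup: notes.lnk = C:\Users\Bob\Documents\notes.txt
"""

# O4 - HKLM\..\Run: [Name] command line
O4_RUN = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# O4 - Startup: shortcut.lnk = target   (also "Global Startup")
O4_STARTUP = re.compile(r'^O4 - (?P<where>(?:Global )?Startup): (?P<name>.*?) = (?P<cmd>.*)$')
# O2 - BHO: Name - {CLSID} - path   /   O3 - Toolbar: Name - {CLSID} - path
O2_O3 = re.compile(r'^O(?P<sec>[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')

# Assumed heuristic: folders a standard user can write to. A start-up item living
# there is not automatically bad, but it is the first thing a log reviewer checks.
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\local settings\\", "\\programdata\\")


@dataclass(frozen=True)
class Entry:
    section: str   # "O2", "O3" or "O4"
    origin: str    # e.g. "HKLM\\Run", "Startup", "BHO", "Toolbar"
    name: str
    path: str
    flags: tuple   # empty tuple means nothing caught the eye


def executable_from_command(cmd: str) -> str:
    """Pull the program path out of a Run-key command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(\S+?\.(?:exe|dll|scr|com|bat|cmd|vbs|js))(?=\s|$)', cmd, re.I)
    if m:
        return m.group(1)
    return cmd.split()[0] if cmd else ""


def review_flags(path: str) -> tuple:
    """Reasons a human should look at this entry; never a removal decision."""
    p = path.lower()
    flags = []
    if not p or p == "(no file)":
        flags.append("no file on disk")        # an orphaned entry, as the text describes
    elif not re.match(r"^[a-z]:\\", p):
        flags.append("non-absolute path")
    if any(marker in p for marker in USER_WRITABLE):
        flags.append("user-writable location")
    return tuple(flags)


def parse_log(text: str) -> list:
    """Turn the O2/O3/O4 lines of an HJT log into Entry records; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RUN.match(line):
            path = executable_from_command(m["cmd"])
            entries.append(Entry("O4", m["hive"] + "\\" + m["key"], m["name"], path, review_flags(path)))
        elif m := O4_STARTUP.match(line):
            path = m["cmd"].strip()
            entries.append(Entry("O4", m["where"], m["name"], path, review_flags(path)))
        elif m := O2_O3.match(line):
            path = m["path"].strip()
            entries.append(Entry("O" + m["sec"], m["kind"], m["name"], path, review_flags(path)))
    return entries


def flagged_entries(text: str) -> list:
    """Only the entries that carry at least one review flag."""
    return [e for e in parse_log(text) if e.flags]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        mark = "REVIEW" if e.flags else "  ok  "
        print(f"{mark} {e.section} {e.origin:<12} {e.name:<18} {e.path}  {', '.join(e.flags)}")
```

Run it as-is and two of the six constructed entries come back marked REVIEW: the toolbar loading from a Temp folder and the HKCU Run item pointing into AppData. That is exactly the point of a log analysis: it tells you where to look, while the decision about what (if anything) to do with those entries still belongs to someone who knows the threat.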

HiJackThis was NEVER designed to be a malware remover. It is NOT to be used as one or as a substitute for one. The average user is always told to NEVER make changes to the computer with HiJackThis, but rather to go to an Advanced User or Professional for help online or elsewhere, as a friend in the know who is savvy at malware removal help. Mistaken use may cause damage to the system and/or other software, rendering them inoperable.

IF YOU WERE TO CHOOSE “FIX THIS” ….. UH-OHH

If you click “Fix This” on any valid process or software, it may delete or corrupt that part of the Windows OS (operating system) or other software, rendering them inoperable. NEVER click “Fix This” unless you are an Advanced User or Professional, or have been directed to do so by one.

“Fix This” may delete the executable file and possibly a “run” registry key, etc.

It cannot delete/uninstall the malware payload files and registry key entries – the FULL threat – and these leftovers can be re-used by malware and may now hide from antimalware products. Being orphaned (executable deleted, payload remnant left behind = orphans), they may also be used by a rootkit to hide from detection, since an inert file is not deemed a threat during antimalware scans. At best, quality antimalware products may possibly detect these as variants and quarantine/remove them during a scan. Probably not.
 
In cases of in-the-wild threats or other severe threats rifling through and hijacking control of the PC, with their executable showing up in the HJT scan/log, HJT may possibly be used to delete the start-up entry – generally the executable, “malware.exe” as a fantasy example – to regain control of the computer for the user. If it is a known malware threat, its payload installation files can be found in full in online malware databases. Having regained control of the computer by deleting the executable from start-up, the rest of the payload can now be removed manually. In cases of in-the-wild threats, deleting the executable can give control of the PC back, and a follow-up to delete the entire installation manually will have to be performed once the payload is known and posted publicly. The user in this state should be cautioned either not to use the PC, or to use it only very sparingly, as instability or further infection activity may occur.

That is all because generally the user has no Emergency Repair CD to reinstall Windows and needs the hail-mary scenario to save their computer from the trash – purchased with their hard-earned sawbucks and not replaceable in the near future – or else be stuck without a PC. It may be used in cases just to regain control of the PC to be able to access private files one wishes to back up – make a copy of – before reinstalling the system to factory fresh, wiping the entire disk first: another hail mary to save important files, documents, pictures, movies, etc. If the user is aware of that, proceed with that understanding.

Bottom line: if you irresponsibly use, or give instructions to irresponsibly use, HJT – ignoring the example hazards and damage warnings above – you may find it all come back on you in some smear blitz over the internet along the lines of “so and so destroyed my computer, that creep!”, to say the least. If you are a professional or company, you may be sued for damages for gross negligence, deceptive practices and destruction of computer equipment. That would have to be defined by lawyers and the court.

PART TWO WILL SHOW THE ACTUAL ANALYSIS. >>>
Click > Do System Scan and Create Log File

Webmaster:
Malware Removal / Amateur Forensics
Membership/Join List:
Free Malware Removal Help / A Community Website Since 2005

Typical Question – How did I get infected with trojan and virus

http://answers.yahoo.com/question/index?qid=20110923202712AAmHzZF

(I am antibotnet Yahoo ID as webmaster www.bluecollarpc.us)

It may help a little with orientation on the behavior of malware. A trojan takes control, wants to do something, and will rifle actions to get it done. A crash may occur because this is not the normal expected behavior of a healthy system, as the trojan is giving control commands in an underhanded way, by brute force. Trojans have evolved greatly, and there are now security-software-disabling trojans which disable free products and some shareware products as well. There are now downloader trojans that install more and more malware, as the rootkit usually does. There are backdoor trojans that affect connectivity and control vital areas.

The crash you mention probably did occur from the trojan infection and spyware does this too as opposed to a computer virus or worm. AVG did indicate a trojan infection found.

Viruses take over files to spread themselves. Some are specifically created to destroy computer files, systems, or drive itself. Newer ones have been crafted to steal passwords.

Your problem seems to be that you are using the free AVG version, which will NOT protect the computer because Real Time Protection is only activated in paid-subscription antivirus and antispyware products. If you had AVG paid antivirus, it would have blocked the trojan infection from occurring. NOTE: today there are many newer and sophisticated trojans that simple antivirus no longer detects in full. Antispyware will detect many of these, particularly ones used in spyware installations.

These can happen anywhere on the world wide web at any infected website whether hacked or intentionally a malicious content website. This is called a “drive by infection” meaning the unprotected computer will get infected just by visiting a bad website. This can include and is not limited to virus, trojan, spyware, and botnet infections. You MUST have Real Time Protection activated or there is NO protection.

The free home version scanners are called stand alone on demand scanning as “reactive” protection. Paid subscription security softwares have all this plus the “proactive” Real Time Protection processes (heuristics) that block all infections from occurring in the first place. All that gets past this is generally embedded malware in some software download that can be found by scanning the package FIRST before clicking to install OR will detect it trying to execute when the installer package is double clicked to execute the installation.

Threatfire is great as just the Real Time Protection processes themselves, for both antivirus and antispyware category threats. You can add that and scan regularly with AVG Free. http://www.threatfire.com/
You forgot antispyware with Real Time Protection – get it free from Microsoft, Windows Defender, to add to this package….. http://www.microsoft.com/athome/security/spyware/software/default.mspx

There are only two or three known antivirus and antispyware programs in the world that have offered free Real Time Protection products, and fortunately they are far from dog programs. They have won several of the prestigious awards that the big companies have, such as the VB100 Award and West Coast Certification, to name a couple. I would pick one and install it immediately and keep AVG off to the side as a secondary stand-alone scanner.

Microsoft Security Essentials
http://www.microsoft.com/security_essentials/

Comodo Free Anti Virus
http://antivirus.comodo.com/

ALSO
Spyware Terminator
(Antispyware and antivirus. Real time protection added ! )
http://www.spywareterminator.com/
* Fast spyware scanning
* 100% real-time protection
* HIPS protection
* Antivirus protection
* Multilanguage Support

Source(s):

http://bluecollarpc.us/Threats_FAQs.html

Lavasoft Ad-Aware back in the News

Lavasoft Ad-Aware was one of the pioneers in antispyware defense software. I remember it well; it was one of the ‘first loves’ way back in the beginning of the Windows XP years. Originally it was obviously among the top defenders. Graciously they offered a free home version to the public, along with more defenses gained by purchasing the full version. Along the way, the industry leaders kind of left it in the dust – among them Trend Micro Antispyware, Spysweeper and CounterSpy, to name a few. Surprisingly, they are back in the news, but I rely on independent labs’ results rather than ‘newbie hype’ or perhaps tainted news editors’ departments’ ‘test results’. ….for what it is worth…

ARTICLE: Lavasoft’s Ad-Aware Awarded PC Magazine Editors’ Choice

Zawya (press release)

Respected PC Magazine lead security analyst Neil Rubenking, who recently reviewed both versions of Ad-Aware said, “This latest Ad-Aware remains very effective at keeping malware out of a clean system and adds new technology that improves its ability to …

http://www.zawya.com/story.cfm/sidZAWYA20110327064724

___Next they will have to catch up to “Cloud Computing” products as industry leaders Trend Micro and Webroot have innovated…. I have a short blog blast here on that subject…

Desktop/Laptop Cloud Computing – new “super antivirus” for the New Decade

March 8, 2011 — bluecollarpc

https://bluecollarpcwebs.wordpress.com/2011/03/08/desktoplaptop-cloud-computing-new-super-antivirus-for-the-new-decade/

ALWAYS OBSERVE BAD PRODUCTS LISTS

Title: The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites

Description: Bad, False, Fake products

URL: http://www.spywarewarrior.com/rogue_anti-spyware.htm

LavaSoft — The Rogue Gallery

http://www.lavasoft.com/mylavasoft/rogues/latest

The Rogue Gallery, powered by the Malware Labs at Lavasoft, is a resource dedicated to keeping computer users safe from rogue security software. By providing a comprehensive database of current rogue security applications, you have the ability to clearly see what programs are considered rogue – and avoid them.

Partial list of rogue security software

http://en.wikipedia.org/wiki/Rogue_security_software

Scareware / From Wikipedia, the free encyclopedia

http://en.wikipedia.org/wiki/Scareware

Rogue security software / From Wikipedia, the free encyclopedia

http://en.wikipedia.org/wiki/Rogue_software

For reference I am webmaster http://BlueCollarPC.US/  (Windows – Community Help malware removal/info)

Since 2005

Rogue Gallery Helps IDentify Scam Software

If you’re trying to figure out whether that “MalwareDefender2009″ program is a legit app or a scam, a new listing of the known scams can help. …..
http://www.networkworld.com/news/2009/120109-rogue-gallery-helps-id-scam.html?source=NWWNLE_nlt_security_2009-12-02

SEE

LavaSoft (makers of Ad-Aware, more)
The Rogue Gallery
The Rogue Gallery, powered by the Malware Labs at Lavasoft, is a resource dedicated to keeping computer users safe from rogue security software. By providing a comprehensive database of current rogue security applications, you have the ability to clearly see what programs are considered rogue – and avoid them. Navigate the Rogue Gallery by displaying the latest threats or by searching for specific programs, listed in alphabetical order. Use the “Submit a Rogue” link to quickly and easily send any suspicious programs directly to Malware Labs to be analyzed.
http://www.lavasoft.com/mylavasoft/rogues/latest

SEE
Title: The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites
Description: Bad, False, Fake products
URL: http://www.spywarewarrior.com/rogue_anti-spyware.htm
About This Page – Please Read:
Those who have followed the development of this page since 2004 will have noted that the list of “rogue/suspect” anti-spyware products has not been updated since May 2007. Unfortunately, other time commitments have precluded our efforts to keep that list up to date. Since the last update dozens of “new” rogue anti-spyware programs have hit the ‘Net. The vast majority of them, however, are not really new, but are simply re-branded clones and knockoffs of the same rogue applications that have been around for years. In most cases, they are being pushed through the same deceptive practices by the same parties responsible for earlier versions. See in particular these “families” of anti-spyware products, which continue to live on through shameless re-branding: 15, 18, 19, 21, 22, & 23.
If you are looking for information on the most recent rogue anti-spyware applications, we recommend visiting these sites:

BleepingComputer.com: Spyware & Malware Removal Guides
MalwareBytes: Newest Rogue Threats
MalwareBytes Blog
Bharath’s Security Blog
VitalSecurity.org
Sunbelt Blog

TO FIGHT FAKE ROGUE PRODUCTS YOU ARE GOING TO HAVE TO BECOME FAMILIAR WITH AGE-OLD TRUSTED PUBLICATIONS SUCH AS ARSTECHNICA.COM AND PCWORLD.COM AND CNET.COM AND ON AND ON….. FAMILIAR AND POPULAR DESTINATIONS ON THE WORLD WIDE WEB THAT ARE WELL ESTABLISHED AND WELL KNOWN AND HAVE WRITE-UPS ABOUT REAL PRODUCTS.

I HAVE JUST SEEN A FAKE PRODUCT VARIANT OF THE MALWARE VIRUSBURST SITE THAT LOOKS LIKE A REAL ANTIVIRUS PRODUCT WEBSITE, WITH SEARCH ENGINE RESULTS CLAIMING IT JUST WON ITS 4TH VB100 AWARD !!!!

FBI Releases Warning about Scareware (US-CERT) http://www.us-cert.gov/current/index.html#fbi_releases_warning_about_scareware
KNOW AND ASK ABOUT AGE OLD KNOWN PUBLICATION WEBSITES FOR CROSS REFERENCES OF PRODUCTS – BELOW ARTICLE SHOWS 16 TOP PRODUCT NAMES THAT YOU NOW KNOW ARE NOT ROGUE FAKE ANTIVIRUS PRODUCTS. IT HAS TURNED INTO A NIGHTMARE CURRENTLY !!! BELOW ARE YOUR TOP WORLD PRODUCTS – SHAREWARE ……PRELIMINARY LIST WILL ADD MORE / JAN 2010

Rating the best anti-malware solutions
http://arstechnica.com/security/news/2009/12/av-comparatives-picks-eight-antipua-winners.ars

Here are the results of this particular test:

1. G DATA Antivirus 2010: 99.8 percent
2. Trustport Antivirus 2010: 99.8 percent
3. AVIRA AntiVir Premium 9.0: 98.9 percent
4. McAfee VirusScan Plus 2010: 98.9 percent
5. BitDefender Antivirus 2010: 98.6 percent
6. eScan AntiVirus 10.0: 98.6 percent
7. F-Secure Anti-Virus 2010: 98.6 percent
8. Symantec Norton Antivirus 2010: 98.6 percent
9. Kaspersky Anti-Virus 2010: 96.7 percent
10. ESET NOD32 Antivirus 4.0: 96.5 percent
11. avast! Free 5.0: 96.3 percent
12. Sophos Antivirus 9.0.1: 95.4 percent
13. Microsoft Security Essentials 1.0: 94.6 percent
14. AVG Anti-Virus 9.0: 93.9 percent
15. Norman Antivirus & Anti-Spyware 7.30: 88.5 percent
16. Kingsoft AntiVirus 9 Plus: 87.1 percent

VB100 Award = Perfect scores ! (Top AntiVirus World Prize)
http://www.virusbtn.com/vb100/index
http://en.wikipedia.org/wiki/Virus_Bulletin
About the Virus Bulletin 100% award
The Virus Bulletin 100% awards recognise those products best able to detect viruses known to be ‘in the wild’. Unlike some other similar-sounding schemes, Virus Bulletin uses the most up-to-date WildList in its tests. This means that products that are ‘up with the game’ are the ones most likely to be granted VB100 awards. More information about Virus Bulletin can be found on its website: www.virusbtn.com.

ESET NOD32 Currently 59 VB100 awards !
http://www.eset.com/
http://en.wikipedia.org/wiki/ESET_NOD32
This brings the ESET Antivirus VB100 award total to 59 – still
the highest of any antivirus vendor!
December 2009 – ESET antivirus scoops 59th VB100 Award
http://www.betterantivirus.com/nod32-and-virus-news/archives/1456-December-2009-ESET-antivirus-scoops-59th-VB100-Award.html

Sophos Antivirus (UK)
http://www.sophos.com/
http://en.wikipedia.org/wiki/Sophos
Sophos’s anti-virus engine and identities are now packaged into
Webroot Spy Sweeper with Anti-Virus (Webroot Spysweeper one of world’s best)
http://www.webroot.com/
Sophos wins VB100 on Windows XP
http://www.sophos.com/pressoffice/news/articles/2009/04/vb100.html
…..the 46th VB100 that Sophos has received !
(Note, Sophos is a corporate business application only available to Home Desktop in the new “marriage” combo suite created recently with industry leader Webroot Spysweeper.)

F-Secure
http://www.f-secure.com/
F-Secure Awards – Award-Winning Antivirus and Protection Products
http://www.f-secure.com/en_US/about-us/awards-reviews/2009/

Advanced +++ in AV-Comparatives Performance test
Dec 23, 2009
Anti-virus (Award)
F-Secure Internet Security 2010 receives VB100 award in the latest Virus Bulletin comparative review.
http://www.f-secure.com/en_US/products/home-office/internet-security/
VB100 award
Dec 01, 2009
Internet Security (Award)

Kaspersky (Russia)
http://www.kaspersky.com/
Kaspersky Lab’s antivirus solutions win prestigious VB100 award in testing on Windows 7 platform
http://www.kaspersky.com/news?id=207575987
One of the most popular anti-virus solutions among computer users, Kaspersky Anti-Virus 2009, won a VB100 award from Virus Bulletin on Windows Vista Business Edition.

Avast
http://www.avast.com/
http://www.avast.com/eng/awards.html

PC Tools Spyware Doctor with AntiVirus (PC Tools Spyware Doctor one of world’s best)
http://www.pctools.com/consumer/products/
PC Tools receives prestigious Virus Bulletin VB100 awards
for Spyware Doctor and PC Tools AntiVirus
http://www.pctools.com/news/view/id/177/

Avira
http://www.avira.com/
http://www.avira.com/en/company_news/avira_receives_again_vb_100_award_on_windows_xp.html
Desktop Products
 Avira AntiVir Premium
 Avira Premium Security Suite
 Avira AntiVir Professional

CounterSpy (antispyware) with Vipre Antivirus (CounterSpy one of world’s best)
http://www.sunbeltsoftware.com/
VIPRE® Antivirus + Antispyware from Sunbelt Software Wins VB100 Award for Malware Detection on Windows 7 Platform
http://www.sunbeltsoftware.com/Press/Releases/?id=322
http://www.counterspy.com/

Kingsoft Internet Security
http://www.binarynow.com/
Kingsoft Internet Security 2009 obtains VB100 award from Virus Bulletin for April 2009
http://www.binarynow.com/internet-security/kingsoft-internet-security-2009-obtains-vb100-award-from-virus-bulletin-for-april-2009/
Kingsoft Internet Security 9 Plus
Internet security suite that contains anti-virus, anti-malware, a vulnerability scanner and personal firewall.
Find and fix rootkits, spyware, trojans, virus and malware infections. Protect your PC for less!
Forefront Client Security
http://www.microsoft.com/forefront/clientsecurity/en/us/product-information.aspx
Forefront Client Security wins VB100 award for Windows Server 2008 anti-malware
http://blogs.technet.com/forefront/archive/2008/10/02/forefront-client-security-wins-vb100-award-for-windows-server-2008-anti-malware.aspx
