#11
No worries.
__________________
Pretty close - HJT is essentially a Registry Editor. As you say, it scans the Registry and produces a log of its results. It does have several other functions as well - take some time and get to know what they are. Here's the Services part of a log from my PC:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:49:17, on 07/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
E:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\FAH\smpd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\WINDOWS\system32\svchost.exe
E:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
E:\Program Files\Winamp\winampa.exe
E:\PROGRA~1\AVG\AVG8\avgtray.exe
E:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
E:\Program Files\Logitech\SetPoint\SetPoint.exe
E:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
E:\Program Files\SpywareGuard\sgmain.exe
E:\Program Files\SpywareGuard\sgbhp.exe
F:\Iain\Drivers and Software\CoreTemp\Core Temp.exe
E:\FAH\fah6.exe.exe
E:\FAH\mpiexec.exe
E:\FAH\smpd.exe
E:\FAH\FahCore_a1.exe
E:\FAH\FahCore_a1.exe
E:\FAH\FahCore_a1.exe
E:\FAH\FahCore_a1.exe
E:\Program Files\Mozilla Firefox\firefox.exe
E:\Program Files\HJTHotkey\HJTHotkey.exe
E:\Program Files\KeyNote\keynote.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\All Users\Application Data\LGMOBILEAX\B2C_Client\LGUserCSTool.exe
F:\Iain\HijackThis\HiJackThis.exe

I make that 52 processes. My Task Manager says 81 processes. Have a look at the processes listed in your log and the ones listed in your Task Manager and tell me what's different.

My System: It's all mine...
#12
I meant to add this - this is the bottom section of my log
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper Corporation - E:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FAH@E:+Program Files+Folding@Home Windows SMP Client V1.01+fah.exe - Unknown owner - E:\Program Files\Folding@Home Windows SMP Client V1.01\fah.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: MPICH2 Process Manager, Argonne National Lab (mpich2_smpd) - Unknown owner - E:\FAH\smpd.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - E:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Program Files\Common Files\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Not many services there, are there? Can you think of a reason why so few services actually appear?
#13
Your first question is easy. The HJT log is not showing any of my system processes. What I don't know is why. I have been pursuing this at Malware U as well, and have had a couple of answers, but none have been definitive. One is that perhaps HJT is not configured for Vista64; another says this is normal for any Vista HJT log. Yet another pointed out that all my O23 (service) entries were not properly displayed, which brings us back to either an incompatibility with Vista64 or Vista as a whole. I do not have UAC turned on; heck, I don't have any of the MS security stuff turned on.

As to why you have 81 processes running and HJT shows only 52, I don't know. I have an HJT log for this computer (I did my first PL00a with it), and I will compare what is showing on the HJT log with what is showing in Task Manager and get back to you. I will also look at the services and see what I can figure out.

Note: As I type this, I am using my old machine, which is a Vista machine.
#14
You might find a tutorial on HJT to be some help - it's something I advise trainees to read first anyway.
http://www.bleepingcomputer.com/tuto...utorial42.html
#15
Correction first from my above post. My old machine (which I'm doing this one on too lol) is an XP machine, not a Vista machine. Processes question revisited from the XP machine:

I reran HJT and copied the Process portion, then immediately opened up Task Manager and compared the numbers. I had 50 processes on HJT and 58 on Task Manager. I typed the Task Manager list into a Notepad doc and then went through the HJT list. I deleted from the Task Manager list everything that was showing on the HJT list to see what was left. Two questions before I go further:

1) Is there a way to get the process list from Task Manager instead of doing what I did, i.e. open a Notepad doc and manually type each entry in?

2) Task Manager just shows an entry such as "Winlogon.exe" while HJT shows the full path (is path the correct term?) such as C:\WINDOWS\system32\winlogon.exe. Since the process I used as an example, winlogon.exe, can be malware (trojan I think) if it is NOT from the path C:\WINDOWS\system32, it would be nice to know the full path. So how do I get the full path from Windows Task Manager?

Back to my processes: I actually ended up with 11 left on my list, not 8. I can think of two reasons for that. Of the 11, three were svchost.exe's. I possibly missed one when deleting from one list to the other. One process showing on the HJT list was HJT, which of course was not open when I did Task Manager, so it did not show up there. That eliminates 2. Of the remaining 9, 2 were notepad.EXE's which were not open when I did the HJT, and two would be the other two svchost.exe's. I have found nothing yet which tells what opens those, just that they are widely used by Windows. Of the remaining 5 processes not shown on HJT, two were:

System: system is a process which shows up on the tasks on mainly Windows XP, Windows 2003 Server and later versions of Windows. This is a default system counter and cannot be removed.

System Idle Process: the system idle process is not a process, more a counter which is displayed in WinTasks used for measuring how much idle time the CPU is having at any particular time. This counter will display how much CPU resources, as a percentage, are 'idle' and available for use. Cannot be killed.

I am assuming that these two open up with Task Manager and as such would not have been seen. That leaves three, two of which I am clueless as to why they were not displayed by HJT, especially the one for Media Player, since Media Player has in the past been exploited by malware, has it not? They are:

alg.exe: The alg.exe executable allows applications (such as IM clients, RTSP, BitTorrent, SIP, and FTP) from a client computer to dynamically utilize passive TCP/UDP ports in communicating with known ports on a server.

wmpnetwk.exe: wmpnetwk.exe is the main executable for Windows Media Player Network Sharing Service. It is used to share Windows Media Player libraries.

taskmgr.exe

The remaining process is:

csrss.exe: The Microsoft Client Server Runtime Server subsystem utilizes the process csrss.exe for managing the majority of the graphical instruction sets under the Microsoft Windows operating system. Csrss.exe controls threading and Win32 console window features. Threading is where the application splits itself into multiple simultaneously running tasks. While I'm not entirely sure, I THINK this could have opened after I ran HJT when I opened multiple instances of Notepad to write down and compare data.

Any thoughts or critiques you have on what I just wrote would be appreciated. I have finished my first exercise (and had it critiqued by an instructor) at Malware U, so this is something extra for my own desire to learn more and better understand processes, and as such I will not be "cheating" by asking you about it.

As to your services question: I have not researched it fully yet, nor carefully looked at the data. I plan to do something similar with my own HJT log as I did with my process log, comparing the O23 list with the actual services list, but off the cuff... The little I have read and been able to understand about services would lead me to believe that your list is short because it is only showing the open services, not the pending ones, or the... crap, I forget the other two classes of services lol, which is why I need to do more research. Anyways, if I am on the right path with that, let me know. Thanks. I appreciate you taking the time and challenging me to be sure of what I am learning before I spout it off. I don't believe that there is ever such a thing as "too much teaching" or "too much learning". Heck, there is so much knowledge that it is impossible to ever begin to learn it all.
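The manual Task-Manager-versus-HJT comparison and the winlogon.exe path question in the post above can be scripted. The block below is an added example, not code from this thread or from HijackThis: it parses the "Running processes" and O23 sections of an HJT v2 log (the sample is constructed in the layout quoted in this thread, and assumes the process section ends at the first blank line), diffs image names against a constructed Task Manager list, flags core Windows binaries running outside System32, and lists O23 services with a missing file or unknown owner.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the HJT v2 layout quoted above; the last process is a made-up winlogon.exe outside System32.
HJT_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Documents and Settings\user\winlogon.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - E:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FAH@E:+fah.exe - Unknown owner - E:\Program Files\Folding@Home\fah.exe (file missing)
O23 - Service: Snoop Free Service (SnoopFreeSvc) - Unknown owner - C:\WINDOWS\System32\SnoopFreeSvc.exe
"""
TASKMGR_NAMES = [  # constructed Task Manager "Image Name" column captured at the same moment
    "System Idle Process", "System", "smss.exe", "winlogon.exe", "svchost.exe",
    "svchost.exe", "svchost.exe", "avgtray.exe", "winlogon.exe", "taskmgr.exe"]
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
SYSTEM32 = "c:\\windows\\system32"
CORE = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}

def parse_hjt(log):
    procs, services, in_procs = [], [], False  # returns (process paths, O23 dicts)
    for line in log.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False  # assumption: a blank line closes the process section
        elif line.startswith("O23 - "):
            m = O23_RE.match(line)
            if m:
                services.append({**m.groupdict(), "missing": bool(m.group("missing"))})
        elif in_procs:
            procs.append(line)
    return procs, services

def core_outside_system32(procs):
    # The full path HJT records is what lets us spot a core binary in the wrong folder.
    return [p for p in procs if PureWindowsPath(p).name.lower() in CORE
            and str(PureWindowsPath(p).parent).lower() != SYSTEM32]

def diff_taskmgr(procs, taskmgr_names):
    # Multiset diff by image name: (only in Task Manager, only in HJT).
    hjt = Counter(PureWindowsPath(p).name.lower() for p in procs)
    tm = Counter(n.lower() for n in taskmgr_names)
    return tm - hjt, hjt - tm

def odd_services(services):
    # O23 entries worth a second look: binary missing or no recognised owner.
    return [s["name"] for s in services if s["missing"] or s["owner"] == "Unknown owner"]
```

On the sample, the Task-Manager-only side comes out as System, System Idle Process, taskmgr.exe and one extra svchost.exe, which is the same pattern the post above found by hand.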
#16
You're getting there. Did you read the tutorial at BC? It mentions whitelists - that might help a bit.
As I said before, I'm not going to answer specific questions, such as those concerning winlogon, because your tutors at MU will deal with things like that in their own way. Those of us involved in teaching all have our own methods and "ways" and it would not be right for me to try and pre-empt the style of someone else. A process is just software running on a PC. Some services are processes as well, starting when the PC boots - in other words, no user interaction is needed to start them. Any idea why you had more than one svchost service showing?
#17
I have been reading that tutorial since I started lol, and almost understand about 1/4 of it (it is linked as one of the first things they want us to read). I must have missed the whitelists but I'll go back and check specifically for that.

As to folks at Malware U answering the questions I posed to you, they haven't. I've had a thread posted there for nearly two days without a single reply. It has been viewed 40 times, so I know it's been seen, but no answers. It is slowly sinking down the list and will be forever buried into obscurity, unanswered I fear, by late tomorrow or early Wednesday.

There are so many instances of svchost for redundancy and reliability (the whole thing about taking away so many .exe's and turning them into .dll's etc....). That is probably the only thing I knew before I started this course, but as usual, didn't understand it completely and didn't know how to tell what svchost was servicing what. I just found however a great tutorial about it on howtogeek.com which shows how to get to the command line. LOL, I just looked again and it details how to get to and use Process Explorer. I have asked about that over there as well. Here's the link, it looks great to me. It shows how to do it in both XP and Vista. I need to go read that now and follow all the links from it.

http://www.howtogeek.com/howto/windo...is-it-running/
#18
Hi again
That's a pretty good explanation of svchost. You might also want to use something like Process Explorer to look at which dll files are being loaded on your own system. It can be quite revealing. Also check out Autoruns. Again, I don't want to pre-empt anything that may be coming your way from MU, but I suspect they may also be looking for you to do some research and at least have a go at answering your questions (that's the way I would work...). If you are really stuck for an answer, post back here and either myself or EF will try our best to provide an answer.