
How to Read HiJack This Log

Discussion in 'General Discussions' started by Ranger SVO, 2007/12/30.

  1. 2007/12/30
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    Joined:
    2006/05/13
    Messages:
    297
    Likes Received:
    4
    I don't wanna be or ever expect to be an expert, but I would like to be a little more informed. Can you recommend some sites or books that could help me understand the logs I look at when I go into the Removing Spyware & Viruses forums.

    I am more curious than anything else and I don't like being clueless.

    Thanks
     
  2. 2007/12/30
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389


  4. 2007/12/31
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Ranger SVO
    First, take note of the first thing you see when going to Pete's link....
    Warning

    With the way malware is now, it is very hard to just look at a HJT log and see bad stuff. Some things pop right out, while other things look legit that may not be, and others don't show up at all.

    You have to go line by line and research almost every file it shows.

    Then HJT is not a show all or fix all tool as I'm sure you've seen.

    Some malware just corrupts legit files; some creates files and then changes file names upon reboot of your system or creates more files, or just switches or adds a letter in a file name to make it look legit.
    Like this...
    svchost to scvhost

    It takes many hours to go through a HJT log and a DSS log, plus on-line scans and the logs that the tools produce, and there is new garbage coming out almost daily or weekly, so it is very hard and time consuming to even try and keep up.

    That is one reason that malware fighters are a community in itself, to try and keep each other informed, because there is always something new and always something you need to learn.

    Geri
    and btw, I can thank Pete for being where I am. :cool: :D
     
  5. 2008/01/01
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    Joined:
    2006/05/13
    Messages:
    297
    Likes Received:
    4
    Thanks for the link PeteC. It has a lot of information that will take a lot of time to digest.

    And Geri, when you get to be my age you learn not to just jump into things. I am 48 years old and I will graduate from college this semester with a BS in Mathematics. The one thing math majors can do is look at things logically. After reading that tutorial, I realize that I have a lot more to learn. So after my BS in Math, Computer Science is next.

    And if I have a problem with my computer, I know where to come.

    By the way, I was looking at a HiJack log in the Removing Spyware & Viruses forums. And I saw this entry

    C:\Program Files\QdrModule\QdrModule11.exe
    C:\Program Files\QdrPack\QdrPack11.exe

    Where do I go to find information about this? When I did a search, I just got a lot of other forums with HiJack This logs. I wanna find the info on my own, just point me in the right direction.
     
    Last edited: 2008/01/01
  6. 2008/01/01
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Ranger SVO
    When you get to be my age, you've learned that you've jumped into about everything you've ever wanted to jump into. I'm 49 :D

    Well, Google is a good place to start. Most Anti-Virus sites have a search file function, and CastleCops also has a search.
    But then, like I said, some malware disguises itself as legit files or just corrupts legit files. So that is why you can't just always delete the file. It may be needed in running your system.

    It just takes a lot of searching and time. Some resources are just not available to the public; it could have a devastating effect, could end up with a lot of paper weights sitting on people's desks. :rolleyes:
    btw, those two files are trojan files, but just two of the files this trojan leaves on a system.

    Geri
     
  7. 2008/01/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That's very common, and can be one of the more difficult aspects of sorting out good from bad. Oftentimes we find it necessary to click through and read many, many of those search results trying to find something definitive enough for us to make well informed recommendations. Oftentimes you can find more information contained within those topics, such as results from when a file was uploaded and analyzed. Sometimes you come across something as simple as the following, which is quoted from one of the search result links for the files you questioned.

    Changing the search query can help too. While searching for the executable name will yield results requiring some digging to get answers, searching for the folder name containing the executable yields more favorable results.

    Example:
    Search query = QdrPack11.exe
    http://www.google.com/search?num=30&hl=en&newwindow=1&safe=off&q=QdrPack11.exe&btnG=Search
    Search query = QdrPack
    http://www.google.com/search?num=30&hl=en&newwindow=1&safe=off&q=QdrPack&btnG=Search

    Bottom line is that a considerable amount of time is spent researching ..... whether it's you spending the time to do your own analyzing, or someone else doing the time to do the analyzing for you. :)
     
  8. 2008/01/01
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    Joined:
    2006/05/13
    Messages:
    297
    Likes Received:
    4
    I have no intention of trying to fix a computer on my own.

    The reason I noticed the

    C:\Program Files\QdrModule\QdrModule11.exe
    C:\Program Files\QdrPack\QdrPack11.exe


    entry is that I've seen something similar in my son's computer. What I saw in his is this

    O4 - HKCU\..\Run: [QdrModule9] "C:\Program Files\QdrModule\QdrModule9.exe "

    There is something else that I cannot identify.

    F3 - REG:win.ini: load=C:\WINDOWS\system32\ssttt.exe

    Out of curiosity I went to jotti and it identified the file next to it ssttt.dll as a W32/Trojan2.Sun.

    His computer is like his room, a real mess. Anyway, I recently upgraded his RAM from 512 MB to 2 GB. A couple of days later he complained that it took a long time to start. I ran a virus scan and it detected an astounding 147 errors. 138 of those were fixed.

    I run a daily scan on mine and usually detect 0 errors, (I can not remember the last time it detected even 1 error) so I found 147 to be alarming.

    Again, I have no intention of fixing his computer without supervision. But I will continue to go through this log to see what I can learn.
     
    Last edited: 2008/01/01
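    The three ideas in the replies above (Geri's point that malware hides behind near-miss names like scvhost for svchost, noahdfear's tip to search on the folder name as well as the executable name, and the O4 and F3 autostart lines quoted in the post above) can be turned into a small triage script. This is an added example, not code from the thread or from HijackThis; it parses only the two HJT entry types shown on this page. The O4 QdrModule9 line and the F3 ssttt.exe line are the ones quoted above; the SoundMAX and scvhost lines are constructed for the example, and the list of imitated Windows binaries is an illustrative assumption, not a complete one.

```python
"""Parse O4 / F3 autostart lines from a HijackThis log and triage them."""
import re
from dataclasses import dataclass, field
from pathlib import PureWindowsPath
from typing import List, Optional

# Names malware likes to imitate (svchost -> scvhost is the trick described
# in the thread). Assumption: this list is illustrative, not complete.
KNOWN_WINDOWS_BINARIES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "explorer.exe", "services.exe", "smss.exe", "spoolsv.exe",
}
# Parent folders that make a poor search query on their own.
SYSTEM_DIRS = {"windows", "system32", "system", "program files"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
F3_RE = re.compile(r"^F3 - REG:(?P<file>[\w.]+): (?P<setting>\w+)=(?P<cmd>.*)$")
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)

# Constructed sample: lines 2 and 4 are quoted in the thread, lines 1 and 3 are made up.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\SMax4.exe
O4 - HKCU\..\Run: [QdrModule9] "C:\Program Files\QdrModule\QdrModule9.exe "
O4 - HKLM\..\Run: [scvhost] C:\WINDOWS\system32\scvhost.exe
F3 - REG:win.ini: load=C:\WINDOWS\system32\ssttt.exe
"""


@dataclass
class Entry:
    kind: str                       # "O4" or "F3"
    source: str                     # e.g. "HKCU\..\Run" or "win.ini load"
    name: str                       # value name, or the ini setting
    path: Optional[str]             # executable path extracted from the command
    verdict: str = "research"       # "lookalike", "legacy-autostart" or "research"
    mimics: Optional[str] = None    # known binary the filename imitates, if any
    queries: List[str] = field(default_factory=list)  # suggested search terms


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions,
    so 'scvhost.exe' vs 'svchost.exe' costs 1, not 2."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_of(filename: str) -> Optional[str]:
    """Return the known binary this filename is one edit away from, if any.
    An exact match is not a lookalike (the real file lives here too)."""
    low = filename.lower()
    if low in KNOWN_WINDOWS_BINARIES:
        return None
    for known in sorted(KNOWN_WINDOWS_BINARIES):
        if osa_distance(low, known) <= 1:
            return known
    return None


def search_queries(path: str) -> List[str]:
    """Executable name, plus the parent folder name unless it is a system dir."""
    p = PureWindowsPath(path)
    queries = [p.name]
    parent = p.parent.name
    if parent and parent.lower() not in SYSTEM_DIRS:
        queries.append(parent)
    return queries


def parse_line(line: str) -> Optional[Entry]:
    """Turn one O4 or F3 log line into an Entry; other entry types return None."""
    m = O4_RE.match(line)
    if m:
        entry = Entry("O4", f"{m['hive']}\\..\\{m['key']}", m["name"], None)
        cmd = m["cmd"]
    else:
        m = F3_RE.match(line)
        if not m:
            return None
        entry = Entry("F3", f"{m['file']} {m['setting']}", m["setting"], None)
        cmd = m["cmd"]
    exe = EXE_RE.search(cmd)
    if exe:
        entry.path = exe.group(0)
        entry.queries = search_queries(entry.path)
        entry.mimics = lookalike_of(PureWindowsPath(entry.path).name)
    # win.ini load=/run= is a legacy autostart that legitimate software rarely
    # uses (assumption stated in the lead-in), so it is flagged outright.
    if entry.kind == "F3":
        entry.verdict = "legacy-autostart"
    elif entry.mimics:
        entry.verdict = "lookalike"
    return entry


def analyze(log_text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in log_text.splitlines()) if e]


if __name__ == "__main__":
    for e in analyze(SAMPLE_LOG):
        extra = f" (mimics {e.mimics})" if e.mimics else ""
        print(f"{e.kind} {e.source:<14} {e.verdict:<17}{extra} {e.path} search: {e.queries}")
```

Everything that is not flagged still comes back as "research", which is the honest result: the script only narrows where to look, and the QdrModule9 line is identified in this thread by people who searched it, not by a pattern.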
  9. 2008/01/01
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Ranger SVO
    Yes that file is also a trojan.

    I would suggest you post a HJT log and a DSS log in the Spyware and Virus removal forums.

    Geri
     
  10. 2008/01/01
    Ranger SVO

    Ranger SVO Inactive Thread Starter

    Joined:
    2006/05/13
    Messages:
    297
    Likes Received:
    4
    Thanks Geri, I will get him to post that soon.

    I think your level of knowledge is outstanding. I am a little more than half way through this log, and so far it's been a lot of work for me. This is one incredible learning experience.

    I will get him to post both logs soon.

    I will finish going over this log tonight.

    Again, thanks for your time. It is greatly appreciated, especially now that I know the amount of work that you all do.
     
