Can I Find A System32 Whitelist, Blacklist, Or Both?


  • Please log in to reply
2 replies to this topic

#1 ejames82

ejames82

  • Members
  • 404 posts
  • OFFLINE
  • Location:oswego, ny
  • Local time:08:36 PM

Posted 21 December 2007 - 01:08 AM

Watching a HijackThis analyst clean up malware from an infected computer has become a hobby for me.
I have noticed that System32 files get a lot of focus. I can't tell if they are missing or not; most analysts don't elaborate on why they do what they do, but when an analyst repairs a System32 file, it's probably because it's infected (my guess).
Is there some kind of whitelist available that says "these are the common legitimate System32 files", or maybe even a blacklist like "this is a surefire infection System32 file", or some website dedicated to System32 files with a dialog box where you put the name of the file in there and push "enter" and it tells you whether it's legitimate or not, or common for a certain location?
Not only that, but I would be interested in any kind of resources that help HijackThis analysts.
Sorry if I posted this in the wrong place. Thanks, Ed


#2 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:01:36 AM

Posted 21 December 2007 - 04:19 AM

Although I do not get the impression that you are actually doing this on your own computer, I feel obliged to give a warning just in case you or others decide to do such a thing. Messing around with and deleting files in the System32 folder can have serious implications; the computer can be rendered inoperable and a format will be necessary.
As for researching file names, I would personally say that in the early stages, Google is your best friend. Typing in the whole path and filename will generally give you reliable results as to whether it is legitimate and necessary or malware-related. It was certainly a great help to me when I began my HijackThis training. Over time, however, you learn to understand which are the common (legit) files on a computer, and any that you do not recognise start to ring bells and you investigate further. Whilst it is not always the case, and in fact some harmless files do this as well, a tell-tale sign of a malware file is a long string of random letters and numbers. Something like C:\WINDOWS\System32\H7jkI00mLGyAnn98.exe is going to be malware 99% of the time.
If you are interested in learning more about malware detection and removal, we do offer a HijackThis training programme here at BleepingComputer, but as far as I know we are not accepting applicants at the moment. Obviously this is extremely popular, and with only a limited number of mentors, if we accepted too many people we would be completely snowed under. Malware Removal Training Programme.
Finally, whilst malware does often hide in the System32 folder (people are rightfully scared to poke around there for fear of removing a legitimate file, so the malware's chances of survival remain higher), this is not necessarily the case. There are many other locations in which a malicious file can hide, but you are correct in stating that System32 is probably the most common, but essentially this varies with each infection.
I hope this helps you and clears up things a little.

If you are pleased with the service I have offered, you may like to consider making a donation.
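The "long string of random letters and numbers" rule above can be turned into a triage script rather than something you keep in your head. The following is an added example, not code from the original thread or from BleepingComputer: it scores the file name portion of a Windows path on length, character entropy and how often it flips between letters, digits and upper/lower case, and checks it against a small allowlist. The allowlist contents, the thresholds (8 characters, entropy 3.0 bits, 4 class transitions) and the sample paths are all constructed assumptions for illustration; the only path taken from the thread is the H7jkI00mLGyAnn98.exe example. Hyphen- and underscore-separated names are split first so that the many legitimate dash-heavy System32 names are not flagged on transitions alone.

```python
import math
import re
from pathlib import PureWindowsPath

# Constructed mini allowlist of well-known System32 file names. This is an
# illustrative assumption, not an authoritative whitelist; a real one would be
# keyed on file hashes, not names, since malware freely reuses legitimate names.
KNOWN_GOOD = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "kernel32.dll", "ntdll.dll", "user32.dll",
}

# Heuristic thresholds (assumed values chosen for this example).
MIN_LEN = 8          # shorter names are too short to judge as "random"
MIN_ENTROPY = 3.0    # bits per character over the lower-cased name
MIN_TRANSITIONS = 4  # letter/digit/case flips within the name


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for an empty or single-character-repeat string."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def case_digit_transitions(s: str) -> int:
    """Count neighbouring pairs that change class (lower, upper, digit, other)."""
    def cls(ch: str) -> str:
        if ch.isdigit():
            return "d"
        if ch.isupper():
            return "u"
        if ch.islower():
            return "l"
        return "o"
    classes = [cls(ch) for ch in s]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)


def longest_alnum_run(stem: str) -> str:
    """Longest token of letters/digits, so 'api-ms-win-core-...' is judged per token."""
    return max(re.findall(r"[A-Za-z0-9]+", stem), key=len, default="")


def looks_random(token: str) -> bool:
    """True when a token has the mixed, high-entropy shape of a generated name."""
    if len(token) < MIN_LEN:
        return False
    has_digit = any(c.isdigit() for c in token)
    has_alpha = any(c.isalpha() for c in token)
    return (has_digit and has_alpha
            and shannon_entropy(token.lower()) >= MIN_ENTROPY
            and case_digit_transitions(token) >= MIN_TRANSITIONS)


def triage(path_str: str) -> str:
    """Return 'known-good', 'random-looking' or 'unknown' for one Windows path."""
    p = PureWindowsPath(path_str)
    if p.name.lower() in KNOWN_GOOD:
        return "known-good"
    if looks_random(longest_alnum_run(p.stem)):
        return "random-looking"
    return "unknown"


def triage_all(paths):
    """Score a batch of paths; returns a list of (path, verdict) pairs."""
    return [(path, triage(path)) for path in paths]


if __name__ == "__main__":
    # Constructed sample input; only the H7jkI00mLGyAnn98.exe path comes from the thread.
    SAMPLE_PATHS = [
        r"C:\WINDOWS\System32\H7jkI00mLGyAnn98.exe",
        r"C:\WINDOWS\System32\svchost.exe",
        r"C:\WINDOWS\System32\msvcr100.dll",
        r"C:\WINDOWS\System32\api-ms-win-core-file-l1-1-0.dll",
    ]
    for path, verdict in triage_all(SAMPLE_PATHS):
        print(f"{verdict:15} {path}")
```

A "random-looking" verdict is a reason to look up the full path, as the reply suggests, not a verdict on its own: some harmless files do have generated names, and "unknown" covers the large majority of legitimate files that are simply not in the small allowlist.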


#3 ejames82

ejames82
  • Topic Starter

  • Members
  • 404 posts
  • OFFLINE
  • Location:oswego, ny
  • Local time:08:36 PM

Posted 21 December 2007 - 10:36 AM

rookie147,
I don't use HJT without expert supervision. I just spectate.

Google is your best friend


That's what I have been doing. But can't anybody get anything on Google?

a tell-tale sign of a malware file is a long string of random letters and numbers. Something like C:\WINDOWS\System32\H7jkI00mLGyAnn98.exe is going to be malware 99% of the time.


I didn't know that.

we do offer a HijackThis training programme here at BleepingComputer,


Other great forums do as well. My availability is sporadic at best. Maybe later when I can devote more time to it.
I was hoping I could avoid relying on my memory. It doesn't make sense if nobody has thought of this System32 list yet. It seems like somebody would have seen the need for it.
Thanks for the excellent detailed explanation. Ed