
HJT Log Help


6 replies to this topic

#1 johngreen168

  • Members
Posted 24 December 2012 - 11:38 PM

Hey, I really don't understand why this spoolsv.exe in the HijackThis log startup header is not really an issue. This website, http://www.processlibrary.com/, clearly states that it is a backdoor vulnerability in the system, so it should be deleted, right?

In fact, when we try to interpret an HJT log, do we need to look at those lines in the startup header, or can we simply ignore them? Or do we only need to look at the entries from R1/R0 ... O23 onward?

Any suggestions will be greatly appreciated, and Merry Xmas. By the way, here is part of the HJT log generated from my PC:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\noname\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Unwired\UwSCT.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\noname\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Edit: Moved topic from AntiVirus, Firewall and Privacy Products and Protection Methods to the more appropriate forum. ~ Animal


#2 shelf life

  • Malware Response Team

Posted 26 December 2012 - 06:48 PM

Hi,

Really, a process could be named anything.exe, including spoolsv.exe; see attachment. Most likely it is the real MS Windows process and should be left alone, unless you never print, in which case you could stop the Print Spooler service.

How Can I Reduce My Risk to Malware?
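As an added example (not code from the thread or from HijackThis), the following Python check works through the point made above: a file can be named spoolsv.exe in any directory, so the path in the "Running processes" block is what separates the real Print Spooler from a lookalike. The sample log lines and the table of expected directories are constructed for this example; the Temp copy of spoolsv.exe is invented to show what a hit looks like.

```python
from pathlib import PureWindowsPath

# Constructed sample shaped like an HJT "Running processes" block; the Temp copy of
# spoolsv.exe is invented to show a lookalike, the system32 one is where the real service runs.
SAMPLE_LOG = """Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\spoolsv.exe
C:\\Documents and Settings\\noname\\Local Settings\\Temp\\spoolsv.exe
C:\\WINDOWS\\Explorer.EXE
C:\\Program Files\\ESET\\ESET NOD32 Antivirus\\ekrn.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
"""

# Directory each core Windows XP-era process is expected to run from (assumed table,
# lower-cased; extend it for your own builds).
EXPECTED_DIRS = {
    "smss.exe": {"c:\\windows\\system32"},
    "svchost.exe": {"c:\\windows\\system32"},
    "spoolsv.exe": {"c:\\windows\\system32"},
    "explorer.exe": {"c:\\windows"},
}

def parse_running_processes(log: str) -> list[str]:
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    paths, in_block = [], False
    for raw in log.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_block = True
        elif in_block:
            if not line:  # blank line ends the block; R0/O4 entries follow it
                break
            paths.append(line)
    return paths

def flag_lookalikes(paths: list[str]) -> list[tuple[str, list[str]]]:
    """Return (path, expected_dirs) for well-known names running outside their usual directory."""
    findings = []
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        if name in EXPECTED_DIRS and str(wp.parent).lower() not in EXPECTED_DIRS[name]:
            findings.append((p, sorted(EXPECTED_DIRS[name])))
    return findings

if __name__ == "__main__":
    for path, expected in flag_lookalikes(parse_running_processes(SAMPLE_LOG)):
        print(f"CHECK: {path} (expected in {', '.join(expected)})")
```

A hit is a lead to confirm with AV and anti-malware tools, not proof of infection; the system32 spoolsv.exe in the sample is left alone, exactly as the reply advises.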


#3 johngreen168

  • Topic Starter

Posted 27 December 2012 - 03:01 AM

Oh, I see. At the moment I am studying the HijackThis program, so according to what you said, we could ignore everything in the startup header and only research entries from R0/R1 ... O23. Please correct me if I am wrong.

Thanks a lot.

#4 shelf life

  • Malware Response Team

Posted 27 December 2012 - 12:52 PM

Well, no, you shouldn't ignore them, but confirmation is needed before you start to delete things.


#5 johngreen168

  • Topic Starter

Posted 28 December 2012 - 06:35 AM

Uhm, how do you confirm that? Can I use this efsdfgxg.exe to illustrate what you said?

Example 1:
If this file efsdfgxg.exe is in Startup and also appears in an O4 entry, then we definitely delete it.
(Is it possible for a file to appear in the startup header as well as in an O4 entry?)

Example 2:
If this file efsdfgxg.exe is NOT in Startup but appears in an O4 entry, should we delete it?

Please clarify, thank you very much.

#6 shelf life

  • Malware Response Team

Posted 28 December 2012 - 08:36 AM

To me it doesn't matter where or how many times it appears in a log. After doing this for a while you start to recognize files that are probably malware, like your example. At least this was more true in the past. Some of today's malware may not even show up in a log. Confirmation comes from running available tools, utilities and anti-malware software.


#7 johngreen168

  • Topic Starter

Posted 29 December 2012 - 04:19 PM

I believe that was the answer I was looking for, thank you very much, and I hope one day I can join the malware removal team here, lol.
