Interpreting HiJackThis Logs in Windows XP - Process Analysis, an Example
(Page 2 of 4)
Entry under examination: C:\WINDOWS\System32\smss.exe
File for analysis: smss.exe
Step 1: Enter smss.exe in the search box found on the home page of http://www.processlibrary.com , and click "Find."
Step 2: After clicking on the results, you will see this screenshot:
The tool returned six results for smss.exe. Bear in mind that only the GREEN result contains the specification for the correct/non-malware file; the rest of the results (in red) are reported malware or Trojans.
Step 3: Click the GREEN result (first result) in the list. You will then see the description of the process under analysis, and most of the information which you should know in this page is under "General information."
You will see the author and the default/standard process path; in this example it is:
Part of: Microsoft Windows Operating System
The common path starts with %system%; path notations like this are called "environment variables" by Windows. The path actually points to the system32 folder in Windows XP. So in this case it will be:
Another nearly complete list of environment variables commonly used is here:
Based on the result provided above, the common path coincides with the HJT entry for this process, so this means that it is not a malware or Trojan entry.
This is just a simple illustration of how to analyze a process entry in HJT logs. By doing this on a daily basis, you will soon become acquainted with what is normal and what is not, so in the long run you will not always need to look at processlibrary.com as you gradually learn to interpret process-related entries.
You can even put the HJT log into an Excel file and shade those entries that are malware. This way, you can systematically analyze processes one by one.
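To make the path comparison described above repeatable, the following added Python example (not code from the original article or from processlibrary.com) expands the %system%/%windir% notation with assumed Windows XP defaults and flags any "Running processes" entry whose location differs from its known common path. The known-good table beyond smss.exe and the sample log excerpt are constructed for illustration.

```python
import re

# Expansion of the processlibrary.com-style notation used on this page.
# Assumed values for a default Windows XP install on drive C:.
PATH_VARS = {
    "%system%": r"C:\WINDOWS\System32",
    "%windir%": r"C:\WINDOWS",
    "%programfiles%": r"C:\Program Files",
}

# Expected "common path" per process. smss.exe comes from the page; the other
# entries are assumed examples of what a reader would collect over time.
KNOWN_GOOD = {
    "smss.exe": r"%system%\smss.exe",
    "csrss.exe": r"%system%\csrss.exe",
    "winlogon.exe": r"%system%\winlogon.exe",
    "explorer.exe": r"%windir%\explorer.exe",
}

def expand(path):
    """Replace %var% tokens with their assumed XP values (case-insensitive)."""
    return re.sub(r"%[^%]+%", lambda m: PATH_VARS.get(m.group(0).lower(), m.group(0)), path)

def classify(entry):
    """Verdict for one 'Running processes:' line: does it sit on its common path?"""
    name = entry.rsplit("\\", 1)[-1].lower()
    expected = KNOWN_GOOD.get(name)
    if expected is None:
        return "unknown"                      # not in the table: look it up manually
    if entry.lower() == expand(expected).lower():
        return "matches common path"
    return "PATH MISMATCH: expected " + expand(expected)

def analyze(log_text):
    """Parse the 'Running processes:' section of an HJT log and classify each path."""
    results, in_section = {}, False
    for line in (l.strip() for l in log_text.splitlines()):
        if line.lower().startswith("running processes:"):
            in_section = True
        elif in_section:
            if not line or re.match(r"^[RFO]\d+ - ", line):   # next HJT section starts
                break
            results[line] = classify(line)
    return results

# Constructed sample log excerpt, not taken from any real system.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\user\Local Settings\Temp\smss.exe
C:\Program Files\Example\tray.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""

if __name__ == "__main__":
    for path, verdict in analyze(SAMPLE_LOG).items():
        print(f"{verdict:<50} {path}")
```

A mismatch, such as smss.exe running from a Temp folder, is the cue to treat the entry as a candidate for the red-shaded rows in the Excel sheet mentioned above.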