Wilders no longer doing HJT analysis?


PrntRhd
07-23-2004, 12:59 AM
I have been concerned that the sheer number of HJT logs and the hours they take to resolve manually would swamp the resources of various sites to resolve them with volunteers. I understand the decision Wilders made but I am concerned that it makes it harder for the other sites to keep up.
http://www.wilderssecurity.com/showthread.php?t=42148

shanmuga
07-23-2004, 02:43 AM
It's sad really, but understandable.....

From another forum,

One of our efforts for many months in a row has been organizing (major) board owners having their HJT for swamped; funding one big well protected dedicated server in combo with solid commercial board software, redirecting all HJT posts to this central server/domain. All HJT experts centralized, no more cross posting scattered all over the decentralized forums. In our opinion the most professional way to go as a last barrier before the AV/AT companies will be forced to tackle these issues - which will be the logical next step.

Unfortunately, our efforts have been without avail.

regards.

Paul Wilders
»www.wilderssecurity.com

Now on the main point, a large amount of experience with HijackThis log threads here has shown that far too often bad advice is given by people not experienced in the latest forms of spyware infections. This malware changes constantly and the fix advice can drastically change with it. Yesterday's sure fix is today's certainty of corrupting a person's system. That's why the HijackThis forum section here limited reply postings to authorized team members only, as almost all the other similar security forums do. (We were not alone in this approach.)

To you, it may sound like getting "some advice" or "partial advice", or advice "slightly above" the poster's own knowledge level would be helpful, but in reality it's a very bad idea. Partially good fix advice in HijackThis (i.e.: what to check and fix in HJT, or what files to delete, or whatever) can easily lead to rendering a system totally corrupted and causing a need to reformat it.

At the very least, such partial fixes end up masking the real problem. You see, some of the hijack symptoms are very easy to find in HijackThis logs, and telling people to fix those is also easy. (We can all do that.) Unfortunately, without expert understanding that those are only symptoms and not the root cause, which will remain following poor or incomplete fix advice, the person's PC will end up in worse shape, and it'll be far harder to find the root cause now that some of the symptoms have been lost.

While it'd be wonderful to think that we could just let people post HJT logs here and let anyone at all who wanted post fix advice... and hope that they'd only posted enlightened, intelligent and helpful fixes, unfortunately, that's just not reality.

In the end when some people have totally corrupted systems, what do we answer them when they asked why we allowed such bad advice to be posted, which caused all their problems, when we could have simply advised them to go to one of the many other available forums that still operate properly supervised HJT forums?

No, we're not going to do that here. We spent a couple months looking at the problem, many possible solutions and we even talked with other forum owners before taking this action. »www.wilderssecurity.com/showpost.php?s..

PrntRhd
07-23-2004, 10:50 AM
No, we're not going to do that here.
Thank you to all here who do the analysis on these logs, a valuable service indeed!

By the same token, there should be some reciprocity.
1) Don't post logs and fix problems and take money from customers and friends for the efforts of the volunteers. Be intellectually honest about what you are posting and why you are posting; if you get the fix here and get money for it, tip the Tip Jar for the site.
2) Scan and fix with Adaware/Spybot and reboot before running HJT. Empty the Temporary Internet files and other garbage so the readers (all of us) don't have to wade through the nonsense.

Steve
07-23-2004, 06:48 PM
I read that at Wilders, this morning. I was surprised but I do understand their decision. I'm finding, in the shop as well as in my friends', neighbors' and families' computers, that almost ALL computers have spyware installed to one degree or another. Randomly named trojans (if that's what they really are) are everywhere.

The members of law enforcement that I know seem to think the whole CWS/trojan situation is an attempt by the "russian mafia" to pull off the largest identity theft racket in the world. I have no reason to doubt them. I think folks who bank online are misguided. I don't even feel right when ordering computer products online. I always recommend that if you are going to purchase things online, set aside one particular credit card for that sole purpose and monitor it closely. Try to limit the amount of personal info that is out there.

It has gotten out of control. If you look at some of the big anti-spyware sites you can see that hundreds of requests for help go unanswered. You can plant thousands of trojans automatically. Quickly. Each HJT log has to be analyzed individually by trained people. HJT is a great tool for the trained tech working on a computer. It's not the right tool to clean thousands of computers per day.

The next step, which I have mentioned before and which is mentioned in the post at Wilders, is for the major anti-virus companies (or anyone with millions of dollars to invest) to take the lead to fight the problem. The time has come. The criminals have millions of dollars to put into this. It's going to take deep pockets to fight it successfully.

I'll continue to help folks, one at a time, and I know that many others will also. It's the least we can do. I hope that not too many sites follow Wilders' lead. That would be a shame. I do understand if Charles and the owners of the other help sites restrict analyzing HJT logs to those they feel comfortable with, just in case there is some kind of liability or reputation issue involved.

Boy, the times sure are changin' fast...:)

pop pop
07-24-2004, 01:08 AM
I'm new to these boards but I could see this coming from day one. HJT is an incredible tool and the "free" services provided here and on some of the other boards are nothing short of a Godsend for the average novice who is simply overwhelmed by anything more than a point and click of the mouse when it doesn't work as expected.

The problems here are 1) the overwhelming numbers of the afflicted, 2) the limited numbers of qualified "healers", 3) the absolute need for those healers/experts to manually do the analysis and recommend fixes, 4) the understandable and genuine concern for the potential damage that an incorrect diagnosis and directed treatment might cause, and 5) the cost of potential liability if something goes wrong.

IMHO, the mega-corporations just aren't going to "take the lead to fight the problem", primarily due to problem number 3 that I cite above. Case in point ... got a problem with Windoze? What advice/help do you get from their websites? Research and solve it yourself and/or go to a forum and/or ask someone else.

These problems also present an opportunity that I would think those of you who are experts with HJT have already considered and may already be doing in one form or another. Continue to offer expert HJT services with certain qualifications. Have a separate HJT services board that can only be accessed by paying a nominal fee (say $10-20) and acceptance of a limited liability/warranty agreement. Use/overuse could be constrained by certain limitations which might be time, number of problems, number of PCs involved, etc. Only certified experts would man the board, perform analysis, and make recommendations. The fees could go to support operation and maintenance of the board and maybe a portion fed back to the HJT developer.

You guys have already established a great reputation that is growing. The malware problem is growing. Hiding your heads in the sand and hoping the Microsofts, Symantecs, and McAfees will eventually take the lead will not solve it. There is strength in numbers, and boards like yours and Wilders and others are the strength of those numbers. We need you and we damned sure appreciate what you do. Don't give up, please.:(

Budfred
07-24-2004, 02:12 AM
I spend most of my volunteer time training other people to fight spyware... If we start charging to do fixes and certifying people to be qualified to collect money, do I get a cut of each fix?? Quite honestly, I don't want it and the day that is the mode I will move on to other interests... I agree that people would pay for the help, but I don't see it as a business opportunity and most of the people out there that do are scam artists and crooks... They create ripped off faked fixes that they trick you into paying for and then infect you in the bargain as they get you to happily pay for the privilege...

I understand Wilders' move and I both regret and appreciate it... One of the most frustrating things for me is to spend 30 minutes working out a complex fix for someone, posting it and having that person post back that they already got a fix from one of the other 2 or 3 forums they posted to... Unfortunately, they will still do that with Wilders closed to logs... Or they post to 3 or 4 threads in the same forum... I understand that users are panicked, but I still resent that they create a big part of the problem by squandering the limited people resources that we have to wage this war... Not to mention running unprotected to begin with in many cases....

Also, as that quote indicates... I really would prefer that people who are interested get trained since doing partial fixes makes my job harder...

pop pop
07-24-2004, 02:24 AM
Quite honestly, I don't want it and the day that is the mode I will move on to other interests... I agree that people would pay for the help, but I don't see it as a business opportunity

An admirable philanthropic attitude, Budfred. We wish there were more out there like you. Another tangible benefit that you all and these forums provide is education. I think getting people educated and aware of the problem and what they can do THEMSELVES is half the battle and will ultimately ease the burden you guys face every day.

Strength in numbers ... educated numbers.

Thanks, again.

Mark Miller
07-24-2004, 12:34 PM
Question: is the problem from unpatched, not up to date anti-virus and the right protection tools such as Spybot, Ad-Aware and SpywareBlaster, or do these new vermin get through anyway?
I have followed Budfred's and Steve's advice as to what to run to protect myself and my computers.
Is this enough? Or are we all fighting a losing battle?
By the way Steve, I went to the 1 credit card approach [the safest, American Express] a long time ago and so far have seen no problems.
Mark:eek:

jlreich
07-24-2004, 01:28 PM
I agree with everything Budfred said. The moment this becomes a business, things have gone very wrong. The forums and the people behind these forums that handle HJT logs are motivated by the want to help others and try to put a dent in crapware. When money is involved a whole other set of motivations comes into play. We have already seen the negative effects of that with "rogue spyware programs". It just makes things harder for those like Budfred.


Budfred, would it help for some of us "non experts" to come in on the first post and tell them to run the standard tools Ad-Aware, Spybot and CWShredder? Then tell them to run and post a HJT log and wait for an expert?

Would this lighten the load or just make things harder?

Also I would like to suggest that if one of the experts starts to work on a log, they post something like "I have started to work on your log, please be patient as this may take some time". That way we don't have 3 or 4 people working on the same thing at once, freeing up the experts to help others.

I know this is the policy of some of the other forums. Just thought I would mention it here. I know this forum is not dedicated to spyware removal, but anything to help consolidate the resources we do have here seems like a good idea to me. IMHO

Budfred
07-24-2004, 03:24 PM
Unfortunately, as it says in that quote.... attempts to help often make the situation worse... Asking a user to post an HJT log is helpful if there isn't one... If you know how to recognize a version 1.97 versus 1.98 log or a partial log, it can be helpful to ask for an updated and full log... Running the spyware scans might be helpful, but it may also disguise the presence of the new CWS variants.... Running CWShredder these days is often NOT a good idea because it is likely to make it harder to find the problem if the user hasn't already posted a clearly infected first log...

Mark,

Generally if you run protections and you are careful about what you download and where you go, you are unlikely to get infected... That may not be true tomorrow, but it is for right now... This is a very dynamic thing with the scumwriters making a lot of money producing verminware and those of us on the other side investing a lot of time to try to stop them... Throw into that mix the rageful scriptkiddies who do evil things for bragging rights or just because they want to hurt a few million people and you have a very unstable situation... Even if all the profit went out of the game (not likely in this lifetime), the people that started all of this simply to satisfy their rage will still be out there trying to hurt us... Just keep protecting yourself and teach others to do so and hope they don't come up with an internet killer....

Mark Miller
07-24-2004, 03:44 PM
Thanks Budfred,
You are really doing a great job!!!
And I for one appreciate it
Mark

Steve
07-24-2004, 06:46 PM
Just to tag a little onto this thread, you can check out the new policy over at Net-Integration here...

http://forums.net-integration.net/index.php?showtopic=20290

Mark Miller
07-24-2004, 07:11 PM
Hi Steve,
I guess I am going to start following this stuff on other security forums, like the link you have.
Who knows I may learn something
Hope all is well
Mark

Budfred
07-24-2004, 08:26 PM
Looks like they are getting tough over there... It is getting overwhelming, so I won't be surprised to see similar moves in other forums as well... My main worry is that the scammers who offer bogus help for money and the less qualified helpers in some forums are going to just get worse... :eek: :eek:

Steve
07-24-2004, 08:49 PM
Heh heh...can't help but learn something at most of these sites, Mark. Can you imagine folks threatening to sue because they ended up having to format and reinstall after being choked with spyware? Even more amazing is that Eagle1 has to take that kind of stuff seriously. I think people might be taking this whole thing a little too seriously.

Learning enough about spyware and HJT to take care of your own computer and maybe help out a poster or two isn't all that difficult. That's why I post information for self help whenever I can. It just takes some interest and some time. There is a ton of info out there on dozens of sites. As Eagle1 points out, there are many inflated egos in the anti-spyware group who would like people to think there is some magic to all of this. There isn't.

And thanks Mark, all is well here. Very well, in fact. I hope the same is true with you...:)

PrntRhd
07-24-2004, 11:04 PM
Steve of course is correct that it's easy to find out how this stuff works. Here is a link on how to use HJT; I just wish they required reading this stuff before someone downloads and posts logs.
bleepingcomputer (http://www.bleepingcomputer.com/forums/index.php?showtutorial=42)

Budfred
07-25-2004, 01:32 AM
I don't think it takes anything magical to know how to do this stuff... I can do it and I am not a magical kind of guy... However, I do think that the malware is getting trickier all the time and it is being designed to thwart the casual helper... I have had a number of cases of having to do more work to undo some of the help that people have been given or have done themselves which resulted in hiding the problem more effectively or even making things worse...

I think it is great when people make the effort to find the information and set up good protections, but I think it is often not a good idea for untrained people to deal with it once the infection is there... Some infections will go with very little protest, but some are only pried out with a digital crowbar...

There is no exclusive club... anyone who wants to can get into Boot Camp and take advantage of the training and all the resources that are there... If someone wants to start helping, that is what I suggest you do... If you think that represents my inflated ego... so be it...

Paleo Pete
07-25-2004, 02:56 AM
Wow...I knew the overall situation was going downhill, and was getting there fast, but I didn't think it would get to the point some forums would see a need to stop supporting malware removal/tools this soon. It had to happen, it's basically consuming support forums...

Good info though, and some of it very true, especially in Eagle1's comments, which cover a number of things I've noticed (and expected) here for a good while. I hate to see both sites taking the stance they are, but I understand it at the same time. The HJT logs are clogging just about every forum site I know of. Wilders and Net Integration both show up quite regularly when I run searches for info on filenames. I have to admit I haven't paid attention to what forum section most of those posts are in; I'm usually just looking for confirmation that a particular file is definitely a problem.

But I know that here I spend more of my time moving posts around than just about anything else. Also, I see on this and other forums a tendency for inexperienced volunteers to offer advice that's not accurate. (Admittedly it's less of a problem here because I and others try to inform them and get them to do some serious research before posting.)

I've also been "dragging my heels" so to speak about getting the malware oriented sections of the forums more organized, mainly because I don't have a lot of time online and most of it is spent trying to dig up info to keep up with the increasing problems caused by the nastier versions of malware that we have to deal with. I sometimes spend 5-6 hours searching for information on customers' computers...Sometimes I don't get more than about an hour or so on the forums after spending 3-6 hours searching for the bits of decent information scattered here and there for a computer sitting on my bench.

I don't have any answers, but I would like to point out that the two notices linked here do bring up issues that need to be seriously considered.

First and foremost, if you want to help on Hijack This logs, PLEASE research your advice before posting. As pointed out already, here and in the links referred to in this thread, mistakes can be disastrous. Budfred has the last word as far as I'm concerned. I don't even pretend to be as knowledgeable about dealing with HJT logs; Budfred has really done his homework on this issue. If you're the least bit unsure, have the person wait until Budfred confirms it, or don't post, one of the two.

Budfred: As I mentioned, I haven't had time to be here a lot, if you feel someone else is also well enough trained on HJT to handle confirmations, let us know here and I'll trust your judgement, I can't read every post every night any more, just too many of them...Also, please post the link to the boot camp here, if you will, I don't have it handy.

Second, learn to recognize the older versions of HJT so you can let people know they need to start over with the new one, and watch for that. It's slipped by me quite a few times; I'm trying to remember it too...
This is a partial header of a HJT log:

Logfile of HijackThis v1.97.7
Scan saved at 3:11:11 PM, on

The version is in the first line of the log, shown here in bold. This one is v 1.97.7; I think we're on 1.98 now, not sure if it has a lesser revision number. Someone correct me if that's wrong, I didn't want to spend 20 minutes trying to find somewhere that had a definitive answer. I'm on a 28,800 connection, bear with me here...hehe

Also learn to instruct people on how to get Hijack This into its own folder, running it from temp files or the desktop is not a good idea. Do it yourself, by creating a folder in Windows Explorer, copy & paste the executable there, and place step by step SIMPLE AND UNDERSTANDABLE instructions into a notepad file you can copy into a post. Remember some of the people you're trying to advise might not know the first thing about creating a new folder, much less copying anything into it.
It's late, I can't think straight and have to drive 6 hours tomorrow, I'm probably already not making a lot of sense, I guess I'd better leave it at that for now...
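The version check Pete describes above (and the 1.97 vs 1.98 / partial-log distinction Budfred raised earlier) can be done mechanically before anyone spends time on a log. This is an added example, not code from the thread or from HijackThis; it assumes 1.98 is the current release, as the thread states, and treats a log without the header, the "Scan saved at" line, or any scan entries as partial. The sample logs are constructed.

```python
import re

# Latest HijackThis release named in this thread (1.98, July 2004); an assumed
# constant for the comparison, to be bumped when a newer build ships.
LATEST_HJT_VERSION = (1, 98, 0)

# First line of every HJT log, e.g. "Logfile of HijackThis v1.97.7".
HEADER_RE = re.compile(r"^Logfile of HijackThis v(\d+)\.(\d+)(?:\.(\d+))?\s*$", re.M)
# Second line, e.g. "Scan saved at 3:11:11 PM, on 7/25/2004".
SCAN_RE = re.compile(r"^Scan saved at .+, on.*$", re.M)
# Scan entries start with a section code such as R0, O2, O4, then " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - ", re.M)


def parse_version(log_text):
    """Return the HJT version as a comparable tuple, or None if no header."""
    m = HEADER_RE.search(log_text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3) or "0"
    return (int(major), int(minor), int(patch))


def triage_log(log_text):
    """Classify a posted log so a helper knows whether to ask for a new one."""
    version = parse_version(log_text)
    has_scan_line = SCAN_RE.search(log_text) is not None
    entry_counts = {}
    for code in ENTRY_RE.findall(log_text):
        entry_counts[code] = entry_counts.get(code, 0) + 1

    problems = []
    if version is None:
        problems.append("no 'Logfile of HijackThis' header: partial or badly pasted log")
    elif version < LATEST_HJT_VERSION:
        problems.append("outdated HijackThis v%d.%d.%d: ask for a log from the current version" % version)
    if version is not None and not has_scan_line:
        problems.append("'Scan saved at' line missing: header was cut off")
    if not entry_counts:
        problems.append("no scan entries: log is truncated")

    return {
        "version": version,
        "complete": version is not None and has_scan_line and bool(entry_counts),
        "outdated": version is not None and version < LATEST_HJT_VERSION,
        "entry_counts": entry_counts,
        "problems": problems,
        "ready_for_analysis": not problems,
    }


# Constructed sample logs (not real captures). Header lines follow the shape
# quoted in the thread; entries and paths are placeholders.
CURRENT_LOG = """Logfile of HijackThis v1.98.0
Scan saved at 10:02:15 AM, on 7/25/2004

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://example.invalid/
O2 - BHO: (no name) - {PLACEHOLDER-CLSID} - C:\\WINDOWS\\System32\\placeholder.dll
O4 - HKLM\\..\\Run: [Placeholder] C:\\WINDOWS\\placeholder.exe
"""
OLD_LOG = """Logfile of HijackThis v1.97.7
Scan saved at 3:11:11 PM, on 7/24/2004
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://example.invalid/
"""
PARTIAL_LOG = """O4 - HKLM\\..\\Run: [Placeholder] C:\\WINDOWS\\placeholder.exe
"""

if __name__ == "__main__":
    for name, text in (("current", CURRENT_LOG), ("old", OLD_LOG), ("partial", PARTIAL_LOG)):
        print(name, triage_log(text))
```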

Budfred
07-25-2004, 03:21 AM
You are right Pete, the latest version of HJT is 1.98...

The link to the SWI where people can sign up to join Boot Camp is here... You just register, post a request and pretty soon you get a PM from me telling you about the how the Boot Camp works and where to start...

http://forums.spywareinfo.com/index.php?showtopic=34

Steve
07-25-2004, 08:10 AM
If you think that represents my inflated ego... so be it...

I wasn't referring to you, Bud'. But I'm sure you know what Eagle1 was talking about.

The Bootcamp at Spyware Info is truly an "everyone's welcome" kind of place. CNM and Budfred ask no one to jump through hoops to come in. It is one of the places where "a ton of info" might be an understatement. It might be a little hard to find specific information for the first timer, but it won't take long for the interested to find their way around.

I just don't think people need to be an "expert" to help. I analyze logs and am certainly no expert. There are many simple to moderately difficult logs out there that just need someone with a basic understanding of the situation to clean them up. If we keep inferring that one needs to be an expert to do this stuff, there are going to be fewer and fewer people who try. Cleaning up a simple CWS infection with a Peper trojan thrown in doesn't take an expert.

Budfred
07-25-2004, 09:55 AM
Absolutely Steve... However, recognizing when it is not a simple CWS can be tricky and that is the problem... Especially if someone has already done some cleanup that hides the signs...

By the way... Peper seems to be getting a little meaner and it is getting to be harder to get rid of it...

And yes, I know the people that are ego tripping abound... they tend not to last long though... If their fixes are challenged because they are wrong or partial and they can't intimidate the person who notes that into taking it back, they tend to take their "expertise" off somewhere else... There are lots of forums out there that will be happy to make you an "Expert" or even an admin if you have a little bit of expertise... We lose a lot of promising people at Boot Camp because we don't just make them experts right away...:rolleyes: :rolleyes:

Steve
07-25-2004, 01:53 PM
We lose a lot of promising people at Boot Camp because we don't just make them experts right away
I know we're drifting off topic here but I've never been all that focused...:rolleyes:

I think the anti-spyware sites would be best off if they lose the status designations. Helper Trainee, Helper, Trusted Advisor, Expert, Moderator, Global Moderator! :eek: (what the hell is a global moderator?), Classroom, Slyware Warrior, Classroom Teacher, Technical Assistant, Technical Experts and on and on it goes, ad nauseam. There would be fewer hard feelings about status and more focus on getting the job done if the status came down to one thing. You're either allowed to analyze logs or you're not.

OK. End of rant. Carry on...;)

Mark Miller
07-25-2004, 02:42 PM
Hi Steve,
I just joined the SWI site and was wondering the same thing: what is a global moderator?:)
All things aside, I was and am pretty impressed with the amount of knowledge on the site.
Being a little older [alright, a lot older] I think I will be able to tell what is bravado and what is helpful information. [I had a firm of 300 people]
The premise is good and unfortunately in today's internet well needed.
Hope to see ya on the boards, though this site will always be my favorite:)

Budfred
07-25-2004, 03:00 PM
The reason for all the titles is that each one has slightly different access, privileges and responsibilities... The Global Mod has the ability to edit, remove, move and so on all over the site... The Boot Camp Mod (my title) can do those things only in Boot Camp, although I can do some things in the main forums that other levels can't... Helpers have more tools available than Trainees and both have more resources than casual Members and so on... It does make it more complicated, but it makes sense when you look at how it all fits together... Also, there is a wide range of ability between the typical Helper and the typical Expert...

Paleo Pete
07-26-2004, 01:04 AM
I just don't think people need to be an "expert" to help.

I hope nobody thinks that is my position...I don't think you should have to be an "expert", just know what you're doing. Due to issues already pointed out, the HJT logs at the heart of this discussion are not to be taken lightly. Removing the wrong registry entry and forcing a complete reinstall is a bit different from putting an IDE cable on backward...the cable only takes 30 seconds to rectify...

So I do and will continue to urge those wishing to help to do some homework before trying it. To the largely uninformed average user your advice might sound perfect, and some may not read all the way through or wait for a confirmation.

Budfred Thanks for the link and the info.

Gotta go, storm outside...