HijackThis Log [Windows Server 2003]


  • This topic is locked
19 replies to this topic

#1 ThunderPeel2001

  • Members
  • 10 posts

Posted 05 June 2009 - 01:06 PM

Hi! I've tried to run the DSS.SCR file thingie, but, obviously, it doesn't work on my OS. I hope someone can still help me.

We're a small company and we were hacked sometime last year. We have successfully prevented further similar hacks (we think), but we still needed to make 100% sure that nothing has been left lingering from the successful hack. We also want as clean a system as possible, for obvious reasons!

I'm unfortunately a bit of a newb, but it's fallen to me to get up to speed as quickly as possible!

Here's my HijackThis log. It should be quite straightforward, but the first entry is troublesome!

C:\Documents and Settings\XXXXX\WINDOWS\System32\smss.exe


There is no such directory "C:\Documents and Settings\XXXXX\WINDOWS\System32" (XXXXX was added by me)

What's going on?? Is it a bug in HijackThis or is it a seriously weird virus?

I hope someone can help!

Thanks,
- J

PS - I'm running Windows Server 2003: Standard Edition (x86)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:28:08 PM, on 6/5/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\Documents and Settings\XXXXX\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\SmarterTools\SmarterMail\Service\MailService.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\OLAP\bin\msmdsrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files\SmarterTools\SmarterMail\Web Server\SMWebSvr.exe
C:\WINDOWS\system32\lserver.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\SQLAGENT90.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\90\COM\logread.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
c:\windows\system32\inetsrv\w3wp.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\MsFTEFD.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\oobechk.exe
C:\WINDOWS\system32\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = res://shdoclc.dll/hardAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-930248560-2327225148-2110722888-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'XXXXX')
O4 - HKUS\S-1-5-18\..\Run: []  (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: []  (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\XXXXX\windows\system32\mswsock.dll' missing
O15 - ESC Trusted Zone: http://runonce.msn.com
O15 - ESC Trusted Zone: http://www.trendsecure.com
O15 - ESC Trusted Zone: http://*.windowsupdate.com
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O15 - ESC Trusted Zone: http://*.windowsupdate.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172669653382
O17 - HKLM\System\CCS\Services\Tcpip\..\{DC11A6A5-E355-4ABB-BBB9-4987B9BE12E7}: NameServer = XXX.XXX.XXX.161,XXX.XXX.XXX.163
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: SmarterMail Service (MailService) - Unknown owner - C:\Program Files\SmarterTools\SmarterMail\Service\MailService.exe
O23 - Service: SmarterMail Web Server (SMWebSvr) - SmarterTools Inc - C:\Program Files\SmarterTools\SmarterMail\Web Server\SMWebSvr.exe

--
End of file - 4925 bytes

Edited by ThunderPeel2001, 05 June 2009 - 01:34 PM.
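An added example, not code from the thread or from Trend Micro: a small Python triage script for the HijackThis log format posted above. It extracts the "Running processes" list and the O4/O23 entries and flags what a reviewer checks first: a process reported from a path under a user profile (the smss.exe line the poster could not find on disk, which later in the thread turns out to be a HijackThis display quirk on Server 2003, so the flag is a prompt for manual verification, not a verdict), an O23 service marked "(file missing)", and an O4 autostart with an empty command. The log excerpt is a constructed cut-down copy of the posted log, and the path-existence check is an injectable predicate so the script runs off the server.

```python
"""Triage a Trend Micro HijackThis 2.0.x text log.

Added example, not code from the thread or from Trend Micro.  The
'file exists' check is passed in as a predicate so the parser can be
exercised offline; on the server itself pass os.path.exists.
"""
import os
import re
from typing import Callable, Dict, List

# Constructed excerpt modelled on the log posted in the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows 2003 SP2 (WinNT 5.02.3790)

Running processes:
C:\Documents and Settings\XXXXX\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/hardAdmin.htm
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKUS\S-1-5-18\..\Run: []  (User 'SYSTEM')
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: SmarterMail Service (MailService) - Unknown owner - C:\Program Files\SmarterTools\SmarterMail\Service\MailService.exe
"""

# A system binary should live under %SystemRoot%, not under a profile tree.
# Server 2003 keeps profiles in "Documents and Settings"; "Users" is accepted
# so the same check works on later Windows versions.
PROFILE_ROOT = re.compile(r"^[a-z]:\\(documents and settings|users)\\", re.I)
ENTRY_LINE = re.compile(r"^[A-Z]\d+ - ")            # R0, F2, O4, O23 ...
EMPTY_O4_COMMAND = re.compile(r"\[\]\s*(\(User|$)")  # O4 ...: []  (User 'x')


def parse_hjt_log(text: str) -> Dict[str, List[str]]:
    """Split the log into the 'Running processes' paths and the typed entries."""
    parsed: Dict[str, List[str]] = {"processes": [], "entries": []}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                 # a blank line closes the process list
                in_processes = False
            else:
                parsed["processes"].append(line)
            continue
        if ENTRY_LINE.match(line):
            parsed["entries"].append(line)
    return parsed


def triage(text: str, exists: Callable[[str], bool]) -> List[str]:
    """Return human-readable findings that deserve a second look."""
    parsed = parse_hjt_log(text)
    findings: List[str] = []
    for path in parsed["processes"]:
        if PROFILE_ROOT.match(path):
            # The thread's smss.exe line: HijackThis reported a path under the
            # admin profile that did not exist.  Flag it for verification.
            findings.append(f"process reported under a user profile: {path}")
        elif not exists(path):
            findings.append(f"process path not found on disk: {path}")
    for entry in parsed["entries"]:
        if entry.startswith("O23 ") and entry.endswith("(file missing)"):
            # Orphaned service registration: the binary is gone but the
            # service entry remains (the LiveUpdate line in the thread).
            findings.append(f"service points at a missing binary: {entry}")
        elif entry.startswith("O4 ") and EMPTY_O4_COMMAND.search(entry):
            findings.append(f"autostart entry with an empty command: {entry}")
    return findings


if __name__ == "__main__":
    # On a Windows box check the real filesystem; elsewhere treat anything
    # under C:\WINDOWS as present so the sample still produces output.
    if os.name == "nt":
        exists_check = os.path.exists
    else:
        exists_check = lambda p: p.lower().startswith("c:\\windows\\")
    for finding in triage(SAMPLE_LOG, exists_check):
        print(finding)
```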


#2 ThunderPeel2001

  • Topic Starter
  • Members
  • 10 posts

Posted 08 June 2009 - 03:22 AM

I know we're not supposed to bump topics....... but I was 19 pages down the list! Can't anyone help??

===========

Hello

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our HJT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could result in disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone to assist you who is not familiar with your issue and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Orange Blossom, 08 June 2009 - 03:28 AM.


#3 etavares

    Bleepin' Remover

  • Malware Response Team
  • 15,514 posts
  • Gender:Male

Posted 15 June 2009 - 05:16 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#4 ThunderPeel2001

  • Topic Starter
  • Members
  • 10 posts

Posted 16 June 2009 - 04:06 AM

Hi, thanks for your response, unfortunately the DDS.SCR is not compatible with Windows Server 2003.

Thanks for any help.

Edited by ThunderPeel2001, 16 June 2009 - 04:06 AM.


#5 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 18 June 2009 - 03:33 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

May I ask why you edited out the name? Also, did you edit out the IP addresses from the O17 line? Are there any problems with the system, even something small?

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#6 ThunderPeel2001

  • Topic Starter
  • Members
  • 10 posts

Posted 19 June 2009 - 06:45 AM

Hi, I already did this scan a few days ago. Here are the results:

(As for your question, there are no known problems at the moment -- just that we were hacked a few months back.)

Malwarebytes' Anti-Malware 1.37
Database version: 2234
Windows 5.2.3790 Service Pack 2

6/8/2009 2:36:06 PM
mbam-log-2009-06-08 (14-36-06).txt

Scan type: Quick Scan
Objects scanned: 89573
Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by ThunderPeel2001, 19 June 2009 - 06:47 AM.


#7 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 19 June 2009 - 09:44 PM

Please download RunScanner
  • Save it to a folder you create such as C:\Runscanner (this assumes Windows is installed on your C: drive).
  • Launch Runscanner by double-clicking runscanner.exe within the C:\Runscanner folder.
  • Vista users must also click Continue to open Runscanner when prompted by User Account Control (UAC)
  • Check Beginner Mode
  • Click Scan computer
  • You will see a "Runscanner scan in progress" window displayed while Runscanner scans your system
  • At the conclusion of the scan, save the run file called runscanner.run to your documents folder or directly to the Runscanner folder. This is the file you will need to upload.
  • A runscanner.log file will automatically open in Notepad. Just close the Notepad window because it is ONLY the runscanner.run file that we are interested in.
  • Next, zip up the runscanner.run file that you just saved.
  • I want you to upload the zipped runscanner.run file as an attachment in your next reply
  • To do that choose "Additional Options" under "Post Reply"
  • Browse to the zipped RUN file location and then click the "Post" button to attach the file.
  • I will review the run file, and then upload it back to you with items marked for deletion.
  • Please await my directions and the returned RUN file, and do not delete anything in the interim


#8 ThunderPeel2001

  • Topic Starter
  • Members
  • 10 posts

Posted 23 June 2009 - 06:06 AM

Here you go. Thanks for any help.

As per your previous question: the reason I hid IP addresses and other personal information was for security reasons. Perhaps overly paranoid, but still...

Attached Files



#9 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 23 June 2009 - 11:57 AM

Now, I want you to fix some autostart items by using the RUN file that I have attached with items marked for deletion:
  • Please download and extract the attached Zip file called runscannerThunderPeel2001.zip to your Runscanner folder
  • Open Runscanner in Expert Mode by double-clicking runscanner.exe, checking "Expert" and clicking OK.
  • Click the "Open Run File" button
  • Browse to "runscannerThunderPeel2001.run" (the run file you just unzipped) located in the Runscanner folder, and click Open
  • The screen will refresh after the run file loads
  • Click the "Item Fixer" button
  • The items selected to be fixed will be displayed and checked for removal
  • Click "Fix Selected items"
  • Confirm that you want to fix these items by clicking OK in the confirmation dialog box.
  • You will receive a "Done fixing items" message when removal is complete.
  • Reboot
  • Launch Runscanner again, save another .RUN File called runscannerThunderPeel20012.run
  • Zip up runscannerThunderPeel20012.run and attach it to your next reply please.
Also, can you include an unedited HijackThis log? The parts you edited out may point to the problem. If you are uncomfortable about leaving that info in, please send me the log in a PM unedited.

Attached Files



#10 ThunderPeel2001

  • Topic Starter
  • Members
  • 10 posts

Posted 23 June 2009 - 01:19 PM

Hi Hoov, thanks for your help. I'm curious: What is "the problem" that you mention?

Edit: Our site will be too busy for the next 12 hours to reset, I'll post the things you requested tomorrow. Thanks again.

Edited by ThunderPeel2001, 23 June 2009 - 01:36 PM.


#11 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 23 June 2009 - 06:18 PM

In your first post you mention,

There is no such directory "C:\Documents and Settings\XXXXX\WINDOWS\System32" (XXXXX was added by me)

I am assuming that this is a problem. When there is a profile that no one claims, it can either be one created by default in Windows, or by someone who was either on your system legally, or by the hack. There are several other entries in the HijackThis log that are of the same user, yet you have not been able to find this user, therefore it is a problem. It may have been just a misunderstanding, or it could have been created by accident, but then you should be able to find it in the user control panel. But you mention there is no such directory, so until proven otherwise I assume it is malware related. The name used may give a hint to what caused it (the problem).

Basically I am of the opinion that anything that is unexplained that is running is a problem. I don't trust unknown things running on my computers, and when I am helping someone with a system that has been hacked in the past, I treat their system as I would treat mine.

#12 ThunderPeel2001

  • Topic Starter
  • Members
  • 10 posts

Posted 24 June 2009 - 04:08 AM

Hi Hoov, there is indeed a small misunderstanding, probably my fault for not making things clearer. Sorry! The XXXXX is actually our admin user, which, for security reasons, I felt would be better to keep anonymous (although, I suppose these days it doesn't make too much difference?). There is, and I should have made this clearer - sorry, an "extra" directory listed by HJT within this user's directory: "WINDOWS\System32". You cannot navigate to this directory, so it made me suspicious.

However, it turns out that this is a quirk of HJT and Windows Server 2003 and nothing to worry about (which you probably knew, hence the confusion -- I was confused by the sub-directories, you were thinking it was the XXXXX!).

Anyways, I will run the RunScanner as you requested. (I'll admit to being a little scared, though -- nothing bad can happen to our server! Eep.)

I appreciate you taking the level of care you would for our own machine.

Thanks again,
- Johnny

#13 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 24 June 2009 - 09:05 AM

OK, that clears up some issues. I did think you were implying that the user directory was unknown. As for directories showing up in HijackThis, and not in Windows Explorer, that is a fairly common issue. Windows hides somewhere between 25 and 50% of the content of the Windows installation. This is because Microsoft has decided that stupid people like us users are not capable of not messing up a Windows installation.

About Runscanner, if you want to run it go ahead, if not, no worries there either. Basically it is just going to clean up some entries for files that are no longer installed. The entries can be left alone if you are really worried.

#14 ThunderPeel2001

  • Topic Starter
  • Members
  • 10 posts

Posted 24 June 2009 - 09:27 AM

OK, that clears up some issues. I did think you were implying that the user directory was unknown. As for directories showing up in HijackThis, and not in Windows Explorer, that is a fairly common issue. Windows hides somewhere between 25 and 50% of the content of the Windows installation. This is because Microsoft has decided that stupid people like us users are not capable of not messing up a Windows installation.

About Runscanner, if you want to run it go ahead, if not, no worries there either. Basically it is just going to clean up some entries for files that are no longer installed. The entries can be left alone if you are really worried.


Ah! That makes more sense! This directory, though, REALLY doesn't exist. I mean, it's not hidden or anything. I have all files set to being visible. It's not even there in CMD/DOS. (Unless there are directories that you can NEVER see?)

I think I probably will do the Runscanner entries, like you recommended, but not right now. I'm still learning things and I'm afraid of messing something up! (Especially since I'm administering remotely.) I'll probably do it in the next day or so.

Should I take it that our system looks reasonably clean, other than that, then?

#15 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 25 June 2009 - 01:04 PM

Yep. As for the Runscanner thing, because of the system it is on, make sure you do a system restore point first. Then if it does create a problem, you can go back. About the directory, when you were using a command prompt, were you running it from inside Windows? If so, the same rules apply as if you were just in Windows. Even logging in as an Admin may not let you see it if the user has set the privacy options.