Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HijackThis Logfile "This entry is not running from the System32 folder, so it is probably nasty."


  • Please log in to reply
3 replies to this topic

#1 lewchootrain

lewchootrain

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:29 AM

Posted 20 May 2010 - 02:31 AM

Ran a HijackThis logfile and it came up with a few processes with the following response.

"This entry is not running from the System32 folder, so it is probably nasty."

It had this response for these entries.

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\windows\System32\alg.exe (file missing)
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\windows\system32\vssvc.exe (file missing)

I don't know whether to trust http://www.hijackthis.de and it's feedback. I'm also afraid that I might delete crucial processes that Windows 7 requires and I don't want to mess up my new laptop. Should I remove these entries?

I really want to protect my laptop as my parents just bought me a new one after my old laptop died on me after 3 years in college. Please help. Thanks.

Edited by lewchootrain, 20 May 2010 - 02:32 AM.


BC AdBot (Login to Remove)

 


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:29 AM

Posted 20 May 2010 - 08:05 AM

Are you using a 64-bit system? If so, be aware Microsoft created a new folder (C:\Windows\SysWOW64) that contains all the 32-bit .dll files required for compatibility which run on top of the 64-bit version of Windows. WOW64 is the x86 emulator that allows 32-bit Windows-based applications to run on 64-bit Windows but x86 applications are re-directed to the x86 \syswow64 when seeking the x64 \system32. For a more detailed explanation, please refer to Making the Move to x64: File System Redirection and WOW64 Implementation Details. Many of the tools we use for malware removal are designed for 32-bit systems and do not work or can give misleading results on 64-bit machines. For instance, running HijackThis on a 64-bit machine may show log entries which indicate indicate (file missing) when that is NOT always the case. Anti-malware scanners and many specialized fix tools have problems enumerating the drivers and services on 64-bit machines so they do not always work properly.

IMPORTANT NOTE: HijackThis is an advanced enumerator (similar in some respects to a registry editor) that is used to display certain areas of the Windows registry where the majority of malware reside. HijackThis will scan these areas of your system and then create a log to help diagnose the presence of undetected malware in known hiding places. However, since HijackThis only scans certain areas of your system/registry, a hijackthis log may not always show all the malware on your system. Most of the log entries are required to run a computer and removing essential ones can potentially cause serious damage such as loss of Internet connectivity or problems with your operating system which could preventing it from starting. Using HijackThis requires advanced knowledge about the Windows Operating System and relies on trained experts to interpret the log entries and investigate them in order to determine what needs to be fixed.

Online HijackThis analyzers work in a similar manner but rely on the user's ability to interpret the results and determine what needs to be fixed. However, they often provide misleading and/or questionable results. In my experience, they DO NOT always identify all the malware or all the files properly. They sometimes list legitimate files as bad and bad files as legitimate. They sometimes show entries with no file (file missing) as bad when that is not always the case. Although these sites are open to the public, the user needs to know what they are doing and how to research the displayed log entries before using the original HijackThis application to fix anything.

If you do not have advanced knowledge about computers or training in malware investigation, you should NOT rely on the results of online analyzers or attempt to fix anything without consulting an expert. Doing so on your own and using HijackThis incorrectly could adversely impact your system.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 lewchootrain

lewchootrain
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:06:29 AM

Posted 20 May 2010 - 05:17 PM

Yes I am using Windows 7 in 64 bit so the hijackthis logfile could be wrong. I've only had my laptop for a couple of days so hopefully it isn't anything of concern. Thanks.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,939 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:29 AM

Posted 21 May 2010 - 05:47 AM

Are you having any specific issues that require a request for assistance with malware removal? If so, please describe any problem(s) in detail as they could provide a clue as to whether your issues are malware related or not.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users