
I seem to have multiple issues...help please

Discussion in 'Windows XP' started by Gandorr, Feb 4, 2004.

Thread Status:
Not open for further replies.
  1. Gandorr

    Gandorr Thread Starter

    Joined:
    Feb 3, 2004
    Messages:
    2
    I have run everything I can get my hands on to try and solve my problems and have gotten rid of a few. Now I have the SYSTEM32 folder showing up on boot up, there are some strange things being put into the startup registry...something is running that I just can't find. I would appreciate any help you guys can give me.

    Hijackthis file:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:03:08 PM, on 2/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Matt\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0CA54231-BB6F-3AB0-BADB-2D18E2BCB5BE} - (no file)
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {F85340C4-7CD9-CF3B-B51F-C20AD92B3069} - C:\WINDOWS\system32\expmmxav.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKLM\..\Run: [ <td bgcolor="#000033" align="center"><img src="/icons/home_header.jpg" width="638" height="65"><] c:\WINDOWS\System32\ <td bgcolor="#000033" align="center"><img src="/icons/home_header.jpg" width="638" height="65"></td>
    O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
    O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <br>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKLM\..\Run: [ <td bordercolor="#FFFFFF" bgcolor="#000033"><font color="#FFFFFF" size="+1">Gett] c:\WINDOWS\System32\ <td bordercolor="#FFFFFF" bgcolor="#000033"><font color="#FFFFFF" size="+1">Getting
    O4 - HKLM\..\Run: [ Connected </font><] c:\WINDOWS\System32\ Connected </font></td>
    O4 - HKLM\..\Run: [ <td valign="top" bordercolor="#FFFF] c:\WINDOWS\System32\ <td valign="top" bordercolor="#FFFFFF">
    O4 - HKLM\..\Run: [ The below links will outline the procedu] c:\WINDOWS\System32\ The below links will outline the procedures
    O4 - HKLM\..\Run: [ to access the campus network. ] c:\WINDOWS\System32\ to access the campus network. <ul>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ <ul>
    O4 - HKLM\..\Run: [ <li><a href="/Link2UM/index.html">On-Campus Students<] c:\WINDOWS\System32\ <li><a href="/Link2UM/index.html">On-Campus Students</a>
    O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <ul>
    O4 - HKLM\..\Run: [ <li> All students living in on-campus housing including So] c:\WINDOWS\System32\ <li> All students living in on-campus housing including South
    O4 - HKLM\..\Run: [ Campus Commons, University Courtyard, and Fraternity Row.] c:\WINDOWS\System32\ Campus Commons, University Courtyard, and Fraternity Row.<br>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </li>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </ul>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </li>
    O4 - HKLM\..\Run: [ <li><a href="/Commuter/index.html">Commuter Students<] c:\WINDOWS\System32\ <li><a href="/Commuter/index.html">Commuter Students</a>
    O4 - HKLM\..\Run: [ <li>Students commuting to classes who want to use their lapt] c:\WINDOWS\System32\ <li>Students commuting to classes who want to use their laptops
    O4 - HKLM\..\Run: [ or PDAs from classrooms or computer labs.] c:\WINDOWS\System32\ or PDAs from classrooms or computer labs.<br>
    O4 - HKLM\..\Run: [ <li><a href="/Fac-Roam/index.html">Faculty and Staff <] c:\WINDOWS\System32\ <li><a href="/Fac-Roam/index.html">Faculty and Staff </a>
    O4 - HKLM\..\Run: [ <li>All faculty and staff who want to use their desktops, lapto] c:\WINDOWS\System32\ <li>All faculty and staff who want to use their desktops, laptops,
    O4 - HKLM\..\Run: [ or PDAs from their offices, classrooms, computer labs, or confere] c:\WINDOWS\System32\ or PDAs from their offices, classrooms, computer labs, or conference
    O4 - HKLM\..\Run: [ rooms. ] c:\WINDOWS\System32\ rooms. <br>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </ul>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKLM\..\Run: [ <table border="0" cellspacing="0" cellpadding="5" align="center" width="6] c:\WINDOWS\System32\ <table border="0" cellspacing="0" cellpadding="5" align="center" width="680">
    O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
    O4 - HKLM\..\Run: [ <td>This page is maintained by Networking and Telecommunications Servic] c:\WINDOWS\System32\ <td>This page is maintained by Networking and Telecommunications Services.
    O4 - HKLM\..\Run: [ Questions and comments should be sent to: [email protected] &copy; 1999-2] c:\WINDOWS\System32\ Questions and comments should be sent to: [email protected] &copy; 1999-2003
    O4 - HKLM\..\Run: [ University of Maryland<] c:\WINDOWS\System32\ University of Maryland</td>
    O4 - HKLM\..\Run: [ <td><img src="/icons/OITlogo_footer.gif" width="250" height="53"><] c:\WINDOWS\System32\ <td><img src="/icons/OITlogo_footer.gif" width="250" height="53"></td>
    O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled
    O4 - Global Startup: Microsoft Office.lnk.disabled
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37921.5156481481
     
  2. PC_Wiz

    PC_Wiz

    Joined:
    Nov 19, 2003
    Messages:
    1,245
    Run a virus scan online

    http://housecall.antivirus.com/housecall/start_corp.asp

    and adware http://www.lavasoftusa.com/support/download/


    All this should not be there:

    O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKLM\..\Run: [ <td bgcolor="#000033" align="center"><img src="/icons/home_header.jpg" width="638" height="65"><] c:\WINDOWS\System32\ <td bgcolor="#000033" align="center"><img src="/icons/home_header.jpg" width="638" height="65"></td>
    O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
    O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <br>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKLM\..\Run: [ <td bordercolor="#FFFFFF" bgcolor="#000033"><font color="#FFFFFF" size="+1">Gett] c:\WINDOWS\System32\ <td bordercolor="#FFFFFF" bgcolor="#000033"><font color="#FFFFFF" size="+1">Getting
    O4 - HKLM\..\Run: [ Connected </font><] c:\WINDOWS\System32\ Connected </font></td>
    O4 - HKLM\..\Run: [ <td valign="top" bordercolor="#FFFF] c:\WINDOWS\System32\ <td valign="top" bordercolor="#FFFFFF">
    O4 - HKLM\..\Run: [ The below links will outline the procedu] c:\WINDOWS\System32\ The below links will outline the procedures
    O4 - HKLM\..\Run: [ to access the campus network. ] c:\WINDOWS\System32\ to access the campus network. <ul>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ <ul>
    O4 - HKLM\..\Run: [ <li><a href="/Link2UM/index.html">On-Campus Students<] c:\WINDOWS\System32\ <li><a href="/Link2UM/index.html">On-Campus Students</a>
    O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\ <ul>
    O4 - HKLM\..\Run: [ <li> All students living in on-campus housing including So] c:\WINDOWS\System32\ <li> All students living in on-campus housing including South
    O4 - HKLM\..\Run: [ Campus Commons, University Courtyard, and Fraternity Row.] c:\WINDOWS\System32\ Campus Commons, University Courtyard, and Fraternity Row.<br>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </li>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </ul>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </li>
    O4 - HKLM\..\Run: [ <li><a href="/Commuter/index.html">Commuter Students<] c:\WINDOWS\System32\ <li><a href="/Commuter/index.html">Commuter Students</a>
    O4 - HKLM\..\Run: [ <li>Students commuting to classes who want to use their lapt] c:\WINDOWS\System32\ <li>Students commuting to classes who want to use their laptops
    O4 - HKLM\..\Run: [ or PDAs from classrooms or computer labs.] c:\WINDOWS\System32\ or PDAs from classrooms or computer labs.<br>
    O4 - HKLM\..\Run: [ <li><a href="/Fac-Roam/index.html">Faculty and Staff <] c:\WINDOWS\System32\ <li><a href="/Fac-Roam/index.html">Faculty and Staff </a>
    O4 - HKLM\..\Run: [ <li>All faculty and staff who want to use their desktops, lapto] c:\WINDOWS\System32\ <li>All faculty and staff who want to use their desktops, laptops,
    O4 - HKLM\..\Run: [ or PDAs from their offices, classrooms, computer labs, or confere] c:\WINDOWS\System32\ or PDAs from their offices, classrooms, computer labs, or conference
    O4 - HKLM\..\Run: [ rooms. ] c:\WINDOWS\System32\ rooms. <br>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </ul>
    O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
    O4 - HKLM\..\Run: [ <table border="0" cellspacing="0" cellpadding="5" align="center" width="6] c:\WINDOWS\System32\ <table border="0" cellspacing="0" cellpadding="5" align="center" width="680">
    O4 - HKLM\..\Run: [ ] c:\WINDOWS\System32\
    O4 - HKLM\..\Run: [ <td>This page is maintained by Networking and Telecommunications Servic] c:\WINDOWS\System32\ <td>This page is maintained by Networking and Telecommunications Services.
    O4 - HKLM\..\Run: [ Questions and comments should be sent to: [email protected] © 1999-2] c:\WINDOWS\System32\ Questions and comments should be sent to: [email protected] © 1999-2003
    O4 - HKLM\..\Run: [ University of Maryland<] c:\WINDOWS\System32\ University of Maryland</td>
    O4 - HKLM\..\Run: [ <td><img src="/icons/OITlogo_footer.gif" width="250" height="53"><] c:\WINDOWS\System32\ <td><img src="/icons/OITlogo_footer.gif" width="250" height="53"></td>
    O4 - HKLM\..\Run: [ </ta] c:\WINDOWS\System32\ </table>
     
  3. Gandorr

    Gandorr Thread Starter

    Joined:
    Feb 3, 2004
    Messages:
    2
    I should have pointed out that I have run housecalls, Norton AV 2004, Adaware 6.0, TrojanHunter, and Spybot...none of these are showing anything. I am also aware that the O4 - HKLM entries should not be there, but if I delete them they come back...so I know something is running, I just can't find out what!
     
  4. PC_Wiz

    PC_Wiz

    Joined:
    Nov 19, 2003
    Messages:
    1,245
    Have you looked in task manager to see what is running?
    Also check services to see if you find something unusual?

    Test in safe mode to see if you have the same issue.

    You stated that a System32 folder shows up. Is it pointing to a specific file? What is the path?
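
Added example, not part of any post in this thread: a small triage script for the O4 lines of a HijackThis log like the one above. A Run value whose data is only a folder path makes Explorer open that folder at logon, which matches the System32 window described in the first post. The function names and the two heuristics (markup in the value name, folder path as data) are assumptions made for this example.

```python
import re

# Constructed sample: O4 lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [ <] c:\WINDOWS\System32\ </tr>
O4 - HKLM\..\Run: [ Connected </font><] c:\WINDOWS\System32\ Connected </font></td>
O4 - HKLM\..\Run: [ rooms. ] c:\WINDOWS\System32\ rooms. <br>
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - Global Startup: Microsoft Office.lnk.disabled
"""

# HijackThis O4 registry line: O4 - <hive>\..\<key>: [<value name>] <value data>
# Non-greedy name match; a value name that itself contains "]" needs extra care.
O4_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\](?: (.*))?$")
MARKUP = re.compile(r"[<>]")


def launch_target(command):
    """Return the first token of the value data, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(None, 1)[0] if command else ""


def triage(log_text):
    """Return (value name, target, reasons) for each malformed Run entry."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue  # startup-folder shortcuts and non-O4 lines are skipped
        name, command = m.group(3), m.group(4) or ""
        reasons = []
        if not name.strip():
            reasons.append("blank value name")
        elif MARKUP.search(name):
            reasons.append("value name contains HTML markup")
        target = launch_target(command)
        if not target or target.endswith("\\"):
            reasons.append("data is a folder, not a program")
        if reasons:
            findings.append((name, target, reasons))
    return findings


if __name__ == "__main__":
    for name, target, reasons in triage(SAMPLE_LOG):
        print(f"{name!r:30} -> {target}  ({'; '.join(reasons)})")
```

Entries that reappear after deletion, as reported above, will keep showing up in this output until whatever rewrites the key is found, so rerunning the check after each cleanup step shows whether that step worked.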
     