[SOLVED!] Friend's PC - HJT Log

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Jonesiegirl

Thread Starter
Hiya Gang... :)
I've been helping a friend with his laptop... :eek: Anyway, after running Norton and Spybot, it seems there's lots of baddies on here. Any help is appreciated. :) And here we gooooo...

Logfile of HijackThis v1.97.2
Scan saved at 8:05:00 PM, on 10/4/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\SYSTEM32\Drivers\DadTray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mo-net.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qatar.net.qa/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Mo-Net, Inc
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_1_3_0.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_1_3_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [explorer] C:\WINDOWS\System32\explorer.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.qatar.net.qa/
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0312.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{8F75CE53-A1B3-4C46-B913-DFFDE8A42282}: NameServer = 12.14.225.10 12.14.225.11
 

Jonesiegirl

Thread Starter
Thanks Mark... will go tend to that right now. :)
 
Joined
Jul 26, 2002
Messages
46,331
Here's another:

Run Hijack This again and put a check by this one. Close all browser windows and "Fix checked"

O4 - HKCU\..\Run: [explorer] C:\WINDOWS\System32\explorer.exe

Restart to Safe Mode: press f8 on startup and select Safe Mode from the boot menu.

In Safe Mode delete:

The C:\WINDOWS\System32\explorer.exe

Be sure not to confuse this explorer.exe in C:\WINDOWS\System32 with the valid explorer.exe which is in C:\WINDOWS
 
Joined
Oct 9, 2001
Messages
9,396
MSBlast is not running..... it may have been taken out already; the O4 entry is the updater.
If the fix comes back saying it can't find the worm, it's OK.... just "fix" the entry with H/T.
Always a good policy to run the fixblast though.

;)
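
The two posts above each spot a classic tell by eye: a Run value that launches a bare `msblast.exe` with no path, and an `explorer.exe` that lives in System32 instead of C:\WINDOWS. As an added example (PowerShell written for this page, not code from the thread or from HijackThis), the same two checks can be run mechanically over O4 lines. The sample lines are constructed from the log above, and the `$expected` table is an assumption about where the genuine binaries sit on a default Windows XP install.

```powershell
# Added example, not from the thread or from HijackThis: flag O4 "Run" entries that
# show the two tricks seen in the log above. Sample lines are constructed from that
# log; the $expected table is an assumption about a default Windows XP layout.

$sample = @'
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [explorer] C:\WINDOWS\System32\explorer.exe
'@

# Directory the genuine copy of each well-known binary lives in (assumed XP defaults).
$expected = @{
    'explorer.exe' = 'C:\WINDOWS'
    'svchost.exe'  = 'C:\WINDOWS\System32'
    'lsass.exe'    = 'C:\WINDOWS\System32'
    'winlogon.exe' = 'C:\WINDOWS\System32'
    'services.exe' = 'C:\WINDOWS\System32'
}

function Get-SuspiciousRunEntries {
    param([string]$LogText)

    foreach ($line in ($LogText -split "`r?`n")) {
        # Shape of an O4 line: O4 - <hive>\..\Run: [<value name>] <command line>
        if ($line -notmatch '^O4 - (?<hive>HK\w+)\\\.\.\\Run: \[(?<name>[^\]]+)\] (?<cmd>.*)$') { continue }
        $hive = $Matches.hive; $name = $Matches.name; $cmd = $Matches.cmd

        # The program is the first token, which may be quoted when the path has spaces.
        if ($cmd -match '^"(?<exe>[^"]+)"') { $exe = $Matches.exe } else { $exe = ($cmd -split '\s+')[0] }

        $slash = $exe.LastIndexOf('\')
        $file  = $exe.Substring($slash + 1).ToLower()
        $dir   = if ($slash -ge 0) { $exe.Substring(0, $slash) } else { '' }

        $reasons = @()
        # A bare file name is resolved through the search path at logon, so the
        # worm's copy wins as long as it sits in a directory on that path.
        if ($slash -lt 0) { $reasons += 'no path given' }
        # Name of a core Windows binary, but launched from somewhere other than its home.
        if ($expected.ContainsKey($file) -and $dir -ne $expected[$file]) {
            $reasons += "system binary name outside $($expected[$file])"
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Hive = $hive; Name = $name; Command = $cmd; Why = ($reasons -join '; ') }
        }
    }
}

Get-SuspiciousRunEntries -LogText $sample | Format-Table -AutoSize
```

On the sample above only the `msblast.exe` and `System32\explorer.exe` entries come back; the Norton and Messenger lines are left alone. Before deleting a flagged file, compare it with the genuine copy in the directory the table names, as the post above says: the real explorer.exe is the one in C:\WINDOWS, not the one in System32.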
 

Jonesiegirl

Thread Starter
$teve... I believe Norton quarantined it awhile ago when I scanned his system. And you're right, I got the notice saying it couldn't be found... (y)

Now on my way to install the patch. :)

Will post back in a few... thanks guys. :)
 

Jonesiegirl

Thread Starter
Hey guys... after downloading the patch and trying to install, I'm getting the error message 'Setup could not verify the integrity of the file Update.inf.' (Make sure the Cryptographic service is running on this computer) :confused:
 
Joined
Oct 9, 2001
Messages
9,396
Jonesie............
01. Control Panel / Administrative Tools / Services.

02. Right-click Cryptographic Services and press Properties.

03. Set Startup type to Automatic.

04. Press the Apply button.

05. Press the Start button.

06. Press OK.

re-boot with pinkies crossed.

;)
 

Jonesiegirl

Thread Starter
$teve... it was already set at 'automatic'... :(

The link I chose the patch from is for Windows XP 32 Bit Edition. Wrong one possibly?
 
Joined
Oct 9, 2001
Messages
9,396
That should be the correct patch.

Try this.

Go to My Computer...... go to your C: drive, find the Windows folder..... find the System32 folder, and within it, rename the CatRoot2 folder to any other name. To rename the folder, right-click on it, choose Rename, and type a new name like "oldcatroot".

This is really not my forte, but if this doesn't work then I would PM Acacandy.

;)
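
The Services steps and the catroot2 rename above are the standard two fixes for "Setup could not verify the integrity of the file Update.inf": the installer validates the update's signed catalog through Cryptographic Services, so that service must be running, and if the catalog database under catroot2 is corrupt it has to be rebuilt. As an added example (PowerShell written for this page, not code from the thread or from Microsoft), here is the command-line form of both, with the one step the GUI walkthrough leaves out: stop the service before renaming the folder, since Windows holds files in catroot2 open while CryptSvc runs. The patch path is a placeholder, and the script assumes an elevated prompt.

```powershell
# Added example, not from the thread: command-line form of the Cryptographic
# Services fix and the catroot2 rebuild, plus a signature check on the downloaded
# patch before it is run. $patch is a placeholder path (assumption); run elevated.

$patch = 'C:\Downloads\patch.exe'   # hypothetical location of the downloaded update

# 1. Cryptographic Services must start automatically and be running.
Set-Service -Name CryptSvc -StartupType Automatic
Start-Service -Name CryptSvc
Get-Service -Name CryptSvc | Format-Table Name, Status, StartType -AutoSize

# 2. If setup still cannot verify the file, the catalog database in catroot2 may be
#    corrupt. Rename it with the service STOPPED; Windows rebuilds it on next start.
Stop-Service -Name CryptSvc -Force
$catroot2 = Join-Path $env:SystemRoot 'System32\catroot2'
if (Test-Path $catroot2) {
    $backup = 'catroot2.old.' + (Get-Date -Format 'yyyyMMddHHmm')
    Rename-Item -Path $catroot2 -NewName $backup
    "Renamed catroot2 to $backup"
}
Start-Service -Name CryptSvc

# 3. Check the patch's own Authenticode signature before running it. An installer
#    that fails here should not be run at all, whatever the catalog state.
$sig = Get-AuthenticodeSignature -FilePath $patch
if ($sig.Status -ne 'Valid') {
    throw "Refusing to run $patch : signature status is $($sig.Status)"
}
"Signer: $($sig.SignerCertificate.Subject)"
Start-Process -FilePath $patch -Wait
```

The rename in step 2 is what the post above asks for; doing it while CryptSvc is still running, as the thread did, is the usual reason the rename appears not to help.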
 

Jonesiegirl

Thread Starter
Ok $teve... I renamed that bad boy. :)

Rebooting his system right now... lets just hope for the best. :eek: :p
 

Jonesiegirl

Thread Starter
Just fired off a PM to Candy... still can't get the patch to take... hope she can help! ;)
 

~Candy~

Retired Administrator
Joined
Jan 27, 2001
Messages
103,706
Just a wild guess here, but did you turn off system restore when you were dealing with the virus?

Not too hot on XP here guys, so I may not be the best choice of the person to PM :)

Also, a quick thought: since you downloaded the patch, can you try installing it in Safe Mode?
 