
[SOLVED!] Friends PC- HJT Log

Discussion in 'Virus & Other Malware Removal' started by Jonesiegirl, Oct 4, 2003.

  1. Jonesiegirl

    Jonesiegirl Guest Thread Starter

    Hiya Gang... :)
    I've been helping a friend with his laptop... :eek: Anyway, after running Norton and Spybot, it seems there's lots of baddies on here. Any help is appreciated. :) And here we gooooo...

    Logfile of HijackThis v1.97.2
    Scan saved at 8:05:00 PM, on 10/4/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\WINDOWS\SYSTEM32\Drivers\DadTray.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\PROGRA~1\WINZIP\wzqkpick.exe
    C:\unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mo-net.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.qatar.net.qa/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Mo-Net, Inc
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_1_3_0.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_1_3_0.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
    O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [windows auto update] msblast.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
    O4 - HKCU\..\Run: [explorer] C:\WINDOWS\System32\explorer.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://www.qatar.net.qa/
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/essentials/ymmapi_0312.dll
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8F75CE53-A1B3-4C46-B913-DFFDE8A42282}: NameServer = 12.14.225.10 12.14.225.11
     
  2. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
  3. Jonesiegirl

    Jonesiegirl Guest Thread Starter

    Thanks Mark... will go tend to that right now. :)
     
  4. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Here's another:

    Run Hijack This again and put a check by this one. Close all browser windows and "Fix checked"

    O4 - HKCU\..\Run: [explorer] C:\WINDOWS\System32\explorer.exe

    Restart to Safe Mode: press f8 on startup and select Safe Mode from the boot menu.

    In Safe Mode delete:

    The C:\WINDOWS\System32\explorer.exe

    Be sure not to confuse this explorer.exe in C:\WINDOWS\System32 with the valid explorer.exe which is in C:\WINDOWS
     
  5. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    MSBlast is not running.....may have been taken out already, the O4 entry is the updater.
    If the fix comes back saying it can't find the worm it's ok....just "fix" the entry with H/T.
    Always a good policy to run the fixblast though.

    ;)
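Added example, not code from the thread or from HijackThis: a small Python triage of HijackThis O4 lines that applies the two checks the replies above make by hand, a bare image name with no directory (the msblast.exe entry, resolved by a PATH search at logon) and a well-known Windows binary living outside its real folder (the explorer.exe in System32, where the genuine one is in C:\WINDOWS). The sample lines are constructed to mirror the log in the first post; the expected-directory table and the bad-name list are assumptions seeded only from what the thread says, so a real deployment would extend both.

```python
import re
from typing import Dict, List

# A HijackThis O4 Run-key line: hive, value name in brackets, then the command line.
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$'
)

# Where a genuine copy of each well-known Windows binary lives on this XP layout.
# Assumption taken from the thread: the valid explorer.exe is in C:\WINDOWS, not System32.
EXPECTED_DIR = {
    "explorer.exe": r"C:\WINDOWS",
}

# Image names the thread identifies as a malware autostart (assumed list, seeded from the post).
KNOWN_BAD = {
    "msblast.exe": "MSBlast worm autostart",
}

# Constructed sample log lines, modelled on the first post's O4 section.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [windows auto update] msblast.exe
O4 - HKCU\..\Run: [explorer] C:\WINDOWS\System32\explorer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""


def image_path(cmd: str) -> str:
    """Return the executable part of a Run-value command line (quoted or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_o4(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious O4 value name to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not a Run-key entry (Global Startup .lnk lines use another format)
        path = image_path(m.group("cmd"))
        directory, _, base = path.rpartition("\\")
        base_l = base.lower()
        reasons: List[str] = []
        if not directory:
            # No fixed location: whatever is found first on PATH runs at logon.
            reasons.append(f"bare filename '{base}': resolved by PATH search at logon")
        if base_l in KNOWN_BAD:
            reasons.append(KNOWN_BAD[base_l])
        expected = EXPECTED_DIR.get(base_l)
        if expected and directory.lower() != expected.lower():
            # Same name as a system binary, but not where the real one lives.
            reasons.append(f"'{base}' expected in {expected}, found in {directory}")
        if reasons:
            findings[m.group("name")] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage_o4(SAMPLE_LOG).items():
        print(f"[{name}]")
        for r in reasons:
            print("   -", r)
```

Run as-is it reports the "windows auto update" entry twice over (bare name and known-bad name) and the "explorer" entry once for its wrong directory, while the Norton and Messenger entries pass; a bare-name hit alone is only a prompt to look, since legitimate vendors sometimes register a bare RUNDLL32.EXE or a PATH-resolved utility the same way.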
     
  6. Jonesiegirl

    Jonesiegirl Guest Thread Starter

    $teve... I believe Norton quarantined it a while ago when I scanned his system. And you're right, I got the notice saying it couldn't be found... (y)

    Now on my way to install the patch. :)

    Will post back in a few... thanks guys. :)
     
  7. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    You're welcome.. cred goes to Flrman1.

    ;)
     
  8. Jonesiegirl

    Jonesiegirl Guest Thread Starter

    Hey guys... after downloading the patch and trying to install, I'm getting the error message 'Setup could not verify the integrity of the file Update.inf.' (Make sure the Cryptographic service is running on this computer) :confused:
     
  9. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    Jonesie............
    01. Control Panel / Administrative Tools / Services.

    02. Right-click Cryptographic Services and press Properties.

    03. Set Startup type to Automatic.

    04. Press the Apply button.

    05. Press the Start button.

    06. Press OK.

    re-boot with pinkies crossed.

    ;)
     
  10. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    In fact, it should work without a re-boot.
     
  11. Jonesiegirl

    Jonesiegirl Guest Thread Starter

    $teve... it was already set at 'automatic'... :(

    The link I chose the patch from is for Windows XP 32 Bit Edition. Wrong one possibly?
     
  12. $teve

    $teve

    Joined:
    Oct 9, 2001
    Messages:
    9,396
    That should be the correct patch.

    Try this.

    Go to My Computer......go to your C: drive, find the Windows folder..... find the System32 folder, and within it, rename the CatRoot2 folder to any other name. To rename the folder - right-click on it, choose rename, and type a new name like "oldcatroot"

    This is really not my forte but if this doesn't work then I would PM Acacandy.

    ;)
     
  13. Jonesiegirl

    Jonesiegirl Guest Thread Starter

    Ok $teve... I renamed that bad boy. :)

    Rebooting his system right now... let's just hope for the best. :eek: :p
     
  14. Jonesiegirl

    Jonesiegirl Guest Thread Starter

    Just fired off a PM to Candy... still can't get the patch to take... hope she can help! ;)
     
  15. ~Candy~

    ~Candy~ Retired Administrator

    Joined:
    Jan 27, 2001
    Messages:
    103,706
    Just a wild guess here, but did you turn off system restore when you were dealing with the virus?

    Not too hot on XP here guys, so I may not be the best choice of the person to PM :)

    Also, a quick thought, since you downloaded the patch, can you try installing it in safe mode?????
     
Short URL to this thread: https://techguy.org/169494