system32 folder appearing

Thread starter: sandy

sandy

Hi all. I seem to have the system32 folder appearing every
now and again. Can someone tell me why? Is it viral
related? After I reboot, it usually happens. I close it
and it may or may not appear again. Please help. Thanks
Sandy
 
This can also be caused by a failed Malware Installer (We think LOP) that
leaves incorrect entries in the autostart registry section, one of them
being one that can open system32.

Create a directory on your hard drive to save HijackThis.exe. A directory
like c:\hijackthis. If you do not do this, you will not be able to use the
backup/restore features.

Download HijackThis from:

http://www.spywareinfo.com/~merijn/files/hijackthis.zip

or here:

http://www.bleepingcomputer.com/files/spyware/hijackthis.zip

Save this file into the directory you made previously and then run the
program named hijackthis.exe. When the program opens click on the Config
button, then click on the Misc Tools button, and click on the Check for
update online button. When it completes checking/applying updates press the
back button.

Now click on the Scan button and when it is finished click on the Save Log
button. A Notepad window will open with the contents of this log. Click on
Edit then click on Select all. Then click on Edit and then Click on Copy.

Create a reply to this post here or register an account and post a message
in the HijackThis Logs forums at http://www.bleepingcomputer.com and right
click in message area and select paste to paste the log into the post.

Someone will reply to you after reading this post. DO NOT fix any entries
unless you understand what you are doing.

To see a tutorial with screenshots on using HijackThis you can click on the
link below:

http://www.bleepingcomputer.com/forums/index.php?showtutorial=42
 
Hi this is what I was told to do. Can someone decipher it
for me? The original message is at the bottom. Thanks

Logfile of HijackThis v1.97.7
Scan saved at 12:54:56 PM, on 31/08/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\windows\system32\cddrv32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B}_ - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: Clear Search - {00000000-0000-0000-0000-000000000240} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2CFB10AE-1E2B-668C-0037-E854A6DEAC7D} - C:\WINDOWS\system32\rygefoib.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CD209A08-98B5-4669-AF9F-447AC5253356} - C:\WINDOWS\System32\CSapp.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security Professional\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
O4 - HKLM\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
O4 - HKLM\..\Run: [</H] c:\WINDOWS\System32\</HTML>
O4 - HKLM\..\Run: [<B] c:\WINDOWS\System32\<BODY>
O4 - HKLM\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
O4 - HKLM\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net/">GANDI</A> then parked.
O4 - HKLM\..\Run: [</B] c:\WINDOWS\System32\</BODY>
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Cddrv32] c:\windows\system32\cddrv32.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [<H] c:\WINDOWS\System32\<HEAD>
O4 - HKCU\..\Run: [ <TITLE>Error</TI] c:\WINDOWS\System32\ <TITLE>Error</TITLE>
O4 - HKCU\..\Run: [</H] c:\WINDOWS\System32\</HTML>
O4 - HKCU\..\Run: [<B] c:\WINDOWS\System32\<BODY>
O4 - HKCU\..\Run: [The site you have requested doesn't ex] c:\WINDOWS\System32\The site you have requested doesn't exist.
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [The associated domain name has probably been reserved by a client ] c:\WINDOWS\System32\The associated domain name has probably been reserved by a client from
O4 - HKCU\..\Run: [<A HREF="http://www.gandi.net/">GANDI</A> then par] c:\WINDOWS\System32\<A HREF="http://www.gandi.net/">GANDI</A> then parked.
O4 - HKCU\..\Run: [</B] c:\WINDOWS\System32\</BODY>
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Digimax Viewer 2.0.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CDEC3FF1-120B-44E8-96D0-A9A0D7FC9611}: NameServer = 216.126.103.27,198.235.200.134

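As an added illustration (not part of the thread, and not HijackThis code): a small Python parser for the O4 autostart lines in a log like the one above. It flags Run values that carry HTML fragments, that point at a bare folder such as c:\WINDOWS\System32\ (the shell opens such a path in Explorer at logon, which matches the symptom described), or that name no runnable program. The sample lines are constructed copies of entries from the log; the heuristics and the extension list are assumptions.

```python
import re
from pathlib import PureWindowsPath
# Constructed sample in HijackThis log format, modelled on the O4 entries quoted in the
# thread above (assembled here for the example; it is not the poster's log).
SAMPLE_LOG = (
    "O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup\n"
    "O4 - HKLM\\..\\Run: [<H] c:\\WINDOWS\\System32\\<HEAD>\n"
    "O4 - HKLM\\..\\Run: [] c:\\WINDOWS\\System32\\\n"
    "O4 - HKLM\\..\\Run: [ccApp] \"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\"\n"
    "O4 - HKCU\\..\\Run: [The site you have requested doesn't ex] "
    "c:\\WINDOWS\\System32\\The site you have requested doesn't exist.\n"
)
# An O4 line reads: O4 - <hive>\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<value>.*)$")
RUNNABLE = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}  # assumed list of program extensions

def target_of(value):
    """Program a Run value launches: the quoted part if quoted, else the shortest leading
    run of tokens ending in a runnable extension (unquoted paths may contain spaces)."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    tokens = value.split(" ")
    for i in range(1, len(tokens) + 1):
        head = " ".join(tokens[:i])
        if PureWindowsPath(head).suffix.lower() in RUNNABLE:
            return head
    return value  # nothing runnable: the whole value is what the shell would try to open

def classify_run_entry(name, value):
    """Reasons a Run entry looks like debris rather than a program (empty list = looks sane)."""
    reasons = []
    if any(c in name or c in value for c in "<>"):
        reasons.append("html-fragment")  # '<' and '>' are illegal in Windows file names
    target = target_of(value)
    if target.endswith("\\"):
        reasons.append("opens-folder")  # a bare directory: Explorer opens it at every logon
    elif PureWindowsPath(target).suffix.lower() not in RUNNABLE:
        reasons.append("not-a-program")  # prose or markup written where a command belongs
    return reasons

def scan_log(text):
    """Map each suspicious O4 Run line to its reasons; other lines are ignored."""
    findings = {}
    for line in text.splitlines():
        m = O4_RE.match(line)
        reasons = classify_run_entry(m["name"], m["value"]) if m else []
        if reasons:
            findings[line] = reasons
    return findings
```

Entries that pass these checks still need a human look; the point is only to single out the debris entries the helper describes so they can be reviewed first.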
 
Just wondering what the status is on this. I have a client
waiting for their computer. Thanks