TechSpot

CatRoot... needed?

By OSidiot
May 12, 2004
Topic Status:
Not open for further replies.
  1. Is the folder "CatRoot" in my system32 needed? I have run HijackThis and it looks pretty crazy... and I am a bit hesitant to delete anything, but I don't know... At least if I mess up big time it'll give me more incentive to reformat my C drive... What should I do?
     
  2. Goalie

    Goalie TS Rookie Posts: 703

  3. OSidiot

    OSidiot TS Rookie Topic Starter Posts: 19

    Well I am running W2K, and it only holds two files, SYSMAST.cbd and SYSMAST.cbk. I'll look them up on Google. Otherwise it just held two folders that I was told were trojans or something. Thanks for the info, Goalie.
     
  4. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    Catroot, or more specifically the folder with the {F7503E etc} or similar name, holds the system updates since you first installed W2K. Don't delete it. If there were trojans etc., programs like Ad-Aware, Spybot and HijackThis would have found them.
     
  5. OSidiot

    OSidiot TS Rookie Topic Starter Posts: 19

    Oops... I deleted those folders... am I screwed? But... how are explored.exe, explore.exe and ntsyskrnl.exe getting on my computer then? I modify the registry and it just comes back... I'm getting fed up with this. Reformat, here I come...

    Edited by sngx1275: Watch your language.
     
  6. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    You CAN live without that info. Just the next time you do a Windoze update, it will probably give you an enormous list of available updates.
    Looks like you found yourself a proper username...
    Sorry, don't want to get personal here.

    If you have virus/trojan problems, next time publish the complete HijackThis logfile here; we will be able to help you much better.

    Get yourself a program like Drive Image, and make a full image when your PC is freshly installed and updated. When you then mess up, all you need to do is restore that image (in 5-10 minutes) and you are back in business.
     
  7. OSidiot

    OSidiot TS Rookie Topic Starter Posts: 19

    OK, I'll post my HijackThis log then:

    Logfile of HijackThis v1.97.7
    Scan saved at 2:25:37 PM, on 04/05/14
    Platform: Windows 2000 SP4
    MSIE: Internet Explorer v6.00 SP1

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Messenger Plus! 2\MsgPlus.exe
    C:\WINNT\StartupMonitor.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINNT\system32\taskmgr.exe
    C:\Documents and Settings\chris\Desktop\Tcpview.exe
    E:\aim\aim.exe
    F:\anime\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
    O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINNT\System32\emesx.dll
    O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - c:\PROGRA~1\CLIENT~1\run\NEWADS~1.DLL (file missing)
    O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)
    O2 - BHO: (no name) - {27557cf1-a237-496d-8c8f-08f3844c6a8b} - C:\Program Files\whistlesoftware\WselServices\WhistleHelper.dll
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - (no file)
    O2 - BHO: (no name) - {316E1F39-A6C4-68A5-CFB7-156625067894} - C:\PROGRA~1\ONLINE~1\Part boob.dll
    O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - c:\program files\clientman\run\bundleaef94639.dll (file missing)
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {63CF97E8-4133-438a-A831-CC9C6D47D673} - (no file)
    O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - c:\program files\clientman\run\urlcli67806664.dll (file missing)
    O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINNT\BrowserHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
    O2 - BHO: (no name) - {E0F0E0E1-5D45-11D4-BC00-2DCC73302D70} - C:\WINNT\system32\cpr.dll (file missing)
    O3 - Toolbar: README JUGS AXIS - {343B5DDD-327E-97CA-677F-0D906ECE322A} - C:\PROGRA~1\ONLINE~1\Part boob.dll
    O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
    O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
    O4 - Global Startup: Anti-Virus&Trojan.lnk = C:\Program Files\Anti-Virus&Trojan\Anti-Virus&Trojan.exe
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\WebRebates\System\Temp\topr1150_script0.htm
    O9 - Extra button: Whistle (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Yahoo! Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


    That's it, right?

    Oh yeah, thanks for that friendly jibe there, haha.
     
  8. RealBlackStuff

    RealBlackStuff TS Rookie Posts: 8,165

    To start with, you have 2 antivirus programs running at the same time (NAV and AVG). That is a big NO-NO.
    My advice: throw out Norton completely, it is an enormous resource hog, and AVG (even the free version) works just as well, and in some cases even better. Go to the Symantec website to find the complete uninstall instructions for your NAV version. This is a pig of a job, though. Otherwise, uninstall AVG.

    O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - c:\PROGRA~1\CLIENT~1\run\NEWADS~1.DLL (file missing)
    O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)
    O2 - BHO: (no name) - {27557cf1-a237-496d-8c8f-08f3844c6a8b} - C:\Program Files\whistlesoftware\WselServices\WhistleHelper.dll
    O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - (no file)
    O2 - BHO: (no name) - {316E1F39-A6C4-68A5-CFB7-156625067894} - C:\PROGRA~1\ONLINE~1\Part boob.dll
    O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - c:\program files\clientman\run\bundleaef94639.dll (file missing)
    O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
    O2 - BHO: (no name) - {63CF97E8-4133-438a-A831-CC9C6D47D673} - (no file)
    O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - c:\program files\clientman\run\urlcli67806664.dll (file missing)
    O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
    O2 - BHO: (no name) - {E0F0E0E1-5D45-11D4-BC00-2DCC73302D70} - C:\WINNT\system32\cpr.dll (file missing)
    O3 - Toolbar: README JUGS AXIS - {343B5DDD-327E-97CA-677F-0D906ECE322A} - C:\PROGRA~1\ONLINE~1\Part boob.dll
    O8 - Extra context menu item: Web Rebates - file://C:\Program Files\WebRebates\System\Temp\topr1150_script0.htm
    O9 - Extra button: Whistle (HKLM)

    All the above are suspicious; check what HijackThis says about them, and whether it can fix them.
    That should give you something to do for a while.
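The triage RealBlackStuff does by eye above (unnamed BHOs, entries whose DLL is gone, odd toolbars, a context-menu item pointing at a local file, redirected search settings) can be written down as simple rules over the HijackThis line format. The script below is an added example, not part of the thread and not HijackThis code; the rules are my own assumptions about what an analyst flags first, and the sample log is a constructed excerpt in the shape of the log posted above. A flagged line is a reason to look closer, not proof of malware, and it will not reproduce the reviewer's exact list (for instance, it does not flag the unnamed BHOs that still have a present DLL outside the Windows directory).

```python
import re
from dataclasses import dataclass, field

# Constructed sample in HijackThis v1.97 format (an excerpt, not the full log above).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - c:\PROGRA~1\CLIENT~1\run\NEWADS~1.DLL (file missing)
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O3 - Toolbar: README JUGS AXIS - {343B5DDD-327E-97CA-677F-0D906ECE322A} - C:\PROGRA~1\ONLINE~1\Part boob.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\WebRebates\System\Temp\topr1150_script0.htm
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

# Every HijackThis finding is "<section code> - <body>", e.g. "O2 - BHO: ...".
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Entry:
    code: str
    body: str
    reasons: list = field(default_factory=list)


def parse_log(text: str) -> list:
    """Return one Entry per finding line; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("code"), m.group("body")))
    return entries


def triage(entries: list) -> list:
    """Attach a reason to each entry that trips one of the (assumed) heuristics
    and return only the flagged entries."""
    for e in entries:
        b = e.body
        if e.code in ("R0", "R1") and "Search" in b and "http" in b.lower():
            # IE search settings normally point at Microsoft or are blank;
            # a third-party URL here is the classic search hijack.
            e.reasons.append("IE search setting points at a third-party URL")
        elif e.code == "O2":
            if "(no name)" in b:
                e.reasons.append("BHO registered without a display name")
            if "(file missing)" in b or "(no file)" in b:
                e.reasons.append("BHO points at a DLL that no longer exists")
            if re.search(r"\\WINNT\\[^\\]+\.dll$", b, re.IGNORECASE):
                # Legitimate add-ons install under Program Files; a lone DLL
                # dropped straight into the Windows directory is unusual.
                e.reasons.append("BHO DLL sits directly in the Windows directory")
        elif e.code == "O3":
            e.reasons.append("third-party IE toolbar; verify the publisher")
        elif e.code == "O8" and "file://" in b.lower():
            e.reasons.append("context-menu item runs a local HTML file")
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for e in triage(parse_log(SAMPLE_LOG)):
        print(f"{e.code}: {e.body}")
        for r in e.reasons:
            print(f"    - {r}")
```

Feed it a whole log on stdin or from a file and the flagged entries come out with the reason each rule fired, which is the list you would then check against what HijackThis itself says about each item before fixing anything.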
     