CatRoot... needed?

[OSidiot]

Is the folder "CatRoot" inmy system32 needed? I have run hijackthis and it looks pretty crazy.. and i am a bit hesitant to delete anything. but I dont know...at least if i mess up big time itll give me more incentive to remformat my c drive... what should i do?

 

[Goalie]

http://www.microsoft.com/resources/...Windows/XP/all/reskit/en-us/prgg_det_sbnz.asp

Describes what it is (assuming you are running XP). I would assume in other OSes it will assume similar roles. The file really isn't that needed, but should be left there. I forget if there are any special things you need to do before removing it to avoid b0rking your system.

 

[OSidiot]

Well I am running W2k, and it only holds two files SYSMAST.cbd and SYSMAST.cbk. Ill look them up on google. Otherwise it just held two folders that I was told were trojans or something. Thanks for the info Goalie.

 

[RealBlackStuff]

Catroot, or more specific, the folder with the {F7503E etc} or similar name, holds the system-updates since you first installed W2K. Don't delete it. If there were trojans etc., programs like Adaware and Spybot and Hijackthis would have found them.

 

[OSidiot]

oops... i deleted those folders... am I screwed? but... how is explored.exe, explore.exe, ntsyskrnl.exe getting on my computer then? I modify the registry and it just comes back... im getting fed up with this. reformat here i come...

[size=1]Edited by sngx1275: Watch your language. [/size]

 

[RealBlackStuff]

You CAN live without that info. Just next time you do a Windoze update, it will probably give you an enormous list of available updates.
Looks like you found yourself a proper username....
Sorry, don't want to get personal here.

If you have virus/trojan problems, next time publish the Hijackthis complete logfile here, we will be able to help you much better.

Get yourself a program like Drive Image, and make a full Image when your PC is freshly installed and updated. When you then mess up, all you need to do is restore that image (in 5-10 minutes) and you are back in business.

 

[OSidiot]

ok ill post my Hijackthis log then:

Logfile of HijackThis v1.97.7
Scan saved at 2:25:37 PM, on 04/05/14
Platform: Windows 2000 SP4
MSIE: Internet Explorer v6.00 SP1

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Messenger Plus! 2\MsgPlus.exe
C:\WINNT\StartupMonitor.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\system32\taskmgr.exe
C:\Documents and Settings\chris\Desktop\Tcpview.exe
E:\aim\aim.exe
F:\anime\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearchnow.com/searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchnow.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchnow.com/searchbar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: IncrediFindBHO Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
F2 - REG:system.ini: UserInit=C:\WINNT\System32\Userinit.exe
O2 - BHO: (no name) - {000000DA-0786-4633-87C6-1AA7A4429EF1} - C:\WINNT\System32\emesx.dll
O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - c:\PROGRA~1\CLIENT~1\run\NEWADS~1.DLL (file missing)
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)
O2 - BHO: (no name) - {27557cf1-a237-496d-8c8f-08f3844c6a8b} - C:\Program Files\whistlesoftware\WselServices\WhistleHelper.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - (no file)
O2 - BHO: (no name) - {316E1F39-A6C4-68A5-CFB7-156625067894} - C:\PROGRA~1\ONLINE~1\Part boob.dll
O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - c:\program files\clientman\run\bundleaef94639.dll (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {63CF97E8-4133-438a-A831-CC9C6D47D673} - (no file)
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - c:\program files\clientman\run\urlcli67806664.dll (file missing)
O2 - BHO: (no name) - {B549456D-F5D0-4641-BCED-8648A0C13D83} - C:\WINNT\BrowserHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O2 - BHO: (no name) - {E0F0E0E1-5D45-11D4-BC00-2DCC73302D70} - C:\WINNT\system32\cpr.dll (file missing)
O3 - Toolbar: README JUGS AXIS - {343B5DDD-327E-97CA-677F-0D906ECE322A} - C:\PROGRA~1\ONLINE~1\Part boob.dll
O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart
O4 - Global Startup: Anti-Virus&Trojan.lnk = C:\Program Files\Anti-Virus&Trojan\Anti-Virus&Trojan.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\WebRebates\System\Temp\topr1150_script0.htm
O9 - Extra button: Whistle (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


thats it right?

oh ya thanks for that friendly jibe there, haha.

 

[RealBlackStuff]

To start with, you have 2 AntiVirus programs running at the same time (NAV and AVG). That is a big NO-NO.
My advice: throw out Norton completely, it is an enormous resource-hogger, and AVG (even the free version) works just as good, and in some cases even better. Go to the Symantec website to finfd the complete uninstall instructions for your NAV-version. This is a pig of a job, though. Otherwise uninstall AVG.

O2 - BHO: (no name) - {0982868C-47F0-4EFB-A664-C7B0B1015808} - c:\PROGRA~1\CLIENT~1\run\NEWADS~1.DLL (file missing)
O2 - BHO: (no name) - {0BA1C6EB-D062-4E37-9DB5-B07743276324} - (no file)
O2 - BHO: (no name) - {27557cf1-a237-496d-8c8f-08f3844c6a8b} - C:\Program Files\whistlesoftware\WselServices\WhistleHelper.dll
O2 - BHO: (no name) - {2CF0B992-5EEB-4143-99C2-5297EF71F44A} - (no file)
O2 - BHO: (no name) - {316E1F39-A6C4-68A5-CFB7-156625067894} - C:\PROGRA~1\ONLINE~1\Part boob.dll
O2 - BHO: (no name) - {447160CD-ECF5-4EA2-8A8A-1F70CA363F85} - c:\program files\clientman\run\bundleaef94639.dll (file missing)
O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL
O2 - BHO: (no name) - {63CF97E8-4133-438a-A831-CC9C6D47D673} - (no file)
O2 - BHO: (no name) - {94927A13-4AAA-476A-989D-392456427688} - c:\program files\clientman\run\urlcli67806664.dll (file missing)
O2 - BHO: (no name) - {BDF6CE3D-F5C5-4462-9814-3C8EAC330CA8} - C:\WINNT\AdRoar.dll
O2 - BHO: (no name) - {E0F0E0E1-5D45-11D4-BC00-2DCC73302D70} - C:\WINNT\system32\cpr.dll (file missing)
O3 - Toolbar: README JUGS AXIS - {343B5DDD-327E-97CA-677F-0D906ECE322A} - C:\PROGRA~1\ONLINE~1\Part boob.dll
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\WebRebates\System\Temp\topr1150_script0.htm
O9 - Extra button: Whistle (HKLM)

All the above are suspicious, check what Hijackthis says about them, and if it can fix them.
That should give you something to do for a while.