1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

HELP! I'm desperate! and Hijack this

Discussion in 'Virus & Other Malware Removal' started by melonhead, Apr 1, 2004.

Thread Status:
Not open for further replies.
  1. melonhead (Thread Starter; joined May 6, 2002; 882 messages; OS 98)
    I have a computer who has a computer that was and still is a mess. The computer was infected by the Istbar Trojan. Supposedly now it is only in the System Restore, but I can't get it off because any time I try to run AVG or Ad-Aware the computer crashes. This also happens when I try to start AOL 8.0 for broadband. So I brought her computer home and hooked it up to my cable so that I could download some additional programs and consult with TSGF, since I am stumped. I have run Spybot and cleaned everything off. I ran the registry scan from Norton and got a bunch of stuff off. She was having an error message with QuickTime, so I uninstalled it and then still found more QuickTime files in Startup and in the registry, which I had to delete one by one. Since then things are better, but still bad. I did run HijackThis and got some bad programs off, but I want to consult here before deleting further. Please note that I have a number of startup items checked to not load; otherwise I cannot get into normal Windows, only Safe Mode.

    When the computer crashes as I try to run AVG or any other program, if I try to get directly into normal Windows I get a number of Kernel32.dll errors and then it stalls. I can then open in Safe Mode and reboot without the Kernel32.dll errors. The error messages include a number of startup things like task AVGcc.exe or NortonP.exe, all programs that usually load up (even though I had many of them checked not to start via selective startup).

    Anyway, here is the HijackThis log. Could someone please look and advise? Also any other suggestions (a scan on the net, etc.) will be appreciated!!!


    Thanks in advance!

    Logfile of HijackThis v1.97.7
    Scan saved at 4:44:22 PM, on 4/1/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38044.3046990741
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
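    Added example (not part of the thread, and not HijackThis code): a small parser for the O4, O16 and O17 sections of a HijackThis 1.9x log like the one above, followed by a review pass that flags the things a helper scans for by eye: an autostart that is only a bare filename (resolved via PATH), an autostart outside the Windows or Program Files tree, the same command registered under both Run and RunServices, an ActiveX CAB from a host not on a list, and the O17 domain setting, which is printed for confirmation rather than judged. The sample lines are copied from the log above; the allowlist of CAB hosts and the "expected directories" are assumptions for the example.

```python
"""Parse a HijackThis 1.9x log and flag O4/O16/O17 lines worth a second look.

Added example, not code from the thread or from HijackThis itself.
"""
import re
from urllib.parse import urlsplit

# Lines copied from the HijackThis log posted in this thread (trimmed).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Scan saved at 4:44:22 PM, on 4/1/2004
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<desc>[^)]*)\))? - (?P<url>\S+)$")
O17_RE = re.compile(r"^O17 - (?P<key>[^:]+): (?P<setting>\w+) = (?P<value>.*)$")

# Assumption: hosts the O16 CAB files in this log are expected to come from.
TRUSTED_CAB_HOSTS = {"download.macromedia.com", "download.microsoft.com",
                     "v4.windowsupdate.microsoft.com"}
# Assumption: where an autostart binary is expected to live on this Win9x box.
EXPECTED_DIRS = ("c:\\windows", "c:\\program files", "c:\\progra~1")


def parse_hjt(text):
    """Return {'processes': [...], 'O4': [...], 'O16': [...], 'O17': [...]}."""
    out = {"processes": [], "O4": [], "O16": [], "O17": []}
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            out["processes"].append(line)
            continue
        for tag, rx in (("O4", O4_RE), ("O16", O16_RE), ("O17", O17_RE)):
            m = rx.match(line)
            if m:
                out[tag].append(m.groupdict())
                break
    return out


def exe_of(cmd):
    """Executable part of an O4 command: quoted path, or cut at the first .exe-style extension."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(?i)(.+?\.(?:exe|dll|com|scr|pif|bat))", cmd)
    return m.group(1) if m else cmd.split()[0]


def review(parsed):
    """Return (entry, reason) pairs for a human reviewer; nothing here is a verdict."""
    findings = []
    seen = {}                          # (name, cmd) -> first Run key it was seen under
    for e in parsed["O4"]:
        exe = exe_of(e["cmd"])
        low = exe.lower()
        if "\\" not in low:
            findings.append((e["name"], "bare filename, resolved via PATH: %s" % exe))
        elif not low.startswith(EXPECTED_DIRS):
            findings.append((e["name"], "autostart outside expected dirs: %s" % exe))
        k = (e["name"].lower(), e["cmd"].lower())
        if k in seen and seen[k] != e["key"]:
            findings.append((e["name"], "same command in both %s and %s" % (seen[k], e["key"])))
        seen.setdefault(k, e["key"])
    for e in parsed["O16"]:
        host = urlsplit(e["url"]).hostname or ""
        if host not in TRUSTED_CAB_HOSTS:
            findings.append((e["clsid"], "ActiveX CAB from unlisted host: %s" % host))
    for e in parsed["O17"]:
        findings.append((e["setting"], "TCP/IP %s = %s (confirm it matches the ISP)"
                         % (e["setting"], e["value"])))
    return findings


if __name__ == "__main__":
    for entry, reason in review(parse_hjt(SAMPLE_LOG)):
        print("%-12s %s" % (entry, reason))
```

    Run against the log above it reports SysTray.Exe as a PATH-resolved name, NPROTECT as registered under both Run and RunServices, and the aoldsl.net domain for confirmation; the two CAB hosts are on the list and stay quiet. Keep in mind what the log does not contain: items disabled through MSConfig are not under the Run keys, so they never reach the O4 section, which is why the thread asks for a log with everything enabled.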
     
  2. melonhead (Thread Starter)
    Oops the first line should say I have a client who has a computer!! Sorry for the confusion.
     
  3. melonhead (Thread Starter)
    Oh, one more thing. I just tried to run HouseCall. It gets about 95% of the engine downloaded and then freezes.
     
  4. melonhead (Thread Starter)
    I've solved a lot more since the post, i.e. I can always get into normal Windows now. However, I still cannot run AVG or Ad-Aware or Panda etc. And I guess I'm going goo-goo eyed. I am running Windows ME. I've only seen it the 50 times I rebooted today! :) Please help if you have any suggestions. I just can't figure out why it starts a scan and then shuts off.

    Thanks
     
  5. $teve (joined Oct 9, 2001; 9,396 messages)
    Hi:)
    There's nothing showing up in your log, but if you're using MSConfig that could be why... you're going to have to enable all and somehow post a log of the full running processes so we can see everything that's happening.

    Also... do I see both AVG and NAV running? Not a good idea.

    I would disable both for now till you're able to give us a full HijackThis log.
    ;)
     
  6. melonhead (Thread Starter)
    Oops, posted this on the wrong thread. Sorry if there is a duplication. Thanks, Steve, for replying. I've been on this stupid computer for more hours than I want to admit!
    I don't have NAV and AVG running. It was CleanSweep and Utilities. However, I uninstalled and it was still on. Tried to remove again and was unable because some files were missing. I did disable it in Startup so that I could at least get into normal Windows.

    Here's the scan.
    Logfile of HijackThis v1.97.7
    Scan saved at 4:44:22 PM, on 4/1/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
    O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38044.3046990741
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
     
  7. $teve
    It's a clean log :up
     
  8. melonhead (Thread Starter)
    Thanks. I thought I cleaned it out. But do you have any other suggestions? It just shuts down any time I try Ad-Aware, Panda, etc. There has got to be something that is hanging it up and then stopping. I'm kind of at a loss for what to do. Thanks!
     
  9. $teve
    What shuts down... the program or the comp?
     
  10. melonhead (Thread Starter)
    The computer, and then I have to go into Safe Mode and reboot, otherwise I can't get into normal Windows.
     
Short URL to this thread: https://techguy.org/216678
