OS 98
I have a computer who has a computer that was and still is a mess. The computer was infected by the Istbar Trojan. Supposedly now it is only in the system restore but I can't get it off because anytime I try to run AVG or Adaware the computer crashes. This also happens when I try to start AOL 8.0 for broadband. So, I brought her computer home and hooked it up to my cable so that I could download some additional programs and to consult with TSGF since I am stumped. I have run Spybot and cleaned everything off. I ran the registry scan from Norton and got a bunch of stuff off. She was having an error message with Quicktime, so I uninstalled and then still found more quicktime files in start up and in the registry which I had to delete one by one. Since that things are better, but still bad. I did run hijack this and got some bad programs off, but want to consult here berfore further deleting. Please note that I have a number of startup items checked to not load otherwise I cannot get into normal Windows, only save mode.
When the computer crashes when I try to run Avg or any other program, if I try to get directly into normal windows, I get a number of Kernel32.dll errors andthen it stalls. I then can open in Safe mode, and reboot without the kernel32.dll errors. The error messages include a number of start up things like task AVGcc.exe or NortonP.exe. All programs that usually load up. (Even though I had many of them checked up not to start via selective startup.)
Anyway here is the Hijack this. Could someone please look and advise. Also any other suggestions - a scan on the net, etc. will be appreciated!!!
Thanks in advance!
Logfile of HijackThis v1.97.7
Scan saved at 4:44:22 PM, on 4/1/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38044.3046990741
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
I have a computer who has a computer that was and still is a mess. The computer was infected by the Istbar Trojan. Supposedly now it is only in the system restore but I can't get it off because anytime I try to run AVG or Adaware the computer crashes. This also happens when I try to start AOL 8.0 for broadband. So, I brought her computer home and hooked it up to my cable so that I could download some additional programs and to consult with TSGF since I am stumped. I have run Spybot and cleaned everything off. I ran the registry scan from Norton and got a bunch of stuff off. She was having an error message with Quicktime, so I uninstalled and then still found more quicktime files in start up and in the registry which I had to delete one by one. Since that things are better, but still bad. I did run hijack this and got some bad programs off, but want to consult here berfore further deleting. Please note that I have a number of startup items checked to not load otherwise I cannot get into normal Windows, only save mode.
When the computer crashes when I try to run Avg or any other program, if I try to get directly into normal windows, I get a number of Kernel32.dll errors andthen it stalls. I then can open in Safe mode, and reboot without the kernel32.dll errors. The error messages include a number of start up things like task AVGcc.exe or NortonP.exe. All programs that usually load up. (Even though I had many of them checked up not to start via selective startup.)
Anyway here is the Hijack this. Could someone please look and advise. Also any other suggestions - a scan on the net, etc. will be appreciated!!!
Thanks in advance!
Logfile of HijackThis v1.97.7
Scan saved at 4:44:22 PM, on 4/1/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38044.3046990741
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = aoldsl.net
Please help if you have any suggestions. I just can't figure out why it starts a scan and then shuts off.
