Tech Support Guy banner
  • IMPORTANT: Only authorized members may reply to threads in this forum due to the complexity of the malware removal process. Authorized members include Malware Specialists and Trainees, Administrators, Moderators, and Trusted Advisors. Regular members are not permitted to reply, and any such posts will be deleted without notice or further explanation. Notice
Status
Not open for further replies.
1 - 3 of 3 Posts

·
Registered
Joined
·
7 Posts
Discussion Starter · #1 ·
hi
my mom and uncle bugged me to upgrade to xp that i'll love it and i fianlly did yesterday and stuff just started downloading to the desktop and on xp when i click on file and make new folder the window would close, (you can still see the wallpaper) and all icons, taskbar would dissapear and reapear i unintalled xp and still infected grrrrrrrrrrr :mad:
avg says i have 18 trojans and unable to heal or delete

here is my hijackthis log
please help!!!

Logfile of HijackThis v1.99.1
Scan saved at 12:23:15 PM, on 6/16/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ZAPPER!\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\ZAPPER!\GRISOFT\AVG FREE\AVGEMC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ZAPPER!\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SHUTTLE TECHNOLOGY\LEDTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SHUTTLE TECHNOLOGY\ICONFIG.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\ZAPPER!\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ZAPPER!\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [GRA] C:\Program Files\Gateway\gra\GRA.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\ZAPPER!\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\ZAPPER!\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\ZAPPER!\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\SYSTEM\MP_S3.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\Run: [LEDTRAY.EXE] C:\PROGRA~1\COMMON~1\SHUTTL~1\LEDTRAY.EXE
O4 - HKLM\..\Run: [ICONFIG.EXE] C:\PROGRA~1\COMMON~1\SHUTTL~1\ICONFIG.EXE "Software\Shuttle Technology\04E61010"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg SchedulerV2.exe
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\PROGRA~1\INTERN~1\Toolbar\toolbar.hta (file missing)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\PROGRA~1\INTERN~1\Toolbar\toolbar.hta (file missing)
O9 - Extra button: ShellSearch - {11EE3180-04BE-4eb2-AAD3-248C1E72654E} - C:\Program Files\Extentions\ShellSearch\ss.exe (HKCU)
O9 - Extra 'Tools' menuitem: ShellSearch - {11EE3180-04BE-4eb2-AAD3-248C1E72654E} - C:\Program Files\Extentions\ShellSearch\ss.exe (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409

please help me!
thanks in advance!
suri
 

·
Registered
Joined
·
7 Posts
Discussion Starter · #3 ·
Thanks for the bump. which remimded me that a friend gave me norton 2004 yesterday and it removed 2 viruses but it didn't finish installing and was removed. did avg scan twice came back with 0 infected which is better than the first scan which i had 23.

but here is my updated hjt log, sorry to confuse you

Logfile of HijackThis v1.99.1
Scan saved at 2:41:28 PM, on 6/18/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\ZAPPER!\GRISOFT\AVG FREE\AVGCC.EXE
C:\PROGRAM FILES\ZAPPER!\GRISOFT\AVG FREE\AVGEMC.EXE
C:\PROGRAM FILES\ZAPPER!\GRISOFT\AVG FREE\AVGAMSVR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\E_S4I2G1.EXE
C:\PROGRAM FILES\COMMON FILES\SHUTTLE TECHNOLOGY\LEDTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SHUTTLE TECHNOLOGY\ICONFIG.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\WUAUCLT.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\ZAPPER!\HIJACKTHIS\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ZAPPER!\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [GRA] C:\Program Files\Gateway\gra\GRA.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\ZAPPER!\GRISOFT\AVGFRE~1\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\ZAPPER!\GRISOFT\AVGFRE~1\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\ZAPPER!\GRISOFT\AVGFRE~1\AVGAMSVR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\SYSTEM\MP_S3.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5400] C:\WINDOWS\SYSTEM\E_S4I2G1.EXE /P19 "EPSON Stylus CX5400" /O5 "LPT1:" /M "Stylus CX5400"
O4 - HKLM\..\Run: [LEDTRAY.EXE] C:\PROGRA~1\COMMON~1\SHUTTL~1\LEDTRAY.EXE
O4 - HKLM\..\Run: [ICONFIG.EXE] C:\PROGRA~1\COMMON~1\SHUTTL~1\ICONFIG.EXE "Software\Shuttle Technology\04E61010"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: PowerReg SchedulerV2.exe
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\PROGRA~1\INTERN~1\Toolbar\toolbar.hta (file missing)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\PROGRA~1\INTERN~1\Toolbar\toolbar.hta (file missing)
O9 - Extra button: ShellSearch - {11EE3180-04BE-4eb2-AAD3-248C1E72654E} - C:\Program Files\Extentions\ShellSearch\ss.exe (HKCU)
O9 - Extra 'Tools' menuitem: ShellSearch - {11EE3180-04BE-4eb2-AAD3-248C1E72654E} - C:\Program Files\Extentions\ShellSearch\ss.exe (HKCU)
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gateway.com/support/profiler/PCPitStop.CAB
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
 
1 - 3 of 3 Posts
Status
Not open for further replies.
Top