hijack this auto closes... help!


Stingray42
02-02-2007, 12:14 AM
Ok, so my comp has been acting funny lately. So I went through the scans, and then tried to run HijackThis. I opened it, and it closes itself after several seconds, and sometimes immediately! What's wrong?

Thanks
Andrew

FarmTruk
02-02-2007, 01:22 AM
Did you just recently download HijackThis? Is this the first time using the program? If so, you have downloaded the installation software (zip folder?). When you open this file, it will then go through a short process, completing the installation of the program onto your computer.

At this point, it should also have placed a NEW shortcut on your desktop with a file folder icon, labeled hijackthis.

Now, open this folder, click on the hijackthis file (the logo looks like a package of dynamite with a detonator.)

This is the program. It should then open and offer you options, such as "Do a system scan and save a logfile".

If you have already done this, please disregard my ignorance. I'm sure someone more knowledgeable will be able to help you :)

Stingray42
02-02-2007, 07:06 AM
lol.... ya, that's what I did and it's not working

Thanks for trying though :)

I have used HijackThis before, it just won't work now :crazy:

shifty
02-02-2007, 11:08 AM
Some spyware item on your computer is preventing Hijackthis from running.

Three things you can do:

1) Rename hijackthis.exe to something else like "ihatespyware.exe". See if it still closes :D (if it doesn't recognize the name of the program, it can't close it :D)

2) Alternatively, go to http://housecall.trendmicro.com and do a scan and repair there, then reboot, THEN run Hijackthis and see if it still occurs.

Housecall should find some items to repair if you're infected.

3) Boot Windows in Safe mode and try to run Hijackthis there.


I have seen this before, but never seen anything do this to Hijackthis.

Stingray42
02-02-2007, 12:48 PM
k, renaming it didn't work... and I can't get to housecall from that link so I'm trying the link in your sticky post

edit... housecall won't load for me now?

I'll try safe mode.

Also, I think I got what I have through MSN Messenger, clicking on a link that a virus sent :(

shifty
02-02-2007, 02:05 PM
Nice.

Try things in safe mode. If nothing else, please download SmitRem.exe from here and run it:

http://noahdfear.geekstogo.com/click%20counter/click.php?id=1

Details: Download smitRem.exe, saving the file to your desktop. Double click it to extract the contents to a folder of its own. Restart your computer in safe mode, log on to the user account that is infected, open the smitRem folder and double click the RunThis.bat file to start the tool.

Follow the prompts on screen and allow disk cleanup to complete.

Upon reboot, you can reset your desktop background. Note: XP users using the XP theme may experience a change to the Classic Windows theme. This can be changed on the themes tab of desktop properties.



SmitRem should kill some items and I doubt this thing is gonna stop it from running.

Meanwhile, before you do anything else, do this for me:

Click on the Start menu, choose "Run", copy and paste tasklist > c:\tasklist.txt into the Run box and click OK, then open the file C:\tasklist.txt and post the contents here. I'll try to locate a problematic background process and we'll kill it :)

shifty
02-02-2007, 02:06 PM
PS - I leave town in 3 hours. After that I can't help ya :D

Stingray42
02-02-2007, 02:10 PM
ahhhh 3 hours and counting :P

tasklist > c:\tasklist.txt wouldn't run anything???

Should I run the SmitRem prog?

Thanks!

shifty
02-02-2007, 02:18 PM
I am assuming you're using XP.

Try this for the tasklist (I'm assuming you're using XP). Go into the Start menu under All Programs, Accessories, open "Command Prompt". At the blinking cursor, type tasklist

Does it output anything? If it does, type that previous command (tasklist[space]>[space]c:\tasklist.txt) (don't type in the word [space], just make sure there is a space there!)

Meanwhile, if you're using XP, you can use System Restore to "roll back" to a previous date when you weren't infected, then run a cleanup tool.

Alternatively, yes, run SmitRem. It might clean up the problem, if it is allowed to run.

Stingray42
02-02-2007, 02:31 PM
yes XP

tasklist thing still no worky.

Ran SmitRem. It doesn't have a finish screen? Do I need to restart?

Gonna redownload HijackThis and try it.

Stingray42
02-02-2007, 02:34 PM
k, HijackThis still doesn't work.

ummm... any ideas? I'm so lost lol

How do I go about the System Restore? (if there's no other fixes)

shifty
02-02-2007, 02:44 PM
Yes, you need to restart after SmitRem.


Ok, I am 99% sure I know exactly what you're infected with and dammit, if I could sit in front of your computer I could fix it :D I bet you'll find you can't go into the Run menu and open regedit either :D

I wonder if what you have has turned off System Restore also?

Look in the Start Menu under Accessories and System Tools. System Restore is there. Tell it you want to restore the computer to a previous state. Find a date in bold on the provided calendar which occurred BEFORE the infection and restore to that date. Once you do, you should find Hijackthis is able to be opened.

Any programs you installed since then will need to be reinstalled. You may find some files end up disappearing or getting moved as well, hopefully nothing major :) Beats formatting and reinstalling and since I can't be there to help directly....

shifty
02-02-2007, 11:15 PM
Ok, I lied. Free wireless here at the B&B, so I might actually be able to check in over the weekend.

Stingray42
02-03-2007, 01:10 AM
Shifffffty come over to my house, I'll make you breakfast lol


k, it let me open regedit quickly then shut it down.

System Restore was turned off.

Nothing works to get at HijackThis, what's next? Please don't say format and reinstalling (although I kinda want to get Vista to play with lol)

Thanks again

shifty
02-04-2007, 11:19 AM
lol.

Okay, you're definitely infected. I definitely know what it is. I have definitely killed it in the past. The only other thing I can suggest .... hmmmmm

Can you tell me exactly what you saw when you tried to run 'tasklist'? Basically, I need to see a list of running tasks on your computer so I can identify the one that doesn't belong and we can nuke it.

Please try to download and install this software:

http://www.neuber.com/taskmanager/taskmanager.html

Run it once it's done installing. Hopefully it will open. If it does, please capture a screenshot so I can find the bad process and we can nuke it, then get to work on cleanup.

I'll be driving back from Savannah in about an hour, can't get around to helping until tonight.

Stingray42
02-04-2007, 01:13 PM
ok, tasklist won't bring anything up when I type it in 'Run'

but... ctrl alt del gets me this, will this work for you?

Stingray42
02-04-2007, 01:19 PM
alrighty... tried to download your program, it would download but runs the same way as HijackThis.

???

Thanks!!

Stingray42
02-04-2007, 08:22 PM
gah!

lol... Alright, Shifty, hopefully you get home soon lol but don't worry about me till tomorrow if you don't want to! :)

I've decided if I need to reformat my computer and reinstall everything... that's ok. I'll stick with XP until we get a new computer (won't be for another year or so) and I need to get Office. How much should I be able to get it for? We have a terrible version of Corel and some Office, but nothing that works great, also making school tough when I need to download assignments.

All I really have to save is our pictures, 12GB of music (didn't realize I had that much lol) and a few files.

If I dont need to delete it all, thats good too :D


Show me the way Obi-Wan

shifty
02-04-2007, 08:47 PM
That task list is awfully small :D

whagent.exe is the only task I see that I know is bad.

Please do this:

Type this into a RUN box and click OK:

notepad %windir%\system32\drivers\etc\hosts

A file should open. It should look like this:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

Ignore the lines that start with "#". Ignore the line starting with "127". Do you see any other lines underneath the "127" line? If you do, that is probably NOT a good thing. Put a "#" symbol at the beginning of any line that is showing under the "127.0.0.1 localhost" line and try to save the file.

Download AVG AntiSpy:

http://downloads.grisoft.cz/softw/70/filedir/inst/avgas-setup-7.5.0.50.exe

When you download it, install it. Open it up. Choose "update", but don't run a scan yet.

Reboot Windows into 'Safe Mode'. From safe mode, open AVG Antispy and do a full scan.

After the full scan is complete, try running Hijackthis while still in Safe Mode.

Stingray42
02-04-2007, 08:49 PM
aha hey man welcome back :D

Gonna do all that. How do I boot in safe mode? I forget lol

thanks :D



ps... there's about 30 lines underneath the 127 line
Do you have MSN so we can chat?

Stingray42
02-04-2007, 08:53 PM
after putting in my "#'s"


127.0.0.1 localhost
#1.1.1.1 f-secure.com
#1.1.1.1 www.f-secure.com
#1.1.1.1 ftp.f-secure.com
#1.1.1.1 ftp.sophos.com
#1.1.1.1 liveupdate.symantec.com
#1.1.1.1 customer.symantec.com
#1.1.1.1 dispatch.mcafee.com
#1.1.1.1 download.mcafee.com
#1.1.1.1 rads.mcafee.com
#1.1.1.1 mast.mcafee.com
#1.1.1.1 my-etrust.com
#1.1.1.1 www.my-etrust.com
#1.1.1.1 nai.com
#1.1.1.1 www.nai.com
#1.1.1.1 networkassociates.com
#1.1.1.1 secure.nai.com
#1.1.1.1 securityresponse.symantec.com
#1.1.1.1 service1.symantec.com
#1.1.1.1 sophos.com
#1.1.1.1 www.sophos.com
#1.1.1.1 support.microsoft.com
#1.1.1.1 symantec.com
#1.1.1.1 www.symantec.com
#1.1.1.1 update.symantec.com
#1.1.1.1 updates.symantec.com
#1.1.1.1 us.mcafee.com
#1.1.1.1 vil.nai.com
#1.1.1.1 viruslist.com
#1.1.1.1 www.viruslist.com
#1.1.1.1 grisoft.com
#1.1.1.1 www.grisoft.com
#1.1.1.1 free.grisoft.com
#1.1.1.1 trendmicro.com
#1.1.1.1 housecall.trendmicro.com
#1.1.1.1 www.trendmicro.com
#1.1.1.1 pandasoftware.com
#1.1.1.1 www.pandasoftware.com
#1.1.1.1 usa.kaspersky.com
#1.1.1.1 ewido.net
#1.1.1.1 www.ewido.net
#1.1.1.1 zonelabs.com
#1.1.1.1 www.zonelabs.com
#1.1.1.1 bitdefender.com
#1.1.1.1 www.bitdefender.com
#1.1.1.1 download.bitdefender.com
#1.1.1.1 upgrade.bitdefender.com
#1.1.1.1 spywareinfo.com
#1.1.1.1 www.spywareinfo.com
#1.1.1.1 merijn.org
#1.1.1.1 www.merijn.org
#1.1.1.1 sysinternals.com
#1.1.1.1 www.sysinternals.com
#1.1.1.1 onguardonline.gov
#1.1.1.1 www.onguardonline.gov
#1.1.1.1 avast.com
#1.1.1.1 www.avast.com
#1.1.1.1 safety.live.com
#1.1.1.1 www.paretologic.com
#1.1.1.1 paretologic.com
#1.1.1.1 virusscan.jotti.org
#1.1.1.1 services.google.com

shifty
02-04-2007, 09:01 PM
OK, you fixed a major part of the problem. :D I will explain later - basically, this spyware/malware/trojan/virus you got modified your HOSTS file to tell your computer that the actual IP address of all of the websites listed was 1.1.1.1, which is a fake IP :D

Please go to http://housecall.trendmicro.com - - Do a full scan. Clean up everything. If it doesn't work I will be surprised!

Meanwhile, I am going to PM you my MSN info ASAP. I will be popping on my work computer to check for messages every few minutes.

shifty
02-04-2007, 09:02 PM
Dummies :D They didn't block the AVG website!
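
The hosts check shifty walks through above, done in code. This is an added example, not something from the thread: a small Python 3 audit that parses a Windows hosts file the way the resolver does (first field an address, remaining fields hostnames, "#" to end of line a comment), treats the stock localhost mapping as the only expected entry, and rates everything else. Two independent signals mark an entry "high": the name belongs to a security vendor (VENDOR_MARKERS is an assumption, hand-picked from the names in the dump above), or one address is reused for SINKHOLE_MIN or more different names, which is what 1.1.1.1 looks like here even without any vendor list. The sample file is a constructed excerpt, not the poster's file. neutralize() comments lines out exactly as the poster did by hand; on a real machine the file is %windir%\system32\drivers\etc\hosts and writing it needs an administrator account.

```python
import ipaddress

# Constructed excerpt modeled on the hosts file posted in this thread (a few
# of its ~60 lines) plus two entries of the kind a user adds on purpose.
# Not the poster's actual file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
1.1.1.1 f-secure.com
1.1.1.1 www.f-secure.com
1.1.1.1\tliveupdate.symantec.com   # tab-separated, trailing comment
1.1.1.1 update.symantec.com
1.1.1.1 housecall.trendmicro.com
0.0.0.0 ad.doubleclick.net
192.168.1.10 fileserver.lan
"""

# The only mapping a stock Windows hosts file carries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
LOOPBACK_OR_NULL = {"127.0.0.1", "::1", "0.0.0.0"}

# Assumption: vendor name fragments hand-picked from the thread's dump.
VENDOR_MARKERS = ("symantec", "mcafee", "trendmicro", "f-secure", "sophos",
                  "kaspersky", "grisoft", "avast", "bitdefender", "ewido",
                  "support.microsoft", "sysinternals", "merijn", "viruslist",
                  "pandasoftware", "zonelabs", "housecall")

# One address reused for this many distinct names is treated as a sinkhole
# even when none of the names matches the vendor list.
SINKHOLE_MIN = 4


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for every active mapping line.

    '#' to end of line is a comment; blank lines and lines whose first field
    is not an address are ignored, which is how the resolver treats them.
    """
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        yield n, ip, [h.lower() for h in fields[1:]]


def audit_hosts(text):
    """One finding per mapped name other than the stock localhost entry.

    Severity 'high': the name matches a security vendor, or its address is
    shared by SINKHOLE_MIN or more names. Anything else is 'review'.
    """
    entries = list(parse_hosts(text))
    names_per_ip = {}
    for _, ip, names in entries:
        names_per_ip.setdefault(ip, set()).update(names)
    sinkholes = {ip for ip, ns in names_per_ip.items()
                 if ip not in LOOPBACK_OR_NULL and len(ns) >= SINKHOLE_MIN}

    findings = []
    for n, ip, names in entries:
        for name in names:
            if name in LOCAL_NAMES and ip in LOOPBACK_OR_NULL:
                continue
            reasons = []
            if any(m in name for m in VENDOR_MARKERS):
                reasons.append("security-vendor name overridden")
            if ip in sinkholes:
                reasons.append("address shared by %d names"
                               % len(names_per_ip[ip]))
            findings.append({"line": n, "ip": ip, "name": name,
                             "severity": "high" if reasons else "review",
                             "reasons": reasons})
    return findings


def neutralize(text, only_high=False):
    """Return the file with flagged lines commented out, as the poster did.

    only_high=True leaves 'review' entries (say, a deliberate 0.0.0.0
    ad-blocking line) untouched.
    """
    bad = {f["line"] for f in audit_hosts(text)
           if f["severity"] == "high" or not only_high}
    return "\n".join("#" + ln if n in bad else ln
                     for n, ln in enumerate(text.splitlines(), 1)) + "\n"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print("%3d %-6s %-14s %-28s %s" % (f["line"], f["severity"], f["ip"],
                                           f["name"], "; ".join(f["reasons"])))
```

Deleting the lines instead of commenting them is equivalent. The hosts file is consulted before DNS, so one stale entry silently overrides resolution for that name, and since whatever wrote the entries may still be running, re-run the audit after the cleanup tools and a reboot rather than assuming a single edit sticks.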

FarmTruk
02-04-2007, 09:20 PM
I'll stick with XP until we get a new computer (won't be for another year or so) and I need to get Office. How much should I be able to get it for? We have a terrible version of Corel and some Office, but nothing that works great, also making school tough when I need to download assignments.


Hey Stingray42...I'm glad that you're getting your issue(s) worked out. When you are back stable again, you might want to try this...

For a decent FREE MS Office compatible suite, go to www.openoffice.org. 56K beware, but with BB you should be happy. As far as I've been able to tell, it's compatible with all Office docs.

Shifty has also recommended another FREE suite which I'm unfamiliar with, but he does seem to make good recommendations :)

Just a thought, since you were remarking about needing Office for school downloads. Hope I'm not jumping the gun with ya'.

Best 'o luck to ya'

Stingray42
02-05-2007, 12:58 AM
I will check it out! Is it good only for viewing? Because I also need to be able to create and mod Excel and PowerPoint... I'll have a look though cuz Corel is leaving my comp in about 2 mins :D thanks!

And a HUUUUUUUUUUUGE thanks goes out to shifty tonight. He spent more time than I could have ever asked for helping me clean up my computer and getting it running right again! Anything you need in the future, just ask man.

FarmTruk
02-05-2007, 01:17 AM
OO is not a reader. It is open-source freeware. I don't know about the PwrPt (never used it), but you can create spreadsheets, databases, written docs, etc., and they will (should) be compatible with the MS suite.

I use primarily the OO Writer (Word) and Calc (Excel), but the suite seems pretty complete.

I found it after doing a pretty long search for free MS Office. All I could find was readers and pirateware. No thanks. It's worked well for me so far, and it doesn't cost a dime.

Stingray42
02-05-2007, 01:56 AM
shifty- for you!

Logfile of HijackThis v1.99.1
Scan saved at 2:10:16 AM, on 2/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://westjet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Program Files\AdwareFilter\adwarefilter.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: SearchAssistant=
O14 - IERESET.INF: CustomizeSearch=
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O15 - Trusted Zone: http://*.67-72chevytrucks.com
O15 - Trusted Zone: http://*.break.com
O15 - Trusted Zone: *.classmates.com
O15 - Trusted Zone: http://www.msgpluslive.net
O15 - Trusted Zone: http://www.newgrounds.com
O15 - Trusted Zone: http://www.partypoker.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://jcs.chat.dcn.yahoo.com/v45/yacscom.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://carky42.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122848561671
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134707711203
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/PhotoSwap/PhtPkMSN.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O16 - DPF: {CCC46940-DED0-476C-A27E-115B10DAE0B4} - https://td.nortonconfidenceonline.com/plug-in/NCO/WSAS.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zone.msn.com/binary/WoF.cab31267.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

Stingray42
02-05-2007, 01:57 AM
OO is not a reader. It is open-source freeware. I don't know about the PwrPt (never used it), but you can create spreadsheets, databases, written docs, etc., and they will (should) be compatible with the MS suite.

I use primarily the OO Writer (Word) and Calc (Excel), but the suite seems pretty complete.

I found it after doing a pretty long search for free MS Office. All I could find was readers and pirateware. No thanks. It's worked well for me so far, and it doesn't cost a dime.

downloaded it... awesome! I really like it, def worth the download.

shifty
02-05-2007, 10:23 AM
Hey Andrew, looks like the hacking we got done helped a lot.

Couple of things:

I'm a little pissed these items came back, has me a little worried:

O14 - IERESET.INF: SearchAssistant=
O14 - IERESET.INF: CustomizeSearch=
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=

Please do the following:

1) Open Hijackthis and choose "Scan only".

2) Put a checkmark next to those four items.

3) Put a checkmark next to every single item in the 'O16' area (these can all be automatically re-downloaded later).

3.5) Click the "Fix" button.

4) Open a RUN box, and copy/paste this into it: sc delete "Client IP-IPX"

(Be sure to copy everything, even the quotes - a window will pop up and go away really fast! Too fast to see the response!).

5) Please Download MsnVirRem.exe to your desktop http://downloads.malwareremoval.com/MsnVirRem.exe

First, close any other programs you have running as this will require a reboot. Double click MsnVirRem.exe to run it. Once open, click the button labelled "Search and Destroy".

Your computer will now be scanned for Infected Files.

When scanning is finished you will be prompted to reboot only if infected, Click OK. Now click the "REBOOT" Button. After the Reboot, you might receive file not found errors (like last night, usually 4, but might not happen this time) please acknowledge them and continue.

A Message should popup from MsnVirRem. If not, double click the program again and it will finish.

6) Download (save) combofix from one of these two sites:

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

Double click combofix.exe & follow the prompts. When finished, it will produce a log for you.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.


7) Reboot. "Scan and save logfile" with Hijackthis. Give me the new logfile, pls. Please Post the contents of C:\msnvirrem.log also, and finally, post the combofix log summary as well.


If I see anything else I don't like, rest assured, I will want to open a remote assistance line with you again and find whatever it is that's still nested on your system/hidden somewhere.
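
A way to do the triage shifty did by eye on the log above, as an added example (not the thread's code and not part of HijackThis): a Python 3 pass over a HijackThis 1.99.1 log that parses the "Running processes" list and the O23 service lines and reports three things visible in the posted log: a process name one edit away from a core Windows binary (svchosts.exe beside the real svchost.exe), a service whose binary is gone but whose registration remains ("(file missing)"), and a service with no owner in its version info ("Unknown owner"). It also flags a genuine system name running from the wrong folder, a case the log above does not contain. The sample is a constructed excerpt of the posted log. parse_o23() returns the service key that sc.exe wants: HJT shows the key in parentheses only when it differs from the display name (compare "Canon Camera Access Library 8 (CCALib8)" with "Client IP-IPX"), which is why `sc delete "Client IP-IPX"` uses the display name here. SYSTEM_BINARIES is a deliberately short list and an assumption.

```python
import re

# Constructed excerpt modeled on the HijackThis v1.99.1 log posted in this
# thread: only the lines that matter for the checks below.
SAMPLE_HJT_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ares\Ares.exe
C:\WINDOWS\system32\svchosts.exe
C:\Program Files\HijackThis\HijackThis.exe

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e te-110-12-0000282 (file missing)
"""

# Core Windows binaries whose names malware imitates (assumed short list);
# all of them live in system32 except explorer.exe.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe",
                   "ctfmon.exe", "wuauclt.exe", "msiexec.exe"}
# HJT prints the service key in parentheses only when it differs from the
# display name. PATH_RE takes a drive-letter path up to an exe-like extension.
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^)]+)\))?"
                    r" - (?P<owner>.+?) - (?P<path>.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|com)\b', re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance; inputs are short file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(basename):
    """System binary this name is one edit away from; None for an exact
    system name or an unrelated one."""
    name = basename.lower()
    if name in SYSTEM_BINARIES:
        return None
    return next((r for r in sorted(SYSTEM_BINARIES)
                 if edit_distance(name, r) == 1), None)


def check_process_path(path):
    """(kind, detail) for a suspicious running-process path, else None."""
    folder, _, base = path.rpartition("\\")
    real = lookalike(base)
    if real:
        return ("lookalike-process", "imitates " + real)
    if (base.lower() in SYSTEM_BINARIES and base.lower() != "explorer.exe"
            and not folder.lower().endswith("system32")):
        return ("misplaced-system-name", "expected under system32")
    return None


def parse_o23(line):
    """Display, key (falls back to display: what sc.exe wants), owner, path."""
    m = O23_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["key"] = d["key"] or d["display"]
    return d


def triage_hjt(text):
    """Return (kind, reference, detail) findings for a HijackThis log."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            section = "procs"
            continue
        if section == "procs" and re.match(r"^(O\d+|R\d) - ", line):
            section = "entries"
        if section == "procs":
            hit = check_process_path(line)
            if hit:
                findings.append((hit[0], line, hit[1]))
            continue
        svc = parse_o23(line)
        if svc:
            if "(file missing)" in svc["path"]:
                findings.append(("dangling-service", svc["key"],
                                 "binary gone, registration survives"))
            if svc["owner"] == "Unknown owner":
                findings.append(("unknown-owner-service", svc["key"], svc["path"]))
        for p in PATH_RE.findall(line):
            real = lookalike(p.rpartition("\\")[2])
            if real:
                findings.append(("lookalike-path", line, "imitates " + real))
    return findings
```

The edit-distance check is a heuristic: it catches an added or swapped letter but not a malicious file that reuses a system name exactly in the right folder, and it says nothing about the O14 and O16 entries, which need a different judgment. Treat the output as a list of things to look at, not a verdict.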

Stingray42
02-05-2007, 11:10 PM
hey man, haven't even gotten on that comp today, I'll have an update tomorrow though!

shifty
02-05-2007, 11:34 PM
Sounds good.

This is apparently something known as the "MSN Virus" or something like that. I've been really interested in it, I Googled around for some of the features I saw while working on your stuff....It's pretty interesting stuff! They're getting sneakier and sneakier every day! One of these days I'm not gonna be able to figure this crap out :D

Stingray42
02-06-2007, 12:05 PM
msnvirrem log


MsnVirRem Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Owner\Desktop
2/6/2007
12:05:29 PM

---Infection Files Found---
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\netstat.com

Rebooting...
Fixing Registry Permissions...
Editing Registry...
Fixing Host File...
**Fix Complete!**
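
Why the two files MsnVirRem reported matter, as an added example (not the thread's code): cmd.exe resolves a bare command name by trying the extensions in PATHEXT in order, and on XP that order starts .COM;.EXE, so a taskkill.com dropped next to taskkill.exe in system32 is what runs when someone types taskkill; netstat.com does the same to netstat. Whether the earlier tasklist failures in the thread had this cause is not shown by the log, which lists only taskkill.com and netstat.com. The Python 3 code below models that lookup and scans a directory for files shadowed by a same-named higher-priority one; it builds a constructed stand-in for system32 in a temporary directory with placeholder files, since the real directory is not available here. Legitimate XP .com files exist (more.com, for instance), so the signal is a .com beside a same-named .exe, not the .com extension alone.

```python
import os
import tempfile

# Default PATHEXT on Windows XP. cmd.exe tries these extensions in this
# order for a bare command name, so taskkill.com wins over taskkill.exe.
XP_PATHEXT = [".COM", ".EXE", ".BAT", ".CMD", ".VBS", ".VBE",
              ".JS", ".JSE", ".WSF", ".WSH"]


def resolve_command(name, search_dirs, pathext=XP_PATHEXT):
    """Simplified cmd.exe lookup: directories in PATH order, and within each
    directory the PATHEXT extensions in order; the first hit wins. A name
    typed with its extension is looked up as-is. Returns the path that would
    run, or None. Extensions are lower-cased so the demo also works on a
    case-sensitive filesystem; Windows itself does not care."""
    if os.path.splitext(name)[1]:
        candidates = [name]
    else:
        candidates = [name + ext.lower() for ext in pathext]
    for d in search_dirs:
        for cand in candidates:
            p = os.path.join(d, cand)
            if os.path.isfile(p):
                return p
    return None


def shadow_report(directory, pathext=XP_PATHEXT):
    """Sorted (shadowed, winner) base-name pairs: files in `directory` that a
    same-named file with a higher-priority extension pre-empts."""
    rank = {ext.lower(): i for i, ext in enumerate(pathext)}
    by_stem = {}
    for fn in os.listdir(directory):
        stem, ext = os.path.splitext(fn)
        if ext.lower() in rank:
            by_stem.setdefault(stem.lower(), []).append(fn)
    pairs = []
    for files in by_stem.values():
        if len(files) < 2:
            continue
        files.sort(key=lambda f: rank[os.path.splitext(f)[1].lower()])
        pairs.extend((loser, files[0]) for loser in files[1:])
    return sorted(pairs)


def build_demo_system32():
    """Constructed stand-in for C:\\WINDOWS\\system32 on the infected box:
    the two .com files MsnVirRem reported, next to the real tools, plus an
    untouched tasklist.exe and more.com (a legitimate XP .com with no .exe
    twin). Contents are placeholder bytes, not real binaries."""
    d = tempfile.mkdtemp(prefix="sys32_")
    for fn in ("taskkill.exe", "netstat.exe", "tasklist.exe", "more.com",
               "taskkill.com", "netstat.com"):
        with open(os.path.join(d, fn), "wb") as fh:
            fh.write(b"MZ")
    return d


if __name__ == "__main__":
    d = build_demo_system32()
    for loser, winner in shadow_report(d):
        print("%-14s is shadowed by %s" % (loser, winner))
    for cmd in ("taskkill", "taskkill.exe", "tasklist", "more"):
        print("%-13s -> %s" % (cmd, resolve_command(cmd, [d])))
```

On a suspect XP box the equivalent by hand is `dir %windir%\system32\*.com` and checking each result for an .exe twin; until that is clean, invoke tools by full path and extension (%windir%\system32\taskkill.exe) so PATHEXT never gets a vote. Separately, the Run dialog is not cmd.exe and does not interpret `>`, so `tasklist > c:\tasklist.txt` typed there, as attempted earlier in the thread, never redirects anything; it has to be typed at a Command Prompt.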

Stingray42
02-06-2007, 01:00 PM
no combofix log. said done... log will be posted at c:\combofix.txt but nothing there?

Here's the HJT log

Logfile of HijackThis v1.99.1
Scan saved at 13:13, on 07-02-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\OpenOffice.org 2.1\program\soffice.BIN
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://westjet.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIACA.EXE /P26 "EPSON Stylus CX3800 Series" /O6 "USB001" /M "Stylus CX3800"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 2.1.lnk = C:\Program Files\OpenOffice.org 2.1\program\quickstart.exe
O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Program Files\AdwareFilter\adwarefilter.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Norton Confidence Online - {144FDEB7-A23D-4D39-A00E-AA44195535B6} - C:\WINDOWS\wcidButton.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: SearchAssistant=
O14 - IERESET.INF: CustomizeSearch=
O14 - IERESET.INF: SEARCH_PAGE_URL=
O14 - IERESET.INF: START_PAGE_URL=
O15 - Trusted Zone: http://*.67-72chevytrucks.com
O15 - Trusted Zone: http://*.break.com
O15 - Trusted Zone: *.classmates.com
O15 - Trusted Zone: http://www.msgpluslive.net
O15 - Trusted Zone: http://www.newgrounds.com
O15 - Trusted Zone: http://www.partypoker.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe


BTW I bought Trend Micro's Internet Security. It deleted some of your suggested free programs (said they won't run together). Is that OK? What else, if anything, should I have on here?

MSN virus sounds right... I think that's where I got it :D Hope we get it all figured out!

Talk to you soon
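
The log above is plain text, so it can be triaged mechanically. The following is an added example, not part of the thread or of HijackThis itself: it parses the numbered entries out of a constructed sample in the same format (a few lines copied from the log above), lists O4 Run entries that give only a bare file name, which the log cannot resolve to a directory, and lists O15 Trusted Zone entries that whitelist a whole domain with a wildcard. Section and regex names are my own.

```python
import re
from typing import NamedTuple

# Constructed sample in the HijackThis v1.99.1 log format: a few entries
# copied from the log quoted above, not the full log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/firefox
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O15 - Trusted Zone: http://*.break.com
O15 - Trusted Zone: *.classmates.com
O15 - Trusted Zone: http://www.partypoker.com
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")

class Entry(NamedTuple):
    section: str  # "O4", "O15", ...
    body: str     # text after "Oxx - "

def parse_hjt(text: str) -> list[Entry]:
    # Only the numbered Rx/Oxx entries; header and process list are skipped.
    found = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [Entry(m.group(1), m.group(2)) for m in found if m]

def run_keys_without_path(entries: list[Entry]) -> list[str]:
    # O4 Run entries whose command is a bare file name: the log cannot show
    # which directory it loads from, so these get a manual check first.
    flagged = []
    for e in entries:
        m = RUN_RE.match(e.body) if e.section == "O4" else None
        if m:
            exe = m.group(3).split()[0].strip('"')  # first token of the command
            if "\\" not in exe:
                flagged.append(m.group(2))  # the [name] in square brackets
    return flagged

def wildcard_trusted_zones(entries: list[Entry]) -> list[str]:
    # O15 Trusted Zone entries that whitelist a whole domain via a wildcard.
    return [e.body.split(": ", 1)[1]
            for e in entries if e.section == "O15" and "*." in e.body]

if __name__ == "__main__":
    entries = parse_hjt(SAMPLE_LOG)
    print("bare-name autoruns:", run_keys_without_path(entries))
    print("wildcard trusted zones:", wildcard_trusted_zones(entries))
```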

Stingray42
02-06-2007, 01:02 PM
Oh... one more. After I ran the MSNvirrem and rebooted... the comp is telling me I don't have a 'genuine copy of Windows'. Any thoughts?

shifty
02-06-2007, 02:29 PM
Great....

I think Combofix puts the log in the same folder you run the *.exe file from - if you run it direct from the internet (vs. downloading it to your computer and saving it somewhere, then running it), then you probably won't see a logfile.

As for the "Not valid WGA authenticated Windows" problem, I think this was probably caused by the virus/trojan and not by MSNvirrem. I think the virus kept you from hitting Windows Update, and when it finally was wiped from the computer, you hit Windows Update (auto updates) and failed WGA.

Either way - let's figure it out: Hit this site - http://www.microsoft.com/genuine/diag/

I think Trend Micro Internet Security should cover your bases. Shouldn't need much else. I think the O14 lines are being caused by SpywareGuard, which is OK.

That will give us a start on figuring out why WGA is failing.

Stingray42
02-06-2007, 06:42 PM
Cool! Fixed that; it says I'm good to go, just gonna reboot so I can get rid of that little icon. Anything else we need to do?

Thanks again

shifty
02-06-2007, 07:40 PM
I think that's it! I believe you have successfully cleaned your system :thumbs: Congrats!

(That was a pain in the ass! Thanks for hanging in there through it and being patient on the Remote Assistance stuff :D)