[Fizzix]

sorry guys posted this orignaly int he wrong bit

but hes a copy of what i said

"Hello, first post i belive!

besides the point, not to sure if this should of been posted in here.

and before you ask me to post a HJT log i cant..

main reson being it closes as soon as it opens, so dose tasmanager so dose regedit etc.

had this problem before, how ever this time i can pinpoint anything that is doing it

not only that, i get rid of one virus/worm/REALLY ANNOYIN PROGRAM! and another one comes on

had to get rid of some pokapoka thing, then some nakedx.exe thing.

now what ever is causing this

anyway peeps, thanks for reading hopeyou can help/point my in the direction of help

or the nearest shotgun!"


thanks for reading...again

hehe

[Advertisements]

OK, let's see if I can be of any assistance

Did you remove anything before this happened (besides the removals by the spyware scans)?

What was the infection/worm you had that you removed?

See if you can do this:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\Program Files\MsConfigs\MsConfigs.exe
C:\WINDOWS\system32\p2pnetwork.exe
C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com

If you get a PendingOperations message, just close it and restart your computer manually.

Restart and post a new HijackThis log.

[greyknight17]

OK, let's see if I can be of any assistance

Did you remove anything before this happened (besides the removals by the spyware scans)?

What was the infection/worm you had that you removed?

See if you can do this:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\Program Files\MsConfigs\MsConfigs.exe
C:\WINDOWS\system32\p2pnetwork.exe
C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com

If you get a PendingOperations message, just close it and restart your computer manually.

Restart and post a new HijackThis log.

[Fizzix]

hey again
First off

when i go to "paste from clipboard" nothing appears to happen, tried clicking the red X (identicle to the program icon)

and it said, you have not specified anything to delete, and that i have to in a yellow box.

advice as to were to go?

and no, nothing i deleted by hand, apart from the "nakedx.exe" file in system files, and i belive the main virus i had was pokapoka one?

but ive had a few. seemed to slow my downlods down, and close windows.

Thanks..

Sam.

ps.

i did copy the list of items from the notepad

well these to be pricese

C:\Program Files\MsConfigs\MsConfigs.exe
C:\WINDOWS\system32\p2pnetwork.exe
C:\WINDOWS\system32\CMD.COM
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\taskmgr.com
C:\WINDOWS\system32\tracert.com

Edited by Fizzix, 05 October 2005 - 12:36 PM.

[greyknight17]

Hmmm, how about looking for those files manually and deleting them (if found)?

OK, try renaming HijackThis.exe to something like HJT1.exe instead. Now try opening it and running a scan. Still closes on you? If it still does it, try running this program first and then run HijackThis again.

[Fizzix]

ah good stuff, remaned it, never knew about that little trick, how dose that work exactually? intresting to know

anyway enough blab

heres log

Logfile of HijackThis v1.99.1
Scan saved at 8:48:45 PM, on 10/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\System32\GSICON.EXE
C:\WINDOWS\System32\dslagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\System32\msnmsgrs.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\All Users.WINDOWS\Desktop\HJT1.exe

O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Kernel Service Driver] msnmsgrs.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServices: [Kernel Service Driver] msnmsgrs.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Kernel Service Driver] msnmsgrs.exe
O4 - HKCU\..\RunServices: [Kernel Service Driver] msnmsgrs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{2F545B9F-79F4-46D4-B48B-0DDBAAAD2EF6}: NameServer = 194.74.65.68 194.72.0.114
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


i fankyou! hehe

[greyknight17]

You renamed it? Delete them...delete those exactly as I listed them with ONLY those extensions and filenames. If they look similar, don't touch them.

You must install XP SP1a (hold off on SP2 until your computer is clean). Without SP1a, you are wide open to re-infection. When you are ready, post a new HijackThis log here.

[Fizzix]

delete them using HJT?

also i did try sp1. but woudent let me use the net for some reason.

[greyknight17]

Oh, that I thought you were referring to the files I asked you to delete No, renaming it does the trick since there are some spyware/trojans that prevent you from running known spyware/virus fighting programs.

Can you go online at all on this computer? If so, do this:

Please go HERE (Microsoft website) using Internet Explorer (not Firefox or any other browser as they won't work)

• Click on Windows Validation Assistant
• Click on the Validate Now button.
• Be patient while the ActiveX loads, do not click on any links.
• Read the instructions on this page while it's loading. You will be prompted to install - click YES.
• Enter your product key then click continue
• When it says "Validation Complete" please click Continue to return to your previous activity
• Copy what it says and paste it here.

[Fizzix]

We’re sorry, but there is no Microsoft.com Web page that matches your entry. It is possible you typed the address incorrectly, or the page may no longer exist. You may wish to try another entry or choose from the links below, which we hope will help you find what you’re looking for.


what i get when i click the "Here" link.

so for now do nothing with HJT?

[greyknight17]

Try clicking here and see if it takes you to the Microsoft site. Then click on the Windows Validation Assistant...follow the previous post I gave you.

We need to do the above first before we do the HJT fixes because you don't have SP1 installed.

[Fizzix]

is it worth me gettin sp1 one first then? then coming back once i got that?

if so i shall, i have a disk with it on i belive..

some comp mag came with it.

[greyknight17]

Yes, please install SP1 first (hold off on SP2). I must wait for you until you installed it before we can continue any further.

After you are done (which should take a good 30 minutes or so), restart and post a new HijackThis log here. We will begin then

[greyknight17]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.