Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Hijackthis Won't Open, Avg Won't Open, Etc


  • Please log in to reply
16 replies to this topic

#1 digitalfixit

digitalfixit

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 04 June 2007 - 07:07 AM

I am running AVG Free, but it won't open. It flashes open when you click on it then it closes. Hijack this won't open (closes right away). If you try and go into the folders that contain these programs they also close right away. This happens in safe mode as well. I currently have the machine offline as well so that no one can connect to the machine. I have tried renaming hijackthis didn't seem to make a difference. I first ran adaware se and spybot. I then installed Spy Sweeper. Ran and removed what it found and rebooted, but the problem still persists.

Do you have any idea what virus/spyware I am dealing with here?


Thanks

BC AdBot (Login to Remove)

 


#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 04 June 2007 - 07:36 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum digitalfixit :thumbsup:

My name is Richie and i'll be helping you to fix your problems,hopefully.

See if the following helps:
If you have not disabled System Restore,boot into 'Safe Mode with Command Prompt'.
At the prompt,type,or copy and paste the following bold text,then press Enter:
%systemroot%\system32\restore\rstrui.exe
Follow the onscreen instructions.
Posted Image
Posted Image

#3 digitalfixit

digitalfixit
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 04 June 2007 - 07:47 AM

System Restore is already disabled. I have found it never fixes any problems in the past and I know spyware and viruses hide in there so it has been disabled since I installed XP. Should I still run the script as a precautionary measure in case for some reason the virus/spyware has re-enabled it in some way?

Thanks for your help Richie!

ps. I am at work right now so I may not be able to use your suggestions immediatley, but I will try right when I get home

#4 digitalfixit

digitalfixit
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 04 June 2007 - 07:56 AM

I just reread your post and you weren't instructing me to disable you were telling me how to recover from command prompt. Sorry I misinterpreted.

System Restore is disabled

#5 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 04 June 2007 - 08:43 AM

Download McAfee AVERT Stinger,save it to cd/flash drive etc,transfer it over to the infected pc and see if you can run it:
http://download.nai.com/products/mcafee-avert/stinger.exe

McAfee AVERT Stinger website:
http://vil.nai.com/vil/stinger/

******************************

Try doing the same with Norman Malware Cleaner 2007.06.01:
http://download.norman.no/public/Norman_Malware_Cleaner.exe

******************************

Download AVG Anti-Rootkit and save to your desktop
1. Double click avgarkt-setup-1.1.0.42.exe to install. By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit.
2. Accept the license and follow the prompts to install.
3. You will be asked to reboot to finish the installation so click "Finish".
4. After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
5. You will see a window with four buttons at the bottom.
6. Click "Search For Rootkits" and the scan will begin.
7. You will see the progress bar moving from left to right. The scan will take some so be patient and let it finish.
8. When the scan has finished, a small window will open so you can view the results.
9. Right click and select "Save Result To File".
10. By default the file will be saved with a .csv extension. (You can use notepad to open the .cvs file). Copy and paste the results in your next reply.
11. If anything was found, click "Remove selected items"
12. If nothing was found, please click the "Perform in-depth Search" saving anything found to file as before.
Posted Image
Posted Image

#6 digitalfixit

digitalfixit
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 04 June 2007 - 08:49 AM

I should be home in 6-7 hours. I will try then. Thanks again for your help!

#7 digitalfixit

digitalfixit
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 04 June 2007 - 05:11 PM

AVERT and Norman found nothing and AVG Anti-Root suffered from same problem as my AVG Free and Hijack this. It opens for a split second then whatever ad-ware or virus I have closes it immediately. hmmmm

Any other suggestions?

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 05 June 2007 - 09:29 AM

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.

Posted Image
Posted Image

#9 digitalfixit

digitalfixit
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 05 June 2007 - 03:45 PM

Combofix log will not open for some reason (says it is in use) but it seemed to fix the problem with AVG opening. I am going to try to run hijack this and send a log

#10 digitalfixit

digitalfixit
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 05 June 2007 - 03:51 PM

Logfile of HijackThis v1.99.1
Scan saved at 16:46, on 2007-06-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Grisoft\AVG7\avgwb.dat
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\svchost.exe
G:\MP3's\HijackThis\HijackThis.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {26141A09-FE7D-4B22-B633-6DC2856D90AC} - (no file)
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - (no file)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Diskeeper - Unknown owner - -"C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe (file missing)
O23 - Service: NBService - Unknown owner - -C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe (file missing)
O23 - Service: NMIndexingService - Unknown owner - -"C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: Microsoft Office Diagnostics Service (odserv) - Unknown owner - -"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (file missing)
O23 - Service: Office Source Engine (ose) - Unknown owner - -"C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

#11 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 05 June 2007 - 06:20 PM

Connect the pc to the internet.
Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the activex control,please do so.
Once installed,disable your current antivirus program,then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.
*Note*
Don't forget to re-enable your antivirus program.

Also post a new Hijackthis log.
Posted Image
Posted Image

#12 digitalfixit

digitalfixit
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 06 June 2007 - 08:51 AM

Last night I reinstalled my AVG free and ran a scan and removed a few things. It seems to be running fine right now, but there could still be something lurking, waiting to resurface. I will do as you suggest when I get home and post the new hijack this for you.


Thanks,


Matthew

#13 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 06 June 2007 - 01:47 PM

If BitDefender does'nt work for any reason,do the following:

First make sure you're logged on to your pc as Administrator,or at least logged on with an account with administtrators privileges.

Go here,download the Sysclean Package (3.3MB):
http://www.trendmicro.com/download/pattern-dcs.asp

Go here,download the latest Virus Pattern File for Windows (lpt513.zip) (18.5MB):
http://www.trendmicro.com/download/viruspattern.asp

Now create a new folder on your desktop,rename it Sysclean.
Now place the Sysclean Package inside that new folder.
Unzip/extract the Virus Pattern File to that new folder.

Close all open applications,and DISABLE your current antivirus software.
Open the Sysclean folder and double-click on sysclean.com to start the scan.
It will take some time to complete.
Be patient and let it clean whatever it finds.

When you've done,enable your antivirus program.
Posted Image
Posted Image

#14 digitalfixit

digitalfixit
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:07 AM

Posted 06 June 2007 - 10:36 PM

The virus scan ran for about 2 hours. Deleted 15 or so files, but the computer froze right when the scan was ending and I couldn't get the log. I will try running again tomorrow. Here is new hijack this log. Looking good...

Logfile of HijackThis v1.99.1
Scan saved at 11:31:50 PM, on 2007-06-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wwSecure.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\USERNAME\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Window Washer] "C:\Program Files\Webroot\Washer\wwDisp.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Microsoft Office Diagnostics Service (odserv) - Unknown owner - -"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE (file missing)
O23 - Service: Office Source Engine (ose) - Unknown owner - -"C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Washer Security Access (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

#15 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:07 PM

Posted 07 June 2007 - 06:29 AM

Well your log is clean.
If you experience any more problems running Trend Micro try the following online scan:

Run the F-Secure online virus/spyware scan using Internet Explorer:
http://support.f-secure.com/enu/home/ols.shtml
Follow the directions in the F-Secure page for proper Installation.
Accept the License Agreement.
Once the ActiveX installs,Click ‘Custom Scan’ and be sure the following are checked:
1.Scan whole System
2.Scan all files
3.Scan whole system for rootkits
4.Scan whole system for spyware
5.Scan inside archives
6.Use advanced heuristics
Once the download completes,the scan will begin automatically.
The scan will take some time to finish,so please be patient.
When the scan completes, click the ‘I want to decide item by item’ button.
For each item found,Select ‘Disinfect’ and click ‘Next’.
Click the ‘Show Report’ button,then copy and paste the entire report into your next reply.
Posted Image
Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users