Help With Vista Please

Discussion in 'Malware Help (A Specialist Will Reply)' started by BILLMCC66, May 22, 2008.

  1. BILLMCC66

    BILLMCC66 Bionic Belgian

    I am running Vista Home Premium SP1 and have developed a small problem: a task bar flag called "Interactive Services" keeps coming on. Now, I know the function of this, but my problem is when I open it and it says "show me the message", I click it and I just get a blue screen with "return now" in a box (it will not let me take a screen shot), so I then return and cancel the screen; with that it goes away, but after about 3 minutes it returns in the same form. If I request "show details" it tells me that it's a problem with Outlook Express (see screen shot), but I have the Microsoft Office 2007 compatibility pack with all updates installed, so can anyone tell me how to stop it??
     
    Last edited: Aug 2, 2008
  2. BILLMCC66

    BILLMCC66 Bionic Belgian

    Has no one any idea what is causing this??
     
  3. musksnipe

    musksnipe Guest

    Sorry, Bill. I've never seen that message.
    Hold on and someone will see your post and help.
     
  4. Adrynalyne

    Adrynalyne Guest

    Didn't take you long to pick up malware.


    There is no Outlook Express directory in Vista. svchost.exe is a legit app, but not in that location.
    mydns is a legitimate program...on Unix.


    Head to the malware forum.

    http://forums.majorgeeks.com/showthread.php?t=35407
     
  5. BILLMCC66

    BILLMCC66 Bionic Belgian

    I can not understand a malware problem; I have not downloaded anything other than Microsoft updates and drivers from HP :confused

    I loaded MS Office from my genuine disk
     
  6. Adrynalyne

    Adrynalyne Guest

    Well, either way, it is what it is.

    I'd run through the readme.
     
  7. BILLMCC66

    BILLMCC66 Bionic Belgian

    OK, I will give it a shot :(
     
  8. abri

    abri MajorGeek

    It's always nice to see you Bill
    Even here! LOL

    You only downloaded updates for Vista and the driver for HP? Well see? There you go.

    It won't hurt to go through the READ ME. I probably will give you to chas though. :)

    abri
     
  9. BILLMCC66

    BILLMCC66 Bionic Belgian

    Good morning
    Although I trust no one other than you guys to tamper with my PC, before I went through the laborious job of malware clean-up I used SYSTEM RESTORE and removed MS Office, left the PC running overnight, and this morning the problem seems to have gone away. So please don't feel offended that I did not go straight to clean-up; if the problem returns I will do it, but at the moment all seems OK.

    I will re-install MS Office later today and see what happens.

    thanks for the input
    BILL
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Here is the potential problem with just doing this Bill. While you may have stopped the outward problem by using System Restore, the actual root infection (the files) may still be there. It would be a good idea to still run the READ & RUN ME and attach the logs. If they turn up clean then that's great and you just spent a little time to feel all warm and fuzzy. :-D
     
  11. BILLMCC66

    BILLMCC66 Bionic Belgian

    Here are the logs
     
    Last edited: Aug 2, 2008
  12. BILLMCC66

    BILLMCC66 Bionic Belgian

    And the rest, Spybot found nothing.
    I see Norton files in there, but I have deleted N security.
     
    Last edited: Aug 2, 2008
  13. abri

    abri MajorGeek

    Hi Bill,

    Well, that was easy! The thing that was listed in the pop-up was taken out by MalwareBytes, so now you should be free of both the symptoms and the cause. I'll check through your other logs to see if there's anything there, but with the name showing up both in the popup and then in the tool that removed it, I don't expect to find much more. What I have noticed is that you still have a lot of Symantec on your computer. It might be worth it to run these if you still can: Removing Files from Norton Antivirus Quarantine and Norton Removal Tool (SymNRT).

    abri
     
  14. abri

    abri MajorGeek

    Hi Bill,

    I'm going to add a few items to my last post. Nothing serious.

    1) Please run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (Note: if using Vista, don't double click, use right click and select Run As Administrator). Select "Do a system scan only". In the box that opens, find the following entries and put a checkmark next to them (if you need some of them to be in the trusted zone, leave them). After check-marking them, close all your open browser windows and click on FIX:

    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

    The following lines are both Symantec lines. If you are removing Symantec, I don't know that you would need them anymore. (also, the removal tool may have already removed them)

    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

    After you click fix, just close hijackthis.


    2) Next I would like to have you use ComboFix to remove some files.


    • Make sure that combofix.exe (cf.exe) that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    • If it is not on your Desktop, the below will not work.
    • Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected): (You don't need Wild Tangent, do you? We usually ask people to remove it.)


    Code:
    KILLALL::

    FOLDER::
    C:\ProgramData\WildTangent

    FILELOOK::
    C:\Windows\System32\ezsidmv.dat

    REGISTRY::
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "HideLegacyLogonScripts"=-
    "HideLogoffScripts"=-
    "RunLogonScriptSync"=-
    "RunStartupScriptSync"=-
    "HideStartupScripts"=-

    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe (cf.exe)
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below

    Note: Do not mouseclick combofix's window while it is running. That may cause it to stall.

    3) Now run CCleaner at the default setting with the Windows tab as the top one.

    4) Please attach your Combofix log.


    Let me know how things are running now.

    abri
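    As an added read-only audit (not code from the thread, nor from HijackThis or ComboFix), this PowerShell checks the two registry footprints the steps above act on: the Policies\System script-hiding values the CFScript deletes with "=-", and the Browser Helper Object / toolbar CLSIDs that HijackThis reported as "(no file)". It assumes an elevated prompt and a 32-bit registry view (no Wow6432Node), which matches the Vista Home Premium install discussed here.

```powershell
# Added audit script (not from the thread): read-only check of the two registry footprints
# discussed above -- the Policies\System script-hiding values the CFScript deletes, and the
# Browser Helper Object / toolbar CLSIDs HijackThis reported with "(no file)".
$policyValues = 'HideLegacyLogonScripts', 'HideLogoffScripts', 'RunLogonScriptSync',
                'RunStartupScriptSync', 'HideStartupScripts'
$policyKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
              'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

# Resolve a COM CLSID to the DLL it loads and say whether that file still exists.
function Get-ClsidState {
    param([string]$Clsid)
    $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32"
    if (-not (Test-Path -LiteralPath $server)) {
        return [pscustomobject]@{ Clsid = $Clsid; Dll = '(none)'; State = 'no InprocServer32' }
    }
    $dll = (Get-ItemProperty -LiteralPath $server).'(default)'
    if ([string]::IsNullOrEmpty($dll)) {
        return [pscustomobject]@{ Clsid = $Clsid; Dll = '(empty)'; State = 'no DLL path' }
    }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    $state = if (Test-Path -LiteralPath $dll) { 'file present' } else { 'file missing' }
    [pscustomobject]@{ Clsid = $Clsid; Dll = $dll; State = $state }
}

# 1) Script-visibility policy values: absent on a default install, so any hit is worth explaining.
foreach ($key in $policyKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($name in $policyValues) {
        if ($null -ne $props.$name) { "{0}\{1} = {2}" -f $key, $name, $props.$name }
    }
}

# 2) BHOs are subkeys named by CLSID; IE toolbars are values whose *names* are CLSIDs.
$bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$toolbarKey = 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar'
$clsids = @()
if (Test-Path -LiteralPath $bhoKey) {
    $clsids += (Get-ChildItem -LiteralPath $bhoKey).PSChildName
}
if (Test-Path -LiteralPath $toolbarKey) {
    $clsids += (Get-Item -LiteralPath $toolbarKey).GetValueNames() | Where-Object { $_ -like '{*}' }
}
$clsids | Sort-Object -Unique | ForEach-Object { Get-ClsidState $_ } | Format-Table -AutoSize
```

    Entries reported as "file missing" correspond to the "(no file)" / "(file missing)" lines in the HijackThis output; the script changes nothing, so the removal itself still goes through the steps abri gives.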
     
  15. BILLMCC66

    BILLMCC66 Bionic Belgian

    The PC is running fine, but I can not execute your requests.

    cf.exe I can access from the desktop but NOT from Notepad: ACCESS DENIED

    I am logged in as admin
     
  16. abri

    abri MajorGeek

    Hi Bill,
    Is UAC still disabled?
    abri
     
  17. BILLMCC66

    BILLMCC66 Bionic Belgian

    I hope it has worked
     
    Last edited: Aug 2, 2008
  18. abri

    abri MajorGeek

    Hi Bill,
    It simply ran without accepting the text you were to pull onto the top of the icon. Did you do that? If not, please repeat the instructions. If that doesn't work, it can all be done another way.
    abri
     
  19. BILLMCC66

    BILLMCC66 Bionic Belgian

    I have tried 4 or 5 times and it keeps saying "can not execute specified request";
    it then reboots the PC.
     
  20. abri

    abri MajorGeek

    Hi Bill!

    I just reread what you wrote. You said you can access cf.exe from the desktop but not from notepad. You don't need to access it from notepad. You merely need to copy the text from the box into Notepad and create a file, give it the name CFScript.txt and store it on your desktop. Then you close everything so you can see your desktop and pull the new file you created called CFScript.txt onto the cf.exe icon with the red M&M with the white X on it. This will cause Combofix to run, but it runs the code in the CFScript text file as well as just running. If this is what you did, and you keep getting the error message, then just do it the following way:

    If analyse.exe (HijackThis) ran as it was supposed to, then just continue this way:

    1) Download and install Erunt. Use it to create a backup of your registry.

    2) Please copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the File Type is set to "all files". Once you have saved it, look for it on your desktop and when you find it, double-click it and allow it to merge with the registry.
    3) Go to Windows Explorer and delete this folder:

    C:\ProgramData\WildTangent

    And while you're in Windows Explorer, please right-click on the following file and see if there is any information about what it is or who made it: (this file may not be bad, I just wondered. Also, don't left click on it)

    C:\Windows\System32\ezsidmv.dat


    4) Now run CCleaner at the default setting with the Windows tab as the top one.


    Let me know how things are running now and if you got a success message when you ran the registry patch (REGEDIT4)?

    abri
     
  21. BILLMCC66

    BILLMCC66 Bionic Belgian

    All is running OK.

    I got the success message with regedit.

    C:\Windows\System32\ezsidmv.dat says Windows can not open this file.

    Thanks for your time and help, Abri. If it shows signs of trouble I will get back to you.
     
  22. abri

    abri MajorGeek

    You're welcome Bill!
    Hope we saved you from every evil and that your computer days will be blessed with contentment. :)
    abri
     
