Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

A Checkup


  • This topic is locked This topic is locked
8 replies to this topic

#1 DemonSui

DemonSui

  • Members
  • 325 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hammond, IN
  • Local time:05:16 PM

Posted 17 November 2006 - 09:28 PM

I get popups from time to time, but it's not a huge distubance. is there anything visibly infectious?

Logfile of HijackThis v1.99.1
Scan saved at 8:07:11 PM, on 11/17/2006
Platform: Unknown Windows (WinNT 6.00.1504) <yes, Vista
MSIE: Internet Explorer v7.00 (7.00.5600.16384)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Users\DSMaster\Documents\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\DSMaster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)

Edited by DemonSui, 17 November 2006 - 09:29 PM.

Let free your emotions so I can destroy them!

PSP M33 USER.

MY new PC is a laptop and I love it.

BC AdBot (Login to Remove)

 


#2 DemonSui

DemonSui
  • Topic Starter

  • Members
  • 325 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hammond, IN
  • Local time:05:16 PM

Posted 20 November 2006 - 04:26 PM

Updated log, haven't had a reply in 4 days anyway

Logfile of HijackThis v1.99.1
Scan saved at 3:17:44 PM, on 11/20/2006
Platform: Unknown Windows (WinNT 6.00.1504)
MSIE: Internet Explorer v7.00 (7.00.5600.16384)

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trillian\trillian.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Microsoft Windows OneCare Live\WinSSNotifyE.exe
C:\Users\DSMaster\Documents\hijackthis\scanme.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\DSMaster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
Let free your emotions so I can destroy them!

PSP M33 USER.

MY new PC is a laptop and I love it.

#3 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Location:South Carolina, USA
  • Local time:05:16 PM

Posted 25 November 2006 - 04:38 PM

Welcome to the BleepingComputer forum. We are currently studying your log and will have instructions for you shortly. Thank you for your patience.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Location:South Carolina, USA
  • Local time:05:16 PM

Posted 27 November 2006 - 01:29 PM

Please be patient with me. This is my first experience in diagnosing a HijackThis log from a Vista machine. Your HijackThis log is small. It may be small due to your using Vista, but please check the information below.

If you haven't done any of the following, please tell me in your next reply. If you have done any of the following, please follow the directions to correct the procedure and then post a new HijackThis log.
  • Have you already "fixed stuff" using HijackThis? If so, please restore all the backups and then post another log. Please do not do anything else until you get further instructions.
  • Have you used the following button in HJT: "Add checked to ignorelist" ?
    Such items would no longer appear in the HJT log ("ignored when scanning for hijacks") as they can only be viewed in Configuration>Ignorelist (button) unless you select the "Delete all" button for the Ignore list. Please start HijackThis in this method instead: hijackthis.exe /ihatewhitelists
  • Did you run the HijackThis scan in Safe Mode?
    Safe Mode starts Windows using only basic files and drivers (mouse, except serial mice; monitor; keyboard; mass storage; base video; default system services; and no network connections). If your computer does not start successfully using Safe Mode, you might need to use the Recovery Console feature to repair your system. Safe Mode loads a version of Windows that bypasses all but the most basic drivers and will not run any additional software. Windows XP Safe Mode provides you with a basic graphics driver (enough to display the user interface), access to your drives and windows configuration, and very little else. Safe Mode does not load auto loading software (browser hijackers for example) or device drivers. Malware may be hiding on your computer but scanning with HijackThis in Safe Mode will fail to show it. We need to be able to see everything that is loading in Normal Mode to detect the malware.
  • Are you using Selective Startup?
    This means that you may have selectively removed some items in the past from the startup procedure. This can be bad if they are malware, so we would like you to enable those startup entries by doing the following:
    Please go to:
  • Start > Run, and type: MSConfig . Press Enter
  • In the General tab, Startup Selection, choose: Normal Startup-load all device drivers and services
  • Press OK until you are out of the program.
  • Reboot and post a new HijackThis log.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#5 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Location:South Carolina, USA
  • Local time:05:16 PM

Posted 27 November 2006 - 01:44 PM

You may want to print this page. Make sure to work through the fixes in the order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step 1

Please download Spybot-S&D.
Please check this link, Using Spybot- Search and Destroy To Remove Spyware From Your Computer, for instructions on how to download, install and use Spybot-S&D. Run this program as soon as possible.

Step 2

Please download Ad-Aware SE.
Please check this link, Using Ad-Aware To Remove Spyware From Your Computer for instructions on how to download, install and use Ad-Aware. Run this program as soon as possible.

Step 3

To help prevent further infection, please download SpywareBlaster. SpywareBlaster helps to:
  • Prevent the installation of Active X-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
  • Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
  • Restrict the actions of potentially unwanted sites in Internet Explorer.
Step 4

Please print out the following instructions as this page will be unavailable to you while you are working in Safe Mode.

Please download and install AVG Anti-Spyware (formerly Ewido).
  • Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security:
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active Internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon. and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
  • If you are having problems with the updater, you can use this link, AVG Anti-Spyware manual updates, to manually update AVG Anti-Spyware..
  • Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
Scan With AVG Anti-Spyware
  • Close ALL open Windows / Programs / Folders. Reboot to Safe Mode (without networking support !) If you don’t know how to boot in Safe Mode, here is a tutorial, How To Start Windows in Safe Mode.
  • Please start AVG Anti-Spyware and run a full scan.
    • Click on Scanner on the toolbar.
    • Click on the Settings tab.
      • Under How to act?
        • Click on Recommended Action and choose Quarantine from the popup menu.
      • Under How to scan?
        • All boxes should be checked.
      • Under Possibly unwanted software:
        • All boxes should be checked.
      • Under Reports:
        • Select Automatically generate report after every scan and uncheck Only if threats were found.
      • Under What to scan?
        • Select Scan every file.
    • Click on the Scan tab.
    • Click on Complete System Scan to start the scan process.
    • Let the program scan the machine.
    • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
  • Reboot in Normal Mode.
Step 5

In normal mode, run an online antivirus check from at least two and preferably three of the following sites
BitDefender
Computer Associates Online Virus Scan
Panda's ActiveScan
Trend Micro Housecall
Windows Live Safety Center Free Online Scan
This scanner from Trend does not require an Active X to run.
  • Detects and removes malware ( viruses, worms, trojans, etc. )
  • Detects and removes grayware and spyware
  • Restores damage caused by malware to your system.
  • Notifies about vulnerabilities in installed programs and connected network services.
  • Multi-platform support for: Windows, Linux, Solaris.
  • Easy-to-use with the Microsoft Internet Explorer and Mozilla Firefox.
When you have completed the scans, if you get a report of files that can’t be cleaned / deleted, please write down the filenames and locations and post that in your reply.

Step 6

Please download the ATF-Cleaner.
ATF-Cleaner features include:
  • Cleaning of all user temp folders, (only the administrator can use this feature.)
  • Cleaning of the Java cache, which seems to be harboring more and more malware.
  • Cleaning the cache, cookies, history, download history, visited links and saved passwords. (You have the option of checking no if you want to save your passwords)
  • For Firefox or Opera
    • Click Firefox or Opera at the top and choose: Select All.
    • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
  • If needed, please see this tutorial, Tutorial on ATF Cleaner with pictures.
Do not run it yet.

Step 7

Now we will address the HijackThis fixes.

Please run HijackThis and click [b[Scan[/b] Place checks next to the following entries (make sure not to miss any):

O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\DSMaster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O13 - Gopher Prefix:


These are optional fixes. These programs are not required to start automatically as you can start them manually if you need them. It is advised that you disable these programs so that they do not take up necessary resources. Many users have reported these processes slow their boot time. Please run HijackThis and click Scan. Place checks next to the following entries.

VCDDaemon.exe (VirtualCloneDrive) process can be removed to free up resources without compromising system performance. VCDDaemon.exe (Virtual Clone Drive) is part of CloneCD CD/DVD copying sofware. This program is not required to start automatically as you can start it manually if you need it. It is advised that you disable this program so that it does not take up necessary resources. Many users have reported this process slows their boot time. It may be worthwhile to fix it with HijackThis. This is the item to fix in HijackThis:

O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s

If you did not add the listed domain to the Trusted Zones yourself, have HijackThis fix it.

O1 - Hosts: ::1 localhost

Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Step 8

Let’s run ATF-Cleaner to ensure no malware is hiding in temporary folders and for general computer cleanup to free space on your computer.

Step 9

Please run HijackThis in Normal Mode and post a new HijackThis log so I can make sure that all the malware was deleted according to plan.

Please post the logs from AVG Anti-Spyware and the list of filenames and locations for any files that can’t be cleaned / deleted that were reported after you completed the online scans.

Please advise me of any problems you still have.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#6 DemonSui

DemonSui
  • Topic Starter

  • Members
  • 325 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hammond, IN
  • Local time:05:16 PM

Posted 28 November 2006 - 04:07 PM

3rd edit: Yes, it seems Vista does give short logs.

wow, that was kinda quick.. sorry I forgot to check back the last few days.

AVG willl not run, but does install. compatability modes do not help. Trendmicro doesn't work either.

I have Adaware, and all it fives me are tracking cookies, the ones I usually get.
Sbybot doesn't run either. Will run ATF shrotly.

Step 7

Now we will address the HijackThis fixes.

Please run HijackThis and click Scan Place checks next to the following entries (make sure not to miss any):

O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\DSMaster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O13 - Gopher Prefix:


I have done this before, it doesn't remove them.

also, I have not checked anything for ignore, I had a few there but removed them before scanning.

one last thing: I have reason to believe that "013 - Gopher Prefix:" as well as "01 - Hosts: ::1 localhost" are from vista, because a scan when I first installed it gave me that, and removing them does nothing.

another Edit: spyware blaster disabled all images here, as well as fast reply, how do I fix that?

Edited by DemonSui, 29 November 2006 - 02:53 PM.

Let free your emotions so I can destroy them!

PSP M33 USER.

MY new PC is a laptop and I love it.

#7 DemonSui

DemonSui
  • Topic Starter

  • Members
  • 325 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hammond, IN
  • Local time:05:16 PM

Posted 28 November 2006 - 04:26 PM

As requested, a new log (how more items got there is beyond me)

Logfile of HijackThis v1.99.1
Scan saved at 3:22:19 PM, on 11/28/2006
Platform: Unknown Windows (WinNT 6.00.1504)
MSIE: Internet Explorer v7.00 (7.00.5600.16384)

Running processes:
C:\Windows\system32\taskeng.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Users\DSMaster\Documents\hijackthis\scanme.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: ZDWLan Utility.lnk = C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\DSMaster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxsrvc.dll
O23 - Service: @%SystemRoot%\ehome\ehstart.dll,-101 (ehstart) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
Let free your emotions so I can destroy them!

PSP M33 USER.

MY new PC is a laptop and I love it.

#8 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Location:South Carolina, USA
  • Local time:05:16 PM

Posted 01 December 2006 - 03:28 PM

one last thing: I have reason to believe that "013 - Gopher Prefix:" is a vista thing, because a scan when I first installed it gave me that

That entry has been around before Vista and usually is part of an infection.

Step 7

Now we will address the HijackThis fixes.

Please run HijackThis and click Scan Place checks next to the following entries (make sure not to miss any):

O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\DSMaster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O13 - Gopher Prefix:

I have done this before, it doesn't remove them.


This tells me that we may have a CWS variant. Let's do this.

Please download the Pocket Killbox. If needed, Tutorial on Using Pocket Killbox. It will guide you through the installation process and the removal process.
  • Unzip the contents of KillBox.zip, to a convenient location.
  • Disconnect from Internet and shut down all running programs.
  • Double‑click on KillBox.exe,.
  • Click on Tools > Delete Temp Files, and click OK,.
  • Use Pocket Killbox to end process on all instances of explorer.exe and rundll32.exe
    Your desktop will disappear but that's normal. It will come back after the reboot part of this fix.
  • As you paste each entry into Killbox, place a check by any of these selections available.
    • Delete on Reboot
    • Unregister .dll before Deleting
    • End Explorer Shell while Killing File
  • Paste this file into the top Full Path of File to Delete box.

    C:\WINDOWS\System32\syst1.exe

  • Click the Delete File, button which looks like a stop sign.
  • Click Yes, at the Replace on Reboot, prompt.
  • Click No, at the Pending Operations prompt.
  • Repeat steps 5-10 above for these files:

    C:\WINDOWS\System32\syst2.exe
    C:\WINDOWS\System32\syst3.exe
    C:\WINDOWS\System32\cidft.dll
    C:\WINDOWS\System32\cidpoq32.dll
    C:\WINDOWS\System32\gupd.dll
    C:\WINDOWS\System32\hst32.dll
    C:\WINDOWS\System32\icnfe.dll
    C:\WINDOWS\System32\icqrt.dll
    C:\WINDOWS\System32\icvbr.dll
    C:\WINDOWS\System32\sdfup.dll
    C:\WINDOWS\System32\thun.dll
    C:\WINDOWS\System32\wcnl32.dll
    C:\WINDOWS\System32\wecxg32.dll
    C:\WINDOWS\System32\wirl.dll
    C:\WINDOWS\System32\xcwer32.dll
    C:\WINDOWS\System32\zxmsn.dll


  • Click the Delete File, button which looks like a stop sign.
  • Killbox will tell you that all listed files will be deleted on next reboot, click YES
  • When it asks if you would like to Reboot now, click YES
  • If you get a PendingFileRenameOperations Registry Data has been Removed by External Process! message then just restart manually.
Now let's try this again.

Please run HijackThis and click Scan. Place checks next to the following entries (make sure not to miss any):

O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Users\DSMaster\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O13 - Gopher Prefix:


Close all browsers and other windows except for HijackThis, and click Fix Checked to have HijackThis fix the entries you checked.

Please post a new HijackThis log.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#9 DemonSui

DemonSui
  • Topic Starter

  • Members
  • 325 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hammond, IN
  • Local time:05:16 PM

Posted 01 December 2006 - 08:00 PM

I moved down to XP, and am workign on SP2 right now. this can be closed. I moved back for reasons other than malware, but will not get into it here
Let free your emotions so I can destroy them!

PSP M33 USER.

MY new PC is a laptop and I love it.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users