HJT file could someone please review


bgjon5
02-22-2007, 04:30 PM
Just experienced about 1000 popups so bad that I had to shut down to clear them... This started after letting my younger brother touch my laptop (I'm gonna kill him lol). Anyway, I see some noticeable things to remove but won't until I get some expert advice (as usual).


Logfile of HijackThis v1.99.1
Scan saved at 3:23:38 PM, on 2/22/2007
Platform: Unknown Windows (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Jon Sadler\Downloads\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.us.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: ShowBarObj Class - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\system32\ActiveToolBand.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe
O4 - HKCU\..\Run: [?????????] ??????????????e
O4 - HKCU\..\Run: [{0C175902-6987-07F3-3DA5-38F56A67619C}] C:\Users\Jon Sadler\AppData\Roaming\msnsnm.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\nlaapi.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\napinsp.dll
O11 - Options group: [INTERNATIONAL] International*
O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - Winlogon Notify: igfxcui - C:\Windows\SYSTEM32\igfxdev.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %ProgramFiles%\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

Budfred
02-22-2007, 10:47 PM
This appears to be Vista and it is not clear yet how well HJT works with Vista... It is also not clear what tools work with Vista... Given those limits, follow my suggestions at your own risk, I can't tell you how they will work...

Open a HJT scan and check:

O4 - HKCU\..\Run: [?????????] ??????????????e

I couldn't find any info on this one... That may mean it is too new, but I suspect it means it is bad... if you can find it, check Properties and then check it if it is not from a program you recognize and trust... Also, delete the file itself, but leave it in the Recycle Bin in case you need to restore it...

O4 - HKCU\..\Run: [{0C175902-6987-07F3-3DA5-38F56A67619C}] C:\Users\Jon Sadler\AppData\Roaming\msnsnm.exe

Close all open windows and press Fix checked...

Reboot and post a fresh log, let me know how things are going... And yes, do not let your brother anywhere near this again... Or use the Vista security options to block access if you are away for a few minutes...

bgjon5
02-23-2007, 12:44 AM
Thanks Budfred, I will try when I get home.... Yes, it is Vista and I have no clue on half of the crap that is installed on it. I actually didn't think about HijackThis not being compatible with Vista either.

Thanks

bgjon5
02-23-2007, 04:57 AM
Quick question Budfred, I noticed on this one
O4 - HKCU\..\Run: [{0C175902-6987-07F3-3DA5-38F56A67619C}] C:\Users\Jon Sadler\AppData\Roaming\msnsnm.exe

that the 0C175902-6987-07F3-3DA5-38F56A67619C part was in my available wireless network list and had me trying to connect to it, I was wondering what the hell it could have been or what it is?

Or I may just be crazy Lol.

Thanks

Btw, has anyone really told you how much you're appreciated around here? Well, you are to me at least, thus the reason I keep coming back here only!

Budfred
02-23-2007, 09:11 AM
Quick question Budfred, I noticed on this one
O4 - HKCU\..\Run: [{0C175902-6987-07F3-3DA5-38F56A67619C}] C:\Users\Jon Sadler\AppData\Roaming\msnsnm.exe

that the 0C175902-6987-07F3-3DA5-38F56A67619C part was in my available wireless network list and had me trying to connect to it, I was wondering what the hell it could have been or what it is?

Or I may just be crazy Lol.

That is called a CLSID number and normally you will find references to it if you Google it... In this case, I couldn't find references to the CLSID or the file itself, so that is why I think it is suspicious and probably a good idea to fix it... Malware will often generate random files and want them to look legit to throw us off... If it turns out to cause a problem to fix it, you can restore it... The fact that it is in the folder AppData makes it even more likely it is malware...
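The heuristics Budfred applies to the O4 entries above (a Run value named like a CLSID or unreadable, and an executable parked under the user's AppData\Roaming folder) can be turned into a small triage pass over a HijackThis log. This is an added example, not code from the thread or from HijackThis; the sample lines are copied from the shape of the log posted above.

```python
import re

# Constructed sample: O4 autorun lines in the format of the HijackThis log in the thread.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O4 - HKCU\..\Run: [?????????] ??????????????e",
    r"O4 - HKCU\..\Run: [{0C175902-6987-07F3-3DA5-38F56A67619C}] C:\Users\Jon Sadler\AppData\Roaming\msnsnm.exe",
    r'O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet',
    r"O4 - Global Startup: Empowering Technology Launcher.lnk = ?",
]

# "O4 - <hive>\..\Run<variant>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# {8-4-4-4-12} hex groups: a GUID/CLSID used as a Run value name instead of a product name
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def parse_o4(line):
    """Split a registry-backed O4 line into hive, key, value name and command; None otherwise."""
    m = O4_RE.match(line)
    return m.groupdict() if m else None


def triage_o4(line):
    """Return the reasons an O4 entry deserves a closer look (empty list = nothing notable)."""
    entry = parse_o4(line)
    if entry is None:
        return []  # Global Startup .lnk lines are not covered by this pass
    reasons = []
    name, cmd = entry["name"], entry["cmd"]
    if CLSID_RE.match(name):
        reasons.append("Run value is named like a CLSID rather than a product")
    if not any(c.isalnum() for c in name):
        reasons.append("Run value name is unreadable (no alphanumeric characters)")
    if not re.search(r"\.exe\b", cmd, re.I):
        reasons.append("command line does not name a readable .exe")
    if "\\appdata\\roaming\\" in cmd.lower():
        reasons.append("executable lives under the user's AppData\\Roaming profile folder")
    return reasons


def triage_log(lines):
    """Map each flagged O4 line to its reasons; clean entries are left out."""
    flagged = {}
    for line in lines:
        reasons = triage_o4(line)
        if reasons:
            flagged[line] = reasons
    return flagged


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_O4_LINES).items():
        print(line)
        for r in reasons:
            print("   -", r)
```

A hit is a prompt to check the file's Properties and search for the name, as Budfred does; it is not proof of malware on its own.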

bgjon5
02-23-2007, 11:19 AM
Well, I am now getting this error. I am speculating that HijackThis has a compatibility issue with Vista:

an unexpected error occured
Error#52 (Bad file name or number) in sub getlongpath (?????????????e.exe)

any other suggestion on removal?

Budfred
02-23-2007, 11:02 PM
That doesn't sound like a compatibility issue... Please post more details about where the warning is coming from and anything else that you observe...

Also, I am pretty sure AVG Antispyware (Ewido) is ready for Vista, so try this:

Please download, install, and update Ewido anti-spyware (http://www.ewido.net/en/download/)

Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.

After the update finishes (the status bar at the bottom will display "Update successful")

Close ewido. Do not run it yet.

Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads. Select Safe Mode on the screen that appears.

In Safe Mode, load Ewido and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.

Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.

Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).

Restart back into Normal Mode.

Please perform another scan with Hijack This, and then post back with a copy of the Ewido log and the new HijackThis log.

bgjon5
02-24-2007, 05:14 PM
Ok, I am getting an error with the AVG too. Attached is what I am getting on both HJT and AVG.
This one is the AVG error:
http://www.bolt.com/jonsadler/photo/Errors/3058130
This is the error I get when doing a system scan on HJT it happens 2 times during the scan.
http://www.bolt.com/jonsadler/photo/Error3/3058132

and

http://www.bolt.com/jonsadler/photo/Error2/3058131

Budfred
02-24-2007, 07:33 PM
Sorry, I don't do links to sites I don't know...

Try running this:

Next: Download the HostsXpert Here (http://www.funkytoad.com/download/HostsXpert.zip) and unzip it to your desktop.
Next, open the HostsXpert
Make sure that the "make hosts writable?" button in the upper right corner is checked
Now, click on 'back up Host files'
then click on 'Restore original host files'
Finally, close the hoster


Then try running the tools again... If you still get the error message, please copy/paste the text of the message here...

bgjon5
02-25-2007, 05:24 PM
ERROR:Cannot create file C:\Windows\system32\DRIVERS\ETC\host
When trying to restore backups. Also, you said "Make sure that the "make hosts writable?" button in the upper right corner is checked", but the only thing I saw under editing tools was "Make host readonly?" Anyway, I didn't mess with any of that.

bgjon5
02-25-2007, 05:39 PM
http://i151.photobucket.com/albums/s128/jonsadler/ErrorHjt2.jpg
http://i151.photobucket.com/albums/s128/jonsadler/ErrorHjt1.jpg
http://i151.photobucket.com/albums/s128/jonsadler/ErrorAVG.jpg
Here are those earlier pics. The first 2 are the HJT errors, the last is the AVG error.

Budfred
02-25-2007, 05:39 PM
ERROR:Cannot create file C:\Windows\system32\DRIVERS\ETC\host
When trying to restore backups. Also, you said "Make sure that the "make hosts writable?" button in the upper right corner is checked", but the only thing I saw under editing tools was "Make host readonly?" Anyway, I didn't mess with any of that.

It looks like the program may have changed a bit... It is defaulting to being able to write the HOSTS file... Just go with backing it up and restoring the Windows default HOSTS file which is on the right in the middle...

bgjon5
02-25-2007, 05:51 PM
Still getting this

ERROR:Cannot create file C:\Windows\system32\DRIVERS\ETC\host

Budfred
02-25-2007, 05:56 PM
Go to that file and open it in Notepad... Copy and paste what you find here...

You may need to set Windows to show hidden and system files to find it... Here are instructions for that:

In Windows XP, on the taskbar, click Start > My Computer.
In the Tools menu, click Folder Options.
On the View tab, uncheck Hide file extensions for known file types.
Uncheck Hide protected operating system files. Then, under the "Hidden files" folder, click Show hidden files and folders.
If you see a warning message, click Yes.
Click Apply.
Click OK.

bgjon5
02-25-2007, 06:02 PM
# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost
Is that what you're looking for?

Budfred
02-25-2007, 06:20 PM
Yes...

Please put a # next to this entry:

::1 localhost and save it to the original location, then try the tools and see if they work properly...

bgjon5
02-25-2007, 06:35 PM
Yes...

Please put a # next to this entry:

::1 localhost and save it to the original location, then try the tools and see if they work properly...

So basically it would look like this

::1 localhost# ?

Budfred
02-25-2007, 06:40 PM
No, like the other entries at the beginning of the file:

# ::1 localhost

You can just copy and paste this over that entry if you would like...
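The distinction Budfred draws matters because a `#` only comments out what follows it on that line: `::1 localhost# ?` leaves the mapping active, while `# ::1 localhost` disables it. The following added example (not code from the thread) parses the hosts file pasted above with those rules and comments out the entry the way Budfred asks.

```python
# Constructed sample: the hosts file bgjon5 pasted, shortened to the lines that matter.
HOSTS_FROM_THREAD = """# Copyright (c) 1993-2006 Microsoft Corp.
#
# For example:
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1 localhost
::1 localhost
"""


def parse_hosts(text):
    """Return the active (ip, [hostnames]) pairs; '#' starts a comment that runs to end of line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop the comment, whether leading or trailing
        if not line:
            continue
        ip, *names = line.split()
        if names:
            entries.append((ip, names))
    return entries


def resolves(text, name):
    """All addresses the hosts file maps `name` to, in file order."""
    return [ip for ip, names in parse_hosts(text) if name in names]


def disable_entry(text, ip, name):
    """Comment out every active line mapping `name` to `ip` by prefixing '# ' (Budfred's form)."""
    out = []
    for raw in text.splitlines():
        active = raw.split("#", 1)[0].split()
        if len(active) >= 2 and active[0] == ip and name in active[1:]:
            out.append("# " + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    wrong = HOSTS_FROM_THREAD.replace("::1 localhost", "::1 localhost# ?")
    print("trailing '#':", resolves(wrong, "localhost"))       # ::1 is still active
    fixed = disable_entry(HOSTS_FROM_THREAD, "::1", "localhost")
    print("leading '#': ", resolves(fixed, "localhost"))       # only 127.0.0.1 remains
```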

bgjon5
02-25-2007, 06:50 PM
Cannot create file C:\Windows\system32\DRIVERS\ETC\hosts file.


make sure the path and file name is correct

Budfred
02-25-2007, 08:43 PM
Cannot create file C:\Windows\system32\DRIVERS\ETC\hosts file.


make sure the path and file name is correct

I assume you are saying that you got that message?? So you are saying you are able to open the file from the correct location and edit it, but then you can't save the edit?? If so, right click on the file and choose Properties... If it says it is Read Only in the Attributes, change it to Archive... Then try it again...

bgjon5
02-25-2007, 09:35 PM
I am sorry I should have said that was the error I was getting, I did as you said but it isn't set for read only

Budfred
02-25-2007, 09:43 PM
Go ahead and try AVG Antispyware in Safe Mode... I am not sure what is going on with the HOSTS file, but we can move on and come back to it if needed...

bgjon5
02-25-2007, 10:42 PM
Am still getting this message when trying to open the app.

The application failed to initialize properly (0xc0000142) click ok to terminate the application

Budfred
02-25-2007, 10:57 PM
I forgot you are running Vista... These problems are probably due to that...

Backing up, are you still having any problems other than running these programs??

bgjon5
02-25-2007, 11:04 PM
No, not really... I went and changed my security options on the internet and have not had any more multiple windows open "YET", so I guess I will have to deal with it. Do you think a system restore to before the time he messed with it would fix it, or would the restore files be infected too? Or if I am not having any more issues, don't worry about it?

Budfred
02-25-2007, 11:18 PM
System Restore is infected and you need to reset it, so don't do a Restore...

Turn off System Restore
To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to the turn off System Restore.
Turn on System Restore
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

I can't tell if you are clean or not since the tools may not work on Vista... If you have any symptoms of infection, I will find a tool that will scan accurately for Vista... You could try SuperAntiSpyware and see if it will work...

Download Superantispyware (http://www.superantispyware.com/?tag=GOOGLE-SUPERANTISPYWARE)

Install the programme. When the first page opens, on the bottom left there will be a Check for Updates button; click this to update the programme.

Then run SuperAntispyware

On the first page select SCAN YOUR COMPUTER
On the next page select COMPLETE SCAN and tick ALL your drives
The next stage will take a while as your entire drive(s), memory and registry are scanned
When it has completed click NEXT
The next screen shows the problems found click OK
On the next screen place a tick against all items and select NEXT

Now to get the log Go to the PREFERENCES button on the right bottom
Select the STATISTICS/LOG tab
Highlight the scan just completed and click VIEW LOG
This will open a Notepad text file; copy and paste this into your next reply...

bgjon5
02-26-2007, 12:34 AM
Did you want the results or the log too?
SUPERAntiSpyware Scan Log
Generated 02/25/2007 at 11:21 PM

Application Version : 3.5.1016

Core Rules Database Version : 3189
Trace Rules Database Version: 1199

Scan type : Complete Scan
Total Scan Time : 00:51:20

Memory items scanned : 671
Memory threats detected : 0
Registry items scanned : 6577
Registry threats detected : 0
File items scanned : 53451
File threats detected : 151
all of them Adware.Tracking Cookies

Budfred
02-26-2007, 12:40 AM
It says it was only tracking cookies, so it shouldn't be necessary to post the log...

Are you still seeing evidence of infection??

bgjon5
02-26-2007, 12:51 AM
No, not now. I guess this will do until we learn more about Vista... Thanks for your help Budfred, sorry for all the troubles.

Budfred
02-26-2007, 01:04 AM
Okay... Make sure you are using a Vista compatible firewall and antivirus so that you are protected... Eventually there will be a number of choices, but most are still catching up at this point...

bgjon5
02-26-2007, 02:35 AM
I am wondering if avast is compatible? It is currently installed and I am not having any issues yet.

Budfred
02-26-2007, 07:45 PM
I am wondering if avast is compatible? It is currently installed and I am not having any issues yet.

Look here:

http://www.avast.com/eng/avastantivirusandwindowsvista1.html

bgjon5
02-27-2007, 05:35 AM
Look here:

http://www.avast.com/eng/avastantivirusandwindowsvista1.html

Thanks Budfred!:)