M
mstrspy
My daughter's computer has eetu.exe running. Wen I delete it, it comes
back, eventually. How do i permanently get rid of it.
M
back, eventually. How do i permanently get rid of it.
M
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
D
David H. Lipman
From: "mstrspy" <[email protected]>
| My daughter's computer has eetu.exe running. Wen I delete it, it comes
| back, eventually. How do i permanently get rid of it.
| M
For non-viral malware...
Please download, install and update the following software...
* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
* SpyBot Search and Destroy v1.4
http://security.kolla.de/
After the software is updated, I suggest scanning the system in Safe Mode.
I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.
* BHODemon
http://www.definitivesolutions.com/bhodemon.htm
http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d
For viral malware...
* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm
* * * Please report back your results * * *
| My daughter's computer has eetu.exe running. Wen I delete it, it comes
| back, eventually. How do i permanently get rid of it.
| M
For non-viral malware...
Please download, install and update the following software...
* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/
* SpyBot Search and Destroy v1.4
http://security.kolla.de/
After the software is updated, I suggest scanning the system in Safe Mode.
I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.
* BHODemon
http://www.definitivesolutions.com/bhodemon.htm
http://www.majorgeeks.com/downloadget.php?id=3550&file=11&evp=245a87539eea8ed6904332b4b8b8442d
For viral malware...
* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm
* * * Please report back your results * * *
A
Art
My daughter's computer has eetu.exe running. Wen I delete it, it comes
back, eventually. How do i permanently get rid of it.
Upload the file for scanning here:
http://www.virustotal.com/flash/index_en.html
and let us know which products alert and what malware names
they assign.
That file name is used by a Adware/Spyware program and it may
be detected and removed by AdAware and/or Spybot. Have you
tried them?
Art
http://home.epix.net/~artnpeg
D
David H. Lipman
From: "Art" <[email protected]>
|
| Upload the file for scanning here:
|
| http://www.virustotal.com/flash/index_en.html
|
| and let us know which products alert and what malware names
| they assign.
|
| That file name is used by a Adware/Spyware program and it may
| be detected and removed by AdAware and/or Spybot. Have you
| tried them?
|
| Art
|
| http://home.epix.net/~artnpeg
PurityScan Adware Trojan
http://research.sunbelt-software.co...rojan.Startup.NameShifter.Aida&threatid=40274
http://www.processlibrary.com/directory/files/eetu/
|
| Upload the file for scanning here:
|
| http://www.virustotal.com/flash/index_en.html
|
| and let us know which products alert and what malware names
| they assign.
|
| That file name is used by a Adware/Spyware program and it may
| be detected and removed by AdAware and/or Spybot. Have you
| tried them?
|
| Art
|
| http://home.epix.net/~artnpeg
PurityScan Adware Trojan
http://research.sunbelt-software.co...rojan.Startup.NameShifter.Aida&threatid=40274
http://www.processlibrary.com/directory/files/eetu/
M
mstrspy
I have tried adaware spybot and ewido and none of these will detect
eetu.exe.
eetu.exe.
D
David H. Lipman
From: "mstrspy" <[email protected]>
| I have tried adaware spybot and ewido and none of these will detect
| eetu.exe.
|
Run MSCONFIG.EXE. Go to the StartUp tab.
Search for the line item that loads "eetu.exe" and isable it.
Reboot the PC and then delete eetu.exe.
| I have tried adaware spybot and ewido and none of these will detect
| eetu.exe.
|
Run MSCONFIG.EXE. Go to the StartUp tab.
Search for the line item that loads "eetu.exe" and isable it.
Reboot the PC and then delete eetu.exe.
M
mstrspy
I tried what you said, and it did not work. Even though I disabled
eetu.exe I couldn't delete it after reboot. I had to reboot to safe
mode to delete it.
When I delete it (insafe mode) I restarted in regular mode and it
reinstalled itself. It is in my startup folder again along with the
disabled one.
Real pain in the butt.
M
eetu.exe I couldn't delete it after reboot. I had to reboot to safe
mode to delete it.
When I delete it (insafe mode) I restarted in regular mode and it
reinstalled itself. It is in my startup folder again along with the
disabled one.
Real pain in the butt.
M
D
David H. Lipman
From: "mstrspy" <[email protected]>
| I tried what you said, and it did not work. Even though I disabled
| eetu.exe I couldn't delete it after reboot. I had to reboot to safe
| mode to delete it.
| When I delete it (insafe mode) I restarted in regular mode and it
| reinstalled itself. It is in my startup folder again along with the
| disabled one.
|
| Real pain in the butt.
|
| M
Give SuperAdBlocker a shot.
The author, Nick Skrepetos, allows the fully functional software to be used for free for a
15 day trial period. It has been shown to work where others fail.
http://www.superadblocker.com
| I tried what you said, and it did not work. Even though I disabled
| eetu.exe I couldn't delete it after reboot. I had to reboot to safe
| mode to delete it.
| When I delete it (insafe mode) I restarted in regular mode and it
| reinstalled itself. It is in my startup folder again along with the
| disabled one.
|
| Real pain in the butt.
|
| M
Give SuperAdBlocker a shot.
The author, Nick Skrepetos, allows the fully functional software to be used for free for a
15 day trial period. It has been shown to work where others fail.
http://www.superadblocker.com
O
Offbreed
mstrspy said:Here it is:
Logfile of HijackThis v1.97.7
pcbutts is trying to shut down this news group by getting people to post
their HijackThis logs here. If he can get enough to do that, this ng
will be useless for research through a search engine.
Please Google "pcbutts".
P
pcbutts1
Download Hijack this, run it, save a copy of the log file and cut and paste
it back here to this group so that I can analyze it. Ignore anyone
especially the troll Leythos, who will tag along a nonsense post to this
message, who tells you to post it elsewhere. I need to see it not them.
--
The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
it back here to this group so that I can analyze it. Ignore anyone
especially the troll Leythos, who will tag along a nonsense post to this
message, who tells you to post it elsewhere. I need to see it not them.
--
The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
M
mstrspy
Here it is:
Logfile of HijackThis v1.97.7
Scan saved at 9:57:28 PM, on 12/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\d?dplay.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Morpheus\Morpheus.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\DOCUME~1\ELIZAB~1\LOCALS~1\Temp\!update.exe
C:\Program Files\rdso\eetu.exe
C:\Documents and Settings\MSTRSPY\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://education.dellnet.com/
R3 - URLSearchHook: (no name) -
_{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9}
- C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
N3 - Netscape 7: user_pref("browser.startup.homepage",
"http://www.freewebs.com/1445gs"); (C:\Documents and
Settings\Elizabeth\Application
Data\Mozilla\Profiles\default\3dl0avrx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
(C:\Documents and Settings\Elizabeth\Application
Data\Mozilla\Profiles\default\3dl0avrx.slt\prefs.js)
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} -
C:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} -
C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} -
C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ufgu] C:\WINDOWS\mqwt.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program
Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\system32\winshost.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH
Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick
3\Ssk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program
Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program
Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\system32\winshost.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell
Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Eunothh] C:\WINDOWS\system32\d?dplay.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager]
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick
3\Ssk.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program
Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt ndrv
O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program
Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM
Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Dictionary -
http://www.ezreference.com/_/ie-com-p3.htm
O8 - Extra context menu item: &Encyclopedia -
http://www.ezreference.com/_/ie-com-e-p3.htm
O8 - Extra context menu item: &Search -
http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program
Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) -
http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo
Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Logfile of HijackThis v1.97.7
Scan saved at 9:57:28 PM, on 12/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\d?dplay.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Morpheus\Morpheus.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\DOCUME~1\ELIZAB~1\LOCALS~1\Temp\!update.exe
C:\Program Files\rdso\eetu.exe
C:\Documents and Settings\MSTRSPY\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://education.dellnet.com/
R3 - URLSearchHook: (no name) -
_{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9}
- C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
N3 - Netscape 7: user_pref("browser.startup.homepage",
"http://www.freewebs.com/1445gs"); (C:\Documents and
Settings\Elizabeth\Application
Data\Mozilla\Profiles\default\3dl0avrx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
(C:\Documents and Settings\Elizabeth\Application
Data\Mozilla\Profiles\default\3dl0avrx.slt\prefs.js)
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} -
C:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} -
C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} -
C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ufgu] C:\WINDOWS\mqwt.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program
Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\system32\winshost.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH
Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick
3\Ssk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program
Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program
Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\system32\winshost.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell
Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Eunothh] C:\WINDOWS\system32\d?dplay.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager]
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick
3\Ssk.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program
Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt ndrv
O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program
Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM
Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Dictionary -
http://www.ezreference.com/_/ie-com-p3.htm
O8 - Extra context menu item: &Encyclopedia -
http://www.ezreference.com/_/ie-com-e-p3.htm
O8 - Extra context menu item: &Search -
http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program
Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) -
http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo
Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
D
David H. Lipman
From: "mstrspy" <[email protected]>
| Here it is:
| Logfile of HijackThis v1.97.7
| Scan saved at 9:57:28 PM, on 12/28/2005
| Platform: Windows XP SP2 (WinNT 5.01.2600)
| MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
|
< HJT Log snipped >
That's an old version of HJT and it is missing much data.
However, this is NOT the right place to be posting HJT logs.
Using HJT v1.99.1
http://www.spywareinfo.com/~merijn/files/HijackThis.exe
Post in one of the below forums where you can get expert advice for
HiJack This! (HJT) logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/forumdisplay.php?f=24
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.iamnotageek.com/f-130.html
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://boards.cexx.org/viewforum.php?f=1
http://www.malwarebytes.biz/forums/index.php?showforum=5
{ borrowed from the alt.privacy.spyware News Group }
Additionally, you didn't follow my earlier advice and run the Multi AV Scanning Tool.
At the minimum what was shown in the above log is that you have a Bagle Trojan variant.
W32/Bagle.bo -- http://vil.nai.com/vil/content/v_132205.htm
Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm
* * * Please report back your results * * *
| Here it is:
| Logfile of HijackThis v1.97.7
| Scan saved at 9:57:28 PM, on 12/28/2005
| Platform: Windows XP SP2 (WinNT 5.01.2600)
| MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
|
< HJT Log snipped >
That's an old version of HJT and it is missing much data.
However, this is NOT the right place to be posting HJT logs.
Using HJT v1.99.1
http://www.spywareinfo.com/~merijn/files/HijackThis.exe
Post in one of the below forums where you can get expert advice for
HiJack This! (HJT) logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/forumdisplay.php?f=24
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.iamnotageek.com/f-130.html
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://boards.cexx.org/viewforum.php?f=1
http://www.malwarebytes.biz/forums/index.php?showforum=5
{ borrowed from the alt.privacy.spyware News Group }
Additionally, you didn't follow my earlier advice and run the Multi AV Scanning Tool.
At the minimum what was shown in the above log is that you have a Bagle Trojan variant.
W32/Bagle.bo -- http://vil.nai.com/vil/content/v_132205.htm
Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm
* * * Please report back your results * * *
P
pcbutts1
That log is not complete and you are using an old version of HJT. Download
the latest version from the link David provided. From what you posted
download ccleaner from here, run it using the default settings
http://www.pcbutts1.com/downloads/ccsetup126.exe Download killbox from here
http://www.pcbutts1.com/downloads/killbox.zip Run killbox, cut and paste the
paths below into the box in killbox and then click on the red X to delete
those files. If killbox give you an error deleting then run it again and
choose the delete on reboot option.
C:\WINDOWS\system32\d?dplay.exe
C:\Program Files\rdso\eetu.exe
C:\WINDOWS\mqwt.exe
C:\WINDOWS\system32\winshost.exe
C:\Program Files\SurfSideKick3\Ssk.exe
Next have HJT fix the following lines then run the new HJT and post another
log. Ignore the other posters, they are not qualified to read HJT logs and
instead of trying to learn they attack me, you see they have been of no help
to you at all.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.myspace.com/
R3 - URLSearchHook: (no name) -
_{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9}
- C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
N3 - Netscape 7: user_pref("browser.startup.homepage",
"http://www.freewebs.com/1445gs"); (C:\Documents and
Settings\Elizabeth\Application
Data\Mozilla\Profiles\default\3dl0avrx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
(C:\Documents and Settings\Elizabeth\Application
Data\Mozilla\Profiles\default\3dl0avrx.slt\prefs.js)
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} -
C:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)
O4 - HKLM\..\Run: [ufgu] C:\WINDOWS\mqwt.exe
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\system32\winshost.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick
3\Ssk.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\system32\winshost.exe
O4 - HKCU\..\Run: [Eunothh] C:\WINDOWS\system32\d?dplay.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick
3\Ssk.exe
O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt ndrv
--
The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
the latest version from the link David provided. From what you posted
download ccleaner from here, run it using the default settings
http://www.pcbutts1.com/downloads/ccsetup126.exe Download killbox from here
http://www.pcbutts1.com/downloads/killbox.zip Run killbox, cut and paste the
paths below into the box in killbox and then click on the red X to delete
those files. If killbox give you an error deleting then run it again and
choose the delete on reboot option.
C:\WINDOWS\system32\d?dplay.exe
C:\Program Files\rdso\eetu.exe
C:\WINDOWS\mqwt.exe
C:\WINDOWS\system32\winshost.exe
C:\Program Files\SurfSideKick3\Ssk.exe
Next have HJT fix the following lines then run the new HJT and post another
log. Ignore the other posters, they are not qualified to read HJT logs and
instead of trying to learn they attack me, you see they have been of no help
to you at all.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.myspace.com/
R3 - URLSearchHook: (no name) -
_{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9}
- C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
N3 - Netscape 7: user_pref("browser.startup.homepage",
"http://www.freewebs.com/1445gs"); (C:\Documents and
Settings\Elizabeth\Application
Data\Mozilla\Profiles\default\3dl0avrx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
(C:\Documents and Settings\Elizabeth\Application
Data\Mozilla\Profiles\default\3dl0avrx.slt\prefs.js)
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} -
C:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)
O4 - HKLM\..\Run: [ufgu] C:\WINDOWS\mqwt.exe
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\system32\winshost.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick
3\Ssk.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\system32\winshost.exe
O4 - HKCU\..\Run: [Eunothh] C:\WINDOWS\system32\d?dplay.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick
3\Ssk.exe
O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt ndrv
--
The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
mstrspy said:Here it is:
Logfile of HijackThis v1.97.7
Scan saved at 9:57:28 PM, on 12/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\d?dplay.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Morpheus\Morpheus.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\DOCUME~1\ELIZAB~1\LOCALS~1\Temp\!update.exe
C:\Program Files\rdso\eetu.exe
C:\Documents and Settings\MSTRSPY\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://education.dellnet.com/
R3 - URLSearchHook: (no name) -
_{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9}
- C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
N3 - Netscape 7: user_pref("browser.startup.homepage",
"http://www.freewebs.com/1445gs"); (C:\Documents and
Settings\Elizabeth\Application
Data\Mozilla\Profiles\default\3dl0avrx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
(C:\Documents and Settings\Elizabeth\Application
Data\Mozilla\Profiles\default\3dl0avrx.slt\prefs.js)
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} -
C:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} -
C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} -
C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ufgu] C:\WINDOWS\mqwt.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program
Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\system32\winshost.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH
Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick
3\Ssk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program
Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program
Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\system32\winshost.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell
Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Eunothh] C:\WINDOWS\system32\d?dplay.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager]
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick
3\Ssk.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program
Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt ndrv
O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program
Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM
Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Dictionary -
http://www.ezreference.com/_/ie-com-p3.htm
O8 - Extra context menu item: &Encyclopedia -
http://www.ezreference.com/_/ie-com-e-p3.htm
O8 - Extra context menu item: &Search -
http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program
Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) -
http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo
Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
H
Heather
Well, you got one thing right......he ran an old version of HiJack
This.....as for the rest of it, he would be far better off to post the
log to a proper Spyware Forum....instead of using you and your rebadged
programs. By "ccleaner", do you mean http://www.ccleaner.com/ ?? If
so, he should download it from the AUTHOR'S website.
As David said.....post in one of the below forums where you can get
expert advice for HiJack This! (HJT) logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/forumdisplay.php?f=24
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.iamnotageek.com/f-130.html
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://boards.cexx.org/viewforum.php?f=1
http://www.malwarebytes.biz/forums/index.php?showforum=5
{ borrowed from the alt.privacy.spyware News Group }
This.....as for the rest of it, he would be far better off to post the
log to a proper Spyware Forum....instead of using you and your rebadged
programs. By "ccleaner", do you mean http://www.ccleaner.com/ ?? If
so, he should download it from the AUTHOR'S website.
As David said.....post in one of the below forums where you can get
expert advice for HiJack This! (HJT) logs.
NOTE: Registration is REQUIRED before posting a log
NOTE: Web sites NOT listed in any particular order
http://aumha.net/viewforum.php?f=30
http://www.bleepingcomputer.com/forums/forum22.html
http://www.dslreports.com/forum/security
http://castlecops.com/forum67.html
http://www.wilderssecurity.com/forumdisplay.php?f=24
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.iamnotageek.com/f-130.html
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://boards.cexx.org/viewforum.php?f=1
http://www.malwarebytes.biz/forums/index.php?showforum=5
{ borrowed from the alt.privacy.spyware News Group }
pcbutts1 said:That log is not complete and you are using an old version of HJT.
Download the latest version from the link David provided. From what
you posted download ccleaner from here, run it using the default
settings http://www.pcbutts1.com/downloads/ccsetup126.exe Download
killbox from here http://www.pcbutts1.com/downloads/killbox.zip Run
killbox, cut and paste the paths below into the box in killbox and
then click on the red X to delete those files. If killbox give you an
error deleting then run it again and choose the delete on reboot
option.
C:\WINDOWS\system32\d?dplay.exe
C:\Program Files\rdso\eetu.exe
C:\WINDOWS\mqwt.exe
C:\WINDOWS\system32\winshost.exe
C:\Program Files\SurfSideKick3\Ssk.exe
Next have HJT fix the following lines then run the new HJT and post
another log. Ignore the other posters, they are not qualified to read
HJT logs and instead of trying to learn they attack me, you see they
have been of no help to you at all.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.myspace.com/
R3 - URLSearchHook: (no name) -
_{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9}
- C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
N3 - Netscape 7: user_pref("browser.startup.homepage",
"http://www.freewebs.com/1445gs"); (C:\Documents and
Settings\Elizabeth\Application
Data\Mozilla\Profiles\default\3dl0avrx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
(C:\Documents and Settings\Elizabeth\Application
Data\Mozilla\Profiles\default\3dl0avrx.slt\prefs.js)
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} -
C:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)
O4 - HKLM\..\Run: [ufgu] C:\WINDOWS\mqwt.exe
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\system32\winshost.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick
3\Ssk.exe
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\system32\winshost.exe
O4 - HKCU\..\Run: [Eunothh] C:\WINDOWS\system32\d?dplay.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick
3\Ssk.exe
O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt ndrv
--
The best live web video on the internet
http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
mstrspy said:Here it is:
Logfile of HijackThis v1.97.7
Scan saved at 9:57:28 PM, on 12/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\d?dplay.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Morpheus\Morpheus.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\DOCUME~1\ELIZAB~1\LOCALS~1\Temp\!update.exe
C:\Program Files\rdso\eetu.exe
C:\Documents and Settings\MSTRSPY\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL
=
http://education.dellnet.com/
R3 - URLSearchHook: (no name) -
_{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) -
{02EE5B04-F144-47BB-83FB-A60BD91B74A9}
- C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
N3 - Netscape 7: user_pref("browser.startup.homepage",
"http://www.freewebs.com/1445gs"); (C:\Documents and
Settings\Elizabeth\Application
Data\Mozilla\Profiles\default\3dl0avrx.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
(C:\Documents and Settings\Elizabeth\Application
Data\Mozilla\Profiles\default\3dl0avrx.slt\prefs.js)
O2 - BHO: (no name) - {59879FA4-4790-461c-A1CC-4EC4DE4CA483} -
C:\PROGRA~1\RXTOOL~1\sfcont.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} -
C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Easy-WebPrint -
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} -
C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ufgu] C:\WINDOWS\mqwt.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program
Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [winshost.exe] C:\WINDOWS\system32\winshost.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH
Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick
3\Ssk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program
Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program
Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [winshost.exe] C:\WINDOWS\system32\winshost.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell
Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Eunothh] C:\WINDOWS\system32\d?dplay.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager]
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick
3\Ssk.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program
Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt ndrv
O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program
Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program
Files\AIM
Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Dictionary -
http://www.ezreference.com/_/ie-com-p3.htm
O8 - Extra context menu item: &Encyclopedia -
http://www.ezreference.com/_/ie-com-e-p3.htm
O8 - Extra context menu item: &Search -
http://kl.bar.need2find.com/KL/menusearch.html?p=KL
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program
Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program
Files\Yahoo!\Common/ycdict.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX
Control) -
http://fpdownload.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine
Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo
Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash
Object) -
http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
H
Heather
OOPS!! Sorry for reposting all of his ill-gotten programs and the HJT
log.
log.
S
Shane
US Law Enforcement and/or Intelligence Services. Do something about this
shithead, or I will. Got it?
Shane Beatson, you know where you can find me.
--
The Sugitive
Chapter One: http://tinyurl.com/bcevp
Chapter Two: http://tinyurl.com/ag92o
Chapter Three: Coming to an URL near you soon!
shithead, or I will. Got it?
Shane Beatson, you know where you can find me.
--
The Sugitive
Chapter One: http://tinyurl.com/bcevp
Chapter Two: http://tinyurl.com/ag92o
Chapter Three: Coming to an URL near you soon!
K
kurt wismer
pcbutts1 said:Download Hijack this, run it, save a copy of the log file and cut and paste
it back here to this group so that I can analyze it. Ignore anyone
especially the troll Leythos, who will tag along a nonsense post to this
message, who tells you to post it elsewhere. I need to see it not them.
i suppose he should also ignore all the regulars who say that hijack
this logs are unwelcome here?
if you want to look at his hijack this log, ask him to email it to you
privately...
P
pcbutts1
There is nothing in the charter prohibiting HJT logs therefore they are
acceptable. If you or anybody does not want to see them then don't look at
it, nobody is forcing you. Although somebody should force you to use your
shift or caps lock key.
--
The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
acceptable. If you or anybody does not want to see them then don't look at
it, nobody is forcing you. Although somebody should force you to use your
shift or caps lock key.
--
The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
H
Heather
And there is nothing in the "charter" that says we have to put up with your
rude behaviour either!!
Altho I should think that by now any semi-regular can see the above and
decide for themselves if they want to listen to an ignorant plagiarist!!
And we still don't want HJT logs on here.....PERIOD!!
If you don't like it, then go back to bugging the MS XP groups.....unless
they have banned you, which is probably the case....snicker.
Reminds me of that movie about the Man with No Country....that kinda fits
you.
HF
rude behaviour either!!
Altho I should think that by now any semi-regular can see the above and
decide for themselves if they want to listen to an ignorant plagiarist!!
And we still don't want HJT logs on here.....PERIOD!!
If you don't like it, then go back to bugging the MS XP groups.....unless
they have banned you, which is probably the case....snicker.
Reminds me of that movie about the Man with No Country....that kinda fits
you.
HF
P
pcbutts1
Try your kill file it works. I am not banned in any NG, you are an idiot for
believing Leythos the stalker.
--
The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
believing Leythos the stalker.
--
The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com