Tom's Guide Forums
Thread : Really odd problem with a file ,, any suggestions

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

I have a computer that i'm working on ,, and i have discovered a little  
oddity and can't find an answer to.
 
I open up task manager and i find a weird looking file running in the  
process , let's call this file ekfitve.exe for example ,, then i find this  
file in c:\windows\system32 folder ,,, if i put both windows side by side  
and then end the process in task mgr ,, i can see this file change it's  
name right in front of me ,,,then it appears with that name in task mgr.
 
The file is always a weird combo of letters and it never seems to repeat  
itself ,,, i've tried deleting the file ,,but of course can't access it and  
i've tried going through Xp's repair option to try and get it before it  
loads ,, but of course with it changing it's name ,, what do i look for?  
There's no way of locating it.
 
I was thinking of one last shot of getting this bugger ,,with any help from  
here , before deep sixing the system and starting from scratch.
 
Any suggestions????
 
Thanks , Gord

Archived from groups: microsoft.public.windowsxp.general

Hi,
 
Nasty little virus you have there, and that name changing is a means of  
protecting itself and preventing removal. It occurs as there is another  
function in place that checks for the presence of the virus, and if not  
there it creates a new instance (hence the name change you see). The way to  
defeat it is in Safe mode where neither the bug nor the check is active. From  
there you will be able to delete the files involved and the registry entries  
that load them. If you do not get the latter, then a new instance will be  
created when you start in normal mode. Make sure to check the run keys in  
all of the HKCU entries in addition to the HKLM keys.
 
--  
Best of Luck,
 
Rick Rogers, aka "Nutcase" - Microsoft MVP
http://mvp.support.microsoft.com/
Associate Expert - WindowsXP Expert Zone
www.microsoft.com/windowsxp/expertzone
Windows help - www.rickrogers.org
 
"LouisG" <imnot@home.com> wrote in message  
news:Xns96B964E7D447111241959@216.196.97.142...
>I have a computer that i'm working on ,, and i have discovered a little
> oddity and can't find an answer to.
>
> I open up task manager and i find a weird looking file running in the
> process , let's call this file ekfitve.exe for example ,, then i find this
> file in c:\windows\system32 folder ,,, if i put both windows side by side
> and then end the process in task mgr ,, i can see this file change it's
> name right in front of me ,,,then it appears with that name in task mgr.
>
> The file is always a weird combo of letters and it never seems to repeat
> itself ,,, i've tried deleting the file ,,but of course can't access it  
> and
> i've tried going through Xp's repair option to try and get it before it
> loads ,, but of course with it changing it's name ,, what do i look for?
> There's no way of locating it.
>
> I was thinking of one last shot of getting this bugger ,,with any help  
> from
> here , before deep sixing the system and starting from scratch.
>
> Any suggestions????
>
> Thanks , Gord

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

LouisG <imnot@home.com> wrote in
news:Xns96B964E7D447111241959@216.196.97.142:  
 
> I have a computer that i'm working on ,, and i have discovered a
> little oddity and can't find an answer to.
>  
> I open up task manager and i find a weird looking file running in the  
> process , let's call this file ekfitve.exe for example ,, then i find
> this file in c:\windows\system32 folder ,,, if i put both windows side
> by side and then end the process in task mgr ,, i can see this file
> change it's name right in front of me ,,,then it appears with that
> name in task mgr.  
>  
> The file is always a weird combo of letters and it never seems to
> repeat itself ,,, i've tried deleting the file ,,but of course can't
> access it and i've tried going through Xp's repair option to try and
> get it before it loads ,, but of course with it changing it's name ,,
> what do i look for? There's no way of locating it.
>  
> I was thinking of one last shot of getting this bugger ,,with any help
> from here , before deep sixing the system and starting from scratch.
>  
> Any suggestions????
>  
> Thanks , Gord
 
that's not a really odd problem, it's some type of spyware/adware, and this  
is typical behavior.
 
try cleaning IN SAFE MODE, with M$ Antispyware, AdAware, and Spybot.

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

I've cleaned the computer with these ,, there are six accounts on this  
computer , including the admin through safe mode , with three different  
types of cleaners ,,including spybot ,, and they catch things , but it  
still happens ,,,,the only thing that doesn't seem to get cleaned is a  
key in the registry for Altnet.
 
DanS <t.h.i.s.n.t.h.a.t@a.d.e.l.p.h.i.a..n.e.t> wrote in
news:Xns96B969B485191idispcom@216.196.97.142:  
 
> LouisG <imnot@home.com> wrote in
> news:Xns96B964E7D447111241959@216.196.97.142:  
>  
>> I have a computer that i'm working on ,, and i have discovered a
>> little oddity and can't find an answer to.
>>  
>> I open up task manager and i find a weird looking file running in the
>> process , let's call this file ekfitve.exe for example ,, then i find
>> this file in c:\windows\system32 folder ,,, if i put both windows
>> side by side and then end the process in task mgr ,, i can see this
>> file change it's name right in front of me ,,,then it appears with
>> that name in task mgr.  
>>  
>> The file is always a weird combo of letters and it never seems to
>> repeat itself ,,, i've tried deleting the file ,,but of course can't
>> access it and i've tried going through Xp's repair option to try and
>> get it before it loads ,, but of course with it changing it's name ,,
>> what do i look for? There's no way of locating it.
>>  
>> I was thinking of one last shot of getting this bugger ,,with any
>> help from here , before deep sixing the system and starting from
>> scratch.  
>>  
>> Any suggestions????
>>  
>> Thanks , Gord
>  
> that's not a really odd problem, it's some type of spyware/adware, and
> this is typical behavior.
>  
> try cleaning IN SAFE MODE, with M$ Antispyware, AdAware, and Spybot.
>  
>

Archived from groups: microsoft.public.windowsxp.general

Thanks Rick ,, that's what i figured ,, i've run the anti virus through  
this thing many times along with antispyware and keep nailing little  
buggers ,,there's 6 accounts on this computer between normal and safe modes  
and trying to eradicate this thing is just sending me in circles.
 
The only thing that the spyware scanners can't get rid of is one key in the  
registry for Altnet , which was probably put there when this person  
installed Kazaa ,,, tried every which way to get this deleted , but can't.
 
Could this be the culprit??
 
"Rick \"Nutcase\" Rogers" <rick@mvps.org> wrote in
news:#H#IvplpFHA.320@TK2MSFTNGP09.phx.gbl:  
 
 
 
> Hi,
>  
> Nasty little virus you have there, and that name changing is a means
> of protecting itself and preventing removal. It occurs as there is
> another function in place that checks for the presence of the virus,
> and if not there it creates a new instance (hence the name change you
> see). The way to defeat it is in Safe mode where neither the bug or
> the check is active. From there you will be able to delete the files
> involved and the registry entries that load them. If you do not get
> the latter, then a new instance will be created when you start in
> normal mode. Make sure to check the run keys in all of the HKCU
> entries in addition to the HKLM keys.  
>

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

LouisG <imnot@home.com> wrote in news:Xns96B969B5E840B11241959@
216.196.97.142:
 
> I've cleaned the computer with these ,, there are six accounts on this  
> computer , including the admin through safe mode , with three different  
> types of cleaners ,,including spybot ,, and they catch things , but it  
> still happens ,,,,the only thing that doesn't seem to get cleaned is a  
> key in the registry for Altnet.
>  
 
Is the AltNet from the Aurora company ? If it is, there will be an  
Add/Remove Programs entry for it that doesn't work. This is a tough one to  
get rid of if so.

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

"LouisG" <imnot@home.com> wrote in message
news:Xns96B964E7D447111241959@216.196.97.142...
> I have a computer that i'm working on ,, and i have discovered a little
> oddity and can't find an answer to.
>
> I open up task manager and i find a weird looking file running in the
> process , let's call this file ekfitve.exe for example ,, then i find this
> file in c:\windows\system32 folder ,,, if i put both windows side by side
> and then end the process in task mgr ,, i can see this file change it's
> name right in front of me ,,,then it appears with that name in task mgr.
>
> The file is always a weird combo of letters and it never seems to repeat
> itself ,,, i've tried deleting the file ,,but of course can't access it
> and
> i've tried going through Xp's repair option to try and get it before it
> loads ,, but of course with it changing it's name ,, what do i look for?
> There's no way of locating it.
 
 
it's a mutating virus...
you need to run a virus check with a recently updated virus checker...
but if you delete it and it returns...
you may need to backup your data and do a fresh install

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

Download, install, update and run all of the following.
 
Ad-Aware
http://www.pcbutts1.com/downloads/aawsepersonal.exe
 
Spybot search and destroy
http://www.pcbutts1.com/downloads/spybotsd14.exe
 
Ewido Security Suite Trial version
http://www.pcbutts1.com/downloads/ewidosetup.exe
 
Microsoft Windows AntiSpyware (Beta1)
http://www.microsoft.com/downloads [...] laylang=en
 
If none of the above fixes the issue then download Hijack this, run it, save  
a copy of the log file and cut and paste it back here to this group so that  
I can analyze it. Ignore anyone who tells you to post it elsewhere. I need  
to see it not them.
 
 
HijackThis
http://www.pcbutts1.com/downloads/HijackThis.zip
 
--  
 
 
The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system  W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
 
 
 
"LouisG" <imnot@home.com> wrote in message  
news:Xns96B969B5E840B11241959@216.196.97.142...
> I've cleaned the computer with these ,, there are six accounts on this
> computer , including the admin through safe mode , with three different
> types of cleaners ,,including spybot ,, and they catch things , but it
> still happens ,,,,the only thing that doesn't seem to get cleaned is a
> key in the registry for Altnet.
>
> DanS <t.h.i.s.n.t.h.a.t@a.d.e.l.p.h.i.a..n.e.t> wrote in
> news:Xns96B969B485191idispcom@216.196.97.142:
>
>> LouisG <imnot@home.com> wrote in
>> news:Xns96B964E7D447111241959@216.196.97.142:
>>
>>> I have a computer that i'm working on ,, and i have discovered a
>>> little oddity and can't find an answer to.
>>>
>>> I open up task manager and i find a weird looking file running in the
>>> process , let's call this file ekfitve.exe for example ,, then i find
>>> this file in c:\windows\system32 folder ,,, if i put both windows
>>> side by side and then end the process in task mgr ,, i can see this
>>> file change it's name right in front of me ,,,then it appears with
>>> that name in task mgr.
>>>
>>> The file is always a weird combo of letters and it never seems to
>>> repeat itself ,,, i've tried deleting the file ,,but of course can't
>>> access it and i've tried going through Xp's repair option to try and
>>> get it before it loads ,, but of course with it changing it's name ,,
>>> what do i look for? There's no way of locating it.
>>>
>>> I was thinking of one last shot of getting this bugger ,,with any
>>> help from here , before deep sixing the system and starting from
>>> scratch.
>>>
>>> Any suggestions????
>>>
>>> Thanks , Gord
>>
>> that's not a really odd problem, it's some type of spyware/adware, and
>> this is typical behavior.
>>
>> try cleaning IN SAFE MODE, with M$ Antispyware, AdAware, and Spybot.
>>
>>
>

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

Format and reinstall.
 
--  
 
"Instead of trying to bash me you should try to learn from me and
archive my posts so you can better help people in the future. If you don't
understand something I post then ask me my email is valid."
 
- pcbutts1.@thisoldtreehouse.com
- pcbutts1.@seedsv.com
 
 
 
 
LouisG wrote:
> I have a computer that i'm working on ,, and i have discovered a
> little oddity and can't find an answer to.
>
> I open up task manager and i find a weird looking file running in the
> process , let's call this file ekfitve.exe for example ,, then i find
> this file in c:\windows\system32 folder ,,, if i put both windows
> side by side and then end the process in task mgr ,, i can see this
> file change it's name right in front of me ,,,then it appears with
> that name in task mgr.
>
> The file is always a weird combo of letters and it never seems to
> repeat itself ,,, i've tried deleting the file ,,but of course can't
> access it and i've tried going through Xp's repair option to try and
> get it before it loads ,, but of course with it changing it's name ,,
> what do i look for? There's no way of locating it.
>
> I was thinking of one last shot of getting this bugger ,,with any
> help from here , before deep sixing the system and starting from
> scratch.
>
> Any suggestions????
>
> Thanks , Gord
 
--

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

Thanks,,,,,,,,,Frank,,,,,,,,,,,,,,for nothing,,,,,,,,,,,,,,,,,,
 
"Frank DeLucca, MS-MPV" <frank.delucca.microsoft@gmail.com> wrote in
news:20050821155250.08C0545796@smtp4.wanadoo.nl:  
 
>  
>  
> "LouisG" <imnot@home.com> wrote in message  
> news:Xns96B964E7D447111241959@216.196.97.142...
>>I have a computer that i'm working on ,, and i have discovered a
>>little  
>> oddity and can't find an answer to.
>>
>> I open up task manager and i find a weird looking file running in the
>> process , let's call this file ekfitve.exe for example ,, then i find
>> this file in c:\windows\system32 folder ,,, if i put both windows
>> side by side and then end the process in task mgr ,, i can see this
>> file change it's name right in front of me ,,,then it appears with
>> that name in task mgr.  
>>
>> The file is always a weird combo of letters and it never seems to
>> repeat itself ,,, i've tried deleting the file ,,but of course can't
>> access it and
>> i've tried going through Xp's repair option to try and get it before
>> it loads ,, but of course with it changing it's name ,, what do i
>> look for? There's no way of locating it.
>>
>> I was thinking of one last shot of getting this bugger ,,with any
>> help from
>> here , before deep sixing the system and starting from scratch.
>>
>> Any suggestions????
>>
>> Thanks , Gord
>>
>  
> Your  " , "  key is b0rken. Replace your keyboard to get rid of your  
> problems. O, and install Service Pak 2, if you haven't done so
> already.  
>

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

Logfile of HijackThis v1.99.1
Scan saved at 11:39:19 AM, on 8/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\xzmofgh.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Labtec\moffice.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Labtec\MOUSE32A.DAT
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
A:\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =  
http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =  
about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =  
http://rogers.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =  
http://www.iquicksearch.net/search.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =  
about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =  
Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {05304F16-6B90-4DF6-B537-A5AF69F3B5C2} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -  
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {12E63F60-1CF7-46D5-AEDF-6539DCA2A80C} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {1F302361-DE67-46C2-B076-F713FD319563} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {25B633B4-F5AC-42EA-A08B-6E0AA8E1574B} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {27E68F6D-F18D-4133-B8AB-C29D4F08962A} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {288A04BC-275E-4194-9B66-A03F809109A8} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {2A267F59-7549-4E90-A507-1CC19AE039B8} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {2B7BAEDB-E0E4-40A1-A852-603E01000116} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {2FE61C11-3C38-4CD4-85F1-F8ADFFC4DA11} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {31F6C1AE-E283-491E-81F5-4E8A590D90BF} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {3DBF3268-6A9D-4751-AD8C-B905F1AF596A} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:
\DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
O2 - BHO: (no name) - {4100741B-0E67-422F-9458-4358139790CA} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {4163C8E3-8B29-4D05-AFAB-FB7C252B093D} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {43B036DC-143A-4EF5-9EF8-BEE04B0B9B33} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {49661D5C-D6E4-A035-C15E-DB98BB45A29F} - C:\WINDOWS
\System32\lny.dll
O2 - BHO: (no name) - {4B900EC1-C2DE-44D5-92C0-AD424BA59198} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {4BE852D9-F37D-430D-9BB8-C64D3864CF48} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {50304AFC-D621-4860-8F57-B2356A00CEF8} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {50EBBC08-EC30-4F25-B273-EA71CE928B71} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {516B5C4D-C164-4F31-9A66-A3642B718D33} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {5274F34D-27C5-43E9-97F4-E7631B35A83E} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program  
Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5B185C59-9E7A-4269-B2B0-B4598C29A020} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {5D878741-964E-46F3-A6A6-4E78CA79FFF9} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {611559C3-4AE0-E79B-345C-EDD8928B0427} - C:\DOCUME~
1\Alex\APPLIC~1\COOLMP~1\borerect.exe (file missing)
O2 - BHO: (no name) - {66192BC7-E190-4869-8196-538CBF6A7FCC} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {66935611-FC52-4D08-91AD-A8E8348216CB} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {69EAD774-5D52-4189-B454-7C0ED79DCB24} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {6C2F3C34-3745-4974-9070-00B42626D328} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {6FA7A7D4-42A6-4D33-8A99-5F5F635A4271} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {78820481-EDEF-4C47-BC5E-B098D4F1828E} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {7FC992CD-B6D9-4CAB-9713-FD401CD171EB} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {86904BCA-D91E-4CE3-986C-535E07547039} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {8F038E9C-E309-43F5-A8B5-C840A01EB73B} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {92E367C0-F36C-4302-BD38-108A45B33249} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {A1ED8367-FC52-48E1-A089-D547527F2226} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {A1FC27AB-D787-424B-B350-C9F5B6C39040} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {A3464DBE-BE74-4C2E-A6ED-4AC9C33A4E58} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {A9BAAB80-EDBC-4784-AB99-73AE226FEA25} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {B199BAFC-DB92-455E-AF16-77B0DD2DECF0} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {B570451E-00F7-4234-9225-6AD5194D17E2} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {B99E1544-FE8E-4AE1-BF16-C7CD05528AD7} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {BE111ACF-0E7B-4D59-944D-7AE096436D18} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {C17184CB-1239-4864-B89E-B5F80EA630F5} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {C1E368F7-DD7A-43D3-81EE-69EE5D7F3924} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {C68DE86F-9611-4738-9A85-3EE3BC847B30} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {CED69274-67B9-4AB8-BB0B-681294DDE067} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {D2F16FB3-FEE4-410F-A2F5-AE57CBA2AA1F} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {D31A67EC-58E1-4713-A05C-9C1C576161FE} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {D35E5601-7BA2-4DC2-BEC6-FEABBA88D4C9} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {D4603105-AA26-4D2C-9C6D-0FA6A878CAE8} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {D9967231-452F-4FCC-A9C7-DBA57FBF1F7D} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {DA021E5B-3F3F-4770-91B2-7B1D03135165} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {DA03C223-2073-4E29-A804-14CB8BEA824D} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {E2B5FB51-3CD3-44CA-A4A3-FE48C8F6022F} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {E4D72068-602F-48BF-967B-D763C185E79C} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {E4F45D9C-6EC3-4351-88B4-035AD6834456} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {E53C6742-A264-4950-BC5A-3DF5A7325AA3} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {EA01ABBE-FCC2-49E6-97CD-1ACE2C3FD5EB} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {ED32D562-5CA5-4D17-8430-3C3394897C55} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {F06B2B78-AA33-4AE1-A11A-EC4B41E006E6} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {FDA8A821-67B5-4E59-94E0-1728AF8919D0} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {FFF60A14-6FD8-40D7-A02C-9D7CFF458978} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O3 - Toolbar: (no name) - {A27CB27E-2D1B-4A60-8843-75AE9419FD0E} - (no  
file)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no  
file)
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no  
file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:
\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD  
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes
\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime
\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\moffice.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3
\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe  
/STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [egruxcg] C:\WINDOWS\System32\xzmofgh.exe r
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
\tools.exe
O4 - HKLM\..\RunServices: [soundman] soundman.exe
O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1
\Tools\tools.exe
O4 - HKCU\..\Run: [wmegfi] C:\WINDOWS\System32\wmegfi.exe
O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
\tools.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:
\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -  
C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-
12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-
12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-
0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-
0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -  
C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-
00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} -  
file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm  
(file missing) (HKCU)
O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) -  
http://us.dl1.yimg.com/download.ya [...] ysftcntr_c
urrent.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool)  
- http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -  
http://a1540.g.akamai.net/7/1540/5 [...] le.com/aba
rth/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -  
http://update.microsoft.com/window [...] client/wuw
eb_site.cab?1120351775546
O17 - HKLM\System\CCS\Services\Tcpip\..\{5BEA91D4-EEFA-4D4F-BE7E-
0DAA3A47C660}: NameServer = 49.10.68.10,209.226.175.223
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList =  
tdbank.ca,ctwan.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList =  
tdbank.ca,ctwan.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList =  
tdbank.ca,ctwan.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList =  
tdbank.ca,ctwan.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -  
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:
\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program  
Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program  
Files\ewido\security suite\ewidoguard.exe
O23 - Service: Intel® NetStructure(TM) VPN Client (ICService) - Unknown  
owner - C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:
\Program Files\iPod\bin\iPodService.exe
O23 - Service: soundman - Unknown owner - C:\WINDOWS\System32
\soundman.exe" -service (file missing)
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - c:
\windows\SvcProc.exe
O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
\SVCH0ST.exe" -service (file missing)
 
 
 
 
"pcbutts1" <pcbutts1@seedsv.com> wrote in
news:f01Oe.104$L77.17@newssvr19.news.prodigy.com:  
 
> Download, install, update and run all of the following.
>  
> Ad-Aware
> http://www.pcbutts1.com/downloads/aawsepersonal.exe
>  
> Spybot search and destroy
> http://www.pcbutts1.com/downloads/spybotsd14.exe
>  
> Ewido Security Suite Trial version
> http://www.pcbutts1.com/downloads/ewidosetup.exe
>  
> Microsoft Windows AntiSpyware (Beta1)
> http://www.microsoft.com/downloads [...] D7A2-6A57-
> 4C57-A8BD-DBF62EDA9671&displaylang=en  
>  
> If none of the above fixes the issue then download Hijack this, run
> it, save a copy of the log file and cut and paste it back here to this
> group so that I can analyze it. Ignore anyone who tells you to post it
> elsewhere. I need to see it not them.
>  
>  
> HijackThis
> http://www.pcbutts1.com/downloads/HijackThis.zip
>
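
The checks raised in this thread (Run keys under both HKLM and HKCU, and the `Shell=` line) applied to an excerpt of the HijackThis log above. This is an added example, not part of any poster's message and not HijackThis's own code; the function names and the unwrapping rule (a trailing space means the newsreader broke the line at a space, otherwise mid-token) are assumptions.

```python
import re
from collections import defaultdict, namedtuple

# Excerpt of the HijackThis log posted in this thread, wrapped the way the
# newsreader wrapped it (a trailing space means the break fell on a space).
SAMPLE_LOG = "\n".join([
    r'F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe',
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes',
    r'\iTunesHelper.exe"',
    r'O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe ',
    r'/STARTUP',
    r'O4 - HKLM\..\Run: [egruxcg] C:\WINDOWS\System32\xzmofgh.exe r',
    r'O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools',
    r'\tools.exe',
    r'O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1',
    r'\Tools\tools.exe',
    r'O4 - HKCU\..\Run: [wmegfi] C:\WINDOWS\System32\wmegfi.exe',
    r'O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools',
    r'\tools.exe',
])

ENTRY_START = re.compile(r'^[RFNO]\d+ - ')            # "O4 - ", "F2 - ", ...
O4_LINE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.+)$')
F2_SHELL = re.compile(r'^F2 - REG:system\.ini: Shell=\S+\s*(.*)$', re.I)
EXE_PATH = re.compile(r'^"([^"]+)"|^(.+?\.exe)(?=\s|$)', re.I)

Autorun = namedtuple("Autorun", "location name command target")


def unwrap(text):
    """Rejoin wrapped log lines into one string per HijackThis entry."""
    entries, prev = [], None          # prev: raw previous line of the open entry
    for raw in text.splitlines():
        if ENTRY_START.match(raw):
            entries.append(raw.strip())
        elif prev is not None and raw.strip():
            glue = " " if prev[-1:].isspace() else ""
            entries[-1] += glue + raw.strip()
        else:                          # blank line or text outside any entry
            prev = None
            continue
        prev = raw
    return entries


def autoruns(text):
    """Return every O4 (Run/RunServices/...) entry with its target program."""
    found = []
    for entry in unwrap(text):
        m = O4_LINE.match(entry)
        if not m:
            continue
        hive, key, name, command = m.groups()
        exe = EXE_PATH.match(command)
        target = (exe.group(1) or exe.group(2)) if exe else command
        found.append(Autorun(hive + "\\" + key, name, command, target))
    return found


def shell_extras(text):
    """Return anything that follows the shell program on an F2 Shell= line."""
    extras = []
    for entry in unwrap(text):
        m = F2_SHELL.match(entry)
        if m and m.group(1):
            extras.append(m.group(1))
    return extras


def multi_location(entries):
    """Map each target registered in more than one autostart location."""
    seen = defaultdict(set)
    for e in entries:
        seen[e.target.lower()].add(e.location)
    return {t: sorted(locs) for t, locs in seen.items() if len(locs) > 1}


if __name__ == "__main__":
    runs = autoruns(SAMPLE_LOG)
    for e in runs:
        print(f"{e.location:18} [{e.name}] -> {e.target}")
    print("Extra program on Shell= line:", shell_extras(SAMPLE_LOG))
    for tgt, locs in multi_location(runs).items():
        print("Registered in several places:", tgt, locs)
```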

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

Have hijackthis fix these lines:
 
 
> Logfile of HijackThis v1.99.1
> Scan saved at 11:39:19 AM, on 8/21/2005
> Platform: Windows XP SP1 (WinNT 5.01.2600)
> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>
> Running processes:
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
> C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
> C:\Program Files\iTunes\iTunesHelper.exe
> C:\Program Files\QuickTime\qttask.exe
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
> C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

 

Ignore that other pcbutts1; he is a name-forging troll. Follow the advice I
give you. If you are not sure who the real one is, just email me; my email is
valid. You can also check the message headers and my sig file at the bottom
of this message.
 
You are infected with Aurora/Nail. Follow the instructions below and then
post another HijackThis log.
Please download ewido security suite; it is a free version of the program.
http://www.pcbutts1.com/downloads/ewidosetup.exe
Install ewido security suite.
When installing, under "Additional Options" uncheck:
Install background guard
Install scan via context menu
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you will get a warning "Database  
could not be found!". Click OK. We will fix this in a moment.
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.
The update will start and a progress bar will show the updates being  
installed.
(the status bar at the bottom will display "Update successful" )
Exit ewido. DO NOT SCAN YET.
 
Download CCleaner and install it, but do not run it yet.  
http://www.pcbutts1.com/downloads/ccsetup122.exe
 
Please download this file: Revised Installer for the Nailfix Utility  
http://www.pcbutts1.com/downloads/nailfix1.exe
Save it to your desktop.
DO NOT RUN IT YET.
 
Next configure Windows to show all files
 
Do one of the following:
In Windows XP, on the taskbar, click Start > My Computer.
In Windows 2000/Me/98, on the Windows desktop, double-click the My Computer  
icon.
Do one of the following:
In Windows XP/2000/Me, on the Tools menu, click Folder Options.
In Windows 98, on the View menu, click Folder Options.
On the View tab, uncheck Hide file extensions for known file types.
Do one of the following:
In Windows XP/2000/Me, uncheck Hide protected operating system files. Then,  
under the "Hidden files" folder, click Show hidden files and folders.
In Windows 98, in the Advanced Settings box, under the "Hidden files"  
folder, click Show all files.
If you see a warning message, click Yes.
Click Apply.
Click OK.
 
Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer. After hearing your computer beep once during startup,
but before the Windows icon appears, press F8. Instead of Windows loading as
normal, a menu should appear.
Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup
Make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open  
and close very quickly --- this is normal.
 
Now open ewido and do a scan of your system.
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the  
action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now as the action.
Once the scan has completed, there will be a button located on the bottom of  
the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find  
it easily.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere  
and the game "Risk" )
 
Download HijackThis http://www.pcbutts1.com/downloads/HijackThis.zip
Now run HijackThis, click Scan, and place a checkmark next to each of the  
following items:
 
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
 
Close all open windows except for HJT, then click the Fix Checked button.  
Close HJT.
 
Locate and delete the following file:
C:\WINDOWS\Nail.exe
For Windows NT or 2000 it would be
C:\winnt\Nail.exe
 
Now run CCleaner
Uncheck "Cookies" under "Internet Explorer".
If running Firefox: click on the "Applications" tab and uncheck "Cookies"  
under "Firefox".
Click on Run Cleaner in the lower right-hand corner. This can take quite a  
while to run.
 
Finally, restart your computer in normal mode and please post a new  
HijackThis log, as well as the report log from the Ewido scan by using Add  
Reply.
 
If IE is not working, the links I gave you are direct download links and  
should work. If they don't then paste them into another browser or explorer  
window. If you have no other browser then email me with a valid email  
address and I will send you one. We will fix IE after all the spyware is  
gone.
 
 
 
 
--  
 
 
The best live web video on the internet http://www.seedsv.com/webdemo.htm
NEW Embedded system  W/Linux. We now sell DVR cards.
See it all at http://www.seedsv.com/products.htm
Sharpvision simply the best http://www.seedsv.com
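
The checks a reader applies by eye to the HijackThis entries posted in this thread (O23 services with an unknown owner or a missing file, and the F2 Shell line), written out as an added example that is not part of any poster's message. The function names, the short list of system process names and the digit-for-letter lookalike heuristic are assumptions made for illustration.

```python
import re
# Constructed sample: entries copied from the HijackThis logs in this thread,
# with the newsreader's line wrapping rejoined.
SAMPLE_LOG = r"""
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: soundman - Unknown owner - C:\WINDOWS\System32\soundman.exe" -service (file missing)
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32\SVCH0ST.exe" -service (file missing)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
"""

O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>[A-Za-z]:\\.*)$")
F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.*)$", re.I)
EXE = re.compile(r'([^\\"]+\.exe)', re.I)
# Assumption: a short list of core Windows process names for the lookalike check.
KNOWN = {"svchost.exe", "lsass.exe", "explorer.exe", "services.exe", "winlogon.exe"}
DIGIT_SWAPS = str.maketrans("015", "ols")

def lookalike_of(exe):
    """Return the system name that exe imitates via digit-for-letter swaps, else None."""
    raw = exe.lower()
    norm = raw.translate(DIGIT_SWAPS)
    return norm if norm in KNOWN and norm != raw else None

def triage(log):
    """Return [(entry, [reasons])] for log lines that deserve a manual look."""
    findings = []
    for line in map(str.strip, log.splitlines()):
        reasons = []
        m = O23.match(line)
        if m:
            exe = EXE.search(m["cmd"])
            target = lookalike_of(exe.group(1)) if exe else None
            checks = [(m["owner"].lower() == "unknown owner", "unknown owner"),
                      (line.endswith("(file missing)"), "file missing"),
                      (target is not None, f"name imitates {target}")]
            reasons = [text for hit, text in checks if hit]
            entry = m["name"]
        else:
            m = F2_SHELL.match(line)
            if m and m["value"].strip().lower() != "explorer.exe":
                reasons.append("extra program in Shell value")
            entry = "system.ini Shell"
        if reasons:
            findings.append((entry, reasons))
    return findings

for entry, reasons in triage(SAMPLE_LOG):
    print(f"{entry}: {', '.join(reasons)}")
```

A flagged entry is only a prompt for manual review: legitimate third-party services also show up as "Unknown owner", so each hit still has to be checked against the file on disk.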