Thread: Eanthology

  1. #1
    Junior Member
    Join Date
    Oct 2006
    Posts
    1

    Eanthology

    I've that this is some kind of advertising/pop-up program - eAccelerator. I downloaded some software and this program was downloaded with it. I can delete it but it reloads on startup and the popups go crazy.

    Here's the HijackThis log and thanks for any ideas:

    Logfile of HijackThis v1.99.1

    Scan saved at 8:46:57 AM, on 10/23/2006

    Platform: Windows XP SP2 (WinNT 5.01.2600)

    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)



    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\system32\rundll32.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Apache Group\Apache2\bin\Apache.exe

    C:\Program Files\Bonjour\mDNSResponder.exe

    C:\WINDOWS\System32\drivers\CDAC11BA.EXE

    C:\WINDOWS\am9u\command.exe

    C:\mysql\bin\mysqld-nt.exe

    C:\Program Files\Norton AntiVirus\navapsvc.exe

    C:\Program Files\Apache Group\Apache2\bin\Apache.exe

    C:\WINDOWS\System32\svchost.exe

    C:\WINDOWS\wanmpsvc.exe

    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

    C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

    C:\WINDOWS\system32\ovauma1ep.exe

    C:\WINDOWS\cfg32.exe

    C:\WINDOWS\sys01661538170-.exe

    C:\WINDOWS\v1201.exe

    C:\WINDOWS\system32\pi2pl.exe

    C:\WINDOWS\Duce6.exe

    C:\PROGRA~1\PRINTV~1\pvmodule.exe

    C:\Program Files\Common Files\{D891BA86-063B-1033-0604-020603020001}\Update.exe

    C:\Program Files\Batty2\Batty2.exe

    C:\Program Files\PSDream\PSDream.exe

    C:\Program Files\CMFibula\CMFibula.exe

    C:\WINDOWS\system32\rundll32.exe

    C:\DOCUME~1\jon\APPLIC~1\MBOLS~1\logonui.exe

    C:\Program Files\?ppPatch\w?aclt.exe

    C:\Program Files\Common Files\iwru\iwrum.exe

    C:\Program Files\Common Files\iwru\iwrua.exe

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\msconfig.exe

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe

    C:\WINDOWS\system32\wscntfy.exe

    C:\WINDOWS\cfg32a.exe

    C:\Program Files\Internet Explorer\iexplore.exe

    C:\Program Files\webHancer\Programs\whagent.exe

    C:\Program Files\highjackthis\HijackThis.exe



    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.eyeseek.com/firstsite.asp?b=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.eyeseek.com/firstsite.asp?b=

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

    R3 - URLSearchHook: (no name) - {0A66E7FF-0542-7EB4-4D63-59C79C06B3B9} - C:\WINDOWS\system32\hyta.dll

    R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll

    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\dvhfb.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,nqnjlei.exe

    O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)

    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\WINDOWS\Downloaded Program Files\ycomp5_0_2_0.dll

    O3 - Toolbar: ToolBar888 - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\Program Files\Common Files\{3891BA86-063B-1033-0604-020603020001}\MyToolBar.dll

    O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll

    O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

    O4 - HKLM\..\Run: [Dell|Alert] C:\Program Files\Dell\Support\Alert\bin\DAMon.exe

    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe

    O4 - HKLM\..\Run: [p2p networking] p2pnetworking.exe

    O4 - HKLM\..\Run: [pVRV3eP] C:\WINDOWS\system32\ujtnzbw.exe

    O4 - HKLM\..\Run: [sfpJk] "C:\WINDOWS\system32\ovauma1ep.exe"

    O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe

    O4 - HKLM\..\Run: [anp15766] RUNDLL32.EXE w007d499.dll,n 0061576000000003007d499

    O4 - HKLM\..\Run: [sys01661538170-] C:\WINDOWS\sys01661538170-.exe

    O4 - HKLM\..\Run: [{1B-BA-A8-86-ZN}] C:\windows\system32\opdsregn.exe GEN001

    O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe

    O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe

    O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe

    O4 - HKLM\..\Run: [PVModule] C:\PROGRA~1\PRINTV~1\pvmodule.exe

    O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe

    O4 - HKLM\..\RunServices: [p2p networking] p2pnetworking.exe

    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook

    O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe"

    O4 - HKCU\..\Run: [CMFibula] "C:\Program Files\CMFibula\CMFibula.exe"

    O4 - HKCU\..\Run: [Aida] "C:\DOCUME~1\jon\APPLIC~1\MBOLS~1\logonui.exe" -vt yazb

    O4 - HKCU\..\Run: [Yvgo] C:\Program Files\?ppPatch\w?aclt.exe

    O4 - HKCU\..\Run: [iwru] C:\Program Files\Common Files\iwru\iwrum.exe

    O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    O4 - Global Startup: msconfig.exe

    O4 - Global Startup: taskmgr.exe

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll

    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll

    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

    O10 - Hijacked Internet access by WebHancer

    O10 - Hijacked Internet access by WebHancer

    O10 - Hijacked Internet access by WebHancer

    O12 - Plugin for .avi: C:\Program Files\Netscape\Communicator\Program\PLUGINS\npavi32.dll

    O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

    O16 - DPF: {1DD81666-F3AD-11D3-BA86-00500487B4EC} (WonSearchX Control) - /member/ocx/WonSearchX.ocx

    O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab

    O16 - DPF: {78267546-F2AC-11D2-A278-005004676C44} (WonList Control) - /member/ocx/WonList.ocx

    O16 - DPF: {AECD14A8-F662-11D1-A395-00805F535788} (Plotwon Control) - http://www.investors.com/member/ocx/plotwon.ocx

    O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab

    O16 - DPF: {EE3CD402-69EB-4B53-819D-0CA2F95AD7DA} (PFMngr Control) - /member/ocx/PFMngr.ocx

    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yaho...bio5_0_2_0.cab

    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab

    O18 - Filter: text/html - {8660A526-27A4-4FBD-85B2-857E82A25971} - C:\WINDOWS\system32\lqe2z.dll

    O20 - AppInit_DLLs: BattyRun2.dll

    O20 - Winlogon Notify: ShellCompatibility - C:\WINDOWS\system32\m6nqlg5516.dll

    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

    O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)

    O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

    O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE

    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\am9u\command.exe

    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe

    O23 - Service: MySQL41 - Unknown owner - C:\Program.exe (file missing)

    O23 - Service: mysqld-nt - Unknown owner - c:\mysql\bin\mysqld.exe

    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


    Thanks
    Jonathan

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Hi Jonathan,
    Sorry for the wait. Are you being assisted at another forum?
    If not, post a fresh HijackThis log, this time without its formatting messed up. You might have to turn off then on word wrap in Notepad.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  3. #3
    Member of Team Spybot, tashi
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,956

    This topic has been closed to prevent others with similar issues posting in it.
    If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

    Applies only to the original topic starter.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
