
Sneak up problem

Discussion in 'Web & Email' started by [email protected], Sep 20, 2004.

Thread Status:
Not open for further replies.
  1. pjdb@texoma.

    [email protected] Thread Starter

    Joined:
    Sep 1, 2004
    Messages:
    12
    Ezula. Removed with adaware and spybot. Went into Explorer to make sure all files were deleted. Two are password protected. Not by me. How do they do this? How do I stop them? How do I get the current ones out of my system?
     
  2. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Does anyone else use the computer?
    If someone has installed things like eZula, no telling what is on there, including keyloggers or trojans that can steal your personal information and account info.
    If you want, post a Hijackthis log, it is what we use to help spot things that may be problems. Keyloggers sometimes are not detectable by a lot of the common antispyware programs like AdAware, but quite a few are.
    Keyloggers also are sometimes installed by employers, and here is where we have to be careful... and so do you.
    More often we see cases where relationships have gone bad, and an ex who wishes to spy on the other ex...may have installed some things to monitor the computer use.
    In any case, it is odd that there is a password protecting eZula.

    You need full admin rights to do anything...if you are using XP, you have full rights by default unless another user who is also an admin has changed your user settings, which they can do since ALL users by default are at admin level. You however, if this has been done, can simply create a new user and that will be at admin level, so there is a way to deal with anything you run into.
    Create a new folder, the desktop is OK but you do need to click an empty spot there and select New>Folder, rename it to HJT, download Hijackthis.exe to that HJT folder, and follow the directions to post a logfile here in this thread.
    When you run hijackthis.exe, and hit the Scan button, in a minute or less the Save Log button will become active. Save the log as hijackthis.txt and it will open with Notepad....copy and paste the entire saved log into a blank reply here and wait for help.

    http://tools.radiosplace.com/HijackThis.exe
     
  3. pjdb@texoma.

    [email protected] Thread Starter

    Joined:
    Sep 1, 2004
    Messages:
    12
    Logfile of HijackThis v1.98.2
    Scan saved at 7:07:34 AM, on 9/21/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Palm\HOTSYNC.EXE
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\InterMute\PopSubtract\PopSub.exe
    c:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\InterMute\SpamSubtract\SpamSub.exe
    c:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\cidaemon.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\nda.exe
    C:\Program Files\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.texoma.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.myway.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=presario&pf=desktop
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.texoma.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
    R3 - Default URLSearchHook is missing
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (file missing)
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
    O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: QuickSearch SearchBar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar3_28.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
    O4 - Startup: Compaq Organize.lnk = ?
    O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Startup: SpamSubtract.lnk = C:\Program Files\InterMute\SpamSubtract\SpamSub.exe
    O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
    O4 - Global Startup: PopSubtract.lnk = C:\Program Files\InterMute\PopSubtract\PopSub.exe
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRXXXXXXXXUS
    O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin\core.hp.main\SendTo.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
    O10 - Hijacked Internet access by New.Net
    O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/PopularScreenSaversInitialSetup1.0.0.8.cab
    O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://wwemail.support.hp.com/fd2/objects/SysQuery.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8FBCF762-6C6E-4F65-AA99-780948BB6119}: NameServer = 209.151.96.2 209.151.96.66
     
  4. pjdb@texoma.

    [email protected] Thread Starter

    Joined:
    Sep 1, 2004
    Messages:
    12
    Thanks for your help on this. Hijack This is way over my head at this point. One other person uses my computer, he goes only to Yahoo most of the time for the games. When Ezula was downloaded I was on the computer myself. Did not knowingly allow the download. The password protection came from online. Weird. How dangerous is this? It feels really bad. Would a password on my account help to keep someone else from "administrating" on my computer? Changing my profile to "complete moron".
     
  5. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, Your log is not too bad...some common items is all. Since you did use AdAware and SpyBot, this is basically cleaning up after they have removed things...
    I am wondering though...what version of AAW and Spybot you may have and if you have kept them updated...
    Could you start AdAware up, and on the main screen, post the version and build you have? Do the same for SpyBot.

    Though AdAware has released SE personal edition v.1.05, a lot of us still may be using older copies. It's recommended to keep up with upgrades (newer builds, versions, etc) as the older ones will not be updated after a certain time and will be of hardly any use against any newer variants of malware. SpyBot is at v 1.3. After you post what you have, we will advise what you should do.

    To start fixing the files left on your computer:


    Download this file, it is in case your Internet access is hampered by the removals:

    http://www.spychecker.com/program/winsockxpfix.html

    Just let it sit on the desktop or in your Downloads folder, but do not let it go to the Temp folder- Do not run it yet.

    Go to Add/Remove Programs, and uninstall :
    New.Net Domains, or similar.
    Uninstall MyWebSearch, My Search Bar, Email Plugin etc.
    My Way- actually optional but better you remove it.
    QuickSearch Bar
    Weatherbug> this is also optional, it does keep track somewhat but is not harmful, keep if you use it/like it.

    Some of those programs may not be in Add/Remove any longer. That is to be expected.

    Next, Open Windows Explorer, and make sure that these settings are done so you can see all files/hidden files:

    Your user name folders may all have to have this done, if there are more than one user profiles.


    Next- with all other windows closed, run Hijackthis again, after it is done scanning, put checks next to all of these and click "Fix checked" to remove the items.

    C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop--this is not "normal" but if by chance it is something you did...and want....keep it, it does not look good though! You can reset your Home page to what you want after.


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

    O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (file missing)

    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)

    O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

    O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll

    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

    O2 - BHO: QuickSearch SearchBar - {82315A18-6CFB-44a7-BDFD-90E36537C252} - C:\Program Files\QuickSearch\QuickSearchBar3_28.dll

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s

    O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

    O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe

    O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...?p=ZRXXXXXXXXUS

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)


    Next- find and delete these files (at the end of each line, not the folders...just the end file) You will not find them all but look anyway...they are sometimes there or not:

    C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

    C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL

    C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

    C:\Program Files\NewDotNet\newdotnet6_38.dll

    C:\Program Files\QuickSearch\QuickSearchBar3_28.dll

    Empty the Recycle Bin once more and reboot.

    Your next step would be to run AdAware and SpyBot, but I do not know what versions you have of those...and whether you have things set this way:

    >> First in the main window look in the bottom right corner and click on Check for updates now then click Connect and download the latest reference files.

    From main window :Click Start then under Select a scan Mode tick "Perform full system scan".

    Next deselect "Search for negligible risk entries."

    Now to scan just click the Next button.

    When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose select all from the drop down menu and click Next)<<

    Those are the settings up to v. 1.04 of AdAware.


    About the two "password protected" eZula files: I have not heard of that before and cannot advise you what to do.
    Will have some input from someone for you, though! If you could post the filenames in your reply, that might help.

    Run Hijackthis again and post a new log. (y)
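    As an added example (not part of this thread, and not HijackThis's own code), here is a small Python triage script for lines in the HijackThis log format posted above. It sorts entries the way Byteman's fix list does: orphaned BHOs ("(file missing)" / "(no file)"), entries from the toolbar families named in this thread, the O10 Winsock hijack, blanked IE settings, and the O17 name servers that should be checked against the ISP. The sample lines are a constructed subset of the log above, and the ADWARE_MARKERS list is an assumption drawn only from names that appear in this thread.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the HijackThis 1.98.2 log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL (file missing)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O10 - Hijacked Internet access by New.Net
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FBCF762-6C6E-4F65-AA99-780948BB6119}: NameServer = 209.151.96.2 209.151.96.66
"""

# Assumed list: toolbar/adware families that Byteman's fix list in this thread targets, matched
# case-insensitively, including the 8.3 short names HijackThis prints for Run entries.
ADWARE_MARKERS = ("mywebsearch", "mywebs~1", "mysearch", "myway", "newdotnet", "newdot~1", "quicksearch")

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Finding:
    section: str
    line: str
    verdict: str  # orphan | adware | winsock-hijack | blank-setting | review-dns
    note: str


def triage(log_text: str) -> List[Finding]:
    """Classify the HijackThis lines that need attention; clean entries produce no finding."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, blank line or a 'Running processes' path
        section, body = m.group("section"), m.group("body")
        lower = body.lower()
        if section == "O10":
            findings.append(Finding(section, raw, "winsock-hijack",
                                    "LSP hijack: uninstall via Add/Remove first; keep a Winsock repair tool ready"))
        elif section == "O17":
            findings.append(Finding(section, raw, "review-dns",
                                    "Confirm these NameServer addresses belong to your ISP"))
        elif section.startswith("R") and body.endswith("="):
            findings.append(Finding(section, raw, "blank-setting",
                                    "Blanked IE setting; safe to reset with 'Fix checked'"))
        elif section == "O2":
            bho = BHO_RE.match(body)
            path = bho.group("path") if bho else body
            if path.endswith("(file missing)") or path == "(no file)":
                findings.append(Finding(section, raw, "orphan", "BHO registered but its DLL is absent"))
            elif any(tag in lower for tag in ADWARE_MARKERS):
                findings.append(Finding(section, raw, "adware", "BHO from a toolbar family named in this thread"))
        elif section == "O4" and any(tag in lower for tag in ADWARE_MARKERS):
            run = RUN_RE.match(body)
            name = run.group("name") if run else body
            findings.append(Finding(section, raw, "adware", f"Startup entry '{name}' for a toolbar family"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.verdict:<15}{f.note}")
```

    Entries it leaves alone (the Adobe BHO, the Symantec ccApp Run key) are the "common items" Byteman says are fine; feed it the full saved hijackthis.txt to get the same sort over the whole log.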
     
  6. pjdb@texoma.

    [email protected] Thread Starter

    Joined:
    Sep 1, 2004
    Messages:
    12
    Byteman,
    I am using the following programs as security for my PC. Usually in this order.
    Ad-Aware SE personal Build 1.05
    Spybot 1.3
    Spyware Blaster v3.2
    Hijack This 1.98.2
    Tweak Now Registry Cleaner (I have done a scan with this but not implemented, did not want to screw everything up<Have not done enough research as to proper use)

    I check for updates nearly every time I run these and install if available.
    If I spend a lengthy period on the internet, I will usually do a quick scan with either Ad-Aware or Spybot to remove garbage I may have picked up.

    I am in the process of doing all the things you outlined, will let you know (if I can) how it goes. My Way was my toolbar of choice. Can you recommend a "safe" site where I can use the smileys etc. in my e-mails? I use freeware when at all possible and am fixing to have to redo my popup blocker and my spam blocker, do you have a recommendation for either of those?

    I feel like I am bugging you to death. Thank you for the help. You are really good at this. An excellent mentor.

    Pam
     
  7. Maritimesea

    Maritimesea

    Joined:
    Sep 9, 2004
    Messages:
    436
    Pam, you are too funny. "Change my profile to "Complete moron"", that's a classic. At least ezula hasn't taken your sense of humour. And your crestfallen tone at the realization that you may have to give up your smiley filled emails....ahhh the bittersweet death of innocence. :) Now I abhor adware like everyone, but I'm also of the opinion that as long as you research the potential risks and weigh them against the benefits you can make an informed choice. So find out what My Way toolbar actually does in terms of spy/adware and if it's an acceptable risk and the program itself isn't buggy on your machine then what the hey.....I say let the girl/woman have her smileys. :)
     
  8. Byteman

    Byteman Gone but Never Forgotten

    Joined:
    Jan 24, 2002
    Messages:
    17,742
    Hi, It's entirely up to you what you remove.
    It is optional about MyWay, as I posted up above...it's only a slight security risk, if you like the features keep it, so do not fix any entries for MyWay or the other search related items....NewDotNet should go. You seem to have a good handle on things, and are using the right tools to clean things up. Good luck.
    I do not use popup blockers or spam blockers, but can provide some help.
    Get IE-SPYADS, it's a great blocking tool: Read about it
    https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD

    and decide if you want it- I have used it for years and have had only a few problems getting to a couple of sites> and in case you cannot get to one, it is easy to remove it from the list of restricted sites. It's a great addition to AAW, Spybot, SpywareBlaster and plays well with all my software. I use what you use, but no other blockers, not even SpywareGuard, and have not once had anything install except tracking cookies.... and I go out of my way to test the protections I do use!
    Here is a good site for freeware and has some spam filters etc: but, I cannot give you anything else about them, since I don't use any!

    http://www.pricelessware.org/thelist/net.htm#Email: Spam Tool
    Hope this helps!
     

Short URL to this thread: https://techguy.org/276073