Zelaron Gaming Forum  
Posted 2005-04-27, 10:49 PM in reply to BlueCube's post starting "Get 1.99.1 first. ..."
Done and done


Logfile of HijackThis v1.99.1
Scan saved at 11:49:19 PM, on 4/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\WALLPA~1\WALLPA~1.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\Documents and Settings\Dane Mclean\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.royalsearch.net/search.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliterjh32.exe
O4 - HKCU\..\Run: [Wallpaper] C:\PROGRA~1\WALLPA~1\WALLPA~1.EXE /h
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE" -turbo
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15007/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1100822838656
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15008/CTPID.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Twenty-eight days... six hours... forty-two minutes... twelve seconds. That, is when the world will end.
zeal311

Posted 2005-04-28, 09:54 AM in reply to zeal311's post starting "Done and done Logfile of..."
You say it keeps on coming back...run Ad-aware and tell us the one that is always repeated...
Lenny

Posted 2005-04-28, 01:44 PM in reply to zeal311's post starting "Done and done Logfile of..."
zeal311 said:
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliterjh32.exe
I don't like this one. It's a randomized name, inside of system32.
BlueCube

Posted 2005-04-28, 01:44 PM in reply to BlueCube's post starting "I don't like this one. It's a..."
And that means....?
Sovereign

Posted 2005-04-28, 01:45 PM in reply to Sovereign's post starting "And that means....?"
Kill it, obviously. In safe mode.
BlueCube

Posted 2005-04-28, 01:46 PM in reply to BlueCube's post starting "Kill it, obviously. In safe mode."
No. I meant why did you single that out. What does it do O_o

I'm retarded in anything regarding spyware.
Sovereign

Posted 2005-04-28, 01:53 PM in reply to Sovereign's post starting "No. I meant why did you single that..."
Don't know what it does, because I don't have the EXE in front of me. However, like I mentioned - it's a randomized filename, does NOT show up in any Google search, and is hiding in system32 under a really strange yet "official sounding" name of "checkrun". It's running on every startup, likely acting as a trickler for spyware or just outright installing and running it on boot. I'm going to GUESS it's a CoolWebSearch variant because of the filename/system32 thing, but I honestly don't know since the filename's random.
BlueCube

Posted 2005-04-28, 02:57 PM in reply to BlueCube's post starting "Don't know what it does, because I..."
I have the same fucking problem and I am far too lazy to fix it... spyware removal programs with the simple scan and deletion just aren't good enough for the IE pop-ups I keep getting.... Maybe I'll uninstall IE.
Penny_Bags

Posted 2005-04-28, 03:29 PM in reply to Penny_Bags's post starting "I have the same fucking problem and I..."
I tried to do that on my old laptop. The fucker WON'T LET YOU UNINSTALL. Every time I deleted the IE icon in my c:/ directory, it kept on popping right back up.

I hate this Norton piece of shit. It detects spyware but then it can't delete it.
Sovereign

Posted 2005-04-28, 03:31 PM in reply to BlueCube's post starting "Don't know what it does, because I..."
Hey, it's a clever one......

Should be WINDOWS in caps, system32 with a capital S...he he he...these are my favourite kind!!!
Lenny
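
BlueCube's reasoning earlier in the thread (an autorun entry that points into system32 under a value name unrelated to the file name) and Lenny's casing observation above, written out as an added example that is not part of the original thread. The function names, the two-signal threshold and the choice of sample lines (copied from the log posted at the top of the thread) are assumptions of this example.

```python
import re

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliterjh32.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\MOZILLA.ORG\MOZILLA\MOZILLA.EXE" -turbo
"""

# O4 lines are autorun entries: hive, [value name], then the command line.
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] "?(.+?\.exe)', re.I)

def norm(text):
    """Lowercase and keep only letters and digits, for loose name comparison."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def windows_dir_casings(log):
    """Spellings of the Windows directory used by the running-process paths."""
    seen = set()
    for line in log.splitlines():
        parts = line.strip().split("\\")
        if len(parts) > 2 and re.fullmatch(r"[A-Za-z]:", parts[0]) and parts[1].lower() == "windows":
            seen.add(parts[1])
    return seen

def triage_autoruns(log, threshold=2):
    """Hypothetical helper: return (name, path, reasons) for O4 entries with >= threshold signals."""
    known = windows_dir_casings(log)
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        _hive, name, path = m.groups()
        parts = path.split("\\")
        stem = norm(parts[-1].rsplit(".", 1)[0])
        reasons = []
        if "\\system32\\" in path.lower():
            reasons.append("autorun target in system32")
        if stem not in norm(name) and norm(name) not in stem:
            reasons.append("value name unrelated to file name")
        if len(parts) > 2 and parts[1].lower() == "windows" and parts[1] not in known:
            reasons.append("Windows directory casing not seen elsewhere in log")
        if len(reasons) >= threshold:
            findings.append((name, path, reasons))
    return findings
```

A single signal is not enough on its own (plenty of legitimate autoruns live in system32 or use a friendly value name), which is why the example only reports entries where at least two signals agree.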
 



 
Posted 2005-04-28, 03:32 PM in reply to Sovereign's post starting "I tried to do that on my old laptop. ..."
It is possible to do. Just as hard to do as to completely remove Fun Web Products. Nasty pieces of work...both of 'em.
Lenny

Posted 2005-04-28, 04:10 PM in reply to Lenny's post starting "It is possible to do. Just as hard to..."
Download Mozilla Firefox and use it for your 'net. That's what I did a while back... never any problems.

Quote:
!King_Amazon!: I talked to him while he was getting raped
[quote][16:04] jamer123: GRRR firefox just like quit on me now on internet exploder[quote]
...
[quote=!King_Amazon!]notices he's 3 inches shorter than her son and he's circumcised [quote]
D3V

Posted 2005-04-28, 08:30 PM in reply to Lenny's post starting "It is possible to do. Just as hard to..."
Re: IE uninstallation

Open up My Computer - there's Internet Explorer. Go ahead and type google.com in the address bar and hit enter - it switches to IE mode, and takes you right there. It's built into the shell. (Which is the reason for most spyware infestations - if you compromise Firefox/Opera somehow, you might have access to the history, cache, or bookmarks. If you compromise IE, you have access to the entire system, including Windows itself.)

Uninstalling it completely means you'd have to get another file manager like AB Commander or something. It's possible, but so much of a hassle that you may as well just keep IE as clean as possible and continue to use it as a file manager. Just toss Firefox or Opera on there and get used to one of them. It's either that or going through the steps necessary to secure IE - patching (which you should do anyway), locking the HOSTS file, disabling ActiveX, etc. Nothing wrong with using IE if you can keep it clean and you stay completely away from unknown sites.

If you care, Secunia says that IE6 has 17 unpatched vulnerabilities (80 total, so if you didn't patch, that's a big problem), Firefox has 4 unpatched vulnerabilities (one of which involves dragging images to the address bar, and another which involves Apple Java) and Opera 8 has a scant 0 vulnerabilities so far, which surprised me, actually.
BlueCube

Posted 2005-04-28, 09:00 PM in reply to BlueCube's post starting "Re: IE uninstallation Open up My..."
That about sums it up in a nutshell. After my last re-installation of Windows I patched everything I could on IE and never used it again. I went straight to Firefox and haven't had ANY problems. Windows is too integrated for its own good...why IE is so vulnerable.
D3V

Posted 2005-04-28, 10:49 PM in reply to D3V's post starting "That about sums it up in a nutshell...."
Ok, installed and am using Mozilla Firefox, restarted comp in safe mode, ran HijackThis, Spybot, and Ad-Aware, restarted and have not had a pop-up yet. *crosses fingers* Thanks for the help guys.

zeal311

All times are GMT -6.