TechSpot

NETEU.exe Hijacked!

By Darbarian
Jul 28, 2005
  1. Hi folks,

    I've been struggling to get a hijacker program/virus off of my computer called NETEU.exe.

    I identified it with my System Mechanic virus software, but could not remove it. I've tried the following:

    Adaware 6.0
    CWS Shredder
    Spykiller/spy subtractor
    Panda Virus scan
    System Mechanic

    I just tried a program called HijackThis. Supposedly it is designed to attack hijacker viruses such as the NETEU.exe file. However, I must be careful not to delete other non-virus files that it has detected. Does anyone know how to distinguish from the following log just what I need to delete (if anything)?

    Logfile of HijackThis v1.99.1
    Scan saved at 12:47:32 AM, on 7/28/2005
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    D:\Programs\DSL\2PortalMon.exe
    C:\WINDOWS\TBPanel.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    D:\Programs\sysmech\System Mechanic 5\System Mechanic 5 Professional\PopupStopper.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Hacker\KAVPF.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\devldr32.exe
    c:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Darin\LOCALS~1\Temp\Rar$EX16.453\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kbhfa.dll/sp.html#45052
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kbhfa.dll/sp.html#45052
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://by104fd.bay104.hotmail.msn.c...642c7d6dc3b2cafb3f06c1c4b050e41d67287e92e222c
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kbhfa.dll/sp.html#45052
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kbhfa.dll/sp.html#45052
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kbhfa.dll/sp.html#45052
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kbhfa.dll/sp.html#45052
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kbhfa.dll/sp.html#45052
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Class - {EB78D545-7084-1460-B78B-C15169BF794D} - C:\WINDOWS\system32\msmj.dll (file missing)
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [2wSysTray] D:\Programs\DSL\2PortalMon.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Jet Detection] "D:\Device Drivers\SBlive\PROGRAM\ADGJDet.exe"
    O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [crxq32.exe] C:\WINDOWS\system32\crxq32.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KAVPersonal50] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe /minimize
    O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "D:\Programs\sysmech\System Mechanic 5\System Mechanic 5 Professional\PopupStopper.exe"
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = D:\Programs\Common\Bin\WinCinemaMgr.exe
    O4 - Global Startup: Kaspersky Anti-Hacker.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = D:\Programs\OFFICE2K\Office\OSA9.EXE
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1112754712514
    O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\neteu.exe (file missing)
    O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



    I know a lot of these are not a problem, but they could be if I chose to delete them.

    Any suggestions or insights would be very useful!

    Thanks a bunch!!!!

    Darb :approve:
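
As an added example (not part of the original post and not a HijackThis feature), here is one way to pre-sort a log like the one above: a small Python parser that flags entries for a closer manual look. The three heuristics and the names `triage`, `ENTRY` and `LOCAL_RES` are assumptions made for illustration; the sample lines are copied from the posted log.

```python
import re

# Excerpt of the HijackThis log posted above (lines copied from the post).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kbhfa.dll/sp.html#45052
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defaults/su/*http://www.yahoo.com
O2 - BHO: Class - {EB78D545-7084-1460-B78B-C15169BF794D} - C:\WINDOWS\system32\msmj.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\neteu.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

# "<section code> - <rest of entry>", e.g. "O23 - Service: ..."
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.+?)\s*$")
# res:// URL whose resource DLL sits directly in the Windows directory
LOCAL_RES = re.compile(r"=\s*res://[A-Za-z]:\\WINDOWS\\[^\\/]+\.dll/", re.I)

def triage(log_text):
    """Return (section, reasons, entry) for every line worth a manual look."""
    flagged = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # header, running-process list or blank line
        section, body = m.groups()
        reasons = []
        # Heuristic 1 (assumption): the entry's target is no longer on disk.
        if body.endswith("(file missing)"):
            reasons.append("target file not on disk")
        # Heuristic 2 (assumption): HijackThis could not name the vendor.
        if section == "O23" and " - Unknown owner - " in body:
            reasons.append("service vendor unknown")
        # Heuristic 3 (assumption): IE start/search page is a local DLL resource.
        if section in ("R0", "R1") and LOCAL_RES.search(body):
            reasons.append("IE page served from a DLL in the Windows directory")
        if reasons:
            flagged.append((section, reasons, body))
    return flagged

if __name__ == "__main__":
    for section, reasons, body in triage(SAMPLE_LOG):
        print(f"[{section}] {'; '.join(reasons)}\n      {body}")
```

A flag here means the entry deserves a closer look before any decision, and unflagged entries are not thereby cleared.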
     
  2. howard_hopkinso

    First go HERE and follow the instructions exactly.

    Then go HERE for instructions on how to post your HijackThis log as an attachment.

    Then edit your post above to include the HJT log as an attachment.

    Regards Howard :grinthumb
     
Topic Status:
Not open for further replies.

