Read and Run Me First Done. Problems Questions and Logs Attached.

Discussion in 'Malware Help (A Specialist Will Reply)' started by dmpie, Jun 1, 2007.

  1. dmpie

    dmpie Private E-2

    Well, things are running much better on my daughter's laptop. Other than very badly needing the "housekeeping" steps, it was nearly impossible to go online other than in safe mode. The wallpaper was just a blue screen that could not be changed, and I kept getting a triangle in the tray that would open a balloon that wanted you to run a scan with the "ultimate tools" (Ultimate Defender, Ultimate Cleaner, etc.)

    Have followed all the steps and will attach everything required. Still have some things to fix. First, the wallpaper on the desktop is back but I still cannot change it. On boot-up I get an Error Loading, C:\windows\system\jhmnrz.dll, The specified module could not be found.

    As far as I can tell, those are the only things going on right now. (But there may be some things going on behind the scenes that still need work.) One question I do have is if I can uninstall CounterSpy when we are all done? Not that I mind it much, but it is only a trial and it loads into the tray on boot, and I have found no option to remove it from running at start-up.

    Will let you look at the logs and check back for your advice. Thanks for your time on this. I truly appreciate it.

    Attached Files:

  2. dmpie

    dmpie Private E-2

    The other three logs.

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Is the below something you saved on your Desktop? If not then delete it.
    C:\Documents and Settings\susan\Desktop\FREE! Instant Messenger.lnk

    Uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders which may be left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Also uninstall the below as requested in step 0 of the READ ME:
    Viewpoint Media Player

    Do you have any software you use from Symantec still installed? I did not notice any. But I do see LiveUpdate and LiveReg in your installed programs list. You should uninstall the below if all Symantec software has already been removed.
    LiveReg (Symantec Corporation)
    LiveUpdate 1.80 (Symantec Corporation)

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O2 - BHO: (no name) - {1ECCBC75-F685-4991-48D6-007CB10615DA} - C:\WINDOWS\System32\mfsvtvi.dll (file missing)
    O2 - BHO: (no name) - {23D43B43-58DF-7FAB-921F-0404AA209639} - C:\WINDOWS\System32\vfirqqn.dll (file missing)
    O2 - BHO: (no name) - {422ACAAC-53DF-E2E5-D354-001817C24DF8} - C:\WINDOWS\System32\ffkhcln.dll (file missing)
    O2 - BHO: (no name) - {669404C3-757B-FB04-E260-0AAA7254C51E} - C:\WINDOWS\System32\tfmdxyd.dll (file missing)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [jhmnrz.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\jhmnrz.dll,jebvirc
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete the below files if found:
    C:\Program Files\PLook\plook.exe
    C:\HDD Backup\web.exe
    C:\WINDOWS\System32\jhmnrz.dll
    C:\WINDOWS\system32\moneyspj.exe

    Now locate the below folder and delete it if found:
    C:\Program Files\PLook

    Now run CCleaner.

    Now reboot in normal mode.

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
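    The HijackThis lines above are what a helper reads by eye; as an added example (not from this thread, from MajorGeeks, or from HijackThis itself), here is a small Python triage pass over lines of those kinds: it flags O2 BHO entries whose DLL is gone, O4 Run keys that hand a DLL to rundll32 at logon (the source of the "Error Loading ... module could not be found" message dmpie saw), and O16 DPF entries that pull a raw .exe from a bare IP, and it collapses repeated O16 entries by download URL. The sample log is constructed and the regexes and severity heuristics are my own, not HijackThis's.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample in HijackThis's own line format; entries mirror the kinds
# quoted in the post above, plus one benign O16 line for contrast.
SAMPLE_LOG = """\
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {1ECCBC75-F685-4991-48D6-007CB10615DA} - C:\\WINDOWS\\System32\\mfsvtvi.dll (file missing)
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\qttask.exe" -atboottime
O4 - HKLM\\..\\Run: [jhmnrz.dll] C:\\WINDOWS\\System32\\rundll32.exe C:\\WINDOWS\\System32\\jhmnrz.dll,jebvirc
O16 - DPF: {00EC4214-4AB4-1A5A-7BF1-562B659BEFE9} - http://85.255.115.229/1/gdnUS2312.exe
O16 - DPF: {040FCEEC-EACB-4EE9-7934-402C72625C85} - http://85.255.115.229/1/gdnUS2312.exe
O16 - DPF: {12345678-0000-0000-0000-000000000000} - http://example.com/activex/viewer.cab
"""

O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-F-]+\}) - (.*)$", re.I)
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-F-]+\}) - (\S+)", re.I)

def is_bare_ip(host):
    return re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host or "") is not None

def triage_line(line):
    """Return (severity, reason) for one HijackThis line, or None if it looks ordinary."""
    m = O2_RE.match(line)
    if m and m.group(3).endswith("(file missing)"):
        return ("high", "orphaned BHO: CLSID still registered but its DLL is gone")
    m = O4_RE.match(line)
    if m and "rundll32" in m.group(3).lower():
        # Run key hands a DLL to rundll32 at every logon; delete the DLL but not
        # the key and Windows shows 'Error Loading ... module could not be found'.
        return ("medium", "Run key loads a DLL via rundll32 at logon; verify the DLL's origin")
    m = O16_RE.match(line)
    if m:
        url = urlparse(m.group(2))
        if is_bare_ip(url.hostname) or url.path.lower().endswith(".exe"):
            return ("high", "DPF entry fetches a raw .exe or downloads from a bare IP")
    if line.startswith("R0") and "about:blank" in line:
        return ("low", "search assistant reset to about:blank; leftover of a hijack")
    return None

def triage(log_text):
    """Run triage_line over a whole log; returns (section, severity, reason) tuples."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        result = triage_line(line)
        if result:
            findings.append((line.split(" - ")[0], *result))
    return findings

def dpf_download_counts(log_text):
    """Collapse O16 entries by download URL: many CLSIDs usually mean one dropper."""
    hits = (O16_RE.match(l.strip()) for l in log_text.splitlines())
    return Counter(m.group(2) for m in hits if m)

if __name__ == "__main__":
    for section, severity, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {section}: {reason}")
```

Running it on the thread's full O16 list would report one URL with over a hundred CLSIDs, which is the quick way to tell a single dropper from many separate installs.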
  4. dmpie

    dmpie Private E-2

    Hello again. Well, all steps from your kind reply post are now done and new logs attached. All seems to be running quite well. Still am unable to access the controls to change the desktop wallpaper. The list and browse are in gray and I cannot click on them. Sorry that I missed the Viewpoint Media Player. Got rid of the IM.lnk that was on the desktop. (Think it was there from an AOL install.) The Symantec programs were left from some of the pre-installed "free" stuff when the notebook was new. Got rid of them as well. Let me know if there is anything to be done to repair the wallpaper problem and if you see anything I need to take care of from the new logs. Thank you!

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now copy the bold text below to Notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now reboot!

    How are things looking now?
  6. dmpie

    dmpie Private E-2

    Looks all good here! Am now able to access desktop wallpaper controls. Have had no pop-ups or any other malware-related problems. If all is good I will "toggle" System Restore when you reply and switch the system back to put the hidden folders back into hiding. Anything else I need to do to finish?

    Thanks for all your help, and I will work on keeping things clean from now on! :)

    Will be sending a friend here for help. He is having a problem with some sort of bug that affects the search engine results (Yahoo, Google). Seems that when he clicks on an item from the search results he keeps getting redirected to another page that was not where he wanted to go. I would guess that will be a malware problem as well? Of what type? Well, it could be him, but since I have done the "do first" steps I may end up helping him out. (Not the right person to follow long detailed instructions like I am.) So if I do, it will be partly to help him and mostly to spare you from getting a ton of "It's not working for me. I think I'm doing it right." posts. It's the least I can do for the time you have spent helping me!
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome!

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we used SDFix, you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
