Author Topic: hijackthis log, plz help if u can  (Read 2950 times)
baia
« on: March 21, 2005, 12:38:57 AM »

PLEASE SUPPLY RELEVANT INFORMATION:
Operating System Version:xp
Problem Application Name & Version:
Problem Hardware Make & Model:
Error Messages:



Here is my log, I've been getting problems after I installed a program which was full of spyware.
I have 2 users on my XP, so plz take that into thought.

here is my log ..
Logfile of HijackThis v1.97.7
Scan saved at 7:31:58 PM, on 20/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Continuum\New Folder (2)\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitecae32.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\image.dll,Install
O9 - Extra button: AIM (HKLM)

Now I've been taking all of the stuff off this list,
but now I'm guessing it's the elitecae32.exe. I've tried taking it off but it doesn't seem to want to come off, plz help me out here
Logged

 
baia
« Reply #1 on: March 21, 2005, 09:06:21 PM »

Can I get a bump?

I ran Spy Sweeper.
Now the pop-ups still come,
but they are all 404 errors.
Logged

 
baia
« Reply #2 on: March 22, 2005, 01:04:45 AM »

An update to my 2nd post:
I ran Ad-Aware SE and the ads got back to working.
Now I'm getting different ads, I'm getting Viagra ads, but the same ad, like this

and this is my end task, after a reboot

You can also see one of the ads popping up.
I'm getting more ads at closer intervals, plz help, I'm about to reformat my comp, and I don't want to.

Notice elitecae32.exe is not in the end task.
I've looked at it with the KILLBOX program, and I could not find it.
I could try to do a search for the file, I'll try that next, but plz help if u possibly have the time to
Logged

 
redaxe
« Reply #3 on: March 22, 2005, 11:27:18 PM »

Go to http://www.tomcoyote.com/hjt/ and download the latest version of Hijack This.
The version you have is badly out of date.
Logged

baia
« Reply #4 on: March 23, 2005, 12:20:37 AM »

here is my log
now

Logfile of HijackThis v1.99.1
Scan saved at 7:17:13 PM, on 22/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Continuum\New Folder (2)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitecae32.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O21 - SSODL: systemil - {355139A1-8E88-401F-BEEE-09ADE954CCCB} - sysil.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)


I took away the elitecae32.exe. If this works, I'm goin to hug u so hard u might get hard
Logged

 
baia
« Reply #5 on: March 23, 2005, 12:22:54 AM »

nm...
elitecae32.exe still shows back up..

Logfile of HijackThis v1.99.1
Scan saved at 7:19:35 PM, on 22/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Continuum\New Folder (2)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitecae32.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O21 - SSODL: systemil - {355139A1-8E88-401F-BEEE-09ADE954CCCB} - sysil.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
Logged

 
redaxe
« Reply #6 on: March 23, 2005, 11:00:17 PM »

Start by disabling System Restore, which is something you can re-enable after the PC has been fixed.
Right click My Computer and select Properties.
Click the System Restore tab and in there disable it. Apply and OK out.

Furthermore, make sure that Windows Explorer is set to show hidden files and folders. Click Tools/Folder Options -> View and check "Show hidden files and folders" and uncheck "Hide protected operating system files".


Now download the following programs:

CWShredder
Spybot Search & Destroy
Ad-Aware
VX2 Cleaner
Stinger
About:Buster <-- you won't use this one until after we've made some amendments to your logfile.
Cleanup! <-- you won't use this one until after we've made some amendments to your logfile.

Now go to the following online AV scanners:

Rav Antivirus
Trend Antivirus
Panda Activescan

Let all of them delete what they want. Write down what they fail in dealing with.

Then run and update CWShredder. Click the Fix button and click OK when the prompt "CWShredder will shutdown any open Internet Explorer and Windows Media Player windows. Click OK to continue" appears.
Wait for it to finish and then click Next and Finish.

Now install, run, update and scan your system with Spybot S&D.
When it's done scanning, check all entries that are marked RED and click Fix Selected.

Then install Ad-Aware and update it right away. Then scan and let it fix whatever it reports.
Then shut down Ad-Aware.
Then install the VX2 Cleaner and let it install into the Ad-Aware program folder.
Start Ad-Aware again and click the AddOns button. Double click the VX2 Cleaner in there and click OK at the prompt.

If your computer is infected

 Select
Logged

baia
« Reply #7 on: March 24, 2005, 12:43:40 AM »

OK, this is going to take me some time. I'll start today and finish tomorrow and I will get back to you, thanx for replying :)
Logged

 
baia
« Reply #8 on: March 24, 2005, 09:20:13 PM »

OK, I've done everything on ur list..

I ran Panda ActiveScan, couldn't get the others to work.
Ran everything else.
I did look for (failed to find) elitecae32.exe.
I took it off with HijackThis,
here is the log after

Logfile of HijackThis v1.99.1
Scan saved at 4:14:07 PM, on 24/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Continuum\New Folder (2)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitecae32.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)


it is still there..

this is my log from panda active scan

Incident                      Status                        Location                                                                                                                                                                                                                                                        

Virus:Trj/Narod.E             Disinfected                   Operating system                                                                                                                                                                                                                                                
Adware:Adware/StartPage.DD    No disinfected                C:\windows\system32\elitecae32.exe                                                                                                                                                                                                                              
Adware:Adware/SaveNow         No disinfected                Windows Registry                                                                                                                                                                                                                                                
Adware:Adware/Gator           No disinfected                C:\WINDOWS\Downloaded Program Files\HDPlugin10??.dll                                                                                                                                                                                                            
Adware:Adware/Apropos         No disinfected                C:\DOCUME~1\Smirf\LOCALS~1\Temp\cfout.txt                                                                                                                                                                                                                      
Adware:Adware/EliteBar        No disinfected                Windows Registry                                                                                                                                                                                                                                                
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7691cc0e-4219260c.RB0[GetAccess.class]                                                                                                                
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7691cc0e-4219260c.RB0[InsecureClassLoader.class]                                                                                                      
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7691cc0e-4219260c.RB0[Dummy.class]                                                                                                                    
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Brian\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-7691cc0e-4219260c.RB0[Installer.class]                                                                                                                
Virus:Exploit/ByteVerify      Disinfected                   C:\Documents and Settings\Smirf\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-19061f19-20bc8df5.RB0[Dummy.class]                                                                                                                    
Spyware:Spyware/ISTbar        No disinfected                C:\Documents and Settings\Smirf\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-38193a44.zip[InstallerApplet.class]                                                                                                      
Adware:Adware/Lop             No disinfected                C:\Documents and Settings\Smirf\Local Settings\Temp\13cb5022.exe                                                                                                                                                                                                
Adware:Adware/Lop             No disinfected                C:\Documents and Settings\Smirf\Local Settings\Temp\1882277f.exe                                                                                                                                                                                                
Adware:Adware/Lop             No disinfected                C:\Documents and Settings\Smirf\Local Settings\Temp\188242c6.exe                                                                                                                                                                                                
Adware:Adware/Lop             No disinfected                C:\Documents and Settings\Smirf\Local Settings\Temp\36045d.exe                                                                                                                                                                                                  
Adware:Adware/Lop             No disinfected                C:\Documents and Settings\Smirf\Local Settings\Temp\Rem3F.exe                                                                                                                                                                                                  
Adware:Adware/Lop             No disinfected                C:\Documents and Settings\Smirf\Local Settings\Temp\sta176.exe                                                                                                                                                                                                  
Adware:Adware/Lop             No disinfected                C:\Documents and Settings\Smirf\Local Settings\Temp\sta177.exe                                                                                                                                                                                                  
Adware:Adware/Lop             No disinfected                C:\Documents and Settings\Smirf\Local Settings\Temp\sta4.exe                                                                                                                                                                                                    
Adware:Adware/FunWeb          No disinfected                C:\Documents and Settings\Smirf\Local Settings\Temporary Internet Files\Content.IE5\5N39F5ZC\SmileyCentralInitialSetup1.0.0.8[1].cab                                                                                                                            
Adware:Adware/FunWeb          No disinfected                C:\Documents and Settings\Smirf\Local Settings\Temporary Internet Files\Content.IE5\5N39F5ZC\SmileyCentralInitialSetup1.0.0.8[1].cab[f3initialsetup1.0.0.8-2.inf]                                                                                              
Adware:Adware/FunWeb          No disinfected                C:\Documents and Settings\Smirf\Local Settings\Temporary Internet Files\Content.IE5\5N39F5ZC\SmileyCentralInitialSetup1.0.0.8[1].cab[f3Setup1.exe]                                                                                                              
Virus:Exploit/Mhtredir.gen    Disinfected                   C:\Documents and Settings\Smirf\Local Settings\Temporary Internet Files\Content.IE5\65GJYHI5\CA84VHF9.HTM                                                                                                                                                      
Virus:Exploit/Mhtredir.gen    Disinfected                   C:\Documents and Settings\Smirf\Local Settings\Temporary Internet Files\Content.IE5\65GJYHI5\CAI3GPU3.HTM                                                                                                                                                      
Virus:Exploit/Mhtredir.gen    Disinfected                   C:\Documents and Settings\Smirf\Local Settings\Temporary Internet Files\Content.IE5\65GJYHI5\CAIVIDAX.HTM                                                                                                                                                      
Virus:Exploit/Mhtredir.gen    Disinfected                   C:\Documents and Settings\Smirf\Local Settings\Temporary Internet Files\Content.IE5\65GJYHI5\CAOFFX0H.HTM                                                                                                                                                      
Adware:Adware/CWS.Aboutblank  No disinfected                C:\Documents and Settings\Smirf\Local Settings\Temporary Internet Files\Content.IE5\65GJYHI5\on-line[1].exe                                                                                                                                                    
Adware:Adware/CWS.Aboutblank  No disinfected                C:\Documents and Settings\Smirf\Local Settings\Temporary Internet Files\Content.IE5\65GJYHI5\on-line[2].exe                                                                                                                                                    
Virus:VBS/Psyme.C             Disinfected                   C:\Documents and Settings\Smirf\Local Settings\Temporary Internet Files\Content.IE5\8LCPAFGH\shellscript[1].js                                                                                                                                                  
Virus:VBS/Psyme.C             Disinfected                   C:\Documents and Settings\Smirf\Local Settings\Temporary Internet Files\Content.IE5\8LCPAFGH\shellscript[2].js                                                                                                                                                  
Adware:Adware/Gator           No disinfected                C:\Documents and Settings\Smirf\Local Settings\Temporary Internet Files\Content.IE5\NEO3RXOH\hdplugin_1100_bundle43v5d41[1].cab[HDPlugin1100.dll]                                                                                                              
Virus:VBS/Psyme.C             Disinfected                   C:\Documents and Settings\Smirf\Local Settings\Temporary Internet Files\Content.IE5\NEO3RXOH\shellscript[1].js                                                                                                                                                  
Adware:Adware/SearchAid       No disinfected                C:\Program Files\Internet Explorer\kdmprcov.exe                                                                                                                                                                                                                
Adware:Adware/SearchAid       No disinfected                C:\Program Files\Internet Explorer\lyyrpkgt.exe                                                                                                                                                                                                                
Adware:Adware/SearchAid       No disinfected                C:\Program Files\Internet Explorer\ppqojbkc.exe                                                                                                                                                                                                                
Adware:Adware/SearchAid       No disinfected                C:\Program Files\Internet Explorer\xfrcysko.exe                                                                                                                                                                                                                
Adware:Adware/FunWeb          No disinfected                C:\Program Files\Microsoft AntiSpyware\Quarantine\2D0D8F13-662F-4663-9D05-4FF8F1\91DD8940-F222-4BA1-A8AF-73B360                                                                                                                                                
Adware:Adware/HuntBar         No disinfected                C:\RECYCLER\S-1-5-21-1482476501-746137067-1957994488-1005\Dc1\EDow.exe                                                                                                                                                                                          
Adware:Adware/StartPage.DD    No disinfected                C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O92741UB\protector_update[1].exe                                                                                                                                  
Virus:Trojan Horse            Disinfected                   C:\WINDOWS\system32\il.dat                                                                                                                                                                                                                                      
Adware:Adware/WUpd            No disinfected                C:\WINDOWS\system32\shell32.exe                                                                                                                                                                                                                                
Virus:Trojan Horse            Disinfected                   C:\WINDOWS\system32\sysie.dll                                                                                                                                                                                                                                  
Virus:Trj/Narod.E             Disinfected                   C:\WINDOWS\system32\sysil.dll                                                                                                                                                                                                                                  
Virus:Trojan Horse            Disinfected                   C:\WINDOWS\system32\systemil.exe                                                                                                                                                                                                                                


I'm going to reinstall MSN Plus right now, and I'll reply if I get pop-ups
Logged

 
baia
« Reply #9 on: March 24, 2005, 09:29:52 PM »

OK, I installed MSN Plus
Logfile of HijackThis v1.99.1
Scan saved at 4:25:04 PM, on 24/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Continuum\New Folder (2)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitecae32.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)



So
basically, after doing all the scanning, I still have basically the same log.
I don't mind the MSN Plus/MSN, I've had that with me for a long time, and I've never got any problems.

It's the elitecae32.exe.
How do I delete something that I can't find?
Logged
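
Added example, not part of the thread: a short Python script that does mechanically what the posts above do by eye, comparing successive HijackThis logs to list the entries that survive every scan and checking whether each surviving O4 autorun's target is listed under "Running processes". The three sample logs are abridged from the logs posted in replies #5, #8 and #9; the function names are this example's own.

```python
"""Compare successive HijackThis logs: which entries survive every scan,
and is each surviving O4 autorun's target listed as a running process?"""
import re

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")                  # "O4 - ...", "R1 - ..."
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.+)$")   # hive, key, name, command

# Sample input: abridged from the logs in replies #5, #8 and #9 of this thread.
SCAN_A = r"""Logfile of HijackThis v1.99.1
Scan saved at 7:19:35 PM, on 22/03/2005

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitecae32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O21 - SSODL: systemil - {355139A1-8E88-401F-BEEE-09ADE954CCCB} - sysil.dll (file missing)
"""
SCAN_B = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:14:07 PM, on 24/03/2005

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitecae32.exe
"""
SCAN_C = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:25:04 PM, on 24/03/2005

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitecae32.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""


def parse_hjt(text):
    """Split a log into its running-process paths and its (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:                      # first "Xn - ..." line ends the process list
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return {"processes": processes, "entries": entries}


def autorun_target(command):
    """Executable path of an O4 command: the quoted path, else the first token."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split()[0]


def diff_entries(old, new):
    """Entries that disappeared and entries that appeared between two scans."""
    removed = [e for e in old["entries"] if e not in new["entries"]]
    added = [e for e in new["entries"] if e not in old["entries"]]
    return removed, added


def persistent_autoruns(logs):
    """O4 entries present in every log, and whether the target is running in the last one.
    Paths are compared case-insensitively; 8.3 short names (PROGRA~1) are not expanded."""
    common = set(logs[0]["entries"])
    for log in logs[1:]:
        common &= set(log["entries"])
    running = {p.lower() for p in logs[-1]["processes"]}
    report = []
    for code, body in logs[0]["entries"]:
        m = O4_RE.match(body) if code == "O4" and (code, body) in common else None
        if m:
            hive, key, name, command = m.groups()
            target = autorun_target(command)
            report.append({"name": name, "key": f"{hive}\\{key}", "target": target,
                           "running": target.lower() in running})
    return report


if __name__ == "__main__":
    scans = [parse_hjt(s) for s in (SCAN_A, SCAN_B, SCAN_C)]
    for item in persistent_autoruns(scans):
        print(item)
```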

 
redaxe
« Reply #10 on: March 24, 2005, 11:49:29 PM »

Did you disable System Restore and empty all Temp and Temporary Internet Files folders?
Did you empty your Recycle Bin??

Now let HJT fix the following entries:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitecae32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)

Now click the Config button in the bottom right corner of HJT and in the pane that opens, select Misc Tools. Then select the Delete a file on reboot... button. Navigate your way to C:\windows\system32\elitecae32.exe, select it and click the Open button.

Now empty the Temp folders, Temporary Internet Folders and your recycle bin. Reboot and post a new HJT log.

baia
Jr. Member
« Reply #11 on: March 25, 2005, 02:04:10 AM »

OK, the first time I did not empty my temp folder,

but this time
I did what you said.
There are a couple of files in the internet file folder that cannot be deleted, like index,
but I did all you said.
For the config part, in HJT, I just typed in the file in windows/system32, even though it wasn't there, and hit reboot.
Still...

I couldn't take out the Symantec network driver service either.
Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 8:58:45 PM, on 24/03/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\RioMSC.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Continuum\New Folder (2)\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.yahoo.com
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitecae32.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)

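Added example (not part of the thread, and not HijackThis's own code): a small Python check that compares the entries Reply #10 asked to have fixed with the follow-up log in Reply #11, so entries that survived the fix are identified mechanically rather than by eye. The sample input is a constructed subset of the lines posted above; all function names are assumptions of this example.

```python
import re

# A HijackThis entry line: section code (R1, O4, O23, ...), " - ", then the detail.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

def parse_entries(text):
    """Map normalised entry -> original line for every section entry in a log."""
    # Header and "Running processes" lines carry no section code and are skipped.
    # Entries are case-folded and whitespace-collapsed because Windows paths are
    # case-insensitive and pasted logs differ in casing and spacing.
    entries = {}
    for raw in text.splitlines():
        line = " ".join(raw.split())
        if ENTRY_RE.match(line):
            entries[line.casefold()] = line
    return entries

def compare(fix_list, followup_log):
    """Split the entries that were to be fixed into (persisted, removed)."""
    wanted = parse_entries(fix_list)
    present = parse_entries(followup_log)
    persisted = [orig for key, orig in wanted.items() if key in present]
    removed = [orig for key, orig in wanted.items() if key not in present]
    return persisted, removed

def missing_file_entries(log):
    """Entries that HijackThis itself annotated with '(file missing)'."""
    return [e for e in parse_entries(log).values() if e.endswith("(file missing)")]

# Constructed sample input: lines copied from Reply #10 and Reply #11 above.
FIX_LIST = r'''
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitecae32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
'''
FOLLOWUP_LOG = r'''
Logfile of HijackThis v1.99.1
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitecae32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe (file missing)
'''

if __name__ == "__main__":
    persisted, removed = compare(FIX_LIST, FOLLOWUP_LOG)
    for line in persisted:
        print("STILL PRESENT:", line)
    for line in removed:
        print("removed:      ", line)
```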

 
redaxe
Supreme Loonie
Global Moderator
Hero Member
« Reply #12 on: March 25, 2005, 12:41:27 PM »

Ok, let's keep hammering this bit.

Start by collecting the attached file:
Download Attachment: 200532582625_TheEliteToolbarRemoverV10.zip


Extract the zipped archive to your desktop. Run the file and follow its prompts until it's done.

Then uninstall the following, if it's available in your Add/Remove Programs:

EliteToolBar
EliteBar


Now search for the following files on your hard drives, using the search function in Windows:

etbrun
elitecae32.exe
Bkmsf32.dat
elit*.* <-- In this case copy and paste it as I put it and let the Windows Search function find any possible files that are named elite something or other.

In all cases delete everything you find.

Now click Start -> Run and at the prompt type regedit and click OK.

Search for and delete the following entries (using the same colour codes as before, make sure you only delete the marked entries. You can navigate to them by pressing the + sign next to each registry folder.):

Before you start, here are instructions on How to make a backup of the Windows registry. Make sure you follow those directions to the letter.

HKEY_LOCAL_MACHINE\SOFTWARE\Elitum
HKEY_CURRENT_USER\SOFTWARE\LQ
HKEY_CURRENT_USER\SOFTWARE\Winrar\File List
HKEY_CURRENT_USER\SOFTWARE\Winrar\Profiles

HKEY_CLASSES_ROOT\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA880F}
HKEY_CLASSES_ROOT\CLSID\{28CAEFF3-0F18-4036-B504-51D73BD81C3A}

HKEY_CLASSES_ROOT\Interface\{DBF33E89-1784-42AC-ADE4-A428F56550A3}
HKEY_CLASSES_ROOT\Interface\{A9B28EF6-ABF3-463B-A3D8-4D0D0BADFADC}
HKEY_CLASSES_ROOT\TypeLib\{CA9FC31A-6F35-4493-B629-E64BD6170A17}
HKEY_CLASSES_ROOT\Interface\{a74cd7de-ea6f-11d4-abf3-000102378429}
HKEY_CLASSES_ROOT\TypeLib\{a74cd7dd-ea6f-11d4-abf3-000102378429}
HKEY_CLASSES_ROOT\PLOT.PlotCtrl.1

Then close the registry editor.

Now click Start -> Windows Updates and install all critical updates that are available, especially those that have anything to do with Internet Explorer and Outlook/Outlook Express.

Then reboot and post a new HJT log.
« Last Edit: March 25, 2005, 01:54:58 PM by redaxe »

baia
Jr. Member
« Reply #13 on: March 25, 2005, 03:40:35 PM »

I'm not going to do this yet.
I'm not getting any pop-ups atm,
so I'm good. If they come again, I'll do this.

 
redaxe
Supreme Loonie
Global Moderator
Hero Member
« Reply #14 on: March 25, 2005, 04:36:27 PM »

Ok, naturally this is your choice.

Good luck :)
