
Elitum elite

Discussion in 'Malware and Virus Removal Archive' started by bg9208, 2004/12/20.

Thread Status:
Not open for further replies.
  1. 2004/12/20
    bg9208

    bg9208 Inactive Thread Starter

    Joined:
    2004/10/04
    Messages:
    252
    Likes Received:
    1
    Just today I have found a bit of spyware which keeps connecting to IE and firing up lots of unwanted websites. It is recognised by Spybot as ELITUM ELITE BAR. Can't find it mentioned in WBBS search, and neither Spybot, Ad-Aware nor AVG seem to be able to address the problem.
    Anyone got any suggestions for removing this pest?
     
  2. 2004/12/20
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    This does seem to be a resistant critter but it can be removed.

    Download HijackThis v1.99 (see quicklinks in my signature). Unzip it to a folder of its own. I like c:\hjt but as long as it is not a temp folder and not on or under the desktop, it doesn't matter.

    Run HJT to generate a scan log and post the log here.
     
    Newt,
    #2


  4. 2004/12/21
    bg9208

    bg9208 Inactive Thread Starter

    Joined:
    2004/10/04
    Messages:
    252
    Likes Received:
    1
    Elitum

    Hi Newt. Here is the result of the Hijackthis 1.99 scan:-
    Logfile of HijackThis v1.99.0
    Scan saved at 17:05:17, on 21/12/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\brian\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [Sygate Personals Firewalls] ccsrn.exe
    O4 - HKLM\..\Run: [Start Upping] taksmgr.exe
    O4 - HKLM\..\RunServices: [Sygate Personals Firewalls] ccsrn.exe
    O4 - HKLM\..\RunServices: [Start Upping] taksmgr.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Start Upping] taksmgr.exe
    O4 - HKCU\..\Run: [Sygate Personals Firewalls] ccsrn.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    I hope that it makes some sense. You're right, persistent little bugger, still shows up on Spybot but it can't seem to get rid of it. Just tried to download SP2 by modem and after 20 hours, trying to run the file, I get a message like "cannot run a Win32 file" -- I suppose I will have to get a copy from my bro.
    Thanks for your help.
     
  5. 2004/12/21
    bg9208

    bg9208 Inactive Thread Starter

    Joined:
    2004/10/04
    Messages:
    252
    Likes Received:
    1
    Elitum

    Newt, sorry, forgot to ask: is there any patch I can use to inoculate against this Elitum thing until such time as I can get SP2 installed?
     
  6. 2004/12/21
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi bg9208

    HijackThis needs to first be unzipped and in a folder other than a temp folder.
    Delete the one you have now. Make a folder
    C:\antispyware
    Download HijackThis.exe to that folder. While not in safe mode, make and post a new log: http://www.merijn.org/files/HijackThis.exe
     
  7. 2004/12/22
    bg9208

    bg9208 Inactive Thread Starter

    Joined:
    2004/10/04
    Messages:
    252
    Likes Received:
    1
    Elitum

    Hi Newt,

    Hope I've got the protocols right now.
    I unzipped HijackThis 1.99 to a separate folder c:\virusscan and ran a scan and the results are as follows:-
    Logfile of HijackThis v1.99.0
    Scan saved at 14:31:34, on 22/12/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ccsrn.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\taksmgr.exe
    C:\virusscan\HijackThis.exe

    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [Sygate Personals Firewalls] ccsrn.exe
    O4 - HKLM\..\Run: [Start Upping] taksmgr.exe
    O4 - HKLM\..\RunServices: [Sygate Personals Firewalls] ccsrn.exe
    O4 - HKLM\..\RunServices: [Start Upping] taksmgr.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Start Upping] taksmgr.exe
    O4 - HKCU\..\Run: [Sygate Personals Firewalls] ccsrn.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


    I think this is the same as I posted before. Maybe I'm doing something wrong, I'm just running the 'scan' without any other parameters.

    Is this any use ?
     
  8. 2004/12/22
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Just 'scan' is fine but there isn't nearly all the stuff I'd expect to see on any system.

    Lonny evidently thought this was a scan done while you were booted into 'safe mode'. If not, do you have msconfig set for any sort of selective startup? Click on start, on run, type in msconfig, and click OK then take a look. We need a scan from Normal Startup and all items under the Startup tab checked.

    If you were in safe mode or had any sort of selective startup, you'll need to reboot after making changes back to full, normal mode startup.
     
    Newt,
    #7
  9. 2004/12/23
    bg9208

    bg9208 Inactive Thread Starter

    Joined:
    2004/10/04
    Messages:
    252
    Likes Received:
    1
    elitum

    Hi Newt,

    Here is a scan which I have just run under Normal Startup - the list of items in the Startup tab is:
    ccsrn
    taksmgr
    ctfmon
    msmgs
    taksmgr
    ccsm
    Microsoft Office
    (The spelling is correct!)

    This is the scan:-

    Logfile of HijackThis v1.99.0
    Scan saved at 13:14:50, on 23/12/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ccsrn.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\taksmgr.exe
    C:\virusscan\HijackThis.exe

    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [Sygate Personals Firewalls] ccsrn.exe
    O4 - HKLM\..\Run: [Start Upping] taksmgr.exe
    O4 - HKLM\..\RunServices: [Sygate Personals Firewalls] ccsrn.exe
    O4 - HKLM\..\RunServices: [Start Upping] taksmgr.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Start Upping] taksmgr.exe
    O4 - HKCU\..\Run: [Sygate Personals Firewalls] ccsrn.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

    I don't use Internet Explorer - just don't like it, so I run Opera very successfully - so I don't know why the logfile is showing IE loaded.

    Looks pretty much like the other scan to me.

    regards
     
  10. 2004/12/23
    bg9208

    bg9208 Inactive Thread Starter

    Joined:
    2004/10/04
    Messages:
    252
    Likes Received:
    1
    Elite

    Just a belated PS to my last post. My system doesn't have much running on it at the moment, as my other PC is the one linked to all the useful peripherals and (crossed fingers) doesn't seem to be having any problems, just the odd DS Exploit which Spybot can now kill.
    This may be the reason that the process list is so sparse.

    Brian Owen
     
  11. 2004/12/23
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hello

    That appears to be W32/Rbot-QK.
    Download PocketKillBox
    http://www.downloads.subratam.org/KillBox.zip
    Unzip it, close all open programs, windows and browsers (internet connection).
    Double-click Killbox.exe.
    Check the box to delete on reboot.
    In the "Full path or file to delete" (paste the following)
    C:\WINDOWS\System32\ccsrn.exe
    Click the red X to delete the file on reboot and answer no.
    Do the same for >
    C:\WINDOWS\System32\taksmgr.exe
    Exit Killbox and restart your PC (don't worry about the errors on startup).

    Run HijackThis and have it fix these items.
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [Sygate Personals Firewalls] ccsrn.exe
    O4 - HKLM\..\Run: [Start Upping] taksmgr.exe
    O4 - HKLM\..\RunServices: [Sygate Personals Firewalls] ccsrn.exe
    O4 - HKLM\..\RunServices: [Start Upping] taksmgr.exe
    O4 - HKCU\..\Run: [Start Upping] taksmgr.exe
    O4 - HKCU\..\Run: [Sygate Personals Firewalls] ccsrn.exe

    ==================
    Install at least a free anti-virus and firewall program.
    Don't make the common mistake of installing more than one anti-virus or firewall.
    Computer Associates offers a free one-year subscription for all Microsoft users for eTrust EZ Armor, an antivirus and firewall utility. eTrust EZ Armor Security Suite http://my-etrust.com/microsoft/index.cfm?
    AVG Anti-Virus-Free: http://www.grisoft.com/us/us_dwnl_free.php
    AntiVir Personal Edition: http://www.free-av.com/
    avast! 4 Home - Free antivirus software :
    http://www.asw.cz/eng/free_virus_protectio.html

    ZoneAlarm provides a paid-for and a free version http://www.zonelabs.com/

    Kerio Personal Firewall
    For home users, Kerio Personal Firewall 4 is available in two flavors -
    the full edition and the limited free edition.
    http://www.kerio.com/us/kpf_download.html

    Sygate free for personal/home http://soho.sygate.com/products/spf_standard.htm

    http://www.outpost.uk.com/outpost/profree.html
     
  12. 2004/12/23
    TonyT

    TonyT SuperGeek Staff

    Joined:
    2002/01/18
    Messages:
    9,072
    Likes Received:
    400
    The log file does NOT show that IE is loaded. It shows the version of IE that is installed on your computer, that's all. Loaded = Running Processes, and explorer.exe is not IE. IE would show up as iexplore.exe
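    A triage pass over the log posted above, written as an added example (it is not code from the thread, from HijackThis or from Spybot). It keeps the header apart from the running-process list, which is TonyT's point: "MSIE:" records the installed version, and a running browser would appear as iexplore.exe among the processes. It then flags the autostart entries Lonny listed for fixing and, by matching each bare Run value against the process list, recovers the full System32 paths he gave for Killbox. The LOOKALIKE_TARGETS list and the two heuristics (a bare filename with no install path, and a one-edit lookalike of a system binary) are assumptions of this example, not HijackThis rules.

```python
"""Triage a HijackThis v1.99 log: keep the header apart from the running
processes, flag autostart entries worth a closer look, and derive the on-disk
paths a delete-on-reboot tool would need. Added example, not code from the
thread or from HijackThis; LOOKALIKE_TARGETS is an assumed list for the demo."""
import re

# The log posted earlier in the thread, inlined so the script runs offline.
HJT_LOG = r"""
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ccsrn.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\taksmgr.exe
C:\virusscan\HijackThis.exe

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Sygate Personals Firewalls] ccsrn.exe
O4 - HKLM\..\Run: [Start Upping] taksmgr.exe
O4 - HKLM\..\RunServices: [Sygate Personals Firewalls] ccsrn.exe
O4 - HKLM\..\RunServices: [Start Upping] taksmgr.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Start Upping] taksmgr.exe
O4 - HKCU\..\Run: [Sygate Personals Firewalls] ccsrn.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

ITEM_RE = re.compile(r"^(O\d+) - (.*)$")
O4_RE = re.compile(r"^(?P<key>.+?): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
LOOKALIKE_TARGETS = ["taskmgr.exe", "csrss.exe", "svchost.exe", "lsass.exe", "explorer.exe"]

def parse_hjt_log(text):
    """(header, processes, items). 'MSIE:' is the installed version only; a
    running browser would show as iexplore.exe under 'Running processes:'."""
    header, processes, items, in_procs = {}, [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ITEM_RE.match(line)
        if m:
            items.append((m.group(1), m.group(2)))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif line.startswith(("Platform:", "MSIE:")):
            key, _, val = line.partition(":")
            header[key] = val.strip()
    return header, processes, items

def osa_distance(a, b):
    """Levenshtein plus adjacent transposition: 'taksmgr' is 1 from 'taskmgr'."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + (a[i-1] != b[j-1]))
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[len(a)][len(b)]

def executable_of(cmd):
    """Program named by a Run value: a quoted path, or the text up to '.exe'."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

def triage(processes, items):
    """Findings as (hjt_line, reasons, path the binary is running from or None)."""
    by_name = {p.rsplit("\\", 1)[-1].lower(): p for p in processes}
    findings = []
    for tag, body in items:
        reasons, running = [], None
        if tag == "O2" and body.endswith("(no file)"):
            reasons.append("BHO CLSID registered but its DLL is missing")
        elif tag == "O4":
            m = O4_RE.match(body)
            # Registry entries carry "[name] command"; Global Startup carries "x.lnk = target".
            cmd = m.group("cmd") if m.group("name") is not None else m.group("cmd").split(" = ", 1)[-1]
            exe = executable_of(cmd)
            base = exe.rsplit("\\", 1)[-1].lower()
            if "\\" not in exe:  # installers write full paths; a bare name is found via the search path
                reasons.append("bare filename, no install path")
            reasons += [f"lookalike of {t}" for t in LOOKALIKE_TARGETS if base != t and osa_distance(base, t) == 1]
            running = by_name.get(base)  # ties the registry value to a live process and its real path
        if reasons:
            findings.append((f"{tag} - {body}", reasons, running))
    return findings

def fix_plan(findings):
    """Lines to tick in HijackThis, and files to delete on reboot (paths come
    from the process list, since the registry value only gives a bare name)."""
    return [f for f, _, _ in findings], sorted({p for _, _, p in findings if p})

if __name__ == "__main__":
    header, procs, items = parse_hjt_log(HJT_LOG)
    print("Installed IE per header:", header["MSIE"])
    lines, paths = fix_plan(triage(procs, items))
    print("\n".join(lines), "\nDelete on reboot:", paths)
```

    Run as a script it prints the same seven lines Lonny asked to have fixed and the two System32 paths he gave for Killbox. The heuristics are deliberately narrow: a flag is a prompt to look, and it is the match against a live process that turns a bare registry value into a concrete file to delete on reboot.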
     
  13. 2004/12/24
    bg9208

    bg9208 Inactive Thread Starter

    Joined:
    2004/10/04
    Messages:
    252
    Likes Received:
    1
    elitum

    Thanks Newt, Lonny and Tony for your help and advice. The offending bug was duly removed and everything was fine - for a couple of hours - then a series of problems occurred: first it wouldn't read floppies, then the monitor picture kept changing colours and blanking for a while; finally, after switching off and rebooting, the message 'no system installed' flashed up. Trying to change the BIOS settings, the cursor couldn't be moved, well it could, but it kept moving back to the first item. After checking the internal connections and verifying that the HD was OK on another PC, I finally gave up after hours of trying and decided to move all the important bits to another barebones PC that has a Cyrix 6x86MX 266 chip.
    Hope I get along better with this one.
    If not - I will once again pick the brains of the WindowsBBS experts.
     