
Elite toolbar and other nasties. HJT log.

Discussion in 'Malware and Virus Removal Archive' started by Vortigern Wolf, 2005/02/02.

Thread Status:
Not open for further replies.
  1. 2005/02/02
    Vortigern Wolf

    Vortigern Wolf Inactive Thread Starter

    Joined:
    2002/11/11
    Messages:
    57
    Likes Received:
    0
    Hi

    Have a computer that has elitetoolbar and other nasties upon it. Need some experienced help in removing them please.

    Have run Ad Aware and it has removed some nasties, have run hijack this here is the log:

    Logfile of HijackThis v1.99.0
    Scan saved at 09:39:18, on 02/02/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\ntosrkl.exe
    C:\WINDOWS\System32\winasp.exe
    C:\WINDOWS\System32\GSICON.EXE
    C:\WINDOWS\System32\dslagent.exe
    C:\WINDOWS\System32\PopUpBlockerd.exe
    C:\WINDOWS\System32\realone.exe
    C:\WINDOWS\system32\defragfatx.exe
    C:\WINDOWS\lsasss.exe
    C:\DOCUME~1\GREGGS~1\LOCALS~1\Temp\27.tmp.exe
    C:\WINDOWS\System32\mcafeshield.exe
    C:\WINDOWS\winagent.exe
    C:\WINDOWS\System32\cosine.exe
    C:\WINDOWS\system32\windns.exe
    C:\WINDOWS\clfmon.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Connect 4\hijackthis.exe

    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar.dll
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar.dll
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [Popup Blocker System32 Monitoring] PopUpBlockerd.exe
    O4 - HKLM\..\Run: [Real One Player] realone.exe
    O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfatx.exe
    O4 - HKLM\..\Run: [lsasss.exe] C:\WINDOWS\lsasss.exe
    O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\GREGGS~1\LOCALS~1\Temp\27.tmp.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Kernal Fault Check] ntosrkl.exe
    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\uaetr.exe
    O4 - HKLM\..\Run: [Mcafee Auto Protect] mcafeshield.exe
    O4 - HKLM\..\Run: [NvCplScan] winasp.exe
    O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
    O4 - HKLM\..\Run: [sssasasb32] C:\WINDOWS\sssasasb32.exe
    O4 - HKLM\..\Run: [MsnExplorer] C:\WINDOWS\winagent.exe /i
    O4 - HKLM\..\Run: [cosine] cosine.exe
    O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\windns.exe
    O4 - HKLM\..\Run: [clfmon] C:\WINDOWS\clfmon.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvnmo32.exe
    O4 - HKLM\..\RunServices: [Popup Blocker System32 Monitoring] PopUpBlockerd.exe
    O4 - HKLM\..\RunServices: [Real One Player] realone.exe
    O4 - HKLM\..\RunServices: [Kernal Fault Check] ntosrkl.exe
    O4 - HKLM\..\RunServices: [Mcafee Auto Protect] mcafeshield.exe
    O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
    O4 - HKLM\..\RunServices: [cosine] cosine.exe
    O4 - HKLM\..\RunOnce: [Kernal Fault Check] ntosrkl.exe
    O4 - HKLM\..\RunOnce: [NvCplScan] winasp.exe
    O4 - HKCU\..\Run: [Popup Blocker System32 Monitoring] PopUpBlockerd.exe
    O4 - HKCU\..\Run: [Real One Player] realone.exe
    O4 - HKCU\..\Run: [Kernal Fault Check] ntosrkl.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvCplScan] winasp.exe
    O4 - HKCU\..\Run: [Mcafee Auto Protect] mcafeshield.exe
    O4 - HKCU\..\Run: [cosine] cosine.exe
    O4 - HKCU\..\RunOnce: [Kernal Fault Check] ntosrkl.exe
    O4 - HKCU\..\RunOnce: [NvCplScan] winasp.exe
    O4 - Global Startup: Exif Launcher.lnk = ?
    O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Cfajhdoc.dll
    O21 - SSODL: mtklefap - {DCB557DF-0DA8-4FB4-18B5-162BF92CD7A1} - C:\WINDOWS\System32\ubttgz32.dll
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

    Thank you in advance for your help.

    Vortigern
     
  2. 2005/02/02
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    This PC is a major mess. It may be possible to clean it and have it run OK after the cleaning, but I wouldn't bet the farm on it.

    When you finish all the cleaning and updating, post a new HJT log.

    **********************************

    I haven't tried this EliteToolBar removal utility but the site that hosts it is reliable and it's free so should be well worth a try.
    Download here

    Meanwhile, use Hijackthis to scan and remove the following and then turn off system restore, boot to safe mode to run the EliteToolBar removal app, boot to normal mode and turn SR back on.

    Where an entry shows up multiple times, if I put in a comment on the first occurrence in the below list I didn't comment on the others, but the original comment applies. PopUpBlockerd.exe is an example.


    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar.dll
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar.dll
    O4 - HKLM\..\Run: [Popup Blocker System32 Monitoring] PopUpBlockerd.exe
    (note: can't find much on this one. If you are sure it is legit, keep it. Otherwise I'd get rid of it - O4 entry and then the file)
    O4 - HKLM\..\Run: [Real One Player] realone.exe
    (note: I think this is the installer piece for the RealOne player and only needed for the install. Shouldn't still be needed as a reg run entry)
    O4 - HKLM\..\Run: [Windows DLL Loader] C:\WINDOWS\system32\defragfatx.exe
    (note: I dunno for sure about this one either. Certainly nothing usual and given how eaten up this machine is, unless you know for sure about the file, I'd delete this O4 entry and later remove the file from the PC)
    O4 - HKLM\..\Run: [lsasss.exe] C:\WINDOWS\lsasss.exe
    (Note: Sasser worm dropped this one. Whatever AV you are running isn't working. Online AV scan when this cleaning is finished)
    O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\GREGGS~1\LOCALS~1\Temp\27.tmp.exe
    (note: clean out the temp folder for each user when you are done. Nothing should be running from there)
    O4 - HKLM\..\Run: [Kernal Fault Check] ntosrkl.exe
    O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\uaetr.exe
    O4 - HKLM\..\Run: [Mcafee Auto Protect] mcafeshield.exe
    (note: part of WORM_RBOT.BMM [trend's name] or W32/Rbot-UH [Sophos])
    O4 - HKLM\..\Run: [NvCplScan] winasp.exe
    (note: Exploit-DcomRpc.gen trojan)
    O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
    (note: after you finish, go to add/remove and try to get rid of this thing)
    O4 - HKLM\..\Run: [sssasasb32] C:\WINDOWS\sssasasb32.exe
    O4 - HKLM\..\Run: [MsnExplorer] C:\WINDOWS\winagent.exe /i
    O4 - HKLM\..\Run: [cosine] cosine.exe
    O4 - HKLM\..\Run: [clfmon] C:\WINDOWS\clfmon.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvnmo32.exe
    O4 - HKLM\..\RunServices: [Popup Blocker System32 Monitoring] PopUpBlockerd.exe
    O4 - HKLM\..\RunServices: [Real One Player] realone.exe
    O4 - HKLM\..\RunServices: [Kernal Fault Check] ntosrkl.exe
    O4 - HKLM\..\RunServices: [Mcafee Auto Protect] mcafeshield.exe
    O4 - HKLM\..\RunServices: [NvCplScan] winasp.exe
    O4 - HKLM\..\RunServices: [cosine] cosine.exe
    O4 - HKLM\..\RunOnce: [Kernal Fault Check] ntosrkl.exe
    O4 - HKLM\..\RunOnce: [NvCplScan] winasp.exe
    O4 - HKCU\..\Run: [Popup Blocker System32 Monitoring] PopUpBlockerd.exe
    O4 - HKCU\..\Run: [Real One Player] realone.exe
    O4 - HKCU\..\Run: [Kernal Fault Check] ntosrkl.exe
    O4 - HKCU\..\Run: [NvCplScan] winasp.exe
    O4 - HKCU\..\Run: [Mcafee Auto Protect] mcafeshield.exe
    O4 - HKCU\..\Run: [cosine] cosine.exe
    O4 - HKCU\..\RunOnce: [Kernal Fault Check] ntosrkl.exe
    O4 - HKCU\..\RunOnce: [NvCplScan] winasp.exe
    O4 - Global Startup: Exif Launcher.lnk = ?
    O21 - SSODL: Web Event Logger - {79FEACFF-FFCE-815E-A900-316290B5B738} - C:\WINDOWS\System32\Cfajhdoc.dll
    O21 - SSODL: mtklefap - {DCB557DF-0DA8-4FB4-18B5-162BF92CD7A1} - C:\WINDOWS\System32\ubttgz32.dll
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)

    You should try, while booted to safe mode to run the EliteToolBar, to locate and delete any file associated with an entry from the above list that you removed.

    Also run cleanmgr.exe and let it remove all the files it locates.

    This PC is badly in need of some onboard AV software and all the security patches it is missing. These would have stopped the majority of the problems you are now having to clean.
     
    Newt,
    #2
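The reply above does its triage by eye: it spots a lookalike of a core Windows process (lsasss.exe next to the real lsass.exe), an executable launched from a user's Temp folder, and the same binary registered under several Run/RunServices/RunOnce keys at once. The script below is an added example, not code from this thread or from HijackThis, that applies those three checks mechanically to O4 lines. The list of system process names, the edit-distance threshold of 1 and the "three or more run keys" threshold are assumptions chosen for illustration; the sample lines are excerpted from the log posted above.

```python
"""Triage helper for HijackThis O4 (registry autorun) entries.

Added example, not part of the thread and not HijackThis code. It flags:
  * basenames one edit away from a core Windows process name (lookalikes),
  * executables launched from a Temp folder,
  * one binary registered under several run keys (persistence redundancy).
Only registry-backed O4 lines (HKLM/HKCU Run, RunOnce, RunServices) are
parsed; "Global Startup" lines are skipped.
"""
import re
from collections import defaultdict

# Core process names that malware often imitates (assumed list, not exhaustive).
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
                "smss.exe", "services.exe", "spoolsv.exe", "explorer.exe"}

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce|RunServices): "
    r"\[(?P<name>.*)\] (?P<cmd>.*)$")
# First path-like token ending in .exe, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)

# Excerpt of the O4 entries from the HJT log posted in this thread.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [lsasss.exe] C:\WINDOWS\lsasss.exe",
    r"O4 - HKLM\..\Run: [[Ephemeral 2.5] by TreeHugger, ] C:\DOCUME~1\GREGGS~1\LOCALS~1\Temp\27.tmp.exe",
    r"O4 - HKLM\..\Run: [Kernal Fault Check] ntosrkl.exe",
    r"O4 - HKLM\..\Run: [Popup Blocker System32 Monitoring] PopUpBlockerd.exe",
    r"O4 - HKLM\..\RunServices: [Kernal Fault Check] ntosrkl.exe",
    r"O4 - HKLM\..\RunServices: [Popup Blocker System32 Monitoring] PopUpBlockerd.exe",
    r"O4 - HKLM\..\RunOnce: [Kernal Fault Check] ntosrkl.exe",
    r"O4 - HKCU\..\Run: [Kernal Fault Check] ntosrkl.exe",
    r"O4 - HKCU\..\Run: [Popup Blocker System32 Monitoring] PopUpBlockerd.exe",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O4 - HKCU\..\RunOnce: [Kernal Fault Check] ntosrkl.exe",
    r"O4 - Global Startup: Exif Launcher.lnk = ?",
]


def edit_distance(a, b):
    """Plain Levenshtein distance; small enough for short file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_o4(line):
    """Return hive/key/name/path/exe for a registry O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    exe_match = EXE_RE.match(m.group("cmd"))
    if not exe_match:
        return None
    path = exe_match.group("path")
    return {"hive": m.group("hive"), "key": m.group("key"),
            "name": m.group("name"), "path": path,
            "exe": path.rsplit("\\", 1)[-1].lower()}


def triage(lines, multi_key_threshold=3):
    """Map each suspicious executable name to a sorted list of reasons."""
    keys_by_exe = defaultdict(set)
    findings = defaultdict(set)
    for line in lines:
        entry = parse_o4(line)
        if entry is None:
            continue
        exe = entry["exe"]
        keys_by_exe[exe].add((entry["hive"], entry["key"]))
        for sysname in sorted(SYSTEM_NAMES):
            if 0 < edit_distance(exe, sysname) <= 1:  # threshold is an assumption
                findings[exe].add(f"lookalike of {sysname}")
        if re.search(r"\\temp\\", entry["path"], re.IGNORECASE):
            findings[exe].add("runs from a Temp folder")
    for exe, keys in keys_by_exe.items():
        if len(keys) >= multi_key_threshold:
            findings[exe].add(f"registered under {len(keys)} run keys")
    return {exe: sorted(reasons) for exe, reasons in findings.items()}


if __name__ == "__main__":
    for exe, reasons in sorted(triage(SAMPLE_O4_LINES).items()):
        print(f"{exe}: {', '.join(reasons)}")
```

The checks are deliberately cheap heuristics for prioritising what to look up, not a verdict: a legitimate installer can register under two keys, and a name one edit from lsass.exe is only suspicious because lsass.exe itself is never started from a Run key. Feed it the full O4 block from a log and the output is a short list of binaries to research first.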

