buffduffdan

Elite Toolbar


Every time I open up MSN Messenger, an internet explorer is opened up with a toolbar that is called Elite Toolbar. I can't seem to get rid of it. I think I got it by accepting a virus accidentally via MSN. Here's my HJT log:

 

Logfile of HijackThis v1.99.1

Scan saved at 18:21:57, on 18/04/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

C:\WINDOWS\system32\msnmesg.exe

C:\WINDOWS\system32\msnmesg.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

C:\Program Files\Windows Media Player\wmplayer.exe

c:\socks.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

D:\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [MSN Messages] msnmesg.exe

O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] c:\socks.exe

O4 - HKLM\..\RunServices: [MSN Messages] msnmesg.exe

O4 - HKCU\..\Run: [MSN Messages] msnmesg.exe

O4 - HKCU\..\RunServices: [MSN Messages] msnmesg.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109714764879

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssi...ureUploader.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe

O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe


Hi buffduffdan

 

Let's see if this tool works as advertised.

 

Download and Run this Elitebar removal tool - http://www.simplytech.it/ETRemover

 

You have had and possibly still have Viruses and Trojans on your PC.

That is the reason I ask that you run the programs outlined after the following fix.

 

 

Please set your computer to show all files.

 

* Double-click My Computer.

* Click the Tools menu, and then click Folder Options.

* Click the View tab.

* Clear "Hide file extensions for known file types."

* Under the "Hidden files" folder, select "Show hidden files and folders."

* Clear "Hide protected operating system files."

* Click Apply, and then click OK.

 

 

Close all browser windows and RUN HijackThis.

Click the SCAN button to produce a log.

Place a check mark beside each one of the following entries:

 

 

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll

O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] c:\socks.exe

 

Now with all the items selected, delete them by clicking the FIX checked button.

 

Reboot into Safe Mode: please see here if you are not sure how to do this.

 

 

Using Windows Explorer, locate the following files/folders in DARK, and delete them (if they are present):

 

 

C:\WINDOWS\EliteToolBar

c:\socks.exe

 

Reboot and enable hidden files.

 

Please use the following links to run one, or more of the three online Virus Scanners, including Trend Micro and let them fix whatever they find. One may find some things and another will find different things. The more you run, the more likely you are to find everything.

 

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location, so you can delete it yourself.

 

TrendMicro HouseCall

eTrust AntiVirus Web Scanner

Panda ActiveScan

Note anything that can't be fixed.

Reboot when done.

 

And here are links to two online Trojan Scanners. Let's run one, or both of these too.

 

http://scan.sygatetech.com/pretrojanscan.html

 

And here:

http://www.windowsecurity.com/trojanscan/

 

If you are unable to get or use either of the online Trojan Scanners above...........

 

Go here http://www.trojanhunter.com/ and download and run the free trial of Trojan Hunter.

 

Then,

Please download and install Ad-Aware SE and Spybot S&D according to the following instructions. If you already have these programs, please make sure they are the latest version (Ad-Aware SE Personal 1.05, Spybot Search and Destroy 1.3) and have been updated today. Then run full systems scans as described below.

 

Install and how to use the NEW Ad-aware SE

http://www.bleepingcomputer.com/forums/ind...showtutorial=48

 

Reboot after using Ad-Aware SE.

Download the VX cleaner plug in for Adaware. Install it, then open Adaware & go to *add-ons* & run the plug-in. If anything is found, select *clean system* & when done, reboot & run Adaware & let it finish the clean-up. Reboot again.

 

 

Would you please download the Spybot S&D program from here Spybot S&D 1.3 and install it.

  • Select Search for updates.
  • Then select all available updates that are displayed in the white box.
  • Select a download mirror nearest your location.
  • Then select Download updates .
  • Shut down and restart Spybot.
  • Select the Search and destroy icon and click on Check for Problems.
  • Delete/fix anything that spybot lists In RED.

 

Then, please REBOOT, to allow Spybot to finish working

 

The following step is important as you may have several malware files in your temp directories.

 

Then browse to the C:\documents and settings\Your User Name (repeat for all other user names in documents and settings)\local settings\temp folder and delete all files and folders in it.

Then browse to the C:\Windows\Temp folder and delete all files and folders in it.

Then in Internet Explorer click Tools>Internet Options>General. Click on Delete Files; make sure you get all offline content as well.

 

Then please run Hijack This, copy the log and post it here, in this string, using the New Reply feature, so I will be notified.

 

Please do not attempt to FIX anything in the fresh log. We need to see the entire log, as it is.


Logfile of HijackThis v1.99.1

Scan saved at 18:45:26, on 19/04/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Toolbar\TBPS.exe

C:\PROGRA~1\Toolbar\PIB.exe

c:\PROGRA~1\Toolbar\radio.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe

C:\PROGRA~1\Toolbar\TBPSSvc.exe

C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

C:\Program Files\Common Files\WinTools\WToolsS.exe

C:\Program Files\Common Files\WinTools\WToolsA.exe

C:\Program Files\Common Files\WinTools\WSup.exe

C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

C:\Program Files\Preview AdService\PrevAdServ.exe

C:\WINDOWS\system32\msnmesg.exe

C:\WINDOWS\system32\msnmesg.exe

C:\Program Files\Preview AdService\PrevAdKeep.exe

C:\Program Files\Internet Explorer\iexplore.exe

D:\HijackThis.exe

C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\XPVYT5LF\GoogleToolbarInstaller[1].exe

C:\Documents and Settings\Daniel\Local Settings\Temporary Internet Files\Content.IE5\XPVYT5LF\sxe3.tmp

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe

O4 - HKLM\..\Run: [MSN Messages] msnmesg.exe

O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [sAHBundle] C:\DOCUME~1\Daniel\LOCALS~1\Temp\SAHAGE~1.EXE run

O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe

O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe

O4 - HKLM\..\RunServices: [MSN Messages] msnmesg.exe

O4 - HKCU\..\Run: [MSN Messages] msnmesg.exe

O4 - HKCU\..\RunServices: [MSN Messages] msnmesg.exe

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109714764879

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssi...ureUploader.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe

O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe

O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe


Hi buffduffdan

 

Well, we got rid of one parasite, only to be attacked by several even worse undesirables. Looks like you need some additional protection. I'll provide you with that as soon as we have got you cleaned up a bit, maybe sooner if they keep jumping on.

 

Download the stand-alone version of CWShredder 2.12

http://cwshredder.net/bin/CWShredder.exe

 

Then close every window, disconnect from Internet and doubleclick the CWShredder icon on your Desktop.

Click Fix and then Next, let it fix everything it asks about.

 

 

Please use ctl/alt/del to go into Task Manager. Highlight the following and click on END PROCESS.

 

WinTools, WToolsA, WinToolsSvc, WToolsS, OR ANY WINTOOLS VARIANT

 

Toolbar (and any Toolbar you do not know, or want.)

 

Preview AdService

Then, exit Task Manager.

 

Then, Please go to Start>Settings>Control panel>Add/Remove Programs and Uninstall/Remove:

 

WinTools, WToolsA, WinToolsSvc, WToolsS, OR ANY WINTOOLS VARIANT

 

Toolbar (and any Toolbar you do not know, or want.)

 

Preview AdService

 

Please set your computer to show all files.

 

* Double-click My Computer.

* Click the Tools menu, and then click Folder Options.

* Click the View tab.

* Clear "Hide file extensions for known file types."

* Under the "Hidden files" folder, select "Show hidden files and folders."

* Clear "Hide protected operating system files."

* Click Apply, and then click OK.

 

Close all browser windows and RUN HijackThis.

Click the SCAN button to produce a log.

Place a check mark beside each one of the following entries: (Do not be concerned if they are not all there.)

 

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50245

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa

O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll

O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

O4 - HKLM\..\Run: [sAHBundle] C:\DOCUME~1\Daniel\LOCALS~1\Temp\SAHAGE~1.EXE run

O4 - HKLM\..\Run: [Preview AdService] C:\Program Files\Preview AdService\PrevAdServ.exe

O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe

O4 - HKLM\..\RunServices: [MSN Messages] msnmesg.exe

O4 - HKCU\..\Run: [MSN Messages] msnmesg.exe

O4 - HKCU\..\RunServices: [MSN Messages] msnmesg.exe

O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll

O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe

O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe

 

Now with all the items selected, delete them by clicking the FIX checked button.

 

Reboot into Safe Mode: please see here if you are not sure how to do this.

 

 

Using Windows Explorer, locate the following files/folders in DARK, and delete them:

 

 

C:\PROGRA~1\Toolbar

 

C:\PROGRA~1\COMMON~1\WinTools

 

C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe

 

C:\Program Files\Preview AdService

 

C:\PROGRA~1\Toolbar\TBPS.exe

 

C:\Program Files\Common Files\WinTools\WToolsS.exe

 

C:\DOCUME~1\Daniel\LOCALS~1\Temp\SAHAGE~1.EXE

 

If you were unable to find, or delete any of the files then please follow these additional instructions:

 

Download Pocket Killbox and unzip it; save it to your Desktop.

 

Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

 

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

 

Let the system reboot, enable hidden files and post a fresh Hijack This log in this thread, Using the New Reply: feature, so I will be notified.

 

Note: Do not attempt to "Fix" anything in the new log, as we need to see the entire log.


That stupid elitetoolbar is still there. It keeps randomly opening internet explorers and I think it may be causing most of the pop-ups I receive as well. The EliteToolbarRemover didn't work and I keep deleting it and removing it but it just keeps coming back. HELP!

 

Logfile of HijackThis v1.99.1

Scan saved at 21:23:25, on 26/04/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\msnmesg.exe

C:\WINDOWS\system32\msnmesg.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

c:\s.exe

C:\Program Files\Windows Media Player\wmplayer.exe

D:\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll

O4 - HKLM\..\Run: [MSN Messages] msnmesg.exe

O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] c:\s.exe

O4 - HKLM\..\RunServices: [MSN Messages] msnmesg.exe

O4 - HKCU\..\Run: [MSN Messages] msnmesg.exe

O4 - HKCU\..\RunServices: [MSN Messages] msnmesg.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109714764879

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssi...ureUploader.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe

O23 - Service: Windows Media Connect (WMC) (WmcCds) - Unknown owner - c:\program files\windows media connect\mswmccds.exe (file missing)

O23 - Service: Windows Media Connect (WMC) Helper (WmcCdsLs) - Unknown owner - C:\Program Files\Windows Media Connect\mswmcls.exe (file missing)


Hi buffduffdan

 

Protection Recommendations:

 

If you don't have these three FREE programs I would recommend that you get them, without delay. Possibly, they will help prevent some of these problems. Spywareblaster, Spywareguard and IESPY AD. They will add 1000's of sites to your restricted zone and block some hijacks from happening.

 

Next:

Please download LQFix

 

1) Reboot into Safe Mode

How to use the F8 method to Start Your Computer in Safe Mode

 

* Restart the computer.

* As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.

* Use the arrow keys to select the Safe mode menu item.

* Press Enter.

 

 

2) Run the Program just downloaded.

 

3) Then, Reboot.

 

Then,

 

Use ctl/alt/delete to go to Task Manager and look for Elite, Elite Toolbar or any variant. Highlight if found and click on END PROCESS.

 

Next:

 

Go to Start>Settings>Control Panel>Add/Remove Programs and Uninstall/Remove Elite, Elite Toolbar or any variant.

 

 

Please set your computer to show all files.

 

* Double-click My Computer.

* Click the Tools menu, and then click Folder Options.

* Click the View tab.

* Clear "Hide file extensions for known file types."

* Under the "Hidden files" folder, select "Show hidden files and folders."

* Clear "Hide protected operating system files."

* Click Apply, and then click OK.

 

Close all browser windows and RUN HijackThis.

Click the SCAN button to produce a log.

Place a check mark beside each one of the following entries:

 

 

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll

O4 - HKLM\..\Run: [MSN Messages] msnmesg.exe

O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] c:\s.exe

O4 - HKLM\..\RunServices: [MSN Messages] msnmesg.exe

O4 - HKCU\..\Run: [MSN Messages] msnmesg.exe

O4 - HKCU\..\RunServices: [MSN Messages] msnmesg.exe

 

The following are recommended fixes:

Unless you know and trust the following, fix them with Hijack This.

 

O16 - DPF: {A243F6C2-34D2-4549-BCCD-A7BEF759B236} (Seekford Solutions, Inc.'s ssiPictureUploader Control) - http://img.funtigo.com/images/uploader/ssi...ureUploader.cab

O23 - Service: Windows Media Connect (WMC) (WmcCds) - Unknown owner - c:\program files\windows media connect\mswmccds.exe (file missing)

O23 - Service: Windows Media Connect (WMC) Helper (WmcCdsLs) - Unknown owner - C:\Program Files\Windows Media Connect\mswmcls.exe (file missing)

 

Now with all the items selected, delete them by clicking the FIX checked button.

 

Reboot into Safe Mode and enable hidden files: see here if you are not sure how to do this.

 

 

Using Windows Explorer, locate the following files/folders in DARK, and delete them (if they are present):

 

 

C:\WINDOWS\EliteToolBar

c:\s.exe

c:\program files\windows media connect

C:\Program Files\Windows Media Connect\mswmcls.exe

msnmesg.exe (An All Files search will be needed for this)

 

If you were unable to find any of the files then please follow these additional instructions:

 

Download Pocket Killbox and unzip it; save it to your Desktop.

 

Run it, and click the radio button that says Delete a file on reboot. For each of the files you could not delete, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

 

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

 

Let the system reboot.

 

Reboot, enable hidden files and post a fresh Hijack This log in this thread, using the New Reply: feature, so I will be notified.


Ok it seems to have disappeared and hopefully it won't come back.

 

Logfile of HijackThis v1.99.1

Scan saved at 21:22:27, on 27/04/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Windows Media Player\wmplayer.exe

D:\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1109714764879

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab

O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab

O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe


Hi buffduffdan

 

Yes, looks like that took care of it. Nothing left but an orphaned entry.

 

Your Hijack This log seems to be clean. If everything is back to normal, this is a good time to reset your System Restore.

 

One of the best features of Windows XP is the System Restore option, however if a virus infects a computer with this operating system the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.

 

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

 

(winXP)

 

1. Turn off System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

Check Turn off System Restore.

Click Apply, and then click OK.

 

2. Reboot.

 

3. Turn ON System Restore.

On the Desktop, right-click My Computer.

Click Properties.

Click the System Restore tab.

UN-Check *Turn off System Restore*.

Click Apply, and then click OK.

 

Those Programs offered in my last post will go far to protect your PC on the Internet. I would advise downloading them as soon as possible.


Hello buffduffdan

 

Let's give this a try. Sent to us by our friend Jacee.

Download this tool: http://home.filternet.nl/~hansp21/LQFix.bat

Unzip it to your Desktop.

 

Please boot into safe mode:

Restart the computer

Immediately begin tapping the <F8> key.

Use the arrow keys to highlight Safe Mode and press the <Enter> key.

 

Double click on the tool to run it.

 

Reboot normally. Rescan with HJT and post a new log.

 

That's to clean up the mess left by ELITE TOOLBAR.

 

Thanks Jacee. :lol:
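
Added example, not part of any post in this thread and not HijackThis's own logic: a small Python triage that parses HijackThis entry lines, reports what is new between two logs, and flags the patterns acted on in the replies above (orphaned "(no file)" / "(file missing)" entries, "Unknown owner" services, Run entries launching from a drive root or a Temp folder). The sample lines are excerpts copied from the 18/04 and 19/04 logs in this thread; the function names, flag names and heuristics are assumptions for illustration and are triage hints, not verdicts.

```python
import re
from typing import NamedTuple


class Entry(NamedTuple):
    code: str    # HijackThis section code, e.g. "R0", "O4", "O23"
    detail: str  # everything after "CODE - "


# Entry lines look like "O4 - HKLM\..\Run: [name] command".
# Header lines and the "Running processes" list do not match and are skipped.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")

# Assumed heuristics (not taken from HijackThis itself):
# an O4 autorun whose executable sits directly in a drive root ...
ROOT_EXE_RE = re.compile(r"\]\s*[A-Za-z]:\\[^\\\s]+\.exe\b", re.I)
# ... or anywhere under a Temp folder.
TEMP_RE = re.compile(r"\\Temp\\", re.I)

# Excerpt of the 18/04/2005 log posted in this thread.
LOG_18 = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] c:\socks.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
"""

# Excerpt of the 19/04/2005 log posted in this thread.
LOG_19 = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - (no file)
O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [sAHBundle] C:\DOCUME~1\Daniel\LOCALS~1\Temp\SAHAGE~1.EXE run
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: WinTools for IE service (WinToolsSvc) - Unknown owner - C:\Program Files\Common Files\WinTools\WToolsS.exe
"""


def parse_log(text):
    """Return the entry lines of a HijackThis log, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
    return entries


def flags(entry):
    """Return the heuristic flags that apply to one entry."""
    found = []
    # Registry entry survives but the file it points to is gone.
    if entry.detail.endswith(("(no file)", "(file missing)")):
        found.append("orphaned")
    # Service binary carries no company name in its version info.
    if entry.code == "O23" and "Unknown owner" in entry.detail:
        found.append("unknown-owner-service")
    if entry.code == "O4":
        if ROOT_EXE_RE.search(entry.detail):
            found.append("autorun-in-drive-root")
        if TEMP_RE.search(entry.detail):
            found.append("autorun-from-temp")
    return found


def triage(before_text, after_text):
    """List entries of the later log that are new or flagged.

    Returns (entry, is_new, flags) tuples in log order.
    """
    seen = set(parse_log(before_text))
    report = []
    for entry in parse_log(after_text):
        is_new = entry not in seen
        entry_flags = flags(entry)
        if is_new or entry_flags:
            report.append((entry, is_new, entry_flags))
    return report


if __name__ == "__main__":
    for entry, is_new, entry_flags in triage(LOG_18, LOG_19):
        tag = "NEW" if is_new else "old"
        print(f"[{tag}] {entry.code} {', '.join(entry_flags) or '-'}")
        print(f"      {entry.detail}")
```

An unflagged entry is not a clean one: the `&EliteBar` BHO in the first log carries no flag here and still had to be recognised by name.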
