searchmiracle and elitesidebar removal help please


  • This topic is locked

#1 death_hand (Member, 56 posts)

Hi,

My system has become infected with the searchmiracle and elitesidebar adware.

I've run Ad-Aware 6, Spybot S&D and Microsoft AntiSpyware over and over, but they can't completely remove the spyware as it keeps re-installing itself, and I need help with how to use the HijackThis software.

Thanks for your help in advance :tazz:

DH

#2 death_hand (Topic Starter)

Logfile of HijackThis v1.99.1
Scan saved at 10:35:48, on 12/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spss_lmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.ac.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CPQHotkeys] hotkeysvc.exe
O4 - HKLM\..\Run: [CTHelper] cthelper.exe
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\WINFRW.EXE
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitewsr32.exe
O4 - HKLM\..\RunServices: [CPQHotkeys] hotkeysvc.exe
O4 - HKLM\..\RunServices: [CTHelper] cthelper.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CPQHotkeys] hotkeysvc.exe
O4 - HKCU\..\Run: [CTHelper] cthelper.exe
O4 - HKCU\..\Run: [PcSync] PCsync.exe
O4 - HKCU\..\RunServices: [CPQHotkeys] hotkeysvc.exe
O4 - HKCU\..\RunServices: [CTHelper] cthelper.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download all by Free Download Manager - file://D:\My Documents\Uni Work\EDMUS\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://D:\My Documents\Uni Work\EDMUS\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://D:\My Documents\Uni Work\EDMUS\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://D:\My Documents\Uni Work\EDMUS\Free Download Manager\dlpage.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...4/OCI/setup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100103577619
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay10...ex/HMAtchmt.ocx
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Spss License Manager (SpssLM) - Unknown owner - C:\WINDOWS\system32\spss_lmd.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#3 death_hand (Topic Starter)

Help

Anyone??? :tazz:

#4 death_hand (Topic Starter)

BTTT

#5 death_hand (Topic Starter)

Bumped - someone plz help me. I've seen that you can sort this exact problem but I just need to know what to delete using HJT :tazz: ;)

#6 Guest_thatman_* (Guest)

Hi death_hand

Welcome to geekstogo ;)

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.

Enable hidden files and folders: be sure you're able to enable hidden files and folders.

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run CWShredder
-Next, click on the: ‘Fix’ button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
1. If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
2. After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
3. Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
4. Once the definitions have been updated:
5. Reconfigure Ad-Aware for Full Scan as per the following instructions:
* Launch the program, and click on the Gear at the top of the start screen.
* Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is grayed out, those features are only available in the retail version.)
o "Automatically save logfile"
o Automatically quarantine objects prior to removal"
o Safe Mode (always request confirmation)
o Prompt to update outdated confirmation) - Change to 7 days.
* Click the "Scanning" button (On the left side).
* Under Drives & Folders, select "Scan within Archives"
* Click "Click here to select Drives + folders" and select your installed hard drives.
* Under Memory & Registry, select all options.
* Click the "Advanced" button (On the left-hand side).
* Under "Shell Integration", select "Move deleted files to Recycle Bin".
* Under "Log-file detail", select all options.
* Click on the "Defaults" button on the left.
* Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
* Click the "Tweak" button (Again, on the left-hand side).
* Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
o "Unload recognized processes during scanning."
o "Obtain command line of scanned processes"
o "Scan registry for all users instead of current user only"
* Under "Cleaning Engine", select the following:
o "Automatically try to unregister objects prior to deletion."
o "During removal, unload explorer and IE if necessary"
o "Let Windows remove files in use at next reboot."
o "Delete quarantined objects after restoring"
* Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
* Click on "Proceed" to save these Preferences.
* Click on the "Scan Now" button on the left.
* Under "Select Scan Mode, be sure to select "Use Custom Scanning Options".
6. Close all programs except ad-aware.
7. Click on "Next" in the bottom right corner to start the scan.
8. Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
9. After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.

Run HJT, close any open windows, and fix the following items (if they are still there):

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.ac.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R3 - URLSearchHook: (no name) - _{12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar.dll
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar.dll
O4 - HKLM\..\Run: [CPQHotkeys] hotkeysvc.exe
O4 - HKLM\..\Run: [CTHelper] cthelper.exe
O4 - HKLM\..\Run: [Windows System Configuration] C:\WINDOWS\WINFRW.EXE
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitewsr32.exe
O4 - HKLM\..\RunServices: [CPQHotkeys] hotkeysvc.exe
O4 - HKLM\..\RunServices: [CTHelper] cthelper.exe
O4 - HKCU\..\Run: [CPQHotkeys] hotkeysvc.exe
O4 - HKCU\..\Run: [CTHelper] cthelper.exe
O4 - HKCU\..\RunServices: [CPQHotkeys] hotkeysvc.exe
O4 - HKCU\..\RunServices: [CTHelper] cthelper.exe


Click on Fix Checked and exit HijackThis.

Using Windows Explorer, locate the following files/folders, and delete them if found:

C:\WINDOWS\EliteToolBar\ <-- Delete the whole folder
hotkeysvc.exe <-- Delete this file
cthelper.exe <-- Delete this file
C:\WINDOWS\WINFRW.EXE <-- Delete this file
C:\windows\system32\elitewsr32.exe <-- Delete this file


Reboot into normal mode (simply restart your computer as you normally would),

Please run the following free, online virus scans.

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Please post the logs from both virus scans and a fresh HJT log; we will need them to remove previous infections that have left files on your system.

Kc :tazz:
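As an added example (not from the thread, from Kc, or from HijackThis itself), the script below parses the R/O entries of a HijackThis 1.99 log, flags the searchmiracle/EliteBar indicators listed in the fix list above, and diffs two scans so you can see what a cleanup pass left behind. The sample logs are short excerpts of the logs posted in this thread; the "unqualified path" heuristic is the editor's own assumption, not something HijackThis reports.

```python
"""Parse HijackThis v1.99 log entries, flag the thread's searchmiracle/EliteBar indicators, diff two scans."""
import re
from dataclasses import dataclass, field

# Indicators taken from the thread (Kc's fix list and the later [etbrun] entry).
SUSPECT_HOSTS = {"searchmiracle.com", "www.searchmiracle.com"}
SUSPECT_PATH_RES = [re.compile(p, re.I) for p in
                    (r"\\Elite(ToolBar|SideBar)\\", r"\\elite[a-z]{3}32\.exe$", r"\\WINFRW\.EXE$")]
SUSPECT_RUN_NAMES = {"hotkeysvc.exe", "cthelper.exe"}

# The "Rn - ..." / "On - ..." line shape, then one pattern per entry family (O4 Run, R0/R1 IE, objects).
LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
IE_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\(?P<key>[^,]+),(?P<value>[^=]+) = (?P<data>.*)$")
OBJ_RE = re.compile(r"^(?P<kind>BHO|Toolbar|Service|DPF): (?P<name>.*?) - (?P<rest>.*)$")

@dataclass
class HjtEntry:
    section: str   # R0, R1, O2, O4, O23, ...
    raw: str       # the line as HijackThis printed it
    fields: dict = field(default_factory=dict)  # hive/key/name/cmd/data/rest when recognised

def parse_hjt_log(text):
    """One HjtEntry per R/O line; the header and 'Running processes' block are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entry = HjtEntry(m.group("section"), line.strip())
        for rx in (RUN_RE, IE_RE, OBJ_RE):
            sub = rx.match(m.group("body"))
            if sub:
                entry.fields = sub.groupdict()
                break
        entries.append(entry)
    return entries

def _exe_of(cmd):
    cmd = cmd.strip()  # first token of a Run command, honouring a quoted path
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]

def flag_entry(entry):
    """Reasons (possibly none) why this entry belongs to the infection described in the thread."""
    reasons, f = [], entry.fields
    target = f.get("data") or f.get("cmd") or f.get("rest") or ""
    host = re.match(r"^https?://([^/]+)", target, re.I)
    if host and host.group(1).lower() in SUSPECT_HOSTS:
        reasons.append(f"points at {host.group(1).lower()}")
    if any(rx.search(target) for rx in SUSPECT_PATH_RES):
        reasons.append("EliteBar file path")
    if entry.section == "O4":
        exe = _exe_of(f.get("cmd", "")).lower()
        if exe in SUSPECT_RUN_NAMES:
            reasons.append(f"run entry named in the thread: {exe}")
        # Editor's heuristic (an assumption, not a HijackThis rule): a bare file name is resolved via the
        # search path, which is how hotkeysvc.exe / cthelper.exe sat beside the legitimate SOUNDMAN.EXE.
        elif exe and "\\" not in exe:
            reasons.append("unqualified path, verify by hand")
    return reasons

def triage(text):
    """Map each flagged raw log line to its reasons, preserving log order."""
    result = {}
    for entry in parse_hjt_log(text):
        reasons = flag_entry(entry)
        if reasons:
            result[entry.raw] = reasons
    return result

def diff_logs(before, after):
    """(entries gone since 'before', entries new in 'after'), compared on the raw line."""
    b = {e.raw for e in parse_hjt_log(before)}
    a = {e.raw for e in parse_hjt_log(after)}
    return sorted(b - a), sorted(a - b)

# Constructed sample input: short excerpts of the 12/03 and 16/03 logs posted in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.ac.uk/
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTHelper] cthelper.exe
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitewsr32.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""
LOG_AFTER = r"""R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.ac.uk/
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteunn32.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Program Files\AntiVirus\CWShredder.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
"""
if __name__ == "__main__":
    print(triage(LOG_BEFORE), diff_logs(LOG_BEFORE, LOG_AFTER), sep="\n")
```

Running it on the two excerpts shows the searchmiracle and EliteBar lines cleared by the first pass and the one new [etbrun] loader that survived it, which is the entry Kc targets in post #8.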

#7 death_hand (Topic Starter)

Logfile of HijackThis v1.99.1
Scan saved at 12:46:12, on 16/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spss_lmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteunn32.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PcSync] PCsync.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download all by Free Download Manager - file://D:\My Documents\Uni Work\EDMUS\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://D:\My Documents\Uni Work\EDMUS\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://D:\My Documents\Uni Work\EDMUS\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://D:\My Documents\Uni Work\EDMUS\Free Download Manager\dlpage.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...4/OCI/setup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100103577619
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay10...ex/HMAtchmt.ocx
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Program Files\AntiVirus\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Spss License Manager (SpssLM) - Unknown owner - C:\WINDOWS\system32\spss_lmd.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I've run all of the steps that you suggested but as soon as I connected to the internet the searchmiracle.com popups came back :tazz: ;)

#8 Guest_thatman_* (Guest)


Quoting death_hand:
    I've run all of the steps that you suggested but as soon as I connected to the internet the searchmiracle.com popups came back :tazz: ;)


Reply from Kc
You have not followed my instructions ;)
You did not do the online virus scans :)
You have not read the instructions :)

Are you wasting my time? There are many members who need help and can follow the instructions given. Do not waste my time.

Please set your system to show all files; please see here if you're unsure how to do this.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteunn32.exe

Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders, and delete them:

C:\windows\system32\eliteunn32.exe

Exit Explorer, and reboot as normal afterwards.

Please run the following free, online virus scans.

http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Please post the logs from both virus scans and a fresh HJT log; we will need them to remove previous infections that have left files on your system.

Kc :mad:

#9 death_hand (Topic Starter)

Ok sorry :tazz: ;) ;)

#10 Guest_thatman_* (Guest)

Hi death_hand

Lets get back to cleaning your system. ;)

Follow the instructions from my last post.

Kc :tazz:

#11 death_hand (Topic Starter)

I didn't mean to waste your time. I followed your method, but I'm fairly new to PCs.

I've got a new HJT log and online virus scans are running now - will post them when they're done :tazz:

#12 death_hand (Topic Starter)

Right here are the requested logs.....

This is from the Panda virus scan:


Incident | Status | Location
Adware:Adware/SaveNow | No disinfected | Windows Registry
Adware:Adware/Gator | No disinfected | C:\DOCUME~1\George\LOCALS~1\Temp\gain.txt
Adware:Adware/MyWay | No disinfected | Windows Registry
Adware:Adware/nCase | No disinfected | C:\Temp\salm_*.dat
Spyware:Spyware/ISTbar | No disinfected | C:\DOCUME~1\George\LOCALS~1\Temp\Shortcuts.txt
Adware:Adware/Apropos | No disinfected | Windows Registry
Adware:Adware/DelFinMedia | No disinfected | C:\keys.ini
Adware:Adware/IEDriver | No disinfected | C:\DOCUME~1\George\LOCALS~1\Temp\ckz*
Adware:Adware/NavHelper | No disinfected | C:\Program Files\Ares
Adware:Adware/Adroar | No disinfected | C:\DOCUME~1\George\LOCALS~1\Temp\cpr_in.exe
Adware:Adware/EliteBar | No disinfected | Windows Registry
Adware:Adware/BroadcastPC | No disinfected | C:\DOCUME~1\George\LOCALS~1\Temp\btv_1001.exe
Adware:Adware/BroadcastPC | No disinfected | C:\Documents and Settings\George\Local Settings\Temp\btv_1001.exe
Adware:Adware/EliteBar | No disinfected | C:\Documents and Settings\George\Local Settings\Temp\uninstall.exe
Adware:Adware/Apropos | No disinfected | C:\Program Files\MicrosoftAntiSpywareInstall\Quarantine\0BA67B45-E428-4DDF-9EE3-5BEF21\1FC54C23-B351-4407-9763-60751C
Adware:Adware/Apropos | No disinfected | C:\Program Files\MicrosoftAntiSpywareInstall\Quarantine\0BA67B45-E428-4DDF-9EE3-5BEF21\6F5E8267-40DE-4260-91A7-4799F7
Adware:Adware/Apropos | No disinfected | C:\Program Files\MicrosoftAntiSpywareInstall\Quarantine\53627C91-FC9F-483C-BE96-989CBF\975996C2-F2AB-418D-B8DA-1A976A
Adware:Adware/Apropos | No disinfected | C:\Program Files\MicrosoftAntiSpywareInstall\Quarantine\53627C91-FC9F-483C-BE96-989CBF\D3CB1FC5-65FC-4461-A997-49F03F
Adware:Adware/SAHAgent | No disinfected | C:\Program Files\MicrosoftAntiSpywareInstall\Quarantine\8ADC122A-C5D1-40C4-B739-3A938D\1081FA1B-94FF-48A6-88A4-9311DF
Spyware:Spyware/BargainBuddy | No disinfected | C:\WINDOWS\installer_MARKETING12.exe
Virus:Trj/Startpage.SJ | Disinfected | C:\WINDOWS\system32\eliteaok32.exe
Virus:Trj/Startpage.SJ | Disinfected | C:\WINDOWS\system32\elitecup32.exe
Adware:Adware/EliteBar | No disinfected | C:\WINDOWS\system32\elitedoolsav.dat
Virus:Trj/Startpage.SJ | Disinfected | C:\WINDOWS\system32\eliteerror32.dat
Virus:Trj/Startpage.SJ | Disinfected | C:\WINDOWS\system32\elitefoe32.exe
Virus:Trj/Startpage.SJ | Disinfected | C:\WINDOWS\system32\elitegvm32.exe
Virus:Trj/Startpage.SJ | Disinfected | C:\WINDOWS\system32\elitelje32.exe
Virus:Trj/Startpage.SJ | Disinfected | C:\WINDOWS\system32\elitemxs32.exe
Virus:Trj/Startpage.SJ | Disinfected | C:\WINDOWS\system32\elitenmc32.exe
Virus:Trj/Startpage.SJ | Disinfected | C:\WINDOWS\system32\eliteppl32.exe
Virus:Trj/Startpage.SJ | Disinfected | C:\WINDOWS\system32\eliterjc32.exe
Virus:Trj/Startpage.SJ | Disinfected | C:\WINDOWS\system32\eliteslj32.exe
Virus:Trj/Startpage.SJ | Disinfected | C:\WINDOWS\system32\elitesuz32.exe
Virus:Trj/Startpage.SJ | Disinfected | C:\WINDOWS\system32\eliteutt32.exe
Adware:Adware/WUpd | No disinfected | C:\WINDOWS\system32\temp.exe

#13 death_hand (Topic Starter)

Here is the log from the TrendMicro scan...


Results:
We have detected 14 infected file(s) with 14 virus(es) on your computer:
- 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 1 virus(es) deleted, 0 virus(es) undeletable
- 13 virus(es) not found, 0 virus(es) unaccessible

Detected File | Associated Virus Name | Action taken
C:\Documents and Settings\George\Local Settings\Temporary Internet Files\Content.IE5\2DTKGU9D\x[1].htm | HTML_MHTREDIR.AX | Deletion successful
C:\WINDOWS\system32\eliteaok32.exe | TROJ_STARTPA.A | File not found before action taken. Threat removed.
C:\WINDOWS\system32\elitecup32.exe | TROJ_STARTPA.A | File not found before action taken. Threat removed.
C:\WINDOWS\system32\eliteerror32.dat | TROJ_STARTPA.A | File not found before action taken. Threat removed.
C:\WINDOWS\system32\elitefoe32.exe | TROJ_STARTPA.A | File not found before action taken. Threat removed.
C:\WINDOWS\system32\elitegvm32.exe | TROJ_STARTPA.A | File not found before action taken. Threat removed.
C:\WINDOWS\system32\elitelje32.exe | TROJ_STARTPA.A | File not found before action taken. Threat removed.
C:\WINDOWS\system32\elitemxs32.exe | TROJ_STARTPA.A | File not found before action taken. Threat removed.
C:\WINDOWS\system32\elitenmc32.exe | TROJ_STARTPA.A | File not found before action taken. Threat removed.
C:\WINDOWS\system32\eliteppl32.exe | TROJ_STARTPA.A | File not found before action taken. Threat removed.
C:\WINDOWS\system32\eliterjc32.exe | TROJ_STARTPA.A | File not found before action taken. Threat removed.
C:\WINDOWS\system32\eliteslj32.exe | TROJ_STARTPA.A | File not found before action taken. Threat removed.
C:\WINDOWS\system32\elitesuz32.exe | TROJ_STARTPA.A | File not found before action taken. Threat removed.
C:\WINDOWS\system32\eliteutt32.exe | TROJ_STARTPA.A | File not found before action taken. Threat removed.

Trojan/Worm Check: 1 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.

Results:
We have detected 1 Trojan horse program(s) and worm(s) on your computer:
- 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 1 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable

Trojan/Worm Name | Trojan/Worm Type | Action taken
WORM_SDBOT.AUL | Worm | Deletion successful

#14 death_hand (Topic Starter)

And here is the HJT log after running the two virus scans...

Logfile of HijackThis v1.99.1
Scan saved at 16:11:38, on 16/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\spss_lmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lboro.ac.uk/students
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteunn32.exe
O4 - HKLM\..\RunServices: [PcSync] PCsync.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PcSync] PCsync.exe
O4 - HKCU\..\RunServices: [PcSync] PCsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Download all by Free Download Manager - file://D:\My Documents\Uni Work\EDMUS\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://D:\My Documents\Uni Work\EDMUS\Free Download Manager\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://D:\My Documents\Uni Work\EDMUS\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://D:\My Documents\Uni Work\EDMUS\Free Download Manager\dlpage.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: RaptisoftGameLoader - http://www.miniclip....tgameloader.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://sib1.od2.com/...4/OCI/setup.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1100103577619
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay10...ex/HMAtchmt.ocx
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Program Files\AntiVirus\CWShredder.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Spss License Manager (SpssLM) - Unknown owner - C:\WINDOWS\system32\spss_lmd.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#15
Guest_thatman_*

  • Guest
Hi death_hand

Please read through the instructions before you start (you may want to print this out).

Be sure you're able to view hidden files,

For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - Click here to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click xphidden.reg and, when asked to merge, say Yes.

Please download and install AD-Aware.
Check here on how to set up and use it - please make sure you update it first.
Please don't run it yet.

Download Winpatrol Free

Download the ccleaner
I use this program and it is set up like this: all boxes are checked.
Now run the ccleaner


Here is the start of the fix

Using Windows Explorer search for the following files and folders.

C:\Temp\salm_*.dat <-- Delete the whole folder
C:\keys.ini <-- Delete the whole folder
C:\Program Files\Ares <-- Delete the whole folder


Welcome to Microsoft AntiSpyware
How to Remove a Quarantined Item
You can permanently remove any items in quarantine. To permanently remove an item from quarantine:
1. A list of all items in your quarantine is displayed. Select the item you would like to delete and when the item appears in the right details pane, click Remove Threat. This permanently removes the threat from your computer.
2. To remove multiple threats in the quarantine, select each item and click Remove all checked Threats at the bottom of the screen.

C:\Program Files\MicrosoftAntiSpywareInstall\Quarantine\0BA67B45-E428-4DDF-9EE3-5BEF21\1FC54C23-B351-4407-9763-60751C
C:\Program Files\MicrosoftAntiSpywareInstall\Quarantine\0BA67B45-E428-4DDF-9EE3-5BEF21\6F5E8267-40DE-4260-91A7-4799F7
C:\Program Files\MicrosoftAntiSpywareInstall\Quarantine\53627C91-FC9F-483C-BE96-989CBF\975996C2-F2AB-418D-B8DA-1A976A
C:\Program Files\MicrosoftAntiSpywareInstall\Quarantine\53627C91-FC9F-483C-BE96-989CBF\D3CB1FC5-65FC-4461-A997-49F03F
C:\Program Files\MicrosoftAntiSpywareInstall\Quarantine\8ADC122A-C5D1-40C4-B739-3A938D\1081FA1B-94FF-48A6-88A4-9311DF


Delete all temp files
C:\Documents and Settings\George\Local Settings\Temp\cpr_in.exe
C:\Documents and Settings\George\Local Settings\Temp\btv_1001.exe
C:\Documents and Settings\George\Local Settings\Temp\uninstall.exe
C:\Documents and Settings\George\Local Settings\Temp\gain.txt
C:\Documents and Settings\George\Local Settings\Temp\Shortcuts.txt
C:\Documents and Settings\George\Local Settings\Temp\ckz*

Download Pocket Killbox and unzip it; save it to your Desktop.
Run it, and click the radio button that says Delete a file on reboot.
Paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
Let the system reboot.
C:\WINDOWS\installer_MARKETING12.exe
C:\WINDOWS\system32\eliteaok32.exe
C:\WINDOWS\system32\elitecup32.exe
C:\WINDOWS\system32\elitedoolsav.dat
C:\WINDOWS\system32\eliteerror32.dat
C:\WINDOWS\system32\elitefoe32.exe
C:\WINDOWS\system32\elitegvm32.exe
C:\WINDOWS\system32\elitelje32.exe
C:\WINDOWS\system32\elitemxs32.exe
C:\WINDOWS\system32\elitenmc32.exe
C:\WINDOWS\system32\eliteppl32.exe
C:\WINDOWS\system32\eliterjc32.exe
C:\WINDOWS\system32\eliteslj32.exe
C:\WINDOWS\system32\elitesuz32.exe
C:\WINDOWS\system32\eliteutt32.exe
C:\WINDOWS\system32\temp.exe

End of killbox files

Reboot into normal mode.

Now run Ad-Aware SE

Please run the following free, online virus scans.

http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp

Please post the logs from both virus scans and the HJT log; we will need them to remove previous infections that have left files on your system.

Kc :tazz:
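As an added example (not part of this thread or of HijackThis itself), a small parser for the O4 and O23 lines in the HijackThis log format shown above that pulls out the entries a helper would look at first: autoruns whose file matches the elite*32.exe naming of the files listed for Killbox deletion, autoruns given without a full path, and services HijackThis reports with "Unknown owner". The sample lines and the three heuristics are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the same layout as the HijackThis log posted above:
# a bare-filename autorun, the eliteunn32.exe autorun, a normal autorun and two services.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [PcSync] PCsync.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteunn32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Registry autoruns look like:  O4 - HKLM\..\Run: [name] command [args]
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
# Naming shared by the elite*32.exe files the helper lists for deletion (constructed heuristic).
ELITE_RE = re.compile(r"(?i)\\system32\\elite[a-z]+32\.exe$")


@dataclass
class Finding:
    section: str   # "O4" or "O23"
    name: str      # autorun value name or service name
    path: str      # executable as written in the log
    reason: str    # why a helper should look at it


def triage(log_text: str) -> List[Finding]:
    """Return the O4/O23 entries worth a closer look, in log order."""
    findings: List[Finding] = []
    for line in (l.strip() for l in log_text.splitlines()):
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            # Executable is the quoted part, or the first token when unquoted.
            exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split(" ")[0]
            where = f"{hive}\\{key}"
            if ELITE_RE.search(exe):
                findings.append(Finding("O4", name, exe, f"{where}: matches the elite*32.exe naming of the files listed for deletion"))
            elif "\\" not in exe:
                findings.append(Finding("O4", name, exe, f"{where}: no full path; verify which copy of the file is actually loaded"))
        elif line.startswith("O23 - Service: "):
            # Format: <service name> - <owner> - <path>; split from the right so the name may contain dashes.
            svc, owner, path = line[len("O23 - Service: "):].rsplit(" - ", 2)
            if owner == "Unknown owner":
                findings.append(Finding("O23", svc, path, "no publisher recorded; confirm the binary is expected"))
    return findings
```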