Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Elite Toolbar [CLOSED]


  • This topic is locked This topic is locked

#1
jonoblades

jonoblades

    New Member

  • Member
  • Pip
  • 3 posts
If anyone can help - I have a computer that is causing me no end of grief with popups since finding that it had an elite toolbar installed. Adaware and Spybot have been run on it but not resolved the issue.

Here is the HIJACK THIS log...

Logfile of HijackThis v1.99.1
Scan saved at 15:52:00, on 14/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
C:\WINDOWS\regedit.exe
C:\Program Files\Internet Explorer\iexplore.exe
\Sbsserver\admin\CUSTFI~1\PCAPPS~1\WinZip\winzip32.exe
C:\DOCUME~1\darren\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://SBSSERVER:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\System32\regsync.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vrvnmu.exe reg_run
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitecoz32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe
O4 - Global Startup: Firewall Client Connectivity Monitor.LNK = C:\Program Files\Microsoft Firewall Client\ISATRAY.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ndnt.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0009.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = kallkwik.local
O17 - HKLM\Software\..\Telephony: DomainName = kallkwik.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = kallkwik.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = kallkwik.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC\WinVNC.exe" -service (file missing)


Any help would be mauch appreciated!
Cheers

Jono
  • 0

Advertisements


#2
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi jonoblades,


Please download FindQoologic from here:
http://forums.net-in...=post&id=134981

Unzip the files and save them to the desktop and run Find-Qoologic2.bat. This will generate a log file; please post the entire contents of the log file here for me to see.
  • 0

#3
jonoblades

jonoblades

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
OK, well this is what I got!!!

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* KavSvc C:\WINDOWS\System32\VRVNMU.EXE
* KavSvc C:\WINDOWS\System32\SUPDATE.DLL
* KavSvc C:\WINDOWS\System32\ZPZGHOZ.DLL
* aspack C:\WINDOWS\System32\BCBORDB.EXE
* aspack C:\WINDOWS\System32\MRT.EXE
* aspack C:\WINDOWS\System32\NTDLL.DLL
* aspack C:\WINDOWS\System32\REDIT.CPL
* UPX! C:\WINDOWS\System32\PSOF1.EXE
* UPX! C:\WINDOWS\System32\UCI.EXE
* UPX! C:\WINDOWS\System32\VRVNMU.EXE
* UPX! C:\WINDOWS\System32\SUPDATE.DLL
* UPX! C:\WINDOWS\System32\ZPZGHOZ.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\NDNT.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Acrobat Assistant.lnk
desktop.ini
Firewall Client Connectivity Monitor.LNK
Microsoft Office.lnk
ndnt.exe

User Startup:
C:\Documents and Settings\darren\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fgfqtmfs
<NO NAME> REG_SZ {4daaedeb-7a5b-4f9f-a86b-688a260e4261}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
<NO NAME> REG_SZ {BDA77241-42F6-11d0-85E2-00AA001FE28C}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
<NO NAME> REG_SZ {E0D79300-84BE-11CE-9641-444553540000}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin
  • 0

#4
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
  • Please download the Killbox.
  • Unzip it to the desktop but do NOT run it yet.
  • Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.
  • Once in Safe Mode, please run Killbox.
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste the following into the top "Full Path of File to Delete" box.
    • C:\WINDOWS\System32\VRVNMU.EXE
  • Click the red-and-white "Delete File".
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "No" at the Pending Operations prompt.
  • Repeat steps 5-9 above for these files:
    • C:\WINDOWS\System32\SUPDATE.DLL
    • C:\WINDOWS\System32\ZPZGHOZ.DLL
    • C:\WINDOWS\System32\BCBORDB.EXE
    • C:\WINDOWS\System32\REDIT.CPL
    • C:\WINDOWS\System32\PSOF1.EXE
    • C:\WINDOWS\System32\UCI.EXE
    • C:\WINDOWS\System32\VRVNMU.EXE
    • C:\WINDOWS\System32\SUPDATE.DLL
    • C:\WINDOWS\System32\ZPZGHOZ.DLL
  • Click "Replace on Reboot" and check the "Use Dummy" box.
  • Paste the following file into the top "Full Path of File to Delete" box.
    • C:\docume~1\alluse~1\startm~1\programs\startup\NDNT.EXE (please locate and put the exact address here. It should Most probably be C:\Documents and Settings\Allusers\Startmenu\programs\startup\NDNT.exe)
  • Click the red-and-white "Delete File" button.
  • Click "Yes" at the Replace on Reboot prompt.
  • Click "Yes" at the Pending Operations prompt to restart your computer. You do not need to reboot into Safe Mode this time.
  • When your computer reboots, please run Find-Qoologic2.bat again and post the new log here.

Edited by tampabelle, 14 June 2005 - 10:53 AM.

  • 0

#5
jonoblades

jonoblades

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
Sorry it took so long, I didn't have access to the machine
Here it is...

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* KavSvc C:\WINDOWS\System32\VRVNMU.EXE
* KavSvc C:\WINDOWS\System32\SUPDATE.DLL
* KavSvc C:\WINDOWS\System32\ZPZGHOZ.DLL
* aspack C:\WINDOWS\System32\BCBORDB.EXE
* aspack C:\WINDOWS\System32\MRT.EXE
* aspack C:\WINDOWS\System32\NTDLL.DLL
* aspack C:\WINDOWS\System32\REDIT.CPL
* UPX! C:\WINDOWS\System32\PSOF1.EXE
* UPX! C:\WINDOWS\System32\UCI.EXE
* UPX! C:\WINDOWS\System32\VRVNMU.EXE
* UPX! C:\WINDOWS\System32\SUPDATE.DLL
* UPX! C:\WINDOWS\System32\ZPZGHOZ.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* exe C:\docume~1\alluse~1\startm~1\programs\startup\NDNT.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Acrobat Assistant.lnk
desktop.ini
Firewall Client Connectivity Monitor.LNK
Microsoft Office.lnk
ndnt.exe

User Startup:
C:\Documents and Settings\darren\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fgfqtmfs
<NO NAME> REG_SZ {4daaedeb-7a5b-4f9f-a86b-688a260e4261}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
<NO NAME> REG_SZ {BDA77241-42F6-11d0-85E2-00AA001FE28C}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
<NO NAME> REG_SZ {E0D79300-84BE-11CE-9641-444553540000}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin
  • 0

#6
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi jonoblades,

Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, u will be asked to fix some entires, delete some files or uninstall sosme programs. If in case, you do not see those entires / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

LQfix
Ewido Security Suite

Install Ewido, and update the definitions to the newest files. Do NOT run a scan yet.

Unzip LQfix and save the extracted files in the same folder.

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

2. Remove Infections

Run LQfix.

Run Ewido full scan. Let it fix any items it finds.

3. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://SBSSERVER:8080
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\System32\vbrundll.dll
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\System32\regsync.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\vrvnmu.exe reg_run
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitecoz32.exe
O4 - Global Startup: ndnt.exe


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

4. Delete Rogue files

Open Windows explorer (right click on start and then click on explore). Locate and delete the following files, if found -

C:\WINDOWS\System32\vbrundll.dll
C:\WINDOWS\System32\regsync
C:\WINDOWS\System32\elitecoz32.exe
C:\WINDOWS\System32\VRVNMU.EXE
C:\WINDOWS\System32\SUPDATE.DLL
C:\WINDOWS\System32\ZPZGHOZ.DLL
C:\WINDOWS\System32\BCBORDB.EXE
C:\WINDOWS\System32\REDIT.CPL
C:\WINDOWS\System32\PSOF1.EXE
C:\WINDOWS\System32\UCI.EXE
C:\docume~1\alluse~1\startm~1\programs\startup\NDNT.EXE



Reboot the PC in Normal Mode.

Run Find_Qoologic2.bat and save its log.

Run Hijack This and post a fresh HJT log along with Find_Qoologic log file and Ewido scan report.
  • 0

#7
tampabelle

tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP