elite adware [RESOLVED]

#1
graeme

Posted 14 June 2005 - 05:55 PM

New Member

Member
4 posts

hi, need some help getting rid of this one.

hijackthis shows this file:
O4 - HKLM\..\Run: [checkrun] E:\windows\system32\elitepmw32.exe

im not able to see the file even though show hidden files is on
booting into linux, i was able to see it plus another file elitezke32.exe

i removed the checkrun entry but it came back

im also wondering why i still see google toolbar entries in hijackthis after i removed google toolbar in addremove programs

hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:46:09 PM, on 6/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Updater.exe
E:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\Program Files\AIM95\aim.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
E:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
E:\Program Files\RealVNC\WinVNC\WinVNC.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\mozilla.org\Mozilla\mozilla.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\setup.xp\HijackThis.exe

O4 - HKLM\..\Run: [Q3DObsidian2] RunDll32 E:\WINDOWS\System32\q3dps2.dll,Q3dGlideBoot
O4 - HKLM\..\Run: [WinVNC] "E:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "E:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [checkrun] E:\windows\system32\elitepmw32.exe
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM95\aim.exe
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - E:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - E:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O16 - DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} (Collapse Control) - http://mirror.worldw...se/collapse.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45414234-443A-407E-BCE7-C56680409058}: NameServer = 151.203.162.6,151.203.111.6
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - E:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SAVRoam - symantec - E:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - E:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

findqoologic log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* UPX! E:\WINDOWS\System32\FMOD.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f5bd48

Global Startup:
E:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Adobe Gamma Loader.exe.lnk
desktop.ini
Microsoft Office.lnk

User Startup:
E:\Documents and Settings\etm\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
<NO NAME> REG_SZ {BDA77241-42F6-11d0-85E2-00AA001FE28C}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
<NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
<NO NAME> REG_SZ {8FF88D27-7BD0-11D1-BFB7-00AA00262A11}

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin

thanks

#2
Excal

Posted 16 June 2005 - 06:37 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Hi graeme and welcome to GeeksToGo! My name is Excal and I will be helping you.

If you still need help, please post a fresh Hijack log so I can help you with your Malware Problems.

:tazz:

Excal

#3
graeme

Posted 19 June 2005 - 11:14 AM

New Member

Topic Starter
Member
4 posts

I think i am cleared now, i found this program:

http://www.softpedia...r-Remover.shtml

and it seems to have erased everything, though i did have to remove
elitepmw32.exe and elitezke32.exe afterwards myself

here's my hijack log, let me know if you see anything still suspicious

Logfile of HijackThis v1.99.1
Scan saved at 1:08:09 PM, on 6/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
E:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
E:\Program Files\RealVNC\WinVNC\WinVNC.exe
E:\Updater.exe
E:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\Program Files\AIM95\aim.exe
E:\WINDOWS\System32\wuauclt.exe
E:\setup.xp\HijackThis.exe
E:\WINDOWS\System32\wuauclt.exe

O4 - HKLM\..\Run: [Q3DObsidian2] RunDll32 E:\WINDOWS\System32\q3dps2.dll,Q3dGlideBoot
O4 - HKLM\..\Run: [WinVNC] "E:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "E:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM95\aim.exe
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - E:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - E:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O16 - DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} (Collapse Control) - http://mirror.worldw...se/collapse.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45414234-443A-407E-BCE7-C56680409058}: NameServer = 151.203.162.6,151.203.111.6
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - E:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SAVRoam - symantec - E:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - E:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)

#4
Excal

Posted 19 June 2005 - 10:22 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Hi graeme,

Indeed, your log file does look clean

Alot of times malware leaves behind some misc files,

please run this online virus scan: ActiveScan - Save the results from the scan!

Post the active scan log back in the thread please

thanks,

Excal

#5
graeme

Posted 20 June 2005 - 12:54 AM

New Member

Topic Starter
Member
4 posts

here's the results of activescan:

Incident Status Location

Adware:Adware/EliteBar No disinfected E:\Documents and Settings\etm\Favorites\Casino & Carrers

#6
graeme

Posted 20 June 2005 - 01:02 AM

New Member

Topic Starter
Member
4 posts

i also took a look in the system32 dir, and found this dir:

etb

with a file called elitelist

i assume i should delete it

#7
Excal

Posted 20 June 2005 - 06:59 AM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

You can delete this E:\Documents and Settings\etm\Favorites\Casino & Carrers folder.

Also you can delete that whole ETB folder, E:\WINDOWS\system32\ETB

After those two things, you look good

Great job, it appears your computer is clean :tazz:

Ensure you rehide your “hidden files and folders” back to the way they were.

Now that your system is Malware Free, it is important to reset your system Restore. Click Here to learn how to.

Might I suggest the following Free Spyware programs for added security, you can download them at the following links. These programs work great for detection:

Ad-aware SE

Spybot S&D

If you are unhappy with your current antivirus and want to replace it or if you dont already have one, I suggest one of these free programs:
*Note - do not use more than one anti-virus program as it will more than likely cause conflict.

AVG
Avast

The following free programs are great for prevention:

SpywareBlaster 3.4

Spywareguard

IE/Spyad

A Firewall is a must! Here are 2 good free versions:

Sygate

ZoneLabs

There are other options other than Internet Explorer for a browser, which some say have better security. Two of them are:

Firefox

Opera

This site is a great source for tightening up security on Internet Explorer settings.

Make sure that you keep your Operating System and IE updated with the latest Critical Security Updates from Microsoft...they usually come out once a month, on the 2nd Tuesday of each month.

Included in those updates is Windows XP Service Pack 2. Click Here
Since you're junkware free, the time to get it is NOW. Service Pack 2 is a MAJOR upgrade for XP. It adds numerous security and software patches, as well as new features and functionality. You will also be adding another layer of protection against future threats.

Be sure and give the Temp folders a cleaning out now and then as well, Make sure after you clean your Temp files to empty out your Recycle bin as well.
For ease use the following program:

Cleanup
Run "Cleanup" and when it has finished, Reboot

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial and use the tools provided.

#8
Excal

Posted 06 July 2005 - 03:28 PM

Malware Slayer Extraordinaire!

Retired Staff
12,739 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

#1
graeme

Posted 14 June 2005 - 05:55 PM