Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works

Aim Virus/Elitum.Elitebar troubles - please help! [CLOSED]

  • This topic is locked This topic is locked



    New Member

  • Member
  • Pip
  • 1 posts
I got the AIM virus by clinking on the link. I think I cleared the virus by funning AIMFix, but I still keep getting pop-ups. I tried running ad-ware and Spybot Search & Destroy, but it didn't help. Please help!! Here is my hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 4:07:40 PM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
C:\Program Files\Aventail\Connect\as32svc.exe
C:\Program Files\Connected\CBRegCap.EXE
C:\Program Files\Connected\CBlaunch.exe
C:\Program Files\EY AWS\bin\NetAPISrvr.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\CyberArmor\casvc.exe
C:\Program Files\EYMarimba\ESD Client\Tuner.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Funk Software\Odyssey Client\OdTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\EYMarimba\ESD Client\lib\jre\bin\java.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kontiki\khost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Connected\CBSysTray.exe
c:\Program Files\aventail\connect\as32.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\EY AWS\bin\AWS.exe
C:\Program Files\EY AWS\bin\SMServer.exe
C:\Program Files\EY AWS\bin\SMService.exe
C:\Program Files\Sybase\SQL Anywhere 7\win32\dbsrv7.exe
C:\Program Files\EY AWS\bin\SAPCoolbar.exe
C:\Program Files\lotus\Sametime Client\Connect.exe
C:\Program Files\TenKey\tenkey.exe
C:\Program Files\Microsoft Office\OFFICE11\POWERPNT.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
c:\Program Files\EYMarimba\WorkSpace\.marimba\EYMarimba\ch.40\data\lsu.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\hsudi\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Ernst & Young
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=usweb:80;http=usweb:80;https=usweb:443
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = qp002.quickplace.ey.com;qp001.quickplace.ey.com;*.ey.net;*.ltdcenter.ey.com;198.134.44.*;199.49.190.*;eformrs.com;uschic*;*.eyntc.com;web.ey.com;*.iweb.ey.com;;*.eylink.com;;*.adc.ey.com;gosystemrs.fasttax.com;169.254.*.*;riatraining.com;www.riahelp.com;iweb.eycan.com;txrn.ey.com;txsn.ey.com;txadmin.ey.com;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [EYUSESD] c:\Program Files\EYMarimba\ESD Client\Tuner.exe -nologo
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [OdTray.exe] "C:\Program Files\Funk Software\Odyssey Client\OdTray.exe"
O4 - HKLM\..\Run: [pdfFactory Pro Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /runonce
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [_NotesINIBKUP] c:\Program Files\Eyutils\notesinicpy.EXE
O4 - HKLM\..\Run: [Kontiki] "C:\Program Files\Kontiki\khost.exe" -i -p ey-ey
O4 - HKLM\..\Run: [strmsgms] aimstats.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitebrd32.exe
O4 - HKLM\..\RunServices: [strmsgms] aimstats.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\khost.exe
O4 - HKCU\..\Run: [strmsgms] aimstats.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - HKCU\..\RunOnce: [ProxyOn] C:\Progra~1\ConnWiz\ProxyOn.EXE
O4 - Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\aventail\connect\asdns.dll
O14 - IERESET.INF: START_PAGE_URL=http://home.iweb.ey.com
O15 - Trusted Zone: http://*.iweb.ey.com
O15 - Trusted Zone: http://*.ey.net
O15 - Trusted Zone: http://*.eylink.com
O15 - Trusted Zone: http://*.iweb.ey.com (HKLM)
O15 - Trusted Zone: http://*.ey.net (HKLM)
O15 - Trusted Zone: http://*.eylink.com (HKLM)
O15 - Trusted IP range:
O15 - Trusted IP range: (HKLM)
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://extraweb-ame...aweb/iNotes.cab
O16 - DPF: {51B217FA-AA53-11D1-8295-006097970389} (NotesUserCtrl Class) - http://home.iweb.ey....b/notesuser.cab
O16 - DPF: {6CEDB6B5-4859-4E3A-BCA2-FB8E565B8AD9} (JNILoader Control) - http://usst02.ey.net...STJNILoader.cab
O16 - DPF: {BAC4A6B1-588F-495C-9074-B1C3A50AB3B7} (AuthPost.Class1) - http://gfis.iweb.ey....ex/AuthPost.CAB
O16 - DPF: {C5A27D6A-4659-4351-9B7F-45E40BE42715} (gpwsx.plugin) - https://print-global...ugin/EYGPWS.CAB
O16 - DPF: {E00979FF-2951-48DC-92C2-8B6C80E39003} - https://psynch.iweb....cs/pslocalr.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.na.ey.net
O17 - HKLM\Software\..\Telephony: DomainName = us.na.ey.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{188CE485-58CE-405A-81CF-3AB68F85ABAA}: Domain = us.na.ey.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{6218B10C-35E8-41AD-B1CD-76917AE0D554}: Domain = us.na.ey.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{D18B9727-8AC1-467F-82D4-D77259E5953D}: Domain = us.na.ey.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2D70889-80E3-4990-962E-79B1A6AF92D8}: Domain = us.na.ey.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.na.ey.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = lge-mdr.com,us.na.ey.net,ey.net,ey.com,eycan.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = lge-mdr.com,us.na.ey.net,ey.net,ey.com,eycan.com
O20 - AppInit_DLLs: cahooknt.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: OdysseyClient - C:\WINDOWS\SYSTEM32\odyEvent.dll
O20 - Winlogon Notify: Timbuktu Pro - C:\Program Files\Timbuktu Pro\Hook32.dll
O23 - Service: Aventail Connect (As32Svc) - Unknown owner - C:\Program Files\Aventail\Connect\as32svc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Connected RegCap (CBRegCap) - Connected Corporation - C:\Program Files\Connected\CBRegCap.EXE
O23 - Service: Connected Launcher (ConnectedLauncher) - Connected Corporation - C:\Program Files\Connected\CBlaunch.exe
O23 - Service: CyberArmor Run Service (CyberArmorRunService) - InfoExpress - C:\Program Files\CyberArmor\casvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network API Server (NetAPISrvr) - Unknown owner - C:\Program Files\EY AWS\bin\NetAPISrvr.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Odyssey Client (odClientService) - Funk Software, Inc. - C:\Program Files\Funk Software\Odyssey Client\odClientService.exe
O23 - Service: OracleOraHome81ClientCache - Unknown owner - C:\Oracle\Ora81\BIN\ONRSD.EXE
O23 - Service: SAVRoam - symantec - C:\PROGRA~1\Symantec\SAVRoam\SavRoam.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe

  • 0




    Member 5k

  • Retired Staff
  • 6,363 posts

We are sorry to have missed your log.

If you still need help, please post a fresh Hijack This log
  • 0



    Member 5k

  • Retired Staff
  • 6,363 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member with address of this thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP