Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

My HiJackThisLog [CLOSED]

Started by terriandrod , Jul 17 2005 08:13 PM

  • This topic is locked This topic is locked

#1
terriandrod
Posted 17 July 2005 - 08:13 PM

terriandrod

    New Member

  • Member
  • Pip
  • 2 posts
Below is my Hijacklog... My problems started out with Virtual Bouncer and Ad Destroyer...I continue to get all of these UNWANTED pop-ups. I've already performed the following;
Clean-up
Lava soft Ad-ware SE
CW-shredder
Spybot Search & Destroy
Windows updates


I also have this crazy ELITE TOOL BAR that I have no idea where it came from, how can I get rid of it?
Please help me if you can!
Blessings,
Terri



Logfile of HijackThis v1.99.1
Scan saved at 9:09:07 PM, on 07/17/2005
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WS_FTP\FTPSCHED.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SCANDISKC.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SCANDISKC.EXE
C:\WS_FTP\FTPQUEUE.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\ELITERPP32.EXE
C:\WINDOWS\SYSTEM\WALM32.EXE
C:\WINDOWS\PQNRRR.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\CAS\CLIENT\CASCLIENT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\PUSDINFO.EXE
C:\PROGRAM FILES\IBM\APTDESK\MVSLOADR.EXE
C:\IBM\REGISTER\REMIND32.EXE
C:\Program Files\IBM\Aptdesk\mvdz1exe.exe
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\UHIX2ZUL\HIJACKTHIS[1].EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gbronline.com/gbr_prod/
F1 - win.ini: run=c:\windows\scandiskc.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [K6CPU] C:\ibmtools\k6cpu.exe
O4 - HKLM\..\Run: [IBMCPU] C:\ibmtools\ibmcpu.exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [AccessRampMonitor] C:\PROGRAM FILES\ACCESSRAMP\MCIWORLD\ARMon32.exe
O4 - HKLM\..\Run: [MYPORTPHOLIO.JPG] C:\WINDOWS\MYPORTPHOLIO.JPG.EXE /nomsg
O4 - HKLM\..\Run: [Kernel32] c:\windows\scandiskc.exe
O4 - HKLM\..\Run: [ftpqueue] C:\WS_FTP\ftpqueue.exe -tray
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] c:\windows\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITERPP32.EXE
O4 - HKLM\..\Run: [o42O36P] WALM32.EXE
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\pqnrrr.exe reg_run
O4 - HKLM\..\RunServices: [Tweak Ul] c:\windows\netstattt.exe
O4 - HKLM\..\RunServices: [ftpqueue] C:\WS_FTP\FTPSCHED.EXE
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [ModemInstallAssistant] G:\SUPPORT\MODEMINSTALL.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\YAHOO!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Z3tERWjpj] PUSDINFO.EXE
O4 - Startup: Start Desktop Effects.lnk = C:\Program Files\IBM\Aptdesk\MVSLOADR.EXE
O4 - Startup: Crystal 3D Audio Control.LNK = C:\WINDOWS\CWB3DSND.EXE
O4 - Startup: Reminder-iqi10705.lnk = C:\IBM\Register\REMIND32.EXE
O4 - Startup: Internet Login.lnk = C:\WINDOWS\INETLOGN.EXE
O4 - Startup: ruak.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\YAHOO!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\YAHOO!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\YAHOO!\Common/ycdict.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL (file missing)
O9 - Extra button: Juno - {AFBC3A50-BF64-4307-804D-8FF99F843EAF} - juno.exe (file missing) (HKCU)
O12 - Plugin for .wav: C:\Program Files\Netscape\Navigator\Program\PLUGINS\NPAUDIO.DLL
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://www.juno.com/
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\YAHOO!\Common\yinsthelper.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - https://java.sun.com...indows-i586.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
  • 0

Advertisements

#2
kool808
Posted 22 July 2005 - 07:48 PM

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Hello and welcome to Geeks to Go! :tazz: I'm kool808 and I will be helping you today.

I am working on your log. As soon as I made a good fix for this, I will post a reply. Thank you for your patience.
  • 0

#3
kool808
Posted 22 July 2005 - 08:23 PM

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts

It is highly recommended that you install your HijackThis Tool in a safe location where you can easily find them. It is suggested you place them in C:\HJT, that way it could create backups necessary for future restore.



Please SAVE THIS PAGE or secure a PRINT COPY of the instructions for reference.
++++++++ N O T I C E ++++++++

This will likely be a few step process in removing the malware that has infected your system.  I encourage you to stick with it and follow my directions as closely as possible so as to avoid complicating the problem further. You have lots of complex infections but we can take them one at a time. Trust me!

++++++++ STEP 1 ++++++++
1.) Place a shortcut to Panda ActiveScan on your desktop. Do NOT run the scan yet.

2.) Please download the trial version of Ewido Security Suite 3.5 here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

3.) Please Download the following tools to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Dont do anything with it yet!
  • Download Track qoo
    • Save it somewhere you will remember like the Desktop
Reboot in SAFE MODE. (How to boot in Safe Mode...)
++++++++ STEP 2 ++++++++
  • Uninstallation
    We need to uninstall the following programs:
  • Go to Control Panel > Add/Remove Programs
  • Please locate if they exist
    • Elite Tool Bar
    • VBouncer
    • Navi Search
    • Casino Client
    • Auto Update

  • Click Uninstall
  • Confirm with OK
++++++++ STEP 3 ++++++++
Open Ad-aware and do a full scan. Remove all it finds.

++++++++ STEP 4 ++++++++
Run Ewido:
  • Click on scanner
  • Click Complete System Scan and the scan will begin.
  • During the scan it will prompt you to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

++++++++ STEP 5 ++++++++
Please close all remaining windows, disconnect from the internet, open HijackThis then click SCAN. Please put a check on the following items listed below:

F1 - win.ini: run=c:\windows\scandiskc.exe

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll

O4 - HKLM\..\Run: [Kernel32] c:\windows\scandiskc.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITERPP32.EXE
O4 - HKLM\..\Run: [o42O36P] WALM32.EXE
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\pqnrrr.exe reg_run
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [Z3tERWjpj] PUSDINFO.EXE
O4 - Startup: ruak.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Make sure to double check the items you have selected, then click Fix Checked.

++++++++ STEP 6 ++++++++
Be sure to View Hidden and System Files.

Through Windows Explorer, delete the following folder(s) or files(s) if they exist (in bold):
  • C:\windows\scandiskc.exe
  • C:\WINDOWS\SYSTEM\PSof1.exe
  • C:\WINDOWS\SYSTEM\exp.exe
  • C:\WINDOWS\CFGMGR52.DLL
  • C:\WINDOWS\SYSTEM\ELITERPP32.EXE
  • C:\Program Files\AutoUpdate <-- whole folder
  • C:\Program Files\VBOUNCER <-- whole folder
  • C:\Program Files\NaviSearch <-- whole folder
  • C:\WINDOWS\pqnrrr.exe
  • C:\Program Files\Cas <-- whole folder
  • C:\WINDOWS\EliteToolBar <-- whole folder
  • C:\WINDOWS\web\related.htm
Finally, Empty Recycle Bin

++++++++ STEP 7 ++++++++
Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!

++++++++ STEP 8 ++++++++
  • Open HijackThis
  • go to Config, then Misc Tools
  • Open Uninstall Manager, then click Save List...
  • Post the results here
  • close HJT
++++++++ STEP 9 ++++++++
Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
++++++++ STEP 10 ++++++++

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

++++++++ FINAL STEP ++++++++

Please separate each logs with a title on it.

  • Close all windows, open HijackThis then SCAN.
  • Post a NEW HijackThis Log.
  • Post the results of Panda Scan.
  • Post the results of Ewido report.
  • Post the results of Uninstall List.
  • Post the results of WinPFind and Track Qoo. (Very important logs, not to be MISSED)
  • Please tell me how your system is working now.

Edited by kool808, 22 July 2005 - 08:27 PM.

  • 0

#4
kool808
Posted 06 August 2005 - 04:36 PM

kool808

    Visiting Staff

  • Member
  • PipPipPipPip
  • 1,690 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP