trojan.elitebar


This topic is locked

#1
dannykaye (New Member, 3 posts)
I have the trojan.elitebar.
Here is my hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 1:27:33 PM, on 9/19/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\DESKTOP\NEW FOLDER (2)\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.erh.noaa.gov/er/box/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\PROGRAM FILES\SURFSIDEKICK 3\SSKBHO.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38-1.dll
O2 - BHO: (no name) - {A18B47F4-3433-CB6E-0E01-CB7F06BEB11D} - C:\WINDOWS\SYSTEM\pcehgsba\rnyjcqes.dll
O2 - BHO: (no name) - {4FCE855C-9150-67FC-5630-4ED7D8E545C1} - C:\WINDOWS\Ppbdqppb.dll
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\THINKPAD\UTILIT~2\TPHKMGR.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.
O4 - HKLM\..\Run: [testit.exe] C:\WINDOWS\SYSTEM\testit.exe
O4 - HKLM\..\Run: [ptswraup] c:\windows\system\ptswraup.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\SYSTEM\MEDGS1.exe
O4 - HKLM\..\Run: [OPR] C:\WINDOWS\SYSTEM\OPR.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\rtrtgt.exe reg_run
O4 - HKLM\..\Run: [RXKGYNGR] C:\WINDOWS\SYSTEM\DWIV\RXKGYNGR.EXE
O4 - HKLM\..\Run: [ipxkel] C:\WINDOWS\SYSTEM\goew\ipxkel.exe
O4 - HKLM\..\Run: [ajpv] C:\WINDOWS\SYSTEM\sfbvn\ajpv.exe
O4 - HKLM\..\Run: [ntsxyoh] c:\windows\system\ntsxyoh.exe
O4 - HKLM\..\Run: [NTCSSPJK] C:\WINDOWS\SYSTEM\BWLSXMNP\NTCSSPJK.EXE
O4 - HKLM\..\Run: [LSQA] C:\WINDOWS\SYSTEM\YNGGDPGJ\LSQA.EXE
O4 - HKLM\..\Run: [QVVX] C:\WINDOWS\SYSTEM\SRJXKEIK\QVVX.EXE
O4 - HKLM\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\DEFWATCH.EXE
O4 - HKLM\..\RunServices: [rtvscn95] c:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [pcAnywhere Agent] C:\Program Files\Symantec\pcAnywhere\pcamgt.exe
O4 - HKLM\..\RunServices: [SR_Service] C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - Startup: papa.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://endeavor/qp2.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0006.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = rmld
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = res2.ns.algx.net,res3.ns.algx.net,res1.ns.algx.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.86.143.242,165.117.128.5,206.205.242.132
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)


Any thoughts?
  • 0

#2
dannykaye (Topic Starter, New Member, 3 posts)
Logfile of HijackThis v1.99.1
Scan saved at 2:20:17 PM, on 9/19/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ATI2EVXX.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
C:\PROGRAM FILES\SYMANTEC\PCANYWHERE\PCAMGT.EXE
C:\PROGRAM FILES\CHECKPOINT\SECUREMOTE\BIN\SR_WATCHDOG.EXE
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\CHECKPOINT\SECUREMOTE\BIN\SR_SERVICE.EXE
C:\PROGRAM FILES\CHECKPOINT\SECUREMOTE\BIN\SR_GUI.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATI2CWXX.EXE
C:\CFGSAFE\AUTOCHK.EXE
C:\PROGRAM FILES\THINKPAD\UTILITIES\TPHKMGR.EXE
C:\WINDOWS\SYSTEM\ATIPTAXX.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
C:\WINDOWS\SYSTEM\PTSWRAUP.EXE
C:\WINDOWS\SYSTEM\MEDGS1.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RTRTGT.EXE
C:\WINDOWS\SYSTEM\DWIV\RXKGYNGR.EXE
C:\WINDOWS\SYSTEM\GOEW\IPXKEL.EXE
C:\WINDOWS\SYSTEM\SFBVN\AJPV.EXE
C:\WINDOWS\SYSTEM\NTSXYOH.EXE
C:\WINDOWS\SYSTEM\BWLSXMNP\NTCSSPJK.EXE
C:\WINDOWS\SYSTEM\YNGGDPGJ\LSQA.EXE
C:\WINDOWS\SYSTEM\SRJXKEIK\QVVX.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\PROGRAM FILES\MAILSKINNER\MAILSKINNER.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\INSEARCH.EXE
C:\WINDOWS\BUDDY.EXE
C:\WINDOWS\DESKTOP\NEW FOLDER (2)\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.erh.noaa.gov/er/box/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\PROGRAM FILES\SURFSIDEKICK 3\SSKBHO.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38-1.dll
O2 - BHO: (no name) - {A18B47F4-3433-CB6E-0E01-CB7F06BEB11D} - C:\WINDOWS\SYSTEM\pcehgsba\rnyjcqes.dll
O2 - BHO: (no name) - {4FCE855C-9150-67FC-5630-4ED7D8E545C1} - C:\WINDOWS\Ppbdqppb.dll
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Ati2cwxx] Ati2cwxx.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\AUTOCHK.EXE
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\THINKPAD\UTILIT~2\TPHKMGR.EXE
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\SYSTEM\PSof1.
O4 - HKLM\..\Run: [testit.exe] C:\WINDOWS\SYSTEM\testit.exe
O4 - HKLM\..\Run: [ptswraup] c:\windows\system\ptswraup.exe
O4 - HKLM\..\Run: [MedGS] C:\WINDOWS\SYSTEM\MEDGS1.exe
O4 - HKLM\..\Run: [OPR] C:\WINDOWS\SYSTEM\OPR.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\WUAUCLT.DLL,SHStart
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\rtrtgt.exe reg_run
O4 - HKLM\..\Run: [RXKGYNGR] C:\WINDOWS\SYSTEM\DWIV\RXKGYNGR.EXE
O4 - HKLM\..\Run: [ipxkel] C:\WINDOWS\SYSTEM\goew\ipxkel.exe
O4 - HKLM\..\Run: [ajpv] C:\WINDOWS\SYSTEM\sfbvn\ajpv.exe
O4 - HKLM\..\Run: [ntsxyoh] c:\windows\system\ntsxyoh.exe
O4 - HKLM\..\Run: [NTCSSPJK] C:\WINDOWS\SYSTEM\BWLSXMNP\NTCSSPJK.EXE
O4 - HKLM\..\Run: [LSQA] C:\WINDOWS\SYSTEM\YNGGDPGJ\LSQA.EXE
O4 - HKLM\..\Run: [QVVX] C:\WINDOWS\SYSTEM\SRJXKEIK\QVVX.EXE
O4 - HKLM\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Windows Incontext] C:\WINDOWS\TEMP\INSEARCH.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ATIPOLAB] ati2evxx.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [defwatch] C:\PROGRA~1\NORTON~1\DEFWATCH.EXE
O4 - HKLM\..\RunServices: [rtvscn95] c:\PROGRA~1\NORTON~1\rtvscn95.exe
O4 - HKLM\..\RunServices: [pcAnywhere Agent] C:\Program Files\Symantec\pcAnywhere\pcamgt.exe
O4 - HKLM\..\RunServices: [SR_Service] C:\Program Files\CheckPoint\SecuRemote\bin\SR_Watchdog.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - HKCU\..\RunServices: [SurfSideKick 3] C:\PROGRAM FILES\SURFSIDEKICK 3\Ssk.exe
O4 - HKCU\..\RunServices: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - Startup: papa.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://endeavor/qp2.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0006.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = rmld
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = res2.ns.algx.net,res3.ns.algx.net,res1.ns.algx.net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.86.143.242,165.117.128.5,206.205.242.132
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)


Thanks.
Danny Kaye
  • 0
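The two logs above are plain text in HijackThis's section-prefixed format (R0, O2, O4, O10, O17 and so on). As an added example, not code from the thread or from the HijackThis project, here is a small offline triage script that parses those entry lines and attaches review flags for the kinds of entries a helper looks at first: O10 lines (the log itself already reports the Winsock stack as hijacked), O17 lines that set DNS name servers or search lists, O18 filters whose DLL is missing, and O4 autoruns launched from a TEMP folder or from a short, all-letter subfolder of C:\WINDOWS\SYSTEM. The 3-to-8-letter folder pattern is my assumption, drawn from the shape of the six such entries in the log; the sample input is an excerpt of the second log posted above. A flag means "look at this", not "this is malware".

```python
"""Offline triage of a HijackThis v1.99.1 log (added example, not HijackThis code)."""
import re
from dataclasses import dataclass, field

# Every findings line looks like "O4 - <body>" / "R0 - <body>"; header and
# "Running processes:" lines do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")

# Heuristic (assumption): an autorun image in a short all-letter subfolder of
# C:\WINDOWS\SYSTEM, optionally followed by arguments. Legitimate folders such
# as KB891711 contain digits and therefore do not match.
RANDOM_SYSTEM_DIR_RE = re.compile(
    r"^c:\\windows\\system\\[a-z]{3,8}\\[a-z]{3,8}\.exe(?:\s.*)?$", re.I)


@dataclass
class Entry:
    kind: str                      # HijackThis section, e.g. "O4", "O17"
    body: str                      # everything after "Oxx - "
    flags: list = field(default_factory=list)


def parse_log(text: str) -> list:
    """Return the Rn/Fn/Nn/On entries of a log in their original order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def autorun_command(body: str) -> str:
    """Extract the launched command from an O4 body ("[name] cmd" or "Startup: file")."""
    if "] " in body:
        return body.split("] ", 1)[1]
    return body.split(": ", 1)[-1]


def flag_entry(e: Entry) -> Entry:
    """Attach review flags in place; no flags means 'not flagged', not 'clean'."""
    if e.kind == "O10":
        e.flags.append("Winsock stack hijack reported by HijackThis")
    elif e.kind == "O17" and re.search(r"\b(NameServer|SearchList)\b", e.body):
        e.flags.append("DNS settings written to the registry; confirm with ISP/admin")
    elif e.kind == "O18" and e.body.endswith("(no file)"):
        e.flags.append("MIME filter registered but its DLL is missing")
    elif e.kind == "O4":
        cmd = autorun_command(e.body)
        if "\\temp\\" in cmd.lower():
            e.flags.append("autorun from a TEMP folder")
        if RANDOM_SYSTEM_DIR_RE.match(cmd):
            e.flags.append("autorun from a random-looking subfolder of SYSTEM")
    return e


def triage(text: str):
    """Return (per-section counts, flagged entries) for a whole log."""
    entries = [flag_entry(e) for e in parse_log(text)]
    counts = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts, [e for e in entries if e.flags]


# Excerpt of the second log posted in the thread (raw string keeps the backslashes).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 2:20:17 PM, on 9/19/05
Running processes:
C:\WINDOWS\EXPLORER.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.erh.noaa.gov/er/box/
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [RXKGYNGR] C:\WINDOWS\SYSTEM\DWIV\RXKGYNGR.EXE
O4 - HKLM\..\Run: [ipxkel] C:\WINDOWS\SYSTEM\goew\ipxkel.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\WINDOWS\TEMP\INSEARCH.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - Startup: papa.exe
O10 - Hijacked Internet access by New.Net
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 207.86.143.242,165.117.128.5,206.205.242.132
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
"""

if __name__ == "__main__":
    counts, flagged = triage(SAMPLE_LOG)
    print("entries per section:", counts)
    for e in flagged:
        print(f"{e.kind}: {e.body}\n    -> " + "; ".join(e.flags))
```

The parser deliberately keeps entries in log order, because helpers on these forums read a log top to bottom and reply with the lines to fix in that same order; the heuristics are a first pass and still need a person to compare each flagged path against what is actually installed on the machine.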

#3
Buckeye_Sam (Malware Expert, 10,019 posts)
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you. :tazz:

You have numerous instances of malware showing in your log so this will take a few steps.

First step:
Run HijackThis. Click on "Open the Misc Tools section". Next click on "Open uninstall manager".
Press the button 'save list'. It will open a Notepad file. Place the content of that file here in your next post.
  • 0

#4
dannykaye (Topic Starter, New Member, 3 posts)
Thanks, Buckeye_Sam.
I already dealt with the issue quite forcefully. :) It was not my computer and all the info was retrieved from it. So I whipped out the ol' restoration disk and threatened the machine to obey or else :) ...it chose or else = good as new. :tazz:
Thanks for getting back to me though.

Danny Kaye
  • 0
