Ask Me Help Desk

Ask Me Help Desk (https://www.askmehelpdesk.com/forum.php)
-   Antivirus (https://www.askmehelpdesk.com/forumdisplay.php?f=408)
-   -   Elitum.elitebar Virus/Trojan problem (https://www.askmehelpdesk.com/showthread.php?t=8017)

  • Feb 25, 2005, 02:36 AM
    boud
    Elitum.elitebar Virus/Trojan problem
    Hai all,

    I am one of the unfortunate people who has the Elitum.Elitebar virus/trojan. It drives me nuts. Can someone help me, PLEASE?

    Gr. Boud

    My log of hijack is:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:35:28, on 25-2-2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\Program Files\DeskAd Service\DeskAdServ.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\DeskAd Service\DeskAdKeep.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\WINDOWS\system32\ANTIVIRUS.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Symantec Shared\NMain.exe
    C:\DOCUME~1\BOUDEW~1\LOCALS~1\Temp\Tijdelijke map 3 voor hijackthis.zip\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http:\\www.headstartservice.nl
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar.dll
    O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
    O4 - HKLM\.. \Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\.. \Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\.. \Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\.. \Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\.. \Run: [nwiz] nwiz.exe /install
    O4 - HKLM\.. \Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\.. \Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\.. \Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\.. \Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
    O4 - HKLM\.. \Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
    O4 - HKLM\.. \Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\.. \Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\.. \Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\.. \Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\.. \Run: [antiware] C:\windows\system32\elitesav32.exe
    O4 - HKLM\.. \Run: [antivirus32] ANTIVIRUS.EXE
    O4 - HKCU\.. \Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\.. \RunOnce: [antivirus32] ANTIVIRUS.EXE
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http:\\www.headstartservice.nl
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
    O23 - Service: Norton AntiVirus Auto-Protect (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • Feb 25, 2005, 06:15 AM
    Nez
    Spyware
    Hopefully your anti-virus spyware is up to date. Either go to http://www.download.com or http://www.majorgeeks.com and download Adaware SE, Spybot Search and Destroy, Spyblaster, and CCleaner. Then let them scan your PC. (All are freeware).

    Once that is complete, let them all scan again in safe mode.

    Restart your PC, then while it's going through the motions, i.e. monitor screen goes blank, keep pressing F8 on top row of your keyboard. Look at available options and choose safe mode. Run your anti-virus software and all the others, starting with Adaware SE first,then Spybot search and destroy and finally CCleaner.

    Reboot PC.

    All the best,
    Nez.

    P.S. You can also try deleting the temp files in safe mode. Start->my computer.Replace the my computer name in space, and type %temp%. Then press OK. Use CCleaner on recycle bin options.
  • Mar 13, 2005, 12:25 AM
    apsuresh
    EliteBar
    I have the problem of having Elitebar on my PC which is causing a lot of difficulty in working on the PC.. anyone out there who can help... any info received to help me get out of my present predicament would be appreciated
    Regds
  • Mar 13, 2005, 06:18 AM
    ScottGem
    apsuresh,

    Have you run the anti-spyware utilities Nez suggested? Did you try googling the name and see if you can find removal instructions?
  • Mar 13, 2005, 07:32 AM
    fredg
    Trojan
    Hi,
    Nez's answer is very good. It is a re-make of my standard answer for Spyware/Advertising programs , and Trojans. These programs are available all over the net, as Nez pointed out.

    Here it is in full detail:

    If you think you already have Spyware/Advertising Ware in your computer, run these as follows:

    http://www.security-related.com/download2.htm
    Download: SpyBot Search & Destroy; 1.3
    (If you use the Spyware Blaster free program, then don't set SpyBot to the Immunization feature)

    AdAware at:
    http://www.lavasoftusa.com
    Download: AdAware_SE

    CWShredder at:
    http://www.intermute.com/products/cwshredder.html
    (CWShredder is intended only for removal of CoolWebSearch files; placed as spyware on the harddrive). It is not a "stand alone" scan, but needs to be run. Download the free version by clicking on "Download stand alone version of CW Shredder".

    All 3 of the above programs run better and much faster when run in SafeMode.

    To get into SafeMode:
    Re-boot the computer, and immediately after starting up, Press and hold down, F8, at top of keypad.
    When the options show on the screen, use the up and down arrow keys on the keyboard to select
    "Safe Mode".
    Press Enter

    It's best to run the AdAware scan first; 3 times; then re-boot.
    Then, run the AdAware scan again 3 times; then run the SpyBot. Then, run CWShredder.
    Re- Boot.
    Reason for running so many times:
    Some of these trojans' files can be deleted the first time; leaving some others; but on re-boot, they re-write the files that were deleted.
    Running multiple times deletes most of it the first
    Time.

    If you wish to have a great program, after you clean out Spyware/Advertising Ware:
    SpyWare Blaster 3.

    http://www.javacoolsoftware.com/sbdownload.html

    The Spyware Blaster is one of the best at stopping Spyware from getting into the computer in the first place. It is not a scan you have to run, but protects on its own.

    I seriously doubt that any Expert here has the time to go through your HiJack This log and determine what you need to do from it.

    The above free programs, suggested by Nez and myself, will do the job for you automatically. But, if you wish to analyze the HiJackLog yourself, here is a link with good instructions on how to do it (it takes a lot of time):

    http://www.thespykiller.co.uk/hjttut.htm

    Just for information:
    If you wish to add or subtract from an Experts' reputation, or show appreciation or discontent with an answer, click on the "balance scales" icon by the Experts' name. You can then choose what you wish.

    Best wishes,
    fredg
    Update: The Spyware Blaster now has a new version 3.3; available at the above site.
  • Mar 13, 2005, 08:12 AM
    SESaskDFC
    Howdy:

    After running what was suggested above, post another HJT log here.. You have some very obvious nasties on your system that HJT can repair if the others don't clean them..

    Murray

    • All times are GMT -7. The time now is 07:59 PM.