TheTechGuide Forum
General Category => Tech Clinic => Topic started by: xJackx410 on April 16, 2005, 08:39:44 AM
-
New to the forums, hey all. I've got pop-ups being launched when I'm not even connected to the internet. And when I look in my startup folder in msconfig I see this:
elitexab32
It says its location is software/microsoft/windows/currentversion/run
I can't find that folder either.
Well, anyway, here is my HijackThis log file.
Thanks for the help.
Logfile of HijackThis v1.99.1
Scan saved at 9:35:01 AM, on 4/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\xJackx\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.offeroptimizer.com/sidebar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.offeroptimizer.com/sidebar.htm
R3 - Default URLSearchHook is missing
O2 - BHO: kz515Obj Class - {0000005D-C175-4405-BAC5-1F3B2BAF67C6} - C:\WINDOWS\kz515.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nse4F.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitexab32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/18c610fdaf9b1658a721/netzip/RdxIE601.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {A44B714B-EE0F-453E-9300-A69B321FEF6C} (MaxisSimsFamilyTeleX Control) - http://thesims.ea.com/teleport/families/MaxisSimsFamilyTeleX.cab
O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/ydropper/ydropper1_1us.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E6317197-6624-43AD-B34C-0A7BBE04C2D0}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
-
You show signs of possibly having a newer infection on your computer.
Ensure you try all steps to see if we can get you clean.
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Next: download and UNZIP to desktop
Elite Toolbar Removal Tool (http://www.majorgeeks.com/download4465.html)
from that link.
When that's done,
can you download and UNZIP to desktop
RKFILES
Click here (http://www.thetechguide.com/forum/index.php?act=Attach&type=post&id=148)
Also, download and UNZIP to desktop Begin.zip
so you have Begin.reg and Export.bat on the desktop.
Afterwards:
Please print this out or save these instructions to a Notepad file and save it to your Desktop.
RESTART your computer in SAFE MODE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4)
You can do this by tapping the F8 key as the system is restarting, after the single POST beep, or use the link I supplied for a more detailed explanation.
Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service:
name: System Startup Service
Double click on it, STOP the service if running.
In the drop down menu, change the startup type to Disabled.
Find and delete these files if found
C:\WINDOWS\svcproc.exe <-file
C:\WINDOWS\kz515.dll
C:\WINDOWS\System32\nse4F.dll
If the next folder is found, please delete it
C:\WINDOWS\SYSTEM32\cache32_rtneg3 <-folder, let me know if you found it
Do a disk cleanup
Go to START>>RUN>>type in
cleanmgr
Hit OK
Ensure temp and temp internet files are checked
Open HijackThis>>Open Misc Tools Section>>Open "Delete an NT Service"
Copy and paste or type the next entry in bold into the blank box and hit OK
SvcProc
Do another scan with Hijackthis and put a check next to these entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.offeroptimizer.com/sidebar.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.offeroptimizer.com/sidebar.htm
R3 - Default URLSearchHook is missing
O2 - BHO: kz515Obj Class - {0000005D-C175-4405-BAC5-1F3B2BAF67C6} - C:\WINDOWS\kz515.dll
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nse4F.dll
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitexab32.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/18c610fdaf9b1658a721/...ip/RdxIE601.cab
After you have ticked the above entries, close all other open windows, including this one.
Leave HijackThis open and click FIX CHECKED.
OK the prompt and exit HijackThis.
Double click on begin.reg and allow it to merge into the registry.
In safe mode, double click on RKfiles.bat and let it finish scanning
Be patient
When it's done, it will create a log, by default the log is saved at
C:\log.txt
Run the EliteToolbar Remover
Restart back to Normal mode
Back in Windows,
post that log back here along with the log from RKfiles.bat (C:\log.txt).
Could you also double click on Export.bat and post the log it produces?
Post back a fresh HijackThis log too.
AFTER posting the above 3 logs, could you also download and UNZIP
Find_It's.zip (http://forums.net-integration.net/index.php?act=Attach&type=post&id=142443)
After unzipping, open the folder Find_It's.
Double click on Find_It's.bat and wait for the log,
and post it back here.
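The reply above triages the posted log by eye. As an added example (not HijackThis's own code and not from anyone in this thread), here is a small Python parser for these log lines with the same three checks written out: IE search settings pointing at a host other than the default page, autostart files living under the Windows directory, and services with no listed owner. The sample lines are copied from the log posted above; the section regexes, the rule names and the `exe_path` helper are my own.

```python
import re
from urllib.parse import urlparse
# Constructed sample: a subset of the log lines posted in this thread, with one legitimate hit per rule kept.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.offeroptimizer.com/sidebar.htm
O2 - BHO: kz515Obj Class - {0000005D-C175-4405-BAC5-1F3B2BAF67C6} - C:\WINDOWS\kz515.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitexab32.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""
# One regex per section handled here (written from the log format above); lines of other sections are skipped.
PATTERNS = {
    "R1": re.compile(r"^R1 - (?P<key>[^,]+),(?P<name>[^=]+?) = (?P<value>.+)$"),
    "O2": re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$"),
    "O4": re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<path>.+)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$"),
}

def parse_hjt(text):
    """One dict per recognised line, tagged with its HijackThis section code."""
    entries = []
    for line in text.splitlines():
        section = line.split(" - ", 1)[0]
        if section in PATTERNS and (m := PATTERNS[section].match(line)):
            entries.append({"section": section, **m.groupdict()})
    return entries

def exe_path(cmd):
    """Binary path from an O4 command line: a quoted path, or the text up to the extension."""
    m = re.match(r'^"([^"]+)"|^(.+?\.(?:exe|dll|bat|com))', cmd.strip(), re.I)
    return (m.group(1) or m.group(2)) if m else cmd.strip()

def triage(entries):
    """The three checks the reply makes by hand, as (rule, entry name, detail) tuples.
    They are leads for a human to judge, not verdicts: MSConfig and McShield are legitimate hits."""
    home = next((e["value"] for e in entries if e["section"] == "R1" and e["name"] == "Default_Page_URL"), "")
    findings = []
    for e in entries:
        if e["section"] == "R1" and e["value"].startswith("http"):
            host = urlparse(e["value"]).hostname
            if host != urlparse(home).hostname:  # search setting points away from the default page host
                findings.append(("search-redirect", e["name"], host))
        elif e["section"] in ("O2", "O4"):
            path = exe_path(e["path"]) if e["section"] == "O4" else e["path"]
            if path.lower().split("\\")[1:2] == ["windows"]:  # autostart file under the Windows tree
                findings.append(("autostart-in-windows-dir", e["name"], path))
        elif e["section"] == "O23" and e["owner"] == "Unknown owner":
            findings.append(("unowned-service", e["name"], e["path"]))
    return findings
```

Run against the full log, the rules surface the entries the reply asks to fix (kz515.dll, elitexab32.exe, SvcProc, the offeroptimizer search settings) alongside a few legitimate entries, which is why the human pass in the reply still matters.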