TheTechGuide Forum

General Category => Tech Clinic => Topic started by: sohnir on June 08, 2005, 08:11:25 AM

Title: Removing EliteBar
Post by: sohnir on June 08, 2005, 08:11:25 AM
Hi-
I need help with removing EliteBar. I ran AdAware and SpyBot, but it still keeps coming back.
I followed one of the forums on May-14-2005 opened by wakebrder03 and resolved by "guestolo" in Tech Clinic.
I executed the instructions by guestolo and ran "LQfix.bat" in SAFE mode and rebooted the system. However, I have not executed the "Elite.reg" as it appeared that it was specific to "wakebrder03"'s hijack log.
Although it appears that EliteBar is gone, my Windows Media Player got screwed up and some other popups still appear. I am not sure I have a clean system. There might be some residual bad registry entries.
As you had "Elite.reg" specifically for wakebrder03, could you please look at my hijack log?
Can you please help? If needed, I can upload the hijack log.
Thanks in advance.
Title: Removing EliteBar
Post by: guestolo on June 08, 2005, 01:15:59 PM
Go ahead and post your Hijackthis log here for analysis
Title: Removing EliteBar
Post by: sohnir on June 08, 2005, 01:30:21 PM
Hi-
Thanks for the quick response. I will post the hijack log as soon as I reach home. It is on my home PC.
thanks again for your help.
Title: Removing EliteBar
Post by: sohnir on June 08, 2005, 09:12:50 PM
Logfile of HijackThis v1.99.1
Scan saved at 10:04:51 PM, on 6/8/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Linksys\Wireless Network PC Card\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4mon.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\System32\Promon.exe
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\PDirect.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\RUNDLL32.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\vpnrkn.exe
C:\Program files\ThinkPad\Utilities\tponscr.exe
C:\WINNT\System32\WDBtnMgr.exe
C:\WINNT\System32\winupdt.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Linksys\Wireless Network PC Card\WPC11Cfg.exe
C:\WINNT\System32\nsvsvc\nsvsvc.exe
C:\WINNT\System32\picsvr\picsvr.exe
C:\Documents and Settings\meenavips\My Documents\Tools+Software\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINNT\tct101.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\System32\WinNB57.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\System32\WinNB57.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [PDIRECT] C:\PROGRA~1\ThinkPad\UTILIT~1\PDirect.exe
O4 - HKLM\..\Run: [TP98UTIL] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98.EXE /s
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\System32\wintask.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\vpnrkn.exe reg_run
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\System32\winupdt.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [empin] C:\WINNT\System32\Cache\e121307.Stub.exe
O4 - HKLM\..\Run: [Nsv] C:\WINNT\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINNT\System32\picsvr\picsvr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: DSW IPSec Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\Wireless Network PC Card\WPC11Cfg.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC11 - Unknown owner - C:\Program Files\Linksys\Wireless Network PC Card\NICServ.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
Title: Removing EliteBar
Post by: sohnir on June 08, 2005, 09:15:57 PM
Also, it looks like there are more spyware programs installed. I see a "mirar" bar got installed on my IE. I also saw "IE Optimizer" got installed. I de-installed IE Optimizer from Control Panel -> Remove Programs. However, the IE bar is still there.
Please help.
Thanks.
Title: Removing EliteBar
Post by: sohnir on June 08, 2005, 09:21:17 PM
Just an FYI: the Windows Media Player, PC Doctor for NT and ThinkPad Information programs also appear to be affected, as they have lost their original icons.
Title: Removing EliteBar
Post by: guestolo on June 08, 2005, 09:42:10 PM
Can you do the following for me please

Download and UNZIP to desktop Find_It_NT_2K_XP.zip
Now you have the Find_It_NT_2K_XP folder extracted to desktop
Open the folder and double click on Find.bat
Let this run and finish, give it time
When it's done a log will be produced
Post the log back here please

Could you also open Hijackthis>>Open Misc tools section
Open Uninstall Manager
Click the SAVE LIST button
Save the list to desktop and then copy and paste the contents of it back here
Title: Removing EliteBar
Post by: sohnir on June 08, 2005, 09:57:34 PM
Here is the output file...
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\meenavips\My Documents\Tools+Software\Find It NT-2K-XP

 ------- System Files in System32 Directory -------

 Volume in drive C is WINDOWS2000
 Volume Serial Number is 0A63-11FD

 Directory of C:\WINNT\System32

03/02/2000  11:01a      <DIR>          dllcache
               0 File(s)              0 bytes
               1 Dir(s)   2,600,689,664 bytes free

 ------- Hidden Files in System32 Directory -------

 Volume in drive C is WINDOWS2000
 Volume Serial Number is 0A63-11FD

 Directory of C:\WINNT\System32

06/08/2005  09:47p      <DIR>          nsvsvc
06/08/2005  09:47p      <DIR>          picsvr
03/02/2000  11:31a      <DIR>          GroupPolicy
03/02/2000  11:20a                 271 desktop.ini
03/02/2000  11:20a              21,692 folder.htt
03/02/2000  11:01a      <DIR>          dllcache
               2 File(s)         21,963 bytes
               4 Dir(s)   2,600,681,472 bytes free

 ------------ Files Named "Guard" ---------------

 Volume in drive C is WINDOWS2000
 Volume Serial Number is 0A63-11FD

 Directory of C:\WINNT\System32


 ------ Temp Files in System32 Directory ------

 Volume in drive C is WINDOWS2000
 Volume Serial Number is 0A63-11FD

 Directory of C:\WINNT\System32

12/07/1999  04:00a               2,577 CONFIG.TMP
               1 File(s)          2,577 bytes
               0 Dir(s)   2,600,665,088 bytes free

 ------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"iebar"=""


 ------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


 ------------- Locate.com Results -------------

No matches found.

 -------- Strings.exe Qoologic Results --------


 --------- Strings.exe Aspack Results ---------

C:\WINNT\system32\bmocnoq.exe: .aspack
C:\WINNT\system32\redit.cpl: .aspack

 -------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrackPointSrv"="tp4mon.exe"
"Synchronization Manager"="mobsync.exe /logon"
"IBMPMSVC"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
  32,5c,69,62,6d,70,6d,73,76,63,2e,65,78,65,20,2d,68,65,6c,70,65,72,00
"XircWinModem4"="ltcm000c.exe 9"
"Promon.exe"="Promon.exe"
"SoundFusion"="RunDll32 cwcprops.cpl,CrystalControlWnd"
"PDIRECT"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\PDirect.exe"
"TP98UTIL"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\TP98.EXE /s"
"TpHotkey"="C:\\PROGRA~1\\ThinkPad\\UTILIT~1\\tphkmgr.exe"
"PRPCMonitor"="PRPCUI.exe"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"AUNPS2"="RUNDLL32 AUNPS2.DLL,_Run@16"
"A70F6A1D-0195-42a2-934C-D8AC0F7C08EB"="rundll32.exe E6F1873B.DLL,D9EBC318C"
"WinTask driver"="C:\\WINNT\\System32\\wintask.exe"
"98D0CE0C16B1"="rundll32.exe D0CE0C16B1,D0CE0C16B1"
"KavSvc"="C:\\WINNT\\System32\\vpnrkn.exe reg_run"
"WD Button Manager"="WDBtnMgr.exe"
"winupdtl"="C:\\WINNT\\System32\\winupdt.exe"
"Internet Optimizer"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"empin"="C:\\WINNT\\System32\\Cache\\e121307.Stub.exe"
"Nsv"="C:\\WINNT\\System32\\nsvsvc\\nsvsvc.exe"
"picsvr"="C:\\WINNT\\System32\\picsvr\\picsvr.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"



Title: Removing EliteBar
Post by: sohnir on June 08, 2005, 10:00:19 PM
Here is the software list from Uninstall Mgr.

Ad-Aware SE Personal
Adobe Acrobat 5.0
AOL Instant Messenger
Canon Camera Support Core Library
Canon Camera TWAIN Driver 6.4
Canon Camera Window for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
ConfigSafe
Display Utility
DVDExpress
Google Toolbar for Internet Explorer
HijackThis 1.99.1
hp instant support
hp officejet g series
Intel SpeedStep technology Applet
Intel® PRO Ethernet Adapter and Software
iTunes
Jasc Paint Shop Photo Album
JGsoft EditPad Lite 5.4.0
Microsoft Office Professional Edition 2003
Palm Desktop and Synchronization Software
PC-Doctor for Windows NT
QuickTime
Related Page
Retrospect 6.5
S3 Gamma Utility
S3DuoVue Utility
Shockwave 7.0.3 Player
Spybot - Search & Destroy 1.3
TContext
ThinkPad Configuration
ThinkPad Information
Uninstall Access ThinkPad only
USB Storage Adapter FX_AT (WDC)
VNC 4.0
VPN Client
Western Digital USB Mass Storage Driver Installation
Windows 2000 Service Pack 3
Windows Media Player system update (9 Series)
WinZip
Wireless Network PC Card Configuration Utility
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Messenger Explorer Bar
Yahoo! Toolbar
Title: Removing EliteBar
Post by: sohnir on June 08, 2005, 10:03:42 PM
After I ran LQFix.bat in SAFE mode yesterday, it appears that something is running in the background. There are little windows popping up and disappearing. Some remain on the screen until I kill them.
Thanks for your help.
Title: Removing EliteBar
Post by: sohnir on June 08, 2005, 10:15:40 PM
FYI, when I try to invoke Windows Media Player, it pops up a window, "Browser Enhancer". I know it is not related to Microsoft. At this point, I just kill it. And I see that wmplayer.exe got overwritten on 6/1/2005. Hence, some spyware overwrote the wmplayer.exe. Is that a correct assumption?
Thanks.
Title: Removing EliteBar
Post by: guestolo on June 08, 2005, 11:19:22 PM
This will take a few tries to get you all clean
That's a correct assumption about wmplayer.exe...

Can I have you do the following please

==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup: http://downloads.stevengould.org/cleanup/CleanUp40.exe
Give the link time to load or try it twice, it may be busy
Alternate Download link: http://www.spywareaid.com/index.php?file=showsoftware&action=dl&softid=1&softtype=exe
We'll need this later

Access your Add/Remove programs via Control Panel
Remove these
Related Page
TContext


Afterwards,
Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039?OpenDocument&ExpandSection=4#_Section4
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link I supplied for a more detailed explanation

Set Windows To Show Hidden Files and Folders
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Find and delete these files or folders if found, we'll still have to remove some others later, but try and remove these for now
FILES
C:\WINNT\tct101.dll <-file
C:\WINNT\System32\WinNB57.dll
C:\WINNT\System32\wintask.exe
C:\WINNT\System32\winupdt.exe
C:\WINNT\System32\Cache\e121307.Stub.exe

Search for these files and remove them if found, ensure you are additionally searching in hidden files and folders
E6F1873B.DLL
D9EBC318C
D0CE0C16B1
AUNPS2.DLL


FOLDERS
C:\WINNT\System32\nsvsvc <-this folder
C:\WINNT\System32\picsvr
C:\Program Files\Internet Optimizer

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
DECLINE to Log off when scan is done.

Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINNT\tct101.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\System32\WinNB57.dll

O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINNT\System32\WinNB57.dll

O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [WinTask driver] C:\WINNT\System32\wintask.exe
O4 - HKLM\..\Run: [98D0CE0C16B1] rundll32.exe D0CE0C16B1,D0CE0C16B1
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\vpnrkn.exe reg_run

O4 - HKLM\..\Run: [winupdtl] C:\WINNT\System32\winupdt.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [empin] C:\WINNT\System32\Cache\e121307.Stub.exe
O4 - HKLM\..\Run: [Nsv] C:\WINNT\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINNT\System32\picsvr\picsvr.exe

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)


After you have ticked the above entries, close All other open windows,
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

RESTART back to Normal mode

Back in Windows
Can you do the following please
Download the trial version of tds-3 anti trojan from here:
http://www.diamondcs.com.au/tds/downloads/tds3setup.exe
Install it and Restart your computer when and if prompted
Don't run a scan yet

When you're back in Windows it's important to update the latest RADIUS database

IMPORTANT>>>

Follow this link on how to update it>> follow the instructions carefully
http://tds.diamondcs.com.au/index.php?page=update
Use the Manual update procedure
Again, don't run a scan yet

After TDS3 is updated

Reboot back to Safe mode
Launch TDS-3. In the top bar of tds window click system testing> full systemscan.
Let it completely finish scanning---Even if it appears to hesitate at times
Give this time to finish
Detections will appear in the lower pane of the TDS window after the scan is finished. Right click the list> select save as txt.>> save this to a convenient location, I'll need to see it later

After saving the scandump.txt go ahead and right click the list of alarms again, this time select delete...only delete those with POSITIVE IDENTIFICATION

After you have removed the ones with positive Identification

Restart back to Normal mode

After you have done the above
Post back the scandump.txt from TDS-3 file and a new Hijackthis log
Could you also let me know what other files you see in this folder
C:\WINNT\System32\Cache <-this folder

Could you also
download FindQoologic from here:
http://forums.net-integration.net/index.php?act=Attach&type=post&id=134981
UNZIP the contents within to desktop
Open the extracted folder and double click on Find-Qoologic2.bat
Wait for the log and post it back here
Title: Removing EliteBar
Post by: sohnir on June 09, 2005, 07:20:11 AM
As per your instructions, I removed TContext and it went away. But the "Related Page" does not. It pops up an ad with radio buttons and when answering NO to each request, it does not de-install. What do I do with "Related Page"? I think that's the one that shows up on IE on top of the Google Bar.

I will perform the rest of the steps later today and post an update.
Thanks.
Title: Removing EliteBar
Post by: Guest on June 10, 2005, 05:47:25 AM
I performed all the steps you suggested. Here are all the dumps and the log files.

###  scandump.txt from TDS-3 ##############
Scan Control Dumped @ 05:46:22 10-06-05
RegVal Trace: Suspicious: HKEY_LOCAL_MACHINE
  File: Software\Microsoft\Windows\CurrentVersion\Run [KavSvc=C:\WINNT\System32\vpnrkn.exe reg_run]

Positive identification: TrojanDownloader.Win32.Small.akz3
  File: c:\temporary\aun_0015.exe

Positive identification: Trojan.Win32.StartPage.nk10
  File: c:\winnt\protector.exe

Positive identification: TrojanDownloader.Win32.Qoologic.o
  File: c:\winnt\system32\pkvqa.dat

Positive identification: TrojanDownloader.Win32.Qoologic.o
  File: c:\winnt\system32\vpnrkn.exe

Positive identification: TrojanDownloader.Win32.Qoologic.n1
  File: c:\winnt\system32\bmocnoq.exe

Positive identification (DLL): Adware.Toolbar.Mirar.a (dll)
  File: c:\winnt\system32\windmy.dll

Positive identification (DLL): TrojanDownloader.Win32.Braidupdate.d (dll)
  File: c:\winnt\system32\stlb2.dll

Positive identification: TrojanDropper.Win32.Agent.lu
  File: c:\winnt\system32\cache\installaps.exe

Positive identification: TrojanDropper.Win32.Delf.z4
  File: c:\winnt\system32\cache\helperinstall.exe

Positive identification: TrojanDropper.Win32.Small.wd
  File: c:\winnt\system32\cache\ssk3_b5 advagency.exe

Positive identification (embedded in file): TrojanDownloader.Win32.Small.abd
  File: c:\winnt\system32\cache\setup1024.exe

Positive identification: TrojanDropper.Win32.Agent.hl
  File: c:\winnt\system32\cache\setup1024.exe

Positive identification: TrojanDownloader.Win32.Apropo.ab1
  File: c:\winnt\system32\cache\cxtpls_loader.exe

Positive identification (embedded in file): Adware.Toolbar.Mirar.a (dll)
  File: c:\winnt\system32\cache\876004.exe

Positive identification (embedded in file): Adware.Toolbar.Mirar (dll)
  File: c:\winnt\system32\cache\876004.exe

Positive identification: TrojanDownloader.Win32.Qoologic.o
  File: c:\documents and settings\all users\start menu\programs\startup\nitd.exe

Positive identification: TrojanDownloader.Win32.Qoologic.o
  File: c:\documents and settings\meenavips\local settings\temporary internet files\content.ie5\pqrakcmw\2.8.7.4[1].exe

Positive identification <Adv>: Possible keylogger
  File: c:\documents and settings\meenavips\my documents\tools+software\ufwin\setuprw.exe

Positive identification <Adv>: Possible keylogger
  File: c:\documents and settings\meenavips\my documents\tools+software\ufwin\backup\setuprw.exe

Positive identification: Trojan.Win32.StartPage.nk10
  File: c:\program files\sdf_bad.exe

Positive identification: TrojanDownloader.Win32.Small.apm
  File: c:\program files\windows media player\wmplayer.exe

Positive identification (DLL): Adware.MiniBug (dll)
  File: c:\program files\aws\weatherbug\minibugtransporter.dll

Positive identification: TrojanDownloader.Win32.VB.eu
  File: c:\program files\fwbartemp_bad\searchbar.exe

################
Title: Removing EliteBar
Post by: Guest on June 10, 2005, 05:48:34 AM
#########  New Hijack Log ###########
Logfile of HijackThis v1.99.1
Scan saved at 6:45:41 AM, on 6/10/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Linksys\Wireless Network PC Card\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4mon.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\System32\Promon.exe
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\PDirect.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\WDBtnMgr.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
C:\Program files\ThinkPad\Utilities\tponscr.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Linksys\Wireless Network PC Card\WPC11Cfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\vpnrkn.exe
C:\Documents and Settings\meenavips\My Documents\Tools+Software\hijackthis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINNT\System32\stlb2.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINNT\System32\stlb2.dll (file missing)
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [PDIRECT] C:\PROGRA~1\ThinkPad\UTILIT~1\PDirect.exe
O4 - HKLM\..\Run: [TP98UTIL] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98.EXE /s
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\vpnrkn.exe reg_run
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: DSW IPSec Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\Wireless Network PC Card\WPC11Cfg.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC11 - Unknown owner - C:\Program Files\Linksys\Wireless Network PC Card\NICServ.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

###################
Title: Removing EliteBar
Post by: Guest on June 10, 2005, 05:51:20 AM
c:\WINNT\system32\Cache <- Contents below
###################
dist006.exe
SmartDownload.exe
ven_d1.exe
weirdontheweb_ventura2.exe
################

These look like spyware. Should I delete them?
Title: Removing EliteBar
Post by: Guest on June 10, 2005, 05:59:55 AM
Here is a synopsis of all my runs of your suggestions, in detail:
1) I was not able to uninstall Related Page from Control Panel -> Add/Remove Programs. It still exists there. It pops up an ad window and does not delete unless I click one of their choices. How do I get rid of "Related Page"?
2) Not able to find C:\WINNT\System32\Cache\e121307.Stub.exe and hence cannot delete it
3) Cannot find D9EBC318C and hence cannot delete it
4) C:\Program Files\Internet Optimizer <- did not exist
5) In the final step, before I ran Find-Qoologic2.bat (normal start after running TDS-3), I got the following Windows message: RUNDLL -> Error loading stlb2.dll -> The specified module could not be found
6) Lastly I am uploading the output of Find-Qoologic2.bat
Thanks again. I look forward to hearing your feedback.
Title: Removing EliteBar
Post by: Guest on June 10, 2005, 06:01:23 AM
#### OUTPUT from Find-Qoologic2.bat ########


PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
* KavSvc  C:\WINNT\System32\VPNRKN.EXE
* KavSvc  C:\WINNT\System32\ZRGPIGB.DLL
* KavSvc  C:\WINNT\System32\SUPDATE.DLL
* KavSvc  C:\WINNT\System32\PUDCK.DLL
* aspack  C:\WINNT\System32\BMOCNOQ.EXE
* aspack  C:\WINNT\System32\REDIT.CPL
* UPX!  C:\WINNT\System32\VPNRKN.EXE
* UPX!  C:\WINNT\System32\ZRGPIGB.DLL
* UPX!  C:\WINNT\System32\SUPDATE.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»  

* exe  C:\docume~1\alluse~1\startm~1\programs\startup\NITD.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f8593c

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
 .
 ..
 AUTOCHK.LNK
 Acrobat Assistant.lnk
 DSW IPSec Client.lnk
 Instant Wireless Configuration Utility.lnk
 nitd.exe

User Startup:
C:\Documents and Settings\meenavips\Start Menu\Programs\Startup
 .
 ..
 HotSync Manager.lnk

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»  

####################
Title: Removing EliteBar
Post by: Guest on June 10, 2005, 06:02:28 AM
There is still some residual stuff that I can see.
A "Registry Cleaner" ad just popped up.
Thanks again.
Title: Removing EliteBar
Post by: sohnir on June 10, 2005, 06:03:47 AM
All the updates above are done by sohnir; Sorry I forgot to login and I did not realize that it allows guest forum updates.
Title: Removing EliteBar
Post by: guestolo on June 11, 2005, 06:59:48 PM
Sorry for the delay. If you have rebooted since your last post, things may have changed a bit.
Can you do the following please

* Download the Killbox by Option^Explicit (http://www.atribune.org/downloads/KillBox.exe). *In the event you already have Killbox, this is a new version that I need you to download.
* Save it to your desktop or a folder

Open a Notepad file..Go to START>>RUN>>Type in notepad
Hit OK

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

Killbox file paths to copy and paste to Notepad between dotted lines
===========================================
C:\WINNT\System32\VPNRKN.EXE
C:\WINNT\System32\PUDCK.DLL
C:\WINNT\System32\BMOCNOQ.EXE
C:\WINNT\System32\REDIT.CPL
C:\WINNT\System32\ZRGPIGB.DLL
C:\WINNT\System32\SUPDATE.DLL
c:\documents and settings\all users\start menu\programs\startup\nitd.exe
C:\WINNT\System32\stlb2.dll
c:\WINNT\system32\Cache\dist006.exe
c:\WINNT\system32\Cache\SmartDownload.exe
c:\WINNT\system32\Cache\ven_d1.exe
c:\WINNT\system32\Cache\weirdontheweb_ventura2.exe

===================================================
*  Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button.  Click "Yes" at the Delete on Reboot prompt.  Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.  

Back in Windows, don't worry about any error messages

Do another scan with Hijackthis and put a check next to these entries:

O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINNT\System32\stlb2.dll (file missing)

O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINNT\System32\stlb2.dll (file missing)

O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\vpnrkn.exe reg_run


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer again

Back in windows

Run another scan with hijackthis and post a fresh log

I need you to run a fresh scan with Find-Qoologic2.bat
Let it finish and post the Whole log from it
Make sure you don't cut out the bottom part of the log
You cut the last one off at
»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»
I need to see everything below this line too :)
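The cross-check the helper does by hand in this post, as an added Python example (not code from the thread, nor from HijackThis, Killbox or Find-Qoologic): every path the scanner flagged becomes a Killbox entry, and every HijackThis O2/O3/O4 line that launches one of those files, points at a file already reported missing, or is the rundll32 launcher for such a file becomes a line to tick. The sample logs are constructed from the lines quoted above; the regexes and the `launched_module` heuristic are this example's own.

```python
"""Added example for this thread (not code from the forum, HijackThis, Killbox or
Find-Qoologic): builds the Killbox list and the HijackThis fix list from the logs."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: scanner lines copied from the Find-Qoologic2 output posted above.
QOOLOGIC_OUTPUT = r"""
»»»» Files found »»»»
* KavSvc  C:\WINNT\System32\VPNRKN.EXE
* KavSvc  C:\WINNT\System32\ZRGPIGB.DLL
* KavSvc  C:\WINNT\System32\SUPDATE.DLL
* aspack  C:\WINNT\System32\BMOCNOQ.EXE
* UPX!  C:\WINNT\System32\VPNRKN.EXE
»»»» startup files»»»»
* exe  C:\docume~1\alluse~1\startm~1\programs\startup\NITD.EXE
"""

# Constructed sample: HijackThis lines copied from the logs quoted in this thread.
HJT_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINNT\System32\stlb2.dll (file missing)
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINNT\System32\stlb2.dll (file missing)
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\vpnrkn.exe reg_run
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: nitd.exe
"""

HIT_RE = re.compile(r"^\*\s+(\S+)\s+(.+?)\s*$")                   # "* tag  path"
RUN_RE = re.compile(r"^O4 - .+?: \[.+?\] (.+)$")                   # Run-key value
STARTUP_RE = re.compile(r"^O4 - (?:Global )?Startup: (.+?)(?: = (.+))?$")
CLSID_RE = re.compile(r"^O[23] - .+? - \{[0-9A-Fa-f-]+\} - (.+?)( \(file missing\))?$")
EXEC_EXT = (".exe", ".dll", ".cpl", ".scr", ".com", ".bat")


def launched_module(command: str) -> str:
    """Lower-case basename of the file a startup command really loads."""
    words = command.strip().split()
    if not words:
        return ""
    if words[0].strip('"').lower().startswith("rundll32"):
        # rundll32 is only the host process; the payload is the DLL argument.
        target = words[1].split(",")[0] if len(words) > 1 else words[0]
    elif words[0].startswith('"'):
        target = command.strip()[1:].split('"', 1)[0]
    else:
        # HijackThis prints unquoted paths that contain spaces, so grow the
        # first token word by word until it ends in an executable extension.
        target, i = words[0], 1
        while not target.lower().endswith(EXEC_EXT) and i < len(words):
            target, i = target + " " + words[i], i + 1
    return target.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_hjt(text: str) -> List[Tuple[str, str, bool]]:
    """(log line, module it loads, HijackThis said '(file missing)') per O2/O3/O4 entry."""
    entries: List[Tuple[str, str, bool]] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := RUN_RE.match(line):
            entries.append((line, launched_module(m.group(1)), False))
        elif m := STARTUP_RE.match(line):
            entries.append((line, launched_module(m.group(2) or m.group(1)), False))
        elif m := CLSID_RE.match(line):
            entries.append((line, launched_module(m.group(1)), m.group(2) is not None))
    return entries


def correlate(qoologic_text: str, hjt_text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (paths to give Killbox, [(HijackThis line to tick, reason), ...])."""
    hits: Dict[str, Set[str]] = {}                 # scanner path -> tags that hit it
    for m in filter(None, map(HIT_RE.match, qoologic_text.splitlines())):
        hits.setdefault(m.group(2), set()).add(m.group(1))
    by_base: Dict[str, Set[str]] = {}
    for path, tags in hits.items():
        by_base.setdefault(path.rsplit("\\", 1)[-1].lower(), set()).update(tags)
    entries = parse_hjt(hjt_text)
    missing = {mod for _, mod, gone in entries if gone}
    to_fix: List[Tuple[str, str]] = []
    for line, mod, gone in entries:
        if mod in by_base:
            to_fix.append((line, "launches a scanner hit (%s)" % ", ".join(sorted(by_base[mod]))))
        elif gone:
            to_fix.append((line, "points at a file that no longer exists"))
        elif mod in missing:
            # e.g. the rundll32 Run value that still loads the BHO DLL Killbox removed
            to_fix.append((line, "launcher for a module reported missing elsewhere in the log"))
    return sorted(hits), to_fix


if __name__ == "__main__":
    paths, to_fix = correlate(QOOLOGIC_OUTPUT, HJT_LOG)
    print("Killbox:", *paths, sep="\n  ")
    print("Fix checked:", *("%s  <- %s" % pair for pair in to_fix), sep="\n  ")
```

Benign entries (the Google BHO, SoundFusion's rundll32 of cwcprops.cpl, iTunesHelper, AUTOCHK) are left alone because nothing in the scan or the log itself implicates them.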
Title: Removing EliteBar
Post by: sohnir on June 13, 2005, 05:42:01 PM
Sorry for the really delayed response. I did not realize that your response was on page 2; I kept looking only at page 1.

I followed all the instructions and here is the hijack log

######################
Logfile of HijackThis v1.99.1
Scan saved at 6:36:55 PM, on 6/13/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Linksys\Wireless Network PC Card\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4mon.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\System32\Promon.exe
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\PDirect.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\WDBtnMgr.exe
C:\Program files\ThinkPad\Utilities\tponscr.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys\Wireless Network PC Card\WPC11Cfg.exe
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\meenavips\My Documents\temp\HijackThis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [PDIRECT] C:\PROGRA~1\ThinkPad\UTILIT~1\PDirect.exe
O4 - HKLM\..\Run: [TP98UTIL] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98.EXE /s
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\vpnrkn.exe reg_run
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: DSW IPSec Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\Wireless Network PC Card\WPC11Cfg.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC11 - Unknown owner - C:\Program Files\Linksys\Wireless Network PC Card\NICServ.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
########################
Title: Removing EliteBar
Post by: sohnir on June 13, 2005, 05:43:52 PM
I am running Find-Qoologic2.bat and will upload its log asap.
Thanks all for your help.
Title: Removing EliteBar
Post by: sohnir on June 13, 2005, 05:52:47 PM
I ran Find-Qoologic2.bat again and found the same results. There are really NO entries found in the "Registry Entries Found" section. Here is the log again from Find-Qoologic2.bat.
Also, we deleted "vpnrkn.exe". Did that have anything to do with VPN connections? Thanks.

#########################
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»  


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f8593c

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
 .
 ..
 AUTOCHK.LNK
 Acrobat Assistant.lnk
 DSW IPSec Client.lnk
 Instant Wireless Configuration Utility.lnk

User Startup:
C:\Documents and Settings\meenavips\Start Menu\Programs\Startup
 .
 ..
 HotSync Manager.lnk

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

#########################
Title: Removing EliteBar
Post by: sohnir on June 13, 2005, 05:55:19 PM
The following was seen in the DOS window where Find-Qoologic2.bat was run. It looks like "reg" was NOT recognized.

Just wait until a text opens please.
Diregard the parameters message
'reg' is not recognized as an internal or external command,
operable program or batch file.
Title: Removing EliteBar
Post by: guestolo on June 13, 2005, 06:46:12 PM
Not sure why you're not getting the full report.
Are you sure you unzipped it before running FindQoologic2.bat?

If you are, can you try downloading this version of FindQoologic2.zip
Unzip it to a different location
Run FindQoologic.bat
Wait for the log and post it back here

Could you also open Hijackthis from this location
C:\Documents and Settings\meenavips\My Documents\Tools+Software
Click on Misc tools sections>>
To the right of Generate Startup list
Put a check in "List all minor sections (full)"
and "List empty sections (complete)"
Then
Click the Generate startup list
A text file will open
Copy and paste the contents back here

Also, let me know if you have any Anti-Virus software to install on your computer to keep more secure
Or do you need a free solution?
Title: Removing EliteBar
Post by: sohnir on June 13, 2005, 08:54:47 PM
I downloaded FindQoologic.bat again and here is the output.
#############################
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»  


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f8593c

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
 .
 ..
 AUTOCHK.LNK
 Acrobat Assistant.lnk
 DSW IPSec Client.lnk
 Instant Wireless Configuration Utility.lnk

User Startup:
C:\Documents and Settings\meenavips\Start Menu\Programs\Startup
 .
 ..
 HotSync Manager.lnk

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»  
 
»»»»»»»»»»»»»»»»»»»»»»»»» Active setup »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
"Find activesetup", version1, launched at: 21:44
Operating System: Windows 2000


HKLM\Software\Microsoft\Active Setup\Installed Components\
">{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\(Default)" = "Windows Media Player"
                                        \StubPath   = "C:\WINNT\inf\unregmp2.exe /ShowWMP" [MS]

################################
Title: Removing EliteBar
Post by: sohnir on June 13, 2005, 08:57:19 PM
Here is the startup list from HijackThis. Is this the list that will start up, or did it just read it from the Registry and display it for us?

Also, yes, I would like to have a free anti-virus solution.

Thanks.


#### Startup list from HijackThis #################
StartupList report, 6/13/2005, 9:52:09 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\meenavips\My Documents\Tools+Software\hijackthis.EXE
Detected: Windows 2000 SP3 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Linksys\Wireless Network PC Card\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4mon.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\System32\Promon.exe
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\PDirect.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\WDBtnMgr.exe
C:\Program files\ThinkPad\Utilities\tponscr.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Linksys\Wireless Network PC Card\WPC11Cfg.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\meenavips\My Documents\Tools+Software\hijackthis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\meenavips\Start Menu\Programs\Startup]
HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
DSW IPSec Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\Wireless Network PC Card\WPC11Cfg.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TrackPointSrv = tp4mon.exe
Synchronization Manager = mobsync.exe /logon
XircWinModem4 = ltcm000c.exe 9
Promon.exe = Promon.exe
SoundFusion = RunDll32 cwcprops.cpl,CrystalControlWnd
PDIRECT = C:\PROGRA~1\ThinkPad\UTILIT~1\PDirect.exe
TP98UTIL = C:\PROGRA~1\ThinkPad\UTILIT~1\TP98.EXE /s
TpHotkey = C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
PRPCMonitor = PRPCUI.exe
iTunesHelper = C:\Program Files\iTunes\iTunesHelper.exe
WD Button Manager = WDBtnMgr.exe
KavSvc = C:\WINNT\System32\vpnrkn.exe reg_run

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Yahoo! Pager = C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINNT\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = notepad.exe %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[4d325e44-9433-4e21-b96b-74dd37668bdc] *
StubPath = C:\WINNT\System32\bmocnoq.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINNT\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINNT\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINNT\Explorer\Explorer.exe: not present
C:\WINNT\System\Explorer.exe: not present
C:\WINNT\System32\Explorer.exe: not present
C:\WINNT\Command\Explorer.exe: not present
C:\WINNT\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINNT
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - c:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[DirectAnimation Java Classes]
CODEBASE = file://C:\WINNT\Java\classes\dajava.cab
OSD = C:\WINNT\Downloaded Program Files\DirectAnimation Java Classes.osd

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINNT\Java\classes\xmldso.cab
OSD = C:\WINNT\Downloaded Program Files\Microsoft XML Parser for Java.osd

[YInstStarter Class]
InProcServer32 = C:\WINNT\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/yinst/yinst_current.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINNT\System32\rnr20.dll
NameSpace #2: C:\WINNT\System32\winrnr.dll
Protocol #1: C:\WINNT\system32\msafd.dll
Protocol #2: C:\WINNT\system32\msafd.dll
Protocol #3: C:\WINNT\system32\msafd.dll
Protocol #4: C:\WINNT\system32\rsvpsp.dll
Protocol #5: C:\WINNT\system32\rsvpsp.dll
Protocol #6: C:\WINNT\system32\msafd.dll
Protocol #7: C:\WINNT\system32\msafd.dll
Protocol #8: C:\WINNT\system32\msafd.dll
Protocol #9: C:\WINNT\system32\msafd.dll
Protocol #10: C:\WINNT\system32\msafd.dll
Protocol #11: C:\WINNT\system32\msafd.dll
Protocol #12: C:\WINNT\system32\msafd.dll
Protocol #13: C:\WINNT\system32\msafd.dll
Protocol #14: C:\WINNT\system32\msafd.dll
Protocol #15: C:\WINNT\system32\msafd.dll
Protocol #16: C:\WINNT\system32\msafd.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Embedded Controller Driver: System32\DRIVERS\ACPIEC.sys (system)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Intel AGP Bus Filter: System32\DRIVERS\agp440.sys (system)
Alerter: %SystemRoot%\System32\services.exe (manual start)
Application Management: %SystemRoot%\system32\services.exe (manual start)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k BITSgroup (manual start)
Computer Browser: %SystemRoot%\System32\services.exe (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: C:\WINNT\System32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
Microsoft ACPI Control Method Battery Driver: System32\DRIVERS\CmBatt.sys (manual start)
Microsoft Composite Battery Driver: System32\DRIVERS\compbatt.sys (system)
Cisco Systems VPN Adapter: System32\DRIVERS\CVirtA.sys (manual start)
Cisco Systems, Inc. VPN Service: "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" (autostart)
DSW IPsec Driver: \??\C:\WINNT\System32\Drivers\CVPNDRVA.sys (autostart)
Crystal SoundFusion(tm) Driver: system32\drivers\cwcspud.sys (manual start)
Crystal SoundFusion(tm) SPuD3 Driver: system32\drivers\cwcspud3.sys (manual start)
Crystal SoundFusion(tm) WDM Driver: system32\drivers\cwcwdm.sys (manual start)
DHCP Client: %SystemRoot%\System32\services.exe (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\services.exe (autostart)
Microsoft DirectMusic SW Synth (WDM): system32\drivers\DMusic.sys (manual start)
Deterministic Network Enhancer Miniport: System32\DRIVERS\dne2000.sys (manual start)
DNS Client: %SystemRoot%\System32\services.exe (autostart)
Print Class Driver for IEEE-1284.4 hpoipr07: System32\DRIVERS\hpoipr07.sys (manual start)
Intel® PRO Adapter Driver: System32\DRIVERS\e100bnt5.sys (manual start)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINNT\System32\svchost.exe -k netsvcs (manual start)
Fax Service: %systemroot%\system32\faxsvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Crystal SoundFusion(tm) Game Port: System32\DRIVERS\gameenum.sys (manual start)
GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
IEEE-1284.4 Driver hpoid407: System32\DRIVERS\hpoid407.sys (manual start)
USB to IEEE-1284.4 Translation Driver hpoius07: System32\DRIVERS\hpoius07.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
IBMPMDRV: System32\DRIVERS\ibmpmdrv.sys (manual start)
IBM PM Service: %SystemRoot%\System32\ibmpmsvc.exe (autostart)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (manual start)
IrDA Protocol: System32\DRIVERS\irda.sys (autostart)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
Infrared Monitor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\services.exe (autostart)
Workstation: %SystemRoot%\System32\services.exe (autostart)
TCP/IP NetBIOS Helper Service: %SystemRoot%\System32\services.exe (autostart)
Xircom MPCI+ Modem 56 WinGlobal Driver: System32\DRIVERS\ltck000C.sys (manual start)
LT Modem Driver: System32\DRIVERS\ltmdmnt.sys (manual start)
Messenger: %SystemRoot%\System32\services.exe (autostart)
NetMeeting Remote Desktop Sharing: C:\WINNT\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINNT\System32\msdtc.exe (manual start)
Windows Installer: C:\WINNT\System32\MsiExec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
neo20xx: System32\DRIVERS\neo20xx.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
NetDetect: \SystemRoot\system32\drivers\netdtect.sys (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NICSer_WPC11: C:\Program Files\Linksys\Wireless Network PC Card\NICServ.exe (autostart)
NSC Infrared Device Driver: System32\DRIVERS\nscirda.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
Office Source Engine: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (manual start)
PalmUSBD: system32\drivers\PalmUSBD.sys (manual start)
Parallel class driver: System32\DRIVERS\parallel.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (system)
PCANDIS5 Protocol Driver: \??\C:\WINNT\system32\PCANDIS5.SYS (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
Pcmcia: System32\DRIVERS\pcmcia.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
PMEM: \??\C:\WINNT\System32\Drivers\pmemnt.sys (autostart)
IPSEC Policy Agent: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Protected Storage: %SystemRoot%\system32\services.exe (autostart)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (IrDA Modem): System32\DRIVERS\rasirda.sys (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Microsoft Streaming Network Raw Channel Access: system32\drivers\RCA.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Registry Service: %SystemRoot%\system32\regsvc.exe (autostart)
Retrospect Launcher: C:\Program Files\Dantz\Retrospect\retrorun.exe (autostart)
Retrospect WD Service: C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe (autostart)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe -s (manual start)
S3SavageMX: System32\DRIVERS\s3savmxm.sys (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\system32\MSTask.exe (autostart)
RunAs Service: %SystemRoot%\system32\services.exe (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Smapint: System32\drivers\Smapint.sys (system)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
Still Image Service: %systemroot%\system32\stisvc.exe (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
Microsoft System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
TDSMAPI: System32\Drivers\TDSMAPI.SYS (system)
Telnet: %SystemRoot%\system32\tlntsvr.exe (manual start)
TPPWR: System32\drivers\Tppwr.sys (system)
Distributed Link Tracking Client: %SystemRoot%\system32\services.exe (autostart)
IBM PS/2 TrackPoint Filter Driver: System32\DRIVERS\TwoTrack.sys (manual start)
Microsoft USB Universal Host Controller Driver: System32\DRIVERS\uhcd.sys (manual start)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Standard Hub Driver: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Utility Manager: %SystemRoot%\System32\UtilMan.exe (manual start)
V7: \??\C:\WINNT\system32\Drivers\V7.SYS (autostart)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
vsdatant: \??\C:\WINNT\System32\vsdatant.sys (manual start)
Windows Time: %SystemRoot%\System32\services.exe (manual start)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
USB Storage Adapter FX_AT (WDC): System32\DRIVERS\WDCFX_AT.SYS (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
Windows Management Instrumentation: %SystemRoot%\System32\WBEM\WinMgmt.exe (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Windows Management Instrumentation Driver Extensions: %SystemRoot%\system32\Services.exe (manual start)
Instant Wireless Network PC Card V3.0 Driver: System32\DRIVERS\LSWLNDS.sys (manual start)
Automatic Updates: %systemroot%\system32\svchost.exe -k wugroup (autostart)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*Registry key not found*

--------------------------------------------------

End of report, 29,706 bytes
Report generated in 0.371 seconds

Command line options:
   /verbose  - to add additional info on each section
   /complete - to include empty sections and unsuspicious data
   /full     - to include several rarely-important sections
   /force9x  - to include Win9x-only startups even if running on WinNT
   /forcent  - to include WinNT-only startups even if running on Win9x
   /forceall - to include all Win9x and WinNT startups, regardless of platform
   /history  - to list version history only


##############################
Title: Removing EliteBar
Post by: sohnir on June 13, 2005, 08:59:10 PM
What I really wanted to ask you was: did the last run of HijackThis update the registry with a list of startup programs, or did it just dump it to a flat file?
Thanks.
Title: Removing EliteBar
Post by: guestolo on June 13, 2005, 10:52:25 PM
Not sure what you're asking me in the last reply
But I was just checking on some other entries in the registry

Can you do the following for me please
Download and UNZIP to your desktop Export.zip
So you now have Export.bat on your desktop
Double click on Export.bat and a text file called Export.txt will be placed also on your desktop
Copy and paste back the whole contents please
Title: Removing EliteBar
Post by: sohnir on June 14, 2005, 05:23:03 AM
Here is the export.zip output.
1) My question on the last update was whether we exported the startup list or we enforced one by giving a startup list?
2) Also, you mentioned a free solution for virus protection. Is there one available?
Thanks.


###############
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fxqgnqkg]
@="{d6d1a954-3930-48d9-ad0d-b1830a104f8b}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu]
@="{A470F8CF-A1E8-4f65-8335-227475AA5C46}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TDS-3]
@="{E8ADA3E1-CE9B-44A0-A165-997304EF4E18}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip]
@="{E0D79304-84BE-11CE-9641-444553540000}"

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail]
@="{5464D816-CF16-4784-B9F3-75C0DB52B499}"
##########################
Title: Removing EliteBar
Post by: sohnir on June 14, 2005, 05:24:06 AM
Also, how does my system look? It rebooted by itself on the last startup.
Title: Removing EliteBar
Post by: guestolo on June 14, 2005, 10:43:53 PM
Exported the startup list >> and checked other areas that may get hijacked
Thanks for your patience :)

Can you do the following please

Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop, we'll need this later, don't run it yet
Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KavSvc"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4d325e44-9433-4e21-b96b-74dd37668bdc}]

[-HKEY_CLASSES_ROOT\CLSID\{4d325e44-9433-4e21-b96b-74dd37668bdc}]

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fxqgnqkg]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d6d1a954-3930-48d9-ad0d-b1830a104f8b}]


Next: Could you go to this link please and install a free Anti-virus software
called AVG 7
http://free.grisoft.com/doc/2/lng/us/tpl/v5
Scroll down and click on
AVG Free Edition installation files
File   Version
avg70free_323a539.exe <-this link, or similar
Download the installer and save it to the desktop
Run the installer to install AVG 7
Restart the computer if prompted, ensure the virus definitions are up to date
Don't run a scan yet

Reboot into safe mode
Double click on fix.reg and Allow to add or Merge to the registry

Run a full system scan with AVG in safe mode, allowing it to fix whatever it finds

Afterwards, restart back to Normal mode

Run another scan with Hijackthis and post a fresh log
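As an added example (not code from this thread, from HijackThis or from AVG), a Python script that reads a fix.reg like the one above back as a list of operations and cross-checks it against the Export.txt posted earlier: it confirms the fix deletes both the fxqgnqkg context-menu handler and the CLSID its default value points to. The .reg text embedded in it is copied from the two posts above; the function and class names are my own.

```python
"""Preview what a REGEDIT4 fix file will do before it is merged.

The fix.reg in this thread uses three constructs:
    [KEY]        open the key (regedit creates it if absent)
    [-KEY]       delete the key and everything under it
    "Name"=-     delete one value from the key opened above
The earlier export uses the "Windows Registry Editor Version 5.00" header
and @="..." for a key's default value.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
HANDLERS = "HKEY_CLASSES_ROOT\\*\\shellex\\ContextMenuHandlers\\"


@dataclass(frozen=True)
class RegOp:
    action: str                  # open_key | delete_key | delete_value | set_value
    key: str
    name: Optional[str] = None   # value name; "@" is the key's default value
    data: Optional[str] = None   # right-hand side of a set_value, quotes removed


def parse_reg(text: str) -> List[RegOp]:
    """Turn .reg text into an ordered list of operations; raises on malformed input."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing REGEDIT4 / Windows Registry Editor header")
    ops: List[RegOp] = []
    current: Optional[str] = None
    for ln in lines[1:]:
        if not ln or ln.startswith(";"):
            continue                     # blank line or comment
        if ln.startswith("[") and ln.endswith("]"):
            body = ln[1:-1]
            if body.startswith("-"):
                current = None           # value lines cannot follow a deleted key
                ops.append(RegOp("delete_key", body[1:]))
            else:
                current = body
                ops.append(RegOp("open_key", body))
            continue
        if current is None:
            raise ValueError(f"value line outside an open key: {ln!r}")
        if ln.startswith("@"):
            name, rest = "@", ln[1:]
        elif ln.startswith('"'):
            end = ln.index('"', 1)       # value names containing \" are not handled
            name, rest = ln[1:end], ln[end + 1:]
        else:
            raise ValueError(f"unrecognised value line: {ln!r}")
        rest = rest.strip()
        if not rest.startswith("="):
            raise ValueError(f"missing '=' in value line: {ln!r}")
        rhs = rest[1:].strip()
        if rhs == "-":
            ops.append(RegOp("delete_value", current, name))
        else:
            # string data is quoted; dword:/hex: data is kept as written
            quoted = len(rhs) >= 2 and rhs[0] == rhs[-1] == '"'
            ops.append(RegOp("set_value", current, name, rhs[1:-1] if quoted else rhs))
    return ops


def context_menu_handlers(export_ops: List[RegOp]) -> Dict[str, str]:
    """Map each ContextMenuHandlers subkey in an export to the CLSID in its default value."""
    return {op.key[len(HANDLERS):]: op.data for op in export_ops
            if op.action == "set_value" and op.name == "@" and op.key.startswith(HANDLERS)}


def fix_removes_handler(fix_ops: List[RegOp], handler: str, clsid: str) -> bool:
    """True when the fix deletes both the handler registration and the COM class it points at."""
    deleted = {op.key.lower() for op in fix_ops if op.action == "delete_key"}
    handler_key = (HANDLERS + handler).lower()
    class_keys = {("HKEY_CLASSES_ROOT\\CLSID\\" + clsid).lower(),
                  ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\" + clsid).lower()}
    return handler_key in deleted and bool(deleted & class_keys)


# Sample input copied from this thread: two handlers from the Export.txt posting ...
EXPORT_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fxqgnqkg]
@="{d6d1a954-3930-48d9-ad0d-b1830a104f8b}"
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With]
@="{09799AFB-AD67-11d1-ABCD-00C04FC30936}"
"""

# ... and the fix.reg posted in reply (blank lines dropped; the parser ignores them).
FIX_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KavSvc"=-
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4d325e44-9433-4e21-b96b-74dd37668bdc}]
[-HKEY_CLASSES_ROOT\CLSID\{4d325e44-9433-4e21-b96b-74dd37668bdc}]
[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fxqgnqkg]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d6d1a954-3930-48d9-ad0d-b1830a104f8b}]
"""

if __name__ == "__main__":
    fix = parse_reg(FIX_REG)
    for op in fix:
        print(op.action, op.key, op.name or "")
    for handler, clsid in context_menu_handlers(parse_reg(EXPORT_REG)).items():
        print(handler, "removed by fix:", fix_removes_handler(fix, handler, clsid))
```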
Title: Removing EliteBar
Post by: sohnir on June 16, 2005, 09:33:50 PM
Followed all the steps and here is the hijack log after that:

###########################
Logfile of HijackThis v1.99.1
Scan saved at 10:29:56 PM, on 6/16/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Linksys\Wireless Network PC Card\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4mon.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\System32\Promon.exe
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\PDirect.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program files\ThinkPad\Utilities\tponscr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINNT\System32\WDBtnMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Linksys\Wireless Network PC Card\WPC11Cfg.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINNT\System32\wuauclt.exe
C:\Documents and Settings\meenavips\My Documents\Tools+Software\hijackthis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [PDIRECT] C:\PROGRA~1\ThinkPad\UTILIT~1\PDirect.exe
O4 - HKLM\..\Run: [TP98UTIL] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98.EXE /s
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\YAHOO!\MESSEN~1\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: DSW IPSec Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\Wireless Network PC Card\WPC11Cfg.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC11 - Unknown owner - C:\Program Files\Linksys\Wireless Network PC Card\NICServ.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

#######################
Title: Removing EliteBar
Post by: guestolo on June 16, 2005, 10:49:49 PM
That's looking good now
How's everything on your end?

You should set up protection against future attacks

SpywareBlaster 3.4 by JavaCool: http://www.javacoolsoftware.com/spywareblaster.html
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer
After installation, Check for updates and then click the "Enable all protection"

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
Tutorial: http://www.bleepingcomputer.com/forums/index.php?showtutorial=53
Download link: https://netfiles.uiuc.edu/ehowes/www/resource.htm#IESPYAD

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
For SpywareBlaster, after every update simply click "Enable all protection"

You should also visit Windows updates and install all Latest Critical updates and Service Packs
This is important in keeping your system secure

EDIT>>If Windows Media Player is no longer working
You can download wmplayer.exe for your version, I believe you are using Media Player 9
From this link
http://www.spywareinfo.com/~merijn/winfiles.html
Download and unzip to your C:\Program Files\Windows Media Player folder
Title: Removing EliteBar
Post by: sohnir on July 06, 2005, 06:34:09 AM
Hi-
I would really like to thank you for the help. The computer is looking good. Also, I would like to contribute to this site; as it helped me in resolving the problem.

Could you please let me know the easiest and safest way to do it?

Also, I saw one more pop-up today again. How do we diagnose that? Can you please help?

Thanks,

Title: Removing EliteBar
Post by: guestolo on July 06, 2005, 09:12:51 PM
Forgot to lock this topic :)
Can you please repost a fresh hijackthis log to this thread
Title: Removing EliteBar
Post by: sohnir on September 05, 2005, 11:48:30 AM
Hi-
Here is the fresh hijack log. Can you please take a look?
Thanks.
################################

Logfile of HijackThis v1.99.1
Scan saved at 12:43:55 PM, on 9/5/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Linksys\Wireless Network PC Card\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\tp4mon.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\System32\Promon.exe
C:\WINNT\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\PDirect.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98.EXE
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\WINNT\System32\PRPCUI.exe
C:\Program files\ThinkPad\Utilities\tponscr.exe
C:\WINNT\System32\WDBtnMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\CFGSAFE\AUTOCHK.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Linksys\Wireless Network PC Card\WPC11Cfg.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\MyDoc-06062005\Tools+Software\hijackthis.exe

O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [IBMPMSVC] %SystemRoot%\System32\ibmpmsvc.exe -helper
O4 - HKLM\..\Run: [XircWinModem4] ltcm000c.exe 9
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [PDIRECT] C:\PROGRA~1\ThinkPad\UTILIT~1\PDirect.exe
O4 - HKLM\..\Run: [TP98UTIL] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98.EXE /s
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: AUTOCHK.LNK = C:\CFGSAFE\AUTOCHK.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: DSW IPSec Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\Wireless Network PC Card\WPC11Cfg.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: PCANotify - C:\WINNT\SYSTEM32\PCANotify.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - IBM Corp. - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NICSer_WPC11 - Unknown owner - C:\Program Files\Linksys\Wireless Network PC Card\NICServ.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
############################
Title: Removing EliteBar
Post by: guestolo on September 05, 2005, 12:15:57 PM
It looks good

If you still have the trial version of TDS3 installed on your computer go ahead and uninstall it

Afterwards, if this entry in your log related to TDS3 is still found,
you can check it and click "Fix checked" in HijackThis with all other windows closed:
O1 - Hosts: 64.91.255.87 www.dcsresearch.com

The only thing you should do is visit Windows updates and install Service Pack 4
Make sure you keep up on all Critical updates