View Full Version : no idea what virus i have but here is the log


PeeMonkey
6 Aug 2005, 5:42am
This is a friend's computer and I'm trying to fix it. I'm thinking the virus is these 2 files:

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedub32.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe

but I can't get rid of them, help please.

Logfile of HijackThis v1.99.1
Scan saved at 9:40:04 PM, on 8/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\etb\pokapoka62.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\J Ramos\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\regedit.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://adshttp.com/servlet/ajrotator/121229/0/viewHTML?zone=enternet
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedub32.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Shadow2018
6 Aug 2005, 3:26pm
No sign of a virus but the 2 files you point towards are part of some adware called "elitebar." To fix this please follow these instructions:

Download Ad-Aware SE (http://www.majorgeeks.com/Ad-Aware_SE_Personal_d506.html) and save the setup file to your desktop. Run the setup file for Ad-Aware SE and create a shortcut to your desktop. Open Ad-Aware and update this with the latest definitions. Exit this for now.

Download Spybot Search & Destroy (http://www.majorgeeks.com/SpyBot-Search_&_Destroy_d2471.html). Follow the same instructions for the setup as you did with Ad-Aware SE and then exit Spybot for now.

Make sure all hidden system files/folders are visible:

Open my computer>click tools>click folder options>click view tab>check show hidden files>uncheck hide file extensions>click apply>click OK>exit


Open "my computer"> click control panel>click add/remove programs> find the elitebar entry and uninstall it.


Run Hijack This. Close all other open windows. Place a checkmark next to these entries and click Fix Checked:

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedub32.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe

Reboot into safe mode. To enter safe mode>reboot your system>at the start up screen tap the F8 button until a menu appears>select "safe mode" from that menu.


Now delete these files or directories:

C:\windows\system32\elitedub32.exe
C:\WINDOWS\etb

Run a "full system scan" with Ad-Aware SE and Spybot Search & Destroy. Remove all files found.

Reboot into normal mode.

Run two of these online scans:

http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm

http://www.bitdefender.com/scan8/ie.html

http://housecall.trendmicro.com/


There may be some files that are not removed by one or both of the scans. Please include this information in your next post along with a new Hijack This log.
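
The triage done by eye in the reply above can be scripted; the following is an added example, not part of either post and not HijackThis's own code. It parses the `O4` autorun lines of a HijackThis log, lists those whose executable lives outside Program Files, and cross-checks each against the "Running processes" section. The "outside Program Files" rule, the function names and the embedded sample (a subset of the log in this thread) are assumptions of the example; a listed entry is a candidate for review, not a verdict.

```python
import re
from ntpath import normcase  # Windows path rules on any host OS
# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\etb\pokapoka62.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedub32.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.+?)\] (.+)$')
# Image path: either quoted, or unquoted up to the first ".exe" (may contain spaces).
IMAGE_RE = re.compile(r'"([^"]+)"|(.+?\.exe)\b', re.IGNORECASE)
# Assumption: autoruns under Program Files (long or 8.3 short name) are skipped.
EXPECTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\")

def parse_autoruns(log):
    """Return (hive, key, value_name, image_path) for each O4 registry autorun."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            img = IMAGE_RE.match(cmd)
            image = (img.group(1) or img.group(2)) if img else cmd
            entries.append((hive, key, name, image))
    return entries

def running_processes(log):
    """Return normalized paths listed under 'Running processes:' up to the blank line."""
    lines = [l.strip() for l in log.splitlines()]
    procs = set()
    for line in lines[lines.index("Running processes:") + 1:]:
        if not line:
            break
        procs.add(normcase(line))
    return procs

def triage(log):
    """List autoruns outside EXPECTED_ROOTS and whether their image is running now."""
    procs = running_processes(log)
    return [{"name": n, "image": p, "running": normcase(p) in procs}
            for _, _, n, p in parse_autoruns(log)
            if not normcase(p).startswith(EXPECTED_ROOTS)]
```

Calling `triage(SAMPLE_LOG)` returns the `checkrun` and `System service62` entries; only the second is marked as running, which matches `pokapoka62.exe` appearing in the process list of the posted log.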