Have a Look at Hijack_This Log Pls

  • Thread starter Thread starter bu2
  • Start date Start date
B

bu2

Any constructive comment will be appreciated:

Please have a look at my Hijack_This Log given below and advise
if there is anything I should worry about. My PC is a bit slower lately.

I appear to have (according to Trend Micro PC-Cillin Internet
Security 2005 "Scan for Spyware" feature an ADW_ELITEBAR.D
Trojan.

I have used several methods to get rid of it as well as advice and
direct involvement of some kind souls. So far the thing is still there.
Or is it? Could it just be PC-Cillin glitch claiming "The Bar" is there
when it is not.

A number of softwares do not even "see" it. PC-Cillin "deletes"
it but it comes back immediately or it seems so. XOFT sw did
not see it but says my (home page) search bar may have been
hijacked.

PC-Cillin regular scan as well as SpyHunter, MS Antispyware (Beta)
and some other softwares are unable to even see it.

My friend GianCarlo of the SimplyTech suggested it is not an ELITEBAR
but a clever Trojan pretending to be it.

I run MS Windows XP Home SP2, two firewalls (Trend Micro and XP) and
what I mentioned above. What follows is aforementioned log:

C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Antivirus\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet
Explorer provided by Sympatico
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Omnipage] C:\Program
Files\ScanSoft\OmniPageSE\opware32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE
C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EPSON Stylus C62 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S0BIC1.EXE /P23 "EPSON Stylus
C62 Series" /O6 "USB001" /M "Stylus C62"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD
Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program
Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet
Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE
C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. -
C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. -
C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend
Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~3\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro
Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~3\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. -
C:\PROGRA~1\TRENDM~1\INTERN~3\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. -
C:\PROGRA~1\TRENDM~1\INTERN~3\tmproxy.exe
 
From: "bu2" <[email protected]>

|

< HJT log snipped >

As an Anti Virus News Group, this is NOT the place to post HJT logs.
There are specific places to post, and parse, the logs.

For a start -- http://www.hijackthis.de/

I will suggest you perform the following...

Dump the contents of the IE Temporary Internet Folder cache (TIF)

start --> settings --> control panel --> internet options --> delete files

1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Ad-aware SE (free personal version v1.05)
http://www.lavasoftusa.com/

Trend Sysclean Method 1
---------------------------------------
Create a directory.
On drive "C:\"
(e.g., "c:\sysclean")

Download SYSCLEAN.COM and place it in that directory.
Download the signature files (pattern files) by obtaining the ZIP file.
For example; lpt530.zip

Extract the contents of the ZIP file and place the contents in the same directory as
SYSCLEAN.COM.

Trend Sysclean Method 2
---------------------------------------
Download the utility SYSCLEAN_FE in "Procedure 1" at the following URL, SYSCLEAN_FE
automates the download and execution process of the Trend Sysclean Package.
http://www.ik-cs.com/got-a-virus.htm

2) Update Ad-aware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode and shutdown as many applications as possible.
5) Using both the Trend Sysclean utility and Ad-aware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP,Re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

* Please report back your results *
 
David H. Lipman said:
From: "bu2" <[email protected]>
Click to expand...
Trend Sysclean Method 1
---------------------------------------
Click to expand...
<SNIP>

I did as instructed and the Sysclean Method 1 finds nothing i.e. all's okay.

The PC-Cillin AV Scan never finds ADW_ELITEBAR.D and neither did
any other software. The PC-Cillin feature "Scan for Spyware" still thinks
it's found it and after prompting it "deletes" it. A repeated check finds
it.

XOFT run earlier thought my search has been hijacked. And I believe there
is something there. If it's just spying to see what I look at - although I
don't
like it - I could live with it, but I am afraid of something worse.

I will report on method 2 later.

Thanks again.
 
From: "bu2" <[email protected]>


|
| I did as instructed and the Sysclean Method 1 finds nothing i.e. all's okay.
|
| The PC-Cillin AV Scan never finds ADW_ELITEBAR.D and neither did
| any other software. The PC-Cillin feature "Scan for Spyware" still thinks
| it's found it and after prompting it "deletes" it. A repeated check finds
| it.
|
| XOFT run earlier thought my search has been hijacked. And I believe there
| is something there. If it's just spying to see what I look at - although I
| don't
| like it - I could live with it, but I am afraid of something worse.
|
| I will report on method 2 later.
|
| Thanks again.
|


If you mean XoftSpy
That's JUNK !
http://www.spywarewarrior.com/rogue_anti-spyware.htm#xos_note
 
Thanks. Yes I meant Xoftspy. I cannot comment on how good they are
but I appreciate you pointing out the note. It's funny at the end of the
"free"
run they asked for $50 to clean the junk. And nothing like my problem
appeared to be there. I declined.

I may sound like real silly but I will ask anyway:
in my windows\temp directory I recently found and deleted a bunch
of things. May be they were harmless or even necessary at one time.
What scared me a bit was a pink colored icon called install.exe
and its properties pointed to "Chief's installer Pro for Windows" and
copyright Dr. Abimbola A. Olowofoyehm (The African Chief).

Does this mean anything to anyone?
 
From: "bu2" <[email protected]>

| Thanks. Yes I meant Xoftspy. I cannot comment on how good they are
| but I appreciate you pointing out the note. It's funny at the end of the
| "free"
| run they asked for $50 to clean the junk. And nothing like my problem
| appeared to be there. I declined.
|
| I may sound like real silly but I will ask anyway:
| in my windows\temp directory I recently found and deleted a bunch
| of things. May be they were harmless or even necessary at one time.
| What scared me a bit was a pink colored icon called install.exe
| and its properties pointed to "Chief's installer Pro for Windows" and
| copyright Dr. Abimbola A. Olowofoyehm (The African Chief).
|
| Does this mean anything to anyone?

It doen't mean anything to me -- sorry. But deleting it is good. ;-)
 
After trying all kinds of things I decided to clean up my PC by
deleting all traces of any suspicious software that otherwise may
not necessary.

I also included SpyHunter and MS Antispyware Beta. After the reboot
the Trend Micro PC-Cillin's Check for Spyware feature comes up
clean.

I am not sure but I believe it was either a clash between various anti
virus/anti spyware applications or MS Antispyware Beta monitors or
influences searches and PC-Cillin saw "ADW_ELITEBAR.D" which
kept coming back after being deleted.

Thanks for your help and advice. I learned quite a bit in the process.
 
From: "bu2" <[email protected]>

| After trying all kinds of things I decided to clean up my PC by
| deleting all traces of any suspicious software that otherwise may
| not necessary.
|
| I also included SpyHunter and MS Antispyware Beta. After the reboot
| the Trend Micro PC-Cillin's Check for Spyware feature comes up
| clean.
|
| I am not sure but I believe it was either a clash between various anti
| virus/anti spyware applications or MS Antispyware Beta monitors or
| influences searches and PC-Cillin saw "ADW_ELITEBAR.D" which
| kept coming back after being deleted.
|
| Thanks for your help and advice. I learned quite a bit in the process.


here is some more for you. Always check the Syware Warrior web sites for rogue and/or
deceptive anti spayware applications.

Notes on SpyHunter
http://www.spywarewarrior.com/rogue_anti-spyware.htm#sh_note
 
Back
Top