I fought Elite bar did I win?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by kenneth, Feb 16, 2005.

  1. kenneth

    kenneth Private E-2

    After days of reading and going through all the steps in the sticky, I'd like to post my log so someone could give it the once-over and make sure I've ridded my machine of a bug that has the power to make tmp files unseeable and can also hide the Elitebar kill app from view in regular mode. I'll wait until asked to post it. Thanks
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Kenneth,

    If you have exhausted all Cleaning Options, go ahead and send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been tied up with work lately and cannot visit this forum too often these days, but somebody will try to take a look when they get a chance.

    PP :)
     
  3. kenneth

    kenneth Private E-2

    Attached is this morning's HJ log.
     
  4. kenneth

    kenneth Private E-2

    Another question following the lines of the infection: I worry that at some point something set up a phantom user on my machine. An example is that the kill Elite Bar program can only be seen in its folder while in safe mode, but the readme that goes with it is always there. Another example is that while using KillBox to delete some pesky .tmp files, I checked their properties and, when clicking on accounts, I noticed things changing as the box opened up, almost like the system was hiding a user account. Is that possible? Both Trend and TDS-3 show me clean. I cannot see another account in safe mode either. How could I check to be absolutely sure?

    Thanks for the help
     
  5. TheOldThug

    TheOldThug First Sergeant

    You still have some problems, one being a porn dialer.

    Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    NOW:
    Please look in Task Manager (ctrl-alt-del) and try to END the following running processes, if found:

    shch.exe
    sssasasb32.exe
    elitehlk32.exe

    Now scan with HijackThis and Check the Boxes for the following:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: (no name) - - (no file)
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [antiware] C:\winnt\system32\elitehlk32.exe
    O4 - HKLM\..\Run: [sssasasb32] C:\WINNT\sssasasb32.exe
    O4 - HKLM\..\Run: [SvcH0st] C:\WINNT\shch.exe /i
    O9 - Extra button: Antivirus - {4358161B-A4B8-498E-8019-3DAB50DFD578} - http://www.accesoplugin.com/prom/a_virus2/?l=tpc2&ver=14&t=new (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following files if they should remain:

    C:\WINNT\sssasasb32.exe
    C:\WINNT\shch.exe
    C:\winnt\system32\elitehlk32.exe


    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    THEN:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know how your computer is running now and if you had trouble with the above instructions.

    Good luck :)
     
  6. kenneth

    kenneth Private E-2

    Followed your instructions, thank you for making them so clear.
    A few things:

    elitehlk32.exe was not shown in task manager

    In safe mode I found C:\winnt\system32\elitegn32.exe in addition to C:\winnt\system32\elitehlk32.exe. I left it there because, well, I'm not sure if it's a variant or not.

    Spybot only picked up Elitebar and fixed it, or so it says.

    New log attached; all seems OK. I think there may still be junk in the log.

    Thanks
     
  7. TheOldThug

    TheOldThug First Sergeant

    Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    NOW:
    Please look in Task Manager (ctrl-alt-del) and try to END the following running processes, if found:

    elitehlk32.exe
    elitegn32.exe

    Now scan with HijackThis and Check the Boxes for the following:

    O4 - HKLM\..\Run: [antiware] C:\winnt\system32\elitehlk32.exe
    Do you recognize this next line? If not, fix it:
    O9 - Extra button: Bromas y chistes - {068C36CF-483E-4CA8-A7F2-10EFFDA49C45} - http://www.accesoplugin.com/prom/a_bromas2/?l=tpc2&ver=14&t=new (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following files if they should remain:

    C:\winnt\system32\elitehlk32.exe
    C:\winnt\system32\elitegn32.exe

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    THEN:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know how your computer is running now and if you had trouble with the above instructions.

    Good luck :)
     
  8. kenneth

    kenneth Private E-2

    Followed instructions thank you again for making them so clear.

    Everything seems clean. What about the following?

    O4 - HKLM\..\Run: [Open Site] "C:\Program Files\Open Site\opensite.exe"

    O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} - http://www.accesoplugin.com/dialercab/PPremiumInternacional.cab

    O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - http://www.thesearchmall.com/toolbar/winsrm32.cab

    O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB

    Sorry if I'm getting ahead of you.

    Log file attached
     
  9. TheOldThug

    TheOldThug First Sergeant

    You're doing fine. We are almost done as long as nothing else pops up.

    Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    NOW:
    Please look in Task Manager (ctrl-alt-del) and try to END the following running processes, if found:

    opensite.exe

    Now scan with HijackThis and Check the Boxes for the following:

    O4 - HKLM\..\Run: [Open Site] "C:\Program Files\Open Site\opensite.exe"
    O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} - http://www.accesoplugin.com/dialercab/PPremiumInternacional.cab
    O16 - DPF: {41D13E9A-BB94-402A-8502-AFA78526B63D} (iiittt Class) - http://www.thesearchmall.com/toolbar/winsrm32.cab
    O16 - DPF: {E62A47D8-74B1-4A93-963A-E5E43B7CC5C2} (UCSearch.ucUCSearch) - http://www.zuvio.com/opnste/UCSearch.CAB

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following file(s) and folder(s) if they should remain:

    C:\Program Files\Open Site <---The Whole Folder

    If you get an error when deleting a file, right-click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.


    NEXT:

    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know how your computer is running now and if you had trouble with the above instructions.

    Good luck :)
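    The helper's replies above (post 5 and this one) sort HijackThis lines into three buckets by eye: orphaned entries that point at a missing file, autostart entries whose executable sits in an odd place or carries a lookalike name such as "SvcH0st", and O16 ActiveX packages from sites the user does not recognise. The script below is an added example, not something from the thread or from the HijackThis project, that applies those same heuristics to a constructed log made of the lines quoted in the thread plus one benign Run entry. The trusted-domain allowlist, the lookalike process names and the verdict labels are assumptions chosen for illustration; a "review" or "suspicious" verdict is a prompt to check the file, not proof of infection.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: the HijackThis lines quoted in the thread, plus one
# constructed benign Run entry (ExampleVendor) so the "ok" path is exercised.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - - (no file)
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\elitehlk32.exe
O4 - HKLM\..\Run: [sssasasb32] C:\WINNT\sssasasb32.exe
O4 - HKLM\..\Run: [SvcH0st] C:\WINNT\shch.exe /i
O9 - Extra button: Antivirus - {4358161B-A4B8-498E-8019-3DAB50DFD578} - http://www.accesoplugin.com/prom/a_virus2/?l=tpc2&ver=14&t=new (file missing)
O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} - http://www.accesoplugin.com/dialercab/PPremiumInternacional.cab
O4 - HKLM\..\Run: [Example Benign] C:\Program Files\ExampleVendor\tray.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag such as "O4"
    verdict: str   # "orphan", "suspicious", "review" or "ok"
    reason: str
    line: str


ORPHAN_MARKERS = ("(no file)", "(file missing)")
# Legitimate software almost never autostarts an .exe dropped directly into the Windows root.
WINDOWS_ROOTS = ("c:\\winnt", "c:\\windows")
# Core process names that malware imitates with digit-for-letter swaps (assumed list).
LOOKALIKE_TARGETS = {"svchost", "explorer", "lsass", "csrss", "winlogon"}
# Assumed allowlist: O16 ActiveX packages from anywhere else get a "review" verdict.
TRUSTED_DPF_DOMAINS = ("microsoft.com", "windowsupdate.com")

O4_RE = re.compile(r"O4 - .*?\[(?P<label>[^\]]*)\]\s+\"?(?P<path>[A-Za-z]:\\.*?\.exe)", re.IGNORECASE)
O1_RE = re.compile(r"O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
O16_RE = re.compile(r"O16 - DPF: .*?(?P<url>https?://\S+)")


def _looks_like(name: str) -> bool:
    """True when a name imitates a core process once 0->o and 1->l swaps are undone."""
    stem = name.lower()
    return stem not in LOOKALIKE_TARGETS and stem.translate(str.maketrans("01", "ol")) in LOOKALIKE_TARGETS


def classify(line: str) -> Finding:
    """Apply the thread's triage heuristics to one HijackThis log line."""
    section = line.split(" ", 1)[0]
    if any(marker in line for marker in ORPHAN_MARKERS):
        return Finding(section, "orphan", "entry points at a file that no longer exists", line)

    if m := O1_RE.match(line):
        # A hosts entry that maps a name to anything but localhost redirects traffic.
        if m["ip"] not in ("127.0.0.1", "::1", "0.0.0.0"):
            return Finding(section, "suspicious", f"hosts file redirects {m['host']} to {m['ip']}", line)
        return Finding(section, "ok", "hosts entry only blocks a name", line)

    if m := O4_RE.match(line):
        parent, exe = m["path"].lower().rsplit("\\", 1)
        if _looks_like(m["label"]) or _looks_like(exe[:-4]):
            return Finding(section, "suspicious", "autostart name imitates a core Windows process", line)
        if parent in WINDOWS_ROOTS:
            return Finding(section, "suspicious", "executable sits directly in the Windows root", line)
        if parent.startswith(WINDOWS_ROOTS):
            return Finding(section, "review", "autostart inside the Windows tree; confirm it is a known component", line)
        return Finding(section, "ok", "autostart from an application directory", line)

    if m := O16_RE.match(line):
        host = urlparse(m["url"]).hostname or ""
        if not any(host == d or host.endswith("." + d) for d in TRUSTED_DPF_DOMAINS):
            return Finding(section, "review", f"ActiveX package from untrusted site {host}", line)
        return Finding(section, "ok", "ActiveX package from a trusted site", line)

    return Finding(section, "ok", "no heuristic matched", line)


def triage(log_text: str) -> list[Finding]:
    """Classify every non-blank line of a HijackThis log."""
    return [classify(ln) for ln in log_text.splitlines() if ln.strip()]


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per verdict, e.g. {"ok": 3, "orphan": 3, "suspicious": 3, "review": 2}."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.verdict:<10} {f.section:<4} {f.reason}")
    print(summary(triage(SAMPLE_LOG)))
```

    Run against the sample, the three "(no file)"/"(file missing)" lines come out as orphans, the hosts redirect and the two executables in C:\WINNT (one of them under the "SvcH0st" lookalike) come out as suspicious, and elitehlk32.exe in system32 plus the accesoplugin .cab come out as "review", which matches what the helper asked the poster to fix or delete. Orphans are checked before anything else because a Run or BHO entry with no file behind it is harmless to remove regardless of where it pointed.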
     
  10. kenneth

    kenneth Private E-2

    Thank you so much, I think we've got it.
     
  11. TheOldThug

    TheOldThug First Sergeant

    You're welcome.

    Unless I missed something I think you are clean. You should check this out now: How to Protect yourself from malware!

    If everything seems to be working OK then turn system restore back on.
     
  12. TheOldThug

    TheOldThug First Sergeant

    Glancing through it one last time, I do question this line. Are you familiar with it?
    I see in some other posts it has been removed. Most O16s can be removed since they can be D/L again if necessary.

    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
     
  13. kenneth

    kenneth Private E-2

    I know what that is, well, sort of. It's a Flash-like controller downloaded from Nickelodeon to play some of their online games. Thank you once again for your help, and thanks to all for the site. I've used the information here countless times to battle spyware and it's been a great help. This was the first time I couldn't get by just reading, and your help pulled me through. Much respect
     