Status: Solved

PopUps Will Not Stop - eliteycn32.exe causing the problem?

I've run MS Antispy, Spybot S&D, Adaware, and SpySubtract.  I've pasted my log file from HijackThis into http://www.hijackthis.de/index.php?langselect=english.  After I remove "eliteycn32.exe" the system seems calm and the popups stop.  When I reboot, it (or something else) seems to reinstall itself and the popups are back.  I'm on a corporate server behind a firewall.  

Any suggestions?

Logfile of HijackThis v1.99.1
Scan saved at 8:08:46 AM, on 4/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\atiptaxx.exe
C:\WINNT\system32\pctspk.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\MAILFR~1\mantispm.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sfgate.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sfgate.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\eliteycn32.exe
O4 - HKCU\..\Run: [Matador] "C:\PROGRA~1\MAILFR~1\mantispm.exe" -quiet
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = graniterock.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = graniterock.corp
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = graniterock.corp
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe

Asked by Pauldude

rossfingal commented:
Hi!

Try this "Elitebar" Fix -
http://www.softpedia.com/progDownload/EliteToolbar-Remover-Download-18774.html

Restart your computer.
Then do the following:

With all browser windows closed - run HijackThis and
copy and paste the log file into the Analysis site here:
http://www.hijackthis.de/en

Click on the "Analyze" button; and when the analysis is done -
Click on the "Save Analysis" button -
A page will be generated with your saved analysis -
Post a LINK to that page back here.

Please, do not post your log file here!

We'll take a look at it!  :)

Good luck!
RF
 
Pauldude (author) commented:
RF,

Thanks for the post, sorry about the log.  Ran EliteToolbar Remover, but it did not find anything (I ran it in the normal mode, not safe mode, is that right?).  Popups still occur, but not as often.  The link to the HijackThis analysis is:

http://www.hijackthis.de/logfiles/9c77e635822af1f758542c4dc98e51c3.html
 
rossfingal commented:
Hi!

I'm looking at your log file right now.
If you don't hear from me soon, it's because we're having Internet connectivity problems.  :(
Be back soon!

RF
 
craziest commented:
Hi paul,
Please download SpywareBlaster. This helps block most popups. Are you using any type of popup blocker?
If not, try and download one. I advise you to download Google Toolbar; it works perfectly for me. But before that, download SpywareBlaster. Here is the link:
http://www.javacoolsoftware.com/spywareblaster.html
Let me know the results. Thanks
 
rossfingal commented:
Hi!
You should copy and paste these instructions into Notepad - you're going to go into "safe" mode -
might be good to have them handy.
Make sure "Show all Files and Folders", including hidden and system, is enabled.
Turn off "System Restore"

Click on "Start" - click on "Run" - in the run box, type "services.msc" (without quotes)
Scroll through the list of "Services"  and look for this:
System Startup Service  (SvcProc)
This is not a valid "Service" - it's "Malware"
Stop it, then disable it..

Run Task Manager and look for anything related to "Etb", "Elite", "Svc", SvcProc", etc. -
"Kill" any that you find.
If you're not sure about anything - post what it is back here.

With all browser windows closed -
Run HijackThis and fix the following:

O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\eliteycn32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe

Clean out all your "temp" files -
# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
  <=This will delete all your cached internet content including cookies.
  This is recommended and strongly suggested!
    However, if you delete all your cookies - this can affect your stored Internet passwords
    and your ability to logon automatically to various sites.
    So, consider deleting all your cookies - optional
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)

Empty your "Recycle Bin".

Restart your computer into "Safe" mode -
press the F8 key, repeatedly as soon as your computer begins to start -
then, choose "Safe Mode" from the menu.

Do the same thing with Task Manager and "services.msc" - that you did above -
to make sure that none of this stuff is running.
If it is - "Kill" it or "Disable" it.

Search your entire computer for anything related to -
"ETBrun", "Elite", "Elitebar", "Elitum", eliteycn32.exe, elitemgr32.exe, etc.
Check the "system32", "dllcache" and "Prefetch" folders.
Delete all that you find - files, as well as Folders.
Do the same for svcproc.exe
Unsure about anything - just ask!

Clean out all your "temp" files.

Empty the "Recycle Bin".

Restart your computer into "normal" mode.

Run HijackThis again -
Run your log through the Analysis site -
Post a LINK to your HJT log file back here.

Question/problems? - let us know!
RF
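Putting the triage above into code, as an added example that is not part of this thread and not a HijackThis feature: the script below parses the persistence-related lines of a HijackThis log (O4 Run keys, O20 Winlogon Notify, O23 services), scores each entry with the same signals rossfingal used (name fragments such as "etb", "elite" and "svcproc"; a binary dropped directly in C:\WINNT rather than System32 or Program Files; a service with no vendor string; a Run value name that has nothing to do with its file name) and orders the fixes so the service is dealt with before the Run key. That ordering matters because a running service can re-create the Run entry, which is the likely reason the popups returned after every reboot. The sample log lines are copied from the question; the indicator list, the weights and the threshold are this example's assumptions and would normally come from a vendor write-up and your own baseline.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the persistence-related lines (O4 Run keys, O20 Winlogon
# Notify, O23 services) copied from the HijackThis log posted in the question.
# Two of them are the entries the thread identified as the infection; the rest
# are legitimate and are included to show that the scoring leaves them alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\eliteycn32.exe
O4 - HKCU\..\Run: [Matador] "C:\PROGRA~1\MAILFR~1\mantispm.exe" -quiet
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
"""

# Name fragments the thread associates with this infection. Assumption: in
# practice this list comes from a vendor write-up, not from a single log.
INDICATORS = ("etb", "elite", "svcproc")

RE_O4 = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
RE_O23 = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

# Fix services first: a running service can re-create the Run key that
# HijackThis removes, which is how an entry "comes back" after a reboot.
FIX_ORDER = {"O23": 0, "O20": 1, "O4": 2}


@dataclass
class Entry:
    line: str                 # original HijackThis line, the thing you tick to "fix"
    kind: str                 # "O4", "O20" or "O23"
    label: str                # Run value name, notify package or service display name
    owner: str                # O23 vendor field; "" for other kinds
    path: str                 # executable path with quotes and arguments removed
    score: int = 0
    reasons: list[str] = field(default_factory=list)


def exe_path(value: str) -> str:
    """Strip surrounding quotes and trailing arguments from a Run/service value."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.index('"', 1)]
    m = re.match(r"^(.+?\.(?:exe|dll|com|scr))(?:\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value


def parse(log: str) -> list[Entry]:
    """Pick the autostart-related lines out of a HijackThis log."""
    entries: list[Entry] = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := RE_O4.match(line):
            entries.append(Entry(line, "O4", m.group(2), "", exe_path(m.group(3))))
        elif m := RE_O20.match(line):
            entries.append(Entry(line, "O20", m.group(1), "", exe_path(m.group(2))))
        elif m := RE_O23.match(line):
            label = re.sub(r"\s+", " ", m.group(1)).strip()
            entries.append(Entry(line, "O23", label, m.group(2), exe_path(m.group(3))))
    return entries


def score(entry: Entry) -> Entry:
    """Weights are this example's assumption; tune them against your own baseline."""
    folder, _, name = entry.path.lower().rpartition("\\")
    stem = name.rsplit(".", 1)[0]
    label = entry.label.lower()
    for ind in INDICATORS:
        if ind in name or ind in label:
            entry.score += 3
            entry.reasons.append(f"name matches indicator '{ind}'")
            break
    # Legitimate binaries live in System32 or Program Files; one sitting
    # directly in C:\WINNT (or C:\Windows) deserves a second look.
    if re.fullmatch(r"[a-z]:\\(winnt|windows)", folder):
        entry.score += 2
        entry.reasons.append("binary sits in the Windows root directory")
    # Weak on its own: the ATI service in the same log is also "Unknown owner".
    if entry.owner.lower() == "unknown owner":
        entry.score += 1
        entry.reasons.append("service reports no vendor")
    if entry.kind == "O4" and stem not in label and label not in stem:
        entry.score += 1
        entry.reasons.append("Run value name unrelated to file name")
    return entry


def remediation_plan(log: str, threshold: int = 3) -> list[Entry]:
    """Entries at or above the threshold, ordered so services go before Run keys."""
    flagged = [e for e in map(score, parse(log)) if e.score >= threshold]
    return sorted(flagged, key=lambda e: FIX_ORDER[e.kind])


if __name__ == "__main__":
    for e in remediation_plan(SAMPLE_LOG):
        print(f"[{e.score}] {e.line}\n      {'; '.join(e.reasons)}")
```

Run against the sample, the plan contains exactly the two lines rossfingal told Pauldude to fix, with the SvcProc service first. The ATI service is also "Unknown owner" but scores only 1, which is why that signal alone is not enough to act on. After the cleanup, the same script on the fresh log should return an empty plan.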
 
Pauldude (author) commented:
Problem solved.  Not sure which step did it, but they're gone.  Thank you.  
 
rossfingal commented:
Hi!

Glad to hear it!
Here are some tips, to reduce the potential for spyware infection in the future -

    * Spywareblaster <= SpywareBlaster will prevent spyware from being installed -
      http://www.javacoolsoftware.com/spywareblaster.html
    * Spywareguard <= SpywareGuard offers realtime protection
      from spyware installation attempts.
      http://www.wilderssecurity.net/spywareguard.html
    * How to use Ad-Aware to remove Spyware
      <= If you suspect that you have spyware installed on your computer,
      here are instructions on how to download, install and then use Ad-Aware.
      http://www.bleepingcomputer.com/forums/index.php?showtutorial=48
    * How to use Spybot to remove Spyware
      <= If you suspect that you have spyware installed on your computer,
      here are instructions on how to download, install and then use Spybot.
      Similar to Ad-Aware, I strongly recommend both to catch most spyware.
      http://www.bleepingcomputer.com/forums/index.php?showtutorial=43
    * Run CWShredder - to remove numerous variants of {KoolWebSearch}
        {CWShredder - "stand-alone"} - http://cwshredder.net/bin/CWShredder.exe

To protect yourself further:

    * IE/Spyad <= IE/Spyad places over 4000 websites and domains
      in the IE Restricted list
      which will severely impair attempts to infect your system.
      It basically prevents any downloads (Cookies etc) from the sites listed,
      although you will still be able to connect to the sites.
      https://netfiles.uiuc.edu/ehowes/www/resource.htm
    * MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file
      with one containing well-known ad sites etc.
      Basically, this prevents your computer from connecting to those sites
      by redirecting them to 127.0.0.1 which is your local computer
      http://mvps.org/winhelp2002/hosts.htm
    * Google Toolbar <= Get the free Google Toolbar to help stop pop-up windows.
      http://toolbar.google.com/

I also suggest that you delete any files from "temp", "tmp" folders.
In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files"
and select the box that says "Delete All Offline Content" and click on "OK" twice.
Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin".
These steps should be done on a regular basis.

And also see TonyKlein's good advice
So how did I get infected in the first place?
http://forums.net-integration.net/index.php?showtopic=3051

Good luck!
RF

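On the HOSTS-file tip above, an added example (not from this thread and not from the MVPS project) showing how the blocking mechanism actually behaves and its main limit: the file is a table of exact hostnames, so the lookup is an exact string match and a subdomain of a listed name is not covered, which is something to keep in mind before relying on it as a pop-up defence. The file contents and the hostnames below are constructed.

```python
from __future__ import annotations

# Constructed sample in the layout the MVPS file uses: a comment header, then
# "127.0.0.1 hostname" lines. Later releases use 0.0.0.0 instead; both are
# treated the same here. The hostnames are made up.
SAMPLE_HOSTS = """\
# This MVPS HOSTS file is a free download from: http://winhelp2002.mvps.org/
127.0.0.1   localhost
127.0.0.1   ads.example-adserver.test      # banner server
127.0.0.1   tracker.example-analytics.test
0.0.0.0     popups.example-elitebar.test
"""

# Addresses that turn a name into a dead end instead of a real server.
BLACKHOLE = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname to its address, ignoring comments and blank lines."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table[name.lower()] = addr
    return table


def is_blocked(table: dict[str, str], host: str) -> bool:
    """HOSTS lookups are exact-name matches: 'ads.x' in the file says nothing
    about 'cdn.ads.x'. (localhost legitimately maps to loopback, so exclude it.)"""
    host = host.lower().rstrip(".")
    return host != "localhost" and table.get(host) in BLACKHOLE


def uncovered(table: dict[str, str], observed: list[str]) -> list[str]:
    """Hostnames seen in traffic (say, from a proxy log) that the file misses."""
    return [h for h in observed if not is_blocked(table, h)]


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    seen = ["ads.example-adserver.test",
            "cdn.ads.example-adserver.test",
            "POPUPS.example-elitebar.test"]
    print("not blocked:", uncovered(table, seen))
```

The `uncovered` check is the useful part in practice: feed it the hostnames a proxy or browser log shows the popups coming from, and anything it returns is a name the HOSTS file will not stop.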
 
rossfingal commented:
Hi!

Here's some information on closing a question:
http://www.experts-exchange.com/help.jsp#hs5

Cheers!
RF