0

Well I wanted to connect my other pc (music studio pc) to the LAN and it connected to the net aswell which installed a "Click Me" software...I tried to uninstall and figured out that it ain't the normal software you can uninstall...
Anyhow I searched the site and found a theard about the Click Me but it didn't help me since the HiJackThis log is different...
Here's the log from the other pc:

Logfile of HijackThis v1.99.0
Scan saved at 1:40:22 AM, on 5/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Global Divison\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Service Drivers] msnpg.exe
O4 - HKLM\..\Run: [iassvcs] iassvcs.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteewt32.exe
O4 - HKLM\..\Run: [HELPER] C:\WINDOWS\System32\israel.exe -N
O4 - HKLM\..\RunServices: [Service Drivers] msnpg.exe
O4 - HKLM\..\RunServices: [iassvcs] iassvcs.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Service Drivers] msnpg.exe
O4 - HKCU\..\RunServices: [Service Drivers] msnpg.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115136999201
O23 - Service: Acronis Scheduler2 Service - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ASUS Keyboard Service - ASUSTeK COMPUTER INC. - C:\WINDOWS\ASUSKBService.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe

Can you guys please help me out in this? I really don't have a clue on what to check in HJT to fix and what files to delete and all that...
One more request, if you can explain how do I make the pc connect only to the LAN and not to the Internet aswell when I connect it to the router I would be greatfull.

Thank you so much!

2
Contributors
8
Replies
9
Views
12 Years
Discussion Span
Last Post by crunchie
0

I've just read "Helping yourself: What to do before starting a new thread or posting a HiJackThis log" and still can't really understand what should I do with that "Click Me" thing...And I'm afraid to touch anything that might cause me to lose crutial data cause of the pc being a music studio pc.
I really appreciate the time and effort and I hope I'm not annoying anyone with the questions.
Thanks again,
Barak.

0

Barak,

Hi and welcome to the Daniweb forums :).

-

Please go here and have this file scanned.

C:\WINDOWS\System32\israel.exe

Post the results back here.

===============

Download, then unzip to "C:\HJT", the newest version of HiJackThis; version 1.99.1. Then repost your log, either now, or after following the steps in the solution (if provided in this post). This version has features that might be more helpful in 'cleaning' up your system.

===============

Go to www.trendmicro.com, and then:

1. Click "Free Online Scan".
2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's down:

1. Select all available drives.
2. Check(tick) "Auto Clean".
3. Click "Scan".

When it completes, post back the full filename of any files that cannot be cleaned or deleted.

===============

Go to Add/Remove programs and remove(uninstall) the following, if present:

Elite Toolbar

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.

===============

Run HiJackThis, click "Scan", then check(tick) the following, if present:


O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll

O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll

O4 - HKLM\..\Run: [Service Drivers] msnpg.exe
O4 - HKLM\..\Run: [iassvcs] iassvcs.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteewt32.exe
O4 - HKLM\..\RunServices: [Service Drivers] msnpg.exe
O4 - HKLM\..\RunServices: [iassvcs] iassvcs.exe
O4 - HKCU\..\Run: [Service Drivers] msnpg.exe
O4 - HKCU\..\RunServices: [Service Drivers] msnpg.exe

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure your able to "view system and hidden files/ folders:"

folders...

C:\WINDOWS\EliteToolBar

Search for...

msnpg.exe
iassvcs.exe

...using "Start | Search...".

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting your PC, rescan with hijackthis and post a new log.
Let me know how things are now.

0

Barak,

Hi and welcome to the Daniweb forums :).

-

Please go here and have this file scanned.

C:\WINDOWS\System32\israel.exe

Post the results back here.

Thanks, glad to be here. :)
Well, I'm 99% sure israel.exe is a part of it since it got the same Icon but I will give it a try if I can since this Click Me thing is closing every application I open, from HJT to Task Manger, Add Remove and about everything I know.
I'll try to log in in Safe Mode with communication.
Thanks for the help and I'll give it a try as soon as possibale since I got to go to school :eek: hehe.
Thanks again,
Barak.

0

Hi,
Finally back from school, now I can work on this.
Here are the results you asked for -
I scanned Israel.exe and got the following:
File: israel.exe
Status: INFECTED/MALWARE (Note: only non-destructive malware has been found. Considering the non-destructive nature of samples like these - although they can be a pain -, results will not be stored in the database.)
MD5 246e0a3b4e473835809860eed98ff036
Packers detected: -
Scanner results
AntiVir Found DIAL/Generic dialer
Avast Found Win32:Dialer-360
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found Dialer-300
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found not-a-virus:RiskWare.Dialer.PlayGames.c
mks_vir Found nothing
NOD32 Found probably unknown NewHeur_PE (probable variant)
Norman Virus Control Found nothing
VBA32 Found nothing

From that I understood that it is a virus...
Now I'm scanning the rest of the pc with Trend Micro, found 7 infected files (all sorts of trojans, worms and etc'), all got deleted. I don't know if it's supposed to happen but the pc restarted on it's on after deleting them. I'll rescan just to make sure it worked right.
Ok, think all is back to normal except I got "Elite Tool Bar Remove" in the Add/Remove window and I can't remove it from there.
The HJT log looks ok now. Noting weird except HouseCall but that's the Trend Micro anti virus if I'm not mistaking. I'm afraid to get the log in here cause I don't want to connect that pc to the net again. Though I copied it, hehe, and here it is:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115136999201
O23 - Service: Acronis Scheduler2 Service - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ASUS Keyboard Service - ASUSTeK COMPUTER INC. - C:\WINDOWS\ASUSKBService.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe

Thanks a lot for the help, I really appreciate it and if I can thank you in anyway just say so.
Barak.

0

Hi Barak :). You only posted half the log :D. What is there looks ok, but I will need to see the rest.


Click Start > Run > Type or copy & paste regedit. The registry editor will open.
Then go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and delete the Elite Tool Bar Remove entry in the right hand pane.

Set a system restore point first, or back up that section of the registry.

0

Well I'm still afraid to log it to the LAN since it logs it to the Internet aswell and I don't know how to cancel that (Anychance you know?), but I took a cd, burned the log and moved it here.
Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 1:45:45 PM, on 5/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\ASUSKBService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\ALCMTR.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\ctfmon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1115136999201
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: ASUS Keyboard Service (ASUSKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ASUSKBService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

Seems ok?
Thanks a lot,
Barak.

0

Oh yea and I forgot to mention, I did a back up to the C drive with an image (the software is called Acronis) but I thought it ain't that big of a deal to call an image for. :P

0

Congratulations! Your log looks clean - good work!

===============

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.

Install and keep updated, Ad-Aware SE, and Spybot S&D.
Run them both on a regular basis, following the manufacturer's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Clear your Temp folders.
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.

Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

-

If you have any more problems, post back.

-

Happy surfing,

crunchie.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.