Jump to content


Photo

Request help:removing weba and elitebar


  • Please log in to reply
5 replies to this topic

#1 barata

barata

    Member

  • New Member
  • Pip
  • 3 posts

Posted 22 July 2004 - 06:43 AM

Hi,

I have a problem in removing weba.directwebsearch startpage and EliteBar for Internet explorer. I have read several postings both question and solution regarding weba, but honestly, since I am not really good at spyware busting, I do not dare to (experimentally) fix this problem. I have run adware, cwshredder and hijackthis anti-spyware.

Two points that I am wondering; one is everytime I run CWshredder, the EliteBar for IE is re appeared, (I removed this earlier using Hijackthis), and second, from what I read from past posting regarding weba, each suggested solution involved in deleting/fixing this winupdate

O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe

Again since I am really new at this, I dare not to say or speculate anything regarding this, but hopefully it can help a bit in answering my problem. Below is my logfile from hijackthis, hopefully someone can help me to fix this problem. Thank you in advance.


Logfile of HijackThis v1.98.0
Scan saved at 4:20:34 AM, on 7/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Antispyware\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://weba.directwe...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://weba.directwe...net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://weba.directwe...net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://weba.directwe...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://weba.directwe...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://weba.directwe...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://weba.directwe...net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://weba.directwe...net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://weba.directwe...net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://weba.directwe...net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://weba.directwe....net/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://weba.directwe...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://weba.directwe...net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://weba.directwe...net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://weba.directwe...net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = res://msaps.dll/index.html
O1 - Hosts: 69.31.79.101 auto.search.msn.com
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\ELITEB~2.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{A5C1A743-7DF4-4579-960C-225B885B644A}: NameServer = 206.13.29.12 206.13.30.12

#2 12g

12g

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,167 posts

Posted 22 July 2004 - 02:11 PM

Hi there,

I need you to do this first;

Go Start>Control Panel>Add/Remove Programs, Remove any instance of, if it shows;

EliteBar

Next;

Make sure all browsers and windows are closed except for hijackthis and put a check against the following and click 'fix checked';


R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://weba.directwe...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://weba.directwe...net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://weba.directwe...net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://weba.directwe...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://weba.directwe...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://weba.directwe...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://weba.directwe...net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://weba.directwe...net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://weba.directwe...net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://weba.directwe...net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://weba.directwe....net/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://weba.directwe...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://weba.directwe...net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://weba.directwe...net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://weba.directwe...net/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = res://msaps.dll/index.html

O1 - Hosts: 69.31.79.101 auto.search.msn.com<<<<This is not MSN, fix it


O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81C3A} - C:\WINDOWS\EliteBar\ELITEB~2.DLL


O4 - HKLM\..\Run: [winupd] C:\WINDOWS\System32\winupd.exe


Restart your computer in
Safe Mode Also make sure you show hidden files Then delete the following files or folders as indicated below if they still show:

Not all or any of these may still show,


C:\WINDOWS\EliteBar\ELITEB~2.DLL<<<<Folder
C:\WINDOWS\System32\winupd.exe<<<<File


Reboot, then post a fresh logfile so that I can check to see if it is clean.

#3 barata

barata

    Member

  • New Member
  • Pip
  • 3 posts

Posted 22 July 2004 - 03:16 PM

Hi 12g,

First, I really want to thank you for your fast reply. I really appreciate your time and effort you spent to help me. I have followed your advice step by step completely, and it seems the problems do not exist anymore (the brower returned to the homepage that I set originally). Below is my new hijackthis logfile for your review, thank you.


Logfile of HijackThis v1.98.0
Scan saved at 1:07:49 PM, on 7/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\MATLAB6p1\webserver\bin\win32\matlabserver.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Digital Line Detect\DLG.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Antispyware\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

#4 12g

12g

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,167 posts

Posted 22 July 2004 - 03:21 PM

Hi there


You are very welcome :wave:


Your log is clean now, to help keep it free from further abuse, please do this;


To provide future protection - I would advise you to download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies. Download from Here

IE-SPYAD puts over 5000 sites in your restricted zone, if you use IE, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Download
Here

Both are very small free programs that you run once, and then just weekly to check for updates.

And also see
So how did I get infected in the first place?

#5 barata

barata

    Member

  • New Member
  • Pip
  • 3 posts

Posted 22 July 2004 - 04:05 PM

Hi 12g,

Again my sincere thank you for all your help and your advice. I also thank you for your humble offer to recheck my new logfile. I am really gratefull to be able to get help as fast and effective as this. My warm regards.

Barata :lol: :lol: :lol:

#6 12g

12g

    Forum Deity

  • Trusted Advisor
  • PipPipPipPipPip
  • 1,167 posts

Posted 22 July 2004 - 04:06 PM

Hi 12g,

Again my sincere thank you for all your help and your advice. I also thank you for your humble offer to recheck my new logfile. I am really gratefull to be able to get help as fast and effective as this. My warm regards.

Barata :lol: :lol: :lol:

Glad we could help you :wave:




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button