SoftwareTipsandTricks Forum
Help with removal of desktop.exe and elite toolbar

#1
03-12-2005, 03:23 PM
needhelpplz
Registered User
Join Date: Mar 2005
Posts: 1

Can someone please help me determine how to remove the desktop search bar and the Elite toolbar. I have run an Ad-Aware scan and a Spybot scan. Below is my HJT log file.
Thanks, Brandon

Logfile of HijackThis v1.99.1
Scan saved at 1:35:53 PM, on 3/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\hkcmd.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\IUInfoClient\Blabber.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\wsxsvc\wsxsvc.exe
C:\WINNT\system32\winupdt.exe
C:\WINNT\system32\objmovie.exe
C:\winnt\system32\msnavc32.exe
C:\WINNT\system32\osigeepm.exe
C:\WINNT\isrvs\desktop.exe
C:\WINNT\system\scog.exe
C:\WINNT\system32\?hkdsk.exe
C:\WINNT\system32\nv4onf.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
C:\WINNT\system32\Tpws.exe
C:\WINNT\system32\PiwUU.exe
C:\Documents and Settings\Owner\Desktop\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar.dll
O2 - BHO: (no name) - {6AA66C12-AB8E-8C50-87EA-830A7279A699} - C:\WINNT\system32\ktffw.dll
O2 - BHO: (no name) - {A381310E-25C7-1586-7EEB-AEE0C9893617} - C:\WINNT\system32\xeqjdgrc.dll
O2 - BHO: (no name) - {B74A3D53-38F5-11B5-5455-02C9A19181BF} - C:\WINNT\system32\vbwtefad.dll
O2 - BHO: (no name) - {D8B09EF3-6298-4041-A329-321EFD14916D} - C:\WINNT\system32\pbursvfy.dll (file missing)
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Blabber] C:\Program Files\IUInfoClient\Blabber.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\system32\RirZr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ITNow] C:\Program Files\Indiana University\ITnow Client\ITNow.exe /nosplash /min
O4 - HKLM\..\Run: [b3866f0c720b] C:\WINNT\System32\browselc.exe
O4 - HKLM\..\Run: [Windows Media Player] wmediaplayer.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Dvx] C:\WINNT\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe
O4 - HKLM\..\Run: [zvmcmnci] c:\winnt\system32\zvmcmnci.exe
O4 - HKLM\..\Run: [778g3sQ] objmovie.exe
O4 - HKLM\..\Run: [App32dll] C:\winnt\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteukr32.exe
O4 - HKLM\..\Run: [osigeepm] C:\WINNT\system32\osigeepm.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [msw] C:\Documents and Settings\All Users\Application Data\msw\MSW.exe
O4 - HKLM\..\RunServices: [Windows Media Player] wmediaplayer.exe
O4 - HKLM\..\RunServices: [Kaspersky Antivirus] KasperskyAV.exe
O4 - HKCU\..\Run: [MSCVT] C:\Windows\MSCVT.exe
O4 - HKCU\..\Run: [OVCKPY] C:\WINNT\QDUSJ.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Ltho] C:\Documents and Settings\Owner\Application Data\dees.exe
O4 - HKCU\..\Run: [Mwakcesm] C:\WINNT\system32\?hkdsk.exe
O4 - HKCU\..\Run: [MwrmRic2h] nv4onf.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\Kodak Software Updater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0033.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINNT\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINNT\system32\msrdim.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: hndlqghhbwfh (vdeqnhnu6) - Unknown owner - C:\WINNT\system32\eeqxaxtv6.exe (file missing)

#2
03-12-2005, 05:52 PM
Cache
ST&T Secret Police
Join Date: Jun 2004
Location: UK
Posts: 616
OK, first I'm going to ask you to put the spyware aside for a while, as you have more nasty items in your log.

You seem to be infected with a variant of the W32/RBOT-PL worm, either RBOT-PL or RBOT-FP, and maybe also Dloader-HW and W32.HLLW.Slideshow.

Please update your antivirus and run a full system scan. After that, run the online scans below:

http://housecall.trendmicro.com/
and
http://www.windowsecurity.com/trojanscan/

Next, download CWShredder from the link below:

http://www.intermute.com/spysubtract..._download.html

Next, update CWShredder, Spybot and Ad-Aware; also download the VX2 Cleaner plugin for Ad-Aware from the link below and install it:

http://www.lavasoftusa.com/software/...2cleaner.shtml

Next, run a full scan with all three programs (CWShredder, Ad-Aware and Spybot); also make sure you run a scan with the VX2 plugin in Ad-Aware.

When you have done all the above, run HJT again and post a new log.

Just so you know, the things that are either known nasties or at least very suspicious in your log are:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - Default URLSearchHook is missing
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar.dll
O2 - BHO: (no name) - {6AA66C12-AB8E-8C50-87EA-830A7279A699} - C:\WINNT\system32\ktffw.dll
O2 - BHO: (no name) - {A381310E-25C7-1586-7EEB-AEE0C9893617} - C:\WINNT\system32\xeqjdgrc.dll
O2 - BHO: (no name) - {B74A3D53-38F5-11B5-5455-02C9A19181BF} - C:\WINNT\system32\vbwtefad
O2 - BHO: (no name) - {D8B09EF3-6298-4041-A329-321EFD14916D} - C:\WINNT\system32\pbursvfy.dll (file missing)
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar.dll
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\system32\RirZr.exe
O4 - HKLM\..\Run: [b3866f0c720b] C:\WINNT\System32\browselc.exe
O4 - HKLM\..\Run: [Dvx] C:\WINNT\System32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINNT\system32\winupdt.exe
O4 - HKLM\..\Run: [zvmcmnci] c:\winnt\system32\zvmcmnci.exe
O4 - HKLM\..\Run: [778g3sQ] objmovie.exe
O4 - HKLM\..\Run: [App32dll] C:\winnt\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [antiware] C:\winnt\system32\eliteukr32.exe
O4 - HKLM\..\Run: [osigeepm] C:\WINNT\system32\osigeepm.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
O4 - HKCU\..\Run: [MSCVT] C:\Windows\MSCVT.exe
O4 - HKCU\..\Run: [OVCKPY] C:\WINNT\QDUSJ.exe
O4 - HKCU\..\Run: [Ltho] C:\Documents and Settings\Owner\Application Data\dees.exe
O4 - HKCU\..\Run: [Mwakcesm] C:\WINNT\system32\?hkdsk.exe
O4 - HKCU\..\Run: [MwrmRic2h] nv4onf.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {EB623776-492A-42CA-9571-3AA39F58530B} - http://www.alwaysupdatednews.com/install/aun_0033.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: hndlqghhbwfh (vdeqnhnu6) - Unknown owner - C:\WINNT\system32\eeqxaxtv6.exe (file missing)

But I suggest you follow the instructions above and post a new log before you fix anything using HJT if you don't know what you're doing.

Last edited by cache : 03-12-2005 at 05:54 PM.
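The entries Cache singles out above share a few recognisable patterns: autorun values with random-looking names, commands with no path at all, a `?` where HijackThis could not render a character in a file name, the O15 zone downgrade, the O18 text/html filter, and a service with an unknown owner and a missing binary. The script below, added here as an illustration and not part of the thread or of HijackThis, codifies those patterns as a first-pass triage over HJT-format log lines (the sample lines are a cut-down, constructed subset of the poster's log):

```python
import re
# Constructed sample in HijackThis v1.99 format, cut down from the thread's log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\system32\RirZr.exe
O4 - HKLM\..\Run: [Windows Media Player] wmediaplayer.exe
O4 - HKCU\..\Run: [Mwakcesm] C:\WINNT\system32\?hkdsk.exe
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
O23 - Service: hndlqghhbwfh (vdeqnhnu6) - Unknown owner - C:\WINNT\system32\eeqxaxtv6.exe (file missing)
"""
VOWELS = set("aeiouAEIOU")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")

def looks_random(name):
    # Generated-looking names: letters mixed with digits, or a long run with almost no vowels.
    letters = [c for c in name if c.isalpha()]
    if letters and any(c.isdigit() for c in name) and len(name) >= 8:
        return True
    return len(letters) >= 6 and sum(c in VOWELS for c in letters) / len(letters) < 0.2

def first_path(command):
    # Executable part of an O4 command line, quoted or bare.
    command = command.strip()
    return command[1:command.find('"', 1)] if command.startswith('"') else command.split(" ")[0]

def triage(log_text):
    """Return (line, reason) pairs for entries that deserve a closer look."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := O4_RE.match(line):
            value, path = m.group(3), first_path(m.group(4))
            stem = path.rsplit("\\", 1)[-1].split(".")[0]
            if "\\" not in path:
                findings.append((line, "autorun with no path; binary resolved via the search path"))
            elif "?" in path:
                findings.append((line, "unrenderable character in file name; lookalike of a system file"))
            elif looks_random(value) or looks_random(stem):
                findings.append((line, "random-looking autorun name"))
        elif m := O23_RE.match(line):
            name, owner, path = m.groups()
            if "Unknown owner" in owner or "(file missing)" in path or looks_random(name.split(" ")[0]):
                findings.append((line, "service with unknown owner, missing binary or random name"))
        elif line.startswith("O15 - ProtocolDefaults"):
            findings.append((line, "HTTP mapped to My Computer zone; IE security lowered"))
        elif line.startswith("O18 - Filter: text/html"):
            findings.append((line, "MIME filter on text/html; can rewrite every page IE renders"))
    return findings
```

The heuristics produce leads, not verdicts: the ccApp line passes because its name and full path look normal, while the poster's ScsiAccess service would also be reported for its unknown owner and would need checking by hand.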

#3
03-12-2005, 11:19 PM
Twizty
Registered User
Join Date: Jan 2005
Posts: 14
I had this same problem with the desktop.exe; turns out I had the Bube.d virus.

You have to download Kaspersky Anti-Virus; it's the only prog so far that deletes the worm. But it installs so much malware that even removing it may still screw your PC up, so I had to do a fresh install of XP... but w/e you feel like doing.

#4
03-13-2005, 06:20 AM
Cache
ST&T Secret Police
Join Date: Jun 2004
Location: UK
Posts: 616
Here is something I missed first time around:

O4 - HKLM\..\Run: [Windows Media Player] wmediaplayer.exe
O4 - HKLM\..\RunServices: [Windows Media Player] wmediaplayer.exe

The above indicates that you also have the W32/Agobot-NQ worm.

Basically, your computer is completely plagued with viruses, adware, spyware and just about every variety of infection going. It may well be an easier task to reformat and re-install your OS, rather than spending hours trying to tackle all these infections.

Regarding Bube.d (aka Win32.Beavis), this is indeed something to look into, although I would expect to see a list as long as my arm in the trusted zone. However, your security settings for HTTP have been lowered, which may also be an indication of Bube.d. You should hope that Bube.d is not present, because it infects Explorer.exe, which makes it very nasty indeed.

You can download KAV from here:
http://www.kaspersky.com/index.html

Also, if you do have Bube.d, you may find you are blocked from the KAV site due to changes in the HOSTS file.

If so:
Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program

For more detailed information on Bube.d and its removal, see the link below:

http://computercops.biz/postt106277.html

Last edited by cache : 03-13-2005 at 07:01 AM.
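Cache's point about the HOSTS file is worth checking directly: malware that sinkholes vendor domains to 127.0.0.1 (or 0.0.0.0) silently breaks access to the very update and scanner sites the clean-up depends on. The audit below is an added example, not part of the thread and unrelated to the Hoster tool; the sample HOSTS content and the vendor keyword list are constructed for illustration (on XP the real file is %SystemRoot%\system32\drivers\etc\hosts):

```python
import ipaddress

# Constructed sample HOSTS file; a stock XP file contains only the localhost line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.kaspersky.com        # sinkholed: loops back to this machine
127.0.0.1       housecall.trendmicro.com
0.0.0.0         securityresponse.symantec.com
192.0.2.10      www.lavasoft.com         # redirected to a host the attacker chose
127.0.0.1       ads.example.invalid      # ordinary ad-blocking entry, not flagged
"""

# Assumed list of substrings identifying security-vendor and update hosts.
VENDOR_HINTS = ("kaspersky", "symantec", "trendmicro", "lavasoft", "safer-networking", "windowsupdate")

def parse_hosts(text):
    """Return (ip, hostname) pairs, ignoring comments, blank and malformed lines."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address; skip rather than guess
        entries.extend((str(addr), host.lower()) for host in fields[1:])
    return entries

def audit_hosts(text):
    """Flag vendor hosts that are sinkholed (loopback/unspecified) or redirected elsewhere."""
    findings = []
    for ip, host in parse_hosts(text):
        if host == "localhost" or not any(hint in host for hint in VENDOR_HINTS):
            continue
        addr = ipaddress.ip_address(ip)
        kind = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
        findings.append((host, ip, kind))
    return findings

if __name__ == "__main__":
    for host, ip, kind in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:10} {host} -> {ip}")
```

A "redirected" entry is the more serious finding: instead of merely failing, the vendor name resolves to a host under someone else's control, which is why a cleaned machine should have its HOSTS file restored to the stock localhost-only version before anything is downloaded.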