When we're done cleaning off your system, i'd
recommend that you install all the
critical windows updates available from
Microsoft, upto
service pack 2. This will help to make your system more secure and prevent many '
problems' from reoccuring in the future.
Run
HiJackThis and click "
Scan", then check(tick) the following, if present:
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
Thanks for your help, Steve. I followed your instructions, and this is the new HJT log.
Logfile of HijackThis v1.99.1 Scan saved at 4:24:53 PM, on 05/23/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000)
When you see a log with no security packs the first thing you think of is an illegal copy of Windows being run.
If you are running an illegal copy of Windows they don't let you get the service packs.
I don't fix systems that are not running legal software.
I just wasn't having a chat....
So here is the first part of the fix...
When you post back the new HJT log please also include the Product Key # for your OS. It can probobly be found on the side of the computer.
Thanks
Let's continue on with the fix...
-
Be sure to look this solution over before you begin. There are a some item(s) i'm not familar with. If you recognze any, then just omit them from this fix.
When we're done cleaning off your system, i'd
recommend that you install all the
critical windows updates available from
Microsoft, upto
service pack 1. This will help to make your system more secure and prevent many '
problems' from reoccuring in the future.
Run
HiJackThis and click "
Scan", then check(tick) the following, if present:
Now, with all windows closed except
HiJackThis, click "
Fix checked".
Locate and
delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:
files...
C:\windows\system32\elitedfg32.exe
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're '
in use', try deleting them from "
Safe Mode".
Post back a new log, and let me know how everything goes.
Steve
I preformed all the fixes you've instructed me to except for deleting elitedfg32.exe because it was not present.
My windows is fully legal, I was just unaware of the 'service packs' that were available, and my reason for not downloading them currently is because your instructing me not to. I have the product key for my OS, but I'm not sure if posting it here, to you, or anyone, is a good idea. I'm not sure if your a proper authority to give that information out to, and I am also unaware of the concequences of leaking that info into unwanted hands. Please explain how significant my giving that info out can be, and let me know if their is any other way to prove to you that my software is legit being that your making an assumption that it's not. I did just recently download the microsoft anti-spyware software from the microsoft website using my product key, among other things, if this is any help to you. I thank you for your time, and here is my current HJT log.
Scan saved at 6:29:16 PM, on 05/23/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Now, with all windows closed except
HiJackThis, click "
Fix checked".
Locate and
delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:
files...
C:\windows\system32\elitedfg32.exe
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're '
in use', try deleting them from "
Safe Mode".
Post back a new log, and let me know how everything goes.
Steve
...seems to keep coming up each time i run hijack this, even after using HJT to try to delete it. Also,
C:\windows\system32\elitedfg32.exe
is not present on my computer. I checked in the exact location and did a search for 'elitedfg32' with no luck. Here is my current HJT log. Thanks again for ur help...
Logfile of HijackThis v1.99.1
Scan saved at 3:23:46 PM, on 05/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
This is my normal post for when you are clear - which you now are - or seem to be. Please advise of any problems you still have :-
Here are some last minute instructions.
Download and run CleanUp and clean up all the junk we have left.
Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For an article on Firewalls and a listing of some available ones see the link below:
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here: Instructions for - Spybot S & D and Ad-aware
Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A article on anti-malware products with links for this program and others can be found here:
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
I followed your instructions and only had one problem. In safe mode, when I opened the fix.reg i was not prompted to add this to my registry. I saved the notepad document to my desktop. I went on to run 'winsock' anyway and just restarted my computer. It seems we got rid of the elitedfg32.exe line this time. I also haven't had any problems or pop-ups since restarting my computer (yet). How does it look? Thank you again for your time and effort.
Logfile of HijackThis v1.99.1
Scan saved at 6:13:43 PM, on 05/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Service packs, are major updates put out my M$ fixing weaknesses and securing your OS with entries that they didn't think of when XP was made.
As time went on, and hackers found weaknesses in the security of the OS, M$ would patch those weaknesses with critcal updates from their website. You should be checking for them regularly.
Service packs are MAJOR updates to your system. My suggestion is to call M$ on the phone and ask them to send you the disc for SP2. It's a big download, and this is much more convienent and I think a more stable way of installing this in your system.
It's free from M$ ....so just call their 1-800 number you get from directory assistance, it only takes about 1 week to arrive.
zbestwun2001
3 Apprentice
•
8.8K Posts
0
May 23rd, 2005 18:00
Message Edited by zbestwun2001 on 05-23-2005 12:11 PM
zbestwun2001
3 Apprentice
•
8.8K Posts
0
May 23rd, 2005 18:00
Let's continue on with the fix...
When we're done cleaning off your system, i'd recommend that you install all the critical windows updates available from Microsoft, upto service pack 2. This will help to make your system more secure and prevent many ' problems' from reoccuring in the future.
Run HiJackThis and click " Scan", then check(tick) the following, if present:
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.41optYplkOmji/SpySpotterCabInstall.cab
Now, with all windows closed except HiJackThis, click " Fix checked".
Post back a new log, and let me know how everything goes.
-
steve
Message Edited by zbestwun2001 on 05-23-2005 12:10 PM
zbestwun2001
3 Apprentice
•
8.8K Posts
0
May 23rd, 2005 19:00
You realize that you are running your OS without any Security Packs. You have neither SP1 or SP2.
Did you have a problem with the download?
Can I help you with that? Don't do it know but I was wondering why?
Steve
Toth52dt
9 Posts
0
May 23rd, 2005 19:00
Thanks for your help, Steve. I followed your instructions, and this is the new HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 4:24:53 PM, on 05/23/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Matt 1\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.254
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [C2kWep] C:\Program Files\Netopia\C3kWepN.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedfg32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116798195169
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
zbestwun2001
3 Apprentice
•
8.8K Posts
0
May 23rd, 2005 20:00
When you see a log with no security packs the first thing you think of is an illegal copy of Windows being run.
If you are running an illegal copy of Windows they don't let you get the service packs.
I don't fix systems that are not running legal software.
I just wasn't having a chat....
So here is the first part of the fix...
When you post back the new HJT log please also include the Product Key # for your OS. It can probobly be found on the side of the computer.
Thanks
Let's continue on with the fix...
-
Be sure to look this solution over before you begin. There are a some item(s) i'm not familar with. If you recognze any, then just omit them from this fix.
When we're done cleaning off your system, i'd recommend that you install all the critical windows updates available from Microsoft, upto service pack 1. This will help to make your system more secure and prevent many ' problems' from reoccuring in the future.
Run HiJackThis and click " Scan", then check(tick) the following, if present:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.254
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 216.19.0.250 idenupdate.motorola.com
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedfg32.exe
Now, with all windows closed except HiJackThis, click " Fix checked".
Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:
files...
C:\windows\system32\elitedfg32.exe
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're ' in use', try deleting them from " Safe Mode".
Post back a new log, and let me know how everything goes.
Steve
Toth52dt
9 Posts
0
May 23rd, 2005 20:00
Toth52dt
9 Posts
0
May 23rd, 2005 20:00
Toth52dt
9 Posts
0
May 23rd, 2005 21:00
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Matt 1\Desktop\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [C2kWep] C:\Program Files\Netopia\C3kWepN.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedfg32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116798195169
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Message Edited by Toth52dt on 05-23-2005 05:42 PM
zbestwun2001
3 Apprentice
•
8.8K Posts
0
May 23rd, 2005 22:00
-
Run HiJackThis and click " Scan", then check(tick) the following, if present:
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedfg32.exe
Now, with all windows closed except HiJackThis, click " Fix checked".
Locate and delete the following item(s), if present. Make sure your able to view system and hidden files/ folders:
files...
C:\windows\system32\elitedfg32.exe
-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're ' in use', try deleting them from " Safe Mode".
Post back a new log, and let me know how everything goes.
Steve
Toth52dt
9 Posts
0
May 24th, 2005 18:00
Steve,
I followed your directions, and did it over 3 times, but...
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedfg32.exe
Scan saved at 3:23:46 PM, on 05/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Matt 1\Desktop\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [C2kWep] C:\Program Files\Netopia\C3kWepN.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedfg32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116798195169
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
zbestwun2001
3 Apprentice
•
8.8K Posts
0
May 24th, 2005 19:00
WinsockXPFix
Copy the bold text to Notepad, and save in a location of your choice as Fix.reg (make sure you save as type: 'all files')
REGEDIT4
[-HKEY_CURRENT_USER\Software\LQ]
[-HKEY_LOCAL_MACHINE\SOFTWARE\ohbbackup]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Elitum]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "antiware"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\UserAgent\Post Platform] "iebar"=-
Reboot into safe mode by tapping F8 at boot, then use the up/down arrows to select safe mode
Manually find and delete :
- the ENTIRE contents of the C:\Documents and Settings\ Insert YourUserName here\Local Settings\Temp folder
- any/all of these, if found:
C:\Windows\ EliteToolBar
C:\Windows\ EliteSideBar
C:\Windows\ EliteBar
C:\Windows\System32\ Error.dat
C:\Windows\System32\ eliteerror32.dat
NOTE: To avoid the risk of any of the above not being found due to them
having the 'Hidden' attribute, show all files as follows:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Now go to Start > Run, and type Cmd then press Enter > The Command window opens.
If no commandprompt window opens, go to
Start
AllPrograms
Accessories
CommandPrompt
Copy the following line:
DEL /F /Q "%windir%\system32\elite***32.exe"
RIGHTclick your mouse in the Command Window. The line you've copied
will get pasted into the command window. Subsequently press the ENTER
button.
Next, still in Safe Mode, Run hijackthis again with no Windows Apps or
Browser windows open, Scan, and checkmark/fix the following lines:
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitedfg32.exe
Now Doubleclick Fix.reg you saved earlier, and answer yes when prompted to add its contents to the Registry.
Now run WinsockXPFix
When you're done, start your computer normally, and post a fresh hijackthis log.
Steve
Message Edited by zbestwun2001 on 05-24-2005 01:25 PM
zbestwun2001
3 Apprentice
•
8.8K Posts
0
May 24th, 2005 21:00
The log is now clean of all malware.
This is my normal post for when you are clear - which you now are - or seem to be. Please advise of any problems you still have :-
Here are some last minute instructions.
Managing Windows Millennium System Restore
or
Windows XP System Restore Guide
re-enable system restore with instructions from tutorial above
Instructions for - Spybot S & D and Ad-aware
Steve
Toth52dt
9 Posts
0
May 24th, 2005 21:00
Scan saved at 6:13:43 PM, on 05/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Matt 1\Desktop\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hometab.bellsouth.net/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [C2kWep] C:\Program Files\Netopia\C3kWepN.exe
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire HomePortal Monitor\2portalmon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1116798195169
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Toth52dt
9 Posts
0
May 25th, 2005 00:00
Message Edited by Toth52dt on 05-24-2005 08:07 PM
zbestwun2001
3 Apprentice
•
8.8K Posts
0
May 25th, 2005 00:00
Service packs, are major updates put out my M$ fixing weaknesses and securing your OS with entries that they didn't think of when XP was made.
As time went on, and hackers found weaknesses in the security of the OS, M$ would patch those weaknesses with critcal updates from their website. You should be checking for them regularly.
Service packs are MAJOR updates to your system. My suggestion is to call M$ on the phone and ask them to send you the disc for SP2. It's a big download, and this is much more convienent and I think a more stable way of installing this in your system.
It's free from M$ ....so just call their 1-800 number you get from directory assistance, it only takes about 1 week to arrive.
If you have any more problems just send me a PM.
Steve