You may have to type slow so I can keep up also
My computer has Windows XP home ed as its OS
I am using Winpatrol and keep getting an alert that "eiltemkw32.exe" has been installed in my C\Windows\System32 folder. I can't find this file either by running a file search or through Windows Explorer.
Something is there because I am gett lots of .tmp files added to the C\Documents and Settng\username\ Local Settings\Temp folder. I am also getting lots of pop ups and surfing is slow. Winpatrol is unable to remove this from the start up. I have also tried to remove it using the Windows - Help and Support - Adjust start up resources feature.
I have updated and ran Spybot - no help
I have updated and ran Ad Aware 6 - no help
I have updated and ran Symantec - no help
I did a google search on the file name found your site. I then down loaded Hijack This and attached is the log file it created.
I hope all of this makes sense.
Any help is appreciated.
Logfile of HijackThis v1.99.1
Scan saved at 5:32:35 PM, on 3/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\CCpdpsrv.exe
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\WINPAT~1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBZPSWX.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBZJSWX.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\Documents and Settings\Barry\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://weba.directwe...net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://weba.directwe...net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://weba.directwe...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://weba.directwe...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ê 1%2O
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://lookfor.cc/sp.php?pin=12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://weba.directwe...net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://weba.directwe...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://ie.search.psn.cn/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://mail.yahoo.com/?.intl=us"); (C:\Documents and Settings\Barry\Application Data\Mozilla\Profiles\default\bfecpnqc.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Barry\Application Data\Mozilla\Profiles\default\bfecpnqc.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [CCPDPSRV] C:\WINDOWS\system32\spool\drivers\w32x86\3\CCpdpsrv.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitemkw32.exe
O4 - Startup: Shortcut to bhblaster.exe.lnk = C:\Program Files\Browser Hijack Blaster\bhblaster.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Support - {3090C20A-CD44-4152-B25B-4F5F7C58D449} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O13 - WWW. Prefix: http://ehttp.cc/?
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://66.230.145.49/20646/online.chm::/on-line.exe
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://weba.directwebsearch.net/winsearchie32.chm::/winsearchie32.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {1DEFB8C0-22A7-4E58-B735-43A169CDA2AB} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...315/mcfscan.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw9fd.law9.ho...ex/HMAtchmt.ocx
O16 - DPF: {F621C77F-126F-4CA5-BC8B-2F64189E93A5} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{C139333C-33D1-4DB7-BDC1-E9902CCFCA16}: NameServer = 130.18.80.12 130.18.80.13
O18 - Filter: text/html - {5B357973-8A00-4326-BBF9-E0DEA299D913} - C:\WINDOWS\System32\onone.dll
O18 - Filter: text/plain - {5B357973-8A00-4326-BBF9-E0DEA299D913} - C:\WINDOWS\System32\onone.dll
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: msconfd.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
