Elitemhw32.exe? Help Please




    New Member

  • Member
  • Pip
  • 4 posts
I've been zapped and need help, Please
You may have to type slow so I can keep up also

My computer has Windows XP home ed as its OS
I am using WinPatrol and keep getting an alert that "eiltemkw32.exe" has been installed in my C:\Windows\System32 folder. I can't find this file either by running a file search or through Windows Explorer.
Something is there because I am getting lots of .tmp files added to the C:\Documents and Settings\username\Local Settings\Temp folder. I am also getting lots of pop-ups and surfing is slow. WinPatrol is unable to remove this from the startup. I have also tried to remove it using the Windows - Help and Support - Adjust start up resources feature.

I have updated and run Spybot - no help
I have updated and run Ad Aware 6 - no help
I have updated and run Symantec - no help

I did a Google search on the file name and found your site. I then downloaded HijackThis, and attached is the log file it created.

I hope all of this makes sense.
Any help is appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 5:32:35 PM, on 3/26/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\Program Files\Browser Hijack Blaster\bhblaster.exe
C:\Documents and Settings\Barry\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://weba.directwe...net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://weba.directwe...net/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://weba.directwe...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://weba.directwe...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ê 1%2O
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://lookfor.cc?pin=12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://lookfor.cc/sp.php?pin=12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://lookfor.cc/sp.php?pin=12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://weba.directwe...net/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://weba.directwe...net/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://ie.search.psn.cn/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
R3 - Default URLSearchHook is missing
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://mail.yahoo.com/?.intl=us"); (C:\Documents and Settings\Barry\Application Data\Mozilla\Profiles\default\bfecpnqc.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Barry\Application Data\Mozilla\Profiles\default\bfecpnqc.slt\prefs.js)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
O4 - HKLM\..\Run: [CCPDPSRV] C:\WINDOWS\system32\spool\drivers\w32x86\3\CCpdpsrv.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\elitemkw32.exe
O4 - Startup: Shortcut to bhblaster.exe.lnk = C:\Program Files\Browser Hijack Blaster\bhblaster.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Support - {3090C20A-CD44-4152-B25B-4F5F7C58D449} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (HKCU)
O13 - WWW. Prefix: http://ehttp.cc/?
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {10003000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://c:\nosuch.mht!http://weba.directwe...nsearchie32.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {11311111-1111-1111-1111-111111111157} - file://C:\Recycled\Q330995.exe
O16 - DPF: {1DEFB8C0-22A7-4E58-B735-43A169CDA2AB} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...315/mcfscan.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://lw9fd.law9.ho...ex/HMAtchmt.ocx
O16 - DPF: {F621C77F-126F-4CA5-BC8B-2F64189E93A5} (CWDL_DownLoadControl Class) - http://www.callwave....DL_DownLoad.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{C139333C-33D1-4DB7-BDC1-E9902CCFCA16}: NameServer =
O18 - Filter: text/html - {5B357973-8A00-4326-BBF9-E0DEA299D913} - C:\WINDOWS\System32\onone.dll
O18 - Filter: text/plain - {5B357973-8A00-4326-BBF9-E0DEA299D913} - C:\WINDOWS\System32\onone.dll
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: msconfd.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2 (file missing)
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
  • 0




    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
I forgot to mention that this bug shows up as "etbrun" in the Windows startup resources list. When I try to delete it, it keeps adding itself back.

Anyone have any ideas?
  • 0



    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts

Anyone have any ideas?
  • 0



    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
OK I give up
I'll just burn the %@&# thing!!!
  • 0



    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello and welcome to GTG

Please accept my apologies for the late reply.

If you’re still looking to resolve this issue, please run through the steps outlined in this Topic

If that doesn’t cure your problem, please post back a fresh HijackThis log when done.

If, however, you have resolved this issue please let us know.

Thank you for your co-operation and once again apologies for the late reply.

As there has been no reply from the original poster, this topic is now closed.
Should you have any further problems, please create a new Topic.

Thanks

Edited by Crustyoldbloke, 03 May 2005 - 03:51 AM.

  • 0
