HijackThis shows this file:
O4 - HKLM\..\Run: [checkrun] E:\windows\system32\elitepmw32.exe
I'm not able to see the file even though "show hidden files" is on.
Booting into Linux, I was able to see it plus another file, elitezke32.exe.
I removed the checkrun entry but it came back.
I'm also wondering why I still see Google Toolbar entries in HijackThis after I removed Google Toolbar in Add/Remove Programs.
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 7:46:09 PM, on 6/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Updater.exe
E:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
E:\Program Files\AIM95\aim.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
E:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
E:\Program Files\RealVNC\WinVNC\WinVNC.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\mozilla.org\Mozilla\mozilla.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\setup.xp\HijackThis.exe
O4 - HKLM\..\Run: [Q3DObsidian2] RunDll32 E:\WINDOWS\System32\q3dps2.dll,Q3dGlideBoot
O4 - HKLM\..\Run: [WinVNC] "E:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "E:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [checkrun] E:\windows\system32\elitepmw32.exe
O4 - HKLM\..\Run: [vptray] E:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://E:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://E:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://E:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\j2re1.4.2_08\bin\npjpi142_08.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM95\aim.exe
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - E:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - E:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O16 - DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} (Collapse Control) - http://mirror.worldw...se/collapse.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{45414234-443A-407E-BCE7-C56680409058}: NameServer = 151.203.162.6,151.203.111.6
O20 - Winlogon Notify: NavLogon - E:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - E:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - E:\Program Files\Nortel Networks\Extranet_serv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: SAVRoam - symantec - E:\PROGRA~1\symantec\LIVEUP~1\savroam.exe
O23 - Service: VNC Server (winvnc) - Unknown owner - E:\Program Files\RealVNC\WinVNC\WinVNC.exe" -service (file missing)
findqoologic log:
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* UPX! E:\WINDOWS\System32\FMOD.DLL
»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f5bd48
Global Startup:
E:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Adobe Gamma Loader.exe.lnk
desktop.ini
Microsoft Office.lnk
User Startup:
E:\Documents and Settings\etm\Start Menu\Programs\Startup
.
..
desktop.ini
»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»
! REG.EXE VERSION 3.0
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
<NO NAME> REG_SZ {BDA77241-42F6-11d0-85E2-00AA001FE28C}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
<NO NAME> REG_SZ {750fdf0e-2a26-11d1-a3ea-080036587f03}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
<NO NAME> REG_SZ {09799AFB-AD67-11d1-ABCD-00C04FC30936}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
<NO NAME> REG_SZ {A470F8CF-A1E8-4f65-8335-227475AA5C46}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
<NO NAME> REG_SZ {B41DB860-8EE4-11D2-9906-E49FADC173CA}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ZFAdd
<NO NAME> REG_SZ {8FF88D27-7BD0-11D1-BFB7-00AA00262A11}
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
<NO NAME> REG_SZ Start Menu Pin
thanks
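An added example, not part of the post and not code from HijackThis or findqoologic: a small Python parser for the O4 autorun lines in a log like the one above. It extracts the file a Run value actually loads (handling quoted paths followed by arguments, unquoted paths containing spaces, and rundll32 DLL,entry forms), then applies two triage checks a helper would otherwise do by eye: which autorun images have no matching entry in the log's "Running processes" list, and which are given as a relative path. The sample log text is constructed from lines in the post, and the function and class names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: a cut-down log in HijackThis v1.99 layout, copied in shape
# from the post above. Not real tool output.
SAMPLE_LOG = r"""
Running processes:
E:\WINDOWS\Explorer.EXE
E:\Updater.exe
E:\Program Files\AIM95\aim.exe
E:\Program Files\RealVNC\WinVNC\WinVNC.exe

O4 - HKLM\..\Run: [Q3DObsidian2] RunDll32 E:\WINDOWS\System32\q3dps2.dll,Q3dGlideBoot
O4 - HKLM\..\Run: [WinVNC] "E:\Program Files\RealVNC\WinVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "E:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [checkrun] E:\windows\system32\elitepmw32.exe
O4 - HKCU\..\Run: [AIM] E:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://E:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
"""


@dataclass
class AutorunEntry:
    location: str   # HKLM, HKCU, or the startup-folder kind for .lnk entries
    name: str       # registry value name or .lnk file name
    command: str    # raw command as HijackThis printed it
    image: str      # file the command really loads (the DLL for rundll32 lines)
    args: str       # remaining arguments, or the DLL entry point


O4_REGISTRY = re.compile(
    r"^O4 - (?P<loc>HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP = re.compile(
    r"^O4 - (?P<loc>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# First executable-looking path, so an unquoted "E:\Program Files\x\y.exe -flag" splits right.
IMAGE_RE = re.compile(
    r"^(?P<img>.+?\.(?:exe|com|scr|bat|cmd|pif))(?:\s+(?P<args>.*))?$", re.IGNORECASE)
DRIVE_OR_UNC = re.compile(r"^(?:[A-Za-z]:\\|\\\\)")


def _take_quoted(text: str) -> Tuple[str, str]:
    """Split '"path with spaces" rest' into (path, rest); text must start with a quote."""
    end = text.find('"', 1)
    if end < 0:
        return text[1:], ""
    return text[1:end], text[end + 1:]


def split_command(cmd: str) -> Tuple[str, str]:
    """Return (image, args) for one autorun command string."""
    cmd = cmd.strip()
    head, _, rest = cmd.partition(" ")
    if head.lower() in ("rundll32", "rundll32.exe"):
        # rundll32 <dll>,<entry>: the DLL is the item of interest, not rundll32 itself.
        rest = rest.strip()
        if rest.startswith('"'):
            dll, tail = _take_quoted(rest)
        else:
            dll, _, tail = rest.partition(",")
        return dll.strip(), tail.lstrip(",").strip()
    if cmd.startswith('"'):
        image, tail = _take_quoted(cmd)
        return image, tail.strip()
    m = IMAGE_RE.match(cmd)
    if m:
        return m.group("img"), (m.group("args") or "")
    return head, rest.strip()


def parse_log(text: str) -> Tuple[List[str], List[AutorunEntry]]:
    """Return (running process paths, O4 autorun entries) from HijackThis log text."""
    processes: List[str] = []
    entries: List[AutorunEntry] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:          # the process block ends at the first blank line
                in_processes = False
            else:
                processes.append(line)
            continue
        m = O4_REGISTRY.match(line) or O4_STARTUP.match(line)
        if m:
            image, args = split_command(m.group("cmd"))
            entries.append(AutorunEntry(m.group("loc"), m.group("name"),
                                        m.group("cmd"), image, args))
    return processes, entries


def basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def autoruns_not_running(entries, processes) -> List[AutorunEntry]:
    """Autorun .exe images with no matching name in the log's process list. A triage
    signal, not a verdict: one-shot startup programs (Office's OSA.EXE) exit normally."""
    running = {basename(p) for p in processes}
    return [e for e in entries
            if basename(e.image).endswith(".exe") and basename(e.image) not in running]


def relative_image_entries(entries) -> List[AutorunEntry]:
    """Autorun images with no drive letter or UNC prefix; these resolve against the
    current drive/directory, so which file actually runs depends on the environment."""
    return [e for e in entries if e.image and not DRIVE_OR_UNC.match(e.image)]


if __name__ == "__main__":
    procs, autoruns = parse_log(SAMPLE_LOG)
    for e in autoruns:
        print(f"{e.location:<14} {e.name:<22} image={e.image!r} args={e.args!r}")
    print("not running:", [e.name for e in autoruns_not_running(autoruns, procs)])
    print("relative path:", [e.name for e in relative_image_entries(autoruns)])
```

Run against the sample, the "not running" check surfaces both checkrun (the entry the poster could not find on disk) and the Office .lnk, which is why the result is a list to look at rather than a list to delete; the relative-path check surfaces the iRiver Updater value, whose `\Updater.exe` has no drive letter.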