Topic: Elitewym32.exe in registry

bth
« on: May 02, 2005, 06:19:07 AM »
I am working on a system where the registry gets edited on every reboot to include this exe in the HKLM\...run section.  I've run HJT and am including the log.  TIA for your help.

Logfile of HijackThis v1.99.1
Scan saved at 6:00:38 AM, on 5/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Z:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\hjt\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitewym32.exe
O4 - HKLM\..\Run: [tvqgkf] ; c:\windows\system32\vaoloih.exe
O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\System32\taskmon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PSoft1] ; C:\WINDOWS\System32\psoft1.exe
O4 - HKLM\..\Run: [GMedia2] ; C:\WINDOWS\System32\GSMedia3.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\RunOnce: [CounterSpyCleaner] C:\Program Files\Sunbelt Software\CounterSpy Client\sunASCleaner.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [lsasrv] ; C:\WINDOWS\System32\lsasrv.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d/www.n....0_SILENT_2.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - Z:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

guestolo (Administrator)
« Reply #1 on: May 02, 2005, 07:25:13 PM »
You show signs of a few different infections on your computer
Mydoom being one of them
Can you try and download all that I ask, all are free and don't take too much time to run, except for Ewido, but it is very effective in killing one problem you have and may uncover more

==Download and save to desktop
The STINGER by McAfee
Save it for now, we'll run it in a bit

==Download and Unzip to a folder Hoster.zip
We'll need this later

==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup
Give the link time to load or try it twice, it may be busy
Install for now, don't run a scan yet

Download and UNZIP to desktop NailRemove.zip, so you now have
NailRemove.bat on your desktop, we'll need this later
[attachment=193:attachment]

==Download and UNZIP to desktop LQFIX.zip
So you now have LQfix.bat on the desktop, we'll need this later
[attachment=194:attachment]

==Finally, Download and then Install
Ewido Trojan Scanner

When installing, under "Additional Options" UNCHECK  "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on UPDATE in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido
We'll need it later

Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Please Print this out or save these instructions to a Notepad file and save it to your Desktop
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, after the single post beep, or use the link
I supplied for a more detailed explanation

In safe mode

Run STINGER by McAfee's, let it fix whatever it finds
When it's done, Please restart the computer, Allow to restart back to Safe mode

Back in Safe mode
==Go to START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- System Startup Service

Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled

==Double click on Nailremove.bat
A DOS window will open and close quickly, this is normal

==Double click on LQFix.bat, again a window will open and close quickly

==Find and delete these files if they exist, they may not be found, but take a look
C:\WINDOWS\System32\psoft1.exe <-file
C:\windows\system32\elitewym32.exe <-file
C:\WINDOWS\System32\GSMedia3.exe <-file
c:\windows\system32\vaoloih.exe <-file
C:\WINDOWS\System32\lsasrv.exe <-file, DON'T delete lsasrv.dll

==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Decline to Log off

Instead
====Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report

==Open Hoster>>Click on "Restore Original Hosts"
OK it

==Do another scan with Hijackthis and put a check next to these entries:
Not all may be found, but fix what you see

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitewym32.exe
O4 - HKLM\..\Run: [tvqgkf] ; c:\windows\system32\vaoloih.exe
O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\System32\taskmon.exe

O4 - HKLM\..\Run: [PSoft1] ; C:\WINDOWS\System32\psoft1.exe
O4 - HKLM\..\Run: [GMedia2] ; C:\WINDOWS\System32\GSMedia3.exe

O4 - HKCU\..\Run: [lsasrv] ; C:\WINDOWS\System32\lsasrv.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart back to Normal mode
Back in Windows if prompted by
Microsoft AntiSpyware or CounterSpy allow the changes so they don't interfere with any fixes we have done

Post back a fresh Hijackthis log and the report from Ewido
Could you also
Download Find_It's.zip
UNZIP the contents
Open the FindIt's folder and double click on the FindIt's.bat
Wait for the log and post it back here

NOTE: If you have trouble downloading the tool from McAfee please run Hoster ahead of time, as one infection may have modified your Hosts file

Also, I left out a file to manually delete on purpose, I don't want you to remove a legit file and the scanners may take care of it for you
This file here
C:\WINDOWS\System32\taskmon.exe
Set by Mydoom
When you're back in normal mode
Can you look in your system32 folder for taskmon.exe << with an "o", and let me know if it exists
You will see Taskman.exe, which is legit << with 2 "a"s
« Last Edit: May 02, 2005, 07:26:28 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


bth
« Reply #2 on: May 03, 2005, 07:52:52 AM »
From the looks of it, and the way their system is running, YOU ARE A HERO! :D  Here are the logs since I ran all of the software you suggested:

Logfile of HijackThis v1.99.1
Scan saved at 7:43:24 AM, on 5/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
Z:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\taskmgr.exe
C:\hjt\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O16 - DPF: Yahoo! MahJong - http://download.games.yahoo.com/games/clients/y/ot0_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://24.234.255.102/activex/AxisCamControl.cab
O16 - DPF: {92CA8ACC-4E99-4A2A-93F1-B2C5CADC8613} (NMInstall Control) - http://a14.g.akamai.net/f/14/7141/1d/www.n....0_SILENT_2.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - Z:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

=================================================
Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 05/03/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
 
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»
 
* aurora  C:\WINDOWS\VSNFOO.EXE
 
»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first
 
* UPX!  C:\WINDOWS\System32\POKER.EXE
 
»»»»» lagitamate file's can/will show in this section.
 
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»
 
* SAHAgent  C:\WINDOWS\System32\70TOVMTO.INI
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
 
 
»»»»» Checking Windir\svcproc.exe and nail.exe.
 
»»»»» Checking for System32\DrPMon.dll.
 
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.
 
 Volume in drive C has no label.
 Volume Serial Number is 748D-57CA

 Directory of C:\WINDOWS\SYSTEM32

04/29/2005  03:02 AM    <DIR>          cache32_rtneg2
               0 File(s)              0 bytes
               1 Dir(s)   2,839,314,432 bytes free
»»»»» Checking for SAHAgent ico files.
 Volume in drive C has no label.
 Volume Serial Number is 748D-57CA

 Directory of C:\WINDOWS\system32

04/29/2005  05:58 PM             3,262 dice21.ico
04/29/2005  05:58 PM             3,262 vh e2331.ico
04/29/2005  05:58 PM             4,286 greenmovie2313asaadsasfad.ico
04/29/2005  05:58 PM             3,262 creditcard32123123123asdsa1.ico
04/28/2005  10:14 AM             4,286 greenmovie2313asaadsasfad112341231adsfa.ico
04/29/2005  05:58 PM             4,286 mp3red51aads.ico
04/28/2005  10:14 AM             3,262 creditcard32123123123asdsa.ico
04/29/2005  05:58 PM             3,262 kill spyware1.ico
04/29/2005  05:58 PM             3,262 kill popups.ico
               9 File(s)         32,430 bytes
               0 Dir(s)   2,839,314,432 bytes free
 
»»»»»»»»»»»»»»»»»»»»»»»».
 

! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Bolger


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
    <NO NAME>   REG_SZ   Bolger Functional Class


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410}
    <NO NAME>   REG_SZ   BolgerObj Class


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
    Driver   REG_SZ   DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
    Driver   REG_SZ   DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon
    Driver   REG_SZ   DrPMon.dll

===============================================
McAfee AVERT Stinger Version 2.5.4 built on May  2 2005

Copyright © 2005 Networks Associates Technology, Inc. All Rights Reserved.

Virus data file v1000 created on May 2 2005.

Ready to scan for 53 viruses, trojans and variants.



Scan initiated on Tue May 03 05:47:18 2005

  Number of clean files: 43515



Let me know if there's anything else that you see needs to be taken care of.

Thank you very much,

bth
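An added example, not code from HijackThis or from any poster in this thread: a small Python script that parses the O4 autorun and O23 service lines of a HijackThis log, flags entries that deserve a second look, and diffs the before and after logs posted above so the effect of the cleanup is visible. The two log excerpts are copied from the logs in this thread; the heuristics (a service listed with "Unknown owner", a file name within one edit of a genuine Windows binary name such as taskmon.exe against taskman.exe, or one sharing a stem with a genuine file such as lsasrv.exe against lsasrv.dll) and the short KNOWN_GOOD list are this example's own assumptions, not a complete rule set.

```python
"""Parse HijackThis O4/O23 lines, flag suspicious entries and diff two logs.

Added example for this thread, not code from HijackThis or from any poster.
Log excerpts are copied from the thread; heuristics and KNOWN_GOOD are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Excerpts of the two logs posted in the thread (before and after the cleanup).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitewym32.exe
O4 - HKLM\..\Run: [tvqgkf] ; c:\windows\system32\vaoloih.exe
O4 - HKLM\..\Run: [TaskMon] C:\WINDOWS\System32\taskmon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [lsasrv] ; C:\WINDOWS\System32\lsasrv.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Assumed short list of genuine Windows file names that malware likes to imitate.
KNOWN_GOOD = ("taskman.exe", "lsass.exe", "lsasrv.dll", "svchost.exe", "services.exe")

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?)\s*\((\w+)\) - (.+?) - (.+)$")
# First quoted or unquoted path ending in a program-like extension.
PATH_RE = re.compile(r'^"?([^"]+?\.(?:exe|dll|bat|com))"?', re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    kind: str   # "O4" (Run value) or "O23" (service)
    key: str    # hive\subkey for O4, short service name for O23
    label: str  # value name for O4, display name for O23
    owner: str  # vendor string for O23, empty for O4
    path: str   # executable path extracted from the command


def parse_log(text: str) -> list[Entry]:
    """Collect O4 and O23 entries from a HijackThis log; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, subkey, name, cmd = m.groups()
            pm = PATH_RE.match(cmd.lstrip("; "))  # drop the leading "; " seen in the log
            entries.append(Entry("O4", f"{hive}\\{subkey}", name, "", pm.group(1) if pm else cmd))
            continue
        m = O23_RE.match(line)
        if m:
            display, short, owner, path = m.groups()
            entries.append(Entry("O23", short, display, owner, path.strip()))
    return entries


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; the names are short so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename: str) -> str | None:
    """Return the genuine name this file name imitates, or None if it looks unrelated."""
    name = filename.lower()
    if name in KNOWN_GOOD:
        return None
    stem = name.rsplit(".", 1)[0]
    for good in KNOWN_GOOD:
        if levenshtein(name, good) == 1 or good.rsplit(".", 1)[0] == stem:
            return good
    return None


def flag_entries(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Attach a reason to every entry that deserves manual review."""
    flagged = []
    for e in entries:
        filename = e.path.rsplit("\\", 1)[-1]
        if e.kind == "O23" and e.owner.lower() == "unknown owner":
            flagged.append((e, "service with no vendor string"))
        imitated = lookalike_of(filename)
        if imitated:
            flagged.append((e, f"filename imitates {imitated}"))
    return flagged


def removed_between(before: str, after: str) -> set[Entry]:
    """Entries present in the first log but gone from the second."""
    return set(parse_log(before)) - set(parse_log(after))


if __name__ == "__main__":
    for entry, reason in flag_entries(parse_log(LOG_BEFORE)):
        print(f"[{entry.kind}] {entry.label}: {entry.path} -> {reason}")
    print("Removed by the cleanup:")
    for entry in sorted(removed_between(LOG_BEFORE, LOG_AFTER), key=lambda e: e.path):
        print("  ", entry.path)
```

Run it directly to print the flagged entries and the lines that disappeared between the two logs. The lookalike check is deliberately narrow (one edit or a shared stem against a short list) so that it stays a prompt for manual review, the way the reply above asks the poster to check taskmon.exe by hand, rather than a verdict that something is safe to delete.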

guestolo (Administrator)
« Reply #3 on: May 03, 2005, 10:11:58 PM »
Still have to get rid of some leftovers

==Download the Pocket Killbox
UNZIP it to a folder of your choice

==Download and UNZIP to desktop clear.zip so you now have clear.reg on the desktop
[attachment=198:attachment]

Please save these instructions to a Notepad file and save it to your Desktop>>Close all browser windows, disconnect from the Internet

==Run Pocket KillBox>>Now killbox and this notepad file are open
Click on Tools>>Delete Temp files

In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in

C:\WINDOWS\VSNFOO.EXE  

Select the radio button to
 Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO

Continue to copy and paste the next paths to the files below into killbox
Selecting Delete on Reboot after each

C:\WINDOWS\System32\70TOVMTO.INI
C:\WINDOWS\system32\dice21.ico
C:\WINDOWS\system32\vh e2331.ico
C:\WINDOWS\system32\greenmovie2313asaadsasfad.ico
C:\WINDOWS\system32\creditcard32123123123asdsa1.ico
C:\WINDOWS\system32\greenmovie2313asaadsasfad112341231adsfa.ico
C:\WINDOWS\system32\mp3red51aads.ico
C:\WINDOWS\system32\creditcard32123123123asdsa.ico
C:\WINDOWS\system32\kill spyware1.ico
C:\WINDOWS\system32\kill popups.ico


When you've entered the last path to the file
Allow the computer to Reboot
or Restart the computer anyways

Back in Windows

Find and delete this folder
C:\WINDOWS\SYSTEM32\cache32_rtneg2 <-folder

Double click on clear.reg and allow to merge to the registry

Restart the computer one more time

Post back one last hijackthis log and could you run FindIt's.bat again and post the log
Did you happen to see taskmon.exe in the System32 folder??
Remember, not taskman.exe

Edited this a bit, I removed one file to delete on reboot with killbox
Can you do the following
I want to check out this file, it may be a legit file if the user plays online Poker

Could you also go to this site please
Give this site time to load
Jotti's Online Malware scan

Use the browse button and navigate to the file on your hard disk
C:\WINDOWS\System32\POKER.EXE <-this file

Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post back the results of the scan back here please, just the scanner results
« Last Edit: May 03, 2005, 11:14:39 PM by guestolo »



bth
« Reply #4 on: May 03, 2005, 10:21:36 PM »
guestolo, I will run the rest of this in the morning when I get off work.  I did not see the file taskmon.exe in the system32 directory.

Will post the logs in the morning.

Have a good night and thank you very much.

bth