elitenzm32.exe re-installs itself


hankg
05-21-2005, 06:56 PM
Hello,

I found this board through googling elitenzm32.exe and found this thread:
http://www.pcguide.com/vb/showthread.php?p=227686

Having a tough time getting rid of elitenzm32.exe. If you delete it, it comes back under new names until the reboot. If you disable it from loading in msconfig it comes right back. Same if you remove it with HijackThis. Tried killing it with KillBox, hunting it down through the registry and removing anything I could find related to elite, elitesearch toolbar, etc.

All the other 232 objects and programs have been ripped out of this machine with the exception of this last one. Aurora and coolwebsearch were a piece of cake compared to this.

Here is the current hijackthis log.

Logfile of HijackThis v1.99.0
Scan saved at 6:42:29 PM, on 5/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALURIA~2\asKernel.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\system32\svchost.exe
C:\spywareremove\hijackthis199.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [sunasDtServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitenzm32.exe
O23 - Service: Aluria Security Center Spyware Eliminator Service - Unknown - C:\PROGRA~1\ALURIA~2\ascserv.exe
O23 - Service: asKernel - Unknown - C:\PROGRA~1\ALURIA~2\asKernel.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

asKernel is Aluria's spyware removal, as they said they could do it. :(
PPMemCheck, CookiePatrol and PPControl are PestPatrol.
DefWatch is NAV Corporate Edition.

Any tips would sure be appreciated.
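A small parser for the HijackThis 1.99 log format shown above, added here as an example and not code from this thread or from HijackThis itself: it pulls out the running processes, the O4 Run-key autostarts and the O23 services, then flags the entries a responder would check first (a Run entry whose file name matches a watched fragment, a Run entry whose binary is not currently running, and a service with no recognised vendor). The log excerpt, the "elite" watch fragment and the triage rules are constructed for this example.

```python
import re

# Constructed excerpt modelled on the log posted above; not a complete HJT log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\PROGRA~1\ALURIA~2\asKernel.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitenzm32.exe
O23 - Service: asKernel - Unknown - C:\PROGRA~1\ALURIA~2\asKernel.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
"""

# Line shapes in a HijackThis 1.99 log: bare paths under "Running processes:", O4 Run-key autostarts, O23 services.
PROC_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
O4_RE = re.compile(r"^O4 - (?P<hive>\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")

def exe_name(command):
    """Lower-cased file name of the program in a command line, so 8.3 and long paths compare equal."""
    m = re.search(r'([^\\/"]+\.exe)', command, re.IGNORECASE)
    return m.group(1).lower() if m else command.strip().lower()

def parse_hjt(text):
    """Split an HJT log into running processes, O4 Run-key entries and O23 services."""
    parsed = {"processes": [], "runs": [], "services": []}
    for line in (l.strip() for l in text.splitlines()):
        if PROC_RE.match(line):
            parsed["processes"].append(line)
        elif (m := O4_RE.match(line)):
            parsed["runs"].append(m.groupdict())
        elif (m := O23_RE.match(line)):
            parsed["services"].append(m.groupdict())
    return parsed

def triage(parsed, watch=("elite",)):
    """Return (section, name, exe, reason) tuples a responder would look at first."""
    running = {exe_name(p) for p in parsed["processes"]}
    findings = []
    for r in parsed["runs"]:
        exe = exe_name(r["cmd"])
        if any(w in exe for w in watch):      # name fragment taken from this thread
            findings.append(("O4", r["name"], exe, "matches watch pattern"))
        elif exe not in running:              # autostart configured but binary not running now
            findings.append(("O4", r["name"], exe, "autostart binary not currently running"))
    for s in parsed["services"]:
        if s["vendor"].strip().lower() == "unknown":
            findings.append(("O23", s["name"], exe_name(s["path"]), "service has no recognised vendor"))
    return findings
```

Run `triage(parse_hjt(SAMPLE_LOG))` to get the flagged entries; on the excerpt it reports vptray (not running), checkrun (name match) and the asKernel service (vendor Unknown).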

classicsoftware
05-21-2005, 10:45 PM
Is this the log in its entirety?

There seems to be a load missing from the middle and the beginning.

Please post the entire log.

I would dump the Aluria product......

hankg
05-21-2005, 11:06 PM
Thanks for the quick reply. Yep, that is 100% of the log... I spent about an hour ripping everything out of this machine.

This lady's pc had EVERYTHING on it, coolwebsearch, hotbar, aurora, you name it, it was there...

Not too thrilled with the Aluria stuff either...


Something else is running hidden or posing as another service and reloads elitenzm32 about a minute after you delete it; it also replaces other files beginning with elite, including stuff in the prefetch directory.

I am really puzzled on this one.

Whyzman
05-22-2005, 04:08 AM
Wow, this one really sounds like a demon...

http://www.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_STARTPA.A&VSect=Td

Enigma
05-22-2005, 04:39 AM
It may also be hiding in the System Restore that comes with XP. Try this:
Right-click on My Computer, go to Properties, click System Restore properties and click "Turn off System Restore on all drives". This prevents it from reloading from the backup automatically when Windows restarts. Restart, and then uncheck "Turn off System Restore on all drives".
If this doesn't work then it might be time to reformat.

Whyzman
05-22-2005, 04:45 AM
Disabling System Restore is indeed part of the removal solution...please look to the bottom of the linked page and note the "Solution" link which will detail the registry work necessary to remove this bugger...

david eaton
05-22-2005, 06:46 AM
To remove Elitebar, try this fix:

Please download miekiemoes' LQfix batch here:
http://users.pandora.be/bluepatchy/LQfix.zip
Unzip it to the desktop but do NOT run it yet.

Next, reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.com/support/safemode.shtml


Once in Safe Mode, run LQfix.bat. When finished, restart your computer in normal mode and post a new HijackThis log.

hankg
05-22-2005, 07:29 AM
Good morning,

Thanks for all the info, yes recovery is turned off.

Thanks for the batch file, as safe mode is required I will have to go out to the customer site on Monday AM.

Will post back results.

Thanks again.

hankg
06-16-2005, 11:41 AM
Very sorry for the delay on posting back here.

The LQfix worked out perfectly. It was gone in 2 min.

Thank you all for your help.
hg

classicsoftware
06-16-2005, 01:19 PM
Malware usually travels in packs. You should post another HJT log to make sure everything is OK.