If you run HijackThis
(Get HijackThis.exe from
http://tomcoyote.org/hjt/hjt199//HijackThis.exe
Save it to C:\hjt (new folder) then Open it and select
Scan Only)
you will see:
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-
51D73BD81ABC} - C:\WINXP\EliteToolBar\EliteToolBar version
53.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-
0C15C5CA8DEF} - C:\WINXP\EliteToolBar\EliteToolBar version
53.dll
O4 - HKLM\..\Run: [antiware] C:\winxp\system32
\elitetpr32.exe
You may also see a ton of entries like:
O4 - HKLM\..\Run: [RuBkrclfmon.exe]
C:\WINXP\RuBkrclfmon.exe
O4 - HKLM\..\Run: [OUIagclfmon.exe]
C:\WINXP\OUIagclfmon.exe
and also:
O4 - HKLM\..\Run: [Windows Service Pack Auto Update]
C:\Documents and Settings\YourLoginName\figgaz.exe
O4 - HKLM\..\RunServices: [Microsoft Java Windows Update]
vlblhe.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Svhost.exe
O4 - HKCU\..\Run: [Microsoft Update] Svhost.exe
The .exe files may change but if you google them you will
get no or only a few hits.
If you boot into Safe Mode (F8) choose the without
networking option and run HijackThis then select the Scan
Only option again and check all entries that match the
above then hit Fix Checked you should get rid of most of
it.
Then run AntiSpy with the 3 scan options enabled.
Wouldn't hurt to check the folder
C:\Documents and Settings\YourLoginName\
and remove any .exe files you find. This is not a place
where good .exe files live.
If you make a mistake you can tell HijackThis to restore
something or everything. View the List of Backups, select
the entries to be restored and press Restore.
If in doubt send the log to me at (e-mail address removed)
Ron
