
Badly infested PC, Elite won't go away!!

Discussion in 'Malware and Virus Removal Archive' started by James Byrne, 2005/03/03.

Thread Status:
Not open for further replies.
  1. 2005/03/03
    James Byrne (Thread Starter)
    A friend mentioned that he couldn't read his mail anymore on his 2-month-old PC, XP Home, SP1. PC was on dialup (ISP is Supanet here in the UK), no AV, no firewall!! It was riddled with junk: Ad-Aware SE (latest sig file) alone reported over 60 critical objects, MS AntiSpyware beta found scores too. Removed all possible with these apps + Spybot. PC was running like a snail in molasses (a tired, old snail with only one leg). Found dozens of copies of a process NaGQM.exe running and they wouldn't terminate; attempts to stop them spawned many more as if in retaliation! NAV (2005 version, latest defs) reported this & removed it. An IE6 toolbar "Elite" is present and won't go. If removed by an antispyware app, it is gone until the next boot <grrrr> and I think it is the source of ad popups every few minutes. I have downloaded a tool ETRemoverV11 (SimplyTech) and will try this tomorrow, together with running Windows Update, which has never been done.

    TCPView shows dozens of connections listening to "your-n6jlw2io3t:nnnn" mainly from smsse.exe, some from svchost. Connections come & go at a fast rate. Display window is all green and red!

    The HijackThis log is as follows. Run keys are starting some weirdly named .exe's!! I would value any comments and/or help from malware experts on the forum. TIA, James :)

    Logfile of HijackThis v1.99.1
    Scan saved at 03:18:19 PM, on 03/03/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
    C:\Program Files\Kerio\Personal Firewall\persfw.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Documents and Settings\FRED\My Documents\My download files\HiJackThis\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.supanet.com/search/iepanel/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\System32\blank.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.supanet.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.supanet.com/search/iepanel/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINDOWS\System32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Supanet Internet Explorer
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [SupaDial] C:\Program Files\SupaDial\SupaDial.exe /A
    O4 - HKLM\..\Run: [t3S] C:\windows\temp\t3S.exe
    O4 - HKLM\..\Run: [emFxj] C:\windows\emFxj.exe
    O4 - HKLM\..\Run: [JNaC9XGha] C:\windows\JNaC9XGha.exe
    O4 - HKLM\..\Run: [7N9Q] C:\windows\system32\7N9Q.exe
    O4 - HKLM\..\Run: [Syg4t3 P3rs0n4l F1r3w4ll] vc3h0st.exe
    O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\shch.exe /i
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteehc32.exe
    O4 - HKLM\..\RunServices: [Syg4t3 P3rs0n4l F1r3w4ll] vc3h0st.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Syg4t3 P3rs0n4l F1r3w4ll] vc3h0st.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://www.supanet.com/
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D5C6E5FB-4C44-4AC8-8F93-D671B9C2DAF8}: NameServer = 213.40.66.126 213.40.130.126
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Kerio Personal Firewall (PersFw) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall\persfw.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

  2. 2005/03/04
    Lonny Jones
    Hello

    Set Windows to show hidden files, folders and file extensions.
    Click for instructions.

    Start HijackThis and place a check next to these items.
    Close all browser windows and shut down all other programs that show in the taskbar (even folders). [We do not mean stop the programs in the tray area near the clock.]
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [t3S] C:\windows\temp\t3S.exe
    O4 - HKLM\..\Run: [emFxj] C:\windows\emFxj.exe
    O4 - HKLM\..\Run: [JNaC9XGha] C:\windows\JNaC9XGha.exe
    O4 - HKLM\..\Run: [7N9Q] C:\windows\system32\7N9Q.exe
    O4 - HKLM\..\Run: [Syg4t3 P3rs0n4l F1r3w4ll] vc3h0st.exe
    O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\shch.exe /i
    O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteehc32.exe
    O4 - HKLM\..\RunServices: [Syg4t3 P3rs0n4l F1r3w4ll] vc3h0st.exe
    O4 - HKCU\..\Run: [Syg4t3 P3rs0n4l F1r3w4ll] vc3h0st.exe
    ====================================
    Hit Fix checked and close HijackThis.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Reboot into safe mode:
    Click Start, click Run, type msconfig in the Open box, and then click OK.
    Click the BOOT.INI tab, tick [X] /SAFEBOOT, click Apply > OK and restart Windows,
    then choose Safe Mode.
    Find and delete (ONLY THESE EXACT) files and folders (if present):

    C:\WINDOWS\shch.exe << This file
    C:\windows\system32\7N9Q.exe << This file
    C:\windows\JNaC9XGha.exe << This file
    C:\windows\emFxj.exe << This file
    C:\windows\temp\t3S.exe << This file

    * Locate via Start > Search
    vc3h0st.exe << This file
    C:\windows\system32\eliteehc32.exe << This file
    Delete C:\windows\system32\elit???32.exe < these files
    (where ??? indicates random characters).
    Delete C:\windows\EliteToolBar
    Delete C:\windows\EliteBar
    C:\windows\System32\error32.dat < delete if there
    What was there ?
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Restart back to normal by unchecking [ ] /SAFEBOOT in msconfig,
    hit Apply then OK and let Windows restart.
    When Windows is restarted place a check in the
    [X] Don't show this message or launch the System Configuration Utility when Windows starts.

    Delete the contents of all your temp folders, as in: open C:\ then >
    C:\documents and settings\(all your PC users)\local settings\temp
    Note: Some systems have Temporary Internet Files, Application Data and History in that temp; if so leave them and delete all other folders and files inside that temp.
    Delete the contents of the C:\windows\temp folder.

    Clear Internet Explorers's cache
    1. In Control Panel, open Internet Options.
    2. Click the General tab, and then under Temporary Internet files, click Delete Files.
    3. In the Delete Files dialog box, click to select the Delete all offline content check box.
    4. Wait for the hourglass to disappear.
    5. Click OK.

    If you have Sun Java installed, its cache should be cleared too:
    > Control Panel > Java Plug-in > Cache tab > hit Clear!
    And do make sure you have the latest version.

    Don't depend on any one antivirus program; go get preferably two free online scans
    weekly or bi-weekly.
    Trend Micro free online scan: http://housecall.trendmicro.com/
    Check all boxes except [ ] auto clean!! Scan, and if it cannot clean tell it to delete found files!!

    BitDefender AntiVirus Free Scan: check all boxes except [ ] auto clean!!,
    then have it delete the file if it cannot clean/repair/cure it.
    Turn off any popup blockers before accessing the site:
    http://www.bitdefender.com/scan/licence.php

    If there are any problems, copy their reports back here please.

    Post a fresh HijackThis log.
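The O4 entries Lonny picked out above share a few tells that can be checked mechanically. As an added example (not code from this thread, from HijackThis or from any of the tools mentioned), the Python below parses the O4 lines of a HijackThis log and applies those tells as rules: a value with no path at all (vc3h0st.exe, which the loader resolves through PATH), a .exe starting from a temp folder, a .exe dropped straight into C:\windows, a generated-looking name with digits mixed into letters, a leetspeak name decoding to a security product ([Syg4t3 P3rs0n4l F1r3w4ll]), and the elit*32.exe family from the fix list. The sample input is the O4 block from the log posted above, reproduced inline; the rule names, the allowlist of legitimate %WINDIR% executables and the product keyword list are my assumptions.

```python
"""Triage the O4 (Run-key autostart) lines of a HijackThis log.

Added example for this thread, not code from the original posts or from
HijackThis. The rule names, allowlist and keyword list are assumptions.
"""
import re
from typing import Dict, List, Optional

# Constructed sample input: the O4 entries from the log posted in this thread.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [SupaDial] C:\Program Files\SupaDial\SupaDial.exe /A
O4 - HKLM\..\Run: [t3S] C:\windows\temp\t3S.exe
O4 - HKLM\..\Run: [emFxj] C:\windows\emFxj.exe
O4 - HKLM\..\Run: [JNaC9XGha] C:\windows\JNaC9XGha.exe
O4 - HKLM\..\Run: [7N9Q] C:\windows\system32\7N9Q.exe
O4 - HKLM\..\Run: [Syg4t3 P3rs0n4l F1r3w4ll] vc3h0st.exe
O4 - HKLM\..\Run: [WinAmpAgent] C:\WINDOWS\shch.exe /i
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [antiware] C:\windows\system32\eliteehc32.exe
O4 - HKLM\..\RunServices: [Syg4t3 P3rs0n4l F1r3w4ll] vc3h0st.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Syg4t3 P3rs0n4l F1r3w4ll] vc3h0st.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
# First .exe in the command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(.*?\.exe)', re.IGNORECASE)

# Leetspeak digit-for-letter substitutions that make [Syg4t3 P3rs0n4l F1r3w4ll]
# read like a real product in a quick glance at the log.
LEET = str.maketrans("013457", "oieast")
SECURITY_WORDS = ("sygate", "firewall", "antivirus", "norton", "symantec",
                  "mcafee", "zonealarm", "kerio")
# Executables that legitimately live directly in %WINDIR% on XP (assumed
# allowlist); a Run entry pointing at anything else there is worth a look.
WINDIR_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split one O4 line into hive, key, value name and executable path."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    hive, key, name, command = m.groups()
    exe = EXE_RE.match(command)
    path = exe.group(1).strip() if exe else command.strip()
    return {"hive": hive, "key": key, "name": name, "path": path}


def triage(entry: Dict[str, str]) -> List[str]:
    """Return the rules an entry trips; an empty list means nothing odd."""
    name, path = entry["name"], entry["path"]
    low = path.lower()
    dirname, _, filename = low.rpartition("\\")
    reasons: List[str] = []
    if "\\" not in path and ":" not in path:
        reasons.append("bare_filename")   # resolved via PATH; HJT cannot say where it lives
    if "\\temp\\" in low:
        reasons.append("temp_dir")        # nothing legitimate autostarts from a temp folder
    if re.fullmatch(r"[a-z]:\\windows", dirname) and filename not in WINDIR_ALLOW:
        reasons.append("windir_root_exe") # dropped straight into C:\windows
    if re.search(r"[A-Za-z]\d|\d[A-Za-z]", name):
        reasons.append("digits_in_name")  # t3S, 7N9Q, JNaC9XGha: generated, not chosen
    decoded = name.lower().translate(LEET)
    if decoded != name.lower() and any(w in decoded for w in SECURITY_WORDS):
        reasons.append("impersonates:" + decoded)
    if re.fullmatch(r"elit\w*32\.exe", filename):
        reasons.append("elitebar_family") # the elit*32.exe pattern from the fix list
    return reasons


def triage_log(text: str) -> List[Dict[str, object]]:
    """Return every parsed O4 entry that trips at least one rule."""
    flagged: List[Dict[str, object]] = []
    for line in text.splitlines():
        entry = parse_o4(line)
        if entry:
            reasons = triage(entry)
            if reasons:
                flagged.append({**entry, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_O4_LINES):
        print(f"{hit['hive']}\\{hit['key']} [{hit['name']}] {hit['path']}")
        print("    " + ", ".join(hit["reasons"]))
```

Run against the sample, this flags nine of the thirteen entries and leaves SupaDial, ccApp, MSMSGS and ctfmon.exe alone, which matches the fix list in the reply above except that the rules also catch the "antiware" entry by its elit*32.exe file name. Treat the output as a shortlist, not a verdict: the file itself (hash, signature, scanner result) decides. One detail the rules do not judge: HKLM\..\RunServices is a Windows 9x/Me key that NT-based systems such as XP do not process, so the third copy of the Sygate-lookalike value is a leftover of a dropper covering both platform families rather than an extra active start point on this machine.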
     

  3. 2005/03/05
    James Byrne (Thread Starter)
    Hi Lonny :)

    Found & deleted eliteehc32.exe and vc3h0st.exe. Others were not present.

    Found & deleted folders ...\EliteToolbar and ...\EliteSidebar. Folder EliteBar was not present.

    Was running the machine for a few minutes after the procedure completed and MS AntiSpyware warned of an attempt by Elite Toolbar to install itself in the browser!! Blocked it and ran AdAware. This found a number of reg keys (but no Run keys) pertaining to Elite. Removed them with the app. Searched the registry manually for elit* and found two keys pertaining to the toolbar. Deleted them.

    Thought about where this flaming thing could be starting from. Two things were run on boot: an "AudioDeck" app from VIA Technologies, apparently something to do with the soundcard and which puts an icon in the tray, and SupaDial, a connection wizard (not really required) from the ISP.
    Have disabled both in case the EliteBar was being somehow bundled with one of them and installing from it. Has now run for some hours with no EliteBar appearing and no ad popups! HijackThis shows no untoward items. I think I've won!!

    Very many thanks for your valued help.

    James :)
