EliteToolbar

Hello, as many others, I suffer from already known problems related to EliteToolbar: I can't get rid of the problem as it returns every time I start up my PC again. I've run the latest versions of Spybot (v.1.3.0.12) and Ad-aware Personal SE (v 6.2.0.206).

Here's the logfile from HijackThis:

Logfile of HijackThis v1.98.2
Scan saved at 12:35:33, on 7/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
C:\Centenn.ial\Audit\CAgent32.exe
C:\Centenn.ial\Audit\xferwan.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Retrospect\Remotsvc.exe
C:\Program Files\Retrospect\retroclient.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\TpChrSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
c:\_integra\bin\shstart.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spoolsvc.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\RunDll32.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\realplay.exe
C:\WINDOWS\System32\YPager.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\msgrsv32.exe
C:\Program Files\GlobeSoft\mnm 6\NTx\MNMControl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\WinZip\winzip32.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.belgacom.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.searchmiracle.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = rt-proxy.raftir.net:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.bert.local;*.raftir.be;*.raftir.net;*.ma.suedzucker.de;150.68.*;156.67.*;<local>
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,c:\_integra\bin\shstart.exe
O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.DLL
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN\atmsg.exe
O4 - HKLM\..\Run: [MNM] "C:\Program Files\GlobeSoft\mnm 6\NTx\\MultiNetMgr.exe" -SysTray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WindowsRegKey update] svchostc.exe
O4 - HKLM\..\Run: [AntiVirus Update] AntiVirus.exe
O4 - HKLM\..\Run: [System32 Spool ] winint.exe
O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\Run: [Realplayer One] realplay.exe
O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\System32\msgrsv32.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\dipset.exe
O4 - HKLM\..\Run: [Yahoo Update] Yahoo.exe
O4 - HKLM\..\Run: [Yahoo Messenger] YPager.EXE
O4 - HKLM\..\Run: [System Stats] SystemStat.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvrse32.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] svchostc.exe
O4 - HKLM\..\RunServices: [AntiVirus Update] AntiVirus.exe
O4 - HKLM\..\RunServices: [System32 Spool ] winint.exe
O4 - HKLM\..\RunServices: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\RunServices: [Realplayer One] realplay.exe
O4 - HKLM\..\RunServices: [Yahoo Update] Yahoo.exe
O4 - HKLM\..\RunServices: [Yahoo Messenger] YPager.EXE
O4 - HKLM\..\RunServices: [System Stats] SystemStat.exe
O4 - HKLM\..\RunOnce: [Win32 System Spool] spoolsvc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WindowsRegKey update] svchostc.exe
O4 - HKCU\..\Run: [AntiVirus Update] AntiVirus.exe
O4 - HKCU\..\Run: [System32 Spool ] winint.exe
O4 - HKCU\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo Update] Yahoo.exe
O4 - HKCU\..\Run: [System Stats] SystemStat.exe
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
O4 - HKCU\..\RunOnce: [Win32 System Spool] spoolsvc.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {E292EFB0-EE32-11D1-8C74-0000C0B0E2E9} (RptViewerAX Class) - http://ndiv/wi/ActiveX/RptViewerEN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E86B83FF-7676-4916-9966-7CF83EC344B5}: Domain = raftir.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = raftir.net,raftir.be
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = raftir.net,raftir.be

Thanks to anybody who can help me.

mwsops

Comments

  • SpywareShooter
    edited December 2004
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.searchmiracle.com/
    O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
    O4 - HKLM\..\Run: [AntiVirus Update] AntiVirus.exe
    O4 - HKLM\..\Run: [System32 Spool ] winint.exe
    O4 - HKLM\..\Run: [Realplayer One] realplay.exe
    O4 - HKLM\..\Run: [Messenger] C:\WINDOWS\System32\msgrsv32.exe
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\dipset.exe
    O4 - HKLM\..\Run: [Yahoo Update] Yahoo.exe
    O4 - HKLM\..\Run: [Yahoo Messenger] YPager.EXE
    O4 - HKLM\..\Run: [System Stats] SystemStat.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvrse32.exe
    O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
    O4 - HKLM\..\Run: [Windows TaskAd] C:\Program Files\Windows TaskAd\WinTaskAd.exe
    O4 - HKLM\..\RunServices: [WindowsRegKey update] svchostc.exe
    O4 - HKLM\..\RunServices: [AntiVirus Update] AntiVirus.exe
    O4 - HKLM\..\RunServices: [System32 Spool ] winint.exe
    O4 - HKLM\..\RunServices: [Realplayer One] realplay.exe
    O4 - HKLM\..\RunServices: [Yahoo Update] Yahoo.exe
    O4 - HKLM\..\RunServices: [Yahoo Messenger] YPager.EXE
    O4 - HKLM\..\RunServices: [System Stats] SystemStat.exe
    O4 - HKCU\..\Run: [WindowsRegKey update] svchostc.exe
    O4 - HKCU\..\Run: [AntiVirus Update] AntiVirus.exe
    O4 - HKCU\..\Run: [System32 Spool ] winint.exe
    O4 - HKCU\..\Run: [Yahoo Update] Yahoo.exe
    O4 - HKCU\..\Run: [System Stats] SystemStat.exe

    Fix those entries then find and delete the files listed above, reboot and post a new log.
  • edited December 2004
    Hello,

    Nice to have someone who wants to help me.
    I did what you asked me to do (see below). After rebooting I still have the same 43 critical objects detected by Ad-aware Personal SE, and Spybot gives me the same detection: Elitum.Elitbar. When double-clicking, the following settings are given: HKEY_USERS\S-1-5-21-2133670131-2085641244-188247508-1009\Software\LQ.

    Here is my new HijackThis logfile after clearing the critical objects with Ad-aware and clearing the Elite.Elitbar with Spybot.

    I look forward to the next step. Thanks

    Logfile of HijackThis v1.98.2
    Scan saved at 0:58:46, on 8/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
    C:\Centenn.ial\Audit\CAgent32.exe
    C:\Centenn.ial\Audit\xferwan.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\Program Files\Retrospect\Remotsvc.exe
    C:\Program Files\Retrospect\retroclient.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\TpChrSrv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    c:\_integra\bin\shstart.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spoolsvc.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\tp4serv.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\WINDOWS\System32\RunDll32.exe
    C:\WINDOWS\System32\atiptaxx.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
    C:\Program Files\GlobeSoft\mnm 6\NTx\MNMControl.exe
    C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.belgacom.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = rt-proxy.raftir.net:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.bert.local;*.raftir.be;*.raftir.net;*.ma.suedzucker.de;150.68.*;156.67.*;<local>
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,c:\_integra\bin\shstart.exe
    O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.DLL
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN\atmsg.exe
    O4 - HKLM\..\Run: [MNM] "C:\Program Files\GlobeSoft\mnm 6\NTx\\MultiNetMgr.exe" -SysTray
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [WindowsRegKey update] svchostc.exe
    O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvrse32.exe
    O4 - HKLM\..\RunServices: [Win32 System Spool] spoolsvc.exe
    O4 - HKLM\..\RunOnce: [Win32 System Spool] spoolsvc.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Win32 System Spool] spoolsvc.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
    O4 - HKCU\..\RunOnce: [Win32 System Spool] spoolsvc.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {E292EFB0-EE32-11D1-8C74-0000C0B0E2E9} (RptViewerAX Class) - http://ndiv/wi/ActiveX/RptViewerEN.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E86B83FF-7676-4916-9966-7CF83EC344B5}: Domain = raftir.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = raftir.net,raftir.be
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = raftir.net,raftir.be

  • SpywareShooter
    edited December 2004
    Those last instructions weren't supposed to fix the problem, just help get some malware off your computer.

    O4 - HKLM\..\Run: [WindowsRegKey update] svchostc.exe
    O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvrse32.exe
    O4 - HKLM\..\RunServices: [Win32 System Spool] spoolsvc.exe
    O4 - HKLM\..\RunOnce: [Win32 System Spool] spoolsvc.exe
    O4 - HKCU\..\RunOnce: [Win32 System Spool] spoolsvc.exe

    Fix those entries then find and delete the following files:
    svchostc.exe
    C:\windows\system32\kalvrse32.exe

    Then reboot and post a new log.
  • edited December 2004
    Hello again,

    I fixed the files you've indicated. After that, I could not find the 2 files svchostc.exe and C:\windows\system32\kalvrse32.exe with the search function, nor by taking a look into the system files. Is that possible?

    In your first answer, you asked me to delete the entry O4 - HKLM\..\RunServices: [AntiVirus Update] AntiVirus.exe. Could that have affected my virus protection program (= Northern Antivirus 2005)?

    Here is my HJT log file after rebooting and elimination of the critical objects detected by Ad-Aware Personal and Spybot. Spybot typically continues to detect Elitum.EliteBar.

    I look forward to the next step. Thanks

    Logfile of HijackThis v1.98.2
    Scan saved at 10:58:42, on 8/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\ibmpmsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\Program Files\Miramar\PC MACLAN\ATMsg.exe
    C:\Centenn.ial\Audit\CAgent32.exe
    C:\Centenn.ial\Audit\xferwan.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\System32\QCONSVC.EXE
    C:\Program Files\Retrospect\Remotsvc.exe
    C:\Program Files\Retrospect\retroclient.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\TpChrSrv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    c:\_integra\bin\shstart.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\WINDOWS\System32\tp4serv.exe
    C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    C:\WINDOWS\System32\RunDll32.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
    C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
    C:\WINDOWS\System32\atiptaxx.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\GlobeSoft\mnm 6\NTx\MNMControl.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Palm\HOTSYNC.EXE
    C:\WINDOWS\System32\spoolsvc.exe
    C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABSVC.EXE
    C:\hijackthis\HijackThis.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.belgacom.net/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = rt-proxy.raftir.net:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.bert.local;*.raftir.be;*.raftir.net;*.ma.suedzucker.de;150.68.*;156.67.*;<local>
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: UserInit=c:\windows\system32\userinit.exe,c:\_integra\bin\shstart.exe
    O2 - BHO: SuperAdBlockerBHO Class - {00000000-6C30-11D8-9363-000AE6309654} - C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABBHO.DLL
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
    O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
    O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
    O4 - HKLM\..\Run: [Miramar Systems, Inc.] C:\Program Files\Miramar\PC MACLAN\atmsg.exe
    O4 - HKLM\..\Run: [MNM] "C:\Program Files\GlobeSoft\mnm 6\NTx\\MultiNetMgr.exe" -SysTray
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvrse32.exe
    O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe
    O4 - HKLM\..\RunServices: [Win32 System Spool] spoolsvc.exe
    O4 - HKLM\..\RunOnce: [Win32 System Spool] spoolsvc.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [Win32 System Spool] spoolsvc.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SAdBlock.exe
    O4 - HKCU\..\RunOnce: [Win32 System Spool] spoolsvc.exe
    O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O16 - DPF: {E292EFB0-EE32-11D1-8C74-0000C0B0E2E9} (RptViewerAX Class) - http://ndiv/wi/ActiveX/RptViewerEN.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E86B83FF-7676-4916-9966-7CF83EC344B5}: Domain = raftir.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = raftir.net,raftir.be
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = raftir.net,raftir.be

  • edited December 2004
    Hello,

    I send some hours ago the results of the actions you suggested (see HJTlog earlier post).

    In addition, I rebooted my PC in safe mode and ran Adaware and Spybot again in the safe mode.
    - Adaware doesn't identify any critical object anymore;
    - Spybot still identifies Elitum.Elitbar problem.

    But maybe more interesting is that when I searched my computer with the string "kalv", I found a lot of results, whereas I cannot find them in the normal boot mode.
    Here is the result of my search after the safe mode reboot (please note that I used the / in place of the usable one because I send you this mail from an older computer):

    C:/WINDOWS/Prefetch
    KALVAER32.EXE-1D514030.pf
    KALVFJX32.EXE-1FFAD18A.pf
    KALVGRP32.EXE-12DC9EC1.pf
    KALVGSG32.EXE-2FE45298.pf
    KALVJTG32.EXE-2F721055.pf
    KALVRGZ32.EXE-287EFCCF.pf
    KALVRSE32.EXE-180977D9.pf
    KALVSDK32.EXE-2C1E5760.pf
    KALVUKN32.EXE-07194AFF.pf

    C:/WINDOWS/system32
    kalvaer32.exe
    kalvfjx32.exe
    kalvgrp32.exe
    kalvgsg32.exe
    kalvjtg32.exe
    kalvmoj32.exe
    kalvnea32.exe
    kalvrgz32.exe
    kalvrse32.exe
    kalvsdk32.exe
    kalvukn32.exe

    As you can see, the files in the system32 directory are the same as those in the Prefetch directory. However, in the system32 directory there are 2 additional files: kalvmoj.exe and kalvnea32.exe.

    Have these files anything to do with my problem? It seems they have, looking at other postings about the EliteToolbar problem. Can I delete these files? I appreciate your expert advice.

    Thanks

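As an added example (not code from this thread or from HijackThis), here are the two triage steps the helper and the poster performed by hand: flagging O4 autorun entries that imitate a Windows binary or are registered under several Run keys (the spoolsvc/svchostc/winint entries the helper listed), and matching the Prefetch .pf names found in safe mode against the system32 listing. The sample lines are constructed from entries quoted in the thread, and the SYSTEM_NAMES lookalike list is an assumption.

```python
# Added example for this thread (not HijackThis code): two triage steps the
# helper and the poster do by hand. Sample inputs are constructed from the log.
import re

# Constructed O4 lines (HijackThis v1.98 format), a subset of the posted log.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [WindowsRegKey update] svchostc.exe
O4 - HKLM\..\Run: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\Run: [System32 Spool ] winint.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvrse32.exe
O4 - HKLM\..\RunServices: [Win32 System Spool] spoolsvc.exe
O4 - HKLM\..\RunOnce: [Win32 System Spool] spoolsvc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
"""
# Constructed Prefetch and system32 listings, as reported from safe mode.
SAMPLE_PREFETCH = ["KALVAER32.EXE-1D514030.pf", "KALVRSE32.EXE-180977D9.pf"]
SAMPLE_SYSTEM32 = ["kalvaer32.exe", "kalvrse32.exe", "kalvmoj32.exe", "kalvnea32.exe"]
# Assumed short list of Windows binaries that the log's bad entries imitate.
SYSTEM_NAMES = {"svchost.exe", "spoolsv.exe", "wininit.exe", "winlogon.exe", "lsass.exe"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.*)$")
PF_RE = re.compile(r"^(.+)-[0-9A-Fa-f]{8}\.pf$")


def image_name(cmd):
    """Lower-case file name of the executable named by an O4 command string."""
    cmd = cmd.strip()
    exe = cmd[1:cmd.index('"', 1)] if cmd.startswith('"') else cmd.split()[0]
    return exe.rsplit("\\", 1)[-1].lower()


def within_one_edit(a, b):
    """True if a and b differ by at most one inserted, deleted or changed char."""
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        i += len(a) >= len(b)   # skip the extra/changed char in a
        j += len(a) <= len(b)   # skip the extra/changed char in b
    return edits + (len(a) - i) + (len(b) - j) <= 1


def triage_o4(log_text):
    """Map image name -> {"keys": set of hive\\key, "lookalike_of": name|None}."""
    seen = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        hive, key, _label, cmd = m.groups()
        name = image_name(cmd)
        entry = seen.setdefault(name, {"keys": set(), "lookalike_of": None})
        entry["keys"].add(hive + "\\" + key)
        if name not in SYSTEM_NAMES:
            entry["lookalike_of"] = next(
                (s for s in sorted(SYSTEM_NAMES) if within_one_edit(name, s)), None)
    return seen


def suspicious_o4(log_text):
    """Images registered under several autorun keys or imitating a system binary."""
    out = {}
    for name, e in triage_o4(log_text).items():
        reasons = []
        if len(e["keys"]) > 1:
            reasons.append("in %d autorun keys" % len(e["keys"]))
        if e["lookalike_of"]:
            reasons.append("looks like " + e["lookalike_of"])
        if reasons:
            out[name] = reasons
    return out


def correlate_prefetch(pf_names, dir_names):
    """Split a directory listing into files with a Prefetch trace (they ran at
    some point) and files present but without one."""
    ran = {m.group(1).lower() for m in map(PF_RE.match, pf_names) if m}
    present = {n.lower() for n in dir_names}
    return sorted(present & ran), sorted(present - ran)
```

Note that kalvrse32.exe passes both O4 heuristics, just as it survived the first two rounds in the thread; only the Prefetch correlation ties the kalv* family together and separates the two files (kalvmoj32, kalvnea32) that have no Prefetch trace.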
  • SpywareShooter
    edited December 2004
    Delete all of those files.
  • edited December 2004
    Hello Spywareshooter....

    YES!...YES!...YES!

    I deleted all those files in C:\WINDOWS\system32 and C:\WINDOWS\Prefetch. And I got rid of my 'EliteToolbar Syndrome'.
    I only have to check if I'm not hit again when I connect to the internet next time. I'll keep you informed.

    Thanks for your help. As I'm not a PC expert, you can imagine how much I've appreciated your expert advice.

    I hope that other subscribers of the short-media forum, who have access to the information of this case, can learn something from our case.