Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Searchmiracle, Elitesearch, Hijack this log post


  • This topic is locked This topic is locked

#1
digstyle2000

digstyle2000

    New Member

  • Member
  • Pip
  • 3 posts
[FONT=Arial] I know there are many people experiencing similar problems. I am a IT Tech and assure anyone that can help that I read the "Before you post..." rules and have done averything listed and possibly more to get rid of this problem. One office machine (XP Home SP1) is getting swamped by popups and something is highlighting parts of regular words on friendly websites...example, on SARC.com, wherever the word analysis shows up, anal is highlighted and when I hover over it I see a searchmiracle websearch in the status bar. I ran Hijack this and fixed what I saw that included searchmiracle or elitebar but I am still getting popups evry 2 minutes and the profane highlightings are still there. I also suspect that this PC is somehow related to our network going down every 2 weeks. No viruses were found on the norton scan or the trend-micro scan.Below is my Hijack this post. Any help will be very appreciated! I thank you all in advance for having such a great support site! I my only regret is that I haven't joined earlier.

Logfile of HijackThis v1.99.1
Scan saved at 2:37:05 PM, on 3/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton\SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton\SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\Norton\SYSTEM~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\julianne.miller.TRINET\Desktop\Hijack This\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitednv32.exe
O4 - HKLM\..\RunOnce: [AAW] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = trinet-associates.com
O17 - HKLM\Software\..\Telephony: DomainName = trinet-associates.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{763457E8-F837-463F-8A1F-E3A0B41661E2}: NameServer = 192.168.1.10,192.168.1.20,192.168.1.30,192.168.1.40
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = trinet-associates.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton\SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton\SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\Norton\SYSTEM~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

Advertisements


#2
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi there,

* Open notepad and copy and paste next content in the white field in it:
(Do not copy and paste the word code that is on top in it!!)

@echo off

%systemdrive%
cd %WinDir%\system32
attrib -r -s -h elite*32.exe
del /q elite*32.exe

echo Merging registry.... 
echo REGEDIT4>c:\clear.reg
echo.>>c:\clear.reg
echo [-HKEY_CURRENT_USER\Software\LQ]>>c:\clear.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\ohbbackup]>>c:\clear.reg
echo [-HKEY_LOCAL_MACHINE\SOFTWARE\Elitum]>>c:\clear.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]>>c:\clear.reg
echo "antiware"=->>c:\clear.reg
regedit /s c:\clear.reg
del c:\clear.reg

Save this as elitefix.bat , choose save as *all files and save it on your desktop.
Don't use it yet!

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitednv32.exe
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab


* Click on Fix Checked when finished and exit HijackThis.

* Reboot into Safe Mode`:
°To get into Safe mode as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Search for the following folder and file and delete them if still present:

C:\WINDOWS\system32\eliteerror32.dat
C:\windows\EliteToolbar or EliteSidebar

* Now doubleclick on elitefix.bat that you made before.
A doswindow will open and close again. This is normal.

* Reboot back to normal mode and post a new hijackthislog.

Edited by miekiemoes, 11 March 2005 - 10:24 AM.

  • 0

#3
digstyle2000

digstyle2000

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
1. I created the batch file on my computer and moved it to a network share so that I could pull it onto the problem computer. Problem is that computer couldn’t see the file. I had to completely rename it (Newname.bat), to get that computer to see it in Windows Explorer so I could pull it on locally.

2. I did the next step just fine – checking the 3 items and hitting “Fix Checked”.

3. I went to reboot into Safe Mode, but no-ah-ah. Computer locks up if I’m hitting the F8-key before the first Windows XP splash comes up (the one with the black background). If I wait until this appears, it boots up normally.

4. So, I went ahead and proceeded with a normal boot just to see if I would be able to follow the rest of the steps. Not.

5. No file, C:\Windows\System32\eliteerror.dat and no folder C:\Windows\Elitetoolbar or EliteSidebar.

6. I did run the batch file, but as you can see from the attached log file, no difference.

I definitely think this is at least a problem, whether it is THE problem or not remains to be seen. But it looks like it is hooked into Windows and blocking the display of anything with the word “elite” in it. In fact…

Hmmm…

I just tried to create a notepad doc and Notepad locked when I went to “Save As”. Twice.

So, I created a dummy text file on my computer and saved it to another network share with the name “elitenotes.txt”. The problem computer won’t see it. Then I renamed one of the files that was showing up on the list to start with “elite” and as soon as Windows Explorer refreshed the view, it disappeared.

Obviously you guys are on to something. Now, what to do about it since I can’t boot into Safe Mode????

Here is the new hijack This Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:00:09 PM, on 3/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton\SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton\SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\Norton\SYSTEM~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\julianne.miller.TRINET\Desktop\Hijack This\HijackThis.exe

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitednv32.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = trinet-associates.com
O17 - HKLM\Software\..\Telephony: DomainName = trinet-associates.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{763457E8-F837-463F-8A1F-E3A0B41661E2}: NameServer = 192.168.1.10,192.168.1.20,192.168.1.30,192.168.1.40
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = trinet-associates.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton\SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton\SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\Norton\SYSTEM~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#4
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
digstyle,

I created the batch file on my computer and moved it to a network share so that I could pull it onto the problem computer


Why not creating the batchfile on the problemcomputer itself? Why making it all so difficult. You really have to follow these steps on the problem computer, not through remote desktop or whatever.

Hmm.. so you can't boot into safe mode.. You must be doing something wrong in here.
Read here again: http://www.computerh...s/chsafe.htm#02
If that doesn't work, go to start > run > type: msconfig
Choose the tab: bootini and check: /safeboot
So, next time your system must boot in safe mode. Don't forget to uncheck that afterwards to get into normal mode again.


C:\WINDOWS\EliteToolBar is really present.. and C:\Windows\System32\eliteerror32.dat must be present too.. but the problem in here is, this is not always viewable in normal mode, that's why it is important you have to get into safe mode.

Also make sure your hidden files and folder are visible:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
  • 0

#5
digstyle2000

digstyle2000

    New Member

  • Topic Starter
  • Member
  • Pip
  • 3 posts
I went into the bott.ini and checked safeboot. I was able to get at many files I couldn't see in normal mode and deleted every one of them and everythin is working GREAT! No more pop-ups, no more elitesearch...no more swearing at the PC! Thanks a lot for all of your useful help!
  • 0

#6
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hello..
Good news... but, can you post a new hijackthislog so I can check everything is gone now?
  • 0

#7
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Due to inactivity, this thread will now be closed.
If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request. If you should have a new issue, please start a new topic.
This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP