Suspected SearchMiracle problem

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by artesia7, Jan 4, 2005.

  1. artesia7

    artesia7 Private E-2

    Pop-up ads appear, even without being on the internet. I suspect SearchMiracle because it took over my home page. I corrected that, but their search bar still appears. I've done all the steps in READ ME FIRST and created a HijackThis log. Any suggestions on what I should do next?
    Thanks.
     
    Last edited by a moderator: Jan 11, 2005
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm going to give you your own thread. You should not post in a thread belonging to someone else unless you are trying to help with their problem.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (do not post the log inline). All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
    Last edited: Jan 11, 2005
  3. artesia7

    artesia7 Private E-2

    Thanks, Dr. C.
    I feel stupid asking this (feeling like it should be self-apparent) but what is the name of the thread you're giving me?
     
    Last edited by a moderator: Jan 11, 2005
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that! I forgot to split you off to your own thread, and it is called:

    Suspected SearchMiracle problem.
     
    Last edited: Jan 11, 2005
  5. artesia7

    artesia7 Private E-2

    Attached is the latest HJT log.
    Thanks.
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It's up to you but I think you should uninstall WinPoet using Add/Remove Programs! See this for info about it: http://www.pestpatrol.com/pestinfo/t/tv_media_display.asp

    C:\Program Files\WinPoET Broadband Connection\WrOS.EXE
    O23 - Service: WinPPPoverEthernet - iVasion, a Routerware Company - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE

    Also see this: http://support.earthlink.net/mu/1/psc/img/walkthroughs/broadband/DSL/win/2281.psc.html

    What is this used for anyway?

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\Program Files\DeskAd Service\DeskAdServ.exe
    C:\Program Files\DeskAd Service\DeskAdKeep.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\EliteToolBar version 59.dll
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\EliteToolBar version 59.dll
    O4 - HKLM\..\Run: [mLNN] C:\documents and settings\claudette o'toole\local settings\temp\mLNN.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvcup32.exe
    O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
    O4 - HKCU\..\Run: [msmc] C:\WINDOWS\System32\mscif.exe
    O4 - HKCU\..\Run: [DealHelperDown] "C:\Documents and Settings\Thomas O'Toole\Local Settings\Temp\msB.tmp"
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O15 - Trusted Zone: http://*.windowsupdate.com


    Fix any of these you don't recognize or don't need, you can always download them again:
    O16 - DPF: {12589FA1-C456-11CE-BF01-10AA1055595A} - http://www.wsel.net/imcupdatefiles/whistlesilent610.cab
    O16 - DPF: {68E53982-CCCE-48C2-89B9-C3C97638F9B4} (CActSetupObj Object) - http://www.odysseusmarketing.com/actsetup.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\DeskAd Service <--- the whole folder
    C:\EliteToolBar version 59.dll
    C:\documents and settings\claudette o'toole\local settings\temp\mLNN.exe
    C:\Documents and Settings\Thomas O'Toole\Local Settings\Temp\msB.tmp
    C:\windows\system32\kalvcup32.exe
    C:\WINDOWS\System32\mscif.exe

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
     
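    As an added example (not code from this thread or from chaslang), the script below parses a few constructed lines in the HijackThis log-line format used above and flags the same kinds of entries that were singled out for fixing: autostarts that run from a Temp folder, entries whose file is reported missing, and a registry-set start page. The regular expressions and the Entry structure are this example's own assumptions, not part of HijackThis.

    ```python
    import re
    from dataclasses import dataclass
    from typing import List, Optional

    # Constructed sample: a handful of entries in HijackThis log-line format,
    # using the shapes (and paths) quoted earlier in this thread.
    SAMPLE_LOG = r"""
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\EliteToolBar version 59.dll
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvcup32.exe
    O4 - HKCU\..\Run: [DealHelperDown] "C:\Documents and Settings\Thomas O'Toole\Local Settings\Temp\msB.tmp"
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O23 - Service: WinPPPoverEthernet - Unknown - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE (file missing)
    """

    # Assumed structure: "<section code> - <rest of entry>"; section codes are R0-R3, F0-F3, N1-N4, O1-O24.
    ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<rest>.*)$")
    # First drive-letter path on the line, ending at a common binary/temp extension.
    PATH_RE = re.compile(r"(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|tmp|cab|sys))(?=[\"\s]|$)", re.IGNORECASE)

    @dataclass
    class Entry:
        kind: str            # HJT section code, e.g. O4, O23
        line: str            # the original log line
        path: Optional[str]  # first file path found on the line, if any
        missing: bool        # HJT appended "(file missing)"

    def parse_hjt(text: str) -> List[Entry]:
        entries = []
        for raw in text.splitlines():
            m = ENTRY_RE.match(raw.strip())
            if not m:
                continue  # blank lines and headers are not entries
            rest = m.group("rest")
            p = PATH_RE.search(rest)
            entries.append(Entry(m.group("kind"), raw.strip(),
                                 p.group("path") if p else None,
                                 "(file missing)" in rest))
        return entries

    def flag_entries(entries: List[Entry]) -> List[tuple]:
        """Return (kind, target, reason) for entries worth a second look."""
        flags = []
        for e in entries:
            if e.path and re.search(r"\\temp\\", e.path, re.IGNORECASE):
                flags.append((e.kind, e.path, "runs from a Temp folder"))
            if e.missing:
                flags.append((e.kind, e.path, "references a file that no longer exists"))
            if e.kind == "R0" and "Start Page" in e.line:
                flags.append((e.kind, e.line.split("= ", 1)[-1], "start page set via registry; confirm it is yours"))
        return flags
    ```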
  7. artesia7

    artesia7 Private E-2

    I'm not sure what WinPoet is, either. I think my granddaughter downloaded it because she had an interest in poetry.
    I was not able to kill the two DeskAdServ processes; they kept coming back on the HJT listing.
    I also could not find some of the files recommended for deletion; e.g., C:\EliteToolBar version 59.dll. However, I noticed sub-folders in the Windows folder that were entitled EliteSideBar and EliteToolBar, the latter having the version 5x DLLs. Should I remove those folders?
    I also noticed that even though I deleted kalvcup32.exe, it shows up in the HJT log.
    The annoying SearchMiracle search bar with the "Adult Sites" label is gone and we have not endured any of the annoying pop-up ads, even though we've spent about 30 minutes looking at available homes in the Jacksonville (FL) area.
    Thanks a lot; you've made our life so much less aggravating.
    Attached is the latest HJT log.
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    As far as I know WinPoet has nothing to do with poetry. I wonder if it has something to do with your ISP though. It does say broadband. Do you have a broadband connection? But the file is gone now anyway, so I would suspect it was bad.

    Yes, delete those EliteSideBar and EliteToolBar folders.

    We still have some work to do here.

    It is imperative that you always remember to exit all browsers before using HJT, especially when trying to fix things with HJT. You had this running:

    C:\Program Files\Internet Explorer\iexplore.exe
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download Pocket KillBox but do not run it yet. Now print or save these instructions locally, because you must exit ALL browsers now and stay disconnected until I have you reboot.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvcup32.exe
    O23 - Service: WinPPPoverEthernet - Unknown - C:\Program Files\WinPoET Broadband Connection\WrOS.EXE (file missing)

    After clicking Fix, exit HJT.

    Run Pocket Killbox. Select the following options: Delete on Reboot and End Explorer Shell While Killing File.

    Now, copy and paste C:\Program Files\DeskAd Service\DeskAdServ.exe into the box. Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click No.


    Now, copy and paste C:\windows\system32\kalvcup32.exe into the box. Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click Yes and allow your machine to reboot, but boot into safe mode.

    Run Windows Explorer and look for the following and delete if found (tell me what you find):
    C:\Program Files\DeskAd Service <--- the whole folder
    C:\windows\system32\kalvcup32.exe


    Now reboot in normal mode and get a new HJT log. And then reconnect back here and post your new HJT log.
     