Last bit of Elitum.EliteBar won't leave

Discussion in 'Malware Help (A Specialist Will Reply)' started by usagibrian, Jan 6, 2005.

  1. usagibrian

    usagibrian Private E-2

    I've done all the steps listed in the DO NOT POST... thread (several times). Finally found the commando.exe Trojan with the trojan scan link there and seem to have gotten everything off with one exception.

    Everything (Trend, Symantec, Avert, Adaware, Rav and TrojanScan) is coming up clean except the final scan with Spybot. It finds 2 files it identifies as Elitum.EliteBar. When I try to fix the files, it responds that it can't remove the files, probably because the associated files could be in use. I've run Spybot again on start up with the same result.

    I've used the EliteToolBar Removal tool in Safe Mode to no effect, and there's no sign of the kele*.* files in the Windows/system32 directory when I look at it in the command line window.

    I've updated XP to SP2, got Symantec installed, and adjusted my browser security settings (boy, do I feel like an idiot for getting slammed this bad). What do I need to do to get those last two files out and start enjoying my new laptop? Thanks, Brian (and thanks very much for the detailed, clear instructions and resources in thread 35407)
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Brian,

    It is typically a bad idea to upgrade to Win XP SP2 while a PC has problems!

    That being said, if you have completed all the steps of the READ ME and are still having a problem, follow the below guidelines and post a HijackThis (HJT) log.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message. All running programs should be closed, including your web browser and e-mail client. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\
     
  3. usagibrian

    usagibrian Private E-2

    Here you go.

    I didn't realize things were as messed up as they were when I did it (I didn't have problems till I plugged into the network at work to do the update. I use dial-up at home). It's a new machine, so if I have to clear it, I will, but I think everything's gone but those last little remnants (finding the trojan explained a lot of what was happening). Thanks much. Brian
     

    Attached Files:

  4. usagibrian

    usagibrian Private E-2

    Sorry, realized I didn't close Windows Explorer before I ran HJT. Here's a log file with NOTHING else running. Thanks, Brian
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is that a safe mode log? If so, I need a normal boot mode log!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just in case I catch you before reposting, try this


    Make sure you have system restore disabled and viewing of hidden files enabled.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    O4 - HKCU\..\Run: [Windows Media Player] msa.exe
    O15 - Trusted Zone: http://*.windowsupdate.com
    O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe (file missing)


    After clicking Fix, exit HJT.

    Boot into safe mode and use Windows Explorer to delete:
    c:\windows\system32\msa.exe


    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
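    The fix above targets four kinds of HijackThis entry: R0 (IE start/search pages), O4 (Run keys), O15 (sites placed in the Trusted zone) and O23 (a service whose binary is missing). The script below is an added example, not code from this thread or from HijackThis: a read-only audit of those same registry locations that reports the Run values whose binary cannot be found (like the bare "msa.exe" above), the domains mapped into the Trusted zone, and Win32 services whose ImagePath points at a file that no longer exists. It assumes Windows PowerShell 2.0 or later; reading HKLM fully needs an elevated session. The function names (Resolve-CommandPath, Get-HijackAudit, New-Finding) are the example's own.

```powershell
# Added example, not code from the thread or from HijackThis. Read-only audit
# of R0/O4/O15/O23-style locations; it reports and never changes anything.
# Assumes Windows PowerShell 2.0+; run elevated to read all of HKLM.

function Resolve-CommandPath {
    param([string]$Command)
    # Mimic CreateProcess: honour a quoted path, otherwise try ever-longer
    # space-separated prefixes, each with and without ".exe".
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    $cmd = $cmd -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($cmd -match '^"([^"]+)"') { $candidates = @($Matches[1]) }
    else {
        $tokens = $cmd -split ' '
        $candidates = 1..$tokens.Count | ForEach-Object { $tokens[0..($_ - 1)] -join ' ' }
    }
    foreach ($c in $candidates) {
        $paths = @($c, "$c.exe")
        # Service ImagePaths are often relative to %SystemRoot% (system32\x.exe)
        if ($c -match '\\' -and -not [IO.Path]::IsPathRooted($c)) {
            $paths += (Join-Path $env:SystemRoot $c), (Join-Path $env:SystemRoot "$c.exe")
        }
        foreach ($p in $paths) {
            if (Test-Path -LiteralPath $p -PathType Leaf) { return $p }
        }
    }
    # A bare name such as "msa.exe" only runs if the PATH search finds it.
    $hit = Get-Command $candidates[0] -ErrorAction SilentlyContinue
    if ($hit -and $hit.Path) { return $hit.Path }
    return $null
}

function New-Finding($Check, $Where, $Value, $Flag) {
    New-Object PSObject -Property @{ Check = $Check; Where = $Where; Value = $Value; Flag = $Flag }
}

function Get-HijackAudit {
    $out = @()
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    # R0: IE start and search pages in both hives
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Internet Explorer\Main"
        if (-not (Test-Path $key)) { continue }
        $main = Get-ItemProperty -Path $key
        foreach ($name in 'Start Page', 'Search Page', 'Default_Page_URL') {
            if ($main.$name) { $out += New-Finding 'R0' "$hive\$name" ($main.$name) '' }
        }
    }

    # O4: Run keys; flag values whose binary is missing or carries no path
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            $flag = ''
            if (-not (Resolve-CommandPath "$($p.Value)")) { $flag = 'MISSING' }
            elseif ("$($p.Value)" -notmatch '\\') { $flag = 'NO-PATH' }
            $out += New-Finding 'O4' "$hive\$($p.Name)" $p.Value $flag
        }
    }

    # O15: domains mapped into the Trusted zone (zone id 2) for any scheme
    $zm = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if (Test-Path $zm) {
        foreach ($k in (Get-ChildItem -Path $zm -Recurse)) {
            foreach ($p in (Get-ItemProperty -Path $k.PSPath).PSObject.Properties) {
                if ($meta -contains $p.Name) { continue }
                $domain = $k.Name -replace '^.*\\Domains\\', ''
                $flag = ''
                if ($p.Value -eq 2) { $flag = 'TRUSTED' }
                $out += New-Finding 'O15' "$domain ($($p.Name))" $p.Value $flag
            }
        }
    }

    # O23: Win32 services (Type bits 0x10/0x20) whose binary cannot be found,
    # the "(file missing)" case HijackThis prints
    foreach ($s in (Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services')) {
        $svc = Get-ItemProperty -Path $s.PSPath -ErrorAction SilentlyContinue
        if (-not $svc.ImagePath -or (($svc.Type -band 0x30) -eq 0)) { continue }
        if (-not (Resolve-CommandPath "$($svc.ImagePath)")) {
            $out += New-Finding 'O23' $s.PSChildName $svc.ImagePath 'FILE MISSING'
        }
    }
    $out
}

# Show every start page plus anything flagged; drop the Where-Object to see all
Get-HijackAudit | Where-Object { $_.Check -eq 'R0' -or $_.Flag } | Format-Table Check, Where, Value, Flag -AutoSize
```

    A Run value flagged NO-PATH is the pattern to look at first: a legitimate installer writes a full path, while a hijacker that drops its binary somewhere on the PATH (System32, here) can get away with a bare name. Treat the list as a worksheet for an HJT-style review, not as something to auto-delete from.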
     
  7. usagibrian

    usagibrian Private E-2

    Done. Did the fixes and rebooted in Safe Mode.
    Wasn't there (double check about hidden files & looked again).
    Here you go.

    Spybot ran on start up and same thing. 2 files probably in memory that can't be removed.

    MSA.exe is still not in Windows\system32.

    When I was exiting safe mode, I got a "This program is running" with a progress bar while the system was shutting down. I clicked cancel (I assumed it was something replicating itself).

    I'm at least not getting slammed with pop ups (yet), which had been happening within minutes of starting regular mode. Thanks.
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to answer my questions and provide more details.

    Is your HJT log from safe mode? Many things appear to be missing that I would expect to see.

    What files is Spybot identifying? Spybot has a log you should be able to get.

    When you got the "This program is running" message, it did not say the name of the program?

    Update Spybot to the latest detections that just came out and rescan.
     
  9. usagibrian

    usagibrian Private E-2

    The first one was from safe. I've gone through everything again and this HJT log is from regular boot.

    Elitum.EliteBar (2), ISearchTech.ISTActiveX (2), ISearchTech.Powerscan(2), ISearchTech.Sidefind (1).

    The window is titled "End Program-Sample". There is no other name listed. It only appears when shutting down in Safe Mode.

    Done. Now when I attempt to fix the problems listed above in Safe Mode, the program quits after about one-third of the progress bar fills. The problems above reappear after restarting (Safe or normal).

    Thanks.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your log still does not look like a complete log from normal boot mode. Are you using HijackThis's filter capability (if so, disable all filters), or are you shutting lots of other running things down before scanning?

    Please do the following (after disabling filters if you are using them): reboot, do not shut anything down or run anything except HijackThis, and immediately get a new log to post back here.

     
  11. usagibrian

    usagibrian Private E-2

    That's what I've got.
    As you requested. Run in regular start up before launching anything else.
    Sorry. I think this is it (I saved it from the advanced options--if you need something else, I'll check again).

    Thanks.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If this is your full log then I would have to assume that somewhere along the line someone was either using HJT to fix entries in your registry or was doing it manually. There are things missing that should be there. For example the loading (in O4 lines) of your Norton AV program.

    You may need to uninstall, reboot and reinstall your Norton stuff. I would guess there may be other items missing.

    Please download, install, and run Microsoft® Windows AntiSpyware
    Just follow the prompts. Tell me if and what it finds. Don't fix anything with it. Just tell me if it finds anything.
     
  13. usagibrian

    usagibrian Private E-2

    I downloaded and ran TrojanHunter. It located and renamed the silent_install[1].exe file in the temp folder (I ran CCleaner, I swear). Haven't rerun Spybot or anything else since. Also haven't rebooted.

    I probably screwed it up in my first attempt to fix things (not with HJT but close enough). Hope my restore CD works...

    Spyware Scan Details
    Start Date: 1/7/2005 4:09:06 PM
    End Date: 1/7/2005 4:16:48 PM
    Total Time: 7 mins 42 secs

    Detected Threats

    ShopAtHome Spyware more information...
    Details: ShopAtHome installs itself in the Winsock layer of your computer and redirects visits to merchant sites in order to take the affiliate fees from them automatically without your knowledge.
    Status: Ignored
    Severe threat - Severe threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. There exists a high possibility of potential system damage or security flaw. Attacker has complete control over your computer or install new software on your machine.

    Infected files detected
    c:\windows\system32\sahhtml.exe
    c:\windows\downloaded program files\sahagent_.exe
    c:\windows\downloaded program files\sahhtml_.exe
    c:\windows\downloaded program files\sahuninstall_.exe
    c:\windows\system32\xmlparse.dll
    c:\windows\system32\xmltok.dll


    WindUpdates Browser Plug-in more information...
    Details: This is part of the wind updates ad network, infected machines will receive additional adware applications, and be subjected to popup ads, and other advertising.
    Status: Ignored
    Severe threat - Severe threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. There exists a high possibility of potential system damage or security flaw. Attacker has complete control over your computer or install new software on your machine.

    Infected folders detected
    c:\temp\fleok


    CoolWebSearch.StartPage Browser Hijacker more information...
    Details: CoolWebSearch StartPage hijacks Internet Explorers start page not allowing the user to change this URL.
    Status: Ignored
    Severe threat - Severe threats typically are remotely exploitable vulnerabilities, which can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. There exists a high possibility of potential system damage or security flaw. Attacker has complete control over your computer or install new software on your machine.

    Infected registry keys/values detected
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Search Bar_bak
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main Search Page_bak


    SearchSquire Adware more information...
    Details: SearchSquire is an Internet Explorer sidebar containing paid links that open when you use search engines.
    Status: Ignored
    Elevated threat - Elevated threats are usually threats that fall into the range of adware in which data about a user's habits are tracked and sent back to a server for analysis without your consent or knowledge.

    Infected registry keys/values detected
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\searchsquire.com * 4


    Detected Spyware Cookies
    No spyware cookies were found during this scan.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay run the Microsoft scan again and this time have it fix all but the SearchSquire Adware detection because that is a false positive. Tell it to always ignore that one.
    Let me know if it fixes all the other items.

    Copy and paste the information in the below quote box to notepad. Save it to your Desktop as type "all files" and name it fixvx2.reg

    Physically disconnect (unplug your cable - this is important) from the internet.
    Doubleclick the fixvx2.reg file you created and grant it permission (when asked) to merge in the registry entries.

    Then reboot.

    Now run Spybot again and let's see whether it is still finding Elitum.EliteBar. Is it gone?
     
    Last edited: Jan 8, 2005
  15. usagibrian

    usagibrian Private E-2

    You're a genius. It's gone. Finally. And I can really use a little good news right now.

    Thank you. Thank you very much.
     
  16. usagibrian

    usagibrian Private E-2

    Okay, may be one final problem. I've had two sudden crashes (blue screen & text up too short a time to read and reboot) while on line (dial up). The MS generated error report reads:
    Something else hanging around the scans missed or unrelated to the virus problem (probably a Mozilla/Windows/Site compatibility problem)?

    Thanks.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you saying that the message came from Microsoft AntiSpyware?

    Those files are in a temp folder and no files there should be required for your PC to operate.
    The typical thing that is suggested for this is to go to:
    C:\Documents and Settings\Administrator\Local Settings\Temp and delete all files and subfolders in that folder. That should include the below two that you mentioned.
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER9dbb.dir00\Mini010805-02.dmp
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER9dbb.dir00\sysdata.xml
     
  18. usagibrian

    usagibrian Private E-2

    No, when I restarted the "Report this Error to Microsoft" dialog box came up. This is from the details of that report.

    Those went with no problem, but there are two temp files that were created at the time of start up that won't delete because they're "in use". (~DF2253.tmp & ~DF7225.tmp).

    Experienced the same behavior again. I was in the middle of reading a page that was completely loaded in Firefox and the blue screen with white text appeared "Windows has discovered a problem with your system and must shut down to avoid damage." That's just what I could read before the system rebooted. It went on quite a bit further and did not look like a Windows system error message (other than the color scheme).

    Booted in Safe mode and ran everything again. Trend, AdAware, and Spybot say I'm clean. MS Antispyware beta continues to pick up the Search Squire, which I haven't done anything about.

    When I closed out of Safe mode, I get the "End Program-Sample". Letting it run to the end of the bar, Windows tells me the program is not responding and to check the status of the program click cancel (went ahead and did this). I've got 17 processes running. Same thing the next time I tried to shut down: clicked cancel on "End Program-Sample" and turned the machine off.

    After a regular boot, the .tmp files are back in the Temp folder. Two were created on start up and are "in use" so they can't be deleted. Nothing except Windows Explorer is running (Symantec and the MS spyware program loaded on start up). Something smells fishy (or else I'm hopelessly paranoid after the last week).

    Thanks.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First thing to do is uninstall Microsoft Antispyware. It is reporting false positives (the SearchSquire detection is false) and until they get some of this worked out I cannot recommend using it. Stick with the others we recommend in the READ ME.

    Don't worry about the other temp files. They are not problems.

    I see in a google search that other people have reported this:
    "End Program-Sample" problem at shut down. No useful answers were given and no one had a program named sample on their PC. I'm not sure what is going on here.
     
  20. usagibrian

    usagibrian Private E-2

    Nice to know you're not omniscient <g>.

    I've come across one other reference to the shut down as a possible memory problem, but that doesn't track either. Guess I'll just have to keep an eye on things till I can find a pattern.

    Thanks very much for all your help in getting Elitum and the rest off my machine.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If only I were! ;)

    You're welcome.

    But I have another idea. Download and use ProcessExplorer
    ProcessExplorer for Win NT/2K/XP

    End all non-windows processes that it shows before trying to exit windows.

    See what happens. It is better than TaskManager at showing processes.
     
  22. usagibrian

    usagibrian Private E-2

    Sure about that...

    It's a program called "logonui.exe". A brief google search calls it malware of the worst kind (or something similar). It appeared running under (below on the list) ZCfgSvc.exe (ZeroCfgSvc MFC Application from Intel Corporation) when I tried to shut down (in Safe Mode since it doesn't appear in normal mode). Going back up the tree in Process Explorer, this is under winlogon.exe, which is under smss.exe, which is under system.

    We are now officially in way over my head. Please point me to the simple directions on how to clear this thing out.
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    logonui.exe is a system process relating to the Microsoft Windows XP user switching screen. This program is important for the stable and secure running of your computer and should not be terminated.

    Thus it is not malware. Are you switching users or are you exiting Windows (shutting down)?
    Try booting to safe mode and then have it shut down windows from safe mode. What happens?
     
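    The two posts above (the Process Explorer suggestion and the explanation that logonui.exe is a Windows component) come down to one check: before killing a process because a web search calls it malware, confirm where its image lives, whether it is signed, who it runs as and what its parent chain is. The script below is an added example, not code from the thread or from Process Explorer, that does that for a named process. For a genuine logonui.exe the expected answers are %SystemRoot%\System32, a valid signature, NT AUTHORITY\SYSTEM and winlogon.exe as the parent (the chain the poster saw). It assumes Windows PowerShell 3.0 or later (Get-CimInstance) and an elevated session so that SYSTEM processes expose their path; the function name Get-ProcessLineage is the example's own.

```powershell
# Added example, not code from the thread or from Process Explorer: verify a
# process by image path, Authenticode status, owner and parent chain.
# Assumes Windows PowerShell 3.0+; run elevated to see SYSTEM processes' paths.

function Get-ProcessLineage {
    param([string]$Name = 'logonui.exe')
    $all = @(Get-CimInstance -ClassName Win32_Process)
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }
    $sys32 = Join-Path $env:SystemRoot 'System32'

    foreach ($proc in ($all | Where-Object { $_.Name -eq $Name })) {
        $path = $proc.ExecutablePath
        $inSys32 = $false
        $sig = 'NoPath'
        if ($path) {
            $inSys32 = $path.StartsWith($sys32, [StringComparison]::OrdinalIgnoreCase)
            # Caveat: on older Windows, catalog-signed system binaries can come
            # back NotSigned here even though they are genuine; cross-check with
            # Sysinternals sigcheck before drawing a conclusion.
            $s = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            if ($s) { $sig = $s.Status } else { $sig = 'Unreadable' }
        }

        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner -ErrorAction SilentlyContinue
        $user = 'n/a'
        if ($owner -and $owner.User) { $user = "$($owner.Domain)\$($owner.User)" }

        # Walk ParentProcessId upwards. The depth cap guards against PID reuse
        # and the Idle process, whose parent id is itself.
        $chain = @()
        $cur = $proc
        $depth = 0
        while ($cur -and $depth -lt 10) {
            $chain += "$($cur.Name)($($cur.ProcessId))"
            $cur = $byPid[[int]$cur.ParentProcessId]
            $depth++
        }

        New-Object PSObject -Property @{
            Name       = $proc.Name
            ProcessId  = $proc.ProcessId
            Path       = $path
            InSystem32 = $inSys32
            Signature  = $sig
            User       = $user
            Lineage    = ($chain -join ' <- ')
        }
    }
}

Get-ProcessLineage 'logonui.exe' | Format-List Name, ProcessId, Path, InSystem32, Signature, User, Lineage
```

    A process named logonui.exe that lives outside System32, carries no valid signature, or hangs off something other than winlogon.exe is what would justify treating it as a masquerading binary. One that matches on all four is the Windows logon UI, and a hang at shutdown involving it points at a shutdown or driver problem rather than an infection.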
  24. usagibrian

    usagibrian Private E-2

    Then I think we may have a winner on the blue screen of death.
    All the info in the previous thread was shutting down from Safe Mode. (There is currently only the Administrator account on the system--I hadn't gotten as far as creating users and wasn't sure if I should bother since I'm the only one on this machine.)
    As described, logonui.exe launches, the "End Program-Sample" launches, the bar runs with the warning about canceling the program now may result in data loss, followed by the "Program is not Responding" dialog. If I click cancel, I'm back in Windows. If I click "End Now," I shut down.

    Now, I see from the properties tab in ProcessExplorer that the User for logonui.exe is NT Authority\System. I have also had a "soft crash" in normal mode where I get a message that "NT Authority\System" has discovered a problem and the system must shut down in 60 seconds, followed by a countdown clock to give me time to save and close any open programs.

    I'm going to take a guess that I deleted something I shouldn't have while doing my initial clean up (supported by your observation that my registry was too short). Where to next? Should I pull out the recovery CD, and, if I do, will I have to go through the whole operation again if I'm back to SP1 and get infected before I can download the OS updates? Or is there a way to put things right without doing a full restore? Thanks.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  26. usagibrian

    usagibrian Private E-2

    Now that's a handy command. The scan just ran through the progress bar and the command window returned to the C: prompt. There was no error reported on the progress bar or in the command line, but if I read the description correctly, if it found any problems, it went ahead and corrected them.

    Thanks. Hopefully, that's the end of it.
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    So what is the state of your system now? Any changes? Do you still have that message when trying to exit in safe mode?
     
  28. usagibrian

    usagibrian Private E-2

    Identical.

    I ran Process Explorer shutting down in Normal mode as well. logonui.exe launched, ZCfgSvc.exe flashed red, and the system shut down. When I rebooted, I got the send a message about the system error to Microsoft message with similar files to be transmitted:
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER9dbb.dir00\Mini011005-01.dmp
    C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\WER9dbb.dir00\sysdata.xml

    My browser pops up the MS message page that the error was caused by a device driver. Launched Explorer and grabbed the latest updates (.NET framework 3, Security) and installed them. No change (Normal or Safe).

    Thanks.
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  30. usagibrian

    usagibrian Private E-2

    And the outcome is (drumroll...) Reinstall XP!

    I trashed too much of the setup and registry in my initial removal attempt (I was getting at least one memdump crash a day without any discernible pattern). I'd only moved in data for one application, so I figured I'd be better off rebuilding from scratch while it's still relatively easy (only this time I installed the firewall and virus protection first!).

    Thanks again for all your help on this. Best, Brian
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  32. cncmomma

    cncmomma Private E-2

    This seems to be a widespread problem after doing research myself into it. I am going to attach part of a correspondence with someone else who emailed me asking how I fixed this problem with the sysdata.xml and minidump .dmp file errors on my end with a lot of help from my gaming buddies, LOL. Maybe it will help others since it doesn't seem that it is being addressed properly by tech support agents. If anything is unclear or you need further help feel free to email me and I'll try to help.

    "I’d be glad to help if I can. I can explain the problem I was having and tell you how I found my solution. But please keep in mind that it may or may not be the answer you need as well.

    I too have Windows XP Pro. I had SP1 and SP2 service packs installed. My husband and I had the computer custom made last October. Ever since that time, the computer was experiencing at least one crash per day, rebooting spontaneously and reporting recoveries from serious errors stating the same Minidump and Sysdata.xml files which seem to pertain to this widespread problem. Just recently, I decided to undertake the task of rooting the problem out because I got sick and tired of dealing with it and losing my work. I Googled anything that had to do with sysdata.xml files and read many others reporting the problem and their speculation as to its origins.

    First, I checked thoroughly for any sign of a virus. Nope, wasn’t it. Then I updated my nVidia graphic card driver. Something different happened, and yet the problem did not entirely go away. The computer was not rebooting all the way anymore, but the monitor was clicking repeatedly to a black screen. Sometimes 5 or more times in a row. So obviously there was still a problem.

    Then I thought maybe the CPU motherboard was overheating. So, I downloaded and installed MotherBoard Monitor 5 to check the temps. Had a false alarm on one sensor that was reading off, but eventually, I came to learn that the CPU was normal and not overheating.

    Then I read of another speculation somewhere. One which listed the problem source to be a compatibility issue between Windows XP, SP1, SP2 and graphic cards. Ultimately, I can tell you this is truly where the problem originates.

    I knew I had to uninstall SP1 and SP2 out of Windows XP. This brought up other issues of security in regards to Internet Explorer which I used and various other programs. So first, I decided to go with another browser altogether. In my case, Mozilla Firefox. But there are other options you may choose. It’s free and so far I haven’t had any problems really. So, I downloaded that (don’t install yet). Then I closed everything I could and uninstalled SP1 and SP2. I then installed Firefox. It will automatically ask to be the default browser, so I said yes. (might have to reboot here…not sure) If you decide to try my method and uninstall SP1 and SP2, Windows auto update should inform you of some critical updates to install if you have the feature enabled…choose the custom install method and inspect the updates...you should install the critical ones. However, it will also include SP1 and SP2 again within the choices to install. You don’t want to reinstall those, so unmark those two and check the “never ask me this again” option so that it won’t keep reminding you of those two updates.

    Then, I uninstalled my current nVidia graphic drivers and totally reinstalled using my install disk. (for compatibility issues, I used the disk even if it’s an older version just to be sure)

    For the last part, I went into my WINDOWS program folder. I located the folder called “Minidump”, opened it and deleted all files within. Then I located my temporary user folder (TEMP) and deleted it altogether. (upon reboot, XP will make another TEMP folder) Then rebooted. So far, everything has worked and my computer is acting normally for the first time. No more clicking to black screens or rebooting issues and error reports.

    Hopefully, this might help. If you have any other questions, feel free to ask and I’ll do my best to answer. I believe that some of the graphic card drivers have not been updated with a fix that addresses this problem and Microsoft hasn’t seemed to be in any hurry to address it as well from what I've read."

    Regards,

    Rose

    cncmomma@cox.net
     
  33. usagibrian

    usagibrian Private E-2

    I think it was probably something I did to the graphics driver when I was trying to clean up initially (I did some damage to my registry when I first tried to clear things off). I'm on a laptop that uses an Intel Extreme card. I've had no problems since performing the reinstall back to the factory system set up, and I've been able to update to SP1 and SP2 without any problems. Making sure the firewall was up and going through the Protect Yourself from Malware process seems to have worked to keep the nasties out.
     
  34. cncmomma

    cncmomma Private E-2

