Searchmiracle/elitebar problem

Discussion in 'Malware Help (A Specialist Will Reply)' started by Patxi, Feb 15, 2005.

  1. Patxi

    Patxi Private E-2

    I have read through some threads (specifically shef and sighlentex) regarding this problem. I have gone through the
    < READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal >
    This is what I have done.
    Getting Prepared
    1. I disabled the system restore
    2. I did not do this step because it said "Only do this step if you have the about:blank or home search hijack"
    3. I enabled viewing of hidden files and folders and extensions
    4. I downloaded all tools available
    Scanning And Cleaning Steps
    1. I have Windows XP so I booted in "safe mode with networking support"
    - I was not able to do an online scan at Trend Micro's Free Online Virus Scan, I have tried in safe mode as well as normal.
    - I did an online scan at Symantec Security Check
    - I ran McAfee AVERT Stinger
    2. Ran CCleaner
    3. Ran Spybot, immunized and ran adaware
    4. Ran CWShredder, Kill2me, about:Buster and HSRemove
    5. Skipped option 5 because it didn't seem applicable
    6. Downloaded Hijack this but have not used it yet.

    After all that, when I go back to normal mode, elitebar, my search and searchmiracle all seem to respawn.

    I am not terribly computer savvy, so please dumb it down for me. Any help is welcome help.

    Thanks
     
  2. shewolf

    shewolf Specialist

    Welcome to MG :)

    Since you have followed ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal then go ahead and read the Hijackthis Tutorial and attach your HJT (Hijackthis) log.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread
    NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as an attachment to your message (Do not post the log inline). All running programs should be closed, including your web browser, e-mail.
    Close before running Hijack This!


    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT

    Please also be patient in waiting for replies and responses as there are a limited number of people who are able to help you and as you can see by the posts on this forum there are many people out there who have questions/problems. Thanks and again welcome to MG :)

    sw:)
     
  3. Patxi

    Patxi Private E-2

    I have attached the HJT log.

    Let me know what you think.

    Thanks
     

  4. Patxi

    Patxi Private E-2

    I messed up. Attached is the .txt log.

    Thanks
     
  5. TheOldThug

    TheOldThug First Sergeant

    Patxi

    I see the search miracle and elite problem in your log. I would like you to try this tool first and then give us a new HJT log.

    Elite Remover

    Be sure to run this in safe mode. Read the READ ME that it has with it. After using this tool boot to normal mode and get another HJT log.
     
  6. Patxi

    Patxi Private E-2

    I went into safe mode and ran the elitebar killer. No success. Here is the new log.
     

  7. TheOldThug

    TheOldThug First Sergeant

    Alright I will try and get you a fix sometime today.
     
  8. TheOldThug

    TheOldThug First Sergeant

    A couple of questions first:

    1. navigate to this file (C:\WINDOWS\system32\kbdcz.exe ), then right click, properties, version and tell me what it says

    2. is this Websavings familiar to you?
    C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
     
  9. Patxi

    Patxi Private E-2

    1. File Version: 5.1.2600.0
    Description: Czech Keyboard Layout
    Copyright: Microsoft Corporation. All rights reserved
    I also have a (C:\WINDOWS\system32\kbdcz1.exe)
    all info is the same except for
    Description: Czech_101 Keyboard Layout,
    and a (C:\WINDOWS\system32\kbdcz2.exe)
    all info is the same except for
    Description: Czech_Programmer's Keyboard Layout

    2. Websavings is only familiar to me in the sense that I want to get rid of it. It is another annoyance.

    Thanks
     
  10. TheOldThug

    TheOldThug First Sergeant

    You need to DISABLE SpybotSD's "Tea Timer" function as it might interfere with the fix instructions I give you! Disable and reboot first.

    After rebooting do the following. I am also suggesting Uninstalling P2P Networking as this will only invite more of the same problems. It is included in the fix.

    Please print out these instructions so that you can operate with ALL Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Please look in Add or Remove Programs for the following and Uninstall them if found:

    P2P Networking
    WebSavingsfromEbates
    EliteToolBar

    NOW:
    Please look in Task Manager (ctrl-alt-del) and try to END the following running processes, if found:

    P2P Networking.exe
    elitemia32.exe

    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O1 - Hosts: com
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar.dll
    O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar.dll
    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
    O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitemia32.exe
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and navigate to and DELETE the following file and folders if they should remain:

    C:\windows\system32\elitemia32.exe
    C:\WINDOWS\System32\P2P Networking <---The Folder
    C:\Program Files\WebSavingsfromEbates <---The Folder
    C:\WINDOWS\EliteToolBar <---The Folder

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.


    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    THEN:
    Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know how your computer is running now and if you had trouble with the above instructions.

    Good luck :)
     
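    A small triage helper for HijackThis lines of the kind listed in the fix above, added here as an example (it is not a MajorGeeks tool and not part of the original thread). The sample log lines are copied from the post; the indicator list is assumed from the names discussed in the thread, and the Hosts check is an assumption about what a normal O1 entry looks like.

```python
import re

# Constructed sample: HijackThis lines copied from the fix list in the thread.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: com
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\\WINDOWS\\EliteToolBar\\EliteToolBar.dll
O4 - HKLM\\..\\Run: [antiware] C:\\windows\\system32\\elitemia32.exe
O4 - HKLM\\..\\Run: [P2P Networking] C:\\WINDOWS\\System32\\P2P Networking\\P2P Networking.exe /AUTOSTART
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer)
"""

# Assumed indicator strings, taken from the names the thread discusses.
INDICATORS = ("searchmiracle.com", "elitetoolbar", "elitesidebar", "elitemia32.exe",
              "p2p networking", "web p2p installer", "websavingsfromebates")

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# R0/R1: registry key, value name and value, e.g. HKCU\...\Main,Start Page = http://...
REG_RE = re.compile(r"^(?P<key>HK\w+\\[^,]+),(?P<name>[^=]+) = (?P<value>.*)$")
# O4: autostart entry, e.g. HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")

def parse_line(line):
    """Split one HJT line into its section code and the fields that section carries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    entry = {"section": section, "raw": body}
    detail = REG_RE if section in ("R0", "R1") else RUN_RE if section == "O4" else None
    r = detail.match(body) if detail else None
    if r:
        entry.update(r.groupdict())
    return entry

def suspicious(entry):
    """Return the reasons an entry deserves a closer look, or [] if none."""
    low = entry["raw"].lower()
    reasons = [f"matches indicator '{ind}'" for ind in INDICATORS if ind in low]
    # Assumption: a legitimate O1 Hosts line names a dotted host; a bare 'com' does not.
    if entry["section"] == "O1" and "." not in entry["raw"].split(":", 1)[-1].strip():
        reasons.append("Hosts entry has no recognizable hostname")
    return reasons

def triage(log_text):
    """Map each flagged log line to its reasons; unflagged lines are left out."""
    hits = {}
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and suspicious(e):
            hits[line.strip()] = suspicious(e)
    return hits
```

    Running `triage(SAMPLE_LOG)` flags six of the seven sample lines and leaves the yahoo.com Start Page alone, which matches the split in the fix above between entries to remove and the home page that simply gets reset.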
  11. Patxi

    Patxi Private E-2

    All right...
    I first tried to disable Tea Timer via ctrl+alt+delete
    Tea timer was not in the process list so I figured that it didn't need to be disabled. Is this correct?

    All browser windows closed and hidden files enabled.
    I went to add/remove programs and uninstalled
    P2P Networking and Elite Toolbar

    Websavingsfromebates is in there still and it says "Error:could not execute the main : The system can not find the file specified" when I try to uninstall. I wonder if I may have deleted the file at some point in the past?

    Went to task Manager and ended the P2P Networking.exe but the elitemia32.exe was not in there

    I scanned with HJK and deleted everything except for :

    O3 - Toolbar: &Elitebar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar.dll

    I didn't delete it because it didn't show up in the scan this time for some reason.

    Clicked fix
    Then deleted all the mentioned files
    Ran CCleaner which cleaned up some stuff and Spybot which came up empty
    Ran cleanmgr and reset web settings

    Everything seems to be working pretty well. I might have to hold my breath for a while just to make sure it holds and doesn't respawn again.

    I wanted to say thanks for the time you took to help a poor schmuck.

    Attached is the HJK log.

    Let me know if I should get rid of anything else.
     

  12. TheOldThug

    TheOldThug First Sergeant

    You're welcome.

    Glad you got it all fixed. ;) You should check this out now: How to Protect yourself from malware!

    Let me know if there is another problem. Once everything seems OK be sure to turn System Restore back on.
     
  13. seaside

    seaside Corporal

    Nice one, you're a saint.
     
  14. TheOldThug

    TheOldThug First Sergeant

    looking at your log there is one file that I still question:
    C:\WINDOWS\Driver Cache\bakreg.exe

    Find the version for me on it just like you did for kbdcz.exe earlier in the thread.
     
  15. Patxi

    Patxi Private E-2

    I went to C:\WINDOWS\Driver Cache and there is no such .exe
    All that's in there is a folder for i386
    Inside that folder there are three zip files
    driver.cab
    sp1.cab
    sp2.cab
    and another item called mrxsmb.sys

    Recommendation?
     
  16. TheOldThug

    TheOldThug First Sergeant

    You could try a search for it and see if it comes up. If you can't find it and you're not having any problem we will forget it for now.
     
  17. Patxi

    Patxi Private E-2

    I ran a search and came up empty. I also re-checked to make sure that all hidden files were visible.

    I ran the search and checked the folder in normal mode. I don't know if that makes a difference.
     
  18. TheOldThug

    TheOldThug First Sergeant

    Ok. Don't worry about it.
     
  19. Patxi

    Patxi Private E-2

    Once again, I just wanted to say thanks for all your help. This is a great website. I wish I knew more about computers so I could contribute as well.
     
