Unknown Hijack will not go away! Help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by craab, Feb 3, 2005.

  1. craab

    craab Private E-2

    I have followed the instructions in the tutorial on removing spyware, hijacks and trojan horses on this site. I am usually able to get rid of hijacks with CWShredder, and Adaware SE. Not this time. It keeps popping a small porn pop-up on my desktop, and then I get a weird floating message behind the icons on my desktop saying my machine is infected. I have figured out that there is a webpage being set as my active desktop. This one has me stumped.
    I have learned to read my HijackThis logs, and I analyzed mine pretty well, fixed it, but this is still coming up. Please Help!
    :rolleyes:
    I am totally going to Firefox when I get this fixed.
    I hate IE so bad.
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Craab,

    I think you might need to disable your Active Desktop. Try this:

    RightClick your Desktop and select Properties > Desktop Tab > Customize Desktop > Web and make sure nothing is selected in the box labeled "Web Pages." Namely, make sure that the My Current Home Page Box is unchecked.
    Let us know if there are other entries in the Web Pages box and if these instructions help.


    Also, if you have exhausted the options in our Cleanup Tutorial (especially the Online Scans), please go ahead and send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been busy with work and other obligations these days, but somebody will try to take a look when they get a chance.

    PP :)
     
  3. craab

    craab Private E-2

    Hey PhilliePhan,
    thanks for helping me with this. I followed your instructions, and there was a page in there that was checked called "security". I unchecked it, and removed it from the list, but it will come back, as I have done this before. I also noticed that I cannot open Firefox when this hijack "triggers". It seems to go away - but then comes back.
    Sometimes, I cannot open the control panel either. I can tell when it is "triggered" because the web stuff is back on my desktop. I am going to post a HJT log.
    Thanks again!
     
  4. craab

    craab Private E-2

    Ok - here is my HJT log.
    I hope this helps.

    You must be psyched about the Eagles in the SB.
    I was born and raised in Philly, and I have been waiting a LONG
    time for an Eagles SB.

    Thanks again!
     

  5. craab

    craab Private E-2

    Has anyone been able to look at my HJT log file?
    I know you all are busy. I am getting porn popups on my computer, and weird security messages.
    Plus this hijack is slowing it waaaaaaay down.
    When you get a chance please have a look.
    Thanks!
     
  6. PhilliePhan

    PhilliePhan Guest

    Hi Craab,

    You've got a real nasty one going here. Very similar to this thread:

    Sending out an SOS

    This can be a real pain in the butt to remove. I am especially concerned about that dddd.exe that seems to have gotten into the Lavasoft Folder.

    I will not have time to really look at your HJT log until later tonight when free time.

    FOR NOW:

    Uninstall LimeWire!! You may be able to thank them for some of this!

    Please run this tool in safe mode according to the directions:
    EliteToolbar Remover

    Then, look in Program Files Folder for anything EliteBar Related and Remove what you find. Also here: C:\WINNT\EliteToolBar *note all of the files and sub folders inside and tell me what they are . . . then DELETE them and then delete the folder itself! If you have problems deleting this, try doing it in SAFE MODE.

    Uninstall Ad-aware and DELETE the Lavasoft Folder (assuming free version).
    You can D/L fresh one when clean!!

    Navigate to this folder --> C:\WINNT\isrvs and do the same as for the Elite ToolBar folder above. Tell me what is in folder and then delete all files and sub folders and then the folder itself. If you have problems deleting this, try doing it in SAFE MODE.


    Then, BOOT TO SAFE MODE and scan with HijackThis and Check the Boxes for the following:
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll (file missing)
    O2 - BHO: (no name) - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINNT\system32\wnim.dll
    O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINNT\EliteSideBar\EliteSideBar 08.dll

    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} -

    O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe
    O4 - HKLM\..\Run: [kalvsys] c:\winnt\system32\kalvxie32.exe
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
    O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"

    O4 - Global Startup: LimeWire 4.2.3.lnk = C:\Program Files\LimeWire\LimeWire 4.2.3\LimeWire.exe

    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.sp2****ed.biz
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com

    O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab

    O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINNT\system32\wnim.dll
    O18 - Filter: text/plain - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINNT\system32\wnim.dll

    O23 - Service: .NET Framework Service - Unknown - C:\WINNT\svchost.exe (file missing)
    O23 - Service: FLEXlm License Manager - Unknown - C:\AW\COM\etc\lmgrd.exe (file missing)
    O23 - Service: Printer Status Server - Unknown - C:\WINNT\System32\spool\drivers\w32x86\hpzstatn.exe (file missing)
    Make sure ALL Browser Windows are CLOSED when you click FIX


    While in Safe Mode, navigate to and DELETE the following:

    C:\WINNT\system32\soft.exe
    C:\Documents and Settings\Christian Raab.CHRISTIAN\dddd.exe

    c:\winnt\system32\kalvxie32.exe ---> For this one, before deleting, RightClick it and get Property and Version info if there is any to be found. Also, try to see when it was installed on your machine and look for similar Kalv***.exes!!

    C:\WINNT\system32\wnim.dll

    C:\WINNT\isrvs --> Make sure this is gone! Same for EliteBar.

    NOW, while still in Safe Mode:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin

    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.

    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I need full details of how the above went!! A lot of this may come back, so details are important! Will try to check back tonight.

    Best luck :)
    PP

    BTW - Although been Phillies Fan for 30+ years, when it comes to football, been Dolphins fan for same amount of time! Figure that one out . . . Still, gotta pull for Eagles Sunday, but Pats probably too strong!
     
    Last edited by a moderator: Feb 4, 2005
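    As an added example, not posted by anyone in this thread: a small Python triage of HijackThis lines like the ones quoted above, applying the same judgments PhilliePhan makes by hand (wildcard domains in the Trusted Zone, text/html filters, kalv???32.exe autoruns, DLLs re-registered at logon, entries whose file is missing). The sample log is constructed from lines already shown in this thread.

```python
import re
from collections import Counter

# Constructed sample: HijackThis lines in the same format as the ones quoted in
# the thread (sections O2, O4, O15, O16, O18, O23).
SAMPLE_LOG = r"""
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll (file missing)
O4 - HKLM\..\Run: [kalvsys] c:\winnt\system32\kalvxie32.exe
O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe wnim.dll, DllRegisterServer
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O18 - Filter: text/html - {B72F75B8-93F3-429D-B13E-660B206D897A} - C:\WINNT\system32\wnim.dll
O23 - Service: .NET Framework Service - Unknown - C:\WINNT\svchost.exe (file missing)
"""

# Every HJT line starts with a section tag such as "O4 - ".
HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
# The thread describes the installer as kalv***32.exe with three random letters.
KALV_RE = re.compile(r"\\kalv[a-z]{3}32\.exe$", re.IGNORECASE)
# "Rundll32.exe something.dll, DllRegisterServer" re-registers a COM DLL at every logon.
RUNDLL_REG_RE = re.compile(r"rundll32(\.exe)?\s+\S+\.dll,\s*DllRegisterServer", re.IGNORECASE)
# Filters on text/html or text/plain sit in front of every page IE renders.
MIME_FILTER_RE = re.compile(r"^Filter: text/(html|plain)\b")


def parse_line(line):
    """Split one HJT line into its section tag and body; None if it is not an HJT line."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    return {"section": m.group(1), "body": m.group(2), "raw": line.strip()}


def triage(log_text):
    """Return (section, raw_line, reason) for every line that deserves a second look."""
    findings = []
    for raw in log_text.strip().splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        sec, body = entry["section"], entry["body"]
        reasons = []
        if sec == "O15" and "Trusted Zone:" in body and "*." in body:
            reasons.append("wildcard domain granted Trusted-zone privileges")
        if sec == "O18" and MIME_FILTER_RE.match(body):
            reasons.append("MIME filter intercepting every html/plain-text response")
        if sec == "O4":
            if KALV_RE.search(body):
                reasons.append("kalv???32.exe autorun (installer pattern described in the thread)")
            if RUNDLL_REG_RE.search(body):
                reasons.append("DLL re-registered at every logon via Rundll32")
        if sec in ("O2", "O23") and body.endswith("(file missing)"):
            reasons.append("orphaned entry: referenced file is missing")
        if sec == "O16" and body.lower().endswith(".cab"):
            reasons.append("ActiveX .cab download point; verify the publisher")
        for reason in reasons:
            findings.append((sec, entry["raw"], reason))
    return findings


def by_section(findings):
    """Count flagged lines per HJT section, e.g. {'O15': 2, ...}."""
    return Counter(sec for sec, _, _ in findings)


if __name__ == "__main__":
    for sec, raw, reason in triage(SAMPLE_LOG):
        print(f"{sec}: {reason}\n    {raw}")
```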
  7. craab

    craab Private E-2

    Thanks!
    I will follow your instructions to the "T".
    I'll be online on and off throughout the weekend,
    So I will post my findings, and check for your replies occasionally.
    Will remove limewire Pronto.
    Thanks again.
     
  8. PhilliePhan

    PhilliePhan Guest

    AllRightyThen!

    Though, bear in mind that what I gave you is likely just a start and that you may not be able to remove this infection on an "off and on" basis due to possible reconstitution concerns.

    I'll keep an eye open for your posts.

    PP :)
     
  9. craab

    craab Private E-2

    PhilliePhan,

    I went ahead and removed Limewire, and AdAware.
    I have not done any more of your instructions, but am about to.
    Just wanted to drop a line in case you had any other instructions
    before I begin.
    I realize that this may take a deeper effort, and what you told me is a starting point.
    Thanks again!
    craab
     
  10. PhilliePhan

    PhilliePhan Guest

    I imagine much of this will come back. Not sure if that was legitimate Lavasoft folder, but we'll find out!

    Carry on! I'll be here now and then over the weekend and keep eye on thread as often as I can.

    PP :)
     
  11. craab

    craab Private E-2

    I appreciate all of your help!

    I followed the first part of your instructions:
    in safe mode:

    found:
    C:/winnt/elitetoolbar/
    inside was folders:
    /elitesidebar
    /elitetoolbar
    these folders contained:
    elitesidebar08.dll, /xml, /cabgoner, /images

    deleted all files and the folder

    deleted lavasoft folder

    found:
    C:/winnt/isrvs
    inside was:
    /icons
    edmond.exe
    isearch.xpi
    msdbhk.dll

    deleted all these files and the folder

    rebooted and the hijack seems to have re-appeared.
    I await your expert advice.
    Thanks again!
    -craab
     
  12. PhilliePhan

    PhilliePhan Guest

    Did you try EliteBar remover tool?

    Did you fix items with HJT in safe mode?

    Please follow All of previous instructions exactly as listed and give me fresh HJT log as requested and we'll see where you stand.

    These things like to reinstall themselves, so you really need to do all instructions at once the way they are given and do not reboot unless asked to do so.

    Hang in there :cool: This can be a real pain!

    PP :)
     
  13. craab

    craab Private E-2

    Ok will do!
    Thanks
     
  14. craab

    craab Private E-2

    Ok - followed your instructions exactly this time:
    No problems doing any of it.
    I have attached the resultant HJT log for your review.
    Sorry to cause you so much trouble.
    I really am grateful for Majorgeeks, and your help!
    Thanks again!
     

  15. craab

    craab Private E-2

    Oh - almost forgot - the popups are still there...
    I await your expertise.
    Thanks!
    -craab

    ps: Go Eagles
     
  16. PhilliePhan

    PhilliePhan Guest

    You're not causing trouble :cool: It's just that this is a very complicated removal process and if we don't get it all and get it all at once, it comes back! Kinda like it did this time - much of the same remains. I'll try to put together some more steps, though likely Saturday afternoon/evening before back on computer.

    Please download the following tools in case we need to put them to use:

    Generic Detection Tool - NT/2000/XP

    Pocket KillBox

    I'll see what I can come up with for these baddies.

    PP :)
     
    Last edited by a moderator: Feb 5, 2005
  17. craab

    craab Private E-2

    Ok - downloaded the tools - I will check back in the afternoon,
    Thanks! :)
     
  18. PhilliePhan

    PhilliePhan Guest

    Hi Craab,

    This problem is proving to be difficult: you have Three separate "hard to remove" baddies that have been giving us all sorts of headaches! It might be better if we tackle them separately.

    I will try to come up with removal steps. Been really busy with other obligations these days, but I'll try to post them as soon as I can.

    Hang in there :)
    PP
     
  19. craab

    craab Private E-2

    I completely understand obligations - I was fulfilling some myself today.
    I await your expertise!
    Thanks again!
    -craab

    :)
     
  20. PhilliePhan

    PhilliePhan Guest

    Hi Craab,

    Since so much about these baddies is new, the following steps are definitely a “USE AT YOUR OWN RISK” proposition.

    I’m not sure how well this will work, but let’s see what we can do with this mess! Hopefully I didn’t miss anything, but with a long fix like this, it's hard to keep track of everything! Please read through these instructions so that you are familiar with them. You’ll need to follow them carefully as these baddies are hard to remove and seem to respawn at will!

    Note that you will need to be in Safe Mode and remain there for many of these steps!



    FIRST:
    Download and install Fresh Ad-awareSE. Internet Update it to latest reference files, but do not run it yet.

    ALSO:
    Please download http://ralphcaddell.com/Uploads/deldomains.zip and unzip it to your desktop.


    THEN:
    Copy and paste the information below to notepad. Save it to your Desktop as type "all files" and name it fixTZ.reg



    REGEDIT4

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{950238FB-C706-4791-8674-4D429F85897E}\InprocServer32]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\mfiltis]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}\InprocServer32]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

    [-HKEY_USERS\S-1-5-21-1644491937-861567501-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}\iexplore]

    [-HKEY_USERS\S-1-5-21-1644491937-861567501-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]
    "{950238FB-C706-4791-8674-4D429F85897E}"=-

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\addictivetechnologies.com]
    "*"=dword:00000002
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\addictivetechnologies.com]
    "*"=dword:00000004
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\addictivetechnologies.com]
    "*"=dword:00000002
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\addictivetechnologies.com]
    "*"=dword:00000004

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\addictivetechnologies.net]
    "*"=dword:00000002
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\addictivetechnologies.net]
    "*"=dword:00000004
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\addictivetechnologies.net]
    "*"=dword:00000002
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\addictivetechnologies.net]
    "*"=dword:00000004

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\admin2cash.biz]
    "*"=dword:00000002
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\admin2cash.biz]
    "*"=dword:00000004
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\admin2cash.biz]
    "*"=dword:00000002
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\admin2cash.biz]
    "*"=dword:00000004

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
    "*"=dword:00000002
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
    "*"=dword:00000004
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
    "*"=dword:00000002
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\awmdabest.com]
    "*"=dword:00000004

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
    "*"=dword:00000002
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
    "*"=dword:00000004
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
    "*"=dword:00000002
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
    "*"=dword:00000004

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bettersearch.biz]
    "*"=dword:00000002
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bettersearch.biz]
    "*"=dword:00000004
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bettersearch.biz]
    "*"=dword:00000002
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\bettersearch.biz]
    "*"=dword:00000004

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\c4tdownload.com]
    "*"=dword:00000002
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\c4tdownload.com]
    "*"=dword:00000004
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\c4tdownload.com]
    "*"=dword:00000002
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\c4tdownload.com]
    "*"=dword:00000004

    [-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\finefind.nettraffic2cash.biz]
    "*"=dword:00000002
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\finefind.nettraffic2cash.biz]
    "*"=dword:00000004
    [-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\finefind.nettraffic2cash.biz]
    "*"=dword:00000002
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\finefind.nettraffic2cash.biz]
    "*"=dword:00000004

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kalvsys"=-
    "Sys29"=-

    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\desktop search]

    [-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ffis]

    [-HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_delprot]

    [-HKEY_LOCAL_MACHINE\system\currentcontrolset\services\delprot]

    [-HKEY_CURRENT_USER\Software\LQ]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\ohbbackup]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Elitum]

    [-HKEY_CLASSES_ROOT\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA880F}]

    [-HKEY_CLASSES_ROOT\CLSID\{28CAEFF3-0F18-4036-B504-51D73BD81C3A}]


    Leave this file on your Desktop for now.


    Please save these instructions locally so that you can operate with All Browser Windows CLOSED as much as possible!
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    NOTE:
    You must be TOTALLY DISCONNECTED from the Internet when you begin these instructions!! Do this now!



    Now do this:
    Go START > Control Panel > Network and Internet Connections > Internet Options > Security > Trusted Sites and remove ALL entries from Trusted Sites.


    NOW:
    The EliteBar crap will keep coming back until we can remove the installer: Kalvsys . In addition to the line and file listed in your HJT log, there will likely be a number of additional kalv***32.exe files where *** are three random letters.
    There may be quite a few of these, probably created at or about the same time.

    Ex/ O4 - HKLM\..\Run: [kalvsys] c:\winnt\system32\kalvzka32.exe

    c:\winnt\system32\kalvzka32.exe

    You will need to BOOT TO SAFE MODE and manually DELETE all kalv***32.exe files from System32 Folder. You should be able to find them easily enough in System32 folder if organized alphabetically. If you have trouble deleting them, RightClick them to make sure that they are not write-protected and rename them to kalv***32.bad and then try Deleting them.

    Alternatively, you could try this method:
    Go START > RUN and type Cmd and hit Enter to open Command Window.
    Then, copy and paste in the following line and hit Enter or OK:

    DEL /F /Q "%windir%\system32\Kalv***32.exe"

    If you choose this route, it is still probably a good idea to look in System32 Folder to make sure all kalv***32.exes have been removed!!


    NEXT:
    WHILE STILL IN SAFE MODE, please scan with HijackThis and Check the Boxes for the following:
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
    O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINNT\isrvs\sysupd.dll
    O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINNT\EliteSideBar\EliteSideBar 08.dll
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINNT\EliteToolBar\EliteToolBar version 59.dll

    O4 - HKLM\..\Run: [kalvsys] c:\winnt\system32\kalvzka32.exe
    O4 - HKLM\..\Run: [Desktop Search] C:\WINNT\isrvs\desktop.exe
    O4 - HKLM\..\Run: [ffis] C:\WINNT\isrvs\ffisearch.exe

    O15 - Trusted Zone: *.addictivetechnologies.com
    O15 - Trusted Zone: *.addictivetechnologies.net
    O15 - Trusted Zone: *.admin2cash.biz
    O15 - Trusted Zone: *.awmdabest.com
    O15 - Trusted Zone: *.bettersearch.biz
    O15 - Trusted Zone: *.c4tdownload.com
    O15 - Trusted Zone: *.clickspring.net
    O15 - Trusted Zone: *.crazywinnings.com
    O15 - Trusted Zone: *.f1organizer.com
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
    O15 - Trusted Zone: *.iframe.biz
    O15 - Trusted Zone: *.megapornix.com
    O15 - Trusted Zone: *.mt-download.com
    O15 - Trusted Zone: *.newiframe.biz
    O15 - Trusted Zone: *.overpro.com
    O15 - Trusted Zone: *.pizdato.biz
    O15 - Trusted Zone: *.private-dialer.biz
    O15 - Trusted Zone: *.private-iframe.biz
    O15 - Trusted Zone: *.slotch.com
    O15 - Trusted Zone: *.sp2admin.biz
    O15 - Trusted Zone: *.sp2****ed.biz
    O15 - Trusted Zone: *.topconverting.com
    O15 - Trusted Zone: *.vse-moe.biz
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.xxxtoolbar.com
    O15 - Trusted Zone: *.ysbweb.com

    O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab

    O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINNT\isrvs\mfiltis.dll
    Make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    WHILE STILL IN SAFE MODE, run Pocket KillBox and select the “Delete on Reboot” option and copy and Paste the following into the box, making sure Delete on Reboot is Checked for each entry. Click the Red X to Delete each one, but DO NOT Allow your machine to Reboot yet!! You’ll reboot later.

    Enter these in the order listed:

    C:\Documents and Settings\Christian Raab.CHRISTIAN\dddd.exe
    C:\WINNT\isrvs\desktop.exe
    C:\WINNT\isrvs\ffisearch.exe
    C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
    C:\WINNT\isrvs\sysupd.dll
    C:\WINNT\isrvs\mfiltis.dll
    C:\WINNT\EliteSideBar\EliteSideBar 08.dll
    C:\WINNT\EliteToolBar\EliteToolBar version 59.dll
    C:\WINNT\isrvs
    C:\WINNT\EliteToolBar
    C:\WINNT\EliteSideBar


    NEXT:
    Run CCleaner , Ad-awareSE and Spybot S&D and have Spybot and Ad-aware fix what they find. EMPTY Recycle Bin (See if there are any problems doing this).

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    *****
    NOW REBOOT to Normal Windows and DoubleClick on the fixTZ.reg file on your Desktop and follow the prompts to allow the entries to be merged into your registry.

    Next, look to your deldomains.zip on your Desktop and RightClick on the deldomains.inf file and select Install.


    Finally, REBOOT AGAIN to Normal Windows and Scan with HijackThis and attach that log.

    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. The more details, the better! Hopefully this will help. If not, I suppose you could try the uninstallers supplied by the Elite & Isearch sites themselves . . . I don’t really trust them, but you are already infected, so may be worth a try.

    I am going to be quite busy in the coming week, but will try to check back when time permits.

    Best luck :)
    PP
     
    Last edited by a moderator: Feb 7, 2005
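    As an added illustration that is not part of the thread: a Python parser for REGEDIT4 fix files like fixTZ.reg above. It lists what each entry does (delete a key, delete a value, set a DWORD) and reports which ZoneMap domains end up in which Internet Explorer security zone (the "*"=dword values: 2 is Trusted sites, 4 is Restricted sites), so a fix file can be reviewed before it is merged. The sample is a constructed excerpt of the file posted above; it only handles the domain-level ZoneMap form that file uses.

```python
import re
from collections import Counter, OrderedDict

# Constructed excerpt of the fixTZ.reg posted in the thread.
SAMPLE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]
"{950238FB-C706-4791-8674-4D429F85897E}"=-

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\addictivetechnologies.com]
"*"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\addictivetechnologies.com]
"*"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kalvsys"=-
"Sys29"=-
"""

# Internet Explorer URL security zone ids as stored under ZoneMap\Domains.
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")          # [key] or [-key]
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')        # "name"=data
ZONEMAP_RE = re.compile(r"\\Internet Settings\\ZoneMap\\Domains\\([^\\]+)$",
                        re.IGNORECASE)


def parse_reg(text):
    """Return the operations a REGEDIT4 file performs, in file order.

    Operation tuples: ('delete_key', key), ('delete_value', key, name),
    ('set_dword', key, name, int) or ('ignored', key, line) for values that
    appear under a [-key] header (the deletion already removes them, so they
    are treated as no-ops here).
    """
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("expected a REGEDIT4 header")
    ops, current, current_deleted = [], None, False
    for line in lines[1:]:
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current, current_deleted = m.group(2), m.group(1) == "-"
            if current_deleted:
                ops.append(("delete_key", current))
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            raise ValueError("unparseable line: " + line)
        name, data = m.groups()
        if current_deleted:
            ops.append(("ignored", current, line))
        elif data == "-":
            ops.append(("delete_value", current, name))
        elif data.lower().startswith("dword:"):
            ops.append(("set_dword", current, name, int(data[6:], 16)))
        else:
            raise ValueError("unsupported data type: " + line)
    return ops


def zone_assignments(ops):
    """Map (hive, domain) -> zone name for every ZoneMap "*" DWORD that is written."""
    result = OrderedDict()
    for op in ops:
        if op[0] != "set_dword":
            continue
        _, key, name, value = op
        m = ZONEMAP_RE.search(key)
        if m and name == "*":
            hive = key.split("\\", 1)[0]
            result[(hive, m.group(1).lower())] = ZONE_NAMES.get(value, "zone %d" % value)
    return result


def summarize(ops):
    """Count operations by type, e.g. {'delete_key': 2, 'delete_value': 3, ...}."""
    return Counter(op[0] for op in ops)


if __name__ == "__main__":
    ops = parse_reg(SAMPLE_REG)
    print(dict(summarize(ops)))
    for (hive, domain), zone in zone_assignments(ops).items():
        print(f"{hive}: {domain} -> {zone}")
```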
  21. craab

    craab Private E-2

    I'll be doing this tonight - Thank you for all the time you have put into helping me beat this thing. You all should be paid!
    I'll follow your directions, and post a HJT log when done. :)
     
  22. PhilliePhan

    PhilliePhan Guest

    AllRightyThen! Let me know how things shake out - I'm afraid this may not do the trick. This is a new wave of baddie that is, as yet, unstoppable!

    PP :)
     
  23. craab

    craab Private E-2

    Ok - I followed these instructions exactly -
    I have attached the HJT log after I completed all of the steps.
    There does not SEEM to be any of the hijacking left - but I am no expert.
    I await your appraisal of the situation.
    Thanks again,
    craab
     

  24. craab

    craab Private E-2

    Ok - I spoke too soon - it is still there...
    If it is unstoppable, is formatting my hard drive the only solution?
    I really do not want to do that....
    Ughhh...
    Thanks for your help...
     
  25. PhilliePhan

    PhilliePhan Guest

    Hi Craab,

    I hate to say it, but reformatting may be the way to go at this point. NOBODY knows how to kill this yet!

    But first...
    Did you have any trouble with the kalv***32.exe files??
    How many did you find?


    Fix these lines in HJT:


    O2 - BHO: (no name) - {B75F75B8-93F3-429D-FF34-660B206D897A} - C:\WINNT\system32\boln.dll
    O4 - HKLM\..\Run: [Systems Restart] Rundll32.exe boln.dll, DllRegisterServer
    O18 - Filter: text/html - (no CLSID) - (no file)


    Feed this to Pocket KillBox:

    C:\WINNT\system32\boln.dll

    NEXT:
    Run CCleaner , Ad-awareSE and Spybot S&D and have Spybot and Ad-aware fix what they find. EMPTY Recycle Bin (See if there are any problems doing this).

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Attach a fresh HJT log and let's see what came back! I'll check back as time permits. I'm curious to see what came back so soon.

    PP :)
     
  26. craab

    craab Private E-2

    No, I did not have trouble with those kalv***32.exe files- there were about 15 of them - and they are not there...
    Should I do your latest instructions in Safe Mode?
    Thanks - craab
     
    Last edited: Feb 8, 2005
  27. craab

    craab Private E-2

    Ok - I followed your instructions in safe mode - disconnected from the web.
    Then rebooted - ran HJT - reconnected to the web, and am posting the log.
    Thanks in advance!
    -craab
     

  28. craab

    craab Private E-2

    Also, all those ddd.exe and other files are showing up here:

    C:\Documents and Settings\Christian Raab.CHRISTIAN

    I am not sure what that means....
     
  29. PhilliePhan

    PhilliePhan Guest

    This darn thing keeps coming back with a vengeance!!
    O4 - HKLM\..\Run: [cvswvlik] c:\winnt\system32\cvswvlik.exe
    O15 - Trusted Zone: *.finefind.nettraffic2cash.biz


    That dddd.exe fits in somewhere, just that nobody knows where! It tends to infiltrate many different folders.
    I wish I could be of more help with this, but I do not know where to go with it now . . . Sorry! I imagine that, in a few weeks as this thing goes epidemic, the AV companies will find a fix. Until then, I do not know what to tell you. . . .

    If you want, try this:
    Please unzip the attached Generic Tool to a folder of your choice.

    Now, boot to Safe Mode and DoubleClick the rkfiles.bat to run the scan. It will take a while, so let it go until the DOS window closes.

    Then reboot to Normal Windows and look in C:\ Drive for a file named log.txt and attach it with your post. It might tell us something.

    PP :)
     
    Last edited by a moderator: Feb 12, 2005
  30. craab

    craab Private E-2

    Ok - I'll try the tool you attached. I really appreciate all of your help.
    This thing is nasty - but it has not totally killed my computer's ability to be productive. Do you think that if I can tough out a few weeks, there will be a fix in maybe a month or so online?
    I would rather try to wait it out than format my hard drive, and try to restore everything.
    What do you think?
    Thanks
    craab
     
  31. PhilliePhan

    PhilliePhan Guest

    I wouldn't be surprised if a fix is found soon. The nasty VX2 variant that has been going around was similarly unfixable last NOV - DEC. But about the middle of December some Generic Tools began to address it and we've been fixing that VX2 ever since! It is a matter of finding the superhidden crap that keeps reinstalling this stuff!

    I imagine the same will be true for some of these new baddies. It was your bad luck that you got hit with ALL of them at once!!
    All I can say is Hang in there! and keep checking back often.

    Go ahead and run that generic tool and let's see what it tells us, if anything.

    PP :)
     
  32. craab

    craab Private E-2

    Ok - will do this evening - thanks for all the support! :)
     
  33. PhilliePhan

    PhilliePhan Guest

    We are happy to try to help. Malware gets worse and worse each day and it is a challenge trying to keep up with it!

    I'll keep an eye open for your post.

    PP :)
     