New Elitebar Spyware Variant Causing Insanity!

Nick

I can only wish that the Microsoft Spyware removal tool
could remove the newest extra-sticky Elitebar variant. Even
more, I wish that AdAware and Spybot could help me in my
quest to vanquish the evil popups and system hangs. This
edition is sooo sticky it reinstalls with every removal. No
reboot required. Microsoft Antispyware removes it and it
comes back. Spybot removes it and it returns. AdAware
removes it and it reinstalls. Any help? (This is the worst
spyware I've ever seen.)
 
AndyManchesta

Hi Nick,

Usually it's not that hard to remove Elite Bar, but your
post says new variant, so maybe the fixes below are
already out of date. Try them in safe mode as well as the
other scanners you have. If this doesn't kill it then it may
take programs such as StartDreck & HijackThis to reveal
what's going on. (Copy this to Notepad so you can still
view it in safe mode if needed.)


Turn off your System Restore: go to Start > right-click My
Computer > choose Properties > then go to System Restore >
check the box 'Turn off System Restore', then press
Apply and exit.

Re-enable System Restore when you get it clean again by
following the above and unchecking 'Turn off System
Restore', then press Apply.



Download Ccleaner (remove temp & unused files)

http://download.ccleaner.com/download119bin.asp


Download the elite bar remover

http://www.simplytech.it/ETRemover/ETRemover_v130.zip

(This needs to be run in safe mode: reboot and tap F8
until you see the options page, then choose Safe Mode.)


Run the above remover in safe mode with System Restore
turned off, then CCleaner on all 3 settings (Windows, apps &
issues) and clear anything found. Reboot and see if it
still exists.



Plan B ;)


If the problems are still there use this batch file & reg
fix


Elite Bar Removal Batch File.

This attempts to remove all Elite Tool Bar entries.

Download from:

http://andymanchesta.com/Downloads/eliteremover.bat


Also download this regfix to remove all the reg values
related to elitebar

REGFIX DOWNLOAD

Right click this link and save the file to your desktop.

http://andymanchesta.com/Downloads/eliteremove.reg


Restart the PC in Safe Mode and then double click
the .bat file then run the reg fix.


Run the fix by double clicking on the eliteremove.reg
file.

You will receive a message "Are you sure you want to add
information to the registry".

Click "Yes".

Alternatively, if you prefer to do it manually, delete
all of the following registry entries found:

[-HKEY_LOCAL_MACHINE\Software\Elitum]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\DownloadManager]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\EliteBar Internet Explorer Toolbar]
[-HKEY_CLASSES_ROOT\CLSID\{0A1D22C3-37BE-470C-9C29-E3074EE0574B}]
[-HKEY_CLASSES_ROOT\CLSID\{28CAEFF3-0F18-4036-B504-51D73BD81ABC}]
[-HKEY_CLASSES_ROOT\CLSID\{28CAEFF3-0F18-4036-B504-51D73BD81C3A}]
[-HKEY_CLASSES_ROOT\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA880F}]
[-HKEY_CLASSES_ROOT\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA8DEF}]
[-HKEY_CLASSES_ROOT\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}]
[-HKEY_CLASSES_ROOT\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}]
[-HKEY_CLASSES_ROOT\Interface\{A9B28EF6-ABF3-463B-A3D8-4D0D0BADFADC}]
[-HKEY_CLASSES_ROOT\TypeLib\{CA9FC31A-6F35-4493-B629-E64BD6170A17}]
[-HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{28CAEFF3-0F18-4036-B504-51D73BD81ABC}]
[-HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA8DEF}]
[-HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{BE8D0059-D24D-4919-B76F-99F4A2203647}]
[-HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}]
[-HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{0A1D22C3-37BE-470C-9C29-E3074EE0574B}]
[-HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA880F}]
[-HKEY_LOCAL_MACHINE\Software\CLASSES\CLSID\{28CAEFF3-0F18-4036-B504-51D73BD81C3A}]
[-HKEY_LOCAL_MACHINE\Software\CLASSES\Interface\{A9B28EF6-ABF3-463B-A3D8-4D0D0BADFADC}]
[-HKEY_LOCAL_MACHINE\Software\CLASSES\TypeLib\{CA9FC31A-6F35-4493-B629-E64BD6170A17}\1.0]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{28CAEFF3-0F18-4036-B504-51D73BD81ABC}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{825CF5BD-8862-4430-B771-0C15C5CA8DEF}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BE8D0059-D24D-4919-B76F-99F4A2203647}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{ED103D9F-3070-4580-AB1E-E5C179C1AE41}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0A1D22C3-37BE-470C-9C29-E3074EE0574B}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{825CF5BD-8862-4430-B771-0C15C5CA880F}]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{28CAEFF3-0F18-4036-B504-51D73BD81C3A}]

And delete the following registry key values.

[HKEY_CURRENT_USER\Software\LQ] "ohb_ie_plugin"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "antiware"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "kalvsys"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "msnmsgq32"=-
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run] "SheduIer"=-



While in safe mode, delete any of these files that you
find.

You may need to enable hidden files and folders

Go to My Computer -> Tools/View -> Folder Options -> View tab
and make sure that 'Show hidden files and folders'
is enabled. Also make sure that 'Display the contents of
system folders' is checked. Uncheck the box 'Hide
extensions for known file types', then press Apply.

You can reset this back later by opening the same page
and pressing ' restore defaults '


Windows XP's search feature is a little different. When
searching you click on 'All files and folders' on the
left pane,
click on the 'More advanced options' at the bottom. Make
sure that Search system folders, Search hidden files and
folders, and Search subfolders are checked.



If any of the following directories exist, delete them.

C:\WINDOWS\EliteToolBar
C:\WINDOWS\EliteSideBar
C:\WINDOWS\EliteBar
C:\WINDOWS\System32\EliteToolBar
C:\WINDOWS\System32\EliteSideBar
C:\WINDOWS\System32\EliteBar
C:\WINDOWS\System32\Elite[3 random letters]32.exe
C:\WINDOWS\System32\kalv[3 random letters]32.exe

Using the Start Menu Find / Search facility, search for
the following filenames. If any are found, delete them.

dl.exe
suicidetb.exe
kal*sys.exe
elite*32.exe
shawn_1.dll
silent_install.exe
protection.exe
protection_update.exe
Bkmsf32.dat




Open Internet Explorer, from the main menu select Tools,
then Internet Options. Go to the Programs tab and choose
Reset Web Settings.


Go to Start > Run and type

prefetch

Check this folder for any reference to the above files. If
you're unsure, remove everything to be safe, as they are not
needed.


Run Ccleaner Again


Reboot and see if it's gone.


The Elite Bar is sometimes installed by trojan
downloaders
(Trojan.Win32.StartPage.nk, Trojan/Startpage.KS,
Adclicker.Ba, Trojan_Small.ZO,
TrojanDownloader:Win32/Plirt.A,
Trojan-Downloader.Win32.Small.vv, Win32.Startpage.KR!downloader).

Using this damage cleanup tool from Trend Micro will
remove all these if any are on your system.

http://www.trendmicro.com/ftp/products/tsc/tsc.zip



If it's still there after all this, email me the address of
where you downloaded it from and I'll check it out and
get back to you.


Regards Andy
 
Nick

Andy,
I would like to thank you for your speedy help in resolving
this issue. I am already underway in performing the steps
you suggested and would like to express my deepest gratitude.

Thanks very much,
Nick
 
AndyManchesta

No problem Nick,


If you have any problems let me know. Elitebar also uses an
entry in the Windows system folder with Win(3 random
letters)32.exe but I've left this off the list as it's
a bit risky to delete the file. There is a genuine
Winhlp32.exe file in the same folder, so I think it would be
safer to use HijackThis and see if that file exists if
it's needed.

See how you get on with the fixes though. If you're lucky
the remover by simplytech will fix it for you.


Andy
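
Added example (not part of the original posts): a small triage helper that sorts a file listing using the names from the thread, keeping the Win(3 random letters)32.exe pattern in a separate "review" bucket and skipping the genuine Winhlp32.exe. Matching on file name alone, the function names and the sample paths are assumptions made for this illustration.

```python
import fnmatch
import re
from pathlib import PureWindowsPath

# File names and wildcards taken from the search list in the thread (lower-cased).
LISTED = ["dl.exe", "suicidetb.exe", "kal*sys.exe", "elite*32.exe",
          "shawn_1.dll", "silent_install.exe", "protection.exe",
          "protection_update.exe", "bkmsf32.dat"]
# "Elite[3 random letters]32.exe" / "kalv[3 random letters]32.exe" from the thread.
RANDOM_NAME = re.compile(r"(elite|kalv)[a-z]{3}32\.exe")
# "Win(3 random letters)32.exe": deliberately left off the delete list in the thread.
WIN_NAME = re.compile(r"win[a-z]{3}32\.exe")
GENUINE = {"winhlp32.exe"}  # the legitimate file the thread warns about


def classify(path):
    """Return 'listed', 'review' or 'ignore' for one Windows file path."""
    name = PureWindowsPath(path).name.lower()
    if RANDOM_NAME.fullmatch(name) or any(
            fnmatch.fnmatchcase(name, pat) for pat in LISTED):
        return "listed"
    if WIN_NAME.fullmatch(name):
        # Same shape as the real help viewer: never auto-delete, check by hand.
        return "ignore" if name in GENUINE else "review"
    return "ignore"


def triage(paths):
    """Group paths by classification, dropping the ones that match nothing."""
    report = {"listed": [], "review": []}
    for path in paths:
        verdict = classify(path)
        if verdict != "ignore":
            report[verdict].append(path)
    return report


# Constructed sample listing (not taken from a real machine).
SAMPLE = [
    r"C:\WINDOWS\System32\kalvqwe32.exe",
    r"C:\WINDOWS\System32\EliteXyz32.exe",
    r"C:\WINDOWS\System32\Winhlp32.exe",
    r"C:\WINDOWS\System32\winbrt32.exe",
    r"C:\WINDOWS\System32\notepad.exe",
    r"C:\Documents and Settings\user\Local Settings\Temp\silent_install.exe",
]

if __name__ == "__main__":
    for verdict, hits in triage(SAMPLE).items():
        print(verdict, hits)
```

Files in the "review" bucket are the ones to check with HijackThis before touching, as the post above advises.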
 
AndyManchesta said:
No problem Nick,


If you have any problems let me know. Elitebar also uses an
entry in the Windows system folder with Win(3 random
letters)32.exe but I've left this off the list as it's
a bit risky to delete the file. There is a genuine
Winhlp32.exe file in the same folder, so I think it would be
safer to use HijackThis and see if that file exists if
it's needed.

See how you get on with the fixes though. If you're lucky
the remover by simplytech will fix it for you.


Andy

Andy,
I decided that since Nick had had such positive results I'd give them a whirl. They probably work really well. My problem is that it took me 1/2 hour just to turn off System Restore. Elite Tool Bar has such a hold that I couldn't get online to download the solutions! I switched back to my old computer. Do you suppose burning a CD with the download and using that instead of trying to get online would work?
 
