Spyware won't die! Elite toolbar

  • Thread starter IDAFC21
  • 19 comments
  • 1,126 views
Anyone ever have to deal with that annoying Elite toolbar spyware?? This thing really is a gem, lemme tell ya. No spyware program can get rid of it because it masks itself and buries files in the registry, and even two removal programs I've downloaded that were SPECIFICALLY made to get rid of this thing couldn't get rid of it. Here's a HijackThis log; if anyone's dealt with this before, could you tell me where the bad files are, or maybe point me in the direction of some geek forum that might be able to help me out? I'm getting sick and tired of pop-ups every 20 seconds. I damn near put my fist through my monitor yesterday.

Logfile of HijackThis v1.99.1
Scan saved at 4:28:52 PM, on 4/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\CoolMon\CoolMon.exe
C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\INCRED~1\bin\ImNotfy.exe
C:\Program Files\hijack this\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.gtplanet.net/forum/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitezzl32.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian pr14\PeerGuardian_1.99b_pr14.exe
O4 - Startup: CoolMon.lnk = C:\Program Files\CoolMon\CoolMon.exe
O4 - Startup: ObjectDock.lnk = C:\Program Files\Stardock\ObjectDock\ObjectDock.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://download.rfwnad.com/cab/ddm_control.CAB
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/18722de77638a6643120/...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX/kdx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E91979B8-E639-4AD0-860C-0B369BA83A38}: NameServer = 68.2.16.30,68.2.16.25
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: GFI LANguard N.S.S. 5.0 attendant service - Unknown owner - C:\Program Files\GFI\LANguard Network Security Scanner 5.0\lnssatt.exe" -service (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
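As an added triage example (not code from this thread or from HijackThis), the Python below parses lines in the log format above and flags the four entry types a defender would check first: an O3 toolbar registered with "(no file)", an O4 Run entry whose binary lives in system32 but is not on an analyst allowlist, an O16 ActiveX download from a host outside an allowlist, and an O23 service whose file is missing. The sample lines, allowlists and heuristics are constructed assumptions, and each hit is a lead for an analyst, not a verdict.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of a HijackThis v1.99 log: an O3 toolbar, O4 Run
# keys, O16 ActiveX downloads and an O23 service. GUIDs and paths are illustrative.
SAMPLE_LOG = r"""
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitezzl32.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/bin/AvSniff.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://download.rfwnad.com/cab/crack.CAB
O23 - Service: GFI LANguard attendant - Unknown owner - C:\Program Files\GFI\lnssatt.exe" -service (file missing)
"""

# Assumed analyst-maintained allowlists; extend them for the machine being triaged.
KNOWN_SYSTEM32_AUTORUNS = {"nerocheck.exe"}
TRUSTED_DPF_HOSTS = {"security.symantec.com", "download.weatherbug.com"}

O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\}.*? - (?P<url>\S+)$")

def image_path(cmd):
    """Strip surrounding quotes and trailing arguments from a Run value.
    Unquoted paths containing spaces are not resolved here (known limitation)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split(" ")[0]

def triage(log_text):
    """Return (section, detail, reason) triples for entries that deserve a look."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if line.startswith("O3 ") and line.endswith("(no file)"):
            # Orphaned toolbar CLSID: the registration survived but its DLL is gone.
            findings.append(("O3", line.split(" - ")[2], "toolbar CLSID with no file on disk"))
        elif (m := O4_RE.match(line)):
            path = image_path(m["cmd"]).lower()
            if "\\system32\\" in path and path.rsplit("\\", 1)[-1] not in KNOWN_SYSTEM32_AUTORUNS:
                findings.append(("O4", m["name"], "unrecognised autorun binary in system32"))
        elif (m := O16_RE.match(line)):
            host = urlparse(m["url"]).hostname
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(("O16", host, "ActiveX download from host outside allowlist"))
        elif line.startswith("O23 ") and line.endswith("(file missing)"):
            # Stale service registration: harmless by itself, but worth cleaning up.
            findings.append(("O23", line.split(" - ")[1].removeprefix("Service: "), "service binary missing"))
    return findings
```

Run `triage(SAMPLE_LOG)` against a real log pasted into `SAMPLE_LOG`; the allowlists are the part you tune per machine.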
 
I think I may have done it. I tracked one of the little bastard .exe's down in the startup through msconfig, so I unchecked that, booted to safe mode, hunted down 3 more rogues in the windows/system32 folder, and deleted all of those. Ran Spybot and cleared it up, then for good measure I deleted all my cookies and temp internet files, and ran the Elite toolbar remover program one last time for good measure. Did a quick search for any files or folders that still might house something and didn't readily see anything, so I rebooted back to normal mode, ran Spybot and Ad-Aware and it came up nil. No popups yet either, which I'd usually start to get swamped with as soon as Windows loaded before... I... think it's gone! Thank the heavens, where's the Tylenol?
 
I had some crap like that; didn't matter what I did, I couldn't get rid of it.

I did a system restore and that got rid of it like Slick6 said.
 
I ran a Spybot scan a few days ago. Everything came up clean. Today, after reading about all this spyware talk, I decided to update all my spyware/adware programs. I updated Spybot and did a scan. It found 58 spyware programs in my computer that were under Back Web lite.

For those of you with Spybot, you might want to update it and run a scan right now.
 
Tried Microsoft's "Giant Anti-Spyware" tool?

It's pretty good.
 
If it doesn't get it, then boot in safe mode and run it again.
Try a system restore? That should cure it.
I suggest switching to Firefox after you fix this issue.
For those of you with Spybot, you might want to update it and run a scan right now.
Tried Microsoft's "Giant Anti-Spyware" tool? It's pretty good.


All excellent suggestions. I would like to make a few of my own.

A) Burn all your important data to CD / DVD.
B) Format your hard drive.
C) Reinstall OS.
D) Patch patch patch ...
E) Install only necessary software.
F) Patch patch patch ...

Necessary software includes:
FIREFOX
Quality virus scanner (generally that means it's worth paying for): Symantec, McAfee, etc.

Do not ever launch Internet Explorer or Outlook (Express). Do not install questionable software (pirated stuff you find on the internet). Do not go to questionable websites. Do not open email from people you do not know.

Honestly, the only way to guarantee that you have removed all the 'bad stuff' from your computer is to format the drive and start over. At my office I support ~35 Windows machines. I've spent untold hours hunting down a crappy virus or spyware only for it to show right back up, when I could have spent about four hours reinstalling everything. The next step is to make sure you don't put it back on.
 
There's some spyware program on my PC which I can't get rid of. Istsvc. Every time I turn on my PC, a folder appears with istsvc in it. I tried clicking delete, and it said it was in use. I used Task Manager to make sure it wasn't in use, and it still said it was. Pain in the a***.
 
jreay21
There's some spyware program on my PC which I can't get rid of. Istsvc. Every time I turn on my PC, a folder appears with istsvc in it. I tried clicking delete, and it said it was in use. I used Task Manager to make sure it wasn't in use, and it still said it was. Pain in the a***.

That's the IST.IST Bar, awful thing. Ad-Aware cleared that for me.
 
skip0110
Haha, my dad works at CA and writes part of the eTrust virus scanner code...if you knew my dad you wouldn't use that software ;) :lol:
Yeah, thanks. You've been a big help. :rolleyes:

OK, I've been able to get rid of most of them myself and with the help of SpySubtract, which I just downloaded and ran. It caught 25 spyware and adware items that Spybot and Ad-Aware didn't catch. Too bad it's a 30-day trial only. Plus, I didn't want to run their "Venus Spy Trap" so I answered no, but it's running anyway. I don't like it when I don't want something and it gives it to me anyway. So, if they're going to give it to me regardless, why ask me in the first place?

I got rid of all but the first three spyware that the eTrust scanner noted. They are located in "hkey". What the hell is that? How do I search for it? Where do I search for it? This is a new one for me.

Thanks for any true help you guys can give me.
 
Solid Lifters
I got rid of all but the first three spyware that the eTrust scanner noted. They are located in "hkey". What the hell is that? How do I search for it? Where do I search for it? This is a new one for me.
Jeez, I'm sorry.

HKEY is referring to a certain part of the registry.

Start->Run->type regedit

But the registry is a big place. I hope the exact location is specified to you.
 
skip0110
Jeez, I'm sorry.

HKEY is referring to a certain part of the registry.

Start->Run->type regedit

But the registry is a big place. I hope the exact location is specified to you.
Thank you very much! 👍

OK, so I look for the files and click on them. Then, should I delete the whole thing? I notice two items pop up for that file. One that has "default" and one that I guess is current. Should I delete both? I tried it, and it seems to work fine so far.
 
I'd be careful with stuff in the registry. Delete the wrong thing and say bye-bye to your computer. Does the spyware program tell you what spyware they're associated with, or what the file names are that are in the HKEY? If you can find that out you should Google it and you'll probably find a way to get rid of 'em safely.
 
IDAFC21
I'd be careful with stuff in the registry. Delete the wrong thing and say bye-bye to your computer. Does the spyware program tell you what spyware they're associated with, or what the file names are that are in the HKEY? If you can find that out you should Google it and you'll probably find a way to get rid of 'em safely.
Well, so far so good. I have no problems whatsoever. I do get a "Back Web" error when my computer starts up. All I do is clear it, and everything is fine. But that was removed during the Spybot scan, and I can always bring them back. But, I don't have a need to. I don't care about the warning that pops up since nothing goes wrong.

The eTrust scan gave me the exact location of the problem, and I deleted them. No ill effects whatsoever. I hope it stays that way.
 