Please Help! Irritating pop-up - Elitebar and Searchmiracle
-
Hi,
Could someone give me some pointers on how to remove Elitebar/Searchmiracle??
I've tried removing all the files and registry entries using Ad-aware and Spybot. I've even removed them manually from the registry.
The program keeps on re-installing itself after I reboot my PC. It also pops up irritating windows every few minutes.
Here is the HijackThis log after I did a clean up using Ad-aware:
Logfile of HijackThis v1.98.2
Scan saved at 1:33:54 PM, on 6/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\TNGSD\BIN\SDSERV.EXE
c:\sapdb\programs\pgm\serv.exe
C:\WINDOWS\System32\Drivers\ldlcserv.exe
C:\TNGSD\BIN\TRIGGAG.EXE
C:\SxpInst\sxplog32.exe
C:\WINDOWS\Explorer.EXE
C:\TNGSD\BIN\triggusr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\CA\eTrust Antivirus\Realmon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\SAPDB\C11\DB\pgm\kernel.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SAP\JDT\eclipse\SapIde.exe
C:\j2sdk1.4.2_04\bin\javaw.exe
C:\PROGRA~1\QUESTS~1\TOAD\TOAD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\hijackthis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvkeh32.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB98E09B-A02B-428B-89D7-ADC02CB17224}: NameServer = 172.31.11.1
-
This may be of some use: have you tried turning System Restore off before you run Ad-aware etc.? Then once (if) they're clear, turn System Restore back on.
If it's stuck in there it will keep reappearing every time you reboot.
Sorry, I know nothing about hijack logs.
-
Hi elrond elros, welcome to d-a-l, the online computer help forum. Please try what brain damage has suggested, then post another HJT log if you are still having problems, and one of the moderators will advise the best course of action.
Please be patient, as I know that there is a bit of a backlog at the mo, but I am sure it will not take too long.
cheers
-
Do a search for this file and delete it in safe mode.
C:\windows\system32\kalvkeh32.exe
Restart your PC and install XP Service Pack 2.
-
Thanks a million!!! My system seems to be back to normal after disabling system restore and cleaning the registry. At least Elitebar doesn't come back...
kalvkeh32.exe is not found in my system though.
Ad-aware is still detecting Ebates MoneyMaker in my registry though. I've been cleaning it many times but it always comes back. I've cleared all my cache and cookies. It doesn't seem to do anything drastic, is it safe to leave it in my machine?
Here is my new HijackThis log:
Logfile of HijackThis v1.98.2
Scan saved at 10:39:35 AM, on 7/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\trcboot.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\Program Files\CA\SharedComponents\CA_LIC\LogWatNT.exe
C:\TNGSD\BIN\SDSERV.EXE
c:\sapdb\programs\pgm\serv.exe
C:\WINDOWS\System32\Drivers\ldlcserv.exe
C:\TNGSD\BIN\TRIGGAG.EXE
C:\SxpInst\sxplog32.exe
C:\WINDOWS\Explorer.EXE
C:\TNGSD\BIN\triggusr.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\CA\eTrust Antivirus\Realmon.exe
C:\hijackthis\hijackthis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvkeh32.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB98E09B-A02B-428B-89D7-ADC02CB17224}: NameServer = 172.31.11.1
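Added example, not part of any post in this thread: a small Python triage helper that reads a HijackThis log, collects the F2 (UserInit) and O4 (Run key / Startup folder) autostart entries, and lists those whose target has no matching entry under "Running processes". The function names are hypothetical, and the sample input is an excerpt of the log above with the process list shortened and the wrapped UserInit path rejoined.

```python
import ntpath
import re
# Excerpt of the second HijackThis log in this thread (process list shortened).
LOG = r"""Running processes:
C:\SxpInst\sxplog32.exe
C:\WINDOWS\Explorer.EXE
C:\TNGSD\BIN\triggusr.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,C:\SxpInst\sxplog32.exe
O4 - HKLM\..\Run: [SDJobCheck] triggusr.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvkeh32.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.*)$")          # any HijackThis section line
RUN = re.compile(r"^(.+?\\Run): \[(.+?)\] (.+)$")   # O4 Run-key entry

def image_name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path.strip().strip('"')).lower()

def autostarts(log):
    """Return (running image names, [(source, target)]) for F2/O4 entries."""
    running, entries, in_procs = set(), [], False
    for line in log.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m is None:
            if line == "Running processes:":
                in_procs = True
            elif in_procs and line:
                running.add(image_name(line))
            continue
        in_procs = False                 # first section line ends the process list
        code, rest = m.groups()
        run = RUN.match(rest)
        if code == "F2" and "UserInit=" in rest:
            for p in rest.split("UserInit=", 1)[1].split(","):
                if p.strip() and image_name(p) != "userinit.exe":
                    entries.append(("UserInit", p.strip()))   # extra program chained to logon
        elif code == "O4" and run:
            entries.append((run.group(2), run.group(3)))
        elif code == "O4" and " = " in rest:
            entries.append(tuple(rest.split(": ", 1)[1].split(" = ", 1)))
    return running, entries

def not_running(log):
    """Autostart entries whose target image is absent from the process list."""
    running, entries = autostarts(log)
    return [(src, tgt) for src, tgt in entries if image_name(tgt) not in running]
```

An entry in this list is only a lead for manual checking: the target may simply not have been started, or, as with the `kalvsys` value here, the registry entry may point at a file that is missing from disk.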
-
Did you try to delete in safe mode?
-
Hi jaynee,
I'm not exactly sure if you're referring to the file kalvkeh32.exe or the registry entries.
I can't find the file in either safe or normal mode.
Yes, I have tried deleting the registry entries in safe mode, but it still comes back.
Thanks for your help. Very much appreciated.
-
Did you show hidden files?
From the Control Panel, click the Folder Options icon.
When the Folder Options dialog box appears, select the View tab.
Open the Hidden Files and Folders item and check the Show Hidden Files and Folders option.
Click OK to register your changes.
-
Yup. Hidden files and folders are displayed. In fact, I've even unchecked Hide protected operating system files.
The browser pop-up window "Search result for poker online" is back!!! It's trying to link to "http://searchmiracle.com/ads/search.php".
-
Have you tried running in safe mode with System Restore turned off, and doing a full search? Are they appearing in Add/Remove in Control Panel?