Need Help Removing SearchMiracle and Elite Toolbar

[Heckler]

 
Hi,

I did a search and did not find anything on this.
I am having a very difficult time removing searchmiracle from  a pc. I have tried using the following spyware removers to no avail. AdWare, Spysweeper, Microsoft's Spyware Cleaner/Remover & Hijack This. I have tried many suggestions on other forums to no avail. Any help is appreciated, I am a sys analyst so get as technical as you have to. I have already tried cleaning the registry and zero results, just can't remove this bug. BTW, all the spyware removers tell me they find it and delete it only to re-boot and find it again. Thank You in advance for any suggestions.

[dl65]

Heckler......How about running hijackthis and posting the log file for us to look at ......I've been doing a bit of looking and it appears that it's the best tool to use to clean it up . Have you run CW Shedder , it will identify and temporarily reset your home page.

dl65  

[dl65]

Heckler.....I neglected to ask what o/s is on the infected PC?
If you open your browser and go up to the "view" button and select toolbars .....does the elite toolbar show up there .......and if you go into control panel ......add/remove programs .........does Elite toolbar show up in there......if it does remove it .......but whats really required is the hijackthis log .

dl65  

[Heckler]

Thanks for the quick response.
It is running win2k SP4
I just re-booted the pc after running AD-Ware complete scan and so far no pop ups...not sure if this may have gotten it. Let me know what you think.

Here is the log file...

Logfile of HijackThis v1.99.0
Scan saved at 1:18:52 PM, on 1/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\WINNT\Explorer.EXE
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINNT\system32\ctfmon.exe
C:\Palm\HOTSYNC.EXE
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\unzipped\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = www.google.com
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvrgf32.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb028
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/mediaversion/005/latest/twophase.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = sdccc.org
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = sdccc.org
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = sdccc.org
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks

[merlin_2]

run spysweeper and disconnect from the net when sweeping?also this may help in the future>>http://www.wilderssecurity.net/bhblaster.html

or dump ie6 and use either firefix or avant browsers?

[dl65]

Heckler.....Ok .......Heres what I see ......

Have hijackthis remove .............
R3 - Default URLSearchHook is missing

Do you recognise this one ......
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb028      I dont recognise it ....I would consider removing it ........

All other entries look ok ...
Be sure to empty all the temp folders as well .

Reboot the pc and then see if things look ok .
I think I would also do a search in registry for Elite tool bar and miraclesearch just to be sure ..

let us know how it goes .

dl65  

[merlin_2]

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVGCtrl] "C:\PROGRA~1\AVPERS~1\AVGCTRL.EXE" /min
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
O4 - HKCU\..\Run: [Desktop Architect] "C:\PROGRAM FILES\DESKTOP ARCHITECT\DATRAY.EXE" -S
O4 - Global Startup: SECRETMAKER.lnk = C:\Program Files\SECRETMAKER\secretmaker.exe

on the hi-jackthis click the info button.

[Heckler]

dl65--

Thanks for your help and input. I think that when I ran the complete scan with AdWare it finally removed searchmiracle. I did delete the entries that you suggested as a precaution. The O8 mywebsearch is spyware as well so it's gone! :-)

I've installed Spyware Blaster to block any future junk from installing as well as Microsoft's spyware sw. I also inastalled Avant, I use it on m pc and works great.

Thanks to all for your response and assistance.

[merlin_2]

Read more here>http://www.wilderssecurity.net/bhblaster.html

[Heckler]

merlin_2
thanks for your response...reading it as we speak