Elite Toolbar nigthmare 1

[Polu]

Hello all.

I have been recently required to clean my girlfriend's laptop and it was like a zoologic full of virus, spyware and another exotic life-forms.

I found one specially dificult to remove. It is called "Elite toolbar". It presents itself as a helpful add-on for Internet Explorer but it is a real pest. It replaces your start page, continuosly open a number of pop up windows and so on.

I was not able to find an automated tool to remove it, so I have been reading diverse phorums and I am pretty sure that there must be different versions of this stuff, since I have read about various register entries and files that wasn't present on my girlfriend's laptop (Windows XP SP1).

Here is what I did to remove my particular version of this "elite" software:

- Start windows in Safe Mode.
- Search the registry for "Elite" word and remove all and every "Elite Toolbar" entry. In my particular case there was three entries
- Search the hard disk(s) for "EliteToolbar.dll" file and delete it. In my particular case there was two files at C:\Windows\System32 and at C:\Windows\EliteToolBar
- Search C:\Windows for kal*.exe and delete all. In my case, there was 8 files.
- Look in the registry at LOCAL_MACHINE and CURRENT_USER \Software\Microsoft\Windows\Current Version\Run, RunOnce, RunOnceEx and RunServices and remove any entries about any of the c:\windows\kal*.exe files
- Restart the computer and that's all. Elite Toolbar has gone.

Be careful because if you miss something, all the Elite Toolbar stuff will be regenerated in your hard disk and in your registry and you will have to start again.

I hope this will be helpful!

Best regards,

Polu.

 

[pechenegs]

why not just use Hijack this to zap it off after using adaware and spybot to clean up first?

pech

 

[pechenegs]

why not use hijack this to zap it off after cleaning up with adaware, spybot and CWshredder.

pech

 

[Polu]

Hello, pechenegs.

As I said, I was not able to find an automated tool to remove it. Regular antivirus/antispyware tools weren't able to clean it. I tried all the obvious things and didn't work

Thank you!

Polu.

 

[Polu]

Hello all, again.

It looks like a new definition file for Ad-aware has been released and it includes the Elite Toolbar.
So, anyone experiencing this trouble should download/update Ad-aware and run it.

http://www.lavasoftusa.com/support/download/

Thank you all.

Polu.

 

[3838]

Important: Turn Off your internet connection!
==================================
1) go to task manager (alt+del+cntl)and stop rundll32 process (keep doing this step since rundll32 will reactivate itself.) Also, stop running any other programs when you are doing this.

2) go to windower explorer to remove all "hide" options
Tools-Folder Options-View and uncheck all "Hide" options.

(from this point on, pls discuss with experts if you are not sure what you are doing.)

3) go to C:/ and examine all files, anything looks suspecious are target files to be removed.
Look for "Elite" and "Toolbar" in file names.

4) go to C:/WINDOWS/Program Files. Match unfamiliar program names to the list in "Add-Remove Programs" (start - setting - control). Anything looks suspicous are your target files to remove.

Look for "Elite" and "Toolbar" in file names. Also, there might be a "SED" program here, delete it!

5) go to C:/WINDOWS/SYSTEM and identify suspicious files as your target files to delete (I used date modified to narrow down to the ~date I thought I was hijacked.)
Look for "Elite" and "Toolbar" in file names.

6) "run regedit" and conduct a complete search of "toolbar" and any other references you think that are from spyware (those suspicious files you found in previous step.)

I was very bold, I actually delete the entire folder and/or the key relating to Elite tool bar. (Some people prefere to modify the values to "blank" when doing this. But I just don't care anymore at that point since I was ready to scratch and reinstall the system from grounds up.)


In all, I got rid of it after I repeat the step a few times. and run the set of anti-spywares a few times. I think you are using the same set of antispyware. This is sequence I run them

1) HijackThis (very bold again, I selected everything it finds and ask HIjackThis to remove them.)

Be sure you re-scan again and again (in the same session). It can help you to identify which keys are re-generated again in the background after you thought you had them removed.

2) CWShredder

3) Spybot

4) Ad-aware


*** Make sure you have the reference files updated for all those sharewares.

Good Luck!
3)

 

[WasHere]

I think I'd like to nominate Polu to receive some type of computer/tech award or honor, because my home computer was infected by the Elite toolbar, and I think because of it I had more than the usual pop-ups. I didn't see the Elite toolbar displayed. I had to go to the menu bar, choose View > Toolbars, and there it was. When I checked it on the menu bar, it's ugly presence was revealed! I was most concerned because our 'puter is a family computer, and I didn't want my kids to be exposed to the easily available sites of a very questionable nature. By following Polu's detailed instructions, I was able remove the Elite scourge. The only thing I did differently was at the second to last step. I didn't find the "kal*.exe" files in the specific folders mentioned, and just did a search of the registry and found two of 'em in different folders. Like another poster, I deleted entire folders in the registry labeled "Elite." My registry was greatly infected with "Elite". I didn't count the number of files, but they were about as numerous as the number of rats in 50 feet of a big city sewer line.

So, Polu is a great person in my book! Thanks so much, Polu!

 

[sparrownightmare]

Im going to have to try the manual approach to get rid of this bug too. I've tried Ad-Aware SE newest version and ref file, as well as Spyware Nuker 2005. Neither seem able to kill it although they try, Spyware Nuker says to reboot to complete the process but after reboot its still there. Im going to give one last try with Hijack This and if that doesnt work. well, Ill try a manual removal before losing it and reformatting. Wish me luck.

 

[REDixon]

I haven't had any luck with the adware removal tools either. I finally tracked the problem down to the fact that EliteToolbar (May the author of the "program" rot in the 7th, 8th, 9th and any other Nth hell I can think of) removes access rights except read from certain registry keys.

Rodney
McKee Foods Corporation

 

[Polu]

Hello.

I would like to express my gratitude to WasHere for these nice words. It is always good to know that I have helped someone.

Thank you, WasHere.

Polu.

 

[sparrownightmare]

I finally managed to get rid of it and all the junk it installed. it involved booting to the command prompt and doing some manual editing on the registry and some zapping of a lot of files. Not for the faint of heart.

 

[WasHere]

I feel everyone's pain re: the Elite ToolBar curse. After I rid my computer of it as I mentioned in my previous post, I was fine for a week or two. Then, I discovered it was back -- sort of like that "Jason" character in the "Halloween" series of movies who keeps on poppin' up. I went through the routine again as outlined by "fantastic" Polu, along w/ my tiny modification (as mentioned in my last post), and made it die a second time. Recently too, I finally installed all Microsoft products updates and patches through the IE browser, and since then, I've not seen a third appearance. So, I don't know if that'd help anyone or if it's not even related.

I'm glad to see SparrowNightmare had success! Also, I chuckled when I read what DEDixon proposes for the creators of this Nightmare toolbar. C'mon DEDixon, you're being way too nice! :>)

 

[sparrownightmare]

We should really start a thread to discuss what we would do to the morons who write these annoying codeparasites, if we ever got five minutes alone in a room full of kitchen utensils with them.

 

[Lonnyb]

Try this remover tool. Worked good for me.

http://www.simplytech.it/ETRemover/

 

[pechenegs]

there's a new version of this pest called,

C:\WINDOWS\\etb\pokapoka68.exe
C:\WINDOWS\\\etb\\pokapoka70.exe
C:\WINDOWS\\etb\pokapoka69.exe

you need to get rid of the folder etb.

here's a new tool for cleaning it off, usually I use hijack this and the killbox on it as well as the old elitebar tool remover as listed above by Lonnyb!!

http://users.pandora.be/bluepatchy/miekiemoes/tools/LQfix.exe