PopUps Will Not Stop - eliteycn32.exe causing the problem?

Posted on 2005-04-19
Last Modified: 2010-04-11
I've run MS Antispy, Spybot S&D, Adaware, and SpySubtract.  I've pasted my log file from HijackThis into  After I remove "eliteycn32.exe" the system seems calm and the popups stop.  When I reboot, it (or something else) seems to reinstall itself and the popups are back.  I'm on a corporate server behind a firewall.  

Any suggestions?

Logfile of HijackThis v1.99.1
Scan saved at 8:08:46 AM, on 4/19/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\interMute\SpySubtract\SpySub.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Microsoft Office\Office\WINWORD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\CwbSvStr.Exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\eliteycn32.exe
O4 - HKCU\..\Run: [Matador] "C:\PROGRA~1\MAILFR~1\mantispm.exe" -quiet
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = graniterock.corp
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = graniterock.corp
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = graniterock.corp
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Client Access Express Remote Command (Cwbrxd) - IBM Corporation - C:\WINNT\CWBRXD.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe

Question by:Pauldude
    LVL 12

    Expert Comment


    Try this "Elitebar" Fix -

    Restart your computer.
    Then do the following:

    With all browser windows closed - run HijackThis and
    copy and paste the log file into the Analysis site here:

    Click on the "Analyze" button; and when the analysis is done -
    Click on the "Save Analysis" button -
    A page will be generated with your saved analysis -
    Post a LINK to that page back here.

    Please, do not post your log file here!

    We'll take a look at it!  :)

    Good luck!

    Author Comment


    Thanks for the post, sorry about the log.  Ran EliteToolbar Remover, but it did not find anything (I ran it in the normal mode, not safe mode, is that right?).  Popups still occur, but not as often.  The link to the Hijack analysis is:
    LVL 12

    Expert Comment


    I'm looking at your log file right now.
    If you don't hear from me soon, it's because we're having Internet connectivity problems.  :(
    Be back soon!

    LVL 3

    Expert Comment

    Hi paul,
    Please download SpywareBlaster. This helps block most popups. Are you using any type of popup blocker?
    If not, try to download one. I advise you to download Google Toolbar; it works perfectly for me. But before that, download SpywareBlaster. Here is the link
    Let me know the results. Thanks
    LVL 12

    Accepted Solution

    You should copy and paste these instructions into Notepad - you're going to go into "safe" mode -
    might be good to have them handy.
    Make sure "Show all Files and Folders", including hidden and system, is enabled.
    Turn off "System Restore"

    Click on "Start" - click on "Run" - in the run box, type "services.msc" (without quotes)
    Scroll through the list of "Services"  and look for this:
    System Startup Service  (SvcProc)
    This is not a valid "Service" - it's "Malware"
    Stop it, then disable it.

    Run Task Manager and look for anything related to "Etb", "Elite", "Svc", "SvcProc", etc. -
    "Kill" any that you find.
    If you're not sure about anything - post what it is back here.

    With all browser windows closed -
    Run HijackThis and fix the following:

    O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\eliteycn32.exe
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe

    Clean out all your "temp" files -
    # C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
    # C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
      <=This will delete all your cached internet content including cookies.
      This is recommended and strongly suggested!
        However, if you delete all your cookies - this can affect your stored Internet passwords
        and your ability to logon automatically to various sites.
        So, consider deleting all your cookies - optional
    # C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
    # C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
    # C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)

    Empty your "Recycle Bin".

    Restart your computer into "Safe" mode -
    press the F8 key, repeatedly as soon as your computer begins to start -
    then, choose "Safe Mode" from the menu.

    Do the same thing with Task Manager and "services.msc" - that you did above -
    to make sure that none of this stuff is running.
    If it is - "Kill" it or "Disable" it.

    Search your entire computer for anything related to -
    "ETBrun", "Elite", "Elitebar", "Elitum", eliteycn32.exe, elitemgr32.exe, etc.
    Check the "system32", "dllcache", "Prefetch" folders.
    Delete all that you find - files, as well as Folders.
    Do the same for svcproc.exe
    Unsure about anything - just ask!

    Clean out all your "temp" files.

    Empty the "Recycle Bin".

    Restart your computer into "normal" mode.

    Run HijackThis again -
    Run your log through the Analysis site -
    Post a LINK to your HJT log file back here.


    Question/problems? - let us know!
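
Added example, not part of the original thread: the log in the question shows two separate autostart points (the `etbrun` Run value and the `SvcProc` service), which is why deleting the file alone did not survive a reboot. This Python sketch parses O4 Run-key and O23 service lines from a HijackThis log and lists any that still match the search terms from the accepted answer; the function names are assumptions, and the sample lines are copied from the question's log.

```python
import re

# Search terms taken from the accepted answer's cleanup steps.
TERMS = ("etb", "elite", "svcproc")

# O4 - HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")
# O23 - Service: display name - owner - image path
SVC_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - ([A-Za-z]:\\.+)$")

# Five lines copied from the HijackThis log in the question.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [etbrun] C:\winnt\system32\eliteycn32.exe
O4 - HKCU\..\Run: [Matador] "C:\PROGRA~1\MAILFR~1\mantispm.exe" -quiet
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: System Startup Service  (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
"""

def parse_autostarts(log_text):
    """Return one dict per O4 Run-key line and O23 service line."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        run, svc = RUN_RE.match(line), SVC_RE.match(line)
        if run:
            hive, key, name, cmd = run.groups()
            entries.append({"kind": "run-key", "where": f"{hive}\\{key}",
                            "name": name, "owner": None, "target": cmd})
        elif svc:
            name, owner, path = svc.groups()
            entries.append({"kind": "service", "where": "services",
                            "name": name, "owner": owner, "target": path})
    return entries

def remaining_persistence(log_text, terms=TERMS):
    """Entries whose name or target contains any term (case-insensitive)."""
    hits = []
    for e in parse_autostarts(log_text):
        haystack = f"{e['name']} {e['target']}".lower()
        matched = [t for t in terms if t in haystack]
        if matched:
            hits.append((e["kind"], e["name"], e["target"], matched))
    return hits

if __name__ == "__main__":
    for kind, name, target, matched in remaining_persistence(SAMPLE_LOG):
        print(f"{kind:8} {name!r} -> {target} (matched {matched})")
```

Run against the log taken after the final reboot, an empty result means neither autostart entry came back; note that "Unknown owner" alone is not the criterion, since the ATI service carries it too.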

    Author Comment

    Problem solved.  Not sure which step did it, but they're gone.  Thank you.  
    LVL 12

    Expert Comment


    Glad to hear it!
    Here are some tips, to reduce the potential for spyware infection in the future -

        * Spywareblaster <= SpywareBlaster will prevent spyware from being installed -

        * Spywareguard <= SpywareGuard offers realtime protection
          from spyware installation attempts.

        * How to use Ad-Aware to remove Spyware
          <= If you suspect that you have spyware installed on your computer,
          here are instructions on how to download, install and then use Ad-Aware.

        * How to use Spybot to remove Spyware
          <= If you suspect that you have spyware installed on your computer,
          here are instructions on how to download, install and then use Spybot.
          Similar to Ad-Aware, I strongly recommend both to catch most spyware.

        * Run CWShredder - to remove numerous variants of {KoolWebSearch}
            {CWShredder - "stand-alone"} -

    To protect yourself further:

        * IE/Spyad <= IE/Spyad places over 4000 websites and domains
          in the IE Restricted list
          which will severely impair attempts to infect your system.
          It basically prevents any downloads (Cookies etc) from the sites listed,
          although you will still be able to connect to the sites.

        * MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file
          with one containing well known ad sites etc.
          Basically, this prevents your computer from connecting to those sites
          by redirecting them to which is your local computer

        * Google Toolbar <= Get the free google toolbar to help stop pop up windows.

    I also suggest that you delete any files from "temp", "tmp" folders.
    In Internet Explorer, click on "Tools" => "Internet Options" => "Delete Files"
    and select the box that says "Delete All Offline Content" and click on "OK" twice.
    Also, empty the recycle bin by right clicking on it and selecting "Empty Recycle Bin".
    These steps should be done on a regular basis.

    And also see TonyKlein's good advice
    So how did I get infected in the first place?

    Good luck!

    LVL 12

    Expert Comment


    Here's some information on closing a question:

