Elite Toolbar Virus Still!!!!!!


Well, in trying to get rid of my toolbar virus problem, I downloaded the program to remove the toolbar bug, but I'm still having outrageous pop-ups. In fact, it's difficult to even write this message.
So, this is my HijackThis log file. How do I manually delete stuff? Will that stop all of the pop-ups? Thanks a lot.

Ravit

http://www.hijackthis.de/logfiles/5e1d76586a82a79ab477e49744b5b6ff.html
looey3333 asked:
war1 commented:
Greetings, looey3333!

Sorry that removing the Elite Toolbar did not remove the popups. Check the following items in the HijackThis log and have HJT remove them.

C:\DOCUME~1\Owner\LOCALS~1\Temp\wupdt.exe

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfgmgr52.dll

O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O15 - Trusted Zone: www.shopbop.com

O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll

O20 - AppInit_DLLs: ctrlpan.dll
Cheers!
sirbounty commented:
Kill all the nasties in that list (you may have to reboot into Safe Mode).
And/or use MSConfig:

Start->Run->MSConfig
From Services, check "Hide non-MS services" and deselect the remainder; then uncheck all items (except for maybe anti-virus apps) in the Startup tab, reboot, and you should be able to clean it up.
blue_zee commented:

After running HJT, a good cleanup will also help.

Run CCleaner:

www.ccleaner.com

Zee
rossfingal commented:
As well as "Elitum/Elitebar" you are also showing other "nasties" -
a "Nail/Aurora" variant is one.

You're running HijackThis from a "temp" folder.
Move HijackThis to a folder of its own - something like:
C:\HJT\hijackthis.exe or C:\Program Files\HijackThis\hijackthis.exe
Do not run HijackThis directly from the "zip" file, the Desktop, or a "temp" folder.
HJT makes backups and it's good to have them in one centralized location.

You also have "Rootkit Revealer" running from a "temp" folder -
you should move it to a folder of its own.
When you run "CCleaner" (as advised by blue_zee above),
HijackThis and Rootkit Revealer will be removed!

Before you attempt to fix any of these -
you should probably turn off "System Restore"
(see the Symantec link below, concerning ctrlpan.dll)
Also, make sure the option to
"Show all Files and Folders", including hidden and system is enabled.

A search on the following exe files turns up nothing -
this is a "bad" sign!
You may want to check the properties on them -
however, I'm pretty sure they're "malware".
c:\winnt\system32\hclrjib.exe
C:\WINNT\System32\imastrm.exe
C:\WINNT\system\fdpputcmix.exe
C:\WINNT\System32\htupromn.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nupi.exe

These are known to be bad:
C:\DOCUME~1\Owner\LOCALS~1\Temp\HDW\aurareco.exe
C:\WINNT\System32\PSof1.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\wupdt.exe
O4 - HKLM\..\Run: [PSof1] C:\WINNT\System32\PSof1.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [u3rQ3pW] imastrm.exe
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\elitesai32.exe
O4 - HKLM\..\Run: [touqrzp] c:\winnt\system32\hclrjib.exe r
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\rlnprj.exe reg_run
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe

Here's some info on this entry:
O20 - AppInit_DLLs: ctrlpan.dll
http://securityresponse.symantec.com/avcenter/venc/data/trojan.bookmarker.b.h

It's probably best to try and deal with the "Nail/Aurora" variant first
(Elitebar is "usually" easier to remove - hopefully!  :)

Here's the current method for removing "Nail/Aurora".

You may want to print out or make a copy of these instructions before
starting, because you will not be able to connect to the internet during most
of this fix.

Please download, install, and update the free version of Ewido trojan scanner
from:
http://www.ewido.net/en/download/
Do Not have it scan yet!

   1. When installing, under "Additional Options" Uncheck -
      "Install background guard"
      And
      "Install scan via context menu".
   2. When you run ewido for the first time,
      you will get a warning "Database could not be found!".
      Click OK.
      This will be fixed in a moment.
   3. From the main ewido screen, click on update in the left menu,
      then click the Start update button.
   4. After the update finishes
      (the status bar at the bottom will display "Update successful")
   5. Exit Ewido. DO NOT scan yet.

Please download the Nail/Aurora Spyware Fix from:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
(Alternate download link: dknoppix mirror)
http://www.dknoppix.com/cgi-bin/download.cgi?Nailfix

Unzip it to the desktop but do NOT run yet!

Reboot into Safe Mode. To do this with Windows XP, you can follow these steps
from Microsoft:  http://support.microsoft.com/default.aspx?kbid=315222

   1. Restart your computer and start pressing the F8 key on your keyboard.
On a computer that is configured for booting to multiple operating systems,
you can press the F8 key when the Boot Menu appears.
   2. Select an option when the Windows Advanced Options menu appears, and
then press ENTER.
   3. When the Boot menu appears again, and the words "Safe Mode" appear in
blue at the bottom, select the installation that you want to start, and then
press ENTER.

Once in Safe Mode, please double-click on nailfix.cmd that you unzipped
earlier. Your desktop and icons will disappear and reappear, and a window
should open and close very quickly --- this is normal.

Next, run Ewido again.

   1. Click on the Scanner button in the left menu,
      then click on the Start button.
      This scan can take quite a while to run,
      so time to go get a drink and a snack.... :)
   2. If ewido finds anything, it will pop up a notification.
      You can select "clean" and check the boxes
      "Perform action with all infections"
      And
      "Create encrypted backup" before clicking on OK.
   3. When the scan finishes, click on "Save Report".
      This will create a text file.
      Make sure you know where to find this file again.

Then run HijackThis -
Click Scan -
Place a checkmark by the following items:

O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\rlnprj.exe reg_run

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe

Close all open windows except for HijackThis and click Fix Checked.

Now, run CCleaner.

   1. Uncheck "Cookies" under "Internet Explorer".
   2. If you're running Firefox:
      then click on the "Applications" tab and
      uncheck "Cookies" under "Firefox".
   3. Click on "Run Cleaner" in the lower right-hand corner.
      This can take quite a while to run, please be patient!

Empty your Recycle Bin.

Finally, restart your computer in normal mode.

With all browser windows closed, run HijackThis again -
Run your HJT log through the "Analysis" site -
Post a LINK to your new HJT log back here.

Good luck!
RF
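The two replies above (war1's list of HJT items to fix, and rossfingal's walk through the O4/O18/O20/O23 entries, temp-folder executables and "(no file)" references) amount to a set of triage rules for a HijackThis log. The script below is an added example, not HijackThis's code and not the hijackthis.de analyser: it parses log lines in the HJT format and flags the kinds of entries the replies single out. The known-bad file names are the ones named in this thread; the sample log is made up of entries quoted in the replies plus one constructed benign entry (the "ExampleAV" line), and every heuristic is an assumption of this example rather than a rule from the thread.

```python
"""Triage a HijackThis (HJT) log with the kinds of checks the replies in
this thread apply by hand. Added example; heuristics are this script's own."""
import re
from dataclasses import dataclass

# File names the replies in this thread call out as known-bad.
KNOWN_BAD = {"aurareco.exe", "psof1.exe", "wupdt.exe", "ctrlpan.dll",
             "cfgmgr52.dll", "casmf.dll", "svcproc.exe", "elitesai32.exe"}

# "O4 - rest of line"; the section prefix is optional so bare paths are accepted too.
ENTRY_RE = re.compile(r"^(?:(O\d+) - )?(.*)$")
# Full Windows paths ending in .exe/.dll (spaces allowed, e.g. "C:\Program Files\...").
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)\b", re.IGNORECASE)
# Any bare file name ending in .exe/.dll, so AppInit_DLLs-style entries without a path count.
NAME_RE = re.compile(r"[\w~.-]+\.(?:exe|dll)\b", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: list


def triage_line(line: str):
    """Return a Finding for one log line, or None when no rule fires."""
    line = line.strip()
    if not line:
        return None
    section, body = ENTRY_RE.match(line).groups()
    section = section or ""
    paths = PATH_RE.findall(body)
    names = {n.lower() for n in NAME_RE.findall(body)}
    reasons = []
    bad = sorted(names & KNOWN_BAD)
    if bad:
        reasons.append("known-bad file name: " + ", ".join(bad))
    if any("\\temp\\" in p.lower() for p in paths):
        reasons.append("executable lives in a temp folder")
    if "(no file)" in body:
        reasons.append("dangling entry: (no file)")
    if section == "O4" and not paths:
        reasons.append("O4 launch target given without a directory; locate the file before trusting it")
    if section == "O18" and "Filter: text/html" in body:
        reasons.append("MIME filter hooked on text/html")
    if section == "O20" and "AppInit_DLLs" in body:
        reasons.append("AppInit_DLLs is set (DLL loaded into every user-mode process)")
    if section == "O23" and "Unknown owner" in body:
        reasons.append("service with unknown owner")
    return Finding(line, reasons) if reasons else None


def triage_log(text: str):
    """Run triage_line over every line and keep only the lines that fired."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


# Constructed sample: entries quoted in the replies above plus one benign line.
SAMPLE_LOG = r"""
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINNT\cfgmgr52.dll
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\guard.exe
O4 - HKLM\..\Run: [u3rQ3pW] imastrm.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - AppInit_DLLs: ctrlpan.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINNT\svcproc.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
C:\DOCUME~1\Owner\LOCALS~1\Temp\HDW\aurareco.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINNT\cfgmgr52.dll,DllRun
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   -", reason)
```

Feed a saved HJT log to `triage_log()` and review the flagged lines by hand, as the replies do; the "(no file)" and AppInit_DLLs rules in particular are prompts to look closer, not verdicts, and a real log will contain legitimate entries that trip them.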

Tim Holman commented:
Autoruns is also useful in working out whether or not something has latched on to your system that shouldn't have:

http://www.sysinternals.com/Utilities/Autoruns.html

Then try SpyBot to clean up the rest of the mess:

http://www.safer-networking.org/en/download/

If any of these applications pick anything up, bear in mind you may need to disable System Restore AND run them again in SAFE MODE to ensure disinfection.

If this doesn't work, then at least we've eliminated 99.99% of what the problem may be...  :)
jonesy2k commented:
http://www.pctools.com/spyware-doctor/
Spyware Doctor is very good at removing malicious software (but unfortunately isn't free)
Jonesy
rossfingal commented:
Already advised them that it might be a good idea to turn off "System Restore"
>Quote
Before you attempt to fix any of these -
you should probably turn off "System Restore"
>Unquote
"Spyware Doctor" and/or "Autoruns" usually can't deal with this -
"Suppose" we'll see!
RF
Tim Holman commented:
You can run autoruns from a command line, which may help...