Posted

Occasionally, on log in, this appears:

 

ActiveToolBand

a BHO is installing

edSloater.exe

 

I think that's all I read. It disappears so fast it's hard to write it all down. And I can't call it up. It just drifts in from time to time.

 

SpySweeper displays it and asks if I want to allow it or not. And SpySweeper says "If you don't answer within _____seconds, I'm going to kick it out of here" (or words to that effect ;))

 

So I disallow it or let SpySweeper handle it.

 

Does anyone know what this thing is?

A sure sign of wisdom is being able to say "I don't Know".

Guest Wolfeymole
Posted

I dunno whether you have been down this road before Struggling but we'll try it anyway.

 

Follow the instructions below and get back to us.

 

Your computer could be infected with Malware.

 

  • Malware is software designed to infiltrate or damage a computer system without the owner's informed consent.
    It is a combination of the words malicious and software.
    The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

 

  • Required Cleanup Steps
    1. Disable the Spybot Search & Destroy TEA TIMER if you use it and if it is enabled
    2. Run a Temporary file and cache cleaner (ATF)
    3. Run 2 Anti-Malware scanners (Listed Below)
    4. Run an Online Anti-Virus / Anti-Malware Scanner (Listed Below)
    5. Clear out old System Restore points
    6. If continued Malware type activity is present you may be asked to post a TrendMicro™ HijackThis™ Log file, do not do so unless requested.

     

The reason to run multiple scanners is to ensure that no single scanner is missing something.

The time it takes will vary depending on your system and your internet connection speed.

Typically the SUPERAntiSpyware and Malwarebytes scanners will take between 10 and 90 minutes.

The ESET online scan should take between 1 and 3 hours.

In most cases, these scans will suffice to clean and disinfect your computer.

Heavily infected systems or slower PCs can take much longer to scan and clean.

 

For best results print the following instructions and bookmark this Web page

To keep this guide printer-friendly, use your cursor to highlight the contents below.

From your browser select File - Print and in the printer dialog box under "Print range" click the Selection choice to print out these instructions for removal of malware.

 

 

http://i306.photobucket.com/albums/nn266/FPCH/Malware%20Guide/printer-selection.gif

 

____________________________________________

STEP 1

  • Disable Spybot Search & Destroy's TEA TIMER: (if installed, if not go to Step 2)

    1. Run Spybot-S&D in Advanced Mode.

    2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"

    3. On the left hand side, Click on Tools

    4. Then click on the Resident Icon in the List

    5. Uncheck "Resident TeaTimer" and OK any prompts.

    6. Restart your computer.

     

__________________________________________________

STEP 2

  • Follow these instructions carefully.

  • Download ATF-Cleaner from
    to remove un-needed temporary files from your computer that may contain malware.

  • When you run ATF-Cleaner, check the items as shown below for Main.

  • For FireFox, be sure to click on the FireFox tab on top and check the items as shown below for FireFox

  • NOTE:
    If you don't have FireFox or Opera installed then they will be grayed out and can be ignored

  • Then click on "Empty Selected".

http://i306.photobucket.com/albums/nn266/FPCH/Malware%20Guide/atf-cleaner01.gif

http://i306.photobucket.com/albums/nn266/FPCH/Malware%20Guide/atf-cleaner02.gif

__________________________________________________

STEP 3

  • Install and run the free version (not the Professional version) of SUPERAntiSpyware from

    • Accept any prompts to allow SUPERAntiSpyware to install the latest rules and infection definition files.

    • You do not have to send them your e-mail address, just click next.

    • You can leave the automated check for updates on.

    • You can uncheck "Send a diagnostic report to research center" if you don't want to send the information.

    • DO NOT allow SUPERAntiSpyware to protect your Home Page settings.

    • On the Top Left select the Scan your computer button.

    • Make sure there is a CHECK MARK on all Fixed Drives.

    • Click "Perform a Complete Scan". Click "Next" to Repair issues found and reboot the computer when prompted to do so.

     

__________________________________________________

STEP 4

  • Install and run Malwarebytes' Anti-Malware from

    • Accept all defaults for the installer

    • Allow the program to update the definitions

    • Click on the Quick Scan and click Next.

    • If any items are found allow it to clean them and then Reboot your computer.

     

__________________________________________________

STEP 5

  • Run an online scan with ESET from

    • You must use Internet Explorer for this online scan. FireFox, Opera, etc. will not work for this scan.

    • If your computer is running Windows Vista, then you must first start Internet Explorer as an Administrator. To do so, right-click on the Internet Explorer icon in the Start Menu and select "Run as administrator" from the popup context menu.

     

    • Accept the terms and click "Start".

    • Once the scanner is ready, check "Remove found threats" AND "Scan unwanted applications".

    • Click "Start" to begin the scan.

    • When completed restart your computer

     

__________________________________________________

Make sure your internet firewall security is enabled, and then please return to Extreme Tech Support - Free PC Help and tell us how the computer seems to be operating.

At that time, you will receive instructions to assist you in removing malicious programs from your Add/Remove program list if warranted.

 

If required this is the download link for TrendMicro™ HijackThis™

Unless instructed to by the Technician helping you then do not download this tool.

 

Once you and the Technician agree that your system appears to be clean then you should delete all your System Restore points and recreate a new one.

Please follow the instructions here

How to turn off and turn on System Restore in Windows XP

How to turn off and turn on System Restore in Windows Vista

Posted

I just looked back a bit and noticed that this procedure suggested by Wolfeymole was given to you just a short time ago although I am not sure that you completed it.

 

I am not familiar with SpySweeper or its notification system but it may keep raising the same notice each time you boot until you make a decision.

 

The reason I asked you if you have an Acer is that there is an .exe file by that name that appears to be part of Acer's data security software. If you do have an Acer and are not experiencing any difficulties then it is probably safe to allow it.

 

On the other hand, if it is not, further investigation may be necessary. Malware can often attach to or create legitimate sounding files.

"Familiarity breeds contempt - and children."

Mark Twain

 

 

Posted

Yes, I have an Acer Aspire 9402WSMI. And yes, I was given the malware thing, printed it out and completed it. There was an immediate improvement. I put it on desktop and still run it occasionally for good measure.

 

  Quote

it may keep raising the same notice each time you boot until you make a decision

 

I jumped on the disallow button last time before SpySweeper handled it.

 

You indicated it may be a part of Acer's data security software, so I need to keep that in mind for the moment.

 

I am currently having no significant problems except for programs not responding 2 or 3 times daily. I drop to desktop and each time return to what I was doing and life goes on.

 

I've been considering the issue just one of those little inconveniences. In contrast to the big picture (remember the MESS I had that you guys helped me out of?! :eek:), the not responding thing doesn't seem too bad. Or does it?

 

I'll jump off of here right now and go run malwarebytes again.

A sure sign of wisdom is being able to say "I don't Know".
Posted

Since that post I am more and more certain that it is part of the Acer data security program named eDataSecurity. That assumes that the entry is edsloader.exe not loater as typed. :)

 

Let me know what the AntiMalwarebytes scan tells you, if anything.

 

As to the remainder of your post you need to be a bit (actually a lot) more specific and you know that we will get right to it.

"Familiarity breeds contempt - and children."

Mark Twain

 

 

Posted

In my notes I have edSloater.exe. But I was rushing to get it and it could very well be edSloader.exe.

 

I ran AntiMalwarebytes and it came up clean.

A sure sign of wisdom is being able to say "I don't Know".
Posted

I think we are on pretty safe ground here. I would suggest that you simply make sure the t is a d the next time you see the warning and allow the program to run.

 

Please just put your other issues in a new thread and we will deal with them separately.

"Familiarity breeds contempt - and children."

Mark Twain

 

 

Posted
Read your two links, Goku. It would seem that if it is a malicious duplicate my SpySweeper would plainly state that. Did I interpret that correctly?
A sure sign of wisdom is being able to say "I don't Know".
Posted

From what I gather SpySweeper is monitoring in real time and either did not recognize the program or saw it as a change. Much as a Spybot teatimer would do (just more familiar with that one.)

 

If it recognized it as malware it probably would have identified it as such if that answers your question. But again I do not have SpySweeper so am being general.

 

That is why it is good to double up on antimalware (not antivirus) protection.

 

Anyhow we have established that you are fine here. :)

"Familiarity breeds contempt - and children."

Mark Twain

 

 

Guest Wolfeymole
Posted
Well I'm not convinced, run the malware tools Struggling and get back to us.
Posted

I ran Malwarebytes yesterday after the SpySweeper notification.

 

It came up clean. I make a point of running it twice a week.

 

I have McAfee on board and also alternately run SpySweeper and SuperAntiSpyWare daily.

A sure sign of wisdom is being able to say "I don't Know".
Posted

Since we really do not want to beat this horse to death, this is where things stand.

 

I firmly believe that this is an Acer program designed for its laptops. As a result I would simply allow it.

 

But I also need you to understand that Wolfey has considerably more experience than I do.

 

If you allow this program it will be entered into your registry to run when you boot the computer. If you do not allow it apparently the eDataSecurity program built into your computer will probably not function.

 

Running the disinfection program can never hurt but it is really up to you what to do in this case.

 

I'm afraid there is no better answer.

"Familiarity breeds contempt - and children."

Mark Twain

 

 

Posted

Just to be sure on this one, it's probably a good idea to search for the file ActiveToolBand.dll and look at its properties - that will conclude exactly what it is.

 

Click Start, then Search.

 

In the left hand side click All Files and Folders, then copy/paste the ActiveToolBand.dll filename into the Filename box.

 

Then click on More Advanced Options, make sure the 3 top boxes are ticked ie search system folders, search hidden files and folders and search subfolders.

 

Click Search.

 

When it has finished, can you do a screenshot of what the search finds. It's really the file size, and the folder it is in that is important.

 

Post back with the results.

Posted

Tootech, lacking time to look up screen shot directions, but here is the search result:

 

Application extension, unknown application

Size 19.5 kb

Size on disk 32.0 kb

C: Windows system 32

created 10/24/08

modified 10/19/05 >>> '05 (?)

archive

A sure sign of wisdom is being able to say "I don't Know".
Posted (edited)

Struggling, when you joined Extreme Tech Support - Free PC Help in mid December the first thing you told us is that you formatted your hard drive about 2 months back (mid October?)

 

The October creation date (10/24/08) seems consistent with that time frame and a further indication that it is a legitimate system 32 file and part of the Acer recovery program (disc or partition)

 

I would await Tootech's reply regarding file size (it may be significant) but it still seems to be falling into a pattern.

 

The 05 date would refer to modifications made by Acer to the original program.

 

You may also want to randomly check other system files and see if the creation date is the same. Specifically look under programs for Acer tools and programs and see if you find edata security and check the creation date.

Edited by BeeCeeBee

"Familiarity breeds contempt - and children."

Mark Twain
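
The file-properties check discussed in the last few posts (folder, size, created and modified dates, and whether other files in the same folder share the creation date), as an added PowerShell example that is not part of the original thread. The function name `Get-FileProvenance` and the `SameDayFiles` column are hypothetical; the file name and search root default to the values mentioned in the posts, and the signature and version-info fields are additional checks not requested in the thread.

```powershell
# Added example, not from the thread. Defaults are taken from the posts.
param(
    [string]$Name = 'ActiveToolBand.dll',
    [string]$Root = $env:SystemRoot
)

function Get-FileProvenance {   # hypothetical helper name
    param([string]$Name, [string]$Root)
    # -Recurse and -Force cover subfolders plus hidden and system files,
    # the same three options ticked in the Search dialog described above.
    Get-ChildItem -Path $Root -Filter $Name -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            # Count files in the same folder created on the same calendar day
            # (the count includes the file itself).
            $day = $_.CreationTime.Date
            $sameDay = @(Get-ChildItem -Path $_.DirectoryName -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer -and $_.CreationTime.Date -eq $day }).Count
            [pscustomobject]@{
                Path            = $_.FullName
                SizeBytes       = $_.Length
                Created         = $_.CreationTime
                Modified        = $_.LastWriteTime
                Company         = $_.VersionInfo.CompanyName
                Description     = $_.VersionInfo.FileDescription
                SignatureStatus = $sig.Status
                Signer          = $signer
                SameDayFiles    = $sameDay   # hypothetical column name
            }
        }
}

Get-FileProvenance -Name $Name -Root $Root | Format-List
```

A high `SameDayFiles` count indicates the creation date matches a bulk install or restore of that folder. A `NotSigned` status is not conclusive on its own and should be read together with the company name, folder and dates.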

 

 
