Hi. I'm having a problem with the 'elite toolbar' and the pop ups associated with it. I've tried virtually everything suggested on other sites to fix it without success. I have used the latest updates of Ad Aware and Spybot, which both fix it temporarily, as does HJT. I've tried two online virus scans which failed to pick up anything. The problem is, when I reboot the computer in normal mode, the problem has reappeared! It doesn't seem to come back when in safe mode. My HJT log is posted below. This is taken immediately after rebooting in normal mode and after having supposedly removed it using Ad Aware, Spybot and HJT prior to rebooting...

Logfile of HijackThis v1.98.2
Scan saved at 12:29:49 p.m., on 3/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sdpasvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\System32\tp4mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Softwin\BitDefender Free Edition\bdmcon.exe
C:\Program Files\Softwin\BitDefender Free Edition\bdnagent.exe
C:\Documents and Settings\Default\Application Data\tteu.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.student.otago.ac.nz:3128
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender Free Edition\\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender Free Edition\\bdnagent.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxah32.exe
O4 - HKCU\..\Run: [Swnr] C:\Documents and Settings\Default\Application Data\tteu.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BCB1EB67-26AB-45F3-9C79-3D53121DF6C4}: NameServer = 202.27.158.40 202.27.184.3

In previous attempts I have fixed all the R1, O2, O3 and the O17 entry - which all come back. Should one of the O4 entries be fixed as well??? I have also tried deleting the entries from the registry, as well as any files in windows/program files that seem to be related to it.

Please help!!!!!!

Boot into Safe Mode.

Show hidden files
http://www.short-media.com/forum/showpost.php?p=172588&postcount=3


Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxah32.exe
O4 - HKCU\..\Run: [Swnr] C:\Documents and Settings\Default\Application Data\tteu.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BCB1EB67-26AB-45F3-9C79-3D53121DF6C4}: NameServer = 202.27.158.40 202.27.184.3


Please delete these files using Windows Explorer(if present):
C:\windows\system32\kalvxah32.exe
C:\Documents and Settings\Default\Application Data\tteu.exe


Please delete these folders using Windows Explorer(if present):
C:\WINDOWS\EliteToolBar


Run Adaware before rebooting and it should find the EliteToolbar registry entries.


Reboot and post a new hijackthis log.

Hi, Thanks for replying to my post! I have done what you suggested. I assume I was supposed to reboot at the end in normal mode before running HJT? I see that the O2 and O3 entries have gone. I found both the files and deleted them but the kalvhxah32.exe seems to have returned. Here's my log...

Logfile of HijackThis v1.98.2
Scan saved at 9:01:12 p.m., on 3/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\System32\tp4mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Softwin\BitDefender Free Edition\bdmcon.exe
C:\Program Files\Softwin\BitDefender Free Edition\bdnagent.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.student.otago.ac.nz:3128
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender Free Edition\\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender Free Edition\\bdnagent.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxah32.exe

What next???

Ok, we're getting there. Find this file on your system.
C:\windows\system32\kalvxah32.exe

Right click on it, select Properties, uncheck the box marked "Read-only". Now rename it to badkalvxah32.exe Now you should be able to delete it.


Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxah32.exe


Reboot and post a new hijackthis log.

Hi, have done what you suggested and it seems like it has gone!!! I've rebooted a few times and have spent a while on different internet sites without any sign of the annoying popups and toolbar...Here's my latest HJT log...

Logfile of HijackThis v1.98.2
Scan saved at 9:04:14 a.m., on 4/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\tp4mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Softwin\BitDefender Free Edition\bdmcon.exe
C:\Program Files\Softwin\BitDefender Free Edition\bdnagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.student.otago.ac.nz:3128
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender Free Edition\\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender Free Edition\\bdnagent.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{BCB1EB67-26AB-45F3-9C79-3D53121DF6C4}: NameServer = 202.27.158.40 202.27.184.3

It looks fairly good to me, not sure about the O17 though. Also ran Ad Aware, and it still detected it. I didn't quarantine or delete the objects as I thought it may cause it to reinfect? What do you think? Thankyou very much for your help! Coul

The ip address with that 017 entry is associated with Telecom Online Service. Is this your ISP? If so, it's ok to leave it.

Always let Adaware delete what it finds. It's probably registry entries that still belong to the spyware infection. If Adaware finds something that it says is bad, I would always let it remove it.

Yes, telecom is my ISP. I'll let ad aware fix the registry entries. Thanks again!

I hope someone can make good use of the information below:

I think I sorted this out after hitting my head against the wall for 2 days. I installed the "Security Task Manager" from

http://www.neuber.com/taskmanager/index.html

This program identified "kalvrhw32.exe" as a suspicious process. I had also seen this same process in the HijackThis reports. I quarantined it (which also deletes the registry instructions to start this process) and now all three spyware programs are coming out clean. I rebooted once, and everything seems to be OK (knock on wood!).

The only possible remaining problem: a couple of times, www.google.com has been re-directed to netaudience.com (which seems to be a harmless site).

Good luck to everyone fighting this problem. And I hope Ad-aware, Spyware Doctor and Spybot catch up with this one soon.

Gabriel

Thanks GOTORO :thumbsup:

I have been trying to get rid of "kalvsys" for days. I installed the "Security Task Manager" after reading your post. Thanks again for the info looks like it solved my problem.

73, Gene