elite toolbar and pop-ups

Hi. I'm having a problem with the 'elite toolbar' and the pop ups associated with it. I've tried virtually everything suggested on other sites to fix it without success. I have used the latest updates of Ad Aware and Spybot, which both fix it temporarily, as does HJT. I've tried two online virus scans which failed to pick up anything. The problem is, when I reboot the computer in normal mode, the problem has reappeared! It doesn't seem to come back when in safe mode. My HJT log is posted below. This is taken immediately after rebooting in normal mode and after having supposedly removed it using Ad Aware, Spybot and HJT prior to rebooting...

Logfile of HijackThis v1.98.2
Scan saved at 12:29:49 p.m., on 3/12/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sdpasvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\WINDOWS\System32\tp4mon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Softwin\BitDefender Free Edition\bdmcon.exe
C:\Program Files\Softwin\BitDefender Free Edition\bdnagent.exe
C:\Documents and Settings\Default\Application Data\tteu.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HJT\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.student.otago.ac.nz:3128
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender Free Edition\\bdmcon.exe
O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender Free Edition\\bdnagent.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxah32.exe
O4 - HKCU\..\Run: [Swnr] C:\Documents and Settings\Default\Application Data\tteu.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BCB1EB67-26AB-45F3-9C79-3D53121DF6C4}: NameServer = 202.27.158.40 202.27.184.3

In previous attempts I have fixed all the R1, O2, O3 and the O17 entry - which all come back. Should one of the O4 entries be fixed as well??? I have also tried deleting the entries from the registry, as well as any files in windows/program files that seem to be related to it.

Please help!!!!!!

Comments

  • Buckeye_Sam, Columbus, Ohio
    edited December 2004
    Boot into Safe Mode.

    Show hidden files
    http://www.short-media.com/forum/showpost.php?p=172588&postcount=3


    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
    O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxah32.exe
    O4 - HKCU\..\Run: [Swnr] C:\Documents and Settings\Default\Application Data\tteu.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BCB1EB67-26AB-45F3-9C79-3D53121DF6C4}: NameServer = 202.27.158.40 202.27.184.3


    Please delete these files using Windows Explorer (if present):
    C:\windows\system32\kalvxah32.exe
    C:\Documents and Settings\Default\Application Data\tteu.exe


    Please delete these folders using Windows Explorer (if present):
    C:\WINDOWS\EliteToolBar


    Run Adaware before rebooting and it should find the EliteToolbar registry entries.


    Reboot and post a new hijackthis log.
  • edited December 2004
    Hi, thanks for replying to my post! I have done what you suggested. I assume I was supposed to reboot at the end in normal mode before running HJT? I see that the O2 and O3 entries have gone. I found both the files and deleted them but the kalvxah32.exe seems to have returned. Here's my log...

    Logfile of HijackThis v1.98.2
    Scan saved at 9:01:12 p.m., on 3/12/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\sdpasvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\WINDOWS\System32\tp4mon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Softwin\BitDefender Free Edition\bdmcon.exe
    C:\Program Files\Softwin\BitDefender Free Edition\bdnagent.exe
    C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
    C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\HJT\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.student.otago.ac.nz:3128
    O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender Free Edition\\bdmcon.exe
    O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender Free Edition\\bdnagent.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxah32.exe

    What next???
  • Buckeye_Sam, Columbus, Ohio
    edited December 2004
    Ok, we're getting there. Find this file on your system.
    C:\windows\system32\kalvxah32.exe

    Right click on it, select Properties, uncheck the box marked "Read-only". Now rename it to badkalvxah32.exe. Now you should be able to delete it.


    Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxah32.exe


    Reboot and post a new hijackthis log.
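The two rounds of advice above amount to a manual triage of a HijackThis log: spot the R1/O2/O3/O4/O17 entries tied to the infection, fix them, reboot, and see which ones come back. The following Python script is an added example (not part of this thread, not a HijackThis or Ad-Aware feature) that does the same triage offline: it parses HJT entry lines, flags the ones matching the indicators quoted in the thread (searchmiracle.com, the EliteToolBar folder, kalvxah32.exe, tteu.exe, and any O17 nameserver not on an expected list), and compares two logs to report which flagged entries persisted across a reboot. The sample logs are constructed from entry lines quoted in this thread; the expected nameserver list is taken from the O17 entry the original poster later confirmed belongs to their ISP. All function names are this example's own.

```python
import re

# Indicators lifted from the HJT logs posted in this thread (lower-cased for matching).
ADWARE_HOSTS = ("searchmiracle.com",)
ADWARE_FILES = ("elitetoolbar", "kalvxah32.exe", "tteu.exe")

# O17 nameservers the original poster confirmed belong to their ISP; treat anything else as suspect.
ISP_NAMESERVERS = ("202.27.158.40", "202.27.184.3")

# HJT entry shape: "<kind> - <body>", e.g. "O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxah32.exe".
# Header lines and the running-process list never match this pattern.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")


def parse_entries(log_text):
    """Return (kind, body) tuples for every HJT entry line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def classify(kind, body, expected_nameservers):
    """Return a short reason if the entry looks like part of the infection, else None."""
    low = body.lower()
    if kind == "R1" and any(host in low for host in ADWARE_HOSTS):
        return "IE search/start page points at a known adware host"
    if kind in ("O2", "O3") and "elitetoolbar" in low:
        return "browser helper object / toolbar loaded from the EliteToolBar folder"
    if kind == "O4":
        if any(name in low for name in ADWARE_FILES):
            return "autorun entry launches a file tied to the infection"
        if "application data" in low:
            # Generic heuristic: legitimate software rarely autoruns from a profile data folder.
            return "autorun entry launches an executable from a user profile data folder (review)"
    if kind == "O17" and "NameServer =" in body:
        servers = body.split("NameServer =", 1)[1].split()
        unknown = [s for s in servers if s not in expected_nameservers]
        if unknown:
            return f"nameserver(s) {', '.join(unknown)} not in the expected list; confirm with the ISP before fixing"
    return None


def triage(log_text, expected_nameservers=()):
    """Return (kind, body, reason) for every entry that classify() flags."""
    findings = []
    for kind, body in parse_entries(log_text):
        reason = classify(kind, body, expected_nameservers)
        if reason:
            findings.append((kind, body, reason))
    return findings


def returned_entries(before_log, after_log, expected_nameservers=()):
    """Flagged entries present in both logs: they survived a fix-and-reboot, so something re-creates them."""
    before = {(kind, body) for kind, body, _ in triage(before_log, expected_nameservers)}
    return [f for f in triage(after_log, expected_nameservers) if (f[0], f[1]) in before]


# Constructed sample: a subset of the first log posted in the thread (raw string keeps the backslashes).
FIRST_LOG = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Documents and Settings\Default\Application Data\tteu.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.student.otago.ac.nz:3128
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxah32.exe
O4 - HKCU\..\Run: [Swnr] C:\Documents and Settings\Default\Application Data\tteu.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{BCB1EB67-26AB-45F3-9C79-3D53121DF6C4}: NameServer = 202.27.158.40 202.27.184.3
"""

# Constructed sample: the entries that were still present in the second log after the first fix round.
SECOND_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.student.otago.ac.nz:3128
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvxah32.exe
"""

if __name__ == "__main__":
    for kind, body, reason in triage(FIRST_LOG, ISP_NAMESERVERS):
        print(f"{kind}: {reason}\n    {body}")
    print("\nStill present after reboot:")
    for kind, body, _ in returned_entries(FIRST_LOG, SECOND_LOG, ISP_NAMESERVERS):
        print(f"    {kind} - {body}")
```

Run against the two sample logs, the triage flags the searchmiracle.com R1 entry, both EliteBar entries and the two O4 autoruns while leaving the proxy R1, the QuickTime autorun and the ISP nameservers alone; the persistence check then reports exactly the two entries (the R1 SearchURL and the kalvsys O4) that the thread's second log showed coming back. Running the check with an empty expected-nameserver list additionally flags the O17 entry for manual confirmation, which is the right default when the ISP's DNS servers are not known.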
  • edited December 2004
    Hi, I have done what you suggested and it seems like it has gone!!! I've rebooted a few times and have spent a while on different internet sites without any sign of the annoying pop-ups and toolbar...Here's my latest HJT log...

    Logfile of HijackThis v1.98.2
    Scan saved at 9:04:14 a.m., on 4/12/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\sdpasvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\tp4mon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Softwin\BitDefender Free Edition\bdmcon.exe
    C:\Program Files\Softwin\BitDefender Free Edition\bdnagent.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\HJT\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.student.otago.ac.nz:3128
    O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [BDMCon] C:\Program Files\Softwin\BitDefender Free Edition\\bdmcon.exe
    O4 - HKLM\..\Run: [BDNewsAgent] C:\Program Files\Softwin\BitDefender Free Edition\\bdnagent.exe
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
    O17 - HKLM\System\CCS\Services\Tcpip\..\{BCB1EB67-26AB-45F3-9C79-3D53121DF6C4}: NameServer = 202.27.158.40 202.27.184.3

    It looks fairly good to me, not sure about the O17 though. Also ran Ad Aware, and it still detected it. I didn't quarantine or delete the objects as I thought it may cause it to reinfect? What do you think? Thank you very much for your help! Coul
  • Buckeye_Sam, Columbus, Ohio
    edited December 2004
    The IP address in that O17 entry is associated with Telecom Online Service. Is this your ISP? If so, it's ok to leave it.

    Always let Adaware delete what it finds. It's probably registry entries that still belong to the spyware infection. If Adaware finds something that it says is bad, I would always let it remove it.
  • edited December 2004
    Yes, telecom is my ISP. I'll let ad aware fix the registry entries. Thanks again!
  • edited December 2004
    I hope someone can make good use of the information below:

    I think I sorted this out after hitting my head against the wall for 2 days. I installed the "Security Task Manager" from

    http://www.neuber.com/taskmanager/index.html

    This program identified "kalvrhw32.exe" as a suspicious process. I had also seen this same process in the HijackThis reports. I quarantined it (which also deletes the registry instructions to start this process) and now all three spyware programs are coming out clean. I rebooted once, and everything seems to be OK (knock on wood!).

    The only possible remaining problem: a couple of times, www.google.com has been re-directed to netaudience.com (which seems to be a harmless site).

    Good luck to everyone fighting this problem. And I hope Ad-aware, Spyware Doctor and Spybot catch up with this one soon.

    Gabriel
  • edited December 2004
    Thanks GOTORO :thumbsup:

    I have been trying to get rid of "kalvsys" for days. I installed the "Security Task Manager" after reading your post. Thanks again for the info looks like it solved my problem.

    73, Gene