[challengermx]

this is my "Hijack this" log and i just hope that u guys can help me out because my computer is going really really slow and for some reason it's been getting worse these past couple of days.Logfile of HijackThis v1.98.2
Scan saved at 9:48:00 PM, on 1/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\KALVNDX32.EXE
C:\PROGRAM FILES\VBOUNCER\VIRTUALBOUNCER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\AMERICA ONLINE 5.0\WAOL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVNDX32.EXE
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .gov/lfserver/cosd_hr/03522307?DFS__Action=FormsGT&42c25:f817606b87:-15e5: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab

Any help will be highly appreciated.

 

[abadaba]

Sorry i don't deal with this,hijack confussion.
Any other help is offered.
And maybe appreciated.
So start over.
need serious help with my computer
What ?

 

[telecom69]

Put a tick by EACH of the following and have hijack FIX THEM after closing all open windows

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 #eautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm

Boot into safe mode and find and delete the following .................................... C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\PROGRAM FILES\VBOUNCER\VIRTUALBOUNCER.EXE

 

[flavallee]

Challengermx:

After you've followed Telecom69's advice, do the following:

Download and install Ad-aware SE Personal 1.05 and Spybot - Search & Destroy 1.3 from the spyware tools section at http://www.majorgeeks.com. Once you've installed them, run their update function and get them up-to-date with the latest files. Once you've updated them, run a full system scan with Ad-aware and delete everything that it finds, reboot your computer, run a scan with Spybot and delete everything in red that it finds, then reboot your computer again.

It's always good practice to run these spyware detection-and-removal utilities BEFORE posting a HijackThis log. Also, make sure to keep them up-to-date and make sure to run them on a regular basis.

HijackThis 1.99.0 is the most current version. You can obtain it from the same location mentioned above.

 

[challengermx]

this is my new "hijack this" log after doing what u guys asked me too do. the only problem is that everytime i try to use Ad-aware SE it says "this program has performed an illegal operation and will be shut down then after pressing "close" it says exception EReadError in module AD-AWARE.EXE bei 00021FOB. Fehler beim lessen von memof.lines.strings: fehler bei einfügen von richedit-zeile. so i dont really know whay this happens.

Logfile of HijackThis v1.98.2
Scan saved at 7:09:13 PM, on 1/16/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\KALVNDX32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\AMERICA ONLINE 5.0\WAOL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVNDX32.EXE
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O12 - Plugin for .gov/lfserver/cosd_hr/03522307?DFS__Action=FormsGT&42c25:f817606b87:-15e5: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab

 

[telecom69]

Please go here and get the current version of hijackthis http://www.majorgeeks.com/download3155.html and then repost your log .....

 

[flavallee]

It doesn't look like you've been keeping the temp files cleaned out.

Click Start - Find - All Files And Folders, select the hard drive to look in, then delete everything that appears under:

*.TMP

C:\TEMP\*.*

C:\WINDOWS\TEMP\*.*

You'll need to do them one at a time. Ignore any message that appears about your computer not running right if you delete certain files. Delete them all.

 

[challengermx]

this is the new post log with the upgraded version of "hijack this".

Logfile of HijackThis v1.99.0
Scan saved at 5:12:01 PM, on 1/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\KALVNDX32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\AMERICA ONLINE 5.0\WAOL.EXE
C:\PROGRAM FILES\COMMON FILES\DIRECTX\DIRECTINPUT\USER MAPS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVNDX32.EXE
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\Run: [ntechin] C:\N20050308.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O12 - Plugin for .gov/lfserver/cosd_hr/03522307?DFS__Action=FormsGT&42c25:f817606b87:-15e5: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: www.mt-download.com (HKLM)
O15 - Trusted Zone: install.xxxtoolbar.com (HKLM)
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab

 

[flavallee]

You've got a problem with "about:blank" and "WINTOOLS". Telecom69 and the others will help you get rid of them.

Did you delete the temp files like I requested? The R1 entry is still present in your log.

 

[MFDnNC]

You've got a problem with "about:blank" and "WINTOOLS". Telecom69 and the others will help you get rid of them.

Did you delete the temp files like I requested? The R1 entry is still present in your log.

The problem is with the VX2 issue - this needs a pro - I'll ask for one

 

[telecom69]

Put a tick by each of the following and have hijack fix them after closing all open windows

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\sp.dll/sp.html
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
- HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O15 - Trusted Zone: www.mt-download.com (HKLM)
O15 - Trusted Zone: install.xxxtoolbar.com (HKLM)

 

[challengermx]

this is the new post log of "hijack this".

Logfile of HijackThis v1.99.0
Scan saved at 10:31:05 PM, on 1/14/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\KALVNDX32.EXE
C:\N20050308.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\AMERICA ONLINE 5.0\WAOL.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\DIRECTX\DIRECTINPUT\USER MAPS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVNDX32.EXE
O4 - HKLM\..\Run: [ntechin] C:\N20050308.EXE
O12 - Plugin for .gov/lfserver/cosd_hr/03522307?DFS__Action=FormsGT&42c25:f817606b87:-15e5: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} - http://www.kungfuchess.com/activex/web665.cab

 

[telecom69]

So how are things running now ?

 

[challengermx]

its running pretty good but its still a little laggy and the websites takes a while to load. so is there a way to make my comp faster?

 

[telecom69]

Have you done a defrag lately ? also do this ......
click on tools at the the top,then on Interenet options,then in the part that says Temporary internet files click on delete files,a box will pop up put a tick in delete offline content then click on OK .....

 

[Cookiegal]

Rescan withi Hijack This and have it fix these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O4 - HKLM\..\Run: [kalvsys] C:\WINDOWS\SYSTEM\KALVNDX32.EXE

O4 - HKLM\..\Run: [ntechin] C:\N20050308.EXE

Then, in safe mode and with files unhidden locate and delete these files:

C:\WINDOWS\SYSTEM\KALVNDX32.EXE
C:\N20050308.EXE

To unhide files so please do this:

Open My Computer.
Select the View menu and click Folder Options.
Select the View Tab.
In the Hidden files section select “show all files”
Click OK

Then reboot and post another log please.

 

[challengermx]

this is my log after deleting the files but i still have to go into safe mode and delete the other files.

Logfile of HijackThis v1.99.0
Scan saved at 12:20:16 PM, on 1/15/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\WWWRVI.EXE
C:\WINDOWS\SYSTEM\KALVNDX32.EXE
C:\N20050308.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\AMERICA ONLINE 5.0\WAOL.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMMON FILES\DIRECTX\DIRECTINPUT\USER MAPS\HIJACKTHIS.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\wwwrvi.exe
O4 - Startup: hhhtku.exe
O12 - Plugin for .gov/lfserver/cosd_hr/03522307?DFS__Action=FormsGT&42c25:f817606b87:-15e5: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll

 

[Cookiegal]

Download Findit98.zip from here:

http://www.thatcomputerguy.us/downloads/findit98.zip

Unzip to desktop and run find.bat inside.
It will scan for a few seconds and a log should pop up.
Please copy and paste entire log contents here.

Click here: http://www.downloads.subratam.org/VX2Finder9x.exe and download the VX2Finder9x.exe tool. Click on the VX2Finder9x.exe and then click on the Click to Find VX2.Betterinternet button. It will display the files, and User Agent string. Now click the Make Log button. It will open the log in notepad. Copy and paste that log here and wait for further instructions.

Next click here: http://www.downloads.subratam.org/DllCompare.exe to download DLLCompare.zip.

Save it to your desktop.

Now run DllCompare and click on the RunLocate.com button. It will scan for the hidden files. When it is finished, you will see in blue Completed the scan, Click Compare to Continue at which time you will click the Compare button.

It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.

In a few minutes it will complete then you will see in blue Completed.
Click the Make a Log of what was Found button. It will ask if you want to view the logfile. Click Yes then copy and paste that log in your next reply.

Next open Hijack This. Click on the "Config" button in the lower right corner. Now click on "Misc Tools" then under "Generate Startup List" put a check by "List also minor sections (full)" and "List empty sections (Complete)". Now click on the "Generate Startup List" button and copy and paste the contents of the list back here as well.

Click here: http://forums.techguy.org/attachment.php?attachmentid=45151 to download Runkey.zip. Unzip it and then doubleclick on RunKey.bat. It will produce a Both.txt file. Please copy and paste that here.

Click here: http://forums.techguy.org/attachment.php?attachmentid=44795 to download Silentrunners.zip.

Run the SilentRunners.vbs file. If your antivirus has a script blocker, you will get a warning asking if you want to allow SilentRunners.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.

When it is finished it will produce a Startup Programs text file. Copy and paste that text file here in your next reply.

Click here: http://forums.techguy.org/attachment.php?attachmentid=46218 to download track.zip. Unzip it to your desktop. Doubleclick on the track.vbs file and let it run. After it runs it will tell you to press any key to continue. Press any key and it will open a Look.txt file. Copy that and post it here as well. As I said with the last script you may get a warning. It is not malicious so you can allow it to run.

*Note: There will be more here than you can post in one reply so it will be easier to just copy all the logs to one notepad file and name it info.txt. Save the file to your desktop and then attach it to your next post.