Major Hijack issue here

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by corleone14, Dec 15, 2004.

  1. corleone14

    corleone14 Private E-2

    I have a major hijack issue. About:Blank has hijacked my homepage. I have numerous popups and my computer is slow. I have read your policy and have tried all of your suggestions. I have numerous bad processes running. Adware picks up vx2 files and Spybot picks up Cool Web Search. I have literally tried every spyware remover out there. Here are my computer specs.

    Dell Optiplex GX260
    OP - XP Pro
    Memory - 256MB
    System Type - X86 Based PC
    19 Gig HD

    I have fixed every hijacker but this one has stumped me. Please help me with this problem. I have a hijack this log for you to view when ready. Thanks!
     
  2. corleone14

    corleone14 Private E-2

    Does anyone in this forum have any suggestions for me? Please come back.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have run ALL the steps in the Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal and you are still having a problem, follow the steps below.

    Make sure you have HijackThis 1.99 and follow the guidelines on where to install it and how to post a log as an attachment. This is all covered in the sticky thread NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting

    Now post a HijackThis log as a .txt file attachment to your message. All running programs should be closed, including your web browser and e-mail. Close them before running HijackThis!

    To repeat: Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file. Place it in its own folder, for example C:\Program Files\HJT
     
  4. corleone14

    corleone14 Private E-2

    I have tried all of the steps and no dice. I am at my last leg with this computer. Please help. Thanks for your time. My log is attached.
     


  5. theefool

    theefool Geekified

    C:\WINDOWS\txflxwe.exe
    C:\WINDOWS\System32\kwicyi.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php

    O4 - HKLM\..\Run: [C:\WINDOWS\txflxwe.exe] C:\WINDOWS\txflxwe.exe
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvnuk32.exe

    All of these look suspicious....Why haven't you upgraded to SP2?
     
  6. corleone14

    corleone14 Private E-2

    It is my friend's computer and his head is hard as a rock. I tried to tell him but now he will listen. I can not upgrade his computer until I clean it, so here I am. Any suggestions?
     
  7. Kodo

    Kodo SNATCHSQUATCH

    Get rid of all the O1's too..
     
  8. corleone14

    corleone14 Private E-2

    So do I get HijackThis to remove all of those files and that is it?
     
  9. Kodo

    Kodo SNATCHSQUATCH

    Before you do ANYTHING!!!!

    move Hijackthis from
    C:\Documents and Settings\andrew.vanvulpen\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

    to

    C:\HiJackThis

    THEN run the program and fix the suggested O1's and R1's

    Then try to find the other files and delete them.

    C:\WINDOWS\txflxwe.exe
    C:\windows\system32\kalvnuk32.exe
     
  10. corleone14

    corleone14 Private E-2

    Ok. I put HijackThis in the right folder....ran it and cleared the programs, but as soon as I fixed them they came back, and the other 2 files in C:\Windows would not delete. Attached is my new HijackThis log for you to look at and advise me on. Your help is greatly appreciated right now.
     


  11. Kodo

    Kodo SNATCHSQUATCH

    you're still running HJT from
    C:\Documents and Settings\andrew.vanvulpen\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

    Make sure you are not running HJT from within a zip archive. Extract it and place the exe into the folder and then run it otherwise you will not be able to have backups.

    Check your Add/Remove Programs for ELITE TOOLBAR and remove it.. if not there, then do

    start- run and copy and paste the following line into the run box

    regsvr32 /u C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll

    and hit enter (yes to success or failure) then try to find and delete the file.

    make sure that
    C:\WINDOWS\System32\kwicyi.exe
    C:\windows\system32\kalvnuk32.exe

    are not loaded...i.e. terminate their processes in the Task Manager and then try to delete them.

    Then remove the following from HJT..


    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
    O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
     
  12. pollack

    pollack Private E-2

    use this tutorial:
    http://www.bleepingcomputer.com/forums/tutorial85.html

    i'm not much into xp processes, but i hope this process catalogue will be of help:
    http://www.liutilities.com/products/wintaskspro/processlibrary/

    What I did prior to using all the spyware killer software was booting in safe mode and killing all Run, RunOnce, RunServices, RunBlaBlaBla entries in the registry that looked suspicious.

    You can delete everything in the Hijackthis fix machine, except some "O4" level that are really needed by the system. Which ones - good you know - as this is your computer and you should care about it.

    Regards,
    Pollack
     
  13. Kodo

    Kodo SNATCHSQUATCH

  14. corleone14

    corleone14 Private E-2

    I unzipped the files as you said. I deleted Elite Toolbar from Add/Remove Programs. I made sure that the 2 files were not running as well in the start folder, but kalvnuk32.exe will not shut down and now I can not even find them in the system32 folder. I removed the items from HijackThis as well.
     
  15. Kodo

    Kodo SNATCHSQUATCH

    give me another log, I bet they mutated. We'll have to try a new program to kill them.
     
  16. corleone14

    corleone14 Private E-2

    Here is my new log attached chief!
     


  17. Kodo

    Kodo SNATCHSQUATCH

    C:\WINDOWS\System32\kwicyi.exe
    C:\windows\system32\kalvnuk32.exe

    Process Explorer v8.6

    Download this. It's similar to Task Manager, only it's WAY more powerful. It lists everything in a tree, so try to find those files and kill them. Right click has a menu to perform actions.

    select the item, right click and end the process. Then try to delete the files.
     
  18. corleone14

    corleone14 Private E-2

    Ok, I downloaded Process Explorer and ran it. I would kill kwicyi.exe and it would just come back. I deleted it from the system32 folder and now it is back in the startup processes and now it is not in the system32 folder. kalvnuk32.exe is not shown by Process Explorer or the system32 folder. When I unzipped and ran Process Explorer, it said my account did not have debugging privileges and would not operate at full capacity. This is truly the worst bug I have ever seen and I do not have much hair left to pull out.
     
  19. Kodo

    Kodo SNATCHSQUATCH

    Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip

    Unzip the files to the folder of your choice.

    Print these instructions or save locally. You must not be connected (unplug cable) to the internet during this.

    Close all open programs, windows and browsers and run KillBox and paste each of the filenames below into the box, select delete on reboot and end explorer shell before deleting. Then press the red X button; when it says reboot now, say no and continue to paste the lines in, one at a time, and follow the above procedure every time. DO NOT let it reboot yet.

    C:\WINDOWS\System32\kwicyi.exe
    C:\windows\system32\kalvnuk32.exe

    Then click Start > Run and type %temp% in the Run box, press OK . The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of that Temp folder. Also, empty the contents of your Recycle bin and c:\windows\Prefetch folder.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvnuk32.exe
    O4 - HKLM\..\RunOnce: [*oledb] C:\WINDOWS\Registration\oledb.exe rerun


    Now reboot and after your PC comes back up (note: you should still be disconnected from the internet)
    Run HijackThis and double check to make sure the lines are still fixed and also that they have not mutated into another form.
    Also use Windows Explorer to double check to make sure those two files actually were deleted.

    If clean, reconnect your cable and get a new HJT log before running IE (call it before.log). Then run IE and come back here and post your log. Now exit IE and get a new log (call it after.log) Then run IE again and come back here and post your second log.
     
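    The R1, O1, O2 and O4 lines quoted in posts 11 and 19 above follow a fixed HijackThis line format, so a first triage pass can be done mechanically before anyone reaches for KillBox. The Python below is an added example, not code from this thread or from HijackThis; the sample log is constructed from the entries quoted here plus one made-up benign line, and the search-host allowlist is a hypothetical assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample, modelled on the HijackThis lines quoted in this thread;
# the final O4 line is a made-up benign entry so the filter has a negative case.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O2 - BHO: (no name) - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O4 - HKLM\..\Run: [C:\WINDOWS\txflxwe.exe] C:\WINDOWS\txflxwe.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvnuk32.exe
O4 - HKLM\..\RunOnce: [*oledb] C:\WINDOWS\Registration\oledb.exe rerun
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\ExampleApp\example.exe
"""

# Hypothetical allowlist: search hosts the machine's owner actually chose.
KNOWN_SEARCH_HOSTS = {"www.google.com", "search.msn.com"}

def analyse(log_text):
    """Return [(line, reason)] for HJT entries that merit a closer look."""
    findings = []
    hosts_by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        kind = line.split(" - ", 1)[0]
        if kind == "R1":                      # IE search / start page URLs
            host = urlparse(line.split(" = ", 1)[1]).hostname
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append((line, f"search setting points at {host}"))
        elif kind == "O1":                    # hosts-file overrides
            ip, name = line.split("Hosts: ", 1)[1].split()
            hosts_by_ip[ip].append(name)
        elif kind in ("O2", "O3"):            # browser helper objects, toolbars
            if "(no name)" in line:
                findings.append((line, "BHO/toolbar registered with no name"))
        elif kind == "O4":                    # Run / RunOnce autostarts
            key, name, cmd = re.match(r"O4 - (\S+): \[(.*?)\] (.*)$", line).groups()
            if name.startswith("*") and key.endswith("RunOnce"):
                findings.append((line, "'*' RunOnce entry also runs in Safe Mode"))
            elif re.match(r"(?i)c:\\windows\\[^\\]+\.exe", cmd):
                findings.append((line, "executable sits directly in C:\\WINDOWS"))
    for ip, names in hosts_by_ip.items():     # one IP swallowing several search hosts
        if len(names) > 1:
            findings.append((f"O1 - Hosts: {ip}", f"{len(names)} hostnames forced to one IP: {names}"))
    return findings

if __name__ == "__main__":
    for line, reason in analyse(SAMPLE_LOG):
        print(f"{reason:50} <- {line}")
```

    Note that kalvnuk32.exe in system32 passes these pattern rules untouched, which is why the helpers in this thread fall back on comparing unknown autostart names against a process library rather than trusting patterns alone.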
  20. pollack

    pollack Private E-2

    Yeah, that trojan is very mocky as it includes many other trojans. And the mockiest thing is that the trojan processes are running in pairs - you close one and it opens the second one, you shut down the second and it opens the first. That's why I am killing this trojan in one restart in safe mode. I recently downloaded ProcRecon http://webchitect.com/ProcRecon it can kill 2 or more processes at once. Kodo, if you have time, take a look at it.
     
  21. Kodo

    Kodo SNATCHSQUATCH

    Added it to my arsenal. Thanks!
     
  22. corleone14

    corleone14 Private E-2

    Guys, I appreciate the help very much. Unfortunately, I have lost my mind and I am tired of dealing with this. I am erasing my hard drive and just starting over. Thanks for your time and courtesy and have a Merry Christmas!
     
  23. Kodo

    Kodo SNATCHSQUATCH

    ACK!!!! before you do this make a complete cd with SP2..

    http://www.majorgeeks.com/download.php?det=4324

    download SP2 network version
    http://download.microsoft.com/downl...0-73cf11fdcdf8/WindowsXP-KB835935-SP2-ENU.exe

    and follow the instructions for nLite. It will allow you to make a bootable CD with XP SP2 already loaded so you don't have to do all of it after you install. Doing this will eliminate being vulnerable to MSBLAST and SASSER after you boot for the first time without SP1a and its required hotfixes.
     
  24. PhilliePhan

    PhilliePhan Guest

    Hey guys, there is now a fix for this problem. Let me know if you want to pursue it.

    PP :)
     
  25. Kodo

    Kodo SNATCHSQUATCH

    Spill it!!
     
  26. PhilliePhan

    PhilliePhan Guest

    It involves downloading the following generic identification tool and then using Pocket KillBox to remove the files it detects.

    Generic Detection Tool

    PP :)
     
