HijackThis log file....need help....

Here’s the log file of what HijackThis pulled up (then I saved it). Please help me determine what files I need to delete, and what files I should not delete. Thanks.

Logfile of HijackThis v1.98.0
Scan saved at 10:15:51 AM, on 8/7/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSGLOOP.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\MSG32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\TSMGR.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\AIM\AIM.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\COMPUSERVE 7.0\WCS2000.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\CF\PROGRAMS\HIJACKTHIS_LAST.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=50056
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50056
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/hp/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/p/hp/?http://hp.my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50056
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O2 - BHO: YBIOCtrl Class - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar.dll
O4 - HKLM..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM..\Run: [Adaptec DirectCD] C:\Program Files\DirectCD\DIRECTCD.EXE
O4 - HKLM..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM..\Run: [VsecomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSEcomR.EXE
O4 - HKLM..\Run: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE /SHOWWARNING
O4 - HKLM..\Run: [RCScheduleCheck] C:\PROGRAM FILES\VCOM\RECOVERY COMMANDER\RCSCHED.EXE -CHECK
O4 - HKLM..\Run: [Fix-It AV] C:\PROGRA~1\VCOM\FIX-IT\MEMCHECK.EXE
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [MSN Manager] C:\WINDOWS\tsmgr.exe
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM..\RunServices: [SchedulingAgent] c:\windows\SYSTEM\mstask.exe
O4 - HKLM..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM..\RunServices: [Vshwin32EXE] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSHWIN32.EXE
O4 - HKLM..\RunServices: [Installer] C:\WINDOWS\SYSTEM\WINST.EXE
O4 - HKLM..\RunServices: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O4 - HKLM..\RunOnce: [washindex] c:\Program Files\Washer\washidx.exe “Tì?”
O4 - HKLM..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O4 - HKCU..\Run: [MoneyAgent] “C:\Program Files\Microsoft Money\System\Money Express.exe”
O4 - HKCU..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU..\Run: [Washer] c:\Program Files\Washer\washer.exe /1
O4 - HKCU..\Run: [AIM] C:\PROGRAM FILES\AIM\aim.exe -cnetwait.odl
O4 - HKCU..\RunOnce: [washindex] c:\Program Files\Washer\washidx.exe “Tì?”
O4 - HKCU..\RunServicesOnce: [washindex] c:\Program Files\Washer\washidx.exe
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: CompuServe 2000 Tray Icon.lnk = C:\CompuServe 2000\cstray.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR.DLL/cmtrans.html
O9 - Extra button: RealGuide - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE

Here is the result from my HJT analyzer prog.

================================================================================
ANALYZER INFORMATION

bad.dat version : 10
good.dat version : 10
rec.dat version : 3
dasb.dat version : 1

================================================================================
VERSION INFORMATION

================================================================================
GENERAL INFORMATION

All items in the log file which are not shown here
as to be deleted or safe to keep need to be investigated.

This website has a link to a tutorial on the hijackthislog:
http://members.home.nl/acred/cleaning.htm

Also use www.google.com to find out more on items not listed here.

================================================================================
THESE ITEMS SHOULD BE REMOVED:

\program files\common files\wintools\wtoolsa.exe
\program files\common files\wintools\wsup.exe
\windows\tsmgr.exe
\windows\rundll.exe
r1 - hkcu\software\microsoft\internet explorer\main,search bar = http://www.websearch.com/ie.aspx?tb_id=50056
r1 - hklm\software\microsoft\internet explorer\main,searchassistant = http://www.websearch.com/ie.aspx?tb_id=50056
r0 - hklm\software\microsoft\internet explorer\search,searchassistant = http://www.websearch.com/ie.aspx?tb_id=50056
r0 - hklm\software\microsoft\internet explorer\search,customizesearch =
r3 - urlsearchhook: (no name) - {87766247-311c-43b4-8499-3d5fec94a183} - c:\progra~1\common~1\wintools\wtoolsb.dll
o2 - bho: ybioctrl class - {004a5840-ff59-11d2-b50d-0090271d3fd4} - (no file)
o2 - bho: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
o2 - bho: (no name) - {87766247-311c-43b4-8499-3d5fec94a183} - c:\progra~1\common~1\wintools\wtoolsb.dll
o4 - hklm..\run: [msn manager] c:\windows\tsmgr.exe
o4 - hklm..\run: [wintools] c:\program files\common files\wintools\wtoolsa.exe
o4 - hklm..\runservices: [installer] c:\windows\system\winst.exe
o4 - hklm..\runservices: [wintools] c:\program files\common files\wintools\wtoolsa.exe
o4 - hklm..\runservicesonce: [wintools] c:\progra~1\common~1\wintools\wtoolsa.exe /boot
o4 - startup: compuserve 2000 tray icon.lnk = c:\compuserve 2000\cstray.exe

================================================================================
THESE ITEMS ARE SAFE TO KEEP:

\windows\system\kernel32.dll
\windows\system\msgsrv32.exe
\windows\system\mprexe.exe
\windows\system\msgloop.exe
\windows\system\mstask.exe
\windows\system\msg32.exe
\windows\system\mmtask.tsk
\program files\network associates\mcafee virusscan\vshwin32.exe
\program files\alwil software\avast4\ashserv.exe
\windows\system\hidserv.exe
\program files\network associates\mcafee virusscan\vsstat.exe
\windows\explorer.exe
\windows\taskmon.exe
\windows\system\systray.exe
\program files\netropa\one-touch multimedia keyboard\mmkeybd.exe
\windows\system\hpsysdrv.exe
\program files\directcd\directcd.exe
\windows\system\usbmmkbd.exe
\program files\common files\real\update_ob\realsched.exe
\program files\netropa\one-touch multimedia keyboard\keybdmgr.exe
\program files\alwil software\avast4\ashmaisv.exe
\program files\aim\aim.exe
\program files\common files\microsoft shared\works shared\wkcalrem.exe
\program files\winzip\wzqkpick.exe
\program files\netropa\onscreen display\osd.exe
\windows\system\wmiexe.exe
\program files\netropa\one-touch multimedia keyboard\mmusbkb2.exe
\windows\system\spool32.exe
\windows\system\tapisrv.exe
\windows\system\rnaapp.exe
r1 - hklm\software\microsoft\internet explorer\main,search bar = http://www.yahoo.com/ext/hp/search.html
r0 - hklm\software\microsoft\internet explorer\main,start page = http://www.yahoo.com/p/hp/?http://hp.my.yahoo.com
o2 - bho: google toolbar helper - {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar.dll
o3 - toolbar: &radio - {8e718888-423f-11d2-876e-00a0c9082467} - c:\windows\system\msdxm.ocx
o3 - toolbar: &google - {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar.dll
o4 - hklm..\run: [scanregistry] c:\windows\scanregw.exe /autorun
o4 - hklm..\run: [taskmonitor] c:\windows\taskmon.exe
o4 - hklm..\run: [systemtray] systray.exe
o4 - hklm..\run: [loadpowerprofile] rundll32.exe powrprof.dll,loadcurrentpwrscheme
o4 - hklm..\run: [keyboard manager] c:\program files\netropa\one-touch multimedia keyboard\mmkeybd.exe
o4 - hklm..\run: [hpscanpatch] c:\windows\system\hpscanfix.exe
o4 - hklm..\run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
o4 - hklm..\run: [adaptec directcd] c:\program files\directcd\directcd.exe
o4 - hklm..\run: [usbmmkbd] usbmmkbd.exe
o4 - hklm..\run: [vsecomrexe] c:\program files\network associates\mcafee virusscan\vsecomr.exe
o4 - hklm..\run: [vshwin32exe] c:\program files\network associates\mcafee virusscan\vshwin32.exe
o4 - hklm..\run: [vsstatexe] c:\program files\network associates\mcafee virusscan\vsstat.exe /showwarning
o4 - hklm..\run: [rcschedulecheck] c:\program files\vcom\recovery commander\rcsched.exe -check
o4 - hklm..\run: [ashmaisv] c:\progra~1\alwils~1\avast4\ashmaisv.exe
o4 - hklm..\runservices: [loadpowerprofile] rundll32.exe powrprof.dll,loadcurrentpwrscheme
o4 - hklm..\runservices: [schedulingagent] c:\windows\system\mstask.exe
o4 - hklm..\runservices: [hidserv] hidserv.exe run
o4 - hklm..\runservices: [vshwin32exe] c:\program files\network associates\mcafee virusscan\vshwin32.exe
o4 - hklm..\runservices: [avast!] c:\program files\alwil software\avast4\ashserv.exe
o4 - hklm..\runonce: [washindex] c:\program files\washer\washidx.exe “tì?”
o4 - hkcu..\run: [moneyagent] “c:\program files\microsoft money\system\money express.exe”
o4 - hkcu..\run: [taskbar display controls] rundll deskcp16.dll,quickres_rundllentry
o4 - hkcu..\run: [washer] c:\program files\washer\washer.exe /1
o4 - hkcu..\run: [aim] c:\program files\aim\aim.exe -cnetwait.odl
o4 - hkcu..\runonce: [washindex] c:\program files\washer\washidx.exe “tì?”
o4 - hkcu..\runservicesonce: [washindex] c:\program files\washer\washidx.exe
o4 - startup: microsoft works calendar reminders.lnk = c:\program files\common files\microsoft shared\works shared\wkcalrem.exe
o8 - extra context menu item: &google search - res://c:\program files\google\googletoolbar.dll/cmsearch.html
o8 - extra context menu item: cac&hed snapshot of page - res://c:\program files\google\googletoolbar.dll/cmcache.html
o8 - extra context menu item: si&milar pages - res://c:\program files\google\googletoolbar.dll/cmsimilar.html
o8 - extra context menu item: backward &links - res://c:\program files\google\googletoolbar.dll/cmbacklinks.html
o8 - extra context menu item: translate into english - res://c:\program files\google\googletoolbar.dll/cmtrans.html
o9 - extra button: aim - {ac9e2541-2814-11d5-bc6d-00b0d0a1de45} - c:\program files\aim\aim.exe

================================================================================
THESE ITEMS ARE NOT NEEDED TO LOAD AT BOOTTIME FOR
THE SYSTEM TO WORK, IT IS RECOMMENDED TO REMOVE THEM:

================================================================================
THE FOLLOWING ITEMS ARE NOT KNOWN. IF YOU HAVE ANY
INFORMATION ABOUT THEM, PLEASE LET US KNOW.

\program files\compuserve 7.0\wcs2000.exe

thanks man, I appreciate it.

Problem… I checked all that stuff and clicked repair/delete/whatever it was… and then I did another scan after that, and a majority of that stuff that I removed was still there? … What's going on?

OK, I'm no expert at this, but I would say if HijackThis runs in safe mode, try to remove them in safe mode.

  1. Disable system restore
  2. Reboot
  3. Run HJT and fix the things
  4. Run a full system scan (and remove/delete/repair if anything is found)
  5. Reboot
  6. Tell us if the problem is gone.

PS: Make sure you remove WinTools. It is loaded with spy-/adware.

how do I do those things? Also, when I reboot and see if the problem is gone, will I have to un-disable the system restore?

Eddy

Make sure you remove WinTools. It is loaded with spy-/adware
I have a program called WinTools.net Professional. I hope that's not the same program! ???

Bob3160, check out this link and see if you have it or not.

Thanks for the comeback Eddy,
No, I don’t have WTOOLSA.EXE
But I do have WinPatrol PLUS and have been using it for quite some time. I think it’s an excellent program; I’m sure it’s saved my neck a couple of times. It was well worth the small investment.
For those that can’t or don’t want to register, it’s still worth having; it just doesn’t give you the online Plus support.