Windir32.exe problem

vanagon40 Indiana Member
edited October 2005 in Spyware & Virus Removal
Are there any tricks to removing Windir32.exe?

My daughter at college has an infected laptop she is bringing home this weekend. I will attempt a self-extraction, but just wondered if there were any special problems associated with Windir32.exe.

I did see where LQfix.bat was recommended in one thread for an HJT log that contained Windir32.exe.

If I run into problems I will post a HJT log, but figured I would try it myself first. Hopefully it will not be as difficult as the CoolWebSearch variant I had in 2004.

Jim

Comments

  • edited September 2005
    Don't try it yourself; let the Short-Media SVT team help you solve the problem so you don't mess anything up.

    ---note to everyone but you vanagon40---
    I recommend that if you have a virus, trojan or infected PC, you start your own thread and wait to get some really good help.

    I feel sorry for people who follow other threads and do not remember that each system is different, vis-à-vis the HJT logs are different, vis-à-vis everyone should post their own thread to get the high quality help of Short-Media in the SVT forum.

    You did a great job posting here; just wait and the expert help will come.
  • mmonnin Centreville, VA
    edited October 2005
    Yes, if you have any problems post a log file here for someone to look at.
  • vanagon40 Indiana Member
    edited October 2005
    OK, this looks like it's beyond me. Several people had worked on this before me. Daughter was having problems, and every time she ran a virus scan she got new stuff. I had put F-Prot anti-virus, AdAware, Spybot S&D, and SpywareBlaster on her computer this fall, explained how to update IE, and requested that she update and scan with the above at least once a week. After the problems started (she thinks it came through AIM), she somehow "removed" Windir32.exe. Here is the story:

    Well, basically, the story is that I clicked on a virus from AIM and it infected my computer. I updated and ran all my virus scans at least 10 times. It kept popping up with more stuff that it was getting rid of. So I uninstalled AIM and ran more virus scans and then reinstalled AIM, thinking I had gotten rid of the problem. My scans were all coming out clean. But then I went to dinner tonight and when I came back, it was back and worse than ever! So I uninstalled AIM again and did more virus scans. I deleted all AIM stuff off my computer. So now all my virus scans are coming back clean.

    The problem was, whenever I restarted my computer, it would be really, really slow to restart, and then when it did, it would pop up with a box that said something like "we do not recognize this server or something. do you want us to run this program? windir32.exe located in C:\WINDOWS\system32". So I clicked Cancel, because I don't know what that is and I don't want to run it. I decided that this must be my problem, so I searched for that file and discovered that it was created on 9/26/05, which was when I got the virus, so I guessed that was it. I deleted that file.

    Then my roomie Lauren suggested that I click on Start, then Run, then type in "msconfig", which got me a box titled "System Configuration Utility". Then I clicked on the tab called "Startup" and it gave me a list of startup items. In two different places it had windir32.exe, so I clicked on the boxes to uncheck it, which means that it will no longer be on the startup items. And that pop-up box that came up whenever I turned on my computer, asking if I wanted to run it, no longer pops up.

    I ran a Panda Scan with the following result:

    Incident                      Status          Location
    Adware:adware/elitebar        No disinfected  C:\Documents and Settings\Owner\Favorites\Casino & Carrers
    Adware:adware/block-checker   No disinfected  Windows Registry
    Spyware:Spyware/BargainBuddy  No disinfected  C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\7R99TH9I\virus[1].bmp
    Spyware:Spyware/BargainBuddy  No disinfected  C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\JLY6A831\dating[1].bmp
    Spyware:Spyware/BargainBuddy  No disinfected  C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\QZN89O5H\casino[1].bmp
    Virus:Eicar.Mod               No disinfected  C:\Program Files\FSI\F-Prot\fpav-help.chm[prob-scan-ok.html]
    Virus:Eicar.Mod               No disinfected  C:\Program Files\InstallShield Installation Information\{9FD12630-1991-46F5-8479-92DE1EAE87DA}\data1.cab[fpav-help.chm][prob-scan-ok.html]
    Spyware:Spyware/BargainBuddy  No disinfected  C:\WINDOWS\etb\xml\images\casino.bmp
    Spyware:Spyware/BargainBuddy  No disinfected  C:\WINDOWS\etb\xml\images\dating.bmp
    Spyware:Spyware/BargainBuddy  No disinfected  C:\WINDOWS\etb\xml\images\virus.bmp
    I ran an F-Prot scan and two objects were removed (I did not write down what was removed).
    I ran AdAware (current updates) and no objects were found.
    I ran Spybot S&D (current updates) and no objects were found.
    I ran McAfee and no objects were found.
    I ran a second F-Prot scan and no objects were found.
    I ran a second Panda Scan with the same result as the first.
    The laptop actually seems to run fine. The problem is that F-Prot keeps stopping files from opening and producing the following message:

    FRISK RealTime Protector

    Warning: Infected or suspicious files detected! An attempt was made to access or open the following files on your system.

    C:\System Volume Information\_restore{4BC2B7D9-7D85-439A-8A3A-9B6BD5412691}\RP116\A0017508.exe is a security risk or a backdoor program
    [this line is repeated approximately 16 times]

    OR

    C:\System Volume Information\_restore{4BC2B7D9-7D85-439A-8A3A-9B6BD5412691}\RP118\A0017720.dll is a virus tool named W32/VirTool.EM
    [this line is repeated approximately 16 times]

    ***********************************************

    So here is the HJT log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:49:50 PM, on 10/1/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\FSI\F-Prot\fpavupdm.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Venturi2\Client\ventc.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\System32\hkcmd.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\WINDOWS\System32\WLTRAY.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Venturi2\Configurator\ventcfg.exe
    C:\Program Files\FSI\F-Prot\F-Sched.exe
    C:\Program Files\FSI\F-Prot\F-StopW.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\PROGRA~1\PEOPLE~1\PropelAC.exe
    C:\Program Files\ISP50\Bin\Bartshel.exe
    C:\Program Files\Messenger\MSMSGS.EXE
    C:\Program Files\Ares Lite Edition\AresLite.exe
    C:\Program Files\WordWeb\wweb32.exe
    C:\PROGRA~1\ISP50\bin\ppshared.exe
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ezwebsearching.com/sp2.php
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ezwebsearching.com/sp2.php
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/homepage
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://home.peoplepc.com/search
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
    O2 - BHO: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
    O3 - Toolbar: PeoplePal Toolbar - {A8FB8EB3-183B-4598-924D-86F0E5E37085} - C:\Program Files\PeoplePC\Toolbar\PPCToolbar.dll
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\System32\WLTRAY
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O4 - HKLM\..\Run: [Venturi Configurator] C:\Program Files\Venturi2\Configurator\ventcfg.exe
    O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
    O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\BIN\PPCOLink -STATION
    O4 - HKLM\..\Run: [Propel Accelerator] "C:\PROGRA~1\PEOPLE~1\PropelAC.exe"
    O4 - HKLM\..\Run: [PPCRunonce] C:\WINDOWS\system32\PPCRunOnce.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
    O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
    O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-page.html
    O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\PeoplePC Accelerated\pac-image.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119394150672
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Venturi2 Client (Venturi2) - Venturi Wireless - C:\Program Files\Venturi2\Client\ventc.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    *****************************************************

    Thanks in advance for the help.
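Reading a log like the one above comes down to the same few questions for every O4 autostart line, R0/R1 browser setting and O23 service: is the binary located, does the key make sense, does the URL point where the owner expects. The script below is an added example and is not HijackThis code, nor anything posted by the participants in this thread. It applies a handful of triage heuristics, which are my own assumptions rather than verdicts, to a subset of the log lines copied from the post above, and it assumes `home.peoplepc.com` is the ISP home page the owner expects. Several of the hits it produces (BCMSMMSG.exe, wltrysvc.exe) are legitimate Broadcom and Dell items; the point is that they look the same as windir32.exe from the log alone and have to be checked, not that they are malicious.

```python
"""Triage heuristics for a HijackThis (HJT) log.

Added example for this thread, not HijackThis code and not something
the posters ran.  The rules are assumptions about which entries deserve
a second look; a hit means "verify", not "malicious".
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Subset of lines copied from the HJT log in the post above (not invented).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.ezwebsearching.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.peoplepc.com/homepage
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
PAGE_VALUES = {"SearchURL", "Search Page", "Search Bar", "Start Page", "SearchAssistant"}


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def executable_of(cmd):
    """First token of an autostart command, honouring a quoted path."""
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]  # unterminated quote: find() is -1, drops last char
    return cmd.split()[0]


def check_o4(m):
    reasons = []
    exe = executable_of(m["cmd"])
    bare = "\\" not in exe and ":" not in exe  # no drive, no directory
    if m["key"].lower().startswith("runservices"):
        reasons.append("autostart from RunServices, a Windows 9x-era key that legitimate XP software rarely writes to")
    if bare:
        reasons.append(f"bare filename {exe!r}: resolved through the search path, so the log does not say where it lives")
    if bare and re.search(r"microsoft|windows", m["name"], re.I):
        reasons.append("Windows-sounding display name attached to an unlocated binary")
    return reasons


def check_r(m, expected_hosts):
    reasons = []
    value, data = m["value"].strip(), m["data"]
    if value == "ProxyServer" and re.search(r"localhost|127\.0\.0\.1", data):
        reasons.append(f"browser traffic proxied through a local port ({data}); identify the listener with netstat -ano")
    elif value in PAGE_VALUES:
        host = urlparse(data).hostname
        if host and host not in expected_hosts:
            reasons.append(f"search/start page points at {host}")
    return reasons


def check_o23(m):
    if m["owner"] == "Unknown owner":
        return ["service with no vendor string; confirm the binary's publisher before trusting it"]
    return []


def triage(log_text, expected_hosts=frozenset()):
    """Return one Finding per log line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if (m := O4_RE.match(line)):
            reasons = check_o4(m)
        elif (m := R_RE.match(line)):
            reasons = check_r(m, expected_hosts)
        elif (m := O23_RE.match(line)):
            reasons = check_o23(m)
        else:
            continue
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, expected_hosts={"home.peoplepc.com"}):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run as-is it reports five of the eight sample lines: the two bare-filename O4 entries (windir32.exe collecting all three O4 reasons), the ezwebsearching.com search URL, the localhost:8080 proxy and the Dell service with no vendor string, while the Dell QuickSet, AIM and peoplepc.com lines pass. The F-Prot alerts on `C:\System Volume Information\_restore{...}` are outside what this script looks at: those paths are System Restore snapshots of files that were already removed elsewhere, and they stay there until the restore points are purged.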
  • vanagon40 Indiana Member
    edited October 2005
    Bump to toggle SVT help needed. (Didn't work. I'll bet SM still thinks I'm an SVT expert.)
  • edited October 2005
    Funny, but help will come in time; wait you must indeed.