Solved

Virus - Can't nail it down: winlogon, and wmiprvse - HELP!

Posted on 2006-04-21
Last Modified: 2013-12-04
I am sure I have a virus.  I have searched the archives and tried all kinds of stuff, but I have not had much success, except that I can now get into windows again.  However, I keep getting errors that WINLOGON is trying to send email.

I have tried:  hijackthis, ad-aware, ewido, trend-micro, and more...

After several tries, my last boot into windows, had EWIDO warning about file.  I did not write it down.

Can anyone help me?  Here is my last hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:52:35 AM, on 4/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Temp\Dload\Spyware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: CIEPl Object - {0612F71E-934B-4D92-B8E8-2E29EA78EB03} - C:\WINDOWS\SYSTEM32\service.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145555080702
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = <edited for sec>
O17 - HKLM\Software\..\Telephony: DomainName = <edited for sec>
O17 - HKLM\System\CCS\Services\Tcpip\..\{822F068E-3B2B-4AB1-A625-894FC7B924A2}: NameServer = <edited for sec>
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = <edited for sec>
O17 - HKLM\System\CS1\Services\Tcpip\..\{822F068E-3B2B-4AB1-A625-894FC7B924A2}: NameServer = <edited for sec>
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = <edited for sec>
O17 - HKLM\System\CS2\Services\Tcpip\..\{822F068E-3B2B-4AB1-A625-894FC7B924A2}: NameServer = <edited for sec>
O20 - Winlogon Notify: bhohxmfd - C:\WINDOWS\SYSTEM32\bhohxmfd.dll
O20 - Winlogon Notify: btrcndqg - C:\WINDOWS\SYSTEM32\btrcndqg.dll
O20 - Winlogon Notify: cfacomab - C:\WINDOWS\SYSTEM32\cfacomab.dll
O20 - Winlogon Notify: dauiadjv - C:\WINDOWS\SYSTEM32\dauiadjv.dll
O20 - Winlogon Notify: dltmsuht - C:\WINDOWS\SYSTEM32\dltmsuht.dll
O20 - Winlogon Notify: dmlkkgcc - C:\WINDOWS\SYSTEM32\dmlkkgcc.dll
O20 - Winlogon Notify: evsipgim - C:\WINDOWS\SYSTEM32\evsipgim.dll
O20 - Winlogon Notify: fqldvtll - C:\WINDOWS\SYSTEM32\fqldvtll.dll
O20 - Winlogon Notify: fyhxcmjn - C:\WINDOWS\SYSTEM32\fyhxcmjn.dll
O20 - Winlogon Notify: gagxygus - C:\WINDOWS\SYSTEM32\gagxygus.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: iuafejvc - C:\WINDOWS\SYSTEM32\iuafejvc.dll
O20 - Winlogon Notify: iukqmhhh - C:\WINDOWS\SYSTEM32\iukqmhhh.dll
O20 - Winlogon Notify: jmpnshtr - C:\WINDOWS\SYSTEM32\jmpnshtr.dll
O20 - Winlogon Notify: lcrgnvwb - C:\WINDOWS\SYSTEM32\lcrgnvwb.dll
O20 - Winlogon Notify: ldwffpgd - C:\WINDOWS\SYSTEM32\ldwffpgd.dll
O20 - Winlogon Notify: lyvdtvne - C:\WINDOWS\SYSTEM32\lyvdtvne.dll
O20 - Winlogon Notify: mroomisi - C:\WINDOWS\SYSTEM32\mroomisi.dll
O20 - Winlogon Notify: octvqcra - C:\WINDOWS\SYSTEM32\octvqcra.dll
O20 - Winlogon Notify: qdrbfdhq - C:\WINDOWS\SYSTEM32\qdrbfdhq.dll
O20 - Winlogon Notify: seoepwdd - C:\WINDOWS\SYSTEM32\seoepwdd.dll
O20 - Winlogon Notify: service - C:\WINDOWS\SYSTEM32\service.dll
O20 - Winlogon Notify: tlgyixlo - C:\WINDOWS\SYSTEM32\tlgyixlo.dll
O20 - Winlogon Notify: upmabypo - C:\WINDOWS\SYSTEM32\upmabypo.dll
O20 - Winlogon Notify: utsoisal - C:\WINDOWS\SYSTEM32\utsoisal.dll
O20 - Winlogon Notify: vmgvpoul - C:\WINDOWS\SYSTEM32\vmgvpoul.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: xctklerm - C:\WINDOWS\SYSTEM32\xctklerm.dll
O20 - Winlogon Notify: xqqqiyek - C:\WINDOWS\SYSTEM32\xqqqiyek.dll
O20 - Winlogon Notify: ydygdpci - C:\WINDOWS\SYSTEM32\ydygdpci.dll
O20 - Winlogon Notify: yilwmjnd - C:\WINDOWS\SYSTEM32\yilwmjnd.dll
O20 - Winlogon Notify: yjnxyhox - C:\WINDOWS\SYSTEM32\yjnxyhox.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Thanks in advance,
Scott
Question by:sddavis
12 Comments
 

Accepted Solution

by:
r-k earned 2000 total points
ID: 16509672
OK, I posted your log to http://www.hijackthis.de/ and here is the analyzed page:

 http://www.hijackthis.de/logfiles/8162635dce2815d631f5927c54cb2e56.html

You have a bunch of nasties there. I would start by having HJT fix all those O20 Winlogon entries that are marked as "Unknown"

Then reboot, run HJT again, paste the results to http://www.hijackthis.de/ (not here), click on "Analyze" then click "Save Analysis" on the next page, and post a link to the saved page.
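As an added example (not HijackThis code, and not part of r-k's answer), here is a small Python triage script that applies the advice above to the O20 section of a log: it parses the O20 and O2 lines, skips an allowlist of Notify packages this example assumes to be benign (the Windows XP defaults plus the Intel graphics package), and flags entries whose subkey name is eight generated-looking lowercase letters, whose DLL is missing, or whose DLL is also registered as a BHO, which is the case for service.dll in the log posted in the question. The sample lines are copied from that log.

```python
"""Triage the O20 (Winlogon Notify) section of a HijackThis log.

Added example for this thread; it is not HijackThis code and not part of the
original answer. The allowlist of benign Notify packages is an assumption made
by this example, not something the thread states.
"""
import ntpath
import re

# Lines taken from the log posted in the question (the two O2 lines and five
# of the O20 lines), used here as sample input.
SAMPLE_LOG = r"""
O2 - BHO: CIEPl Object - {0612F71E-934B-4D92-B8E8-2E29EA78EB03} - C:\WINDOWS\SYSTEM32\service.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O20 - Winlogon Notify: bhohxmfd - C:\WINDOWS\SYSTEM32\bhohxmfd.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: service - C:\WINDOWS\SYSTEM32\service.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: xqqqiyek - C:\WINDOWS\SYSTEM32\xqqqiyek.dll
"""

O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")

# Assumed allowlist: Notify packages that ship with Windows XP, plus the Intel
# graphics driver package seen in the log. Anything else gets examined, never
# auto-deleted.
ALLOWLIST = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
             "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}

# Eight lowercase letters with no recognisable structure is the naming pattern
# the log shows (bhohxmfd, xqqqiyek, ...).
GENERATED_NAME_RE = re.compile(r"[a-z]{8}")


def parse_hjt(log_text):
    """Return (notify_entries, bho_entries) parsed from HJT log text."""
    notify, bho = [], []
    for line in log_text.strip().splitlines():
        m = O20_RE.match(line)
        if m:
            notify.append({"name": m["name"], "path": m["path"],
                           "missing": m["missing"] is not None})
            continue
        m = O2_RE.match(line)
        if m:
            bho.append({"desc": m["desc"], "clsid": m["clsid"], "path": m["path"]})
    return notify, bho


def triage_notify(log_text):
    """List Notify packages worth a closer look, each with the reasons found."""
    notify, bho = parse_hjt(log_text)
    bho_dlls = {ntpath.basename(b["path"]).lower() for b in bho}
    findings = []
    for entry in notify:
        if entry["name"].lower() in ALLOWLIST:
            continue
        reasons = []
        if entry["missing"]:
            reasons.append("registered DLL is missing (orphaned key)")
        if GENERATED_NAME_RE.fullmatch(entry["name"]):
            reasons.append("eight random lowercase letters, typical of generated names")
        dll = ntpath.basename(entry["path"]).lower()
        if dll in bho_dlls:
            reasons.append("same DLL is also registered as an IE BHO (O2)")
        if reasons:
            findings.append({"name": entry["name"], "path": entry["path"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_notify(SAMPLE_LOG):
        print(f"{f['name']:<12} {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Run against the full log from the question, the script lists every one of the random-named O20 entries, the orphaned WRNotifier key, and service.dll with the BHO cross-reference, while leaving igfxcui alone; the "fix" decision still belongs to the person reading the output.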
 

Author Comment

by:sddavis
ID: 16509877
Thanks for the quick reply...

SUMMARY: I DID check the fix (delete) in HJT, but they just keep reappearing.  Even after a reboot.  I suspect that whatever I have is associated with these entries?

Of note is that when I ran ewido again, it found the corresponding DLLs in /windows/system32.  They were deleted by ewido, but came back after a reboot!  Back to step A.

ALSO, when I go back into normal windows mode ewido says:
The name of the dll
Infection: Not-A-Virus.SpamTool.Win32.Agent.f

ALSO, I cannot remove them from the alert screen, I have to ignore to continue into windows...

What else can I do?  Need more information?  Let me know, and I will gladly do it.

Thanks,
Scott
 

Author Comment

by:sddavis
ID: 16510380
ok! Update...

Here is the new HJT analysis:
http://www.hijackthis.de/logfiles/24abf2bc4c6c06a2902855cc6a96bd88.html

I downloaded TRemover and ran it.  Upon restart (I had to ignore ewido warnings) TRemover found the DLLs and after a full scan renamed them and removed them.  

I was then able to use HJT again, and remove the O20 entries as you have suggested.

Upon reboot, no warnings...

HOWEVER, does that mean I am all set?  What else should I do?  NONE of the programs really found it except TRemover, and ewido (although ewido could not remove it).

Also, I had to reinstall my network card (just drivers).  I have no idea why, but afterwards I was back up.

What else do I need to do?

Thanks,
Scott
 

Expert Comment

by:r-k
ID: 16510503
It's looking very good. I would say you are free of the problem now.

I am a bit confused by the O17 (tcpip) entries. Are they blank because you removed the addresses?

Even with that I think you're OK. The Userinit entry is normal.
 

Expert Comment

by:r-k
ID: 16510548
If you want to be extra sure, you can do the following:

(1) Download Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html

(2) Run the program. It lists a bunch of things that start when Windows starts.

(3) From the menu bar, select Options, and uncheck "Include Empty Locations" and check "Hide Microsoft Entries"

(4) This will give you a shorter, more meaningful list.

Examine the list for anything odd. If unsure, post the relevant part of the log here, or the entire log if you wish.

Good luck.

 

Author Comment

by:sddavis
ID: 16510970
The tcpip entries were the same before I removed the addresses.  However, I am not against removing them.  Should I try that?

I'll do your last over the weekend, as work is killing me right now...

NEW: I am now getting "WMIPRVSE.EXE" error...

I have looked that up and it sounds suspicious as well...  

Any quick ideas?

 

Expert Comment

by:r-k
ID: 16511412
No, don't worry about the tcp/ip addresses. They seem fine.

Re. wmiprvse.exe, that is normally a legit windows file, so long as it is in the folder c:\windows\system32\wbem\

What exact error message are you getting?

Can you search your disk to see if the file is there in some other folder (that would indicate a virus) ?
 

Author Comment

by:sddavis
ID: 16511532
wmiprvse.exe locations:

wmiprvsd.dll (c:\i386) 427kb
wmiprvse.dll (c:\i386) 213kb
WMIPRVSE.EXE-0D449B4F.pf (c:\windows\prefetch) 23kb
wmiprvsd.dll (c:\windows\system32\dllcache) 427kb
wmiprvse.exe (c:\windows\system32\dllcache) 213kb
WMIPRVSD.DLL (c:\windows\system32\wbem) 427kb
WMIPRVSE.EXE (c:\windows\system32\wbem) 213kb

Anything to worry about?  I read on archive that anywhere but (c:\windows\system32\wbem) could be a problem for wmiprvse.exe, and we see that in dllcache here.

Additionally I added the other variants (search = wmiprvs).

Thanks for all so far...
Scott
 

Expert Comment

by:r-k
ID: 16511586
All that looks normal. It is normal to have copies of system files in the dllcache folder. The c:\i386 folder just contains original system files in case you have to reinstall Windows.

Are you still getting some sort of error ?
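The rule r-k applies above (the live wmiprvse.exe belongs in system32\wbem, copies in dllcache and the i386 install source are normal, anything elsewhere needs explaining) is easy to turn into a repeatable check. The following Python is an added example, not from the thread: it takes disk-search hits as (path, size in KB) pairs, keeps only the exact binary name asked about, sorts the hits into live / backup / suspicious, and also flags a backup whose size differs from the live copy. The directory lists are this example's assumptions, and the extra c:\windows\wmiprvse.exe hit is constructed to show what an out-of-place copy looks like; the other hits are the ones Scott posted.

```python
r"""Sort the hits from a disk search for a Windows system binary.

Added example, not from the thread. Live copy in system32\wbem, backups in
dllcache or i386, anything else is reported. Directory lists are assumptions;
the c:\windows\wmiprvse.exe hit is constructed, the rest come from the thread.
"""
import ntpath

LIVE_DIR = r"c:\windows\system32\wbem"              # assumed live location
BACKUP_DIRS = {r"c:\windows\system32\dllcache",     # assumed normal backups
               r"c:\i386"}

# Search results as posted in the thread (sizes in KB), plus one constructed
# out-of-place copy that is NOT in the thread.
SEARCH_HITS = [
    (r"c:\i386\wmiprvsd.dll", 427),
    (r"c:\i386\wmiprvse.dll", 213),
    (r"c:\windows\prefetch\WMIPRVSE.EXE-0D449B4F.pf", 23),
    (r"c:\windows\system32\dllcache\wmiprvsd.dll", 427),
    (r"c:\windows\system32\dllcache\wmiprvse.exe", 213),
    (r"c:\windows\system32\wbem\WMIPRVSD.DLL", 427),
    (r"c:\windows\system32\wbem\WMIPRVSE.EXE", 213),
    (r"c:\windows\wmiprvse.exe", 48),  # constructed example of an odd copy
]


def audit_copies(hits, binary_name, live_dir=LIVE_DIR, backup_dirs=BACKUP_DIRS):
    """Group the hits for one binary into live / backups / suspicious."""
    report = {"live": None, "backups": [], "suspicious": []}
    for path, size_kb in hits:
        directory, base = ntpath.split(path)
        if base.lower() != binary_name.lower():
            continue  # prefetch traces and sibling DLLs are not copies of it
        directory = directory.lower()
        if directory == live_dir:
            report["live"] = (path, size_kb)
        elif directory in backup_dirs:
            report["backups"].append((path, size_kb))
        else:
            report["suspicious"].append((path, size_kb, "outside the expected directories"))
    # A backup should be byte-identical to the live file; a size mismatch is
    # the cheapest hint that it is not.
    if report["live"] is not None:
        live_size = report["live"][1]
        for path, size_kb in report["backups"]:
            if size_kb != live_size:
                report["suspicious"].append((path, size_kb, "size differs from live copy"))
    return report


if __name__ == "__main__":
    for name in ("wmiprvse.exe", "wmiprvsd.dll"):
        rep = audit_copies(SEARCH_HITS, name)
        print(name, "live:", rep["live"], "backups:", len(rep["backups"]))
        for path, size_kb, why in rep["suspicious"]:
            print("  suspicious:", path, f"{size_kb}kb", why)
```

Size is only a first filter; on a real investigation compare hashes (or the file's digital signature) of the live copy and any backup before trusting either.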
 

Author Comment

by:sddavis
ID: 16511607
Yes, the wmiprvse.exe application error is popping up.

I guess I will do some reading this weekend... ;)

0
 

Expert Comment

by:r-k
ID: 16511673
Feel free to post the error message you're getting, and circumstances in which it occurs.
 

Author Comment

by:sddavis
ID: 16512954
Will do, and after coming home tonight...

I forgot to say...

THANK YOU SIR!!!!

Between you and the archives, I was able to get into a working set before close on Friday.

Have a great weekend,  and know that if:
1) you are of age
and
2) you were near me

then

I would be buying you beers all night!

:)

Thanks again,
Scott
