Virus - Can't nail it down: winlogon, and wmiprvse - HELP!

Posted on 2006-04-21
Last Modified: 2013-12-04
I am sure I have a virus.  I have searched the archives and tried all kinds of stuff, but I have not had much success, except that I can now get into windows again.  However, I keep getting errors that WINLOGON is trying to send email.

I have tried:  hijackthis, ad-aware, ewido, trend-micro, and more...

After several tries, my last boot into Windows had EWIDO warning about a file.  I did not write it down.

Can anyone help me?  Here is my last hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:52:35 AM, on 4/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: CIEPl Object - {0612F71E-934B-4D92-B8E8-2E29EA78EB03} - C:\WINDOWS\SYSTEM32\service.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) -
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = <edited for sec>
O17 - HKLM\Software\..\Telephony: DomainName = <edited for sec>
O17 - HKLM\System\CCS\Services\Tcpip\..\{822F068E-3B2B-4AB1-A625-894FC7B924A2}: NameServer = <edited for sec>
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = <edited for sec>
O17 - HKLM\System\CS1\Services\Tcpip\..\{822F068E-3B2B-4AB1-A625-894FC7B924A2}: NameServer = <edited for sec>
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = <edited for sec>
O17 - HKLM\System\CS2\Services\Tcpip\..\{822F068E-3B2B-4AB1-A625-894FC7B924A2}: NameServer = <edited for sec>
O20 - Winlogon Notify: bhohxmfd - C:\WINDOWS\SYSTEM32\bhohxmfd.dll
O20 - Winlogon Notify: btrcndqg - C:\WINDOWS\SYSTEM32\btrcndqg.dll
O20 - Winlogon Notify: cfacomab - C:\WINDOWS\SYSTEM32\cfacomab.dll
O20 - Winlogon Notify: dauiadjv - C:\WINDOWS\SYSTEM32\dauiadjv.dll
O20 - Winlogon Notify: dltmsuht - C:\WINDOWS\SYSTEM32\dltmsuht.dll
O20 - Winlogon Notify: dmlkkgcc - C:\WINDOWS\SYSTEM32\dmlkkgcc.dll
O20 - Winlogon Notify: evsipgim - C:\WINDOWS\SYSTEM32\evsipgim.dll
O20 - Winlogon Notify: fqldvtll - C:\WINDOWS\SYSTEM32\fqldvtll.dll
O20 - Winlogon Notify: fyhxcmjn - C:\WINDOWS\SYSTEM32\fyhxcmjn.dll
O20 - Winlogon Notify: gagxygus - C:\WINDOWS\SYSTEM32\gagxygus.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: iuafejvc - C:\WINDOWS\SYSTEM32\iuafejvc.dll
O20 - Winlogon Notify: iukqmhhh - C:\WINDOWS\SYSTEM32\iukqmhhh.dll
O20 - Winlogon Notify: jmpnshtr - C:\WINDOWS\SYSTEM32\jmpnshtr.dll
O20 - Winlogon Notify: lcrgnvwb - C:\WINDOWS\SYSTEM32\lcrgnvwb.dll
O20 - Winlogon Notify: ldwffpgd - C:\WINDOWS\SYSTEM32\ldwffpgd.dll
O20 - Winlogon Notify: lyvdtvne - C:\WINDOWS\SYSTEM32\lyvdtvne.dll
O20 - Winlogon Notify: mroomisi - C:\WINDOWS\SYSTEM32\mroomisi.dll
O20 - Winlogon Notify: octvqcra - C:\WINDOWS\SYSTEM32\octvqcra.dll
O20 - Winlogon Notify: qdrbfdhq - C:\WINDOWS\SYSTEM32\qdrbfdhq.dll
O20 - Winlogon Notify: seoepwdd - C:\WINDOWS\SYSTEM32\seoepwdd.dll
O20 - Winlogon Notify: service - C:\WINDOWS\SYSTEM32\service.dll
O20 - Winlogon Notify: tlgyixlo - C:\WINDOWS\SYSTEM32\tlgyixlo.dll
O20 - Winlogon Notify: upmabypo - C:\WINDOWS\SYSTEM32\upmabypo.dll
O20 - Winlogon Notify: utsoisal - C:\WINDOWS\SYSTEM32\utsoisal.dll
O20 - Winlogon Notify: vmgvpoul - C:\WINDOWS\SYSTEM32\vmgvpoul.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: xctklerm - C:\WINDOWS\SYSTEM32\xctklerm.dll
O20 - Winlogon Notify: xqqqiyek - C:\WINDOWS\SYSTEM32\xqqqiyek.dll
O20 - Winlogon Notify: ydygdpci - C:\WINDOWS\SYSTEM32\ydygdpci.dll
O20 - Winlogon Notify: yilwmjnd - C:\WINDOWS\SYSTEM32\yilwmjnd.dll
O20 - Winlogon Notify: yjnxyhox - C:\WINDOWS\SYSTEM32\yjnxyhox.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Thanks in advance,
Question by:sddavis
    LVL 32

    Accepted Solution

    OK, I posted your log to and here is the analyzed page:

    You have a bunch of nasties there. I would start by having HJT fix all those O20 Winlogon entries that are marked as "Unknown"

    Then reboot, run HJT again, paste the results to (not here), click on "Analyze" then click "Save Analysis" on the next page, and post a link to the saved page.
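    A defender-side triage of the O20 lines the expert points at, added here as an example and not part of the thread or of HijackThis itself: it parses lines in HJT 1.99.1 format and flags Winlogon Notify entries by three heuristics (a name of eight random lowercase letters, a DLL that is also registered as an O2 BHO, a "file missing" marker). The heuristics are my assumptions, not the analyzer site's "Unknown" rule; the sample lines are copied from the log above.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log in the
# question, in HJT v1.99.1 format (not the whole log).
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: CIEPl Object - {0612F71E-934B-4D92-B8E8-2E29EA78EB03} - C:\WINDOWS\SYSTEM32\service.dll",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O20 - Winlogon Notify: bhohxmfd - C:\WINDOWS\SYSTEM32\bhohxmfd.dll",
    r"O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll",
    r"O20 - Winlogon Notify: service - C:\WINDOWS\SYSTEM32\service.dll",
    r"O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)",
])

# O20 line: name, DLL path, optional "(file missing)" marker appended by HJT.
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+?)(?: \((file missing)\))?$")
# O2 line: we only need the DLL path after the CLSID.
O2_RE = re.compile(r"^O2 - BHO: .+ - \{[0-9A-Fa-f-]+\} - (.+)$")
# Assumed heuristic: the generated names in this log are exactly 8 lowercase letters.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}$")


def triage_winlogon_notify(log_text):
    """Return {entry_name: [reasons]} for O20 entries worth a closer look."""
    bho_dlls = set()
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            bho_dlls.add(m.group(1).strip().lower())

    findings = {}
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if not m:
            continue
        name, dll, missing = m.group(1), m.group(2).strip(), m.group(3)
        reasons = []
        if RANDOM_NAME_RE.match(name):
            reasons.append("name is eight random lowercase letters")
        if dll.lower() in bho_dlls:
            reasons.append("same DLL is also loaded as an IE BHO (O2 line)")
        if missing:
            reasons.append("registered DLL is no longer on disk (stale entry)")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, why in triage_winlogon_notify(SAMPLE_LOG).items():
        print(name, "->", "; ".join(why))
```

    Run against the full log above, the same rules single out every eight-letter entry plus service.dll and the missing WRNotifier, and leave igfxcui (the Intel graphics notify DLL) alone.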

    Author Comment

    Thanks for the quick reply...

    SUMMARY: I DID check the fix (delete) in HJT, but they just keep reappearing.  Even after a reboot.  I suspect that whatever I have is associated with these entries?

    Of note is that when I ran ewido again, it found the corresponding DLLs in /windows/system32.  They were deleted by ewido, but came back after a reboot!  Back to step A.

    ALSO, when I go back into normal windows mode ewido says:
    The name of the dll
    Infection: Not-A-Virus.SpamTool.Win32.Agent.f

    ALSO, I cannot remove them from the alert screen, I have to ignore to continue into Windows...

    What else can I do?  Need more information?  Let me know, and I will gladly do it.


    Author Comment

    ok! Update...

    Here is the new HJT analysis:

    I downloaded TRemover and ran it.  Upon restart (I had to ignore ewido warnings) TRemover found the DLLs and after a full scan renamed them and removed them.

    I was then able to use HJT again, and remove the O20 entries as you have suggested.

    Upon reboot, no warnings...

    HOWEVER, does that mean I am all set?  What else should I do?  NONE of the programs really found it except TRemover, and ewido (although ewido could not remove it).

    Also, I had to reinstall my network card (just drivers).  I have no idea why, but afterwards I was back up.

    What else do I need to do?

    LVL 32

    Expert Comment

    It's looking very good. I would say you are free of the problem now.

    I am a bit confused by the O17 (tcpip) entries. Are they blank because you removed the addresses?

    Even with that I think you're OK. The Userinit entry is normal.
    LVL 32

    Expert Comment

    If you want to be extra sure, you can do the following:

    (1) Download Autoruns from:

    (2) Run the program. It lists a bunch of things that start when Windows starts.

    (3) From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"

    (4) This will give you a shorter, more meaningful list.

    Examine the list for anything odd. If unsure, post the relevant part of the log here, or the entire log if you wish.

    Good luck.


    Author Comment

    The tcpip entries were the same before I removed the addresses.  However, I am not against removing them.  Should I try that?

    I'll do your last over the weekend, as work is killing me right now...

    NEW: I am now getting "WMIPRVSE.EXE" error...

    I have looked that up and it sounds suspicious as well...

    Any quick ideas?

    LVL 32

    Expert Comment

    No, don't worry about the tcp/ip addresses. They seem fine.

    Re. wmiprvse.exe, that is normally a legit windows file, so long as it is in the folder c:\windows\system32\wbem\

    What exact error message are you getting?

    Can you search your disk to see if the file is there in some other folder (that would indicate a virus) ?

    Author Comment

    wmiprvse.exe locations:

    wmiprvsd.dll (c:\i386) 427kb
    wmiprvse.dll (c:\i386) 213kb (c:\windows\prefetch) 23kb
    wmiprvsd.dll (c:\windows\system32\dllcache) 427kb
    wmiprvse.exe (c:\windows\system32\dllcache) 213kb
    WMIPRVSD.DLL (c:\windows\system32\wbem) 427kb
    WMIPRVSE.EXE (c:\windows\system32\wbem) 213kb

    Anything to worry about?  I read in the archives that anywhere but (c:\windows\system32\wbem) could be a problem for wmiprvse.exe, and we see that in dllcache here.

    Additionally I added the other variants (search = wmiprvs).

    Thanks for all so far...
    LVL 32

    Expert Comment

    All that looks normal. It is normal to have copies of system files in the dllcache folder. The c:\i386 folder just contains original system files in case you have to reinstall Windows.

    Are you still getting some sort of error ?

    Author Comment

    Yes, the wmiprvse.exe application error is popping up.

    I guess I will do some reading this weekend... ;)

    LVL 32

    Expert Comment

    Feel free to post the error message you're getting, and circumstances in which it occurs.

    Author Comment

    Will do, and after coming home tonight...

    I forgot to say...


    Between you and the archives, I was able to get into a working set before close on Friday.

    Have a great weekend, and know that if:
    1) you are of age
    2) you were near me

    I would be buying you beers all night!


    Thanks again,
