Virus - Can't nail it down: winlogon, and wmiprvse - HELP!

I am sure I have a virus.  I have searched the archives and tried all kinds of stuff, but I have not had much success, except that I can now get into windows again.  However, I keep getting errors that WINLOGON is trying to send email.

I have tried:  hijackthis, ad-aware, ewido, trend-micro, and more...

After several tries, my last boot into windows, had EWIDO warning about file.  I did not write it down.

Can anyone help me?  Here is my last hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:52:35 AM, on 4/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: CIEPl Object - {0612F71E-934B-4D92-B8E8-2E29EA78EB03} - C:\WINDOWS\SYSTEM32\service.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) -
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = <edited for sec>
O17 - HKLM\Software\..\Telephony: DomainName = <edited for sec>
O17 - HKLM\System\CCS\Services\Tcpip\..\{822F068E-3B2B-4AB1-A625-894FC7B924A2}: NameServer = <edited for sec>
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = <edited for sec>
O17 - HKLM\System\CS1\Services\Tcpip\..\{822F068E-3B2B-4AB1-A625-894FC7B924A2}: NameServer = <edited for sec>
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = <edited for sec>
O17 - HKLM\System\CS2\Services\Tcpip\..\{822F068E-3B2B-4AB1-A625-894FC7B924A2}: NameServer = <edited for sec>
O20 - Winlogon Notify: bhohxmfd - C:\WINDOWS\SYSTEM32\bhohxmfd.dll
O20 - Winlogon Notify: btrcndqg - C:\WINDOWS\SYSTEM32\btrcndqg.dll
O20 - Winlogon Notify: cfacomab - C:\WINDOWS\SYSTEM32\cfacomab.dll
O20 - Winlogon Notify: dauiadjv - C:\WINDOWS\SYSTEM32\dauiadjv.dll
O20 - Winlogon Notify: dltmsuht - C:\WINDOWS\SYSTEM32\dltmsuht.dll
O20 - Winlogon Notify: dmlkkgcc - C:\WINDOWS\SYSTEM32\dmlkkgcc.dll
O20 - Winlogon Notify: evsipgim - C:\WINDOWS\SYSTEM32\evsipgim.dll
O20 - Winlogon Notify: fqldvtll - C:\WINDOWS\SYSTEM32\fqldvtll.dll
O20 - Winlogon Notify: fyhxcmjn - C:\WINDOWS\SYSTEM32\fyhxcmjn.dll
O20 - Winlogon Notify: gagxygus - C:\WINDOWS\SYSTEM32\gagxygus.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: iuafejvc - C:\WINDOWS\SYSTEM32\iuafejvc.dll
O20 - Winlogon Notify: iukqmhhh - C:\WINDOWS\SYSTEM32\iukqmhhh.dll
O20 - Winlogon Notify: jmpnshtr - C:\WINDOWS\SYSTEM32\jmpnshtr.dll
O20 - Winlogon Notify: lcrgnvwb - C:\WINDOWS\SYSTEM32\lcrgnvwb.dll
O20 - Winlogon Notify: ldwffpgd - C:\WINDOWS\SYSTEM32\ldwffpgd.dll
O20 - Winlogon Notify: lyvdtvne - C:\WINDOWS\SYSTEM32\lyvdtvne.dll
O20 - Winlogon Notify: mroomisi - C:\WINDOWS\SYSTEM32\mroomisi.dll
O20 - Winlogon Notify: octvqcra - C:\WINDOWS\SYSTEM32\octvqcra.dll
O20 - Winlogon Notify: qdrbfdhq - C:\WINDOWS\SYSTEM32\qdrbfdhq.dll
O20 - Winlogon Notify: seoepwdd - C:\WINDOWS\SYSTEM32\seoepwdd.dll
O20 - Winlogon Notify: service - C:\WINDOWS\SYSTEM32\service.dll
O20 - Winlogon Notify: tlgyixlo - C:\WINDOWS\SYSTEM32\tlgyixlo.dll
O20 - Winlogon Notify: upmabypo - C:\WINDOWS\SYSTEM32\upmabypo.dll
O20 - Winlogon Notify: utsoisal - C:\WINDOWS\SYSTEM32\utsoisal.dll
O20 - Winlogon Notify: vmgvpoul - C:\WINDOWS\SYSTEM32\vmgvpoul.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O20 - Winlogon Notify: xctklerm - C:\WINDOWS\SYSTEM32\xctklerm.dll
O20 - Winlogon Notify: xqqqiyek - C:\WINDOWS\SYSTEM32\xqqqiyek.dll
O20 - Winlogon Notify: ydygdpci - C:\WINDOWS\SYSTEM32\ydygdpci.dll
O20 - Winlogon Notify: yilwmjnd - C:\WINDOWS\SYSTEM32\yilwmjnd.dll
O20 - Winlogon Notify: yjnxyhox - C:\WINDOWS\SYSTEM32\yjnxyhox.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

Thanks in advance,
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

OK, I posted your log to and here is the analyzed page:

You have a bunch of nasties there. I would start by having HJT fix all those O20 Winlogon entries that are marked as "Unknown"

Then reboot, run HJT again, paste the results to (not here), click on "Analyze" then click "Save Analysis" on the next page, and post a link to the saved page.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
sddavisAuthor Commented:
Thanks for the quick reply...

SUMMARY: I DID check the fic (delete) in HJT, but they just keep reappearing.  Even after a reboot.  I suspect that whatever I have, is  associated with these entries?

Of note is that when I ran ewido again, it found the corrisponding DLLs in /windows/system32.  They were deleted by ewido, but came back after a reboot!  BAck to step A.

ALSO, when I go back into normal windows mode ewido says:
The name of the dll
Infection: Not-A-Virus.SpamTool.Win32.Agent.f

ALSO, I cannot remove them from the alter screen, I have to ignore to continue into windows...

What else can I do?  Need more information?  Let me know, and I will gladly do it.

sddavisAuthor Commented:
ok! Update...

Here is the New HJT anaysis:

I downloaded TRemover and ran it.  Upon restart (I had to ignore ewido warnings) TRemover found the DLLs and after a full scan renamed them and removed them.  

I was then able to use HJT again, and remove the 020 entries as you have suggested.

Upon reboot, no warnings...

HOWEVER, does that mean I am all set?  What else should I do?  NONE of the programs really found it except TRemover, and ewido (although ewido could not remove it).

Also, I had to reinstall my network card (just drivers).  I have no idea why, but afterwards I was back up.

What else do I need to do?

ON-DEMAND: 10 Easy Ways to Lose a Password

Learn about the methods that hackers use to lift real, working credentials from even the most security-savvy employees in this on-demand webinar. We cover the importance of multi-factor authentication and how these solutions can better protect your business!

It's looking very good. I would say you are free of the problem now.

I am a bit confused by the O17 (tcpip) entries. Are they blank because you removed the addresses?

Even with that I think you're OK. The Userinit entry is normal.
If you want to be extra sure, you can do the following:

(1) Download Autoruns from:

(2) Run the program. It lists a bunch of things that start when Windows starts.

(3) From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"

(4) This will give you a shorter, more meaningful list.

Examine the list for anything odd. If unsure, post the relevant part of the log here, or the entire log if you wish.

Good luck.

sddavisAuthor Commented:
The tcpip entries were the same before I removed the addresses.  However, I am not against removing them.  Should I try that?

I'll do your last over the weekend, as wok is killing right now...

NEW: I am now getting "WMIPRVSE.EXE" error...

I have looked that up and it sounds suspicious as well...  

Any quick ideas?

No, don't worry about the tcp/ip addresses. They seem fine.

Re. wmiprvse.exe, that is normally a legit windows file, so long as it is in the folder c:\windows\system32\wbem\

What exact error message are you getting?

Can you search your disk to see if the file is there in some other folder (that would indicate a virus) ?
sddavisAuthor Commented:
wmiprvse.exe locations:

wmiprvsd.dll (c:\i386) 427kb
wmiprvse.dll (c:\i386) 213kb (c:\windows\prefetch) 23kb
wmiprvsd.dll (c:\windows\system32\dllcache) 427kb
wmiprvse.exe (c:\windows\system32\dllcache) 213kb
WMIPRVSD.DLL (c:\windows\system32\wbem) 427kb
WMIPRVSE.EXE (c:\windows\system32\wbem) 213kb

Anything to worry about?  I read on archive that anywhere but (c:\windows\system32\wbem) could be a problem for wmiprvse.exe, and we see that in dllchache here.

Additionally I added the other variants (search = wmiprvs).

Thanks for all so far...
All that looks normal. It is normal to have copies of system files in the dllcache folder. The c:\i386 folder just contains original system files in case you have to reinstall Windows.

Are you still getting some sort of error ?
sddavisAuthor Commented:
Yes, the wmiprvse.exe application error is popping up.

I guess I will do some reading this weekend... ;)

Feel free to post the error message you're getting, and circumstances in which it occurs.
sddavisAuthor Commented:
Will do, and after coming hom tonight...

I forgot to say...


Between you and the archives, I was able to get into a working set before close on Friday.

Have a great weekend,  and know that if:
1) you are fo age
2) you were near me


I wouold be buying you beers all night!


Thanks again,
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.