runwin32.exe and wininet32.exe have taken over

Discussion in 'malware problems & news' started by markp03, Jun 25, 2004.

Thread Status:
Not open for further replies.
  1. markp03

    markp03 Registered Member

    Joined:
    Apr 21, 2004
    Posts:
    11
    OK, I need help getting rid of runwin32.exe and wininet32.exe. I have run Ad-aware 6, Spybot and CWShredder.
    I can't even open a Word document to show you my HijackThis log!!! Please help!
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi markp03,

    Without seeing a HijackThis log it's a little more difficult to know what else is running, but let's try this first. Boot your computer into safe mode by tapping the F8 key just before Windows begins to load.

    Find and delete these files:
    C:\WINDOWS\RUNWIN32.EXE
    C:\WINDOWS\WININET32.EXE

    Then if you have an antivirus, try and run it while in safe mode.
    You can also run CWShredder in safe mode.

    Then open IE --> Tools --> Options --> Connections, and untick "use a proxy server" (runwin32.exe uses a proxy server).

    Reboot normally and go do a FULL system online scan:
    Panda
    Trendmicro's Housecall
    Symantec

    For additional cleaning instructions:
    http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.allight.html

    Try and post a hijackthis log and we'll see what's still left.

    Regards,

    snap


    Note, I may move this thread to another location after we see a hijackthis log, but I'll wait for that. Either way, there will be a marker here pointing to the thread.
     
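    The steps above (find the two files, check what is set to autostart, verify the proxy setting) are done by hand in this thread. As an added example that is not part of the thread and not a HijackThis feature, the script below parses the O4 (autostart) lines of a HijackThis log and flags the entries a helper would look at first: a file name matching the two named in this thread, an executable sitting directly in the Windows directory root (where RUNWIN32.EXE and WININET32.EXE were), or a bare file name that Windows resolves via the search path. Assumptions: %WINDIR% is C:\WINDOWS (the XP default in the posted log), and the last two O4 lines of the sample are constructed, with hypothetical value names, to show how the runwin32/wininet32 autostarts would look if they were still present; the other sample lines are copied from markp03's log.

```python
r"""Triage the O4 (autostart) lines of a HijackThis log.

Added example for this thread; not a HijackThis feature and not something
either poster ran.  Assumes %WINDIR% is C:\WINDOWS (XP default seen in the
posted log).  The last two O4 lines of SAMPLE_LOG are constructed
(hypothetical value names) for C:\WINDOWS\RUNWIN32.EXE and
C:\WINDOWS\WININET32.EXE, the two files named in the thread.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# File names taken from this thread; matched case-insensitively.
WATCHLIST = {"runwin32.exe", "wininet32.exe"}

# Loaders whose real payload is the DLL named on the command line.
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}

EXECUTABLE_EXT = r"\.(?:exe|com|dll|scr|bat|cmd|pif)"

# "O4 - HKLM\..\Run: [Name] command"  and  "O4 - Global Startup: X.lnk = target"
REG_RUN_RE = re.compile(r"^O4 - (?P<where>HK[A-Z]+\\\.\.\\[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.*?) = (?P<cmd>.*)$")

# Constructed sample: O4 lines from the log posted in this thread, followed by
# two constructed lines (runwin32 / wininet32) and one non-O4 line to skip.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKCU\..\Run: [FreeRAM XP] "D:\stuFF\setup files\FreeRAM XP Pro 1.40.exe" -win
O4 - Global Startup: LimeWire 3.8.10.lnk = D:\Program Files\LimeWire\3.8.10\LimeWire.exe
O4 - HKLM\..\Run: [runwin32] C:\WINDOWS\RUNWIN32.EXE
O4 - HKCU\..\Run: [wininet32] C:\WINDOWS\WININET32.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
"""


class Entry(NamedTuple):
    where: str    # registry key or startup folder
    name: str     # value name or shortcut name
    image: str    # executable Windows will start
    args: str     # remaining command-line arguments
    target: str   # what actually gets code execution (DLL for loaders, else image)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def dirname(path: str) -> str:
    p = path.replace("/", "\\")
    return p.rsplit("\\", 1)[0] if "\\" in p else ""


def split_command(cmd: str) -> Tuple[str, str]:
    """Split a Run value into (image, args).

    Quoted images are taken verbatim.  Unquoted images may contain spaces
    (HijackThis prints the value as stored), so the image is taken to end at
    the first executable extension; a directory named like 'foo.exe' would
    fool this heuristic.
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        if end != -1:
            return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(rf"(?i)(.*?{EXECUTABLE_EXT})\b(.*)$", cmd)
    if m:
        return m.group(1), m.group(2).strip()
    return cmd, ""


def dll_target(image: str, args: str) -> str:
    """For rundll32/regsvr32 return the DLL being loaded, else the image."""
    if basename(image).lower() in DLL_LOADERS:
        for tok in args.split():          # skip switches such as /S
            if not tok.startswith("/"):
                return tok.split(",", 1)[0]   # rundll32 uses 'dll,EntryPoint'
    return image


def parse_o4(line: str) -> Optional[Entry]:
    m = REG_RUN_RE.match(line.strip()) or STARTUP_RE.match(line.strip())
    if not m:
        return None
    image, args = split_command(m.group("cmd"))
    return Entry(m.group("where"), m.group("name"), image, args, dll_target(image, args))


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_o4(l) for l in text.splitlines()) if e is not None]


def triage(entries: List[Entry], windir: str = "C:\\WINDOWS") -> List[Tuple[Entry, str]]:
    """Return (entry, reason) pairs that deserve a second look."""
    findings = []
    for e in entries:
        name = basename(e.target).lower()
        folder = dirname(e.target).rstrip("\\").lower()
        if name in WATCHLIST:
            findings.append((e, "file name matches the infection named in this thread"))
        elif folder == windir.lower():
            findings.append((e, "executable directly in the Windows directory root; verify the vendor"))
        elif folder == "":
            findings.append((e, "bare file name resolved via the search path; check which copy loads"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.where} [{entry.name}] -> {entry.target}: {reason}")
```

    Legitimate entries do get flagged (UpdReg.EXE in the Windows root, CTHELPER.EXE as a bare name); that is the point of the middle two rules: they narrow the log to the lines whose vendor and on-disk location a helper should confirm, rather than decide on their own.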
  3. markp03

    markp03 Registered Member

    Joined:
    Apr 21, 2004
    Posts:
    11
    OK, somehow it shut down my browser, but by some miracle, and by constantly deleting the files that were reinstalling themselves, I got NAV installed and updated and ran it, and it deleted a lot of stuff. Here is my log:
    Logfile of HijackThis v1.97.7
    Scan saved at 11:26:03 PM, on 6/25/2004
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\Smc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Winamp\winampa.exe
    C:\program files\powerstrip\pstrip.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    D:\stuFF\setup files\FreeRAM XP Pro 1.40.exe
    C:\Program Files\Navnt\navapw32.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
    C:\PROGRA~1\Navnt\navapsvc.exe
    C:\PROGRA~1\Navnt\npssvc.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\scagent.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
    C:\PROGRA~1\Navnt\alertsvc.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\JavaSoft\JRE\1.3.1_04\bin\javaw.exe
    C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
    D:\stuFF\hijackthis\HijackThis.exe

    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
    O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
    O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\Navnt\npscheck.exe
    O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\Navnt\defalert.exe
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [FreeRAM XP] "D:\stuFF\setup files\FreeRAM XP Pro 1.40.exe" -win
    O4 - Global Startup: LimeWire 3.8.10.lnk = D:\Program Files\LimeWire\3.8.10\LimeWire.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Navnt\navapw32.exe
    O9 - Extra button: AIM (HKLM)
    O10 - Broken Internet access because of LSP provider 'xfire_lsp.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/mickey/us/win/QuickTimeInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

    I still feel like my computer is running slower now, though... and every second or so a little hourglass pops up next to my cursor like my computer is doing something, but it is not... so I think I am still infected with something. I ran Panda and the other antivirus software.

    thanks
     
  4. markp03

    markp03 Registered Member

    Joined:
    Apr 21, 2004
    Posts:
    11
    I ran the Panda and Trend Micro online scans and they found stuff, but when I try to run the other one a "send bug report" screen pops up and closes all my browser windows.
     
  5. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi markp03,

    I have gone through your log and I am not seeing any sign of infection now. Although I am also not seeing any R0, R1, O2, O3 lines (those are the search and start pages, BHOs and toolbars), which is unusual not to see in a log, but it does happen.

    But to be sure that nothing has altered their being viewable, can you open HijackThis and click on the button in the lower right called "Config..."
    - make sure you do not have a check in the box beside "Ignore non-standard but safe domains in IE"
    - then click on the button called "Ignorelist" and make sure there is nothing listed there. If there is, remove them.

    Use the Disk Cleanup Wizard in XP to clear the Temporary Internet files and Temp Folder files. Go to Start, click Run, and type in cleanmgr and then click "OK" to bring up the Disk Cleanup Wizard.

    Then go to Microsoft's Update Site and download and install ALL Critical Updates listed for XP and IE6. You are seriously behind in your critical updates and many of the dangerous hijackers take advantage of the vulnerabilities in unpatched systems.

    You also have LimeWire, which installs adware on your computer. I would recommend uninstalling it, but this is of course your choice. Here is more information about it: http://www.pestpatrol.com/pestinfo/l/limewire.asp

    Once you have checked the configuration settings in HijackThis, and also updated your system, please post another HijackThis log to be checked.

    Regards,

    snap
     