Update on my OS Reinstall---Problems

Discussion in 'other software & services' started by RIFLEMAN, Mar 24, 2004.

Thread Status:
Not open for further replies.
  1. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Hi guys!! I finally reinstalled my XP operating system in order to get rid of those files I mentioned in my last thread. It went great--I now have over 18 gigs of free space. BUT--here is my problem. I first got back online and went directly to Grisoft to redownload AVG. After it was installed I was immediately hit with the NACHIB worm while trying to download Microsoft's security updates. I figured that AVG had fixed it, but right after going online the second time I got that RPC error with the shutdown that comes after. I finally got all updates from MS, but noticed 100% CPU usage by WINAII.EXE. Sure enough TDS found this trojan. AVG did not, by the way. My problem now is that TDS cannot kill WINAII.EXE or delete it. I can't seem to find much online about it. Any ideas how to kill this sucker? Thanks.
     
  2. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Here's a log of HijackThis---never figured it may be as easy as deleting them through HijackThis?

    Logfile of HijackThis v1.97.7
    Scan saved at 9:15:32 AM, on 3/24/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    C:\Program Files\NetAssistant\bin\mpbtn.exe
    C:\Program Files\TDS3\tds-3.exe
    C:\WINDOWS\msagent\AgentSvr.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\WINDOWS\System32\winaii.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\rob\My Documents\Hijack This\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [Video Proes] winaii.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
    O4 - HKLM\..\RunServices: [Video Proes] winaii.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38069.8501967593
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B6478C7D-E664-4A0F-9F9C-26ABC71831C4}: NameServer = 206.47.244.43 206.47.244.89
     
  3. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    First off you'll need to kill this process
    "C:\WINDOWS\System32\winaii.exe"
    CTRL-ALT-DEL to bring your Task Manager up - Process Tab and kill it

    Start - Settings - Control Panel - Administrative Tools - Services
    In the list locate "winaii.exe" and stop the process from running further on.

    Then the values below need to be removed
    O4 - HKLM\..\Run: [Video Proes] winaii.exe
    O4 - HKLM\..\RunServices: [Video Proes] winaii.exe

    - Then RUN your TDS again and you should be able to KILL it (delete it ) with TDS. Then reboot.
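As an added illustration (not code from this thread, from HijackThis or from TDS), the following Python script parses the "Running processes" and O4 sections of a HijackThis log in the layout quoted above and flags autostart entries that share the traits of the two winaii.exe lines FluxGFX says to remove: a bare filename with no path, the same image registered under more than one autostart location, and use of the RunServices key. It also records whether the image appears in the running process list, since the process has to be stopped before the registry values are removed. The sample log is a constructed subset of the one posted in this thread; the regular expressions and the three heuristics are my own assumptions about the log format, not anything HijackThis itself does.

```python
import re
from collections import Counter

# Constructed sample: a trimmed subset of the "Running processes" block and the
# O4 autostart lines from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\winaii.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Video Proes] winaii.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [Video Proes] winaii.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
"""

# Assumed layout of registry-backed O4 lines: "O4 - HKLM\..\Run: [Name] command"
REG_O4 = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# Assumed layout of startup-folder O4 lines: "O4 - Global Startup: x.lnk = path"
STARTUP_O4 = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")
# Image path at the start of a command line: quoted path, or an unquoted path
# (spaces allowed) up to the first executable extension, or the first token.
IMAGE_RE = re.compile(
    r'^"(?P<q>[^"]+)"|^(?P<p>.+?\.(?:exe|com|scr|pif|bat|cmd))(?=\s|$)|^(?P<t>\S+)',
    re.I,
)


def image_of(cmd):
    """Return the executable path portion of an autostart command line."""
    m = IMAGE_RE.match(cmd.strip())
    return m.group("q") or m.group("p") or m.group("t")


def basename(path):
    """Lower-cased file name without its directory."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_hijackthis(text):
    """Split a log into (running process paths, autostart entry dicts)."""
    processes, autostarts, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False  # blank line ends the process list
            continue
        m = REG_O4.match(line)
        if m:
            autostarts.append({"key": f"{m['hive']}\\..\\{m['key']}", "name": m["name"],
                               "image": image_of(m["cmd"]), "line": line})
            continue
        m = STARTUP_O4.match(line)
        if m:
            autostarts.append({"key": "Global Startup", "name": m["name"],
                               "image": image_of(m["cmd"]), "line": line})
    return processes, autostarts


def find_suspicious_autostarts(text):
    """Return the O4 entries that match the heuristics, with reasons and run state."""
    processes, autostarts = parse_hijackthis(text)
    running = {basename(p) for p in processes}
    per_image = Counter(basename(a["image"]) for a in autostarts)
    findings = []
    for a in autostarts:
        name = basename(a["image"])
        reasons = []
        if "\\" not in a["image"]:
            reasons.append("bare filename without a path (resolved via the system search path)")
        if per_image[name] > 1:
            reasons.append(f"same image registered under {per_image[name]} autostart locations")
        if a["key"].endswith("RunServices"):
            reasons.append("registered in RunServices, a Windows 9x-era key that normal XP installers do not use")
        if reasons:
            findings.append({"line": a["line"], "image": a["image"],
                             "reasons": reasons, "running": name in running})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_autostarts(SAMPLE_LOG):
        state = "RUNNING - stop the process first" if f["running"] else "not running"
        print(f"{f['line']}\n    {state}\n    " + "\n    ".join(f["reasons"]))
```

Run as-is it reports only the two Video Proes entries, each marked as running because winaii.exe appears in the process list, which matches the order of FluxGFX's steps: stop the process, then remove both O4 values, then let TDS delete the file.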
     
  4. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Thanks--and will try it. What the heck is it and how did it hit me so fast?
     
  5. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Very simple: a lot of the new viruses just randomly probe ports, and if the port replies, boom, you're infected. As simple as that.

    Also notice that you have NetAssistant... which ISP ( Internet Service Provider ) are you with ?
     
  6. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Thanks Flux. The net assistant is my Sympatico IP software. I tried your remedy--went to services and could only find "VIDEOPROES" listed. I tried to stop the service and everything froze solid for over 10 minutes. There was 100% CPU usage. It also told me it could not stop the process just before that happened. I restarted in safe mode and disabled it there. I haven't run TDS again yet. Strange I cannot find any info about either reference. I will let you know what happens after TDS.
     
  7. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    OK--after disabling Video Proes in Services while in safe mode, TDS does not detect any problems now. I assume I still have this trojan running in my machine or dormant? Either way how do I get rid of it? Thanks again.
     
  8. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    If you've done the above the next thing I would do is find that file winaii.exe and rename it to winaii.ex_

    ( BTW you can get rid of the Sympatico NetAssistant, it's pretty much useless ) I work at Sympatico :) ( well I should say used to work at Sympatico until I switched over to HP )
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi RIFLEMAN,

    Can you do a Find Files for winaii.exe and mail the file to me please?

    Then repeat the instructions posted by FluxGFX and post a new HijackThis log after rebooting.

    Regards,

    Pieter
     
  10. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Good Idea bro :)
     
  11. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Sure I can send it--if I can find it--lol. How do I find your addy Pieter? I really would like to shake this thing clear of my machine. Like I said--I cannot stop the Videoproes service or pause it. It also refuses disabling unless in safe mode. Trying it in normal mode freezes the machine with CPU usage. If you can show me how to find it--doing a search for files for "winaii.exe" and videoproes but nothing comes up so far. Thanks guys.
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Maybe the file is hidden. Check here how to "unhide" those: http://www.tacktech.com/display.cfm?ttid=192

    My address is in my profile. Click my name beside my post and you will see it.

    Regards,

    Pieter
     
  13. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Ok--found it and sent it. I zipped it to be safe. There is also a prefetch file--do you want that also? Can I delete the file and be rid of the thing ? I asked TDS to scan these files and they come up clean. Please let me know what they are and what you find--I am curious about these things. I know just enough to get in trouble.
     
  14. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    That was easy. It never reached me, but I got this:
    winaii.exe was infected with the malicious virus W32.HLLW.Gaobot.gen and has been
    deleted because the file cannot be cleaned.

    Regards,

    Pieter
     
  15. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    how interesting
     
  16. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    ? Do you mean the Email I sent was cleaned in transit? I still have this file on my machine--just deactivated. I find it strange TDS does not find it, or Trojan Hunter--unless I let the service run. How can I mail it to you without everything being cleaned?
     
  17. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    You won't need to; the Trojan has been identified. What you can do is get a cleaner for it :)

    Removal tool, which can be found here:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.removal.tool.html
     
  18. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    I downloaded and ran the tool from Symantec. It comes up not found also. I read about a few of these "gaobot" trojans and none seem to have the same file names as I still have. Why is nothing detecting this if it is still on my machine?
     
  19. RIFLEMAN

    RIFLEMAN Registered Member

    Joined:
    Feb 1, 2004
    Posts:
    50
    Well--I deleted the files and cleaned the recycle bin. I also went to the services and disabled the hardware profile it ran. I hope I am clean of it and can start with everything fresh. I also tried to send Pieter a copy unzipped because if it was Gaobot.gen--it was acting differently than described at Symantec. Their tool also never found it. Thanks for your time guys.
     
  20. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    If nothing else at least you got your free space back. It is never fun to do an OS reinstall but in some cases there aren't many options.
     