Update on my OS Reinstall---Problems

Hi guys!! I finally reinstalled my XP operating system in order to get rid of those files i mentioned in my last thread. It went great--I now have over 18 gigs of free space. BUT--here is my problem. I first got back online and went directly to grisoft to redownload AVG. After it wasinstalled I was immediately hit whith NACHIB worm while trying to download Microsoft's security updates. I figured that AVG had fixed it, but right after going online the second time i got that RPC error with the shutdown that comes after. I finally got all updates from MS, but noticed 100CPU usage by WINAII.EXE. Sure enough TDS found this trojan. AVG did not by the way. My problem now is that TDS cannot kill WINAII>EXE or delete it. I can't seem to find much online about it. Any ideas how to kill this sucker? Thanks.

 

Heres a log of Hijack this---never figured it may be as easy as deleting them through Hijack? Logfile of HijackThis v1.97.7
Scan saved at 9:15:32 AM, on 3/24/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\TDS3\tds-3.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\winaii.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\rob\My Documents\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Video Proes] winaii.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\RunServices: [Video Proes] winaii.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38069.8501967593
O17 - HKLM\System\CCS\Services\Tcpip\..\{B6478C7D-E664-4A0F-9F9C-26ABC71831C4}: NameServer = 206.47.244.43 206.47.244.89

 

First off you'll need to kill this process
"C:\WINDOWS\System32\winaii.exe"
CTRL-ALT-DEL to bring your Task Manager up - Process Tab and kill it

Start - Settings - Control Panel - Adminstrative Tools - Services
In the list locate "winaii.exe" and stop the process from running further on.

Then the values below need to be removed
O4 - HKLM\..\Run: [Video Proes] winaii.exe
O4 - HKLM\..\RunServices: [Video Proes] winaii.exe

- Then RUN your TDS again and you should be able to KILL it (delete it ) with TDS. Then reboot.

 

Thanks--and will try it. What the heck is it and how did it hit me o fast?

 

very simple alot of the new virus just randomly probes port and if the port replys boom your infected has simple has that.

Also notice that you have NetAssistant... wich ISP ( Internet Service Provider ) are you with ?

 

Thanks Flux. the net assistant is my Sympatico IP software. I tried your remedy--went to services and could only find "VIDEOPROES" listed. I tried to stop the service and everything froze solid for over 10 minutes. There was 100 CPu usage. It also told me it could not stop the process just before that happened. I restarted in safe mode and disables it there. I haven't run TDS again yet. Strange I cannot find any infoabout either reference. i will let you know what happens after TDS.

 

OK--after disabling video proes in services while in safe mode. TDS does not detect any problems now. I assume I still have this trojan running in my machine or dormant? Either way how do I get rid of it? thanks again.

 

If you done the above the next thing I would do is find that file wiaii.exe and rename it to wiaii.ex_

( BTW you can get rid of the sympatico netassistant it's pretty much useless ) I work at sympatico ( well I should say use to work at sympatico until I switched over to HP )

 

Hi RIFLEMAN,

Can you do a Find Files for winaii.exe and mail the file to me please?

Then repeat the instructions posted by FluxGFX and post a new HijackThis log after rebooting.

Regards,

Pieter

 

Good Idea bro

 

Sure I cn send it--if I can find it--lol. How do I find your addy Peiter? I really would like to shake this thing clear of my machine. Like I said--I cannot stop the Videoproes service or pause it. It also refuses disabling unless in safe mode. Trying it in normal mode freezes the machine with CPU usage. If you can show me how to find it--doing search for files for "winaii.exe" and videoproes but nothing comes up so far. Thanks guys.

 

Maybe the file is hidden. Check here how to "unhide" those: http://www.tacktech.com/display.cfm?ttid=192

My address is in my profile. Click my name beside my post and you will see it.

Regards,

Pieter

 

Ok--found it and sent it. I zipped it to be safe. There is also a prefetch file--do you want that also? Can I delete the file and be rid of the thing ? I asked TDS to scan these files and they come up clean. Plase let me know what they are and what you find--I am curious about these things. I know just enough to get in trouble.

 

That was easy. It never reached me, but I got this:
winaii.exe was infected with the malicious virus W32.HLLW.Gaobot.gen and has been
deleted because the file cannot be cleaned.

Regards,

Pieter

 

how interesting

 

? Do you mean the Email I sent was cleaned in transit? I still have this file on m machine--just deactivated. I find it strnge TDS does not find it or trojan hunter--unless I let the service run. How can I mail it to you without everything being cleaned?

 

You won't need to the Trojan has been identified. What you can do is get a cleaner for it

removal tool wich can be found here
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.gaobot.removal.tool.html

 

I downloaded and ran the tool fromsymantec. It comes up not found also. I read about a few of these "gaobot" trojans and none seem to have the same name files as I still have. Why is nothing detecting this if it is still on my machine?

 

Well--I deleted the files and cleaned the recycle bin. I also went to the services and disabled the hardware profile it ran. I hope I am clean of it and can start with everything fresh. I also tried to send pieter a copy unzipped because if it was Gaobot.gen--it was acting differently than described at symantec. Their tool also never found it. Thanks for your time guys.

 

If nothing else at least you got your free space back. It is never fun to do an os reinstall but in some cases there aren't many options.