
[Resolved] Bvcer582649

Discussion in 'Virus & Other Malware Removal' started by lostoreador, Feb 18, 2003.

Thread Status:
Not open for further replies.
  1. lostoreador

    lostoreador Thread Starter

    Joined:
    Feb 18, 2003
    Messages:
    165
    The code in the subject line appears in the title bar of an error code that keeps popping up on my desktop. The message in the error is "HTTP component is busy". I have tried end-tasking multiple programs to figure out which one is the culprit, however no solution yet. Does anyone know a common or typical cause or solution to this annoyance?
     
  2. steamwiz

    steamwiz

    Joined:
    Oct 4, 2002
    Messages:
    2,773
  3. lostoreador

    lostoreador Thread Starter

    Joined:
    Feb 18, 2003
    Messages:
    165
    I have linked to the Panda and trojan links you have suggested. The Panda has determined there was a virus in my Windows folder but could not fix it. The trojan said I did not have any trojans. I'm trying to locate the file winmgm32 and see what I can do.

    Any more tips?
     
  4. steamwiz

    steamwiz

    Joined:
    Oct 4, 2002
    Messages:
    2,773
  5. The_Egg

    The_Egg

    Joined:
    Sep 16, 2002
    Messages:
    1,157
  6. lostoreador

    lostoreador Thread Starter

    Joined:
    Feb 18, 2003
    Messages:
    165
    Here you go. By the way, thanks for all the attention!


    StartupList report, 2/18/2003, 4:19:46 PM
    StartupList version: 1.51
    Started from : C:\WINDOWS\TEMP\STARTUPLIST.EXE
    Detected: Windows ME (Win9x 4.90.3000)
    Detected: Internet Explorer v5.50 (5.50.4134.0100)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\PRPCUI.EXE
    C:\PROGRAM FILES\ONE-TOUCH\CP32NBTN.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\WT\UPDATER\WCMDMGR.EXE
    C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE
    C:\PROGRAM FILES\ONE-TOUCH\CDROMMNT.EXE
    C:\PROGRAM FILES\ONE-TOUCH\KBOSDCTL.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\ONE-TOUCH\CP32NKCC.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\EXCEL.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\WINWORD.EXE
    C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
    C:\WINDOWS\TEMP\STARTUPLIST.EXE

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
    TaskMonitor = C:\WINDOWS\taskmon.exe
    PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    SystemTray = SysTray.Exe
    PRPCMonitor = PRPCUI.exe
    CP32NOT = C:\PROGRA~1\ONE-TO~1\CP32NBTN.EXE
    Vshwin32EXE = C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\VSHWIN32.EXE
    wcmdmgr = C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
    QuickTime Task = C:\WINDOWS\SYSTEM\QTTASK.EXE
    WT GameChannel = C:\Program Files\WildTangent\Apps\GameChannel.exe
    WindowsMGM = C:\WINDOWS\WINMGM32.EXE
    MPtask Services = C:\WINDOWS\SYSTEM\mptask.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
    *StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Weather = C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
    WindowsMGM = C:\WINDOWS\WINMGM32.EXE

    --------------------------------------------------

    C:\WINDOWS\WININIT.INI listing:
    (Created 18/2/2003, 10:52:58)

    [rename]
    NUL=C:\WINDOWS\IS-177OK.EXE

    --------------------------------------------------

    C:\WINDOWS\WININIT.BAK listing:
    (Created 18/2/2003, 10:52:10)

    [Rename]
    NUL=C:\WINDOWS\WINMGM32.EXE

    --------------------------------------------------

    C:\AUTOEXEC.BAT listing:

    SET windir=C:\WINDOWS
    SET winbootdir=C:\WINDOWS
    SET COMSPEC=C:\WINDOWS\COMMAND.COM
    SET PATH=C:\INET2000;C:\WINDOWS;C:\WINDOWS\COMMAND
    SET PROMPT=$p$g
    SET TEMP=C:\WINDOWS\TEMP
    SET TMP=C:\WINDOWS\TEMP

    --------------------------------------------------

    C:\WINDOWS\WINSTART.BAT listing:

    C:\WINDOWS\tmpcpyis.bat

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\ACROBAT\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    Tune-up Application Start.job
    PCHealth Scheduler for Data Collection.job
    Maintenance-Defragment programs.job
    Maintenance-ScanDisk.job
    Maintenance-Disk cleanup.job

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [QuickTime Object]
    InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
    CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

    [{41F17733-B041-4099-A042-B518BB6A408C}]
    CODEBASE = http://a1540.g.akamai.net/7/1540/52...apple.com/qt505/us/win/QuickTimeInstaller.exe

    [{9DBAFCCF-592F-FFFF-FFFF-00608CEC297C}]
    CODEBASE = http://download.weatherbug.com/minibug/tricklers/AWS/minibuginstaller.cab?

    [ActiveScan Installer Class]
    InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\ASINST.DLL
    CODEBASE = http://www.pandasoftware.com/activescan/as/asinst.cab

    --------------------------------------------------
    End of report, 5,257 bytes
    Report generated in 0.535 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  7. The_Egg

    The_Egg

    Joined:
    Sep 16, 2002
    Messages:
    1,157
    Yes, the Winmgm32 (sobig) worm is there


    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    WindowsMGM = C:\WINDOWS\WINMGM32.EXE


    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    WindowsMGM = C:\WINDOWS\WINMGM32.EXE


    Removal instructions are actually on the McAfee page that steamwiz linked to:
    http://vil.mcafee.com/dispVirus.asp?virus_k=99950

    Removal Instructions

    All Users:
    Use current engine and DAT files for detection. Delete any file which contains this detection.

    Basically, you need to disable System Restore first.
    Additional Windows ME/XP removal considerations


    If for some weird reason McAfee doesn't detect and remove it, then you should start by unchecking both entries for "WindowsMGM = C:\WINDOWS\WINMGM32.EXE" in:
    start -> run -> msconfig -> startup tab

    Or delete those two keys directly from the registry.

    Also make sure there's no shortcut to it in here:
    C:\WINDOWS\ALL USERS\START MENU\PROGRAMS\STARTUP

    After rebooting you will then be able to delete
    C:\WINDOWS\WINMGM32.EXE
    because it will no longer be in use and running.

    If found, the following files should also be deleted:
    C:\WINDOWS\SNTMLS.DAT
    C:\WINDOWS\DWN.DAT



    After getting rid of the virus, I recommend that you download and run Spybot Search & Destroy, because there's one or two suspect entries in your startuplist (mainly: weatherbug, and possibly: wild tangent updater)

    Read the instructions here first (re: updating & general usage)
    http://forums.techguy.org/t118562/s.html
    http://tomcoyote.org/SPYBOT/
     
  8. lostoreador

    lostoreador Thread Starter

    Joined:
    Feb 18, 2003
    Messages:
    165
    Alright,
    I'm going in

    If it works

    thanks a lot

    If not

    Thanks anyway

    I'll let ya know
     
  9. lostoreador

    lostoreador Thread Starter

    Joined:
    Feb 18, 2003
    Messages:
    165
    WINMGM32.LGC
    This is the only instance of WINMGM32 in my windows file.
    It is in windows / applog.

    I could not find .exe

    Should I erase .LGC?

    I have completed all other suggestions.

    Thanks
     
  10. The_Egg

    The_Egg

    Joined:
    Sep 16, 2002
    Messages:
    1,157
    Yes, you can delete WINMGM32.LGC if you want, though it might be interesting to open this file in Notepad (rt click -> send to -> notepad) as it could shed further light on what WINMGM32.EXE was doing before your virus scanner deleted it.

    The Windows\Applog folder is where Task Manager stores information about all programs you open, mainly basic usage and file/memory access info. These logs are then used by Windows Defragmenter to determine which files/programs are used most frequently, in order to optimize and speed up the defrag process.

    More info:
    http://www.pcmag.com/article2/0,4149,13357,00.asp


    So, it looks like you've got rid of the nasty little worm then, yes?
    Congratulations! :)


    btw, I take it that this means the pop-up box no longer appears?
     
  11. lostoreador

    lostoreador Thread Starter

    Joined:
    Feb 18, 2003
    Messages:
    165
    OK,
    Problem solved. Thank you very much.
    By the way, don't open an email sent by [email protected]. Apparently this was the culprit.

    Adios
     
  12. lostoreador

    lostoreador Thread Starter

    Joined:
    Feb 18, 2003
    Messages:
    165
    Well,
    maybe I shouldn't have spoken so soon

    popup still appears.
    but now it reads
    Application Error
    EAccess Violation in module MPTASK.EXE Address 01272034

    Once I close the application error popup
    the problem goes away
     
  13. lostoreador

    lostoreador Thread Starter

    Joined:
    Feb 18, 2003
    Messages:
    165
    OK,
    Resolved problem
    Apparently I was hit by two viruses.
    Sobig
    and a variant
    Sobig created autorun key and exe called WINMGM32
    variant created autorun key and exe called MPTASK
    after deleting both keys and exes
    problem resolved.
    got both from email from [email protected]
    Thanks so much
    for help.
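Added example, not part of this thread and not code from McAfee or StartupList: a small Python script that reads a StartupList-style report like the one posted above, extracts the Run-key autoruns, flags the two executable names identified in this thread (WINMGM32.EXE from The_Egg's post and MPTASK.EXE from the final post) plus any entry registered identically under both HKLM and HKCU Run, as the worm entry was in the posted listing, and lists files queued for deletion through a WININIT [rename] section (a NUL= target means "delete at next boot", which is how the posted WININIT.BAK shows WINMGM32.EXE being removed). The embedded report is constructed from the listing above; the watchlist and the both-hives heuristic are my assumptions for the example, not anything the thread or McAfee states.

```python
import re

# Executable names called out in this thread (assumption: treat them as a watchlist).
WATCHLIST = {"WINMGM32.EXE", "MPTASK.EXE"}

# Constructed sample, modelled on the StartupList report posted in the thread.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
WindowsMGM = C:\WINDOWS\WINMGM32.EXE
MPtask Services = C:\WINDOWS\SYSTEM\mptask.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Weather = C:\PROGRAM FILES\AWS\WEATHERBUG\WEATHER.EXE 1
WindowsMGM = C:\WINDOWS\WINMGM32.EXE

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 18/2/2003, 10:52:10)

[Rename]
NUL=C:\WINDOWS\WINMGM32.EXE
"""


def _sections(report):
    """Split a StartupList-style report on its dashed separator lines."""
    parts = re.split(r"^-{10,}\s*$", report, flags=re.MULTILINE)
    return [p.strip() for p in parts if p.strip()]


def parse_autoruns(report):
    """Return {registry_key: {entry_name: command}} for each 'Autorun entries' section."""
    autoruns = {}
    for section in _sections(report):
        lines = [ln.strip() for ln in section.splitlines() if ln.strip()]
        if len(lines) < 2 or not lines[0].startswith("Autorun entries from Registry:"):
            continue
        key = lines[1]                      # e.g. HKLM\Software\...\Run
        entries = {}
        for line in lines[2:]:
            name, sep, command = line.partition(" = ")
            if sep:
                entries[name.strip()] = command.strip()
        autoruns[key] = entries
    return autoruns


def parse_pending_deletes(report):
    """Paths queued for deletion at next boot: NUL=<path> lines in a [rename] section."""
    pending = []
    for section in _sections(report):
        in_rename = False
        for line in section.splitlines():
            line = line.strip()
            if line.lower() == "[rename]":
                in_rename = True
            elif line.startswith("["):
                in_rename = False
            elif in_rename and line.upper().startswith("NUL="):
                pending.append(line[4:].strip())
    return pending


def exe_name(command):
    """Upper-cased file name of the .exe in a Run-key command, or None."""
    m = re.search(r"([^\\/\s]+\.exe)\b", command, re.IGNORECASE)
    return m.group(1).upper() if m else None


def find_suspicious(report, watchlist=WATCHLIST):
    """Flag watchlisted executables and entries duplicated across HKLM and HKCU Run."""
    seen = {}  # (entry name, command) -> set of hives whose ...\Run key holds it
    for key, entries in parse_autoruns(report).items():
        if not key.upper().endswith("\\RUN"):
            continue                        # ignore RunServices etc. for the hive check
        hive = key.split("\\", 1)[0]
        for name, command in entries.items():
            seen.setdefault((name, command), set()).add(hive)
    findings = []
    for (name, command), hives in seen.items():
        reasons = []
        if exe_name(command) in watchlist:
            reasons.append("executable on watchlist")
        if {"HKLM", "HKCU"} <= hives:
            reasons.append("identical entry under both HKLM and HKCU Run")
        if reasons:
            findings.append({"name": name, "command": command,
                             "hives": sorted(hives), "reasons": reasons})
    return sorted(findings, key=lambda f: f["name"])


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_REPORT):
        print(f"{f['name']!r} -> {f['command']} [{', '.join(f['hives'])}]: {'; '.join(f['reasons'])}")
    print("Queued for deletion at reboot:", parse_pending_deletes(SAMPLE_REPORT))
```

Run it against a saved StartupList report by reading the file into the `report` argument instead of the constructed sample; the both-hives check is only a heuristic and a hit on it alone is a prompt to look at the entry, not proof of infection.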
     
  14. steamwiz

    steamwiz

    Joined:
    Oct 4, 2002
    Messages:
    2,773
  15. The_Egg

    The_Egg

    Joined:
    Sep 16, 2002
    Messages:
    1,157
Short URL to this thread: https://techguy.org/119505

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice