Tech Support Guy forum

wini10801.exe dreaded "Your Computer is Infected" Help!!!

4K views · 0 replies · 1 participant · last post by shadowzreloaded
Yesterday, I was browsing casually; I can't remember which site I was on. Anyway, a window came up, a genuine firewall window: "Firewall is Blocking Certain Aspects of Svchost.exe. Keep Blocking?" As I thought svchost must have been corrupted or something, I clicked on Keep Blocking.

Immediately, my computer just restarted, and when I turned my computer on, I got a dodgy message about "Your Computer is Infected! You Spyware!" or something along those lines. There was a red X which was somewhat different from my usual icon, as I have a Vista icon pack mod (I'm sure this is not the cause). The red X would usually be shiny, but this time it wasn't. I read the message and there were many grammar and spelling mistakes, such as "pervent" instead of "prevent", etc. Also, my Internet Explorer homepage, not my Firefox homepage, had been changed to Google from something else.

I was offline and I was sure nothing could happen, so I clicked it and the download window came up, but the fake antispyware couldn't download. I traced the process using Task Manager and came up with the result "wini10801.exe". I then did a search for it, after ending its process tree, and found it in the system32 dir, where I scanned it and moved it to the AVG Virus Vault. I have worked out some of the anatomy of the virus: "brastk.exe" is loaded at startup, causing the message to appear, and "wini10801.exe" is the downloader and installer. The rest of the corrupted files are for the internet browser corruption.

A side effect of this is that some websites like windowsupdate and avgupdate are denied. I've checked my firewall and all its exceptions, and I've checked Internet Explorer's and Firefox's blocked lists, but I cannot find a way to unblock these. Also, I get directed to random sites advertising fake antispyware and other dodgy sites (I am accessing this via safe mode with networking).

Through safe mode, I did an online scan, which found many threats such as "brastk.exe", "av.bat" and "wini10801.exe". All of these threats I cleaned and moved to the Virus Vault, and I have managed to get rid of the messages and all processes (I got rid of the X by going into msconfig startup and removing "brastk" from the list). All the visual aspects of my problem are removed by me, including the registry keys, but I am still experiencing problems with my internet connection and being redirected to sites, which work perfectly in safe mode.

Due to this, I believe that the virus/fake antispyware trojan is still lingering somewhere in my computer, or the after-effects of it. I have racked my brains, and I cannot think of anything to do, so I await your help. I have downloaded HijackThis, but I am unsure how to post a log, as I am new to help forums (usually I fix the malware myself, but this remnant is very stubborn and resistant).

Awaiting your Help,

~SHADOWZ

|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
||||||||||||||| || || || || ||| || | ||||||||||||||||||||||||
||||||||||||||| || ||| ||| ^ || ||||| |||||||||||||||||||||||||
||||||||||||||| || || || ||| || ||| || | ||||||||||||||||||||||||
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||

--------------HIJACK-LOG-BELOW --------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:38:15, on 25/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Luizinha\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.yahoo.co.uk/
R3 - URLSearchHook: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! 工具列 - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Luizinha\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Program Files\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.club-vaio.sony-europe.com
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4EFA317A-8569-4788-B175-5BAF9731A549} (Microsoft Virtual Server VMRC Advanced Control) - http://www.windowsvistatestdrive.com/ActiveX/VMRCActiveXClient1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196111463330
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1202660852000
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Windows Defender (WinDefend) - Unknown owner - C:\Program Files\Windows Defender\MsMpEng.exe (file missing)
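Added example, not part of the original post or of HijackThis itself: a small Python triage script for the HijackThis log format shown above. The poster says the visible pieces (brastk.exe, wini10801.exe) are gone yet the redirects persist, and the log still carries the two persistence entries a responder would look at first: the HKCU Run value named SVCHOST.EXE pointing at C:\WINDOWS\system32\drivers\svchost.exe (the real svchost.exe lives in system32 and is started by the Service Control Manager, never from a Run key) and the non-empty AppInit_DLLs value karna.dat (loaded into every process that links user32.dll, and empty on a clean XP install). The script parses O4 Run and O20 AppInit_DLLs lines with regexes written for this purpose, flags those two patterns, and notes Run entries that name a bare file with no path. The sample input is a handful of lines excerpted verbatim from the log above; the regexes, the Finding class and the rule wording are this example's own assumptions, not part of HijackThis.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: lines excerpted verbatim from the HijackThis log
# posted above (raw string, so the backslashes are literal).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""


@dataclass
class Finding:
    severity: str  # "high" or "info"
    line: str      # the HijackThis line that triggered the rule
    reason: str


# "O4 - HKCU\..\Run: [Name] command line" (Global Startup lines deliberately do not match).
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
# Leading executable of a command line, quoted or not, up to the first ".exe".
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)


def executable_of(cmd: str) -> Optional[str]:
    """Return the program a Run-key command line launches, or None if no .exe is named."""
    m = EXE_RE.match(cmd)
    return m.group("path") if m else None


def triage(log_text: str) -> list:
    """Walk a HijackThis log and return Findings for the persistence tricks seen in the post."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        run = RUN_RE.match(line)
        if run:
            exe = executable_of(run.group("cmd"))
            if exe is None:
                continue
            basename = exe.rsplit("\\", 1)[-1].lower()
            if basename == "svchost.exe":
                # The real svchost.exe is started by the Service Control Manager from
                # %SystemRoot%\system32; a Run-key entry launching one from elsewhere
                # (here: system32\drivers) is an imposter borrowing the name.
                findings.append(Finding("high", line,
                    "svchost.exe is never started from a Run key; this copy is an imposter"))
            elif "\\" not in exe:
                # Bare file names are resolved through the PATH search order at logon,
                # so the log alone does not tell you which file actually runs.
                findings.append(Finding("info", line,
                    "bare file name resolved via PATH search; confirm the file that runs"))
            continue

        appinit = APPINIT_RE.match(line)
        if appinit and appinit.group("dlls").strip():
            # AppInit_DLLs is loaded into every process that links user32.dll.
            # On a clean XP install the value is empty, so any entry (karna.dat here)
            # is worth pulling apart before the rest of the cleanup.
            findings.append(Finding("high", line,
                f"AppInit_DLLs injects {appinit.group('dlls').strip()} into every GUI process"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.line}\n        {f.reason}")
```

Run against the sample it reports the nwiz entry as informational and the SVCHOST.EXE Run value and karna.dat AppInit_DLLs entry as high. The script is a first-pass filter only: a real log (like the full one above) needs the Global Startup, O16 DPF and O23 service lines read by hand as well.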
 