Thread: wintest.exe\startup PROBLEM HELP!!!!

  1. #1
    Join Date
    Apr 2007
    Posts
    16

    wintest.exe\startup PROBLEM HELP!!!!

    My brother said he downloaded a file named:

    Steinberg.Sequel.v1.2.0-PARADOX.rar

    From emule, extracted the setup.exe and when he ran the setup, the computer paused and the setup.exe disappeared. He said before he ran the exe he made a restore point with System Restore, but unfortunately system restore was unable to roll back any changes made.

    So I downloaded HiJackThis, ran it, saved a log and noticed something strange in the startup:

    wintest.exe

    But when I ran a search for the file, windows was unable to find it, so then I checked where it is located and HiJackThis tells me it's in:

    C:\WINDOWS\System32\wintest.exe
    O4 - HKLM\..\Run: [Microsoft Update] wintest.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wintest.exe
    O4 - HKLM\..\Run: [Microsoft Update] wintest.exe

    This file was not there when I checked manually even showing hidden files and folders.

    So I am asking: is this a normal system file? I thought I'd ask before deleting it with HiJackThis. I don't remember seeing this file in Task Manager at startup, and I think this may be what the setup.exe installed...as it did disappear after running it. AVGFREE does not say anything about a virus, spyware doctor does not say anything about spyware, so then what is this???
    It runs not one but two instances of the file on startup, and to me it smellz like a bug, but I want to be sure before I delete it as I don't want to mess windows up to the point where it won't boot up.

    This file does not do anything that I'm aware of, it just simply runs at startup and takes up a little memory usage.

    Any help is appreciated, and thanks for your time...

    There is also another file named carpserve.exe which I suspect is part of this???? Can anyone verify these files to be needed by windows?

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    This could be the sign of an infection but until we see the full log we cannot advise. Peer-to-peer file sharing is often dangerous business.
    carpserve.exe is a file generally associated with the modem and found on many computers with a specific brand of modem.

  3. #3
    Join Date
    Apr 2007
    Posts
    16

    Thanks for your reply...Here's the full log:


    Logfile of HijackThis v1.99.1
    Scan saved at 8:43:30 AM, on 4/16/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\wintest.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\PROGRA~1\Magentic\bin\MgApp.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\SPYWAR~1\swdoctor.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Balbinka\My Documents\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - blank (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Removecpl] removecpl.exe
    O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Microsoft Update] wintest.exe
    O4 - HKLM\..\RunServices: [Microsoft Update] wintest.exe
    O4 - HKCU\..\Run: [Magentic] C:\PROGRA~1\Magentic\bin\Magentic.exe /c
    O4 - HKCU\..\Run: [Microsoft Update] wintest.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O20 - AppInit_DLLs:
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
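
Added example, not part of any post in this thread: a small Python triage pass over the registry-based O4 lines of a HijackThis log, grouping entries by value name and command and noting the two traits visible in the log above (the same entry registered in several autostart keys, and a command given without a full path). The function names and the sample text are constructed for illustration; a note is a prompt for further checking, not a verdict, as the single note on carpserv.exe shows.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
C:\WINDOWS\System32\wintest.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Update] wintest.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wintest.exe
O4 - HKCU\..\Run: [Magentic] C:\PROGRA~1\Magentic\bin\Magentic.exe /c
O4 - HKCU\..\Run: [Microsoft Update] wintest.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
"""

# Matches "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_REG = re.compile(r"^O4 - (HK[A-Z]+\\\.\.\\\w+): \[(.+?)\] (.+)$")

def parse_o4(log_text):
    """Return (key, value_name, command) for each registry-based O4 line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_REG.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries

def review_autoruns(log_text):
    """Group O4 entries by (value name, command) and attach review notes."""
    groups = defaultdict(list)
    for key, name, cmd in parse_o4(log_text):
        groups[(name, cmd)].append(key)
    findings = {}
    for (name, cmd), keys in groups.items():
        notes = []
        if len(keys) > 1:
            notes.append("same entry registered in %d autostart keys" % len(keys))
        if "\\" not in cmd:
            notes.append("command has no full path")
        if notes:
            findings[(name, cmd)] = {"keys": keys, "notes": notes}
    return findings

if __name__ == "__main__":
    for (name, cmd), info in review_autoruns(SAMPLE_LOG).items():
        print(name, "->", cmd, info["keys"], info["notes"])
```
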

  4. #4
    Join Date
    Aug 2006
    Posts
    578

    You should run the steps in the linky below and get a Kaspersky Online Scanlog and AVG Anti-Spy log and submit them for Judy.


    Also, I would suggest renaming hijackthis.exe as directed in the linky. You would be well-served to do a rootkit scan as well. Try GMER or F-Secure's Blacklight and submit that too.....

    Best Luck
    PP

  5. #5
    Join Date
    Apr 2007
    Posts
    16
    Thanks but right now I got waaaaay too many things to do to be installing new software, I think the HiJackThis log should be enough for now, I'm trying to fix a dead pixel on a brand new monitor I bought yesterday, which is harder than I thought.

  6. #6
    Join Date
    Aug 2006
    Posts
    578

    Originally posted by Ja-c-to-the-K:
    I think the HiJackThis log should be enough for now,
    It's not.
    Very rarely is a HJT log sufficient these days. Too much hides from HijackThis . . . . Your particular entry makes me suspicious that there might be a rootkit driver on your compy - I could be wrong, but it never hurts to check.

    But, hey - it's your decision. Be sure to let Judy know if we can be of assistance.

    PP

  7. #7
    Join Date
    Jan 2007
    Location
    Edmonton,Alberta,Canada
    Posts
    78
    Another thing I might add, is that when you find the time to do what has been suggested and post the results here. After the pros have taken a look and come up with a game plan and after your system is deemed clean, that you should look at updating your XP to SP2, since this will add patches that may protect you further. Please wait to do this until you have gotten the all clean from the people here, since you don't want any problems following you and messing up the installation of the new files.

  8. #8
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Originally posted by Ja-c-to-the-K:
    Thanks but right now I got waaaaay too many things to do to be installing new software, I think the HiJackThis log should be enough for now, I'm trying to fix a dead pixel on a brand new monitor I bought yesterday, which is harder than I thought.
    Well then I guess you need no help because of course the HiJack log is enough for you to find the fix yourself, that is why you posted here in the first place.

    If you have the time, when you remove this infection, since the HiJack log is enough to decide how to remove...safe or normal mode...manual deletion or special tool or tools... could you post back and let us know the actual name of the unknown so that if others post with the same problem we can tell them that a HiJack log should be enough.

    By the way, if it were MY newly purchased monitor with a dead pixel I would certainly have the common sense to just return it and get another but I imagine you are way too busy for that too.

  9. #9
    Join Date
    Apr 2007
    Posts
    16

    Thanks a lot for your replies guys, I really appreciate it...

    I will delete wintest.exe with HiJack later tonight and I will post my results.
    (crossing my fingers that windows will boot)

    As for the dead pixel, I can't return or exchange the monitor due to the fact that CompUSA is closing all branches in my state and all sales are final. My only hope is working out something with the manufacturer, as I do have a 1 year warranty. I tried many programs that claim to fix dead, stuck pixels with no luck. But I won't give up until this is fixed or I can exchange for a new one.

    Again thanks a lot guys!!!

  10. #10
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    No, no, NO don't just delete wintest.exe!!!! We have no idea what it actually is! A wrong fix can really complicate matters. HiJackThis is truly not a "fixer" program, it is a scanner program. Yes, some fixes can be made with HiJackThis but many, many cannot! It is first of all a program to show us IF there is something there...once we see there is then we must find out exactly what it is we are dealing with...the OTHER things you have been advised to do should hopefully give us a clue as to what exactly is on the computer and HOW to remove it. Just deleting a problem will not make it go away.
    This could very well be a serious infection, requiring special tools to remove.
