Thread: wintest.exe\startup PROBLEM HELP!!!!

  1. #1
    Join Date
    Apr 2007
    Posts
    16

    AVG Anti-Spyware Scan Log:

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 7:29:10 PM 4/19/2007

    + Scan result:



    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OHMFOLMF\Setup104[1].exe -> Adware.Cdnup : No action taken.
    C:\WINDOWS\temp\03882731.exe -> Adware.Cdnup : No action taken.
    C:\WINDOWS\temp\Setup104.exe -> Adware.Cdnup : No action taken.
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OHMFOLMF\dodolook017[1].exe -> Adware.Cinmus : No action taken.
    C:\WINDOWS\temp\dodolook017.exe -> Adware.Cinmus : No action taken.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : No action taken.
    C:\Program Files\NewDotNet -> Adware.NewDotNet : No action taken.
    C:\Program Files\Common Files\{C8137B09-06FC-1033-0907-030309050001}\Update.exe -> Adware.Softomate : No action taken.
    C:\Program Files\Common Files\{C8137B09-06FC-1033-0907-030309050001}\system.dll -> Adware.Softomate : No action taken.
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G52JK96B\tdsetup[1].exe -> Adware.Zhongsou : No action taken.
    C:\WINDOWS\temp\tdsetup.exe -> Adware.Zhongsou : No action taken.
    C:\WINDOWS\system32\msprivsd.dll -> Downloader.Small.cgu : No action taken.
    C:\Documents and Settings\LocalService\Cookies\balbinka@fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.


    ::Report end

    A total of 9 infections were found with AVG.


    HJT Scan log:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:36:04 PM, on 4/19/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\wintest.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\PROGRA~1\Magentic\bin\MgApp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\SPYWAR~1\swdoctor.exe
    C:\Documents and Settings\Balbinka\My Documents\hijackthis\hjtscan.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - blank (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Removecpl] removecpl.exe
    O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Microsoft Update] wintest.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunServices: [Microsoft Update] wintest.exe
    O4 - HKCU\..\Run: [Magentic] C:\PROGRA~1\Magentic\bin\Magentic.exe /c
    O4 - HKCU\..\Run: [Microsoft Update] wintest.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7713265B-8769-42A1-AAD9-81035DFED2A3}: NameServer = 207.69.188.187 207.69.188.186
    O20 - AppInit_DLLs:
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe


    It looks like wintest.exe was not removed; maybe this is needed for some type of program installed on my system?

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    If BigFix doesn't download any patches then why have it on the computer?

    You have disabled some Start Up items using msconfig. Please go back in and re-enable those items. We must see what is on the machine.

    Go to Add/Remove and look for the program
    Magentic
    Uninstall it.

    I believe wintest is an indicator of a LOP infection.
    LOP Violates Physical Memory Protection allowing it to take control of your PC. Opens and scans your email address book. Has a keylogger that can spy on and log keystrokes without your knowledge or permission. Changes file type execution and program maps. Creates multiple copies of the Adware infection on your PC. Creates registry run keys to ensure it is restarted every time you boot your PC. Installs other malicious programs. Examines which processes are running on your PC allowing it to explore vulnerabilities in Windows and your antivirus and anti-spyware products. Modifies the Hosts file which could stop your antivirus or anti-spyware protection or put your personal information at risk. Connects with 3rd party computer systems and forwards data via the internet. Hijacks other processes.
    Download Findlop by Metallica. Unzip it to your desktop. Double click findlop.bat. It will open a notepad file. Copy the content of that file and paste it here in your reply.

    Update your Anti-virus program.

    Download ATF-Cleaner.exe by Atribune (Windows XP & 2K ONLY). You can put this on your Desktop for easier access. This program removes temp files and cookies better than the built-in Disk Cleanup. This way we know that all cookies are gone before running programs like the AVG Anti-spy and that it will then just have to work on removing adware and trojans, which you do have on the machine.

    AVG Anti-Spyware was run incorrectly. Please check the program for updates, which can then be added daily.
    Check the program to be absolutely certain it is set up this way:
    Right-click the AVG Anti-Spy icon in your system tray and do the following:

    -- Uncheck Resident Shield
    -- Uncheck Automatic Updates
    -- Uncheck Start with Windows

    Now follow these instructions EXACTLY.

    Disconnect Completely from the Internet and Close ALL Browser Windows! Now, Please Boot to Safe Mode.

    RUN ATF-Cleaner.exe.
    -- Click on ATF-Cleaner to run it
    -- Where it says Select Files To Delete, Check the Select All Option
    -- Click Empty Selected > OK > EXIT

    Next:
    Do a FULL SYSTEM SCAN with your Anti-virus program and allow it to FIX anything it finds.

    Please Launch AVG Anti-Spyware.
    -- Click on the Scanner button and choose the Settings Tab.
    ---> Under How to act?, click on Recommended action and choose Quarantine to set default action for detected malware.
    ---> Under Reports make sure Automatically generate report after every scan is selected and UNCHECK the Only if threats were found box.
    -- Leave everything else at their default settings and Select the Scan tab and CLICK Complete System Scan to scan your machine.
    -- Upon completion of the scan, Click Apply all actions to place any detected baddies in Quarantine.
    -- AFTER clicking Apply all actions, Click on Save Report and select Save the report to your Desktop

    Open Microsoft® Windows Defender and Click the downward pointing arrow next to SCAN and Select Full Scan. Allow it to run and fix what it finds.

    Reboot to Normal Mode. Run a NEW HiJackThis scan and save the log.
    Reconnect to the internet and come back here and post the following:
    HJT LOG, AVG log and the Findlop log.
    Judy
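As an added illustration, not code from this thread, from HijackThis or from any tool named above: a small Python script that parses O4 autostart lines of the shape shown in the log and flags two of the patterns Judy points at, the same executable registered under several Run keys and a display name borrowed from Microsoft paired with an unqualified file name. The sample lines are constructed to mirror the posted log; the heuristics and the VENDOR_WORDS list are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines, in the shape HijackThis v1.99.1 uses for O4 (autostart) entries.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Microsoft Update] wintest.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wintest.exe
O4 - HKCU\..\Run: [Magentic] C:\PROGRA~1\Magentic\bin\Magentic.exe /c
O4 - HKCU\..\Run: [Microsoft Update] wintest.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
""".strip().splitlines()

# Registry-backed O4 lines: "O4 - <hive\..\key>: [<display name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Assumed list of words an adware author borrows so the entry looks like an OS component.
VENDOR_WORDS = ("microsoft", "windows", "update")

def parse_o4(lines):
    """Yield (location, display name, command path, lower-case exe name) per registry O4 line."""
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue  # Global Startup .lnk lines have a different shape and are not handled here
        path = re.split(r"\s+/", m.group("cmd"))[0]   # drop switches such as "/STARTUP"
        exe = path.rsplit("\\", 1)[-1].lower()
        yield m.group("loc"), m.group("name"), path, exe

def find_redundant_autostarts(lines, min_locations=2):
    """Executables registered under several autostart keys: the redundancy pattern
    adware uses so that removing any single Run entry does not stop it restarting."""
    locs = defaultdict(set)
    for loc, _name, _path, exe in parse_o4(lines):
        locs[exe].add(loc)
    return {exe: sorted(l) for exe, l in locs.items() if len(l) >= min_locations}

def find_masquerading_names(lines):
    """Entries whose display name borrows vendor words while the command is a bare
    file name resolved through the search path instead of an explicit vendor path."""
    hits = []
    for loc, name, path, exe in parse_o4(lines):
        if "\\" not in path and any(w in name.lower() for w in VENDOR_WORDS):
            hits.append((loc, name, exe))
    return hits

if __name__ == "__main__":
    print(find_redundant_autostarts(SAMPLE_O4_LINES))
    for hit in find_masquerading_names(SAMPLE_O4_LINES):
        print("suspicious autostart:", hit)
```

Run against a real HijackThis log by passing its lines instead of SAMPLE_O4_LINES; the two reports are starting points for a reviewer, not a verdict on any file.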


  3. #3
    Join Date
    Apr 2007
    Posts
    16

    Quote Originally Posted by jholland1964
    If BigFix doesn't download any patches then why have it on the computer?

    You have disabled some Start Up items using msconfig. Please go back in and re-enable those items. We must see what is on the machine.

    Go to Add/Remove and look for the program
    Magentic
    Uninstall it.

    I believe wintest is an indicator of a LOP infection.
    Download Findlop by Metallica. Unzip it to your desktop. Double click findlop.bat. It will open a notepad file. Copy the content of that file and paste it here in your reply.

    Update your Anti-virus program.

    Download ATF-Cleaner.exe by Atribune (Windows XP & 2K ONLY). You can put this on your Desktop for easier access. This program removes temp files and cookies better than the built-in Disk Cleanup. This way we know that all cookies are gone before running programs like the AVG Anti-spy and that it will then just have to work on removing adware and trojans, which you do have on the machine.

    AVG Anti-Spyware was run incorrectly. Please check the program for updates, which can then be added daily.
    Check the program to be absolutely certain it is set up this way:
    Right-click the AVG Anti-Spy icon in your system tray and do the following:

    -- Uncheck Resident Shield
    -- Uncheck Automatic Updates
    -- Uncheck Start with Windows

    Now follow these instructions EXACTLY.

    Disconnect Completely from the Internet and Close ALL Browser Windows! Now, Please Boot to Safe Mode.

    RUN ATF-Cleaner.exe.
    -- Click on ATF-Cleaner to run it
    -- Where it says Select Files To Delete, Check the Select All Option
    -- Click Empty Selected > OK > EXIT

    Next:
    Do a FULL SYSTEM SCAN with your Anti-virus program and allow it to FIX anything it finds.

    Please Launch AVG Anti-Spyware.
    -- Click on the Scanner button and choose the Settings Tab.
    ---> Under How to act?, click on Recommended action and choose Quarantine to set default action for detected malware.
    ---> Under Reports make sure Automatically generate report after every scan is selected and UNCHECK the Only if threats were found box.
    -- Leave everything else at their default settings and Select the Scan tab and CLICK Complete System Scan to scan your machine.
    -- Upon completion of the scan, Click Apply all actions to place any detected baddies in Quarantine.
    -- AFTER clicking Apply all actions, Click on Save Report and select Save the report to your Desktop

    Open Microsoft® Windows Defender and Click the downward pointing arrow next to SCAN and Select Full Scan. Allow it to run and fix what it finds.

    Reboot to Normal Mode. Run a NEW HiJackThis scan and save the log.
    Reconnect to the internet and come back here and post the following:
    HJT LOG, AVG log and the Findlop log.
    Judy

    I did not disable ANYTHING using msconfig; I only went to the boot tab and selected "Safe Boot". What startup items are you talking about?

    You know, that's EXACTLY what I was thinking... that Magentic is what installed the wintest.exe.

    I DID run AVG just like that; I disabled Resident Shield, Auto updates, and Winstartup. And my AVG virus protection is updated daily using Auto update.

    After AVG Anti-Spy found 9 infections, they were Quarantined, then I went in there and deleted them.


    Looks like I have to do it all over again, but I'm 100% sure I did everything right. I will also run ATF-Cleaner as I did NOT do that last time.
