
Thread: wintest.exe\startup PROBLEM HELP!!!!

  1. #21
    Join Date: Apr 2007 | Posts: 16


    OK

    I just installed AVG Anti-Spyware 7.5 (updated it also)
    And Microsoft Windows Defender (updated also)

    Enabled the viewing of hidden files

    And will now boot into safe mode, and scan my system.

    I will post both logs here, including the HJT log after I boot normally.

  2. #22
    Join Date: Apr 2007 | Posts: 16


    AVG Anti-Spyware Scan Log:

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 7:29:10 PM 4/19/2007

    + Scan result:



    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OHMFOLMF\Setup104[1].exe -> Adware.Cdnup : No action taken.
    C:\WINDOWS\temp\03882731.exe -> Adware.Cdnup : No action taken.
    C:\WINDOWS\temp\Setup104.exe -> Adware.Cdnup : No action taken.
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OHMFOLMF\dodolook017[1].exe -> Adware.Cinmus : No action taken.
    C:\WINDOWS\temp\dodolook017.exe -> Adware.Cinmus : No action taken.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : No action taken.
    C:\Program Files\NewDotNet -> Adware.NewDotNet : No action taken.
    C:\Program Files\Common Files\{C8137B09-06FC-1033-0907-030309050001}\Update.exe -> Adware.Softomate : No action taken.
    C:\Program Files\Common Files\{C8137B09-06FC-1033-0907-030309050001}\system.dll -> Adware.Softomate : No action taken.
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G52JK96B\tdsetup[1].exe -> Adware.Zhongsou : No action taken.
    C:\WINDOWS\temp\tdsetup.exe -> Adware.Zhongsou : No action taken.
    C:\WINDOWS\system32\msprivsd.dll -> Downloader.Small.cgu : No action taken.
    C:\Documents and Settings\LocalService\Cookies\balbinka@fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.


    ::Report end

    A total of 9 infections were found with AVG.


    HJT Scan log:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:36:04 PM, on 4/19/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\wintest.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\Program Files\Spyware Doctor\sdhelp.exe
    C:\PROGRA~1\Magentic\bin\MgApp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\SPYWAR~1\swdoctor.exe
    C:\Documents and Settings\Balbinka\My Documents\hijackthis\hjtscan.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: (no name) - {73364D99-1240-4dff-B12A-67E448373148} - blank (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [Removecpl] removecpl.exe
    O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Microsoft Update] wintest.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\RunServices: [Microsoft Update] wintest.exe
    O4 - HKCU\..\Run: [Magentic] C:\PROGRA~1\Magentic\bin\Magentic.exe /c
    O4 - HKCU\..\Run: [Microsoft Update] wintest.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7713265B-8769-42A1-AAD9-81035DFED2A3}: NameServer = 207.69.188.187 207.69.188.186
    O20 - AppInit_DLLs:
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe


    It looks like wintest.exe was not removed; maybe this is needed for some type of program installed on my system?

  3. #23
    Join Date: Apr 2007 | Posts: 16
    Oh yeah and Microsoft Windows Defender found NO infections.

    I think my system is OK now.....No?
    Do the logs still show signs of infection?

  4. #24
    Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    If BigFix doesn't download any patches then why have it on the computer?

    You have disabled some Start Up items using msconfig. Please go back in and re-enable those items. We must see what is on the machine.

    Go to Add/Remove and look for the program
    Magentic
    Uninstall it.

    I believe wintest is an indicator of a LOP infection.
    LOP Violates Physical Memory Protection allowing it to take control of your PC. Opens and scans your email address book. Has a keylogger that can spy on and log keystrokes without your knowledge or permission. Changes file type execution and program maps. Creates multiple copies of the Adware infection on your PC. Creates registry run keys to ensure it is restarted every time you boot your PC. Installs other malicious programs. Examines which processes are running on your PC allowing it to explore vulnerabilities in Windows and your antivirus and anti-spyware products. Modifies the HostsFile which could stop your antivirus or anti-spyware protection or put your personal information at risk. Connects with 3rd party computer systems and forwards data via the internet. Hijacks other processes.
    Download Findlop by Metallica. Unzip it to your desktop. Double click findlop.bat. It will open a notepad file. Copy the content of that file and paste it here in your reply.

    Update your Anti-virus program.

    Download ATF-Cleaner.exe by Atribune(Windows XP & 2K ONLY) You can put this on your Desktop for easier access. This program removes temp files, cookies better than the built in Disk Cleanup. This way we know that all cookies are gone before running programs like the AVG Anti-spy and that it will then just have to work on removing adware, and trojans, which you do have on the machine.

    AVG Anti-spyware
    was run Incorrectly. Please check the program for updates, then can be added daily.
    Check the program to be absolutely certain it is set up this way;
    RightClick the AVG Anti-Spy Icon in your system tray and do the following:

    -- Uncheck Resident Shield
    -- Uncheck Automatic Updates
    -- Uncheck Start with Windows

    Now follow these instructions EXACTLY

    Disconnect Completely from the Internet and Close ALL Browser Windows! Now, Please Boot to Safe Mode

    RUN ATF-Cleaner.exe.
    -- Click on ATF-Cleaner to run it
    -- Where it says Select Files To Delete, Check the Select All Option
    -- Click Empty Selected > OK > EXIT

    Next;
    Do a FULL SYSTEM SCAN with your Anti-virus program and allow it to FIX anything it finds.

    Please Launch AVG Anti-Spyware.
    -- Click on the Scanner button and choose the Settings Tab.
    ---> Under How to act?, click on Recommended action and choose Quarantine to set default action for detected malware.
    --->Under Reports make sure Automatically generate report after every scan is selected and UNCHECK the Only if threats were found box.
    -- Leave everything else at their default settings and Select the Scan tab and CLICK Complete System Scan to scan your machine.
    -- Upon completion of the scan, Click Apply all actions to place any detected baddies in Quarantine.
    -- AFTER clicking Apply all actions, Click on Save Report and select Save the report to your Desktop

    Open Microsoft® Windows Defender and Click the downward pointing arrow next to SCAN and Select Full Scan. Allow it to run and fix what it finds.

    Reboot to Normal Mode. Run a NEW HiJackThis scan and save the log.
    Reconnect to the internet and come back here and post the following;
    HJT LOG, AVG log and the Findlop log.
    Judy


  5. #25
    Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    Quote Originally Posted by Ja-c-to-the-K:
    Oh yeah and Microsoft Windows Defender found NO infections.

    I think my system is OK now.....No?
    Do the logs still show signs of infection?
    As I noted above (we must have posted around the same time)
    A good chance of a LOP infection
    also;
    Troj/Cimuz-AZ is a Trojan for the Windows platform. When Troj/Cimuz-AZ is installed it creates the file <System>\ipv6mons.dll.
    The file ipv6mons.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries.

    and also;
    Trojan.Downloader.Small.CGU contacts a remote server in order to download additional malware onto a user's computer without their knowledge.

  6. #26
    Join Date: Apr 2007 | Posts: 16


    Quote Originally Posted by jholland1964:
    If BigFix doesn't download any patches then why have it on the computer?

    You have disabled some Start Up items using msconfig. Please go back in and re-enable those items. We must see what is on the machine.

    Go to Add/Remove and look for the program
    Magentic
    Uninstall it.

    I believe wintest is an indicator of a LOP infection.
    Download Findlop by Metallica. Unzip it to your desktop. Double click findlop.bat. It will open a notepad file. Copy the content of that file and paste it here in your reply.

    Update your Anti-virus program.

    Download ATF-Cleaner.exe by Atribune(Windows XP & 2K ONLY) You can put this on your Desktop for easier access. This program removes temp files, cookies better than the built in Disk Cleanup. This way we know that all cookies are gone before running programs like the AVG Anti-spy and that it will then just have to work on removing adware, and trojans, which you do have on the machine.

    AVG Anti-spyware
    was run Incorrectly. Please check the program for updates, then can be added daily.
    Check the program to be absolutely certain it is set up this way;
    RightClick the AVG Anti-Spy Icon in your system tray and do the following:

    -- Uncheck Resident Shield
    -- Uncheck Automatic Updates
    -- Uncheck Start with Windows

    Now follow these instructions EXACTLY

    Disconnect Completely from the Internet and Close ALL Browser Windows! Now, Please Boot to Safe Mode

    RUN ATF-Cleaner.exe.
    -- Click on ATF-Cleaner to run it
    -- Where it says Select Files To Delete, Check the Select All Option
    -- Click Empty Selected > OK > EXIT

    Next;
    Do a FULL SYSTEM SCAN with your Anti-virus program and allow it to FIX anything it finds.

    Please Launch AVG Anti-Spyware.
    -- Click on the Scanner button and choose the Settings Tab.
    ---> Under How to act?, click on Recommended action and choose Quarantine to set default action for detected malware.
    --->Under Reports make sure Automatically generate report after every scan is selected and UNCHECK the Only if threats were found box.
    -- Leave everything else at their default settings and Select the Scan tab and CLICK Complete System Scan to scan your machine.
    -- Upon completion of the scan, Click Apply all actions to place any detected baddies in Quarantine.
    -- AFTER clicking Apply all actions, Click on Save Report and select Save the report to your Desktop

    Open Microsoft® Windows Defender and Click the downward pointing arrow next to SCAN and Select Full Scan. Allow it to run and fix what it finds.

    Reboot to Normal Mode. Run a NEW HiJackThis scan and save the log.
    Reconnect to the internet and come back here and post the following;
    HJT LOG, AVG log and the Findlop log.
    Judy

    I did not disable ANYTHING using msconfig, I only went to the boot tab and selected "Safe Boot". What startup items are you talking about??

    You know that's EXACTLY what I was thinking...That Magentic is what installed the wintest.exe

    I DID run AVG just like that, I disabled Resident shield, Auto updates, and Winstartup. And my AVG virus protection is updated daily using Auto update.

    After AVG Anti Spy found 9 infections, they were Quarantined, then I went in there and deleted them.


    Looks like I have to do it all over again, but I'm 100% sure I did everything right. I will also run ATF-Cleaner as I did NOT do that last time.

  7. #27
    Join Date: Apr 2007 | Posts: 16
    I did exactly what you told me with findlop and here's the text file results:

    [TRACE] Enumerating jobs and queues

  8. #28
    Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    I did not disable ANYTHING using msconfig, I only went to the boot tab and selected "Safe Boot" what startup items are you talking about??
    This entry shows that msconfig was being used;
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    So, does this mean msconfig was being used at the time the scan was run? Yes. Go back in there and make sure that everything was enabled.
    When asked to boot to Safe Mode don't use msconfig, use the F8 method.

    After AVG Anti Spy found 9 infections, they were Quarantined, then I went in there and deleted them.
    No they were NOT quarantined. Note your log;
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OHMFOLMF\Setup104[1].exe -> Adware.Cdnup : No action taken.
    C:\WINDOWS\temp\03882731.exe -> Adware.Cdnup : No action taken.
    C:\WINDOWS\temp\Setup104.exe -> Adware.Cdnup : No action taken.
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\OHMFOLMF\dodolook017[1].exe -> Adware.Cinmus : No action taken.
    C:\WINDOWS\temp\dodolook017.exe -> Adware.Cinmus : No action taken.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : No action taken.
    C:\Program Files\NewDotNet -> Adware.NewDotNet : No action taken.
    C:\Program Files\Common Files\{C8137B09-06FC-1033-0907-030309050001}\Update.exe -> Adware.Softomate : No action taken.
    C:\Program Files\Common Files\{C8137B09-06FC-1033-0907-030309050001}\system.dll -> Adware.Softomate : No action taken.
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\G52JK96B\tdsetup[1].exe -> Adware.Zhongsou : No action taken.
    C:\WINDOWS\temp\tdsetup.exe -> Adware.Zhongsou : No action taken.
    C:\WINDOWS\system32\msprivsd.dll -> Downloader.Small.cgu : No action taken.
    C:\Documents and Settings\LocalService\Cookies\balbinka@fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.
    If they had been quarantined the entries would have read this way;
    Cleaned (quarantined) or Cleaned with backup (quarantined).
    Yours clearly say No Action Taken...meaning No Action Taken.
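    As an added example (not code from the thread, nor from AVG or HijackThis), here is a small Python triage script for the two log formats quoted in this post: it lists AVG report entries that were not quarantined, and groups HijackThis O4 autostart entries by executable so that a file registered under several Run keys (wintest.exe here) stands out. The sample lines are copied from the posted logs, except the two "Cleaned" lines, which are constructed to show the status a quarantine produces.

```python
import re

# Constructed sample in the AVG Anti-Spyware 7.5 report format
# ("<item> -> <detection> : <action>."). The first three lines are copied from
# the posted log; the last two are made up to show what a quarantine looks like.
AVG_REPORT = """\
C:\\WINDOWS\\temp\\03882731.exe -> Adware.Cdnup : No action taken.
C:\\WINDOWS\\system32\\msprivsd.dll -> Downloader.Small.cgu : No action taken.
HKLM\\SOFTWARE\\Microsoft\\Internet Explorer\\Extensions\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : No action taken.
C:\\WINDOWS\\temp\\constructed.exe -> Adware.Constructed : Cleaned (quarantined).
C:\\WINDOWS\\temp\\constructed.dll -> Adware.Constructed : Cleaned with backup (quarantined).
"""

# HijackThis O4 (autostart) lines copied from the posted log.
HJT_O4 = """\
O4 - HKLM\\..\\Run: [CARPService] carpserv.exe
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [Microsoft Update] wintest.exe
O4 - HKLM\\..\\Run: [MSConfig] C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto
O4 - HKLM\\..\\RunServices: [Microsoft Update] wintest.exe
O4 - HKCU\\..\\Run: [Magentic] C:\\PROGRA~1\\Magentic\\bin\\Magentic.exe /c
O4 - HKCU\\..\\Run: [Microsoft Update] wintest.exe
"""

def parse_avg_report(text):
    """Yield (item, detection, action) per report line. Split from the right so
    drive letters and GUIDs in the item are not mistaken for the separators."""
    for line in text.splitlines():
        line = line.strip()
        if " -> " not in line or " : " not in line:
            continue
        item, rest = line.rsplit(" -> ", 1)
        detection, action = rest.rsplit(" : ", 1)
        yield item, detection.strip(), action.strip().rstrip(".")

def avg_unresolved(text):
    """Items the scan only reported: anything not 'Cleaned ... (quarantined)'."""
    return [item for item, _, action in parse_avg_report(text)
            if not (action.startswith("Cleaned") and "quarantined" in action)]

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$")

def hjt_multi_location(text):
    """Map each autostart executable to the Run keys that launch it and keep only
    those registered in more than one place. The executable is the first token of
    the last path segment, so arguments containing backslashes are not handled."""
    seen = {}
    for line in text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            hive, key, name, cmd = m.groups()
            exe = cmd.rsplit("\\", 1)[-1].split()[0].lower()
            seen.setdefault(exe, []).append(f"{hive}\\{key} [{name}]")
    return {exe: locs for exe, locs in seen.items() if len(locs) > 1}
```

    A bare filename under a misleading display name in three Run keys is the pattern the thread is about; the same functions run unchanged over a full pasted report.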

  9. #29
    Join Date: Apr 2007 | Posts: 16


    Ok I finally got everything cleaned up! Thankz to AVG Anti Spy and your help!
    I appreciate all your time A LOT, again THANKZ!

    Wintest.exe = Backdoor.Rbot.adf

  10. #30
    Join Date: Aug 2006 | Location: The Middle | Age: 80 | Posts: 4,079
    So pleased you got everything fixed. Can I ask...
    where did you find this info;
    Wintest.exe = Backdoor.Rbot.adf
    I searched forever and never found this worm in reference to this file name. If I see it again I will know.
    I only found it in regard to a LOP infection.
