# [Resolved] Win Min



## kz6hdt (Dec 10, 2003)

Help! I have been trying to get rid of this Win Min error I keep getting when I log off as well as these horrible nasty pictures that keep popping up on our computer. I downloaded Spyhunter v.1.4.42 from Enigma software which I thought would get rid of the spyware and even paid for it and I'm still having all of these nasty favorites pop up into our browser as well as extremely unwanted sites. I then read some messages on your site and downloaded HijackThis. Here's our log. Can you please advise on what I should do next?

Logfile of HijackThis v1.97.7
Scan saved at 8:46:58 PM, on 12/9/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system32\aucompat.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MSupdate.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\user\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allneedsearch.com/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allneedsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allneedsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.alfa-search.com/search.html
F1 - win.ini: run=c:\windows\system32\aucompat.exe
O1 - Hosts: 216.200.3.32 thehun.net
O1 - Hosts: 216.200.3.32 www.thehun.net
O1 - Hosts: 216.200.3.32 thehun.com
O1 - Hosts: 216.200.3.32 www.thehun.com
O1 - Hosts: 216.200.3.32 worldsex.com
O1 - Hosts: 216.200.3.32 www.worldsex.com
O1 - Hosts: 216.200.3.32 sexocean.com
O1 - Hosts: 216.200.3.32 www.sexocean.com
O1 - Hosts: 216.200.3.32 easypic.com
O1 - Hosts: 216.200.3.32 www.easypic.com
O1 - Hosts: 216.200.3.32 free6.com
O1 - Hosts: 216.200.3.32 www.free6.com
O1 - Hosts: 216.200.3.32 al4a.com
O1 - Hosts: 216.200.3.32 www.al4a.com
O1 - Hosts: 216.200.3.32 thumbnailpost.com
O1 - Hosts: 216.200.3.32 www.thumbnailpost.com
O1 - Hosts: 216.200.3.32 drbizzaro.com
O1 - Hosts: 216.200.3.32 www.drbizzaro.com
O1 - Hosts: 216.200.3.32 hoes.com
O1 - Hosts: 216.200.3.32 www.hoes.com
O1 - Hosts: 216.200.3.32 absolut-series.com
O1 - Hosts: 216.200.3.32 www.absolut-series.com
O1 - Hosts: 216.200.3.32 elephantlist.com
O1 - Hosts: 216.200.3.32 www.elephantlist.com
O1 - Hosts: 216.200.3.32 ah-me.com
O1 - Hosts: 216.200.3.32 www.ah-me.com
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [SAUpdate] "C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Aucompat] c:\windows\system32\aucompat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aucompat] c:\windows\system32\aucompat.exe
O4 - Global Startup: MSupdate.exe
O4 - Global Startup: winlogon.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Rollin' Rog (Dec 9, 2000)

1 -- have HijackThis in its own permanent folder, not in a Temporary folder. Ensure "show hidden files" is checked in Folder Options > View (available through the Control Panel or any Explorer Tools Menu).

2 -- reboot in Safe Mode: run *msconfig* and put a check in */safeboot* under the Boot.ini tab. This will have to be unchecked to return to normal mode.

Once in Safe Mode, navigate to:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Delete:

*msupdate.exe
winlogon.exe*

3 -- click Start> Run, and enter *cmd*

a command shell will open. Type and enter:

*del c:\windows\system32\aucompat.exe*

4 -- run HijackThis and check and "fix" the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://allneedsearch.com/spm.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://allneedsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allneedsearch.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.alfa-search.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.alfa-search.com/search.html

F1 - win.ini: run=c:\windows\system32\aucompat.exe

*All the O1 Entries!!*

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

O4 - HKLM\..\Run: [Aucompat] c:\windows\system32\aucompat.exe

O4 - HKCU\..\Run: [Aucompat] c:\windows\system32\aucompat.exe

5 -- after returning to Normal Mode, verify that the deleted files no longer exist and run HijackThis again and post another Scanlog.

>>> Note you are only concerned about winlogon.exe in the folder you deleted it from. It is legitimate in other locations.


----------



## kz6hdt (Dec 10, 2003)

Ok, I did all steps you mentioned but #3 - I typed in the delete file "del c:\windows\system32\autompat.exe" and received a message back it couldn't be found. Therefore, I wasn't able to "fix" any files with "aucompat" in it since they weren't there. Here's another copy of the log from hijack. Thanks again for your help!

Logfile of HijackThis v1.97.7
Scan saved at 9:28:37 PM, on 12/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system32\cabchk.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\user\Local Settings\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

F1 - win.ini: run=c:\windows\system32\cabchk.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [SAUpdate] "C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cabchk] c:\windows\system32\cabchk.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Cabchk] c:\windows\system32\cabchk.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Rollin' Rog (Dec 9, 2000)

It looks like it morphed into something else:

C:\windows\system32\*cabchk.exe*

Do a ctrl-alt-del and terminate that process

Then run *cmd* and enter:

*del C:\windows\system32\cabchk.exe*

Next run HijackThis and check and fix these two entries:

O4 - HKLM\..\Run: [Cabchk] c:\windows\system32\cabchk.exe

O4 - HKCU\..\Run: [Cabchk] c:\windows\system32\cabchk.exe

This file name may be changing during reboots, so we want to try to nail it first.

Once you have completed the above, reboot and run and post another Scanlog.


----------
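The two checks the helpers above make by eye, written out as an added example (not part of the original thread): flag a process that uses a core Windows name from the wrong folder, and compare the autostart entries of two scans to catch a loader that renames itself. The scan text is an abridged excerpt of the logs posted above; the function names and the expected-folder table are assumptions of this example.

```python
import ntpath
import re

# Assumption: default C:\WINDOWS install; the only folder each core process runs from.
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32", "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32", "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows",
}
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Abridged excerpts of the first and second scans in this thread.
SCAN_1 = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system32\aucompat.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe

F1 - win.ini: run=c:\windows\system32\aucompat.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Aucompat] c:\windows\system32\aucompat.exe
O4 - HKCU\..\Run: [Aucompat] c:\windows\system32\aucompat.exe
O4 - Global Startup: winlogon.exe
"""
SCAN_2 = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system32\cabchk.exe

F1 - win.ini: run=c:\windows\system32\cabchk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Cabchk] c:\windows\system32\cabchk.exe
O4 - HKCU\..\Run: [Cabchk] c:\windows\system32\cabchk.exe
"""


def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries


def masquerading(processes):
    """Processes that borrow a system binary's name but run from another folder."""
    hits = []
    for path in processes:
        folder, name = ntpath.split(path.lower())
        expected = EXPECTED_DIR.get(name)
        if expected and folder != expected:
            hits.append(path)
    return hits


def autostarts(entries):
    """Set of (location, command) pairs from F1 win.ini and O4 startup entries."""
    found = set()
    for code, body in entries:
        if code == "F1":
            loc, _, cmd = body.partition("=")          # "win.ini: run" = path
        elif code == "O4":
            loc, _, cmd = body.partition(": ")         # location : [Name] command
            cmd = re.sub(r"^\[[^\]]*\]\s*", "", cmd)   # drop the value name
        else:
            continue
        found.add((loc.strip(), cmd.strip().lower()))
    return found


def swapped(before, after):
    """Locations where one command vanished and a different one appeared."""
    gone, new = before - after, after - before
    both = {w for w, _ in gone} & {w for w, _ in new}
    return {w: (sorted(c for x, c in gone if x == w),
                sorted(c for x, c in new if x == w)) for w in both}


if __name__ == "__main__":
    (p1, e1), (p2, e2) = parse_log(SCAN_1), parse_log(SCAN_2)
    print("masquerading:", masquerading(p1))
    for where, (old, now) in sorted(swapped(autostarts(e1), autostarts(e2)).items()):
        print(f"{where}: {old} -> {now}")
```

A location that loses one command and gains another between scans, as all three do here, means the autostart entry was rewritten rather than removed, so the new file name has to be cleaned up as well.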



## kz6hdt (Dec 10, 2003)

I terminated the process but when I went to delete the file on the C: drive it said it "could not be found". I was able to fix the 2 entries in Hijack This. How does this Scanlog look?

Logfile of HijackThis v1.97.7
Scan saved at 10:35:51 PM, on 12/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\windows\system32\cabchk.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\user\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe

F1 - win.ini: run=c:\windows\system32\cabchk.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [SAUpdate] "C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Mosaic1 (Aug 17, 2001)

hi,
Could you please email me a copy of
c:\windows\system32\cabchk.exe
at 
Click here to email me

I would like to send it in for analysis. 
Thanks in advance,
Mo


----------



## Mosaic1 (Aug 17, 2001)

And I don't see your start and search pages listed there. May we have a look please? If you have the Ignorelist set for them, please uncheck that.

The Win Min error at shutdown often indicates that you have msconfd on the hard drive and set to load from a particular registry key.

Please open your registry (go to start>Run and type Regedit) press enter

Navigate to 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Right click on Windows in the left pane and choose Export. Save the file as Appinit.txt

Copy and paste the contents of Appinit.txt into a reply here please.


----------



## kz6hdt (Dec 10, 2003)

Sorry Mo, I just tried to find the file in the same location and it's not there. Not sure what has happened!


----------



## Rollin' Rog (Dec 9, 2000)

The file must still be there:

C:\windows\system32\*cabchk.exe*

perhaps you didn't spell it right.

Also "fix" this HijackThis entry I missed seeing:

F1 - win.ini: run=c:\windows\system32\cabchk.exe

Copy it out of the system32 folder so you can send Mo a copy. Then after terminating the process try to delete it manually.

Make sure "show hidden files" is checked in Folder Options > View. If you still can't find it, also uncheck "hide system files" temporarily.


----------



## kz6hdt (Dec 10, 2003)

Mo, I got another email from you in the meanwhile. Do you still want me to do the registry thing?


----------



## Mosaic1 (Aug 17, 2001)

Yes, please. That's the usual cause of the Win Min error at shutdown. So we are looking for a particular entry.


----------



## Mosaic1 (Aug 17, 2001)

Also, When using WinXP search, even if Folder Options is set to Show all files, Search has its own settings. Win XP search will not by default show you hidden files.

Here's a link to a script to run if you want to set Folder Options and Search to find and show all files. Extract it and then run the vbs

http://mjc1.com/files/mo/Show & Find All.zip


----------



## kz6hdt (Dec 10, 2003)

Mo, please excuse my lack of knowledge in this area. I almost feel over my head on this website. I'm just so grateful to be getting some help as I've eliminated some of the nasty stuff already. I just tried to extract the above file and received a warning from my Norton Antivirus saying I should not run the script?


----------



## Mosaic1 (Aug 17, 2001)

Right. Often, scripts are evil and so Norton gives a warning when you try to run one. But I wrote this one and promise you it is going to just set your search and file settings so you can find hidden files.


----------



## kz6hdt (Dec 10, 2003)

Mo, here's the registry you wanted...

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710


----------



## Mosaic1 (Aug 17, 2001)

That's good. You do not have msconfd.dll. If you had, it would have been listed here:
"AppInit_DLLs"= "msconfd"

That's a miserable one to remove. I'll leave you in Rog's more than capable hands. He taught me half of what I know. When I saw Win Min, I wanted to offer a hand. 

If you do find a copy of the nasty file in question, I'd appreciate a copy. Thanks. 

Night all.


----------
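The AppInit_DLLs check from the posts above, as an added example that is not part of the original thread: it reads a regedit export of the `Windows` key and returns whatever DLLs are listed in `AppInit_DLLs`. The function names and both sample inputs are constructed for this example; the second sample uses the `msconfd` form quoted in the post above.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
# "name"="data" lines; both sides may contain backslash-escaped characters.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*"((?:[^"\\]|\\.)*)"\s*$')


def decode_export(raw):
    """regedit 'Version 5.00' exports are UTF-16 with a BOM; pasted copies are not."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8", errors="replace")


def appinit_dlls(raw):
    """Return the DLL names listed in AppInit_DLLs under KEY, or [] if empty or absent."""
    section = None
    for line in decode_export(raw).splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m or section is None or section.lower() != KEY.lower():
            continue
        # Undo .reg escaping: \\ becomes \ and \" becomes "
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        if name.lower() == "appinit_dlls":
            # Windows accepts spaces or commas between DLL names.
            return [d for d in re.split(r"[ ,]+", data) if d]
    return []


# Constructed sample 1: a clean export as regedit writes it (UTF-16, CRLF).
CLEAN_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    "[" + KEY + "]\r\n"
    '"AppInit_DLLs"=""\r\n'
    '"Spooler"="yes"\r\n'
).encode("utf-16")

# Constructed sample 2: text pasted into a forum reply, with the entry present.
PASTED_WITH_ENTRY = (
    "[" + KEY + "]\n"
    '"AppInit_DLLs"= "msconfd"\n'
).encode("utf-8")

if __name__ == "__main__":
    for label, raw in (("clean", CLEAN_EXPORT), ("with entry", PASTED_WITH_ENTRY)):
        print(label, "->", appinit_dlls(raw) or "nothing loaded via AppInit_DLLs")
```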



## kz6hdt (Dec 10, 2003)

Rog, I think I'm lost on what my next step should be. Can you check my latest log and see if I need to still delete or fix any files? Thanks SO MUCH for all your help (Mo, too). I ended up finding the cabchk.exe file for Mo but how should I delete? Still can't delete from cmd. It doesn't show up in the log so maybe that's a good thing? Let me know, I'm going to sleep now - got work in the AM. 
Logfile of HijackThis v1.97.7
Scan saved at 11:40:03 PM, on 12/10/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\user\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [SAUpdate] "C:\Program Files\Comcast\BBClient\Programs\SAUpdate.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## Rollin' Rog (Dec 9, 2000)

Your next step should be to get a good night's sleep. It's gone! 

One way or another we seem to have nixed it.

However if it is still on the hard drive, and you cannot delete it in "normal" mode, try starting in Safe Mode.

To start in Safe Mode, run *msconfig* and check */safeboot* under the boot.ini tab. You will have to uncheck it to return to normal.

If you are not getting any more "win min" errors I think we can mark this "resolved".

However this seems to have escaped the knife:

O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)

Just have HijackThis fix that one and hopefully you're set.


----------



## kz6hdt (Dec 10, 2003)

Hey Rog - thanks again for all your help. Win Min doesn't come up anymore, the nasty sites don't show up in our favorites as well as just popping up on our computer... All is so good. I know I could never have fixed this without your awesome help. I sure have an admiration for you computer gurus out there. Have a wonderful holiday!


----------



## Rollin' Rog (Dec 9, 2000)

Sounds good to me; you're most welcome for the help and I'll put a "resolved" on this one then.


----------



## iveysg (Jan 3, 2004)

I am having the same problems as the last guy. I didn't know if my problem would be the exact same as his or if it was different individually. I am getting pop-ups from all different sites that I would not want to view and getting the Win Min error while trying to shut down. I d/l the HijackThis and this is my log...I hope you can help...thanks

Logfile of HijackThis v1.97.7
Scan saved at 8:59:21 PM, on 1/2/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\sistray.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\DOCUME~1\STANIV~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.5&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=5.0&ar=runonce&plcid=1103&sba=retail
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\SYSTEM32\sistray.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [DisplayTrayIcon] C:\WINDOWS\System32\TrayIcon.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [QD FastAndSafe] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PopUpStopperProfessional] "C:\PROGRA~1\PANICW~1\POP-UP~1\POPUPS~1.EXE"
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: winlogon.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE6C4192-2AF9-460F-9A36-F328F2649F6A}: NameServer = 207.203.159.252 205.152.37.254


----------

