# [Resolved] win min problems



## katarina57 (Dec 31, 2003)

I am so relieved to finally find some help for this nasty problem. I have downloaded Hijack this and copied my scan list. what do I do now? You don't know how relieved I am to find this site!

Logfile of HijackThis v1.97.7
Scan saved at 9:14:21 PM, on 12/30/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\ESM2\Stms.exe
C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
C:\ESM2\EBRR.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Documents and Settings\default\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=08154019216829
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=87896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#87896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://out.true-counter.com/a/?344012 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://out.true-counter.com/b/?344012 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.windowws.cc/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?344012 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#87896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=87896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#87896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.lookfor.cc/sp.php?p=87896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?344012 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=08154019216829
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://teen-biz.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://webcoolsearch.com/?id=54
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?344012 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?344012 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.008i.com/search.html
O1 - Hosts: 205.177.124.66 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: (no name) - {4B021269-DD24-48B2-96B4-DA121E9C0502} - C:\WINDOWS\SYSTEM32\ctpp1_94.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINDOWS\gsim.dll
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents and Settings\default\Application Data\iefeatsl\iefeatsl.dll
O2 - BHO: (no name) - {AEFCDEC8-EB7D-429F-BC73-4F30D07BFE41} - C:\WINDOWS\SYSTEM32\ctadl1.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\DOCUME~1\default\APPLIC~1\iefeatsl\msiesh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [susp] C:\WINDOWS\susp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [UMHWFDNTJNDY] C:\WINDOWS\OTPAXROVRXJ.exe
O4 - HKCU\..\RunOnce: [iefeatslUpdate] rundll32 C:\DOCUME~1\default\APPLIC~1\iefeatsl\iefeatsl.dll,UpdateDll s
O4 - Global Startup: winlogon.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Epson.lnk = C:\WINDOWS\RUNEPSON.EXE
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/30a2aa6809317586a717/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2887D908-99DA-4B57-9A31-AA7738B74C46}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{2887D908-99DA-4B57-9A31-AA7738B74C46}: NameServer = 205.188.146.146
O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)


----------



## Lance1 (Aug 4, 2003)

What problems are you having?


----------



## katarina57 (Dec 31, 2003)

Same as many of the others I have read on this site. Running Windows XP and cannot log off without win min error. Nasty offensive pop ups that I cannot get eliminate. Constantly reloads as favorite sites under all my user accounts repeatedly. Seems from this site that this has a resolution. I would like to use the resolution that has helped others resolve this issue.


----------



## katarina57 (Dec 31, 2003)

As I have had more time to look over the site, I realized that this should have gone under the security category. I thought it was an XP problem. Should I move it to the right spot. I was a little confused when I first found the site.


----------



## ~Candy~ (Jan 27, 2001)

You can't move it, I'll move it to security.

Welcome to TSG, by the way


----------



## cybertech (Apr 16, 2002)

You have a CWS hijacker and peper trojan among other things.

Click on the link below to download CWshredder
http://www.spywareinfo.com/~merijn/cwschronicles.html

Run the program and let it do it's thing.

*Make sure you follow the advice about the security updates listed at the bottom of the page, in order to prevent re-infection.*

Next:

Download Spybot http://tomcoyote.org/SPYBOT/index1.php

*Make sure to follow the instructions for updates prior to running the scan.*

Click on "Search For updates" After the search has completed, the available Updates will be listed. Choose which Updates you would like to Download. Click "Download updates." The Updates will self install. The screen will change again. 
Sometimes the Default Download Location will produce an Error. If that happens, look in the right panel. There you will find a small arrow next to the name of the current Download site. Click on it for a list of alternate sites. One of those should be able to retrieve the files you have selected.

Reboot and download AdAware http://www.lavasoftusa.com/
*Before you scan with AdAware, check for updates of the reference file by using the webupdate.*

Reboot and post another HJT log and let's see what's left.


----------



## Rollin' Rog (Dec 9, 2000)

You will first need to run the CoolwebShredder available here:

http://www.spywareinfo.com/~merijn/cwschronicles.html

http://www.spywareinfo.com/~merijn/files/cwshredder.zip

Check out the "prevention" tips and as a final measure make sure you have the updates required for this:

ByteVerifier:

http://support.microsoft.com/default.aspx?kbid=828026
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp

After running CoolWebShredder, do the following. Have HijackThis and these instructions in a notepad file in a convenient, permanent, location (not a temp one which it currently is in)

Then:

1 - Restart in Safe Mode: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001060608000039

2 -- In Safe Mode run HijackThis and check and fix all of these entries which may remain:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.windowws.cc/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=08154019216829
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=87896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#87896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://out.true-counter.com/a/?344012 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://out.true-counter.com/b/?344012 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.windowws.cc/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?344012 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://mshp.dll/index.html#87896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.lookfor.cc/sp.php?p=87896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://mshp.dll/index.html#87896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.lookfor.cc/sp.php?p=87896
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://out.true-counter.com/b/?344012 (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://if.searchcentrix.com/sidecat.jsp?p=98567&appid=21&id=08154019216829

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://teen-biz.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://webcoolsearch.com/?id=54
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?344012 (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://out.true-counter.com/b/?344012 (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = http://www.008i.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = http://www.008i.com/search.html
O1 - Hosts: 205.177.124.66 auto.search.msn.com

O2 - BHO: (no name) - {2E9CAFF6-30C7-4208-8807-E79D4EC6F806} - C:\Program Files\Submit\submithook.dll
O2 - BHO: (no name) - {4B021269-DD24-48B2-96B4-DA121E9C0502} - C:\WINDOWS\SYSTEM32\ctpp1_94.dll

O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-DFF7-EC6BF4D5FA7D} - C:\WINDOWS\gsim.dll
O2 - BHO: . - {587DBF2D-9145-4c9e-92C2-1F953DA73773} - C:\Documents and Settings\default\Application Data\iefeatsl\iefeatsl.dll
O2 - BHO: (no name) - {AEFCDEC8-EB7D-429F-BC73-4F30D07BFE41} - C:\WINDOWS\SYSTEM32\ctadl1.dll
O2 - BHO: (no name) - {FD9BC004-8331-4457-B830-4759FF704C22} - C:\DOCUME~1\default\APPLIC~1\iefeatsl\msiesh.dll

O4 - HKLM\..\Run: [susp] C:\WINDOWS\susp.exe

O4 - HKCU\..\Run: [UMHWFDNTJNDY] C:\WINDOWS\OTPAXROVRXJ.exe
O4 - HKCU\..\RunOnce: [iefeatslUpdate] rundll32 C:\DOCUME~1\default\APPLIC~1\iefeatsl\iefeatsl.dll,UpdateDll s

O19 - User stylesheet: C:\WINDOWS\Web\oslogo.bmp
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)

3 -- Open a command prompt (Start > Run, enter *cmd*)

-- a command shell will open -- carefully type and enter each line below:

*del C:\WINDOWS\susp.exe
del C:\WINDOWS\OTPAXROVRXJ.exe*

4 -- Manually navigate to the following location:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

>> delete the file *winlogon.exe* in that location. Do not delete winlogon.exe from any other location.

5 -- reboot and post another Scanlog.

I would also recommend installing, UPDATING and running either Spybot or Ad-aware to detect and remove other possible hijacks.

Spybot Instructions and Download
Ad-Aware Home Page and Ad-Aware 6: Reference Guide by Winchester73


----------



## katarina57 (Dec 31, 2003)

I completed the steps as outlined. I did not find winlogon.exe under the c:\....\programs\startup or c:\windows\otpaxrovrx.exe to delete while in safe mode. I updated and ran spybot and found a few tracking cookies which I fixed. For the first time I have been able to logoff without the Win Min error. Below is my scan log after the fixes. Does it look as though I cleaned it all up? Wasn't sure about some of the entries after hijack this ran?

Logfile of HijackThis v1.97.7
Scan saved at 3:39:00 PM, on 12/31/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\WINDOWS\System32\dvdupgrd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\ESM2\Stms.exe
C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
C:\ESM2\EBRR.EXE
C:\Program Files\America Online 8.0\aoltray.exe
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\default\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/greg/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/greg/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/greg/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://super-spider.com/greg/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/greg/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [VFWMEXMOTYVGV] C:\WINDOWS\APOWKOQOJQYQ.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Epson.lnk = C:\WINDOWS\RUNEPSON.EXE
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/30a2aa6809317586a717/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


----------



## cybertech (Apr 16, 2002)

You have a different CWS hijacker now, run shredder again.

End Task on APOWKOQOJQYQ.exe then find and delete the file. It may be hidden so make sure you are showing all files and folders.

Run HJT again and put checks against these:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://super-spider.com/greg/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://super-spider.com/greg/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://super-spider.com/greg/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://super-spider.com/greg/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://super-spider.com/greg/sp.php
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [MOSearch] C:\PROGRA~1\COMMON~1\System\MOSearch\Bin\mosearch.exe
O4 - HKCU\..\Run: [VFWMEXMOTYVGV] C:\WINDOWS\APOWKOQOJQYQ.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/30a2aa68093175...ip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave

*Close all browser windows before clicking "fix checked".*

Reboot your machine. Post another log and let us know how things are going.


----------



## katarina57 (Dec 31, 2003)

Followed your instructions. How does it look? (See my file below) I can already tell the difference in how my system is running. Should I make a backup after this is fixed so I can have a clean system should this ever happen again? Should I run hijack and spybot programs daily or weekly. Have you all published prevention tips for catching these "problems" early?

Logfile of HijackThis v1.97.7
Scan saved at 6:19:16 PM, on 12/31/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\dvdupgrd.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
C:\WINDOWS\RUNEPSON.EXE
C:\ESM2\Stms.exe
C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
C:\ESM2\EBRR.EXE
C:\Program Files\America Online 8.0\aoltray.exe
C:\WINDOWS\System32\devldr32.exe
C:\Documents and Settings\default\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFREE.EXE"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: MiniMavis.lnk = C:\Program Files\Broderbund\Mavis Beacon Teaches Typing 12 Standard\MiniMavis.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Epson.lnk = C:\WINDOWS\RUNEPSON.EXE
O4 - Global Startup: EPSON Background Monitor.lnk = C:\ESM2\Stms.exe
O4 - Global Startup: Camio Viewer 3.2.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Help (HKCU)
O9 - Extra button: Support (HKCU)
O9 - Extra button: Dell Home (HKCU)
O12 - Plugin for .avi: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npavi32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .swf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npswf32.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - https://support.dell.com/systemprofiler/SysPro.CAB


----------



## Rollin' Rog (Dec 9, 2000)

That looks better. If you haven't done it yet, I would now recommend that you turn off System Restore, reboot the computer and turn it back on again to completely purge the Restore Archive.

Windows will soon create a new restore point, but you can do so manually if you wish by running *msconfig* > launch system restore > create a new check point.

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039

Running Spybot or Ad-ware weekly is probably a good choice. They will always be finding something, but usually it will just be harmless tracking cookies.

Winlogon.exe got removed one way or another -- that is the principal cause of the "win min" error, but you had a lot else there as well. Remember, the one in system32 is legit, so don't worry about that.


----------



## katarina57 (Dec 31, 2003)

You guys and gals R-O-C-K ! It looks like my Win Min problem is resolved. I could not have done it without your help. I am donating to your cause and will tell everyone I know about this site. My children thank you too! Now they can use the computer without being bombarded by "nasty" images! Your services are invaluable. I will pray for God's blessings for all of you. It is nice to know that there are good folks out there in cyberspace who are willing to share their knowledge (without a high cost) with those of us who are not as computer literate. I will now use this site to help keep me "in the know" Thanks again!


----------



## Rollin' Rog (Dec 9, 2000)

That's great Katarina and I will mark this as resolved.

I'm wondering however if you can shed any light on what you installed that is loading this file:

C:\WINDOWS\System32\dvdupgrd.exe

My favorite reference doesn't seem to know what it is.

Program Name: DVDUpgrade 
Executable Name: DVDUpgrd.exe 
Required: Unknown at this time 
Comments: ??

http://www.lafn.org/webconnect/mentor/startup/PENINDEX.HTM

I'm concerned that it may be a variation of what Symantec describes here:

http://216.239.53.104/search?q=cach...32.hllw.zaffi.html+[DVDUpgrade&hl=en&ie=UTF-8


----------



## katarina57 (Dec 31, 2003)

I checked out the DVDupgrd.exe. I found two files on my PC related, both are in C:\Windows\System32\dvdupgrd.exe and another called C:\Windows\Prefetch\dvdupdrd-310d535B.pf. The properties information says its a Microsoft corporation file. I believe it is part of the software programs that came with the computer where they give you the basic software package of Roxio Easy CD creator or Windows Media Player and try to get you to upgrade to the deluxe versions. I belive that screen always pop up before all the viruses I had but I can't swear to it. I could delete it and see what happens. I don't plan to updgrade. We usually see it, after we have been playing games which use media format such as the The Sims...never in the middle of something. 

I'm thinking, it is not virus related.


----------



## Rollin' Rog (Dec 9, 2000)

Yes you're quite right, it turns out to be a Microsoft file. I have it too, for that matter -- I've just never seen it starting.

Don't delete it.


----------



## dvk01 (Dec 14, 2002)

Just for info:

Cwshredder deletes the bad winlogon file on a reboot in XP & 2000, but it needs manual removal in 95/98/ME


----------



## Rollin' Rog (Dec 9, 2000)

Thanks for the info Derek, I was wondering why it seemed to work for some but not others.


----------



## ~Candy~ (Jan 27, 2001)

Closing thread to avoid taggers. Anyone else with similar problems, PLEASE start your own thread. DO NOT tag onto the end of another one.


----------

