Please help! Vicious little piece of ware

Osnail (Newbie, joined 28 March 2006, 1 post)
Posted: 28 March 2006 at 1:51pm
I also had this problem but have now cleared it. Here's how....

Get Avast, Ewido, Trojan Hunter and update them all... Get CCleaner and run it, then reboot into Safe Mode and run Avast, Trojan Hunter and then Ewido in that order, all separately, then run CCleaner.

Then go into your Prefetch folder and clear it out, plus all your temp folders (Windows, Local Settings etc...).

Ensure that the file named "winetn32.dll" has gone, as that is the one which causes all the problems.

Then run "Regedit", search for any entries for "winetn32.dll" and delete them.


Reboot to normal and voila!! Clean and free!! It took me all day to work that one out, so please make cheques payable to me!! ;0)



Edited by Osnail - 28 March 2006 at 1:53pm
DundeeMafia (Newbie, United Kingdom, joined 28 February 2006, 1 post)
Posted: 28 February 2006 at 2:59pm

Looks like you're going to have to get a bit more involved in the list of processes upon your machine.

You should download, and use

http://www.sysinternals.com/Utilities/Autoruns.html

and

http://www.sysinternals.com/utilities/processexplorer.html

With Process Explorer you'll find a list of active processes, where you will hopefully locate the "winXXX.tmp.exe" executable application you have mentioned above - it may not be a separate process, but actually started by another process within the process tree.

If you right-click on this process you will be able to SUSPEND its operation. This will allow you to stop this process, and its parent if you suspend those, from creating the new instances of the "winXXX.tmp.exe" file within the TEMP folder.

Once you figure out which process is generating the "winXXX.tmp.exe" files, you'll be in a better position and be able to decide how simple it will be to remove the autostart references. If the process is not suspended, it's very likely it would recognise you have taken away the autostart entry and just put it back before you were able to blink.

For ease of identifying where the process is being executed from and its command-line parameters, you should enable the columns "IMAGE PATH" and "COMMAND LINE" from within the VIEW -> SELECT COLUMNS... dialog window.

If necessary there is an option to save the output from AUTORUNS and PROCESS EXPLORER, so they could be reviewed if required.

Joe.

--- oooOOOooo ---

I am responsible for my own actions, don't blame anyone else.
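A read-only triage script in the spirit of Joe's Process Explorer advice, added here as an example and not part of the original thread or of the Sysinternals tools: it lists every running process whose image name matches the win<hex>.tmp.exe pattern from the posts above and walks up its parent chain with the same image path and command line detail he recommends enabling. The file-name pattern is an assumption taken from the thread; nothing is suspended or deleted.

```powershell
# Added example (not from the thread): find win<hex>.tmp.exe processes and show
# their parent chain with image path and command line. Read-only triage.
$pattern = '^win[0-9A-Fa-f]+\.tmp\.exe$'   # assumed from the file names in the thread

# Win32_Process exposes PID, parent PID, image path and command line in one query.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

function Show-ParentChain {
    param([int]$StartPid)
    $seen  = @{}
    $cur   = $StartPid
    $depth = 0
    # Stop at the root, or if a PID repeats (parent PIDs can be reused after exit).
    while ($byPid.ContainsKey($cur) -and -not $seen.ContainsKey($cur)) {
        $seen[$cur] = $true
        $p = $byPid[$cur]
        $indent = '  ' * $depth
        Write-Output ('{0}PID {1,-6} {2}' -f $indent, $p.ProcessId, $p.Name)
        Write-Output ('{0}      image path  : {1}' -f $indent, $p.ExecutablePath)
        Write-Output ('{0}      command line: {1}' -f $indent, $p.CommandLine)
        $cur = [int]$p.ParentProcessId
        $depth++
    }
}

$suspects = @($procs | Where-Object { $_.Name -match $pattern })
if ($suspects.Count -eq 0) {
    Write-Output 'No running process matches win<hex>.tmp.exe.'
}
foreach ($s in $suspects) {
    Write-Output '=== suspect process, followed by its parents ==='
    Show-ParentChain -StartPid ([int]$s.ProcessId)
}

# Count matching files in the user's TEMP folder; a count that keeps rising
# between runs shows that whatever generates them is still alive.
$tmpFiles = Get-ChildItem -Path $env:TEMP -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^win[0-9A-Fa-f]+\.tmp(\.exe)?$' }
Write-Output ('TEMP folder holds {0} win<hex>.tmp / .tmp.exe files.' -f @($tmpFiles).Count)
```

Run it from an elevated prompt so Win32_Process returns the command line of processes owned by other users; the parent that appears at the bottom of each chain is the autostart entry worth checking in Autoruns.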
beirtipol (Newbie, joined 28 February 2006, 2 posts)
Posted: 28 February 2006 at 9:28am
I also think that IIS is involved, as the virus became more active when I disabled the IIS service. I should have said earlier, I'm running WinXP Pro SP2 with Norton AV, NoAdware4 and Sygate Firewall.
beirtipol (Newbie, joined 28 February 2006, 2 posts)
Posted: 28 February 2006 at 9:19am
I downloaded a keygen from www.seriall.com - I know that was my first mistake...

When I ran the exe, it popped up a dialog in Spanish which quickly disappeared. My modem then cut out and redialled a different number.

So far, I've removed the dialer but I can't remove the files in the temp folder, which duplicate themselves about 4-5 times a minute. There are thousands of files with a .tmp extension named "winXXX.tmp" where XXX is in HEX. It then creates .exe files named "winXXX.tmp.exe". These run and try to connect to www.slimfind.com. I've attached the firewall log. Today, "winlogon.exe" tried to connect to "BT2n.com, connectpt.net, and boostservice.com". They're all in the 85.255.115 subnet.

The following files were created today in the system32 folder:
ncompat.tlb
ld607F.tmp
dfrgsrv.exe

I also found a suspicious dll in the registry and System32 folder named "winzjc32.dll". I've tried disabling it in "HijackThis" (log included) and with "Autoruns" but it still comes up. I've also deleted anything from the Windows prefetch folder created after the time that I ran the keygen. Noadware4 and Norton AV, but I'll download some more adware programs and keep trying.

This is a mischievous little bugger - any ideas?

I've attached any files I can find with their addresses. Most of them won't copy as they're in use by a running process - winlogon??

DON'T RUN OPERATION_FLASHPOINT_KEYGEN - that's the F*** that started this whole mess.

Attachment: 2006-02-28_091555_Virus_Log.rar