winsi32.exe error

Status
Not open for further replies.

er_gurpreet

Broken In
Hi

Whenever I log on to the computer, a message is displayed: 'winsi32.exe has encountered errors...'. What is this and how can I counter this problem?

Also there are a host of other applications that start on their own and would open websites on their own. I have installed Sygate Personal Firewall but my system has started behaving like a 486. How can I resolve this issue?

regds

gsr
 

anandk

Distinguished Member
Yeah, winsi32.exe is a trojan, added by a variant of the WIN32.RBOT worm.

Running your anti-virus at boot time or in safe mode should help you.
Else download 'ewido malware 3.5'. Install, update and run its scan.
 

sakumar79

Technomancer
You can get ewido at *www.ewido.net/en/

Also download and install Lavasoft Adaware & Spybot Search and Destroy, update their definitions and run a scan. This should help clean out all spyware from your system...

Finally, download HijackThis and post its results log to see if anything has been missed...

Arun
 

er_gurpreet

Broken In
Hi sakumar

Pasted below is the log of HijackThis. Can you suggest where the problem is that I need to fix:

Logfile of HijackThis v1.99.1
Scan saved at 9:32:17 PM, on 2/1/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Z3VydQ\command.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\mapi32.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.exe
C:\Program Files\AIRTEL\AIRTEL-PPPoE\fts.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\Winampa.exe
C:\WINNT\System32\WMTX.exe
C:\dm.exe
C:\windows\winsysban3.exe
C:\WINNT\System32\msappview32.exe
C:\WINNT\loadqm.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\System32\lssas.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\windows\eee2.exe
C:\WINNT\elitemediapop.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\AIRTEL\AIRTEL-PPPoE\PPPoETray.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\guru1\LOCALS~1\Temp\HijackThis.exe

O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [%FP%AIRTEL fts.exe] "C:\Program Files\AIRTEL\AIRTEL-PPPoE\fts.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [Microsoft Layer Service] WMTX.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spooIsv.exe
O4 - HKLM\..\Run: [taskbar.exe] C:\dm.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd3.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban3.exe
O4 - HKLM\..\Run: [myupdates] c:\windows\myupdates.exe
O4 - HKLM\..\Run: [Microsoft Application Viewer] msappview32.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Window_Protect] winsi32.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\windows\winsysupd3.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\System32\lssas.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [TIAP] C:\windows\eee2.exe
O4 - HKLM\..\Run: [>G9a] C:\windows\eee2.exe
O4 - HKLM\..\Run: [elitemedia] C:\WINNT\elitemediapop.exe
O4 - HKLM\..\RunServices: [Microsoft Layer Service] WMTX.exe
O4 - HKLM\..\RunServices: [Microsoft Application Viewer] msappview32.exe
O4 - HKLM\..\RunServices: [Window_Protect] winsi32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [Microsoft Layer Service] WMTX.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ntdll.dll] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - *signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - *cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {F5078F32-C551-11D3-89B9-0000F81FE221} (XML DOM Document 3.0) - *signup.msn.com/pages/msxml3.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{268A9DDF-0B2A-4FE0-ACB4-367ADC64A437}: NameServer = 202.56.215.6 202.56.230.6
O17 - HKLM\System\CS1\Services\Tcpip\..\{268A9DDF-0B2A-4FE0-ACB4-367ADC64A437}: NameServer = 202.56.215.6 202.56.230.6
O17 - HKLM\System\CS2\Services\Tcpip\..\{268A9DDF-0B2A-4FE0-ACB4-367ADC64A437}: NameServer = 202.56.215.6 202.56.230.6
O20 - Winlogon Notify: ActiveSync - C:\WINNT\SYSTEM32\WcesWlgn.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: URL - C:\WINNT\system32\l0n4la5q1d.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Z3VydQ\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINNT\System32\mapi32.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
 

alib_i

Cyborg Agent
Your computer is overflowing with spyware.

Check and delete the following entries:

C:\WINNT\Z3VydQ\command.exe
C:\WINNT\System32\WMTX.exe
C:\dm.exe
C:\WINNT\System32\msappview32.exe
C:\windows\winsysban3.exe
C:\windows\eee2.exe
C:\WINNT\elitemediapop.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spooIsv.exe
O4 - HKLM\..\Run: [taskbar.exe] C:\dm.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd3.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban3.exe
O4 - HKLM\..\Run: [myupdates] c:\windows\myupdates.exe
O4 - HKLM\..\Run: [Microsoft Application Viewer] msappview32.exe
O4 - HKLM\..\Run: [TIAP] C:\windows\eee2.exe
O4 - HKLM\..\Run: [>G9a] C:\windows\eee2.exe
O4 - HKLM\..\Run: [elitemedia] C:\WINNT\elitemediapop.exe
O4 - HKLM\..\RunServices: [Microsoft Application Viewer] msappview32.exe
O4 - HKLM\..\RunServices: [Window_Protect] winsi32.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - *cabs.elitemediagroup.net/cabs/mediaview.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Z3VydQ\command.exe

There are so many .. I must have missed a few.

-----
alibi
 

swatkat

Technomancer
Hi,
Lots of spyware! Let's start by removing Look2Me! Download WebRoot SpySweeper from HERE (it is a 2-week trial version):
  • Click on Free Spy Scan.
  • On the next page, click on Start Scan Now
  • Save the Setup file to your Desktop>click OK.
  • Double-click on the file that you saved. (If you receive alerts from your firewall, allow all activities for Spy Sweeper)
  • You will be prompted to check for updated definitions, please do so.
  • Click on "Options" > "Sweep Options" and check "Sweep all Folders on Selected drives".
  • Check "Local Disc C" and under "What to Sweep", check every box.
  • Click on "Sweep" and allow it to fully scan your system.
  • When the sweep has finished, click "Remove" to remove any items found.
  • Exit SpySweeper and reboot your computer.
NOTE: After SpySweeper has finished and removed any items found, it is important that you exit and reboot your computer right away to ensure the infection is fully removed.

(If you can't perform the above scan in Normal Mode, do the same in Safe Mode.)


Next, reboot the PC to Safe mode.


Go to Start > Run and type services.msc and press ENTER. Here, navigate to the service named Command Service and right-click on it. Then click "Properties". Here, in the "Status" dialog box, select "Stop". Then, under "Startup type" dialog box, select "Disabled". Click "Apply" and then "OK".
Do the same process (of stopping and disabling) for these Services too:-
MAPI Mail Client


Run HijackThis and click Do only a System scan. Then put a check mark in front of the entries listed below:-

O4 - HKLM\..\Run: [Microsoft Layer Service] WMTX.exe
O4 - HKLM\..\Run: [taskbar.exe] C:\dm.exe
O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd3.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban3.exe
O4 - HKLM\..\Run: [myupdates] c:\windows\myupdates.exe
O4 - HKLM\..\Run: [Microsoft Application Viewer] msappview32.exe
O4 - HKLM\..\Run: [Window_Protect] winsi32.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\windows\winsysupd3.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [TIAP] C:\windows\eee2.exe
O4 - HKLM\..\Run: [>G9a] C:\windows\eee2.exe
O4 - HKLM\..\Run: [elitemedia] C:\WINNT\elitemediapop.exe
O4 - HKLM\..\RunServices: [Microsoft Layer Service] WMTX.exe
O4 - HKLM\..\RunServices: [Microsoft Application Viewer] msappview32.exe
O4 - HKLM\..\RunServices: [Window_Protect] winsi32.exe
O4 - HKCU\..\Run: [Microsoft Layer Service] WMTX.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - *cabs.elitemediagroup.net/cabs/mediaview.cab
O20 - Winlogon Notify: URL - C:\WINNT\system32\l0n4la5q1d.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Z3VydQ\command.exe
O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINNT\System32\mapi32.exe


Close all other open programs except HijackThis and click the button Fix Checked in HijackThis.


Make Windows show all files:-
Go to Start > My Computer.
Go to Tools menu, click Folder Options. Uncheck Hide protected operating system files. Then, click to select the option Show hidden files and folders. Click Apply and then click OK to exit.


Delete these files:-
C:\WINNT\System32\mapi32.exe
C:\WINNT\System32\WMTX.exe
C:\dm.exe
C:\windows\winsysban3.exe
C:\WINNT\System32\msappview32.exe
C:\windows\eee2.exe
C:\WINNT\elitemediapop.exe
C:\windows\winsysupd3.exe
c:\windows\myupdates.exe


Delete these folders:-
C:\WINNT\Z3VydQ
C:\Program Files\Internet Optimizer


Go to Start > Search. Here click "All files and folders" in the left pane. Next, click on "More advanced options". Here select the options "Search system folders", "Search hidden files and folders" and "Search subfolders". Next, type/copy the below mentioned filename and search for it, if you find it, right-click on it and click delete:-
winsi32.exe


Reboot to Normal Mode. Perform an online virus scan at Kaspersky Online Scanner. Save the log it gives after the scan.

Run HijackThis again, click Do a System scan and save log, and post the fresh log along with the Kaspersky log.
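The checks the helpers above made by eye on the posted log (a name one letter off a Windows system binary such as lssas.exe or spooIsv.exe, autostart entries under C:\windows on a machine whose real system root is C:\WINNT, a Run value called ntdll.dll that launches an .exe, the same bare file name registered in several autostart locations, a Winlogon Notify DLL with a generated name, a service with "Unknown owner", added Trusted Zone sites) can be written down as a small triage script. The one below is an added example for this thread, not HijackThis code and not something any poster supplied; the scoring rules and the derivation of the system root from the smss.exe process path are my own assumptions, not a HijackThis feature. Its sample input is constructed from lines of the log above plus a few of that log's clean entries as negatives, and each hit is printed as a remediation item in the shape swatkat's procedure uses (Run value to fix, file to delete, service to stop and disable).

```python
"""Triage helper for HijackThis 1.99-style logs (added example; not HijackThis
code and not from any poster in this thread). Parses the O4/O15/O20/O23 lines,
applies the checks a helper makes by eye on the log above, and reports each hit
as a remediation item. Heuristics only: every hit still needs a human decision."""
import re
from collections import Counter
from difflib import SequenceMatcher

# Binaries that malware imitates by name (lssas.exe, spooIsv.exe ...).
SYSTEM_BINARIES = {"lsass.exe", "spoolsv.exe", "svchost.exe", "services.exe",
                   "winlogon.exe", "csrss.exe", "explorer.exe", "smss.exe"}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion"  # what HJT's "..\" hides

O4_RE = re.compile(r"^O4 - (HK[LC][MU])\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (.*?) - (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) \((.*?)\) - (.*?) - (.*)$")

# Constructed sample: lines copied from the log above plus clean negatives.
SAMPLE_LOG = r"""
C:\WINNT\System32\smss.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Microsoft Layer Service] WMTX.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spooIsv.exe
O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban3.exe
O4 - HKLM\..\Run: [Window_Protect] winsi32.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\System32\lssas.exe
O4 - HKLM\..\RunServices: [Microsoft Layer Service] WMTX.exe
O4 - HKLM\..\RunServices: [Window_Protect] winsi32.exe
O4 - HKCU\..\Run: [Microsoft Layer Service] WMTX.exe
O4 - HKCU\..\Run: [ntdll.dll] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O15 - Trusted Zone: *.elitemediagroup.net
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: URL - C:\WINNT\system32\l0n4la5q1d.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Z3VydQ\command.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
"""


def command_path(cmd):
    """Executable from a Run value, with surrounding quotes and arguments removed."""
    m = re.match(r'^"?(.*?\.exe)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.strip()


def lookalike_of(name):
    """System binary that `name` imitates, or None if it is exact or unrelated.
    Compared case-insensitively, so spooIsv.exe (capital I) reads as spooisv."""
    low = name.lower()
    if low in SYSTEM_BINARIES:
        return None
    return next((r for r in SYSTEM_BINARIES
                 if SequenceMatcher(None, low, r).ratio() >= 0.85), None)


def random_looking(stem):
    """Crude test for generated names such as l0n4la5q1d: letters and digits
    interleaved at least twice."""
    return len(re.findall(r"[a-z]\d+[a-z]", stem.lower())) >= 2


def triage(log_text):
    """Return (severity, reason, remediation) tuples for suspicious lines."""
    lines = log_text.splitlines()
    # The real system root is wherever smss.exe runs from (C:\WINNT here);
    # a C:\windows folder beside it exists only to look legitimate.
    root = next((l.lower().rsplit("\\system32\\", 1)[0] for l in lines
                 if l.lower().endswith("\\system32\\smss.exe")), "c:\\winnt")
    decoys = {"c:\\windows", "c:\\winnt"} - {root}
    o4 = [m.groups() for m in map(O4_RE.match, lines) if m]
    seen = Counter(command_path(c).rsplit("\\", 1)[-1].lower() for *_, c in o4)
    out = []
    for hive, key, name, cmd in o4:
        path = command_path(cmd)
        exe = path.rsplit("\\", 1)[-1]
        fix = f"HJT fix {hive}\\{RUN_KEY}\\{key} [{name}]; delete {path}"
        real = lookalike_of(exe)
        if real:
            out.append(("high", f"{exe} imitates {real}", fix))
        elif any(path.lower().startswith(d + "\\") for d in decoys):
            out.append(("high", f"{path} lives under a decoy system root", fix))
        elif name.lower().endswith(".dll"):
            out.append(("high", f"value named {name} launches {exe}", fix))
        elif "\\" not in path:  # resolved via PATH: verify which file it really is
            n = seen[exe.lower()]
            out.append(("medium" if n > 1 else "low",
                        f"{exe} registered without a path in {n} autostart location(s)", fix))
    for line in lines:
        if m := O15_RE.match(line):
            out.append(("medium", f"{m[1]} added to Trusted Zone", f"HJT fix O15 {m[1]}"))
        elif (m := O20_RE.match(line)) and random_looking(m[2].rsplit("\\", 1)[-1].split(".")[0]):
            out.append(("high", f"Winlogon Notify DLL {m[2]} has a generated name",
                        f"HJT fix O20 {m[1]}; delete {m[2]}"))
        elif (m := O23_RE.match(line)) and m[3] == "Unknown owner":
            out.append(("high", f"service {m[2]} ({m[1]}) has no publisher",
                        f"stop and disable service {m[2]}; delete {m[4]}"))
    return out


if __name__ == "__main__":
    for sev, reason, fix in sorted(triage(SAMPLE_LOG)):
        print(f"[{sev:6}] {reason} -> {fix}")
```

To run it on a real log, call triage() on the file's text instead of SAMPLE_LOG. The rules are deliberately simple and they do not know malware names, so a bare winsi32.exe only scores "medium" for being registered twice; what makes it worth removing is the thread's identification, not the script. The look-alike threshold of 0.85 was chosen so that Sygate's smc.exe is not confused with smss.exe while lssas.exe and spooIsv.exe are still caught; tune it against your own clean logs before trusting it.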
 