winsi32.exe error

Discussion in 'Software Q&A' started by er_gurpreet, Jan 30, 2006.

Thread Status:
Not open for further replies.
  1. er_gurpreet

    er_gurpreet New Member

    Joined:
    Jan 31, 2005
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    0
    Hi

    Whenever I log on to the computer, a message is displayed: 'winsi32.exe has encountered errors...'. What is this and how can I counter this problem?

    Also, there are a host of other applications that start on their own and open websites on their own. I have installed Sygate Personal Firewall, but my system has started behaving like a 486. How can I resolve this issue?

    regds

    gsr
     
  2. Vishal Gupta

    Vishal Gupta Microsoft MVP

    Joined:
    Jul 28, 2005
    Messages:
    5,173
    Likes Received:
    121
    Trophy Points:
    0
    Location:
    AskVG.com
  3. anandk

    anandk Distinguished Member

    Joined:
    Mar 8, 2005
    Messages:
    3,786
    Likes Received:
    106
    Trophy Points:
    0
    Location:
    Pune
    Yes, winsi32.exe is a trojan, added by a variant of the WIN32.RBOT worm.

    Running your anti-virus at boot time or in safe mode should help you.
    Otherwise, download 'ewido malware 3.5', install it, update it and run its scan.
     
  4. OP
    er_gurpreet

    er_gurpreet New Member

    Joined:
    Jan 31, 2005
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    0
    Can't find the software you suggested; it's not there on download.com.
     
  5. OP
    er_gurpreet

    er_gurpreet New Member

    Joined:
    Jan 31, 2005
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    0
    Also, what do I do about all the processes eating up my computer's speed?
     
  6. sakumar79

    sakumar79 Active Member

    Joined:
    Nov 28, 2004
    Messages:
    2,441
    Likes Received:
    9
    Trophy Points:
    38
    Location:
    Madurai
    You can get ewido at http://www.ewido.net/en/

    Also download and install Lavasoft Adaware & Spybot Search and Destroy, update their definitions and run a scan. This should help clean out all spyware from your system.

    Finally, download HijackThis and post its results log so we can see if anything has been missed.

    Arun
     
  7. OP
    er_gurpreet

    er_gurpreet New Member

    Joined:
    Jan 31, 2005
    Messages:
    38
    Likes Received:
    0
    Trophy Points:
    0
    Hi sakumar,

    Pasted below is the HijackThis log. Can you suggest where the problem is that I need to fix:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:32:17 PM, on 2/1/2006
    Platform: Windows 2000 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\Z3VydQ\command.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\System32\mapi32.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\rundll32.exe
    C:\WINNT\Explorer.exe
    C:\Program Files\AIRTEL\AIRTEL-PPPoE\fts.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Winamp\Winampa.exe
    C:\WINNT\System32\WMTX.exe
    C:\dm.exe
    C:\windows\winsysban3.exe
    C:\WINNT\System32\msappview32.exe
    C:\WINNT\loadqm.exe
    C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    C:\WINNT\System32\lssas.exe
    C:\Program Files\Internet Optimizer\optimize.exe
    C:\windows\eee2.exe
    C:\WINNT\elitemediapop.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\PROGRA~1\MICROS~3\wcescomm.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\AIRTEL\AIRTEL-PPPoE\PPPoETray.exe
    C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
    C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
    C:\WINNT\msagent\AgentSvr.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\PROGRA~1\WinZip\winzip32.exe
    C:\DOCUME~1\guru1\LOCALS~1\Temp\HijackThis.exe

    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [%FP%AIRTEL fts.exe] "C:\Program Files\AIRTEL\AIRTEL-PPPoE\fts.exe"
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [Microsoft Layer Service] WMTX.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spooIsv.exe
    O4 - HKLM\..\Run: [taskbar.exe] C:\dm.exe
    O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd3.exe
    O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban3.exe
    O4 - HKLM\..\Run: [myupdates] c:\windows\myupdates.exe
    O4 - HKLM\..\Run: [Microsoft Application Viewer] msappview32.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [Window_Protect] winsi32.exe
    O4 - HKLM\..\Run: [ntdll.dll] C:\windows\winsysupd3.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
    O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\System32\lssas.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [TIAP] C:\windows\eee2.exe
    O4 - HKLM\..\Run: [>G9a] C:\windows\eee2.exe
    O4 - HKLM\..\Run: [elitemedia] C:\WINNT\elitemediapop.exe
    O4 - HKLM\..\RunServices: [Microsoft Layer Service] WMTX.exe
    O4 - HKLM\..\RunServices: [Microsoft Application Viewer] msappview32.exe
    O4 - HKLM\..\RunServices: [Window_Protect] winsi32.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [Microsoft Layer Service] WMTX.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [ntdll.dll] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.popuppers.com
    O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O16 - DPF: {F5078F32-C551-11D3-89B9-0000F81FE221} (XML DOM Document 3.0) - https://signup.msn.com/pages/msxml3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{268A9DDF-0B2A-4FE0-ACB4-367ADC64A437}: NameServer = 202.56.215.6 202.56.230.6
    O17 - HKLM\System\CS1\Services\Tcpip\..\{268A9DDF-0B2A-4FE0-ACB4-367ADC64A437}: NameServer = 202.56.215.6 202.56.230.6
    O17 - HKLM\System\CS2\Services\Tcpip\..\{268A9DDF-0B2A-4FE0-ACB4-367ADC64A437}: NameServer = 202.56.215.6 202.56.230.6
    O20 - Winlogon Notify: ActiveSync - C:\WINNT\SYSTEM32\WcesWlgn.dll
    O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
    O20 - Winlogon Notify: URL - C:\WINNT\system32\l0n4la5q1d.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Z3VydQ\command.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINNT\System32\mapi32.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
     
  8. alib_i

    alib_i New Member

    Joined:
    Jun 24, 2004
    Messages:
    1,191
    Likes Received:
    2
    Trophy Points:
    0
    Location:
    omnipresent
    Your computer is overflowing with spyware.

    Check and delete the following entries:

    C:\WINNT\Z3VydQ\command.exe
    C:\WINNT\System32\WMTX.exe
    C:\dm.exe
    C:\WINNT\System32\msappview32.exe
    C:\windows\winsysban3.exe
    C:\windows\eee2.exe
    C:\WINNT\elitemediapop.exe
    O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spooIsv.exe
    O4 - HKLM\..\Run: [taskbar.exe] C:\dm.exe
    O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd3.exe
    O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban3.exe
    O4 - HKLM\..\Run: [myupdates] c:\windows\myupdates.exe
    O4 - HKLM\..\Run: [Microsoft Application Viewer] msappview32.exe
    O4 - HKLM\..\Run: [TIAP] C:\windows\eee2.exe
    O4 - HKLM\..\Run: [>G9a] C:\windows\eee2.exe
    O4 - HKLM\..\Run: [elitemedia] C:\WINNT\elitemediapop.exe
    O4 - HKLM\..\RunServices: [Microsoft Application Viewer] msappview32.exe
    O4 - HKLM\..\RunServices: [Window_Protect] winsi32.exe
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.popuppers.com
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Z3VydQ\command.exe

    There are so many .. I must have missed a few.

    -----
    alibi
     
  9. swatkat

    swatkat New Member

    Joined:
    Mar 12, 2004
    Messages:
    2,058
    Likes Received:
    1
    Trophy Points:
    0
    Location:
    Shimoga/ಶಿವಮೊಗ್ಗ
    Hi,
    Lots of spyware! Let's start by removing Look2Me! Download WebRoot SpySweeper from HERE (it is a 2-week trial version):
    • Click on Free Spy Scan.
    • On the next page, click on Start Scan Now
    • Save the Setup file to your Desktop>click OK.
    • Double-click on the file that you saved. (If you receive alerts from your firewall, allow all activities for Spy Sweeper)
    • You will be prompted to check for updated definitions, please do so.
    • Click on "Options" > "Sweep Options" and check "Sweep all Folders on Selected drives".
    • Check "Local Disc C" and under "What to Sweep", check every box.
    • Click on "Sweep" and allow it to fully scan your system.
    • When the sweep has finished, click "Remove" to remove any items found.
    • Exit SpySweeper and reboot your computer.
    NOTE: After SpySweeper has finished and removed any items found, it is important that you exit and reboot your computer right away to ensure the infection is fully removed.

    (If you can't perform the above scan in Normal Mode, do the same in Safe Mode.)


    Next, reboot the PC to Safe mode.


    Go to Start > Run and type services.msc and press ENTER. Here, navigate to the service named Command Service and right-click on it. Then click "Properties". Here, in the "Status" dialog box, select "Stop". Then, under "Startup type" dialog box, select "Disabled". Click "Apply" and then "OK".
    Do the same process (of stopping and disabling) for these Services too:-
    MAPI Mail Client


    Run HijackThis and click Do only a System scan. Then put a check mark in front of the below listed entries:-

    O4 - HKLM\..\Run: [Microsoft Layer Service] WMTX.exe
    O4 - HKLM\..\Run: [taskbar.exe] C:\dm.exe
    O4 - HKLM\..\Run: [winsysupd] C:\windows\winsysupd3.exe
    O4 - HKLM\..\Run: [winsysban] C:\windows\winsysban3.exe
    O4 - HKLM\..\Run: [myupdates] c:\windows\myupdates.exe
    O4 - HKLM\..\Run: [Microsoft Application Viewer] msappview32.exe
    O4 - HKLM\..\Run: [Window_Protect] winsi32.exe
    O4 - HKLM\..\Run: [ntdll.dll] C:\windows\winsysupd3.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [TIAP] C:\windows\eee2.exe
    O4 - HKLM\..\Run: [>G9a] C:\windows\eee2.exe
    O4 - HKLM\..\Run: [elitemedia] C:\WINNT\elitemediapop.exe
    O4 - HKLM\..\RunServices: [Microsoft Layer Service] WMTX.exe
    O4 - HKLM\..\RunServices: [Microsoft Application Viewer] msappview32.exe
    O4 - HKLM\..\RunServices: [Window_Protect] winsi32.exe
    O4 - HKCU\..\Run: [Microsoft Layer Service] WMTX.exe
    O15 - Trusted Zone: *.elitemediagroup.net
    O15 - Trusted Zone: *.popuppers.com
    O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
    O20 - Winlogon Notify: URL - C:\WINNT\system32\l0n4la5q1d.dll
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Z3VydQ\command.exe
    O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINNT\System32\mapi32.exe


    Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.


    Make Windows show all files:-
    Go to Start > My Computer.
    Go to Tools menu, click Folder Options. Uncheck Hide protected operating system files. Then, click to select the option Show hidden files and folders. Click Apply and then click OK to exit.


    Delete these files:-
    C:\WINNT\System32\mapi32.exe
    C:\WINNT\System32\WMTX.exe
    C:\dm.exe
    C:\windows\winsysban3.exe
    C:\WINNT\System32\msappview32.exe
    C:\windows\eee2.exe
    C:\WINNT\elitemediapop.exe
    C:\windows\winsysupd3.exe
    c:\windows\myupdates.exe


    Delete these folders:-
    C:\WINNT\Z3VydQ
    C:\Program Files\Internet Optimizer


    Go to Start > Search. Here click "All files and folders" in the left pane. Next, click on "More advanced options". Here select the options "Search system folders", "Search hidden files and folders" and "Search subfolders". Next, type/copy the below mentioned filename and search for it, if you find it, right-click on it and click delete:-
    winsi32.exe


    Reboot to Normal Mode. Perform an online virus scan at Kaspersky Online Scanner. Save the log it gives after the scan.

    Run HijackThis again, click Do a System scan and save log, and post the fresh log along with the Kaspersky log.
     
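As an added example (not code from the thread, from HijackThis, or from any of the posters), here is a small Python triage script that applies the kinds of checks alib_i and swatkat did by eye to a HijackThis log: look-alike names for Windows binaries (spooIsv.exe with a capital I in place of spoolsv.exe, lssas.exe in place of lsass.exe), a system DLL name such as ntdll.dll used as a Run value label, bare executable names with no path, executables sitting in the drive root, RunServices entries, Trusted Zone additions, Winlogon Notify DLLs with random-looking names, and services with an unknown owner. The sample lines are copied from the log posted above; the thresholds, reason codes and regular expressions are this script's own assumptions, and a hit means "review this line", not "this is malware".

```python
"""Triage a HijackThis-style log for the patterns the helpers in this thread spotted.

Added example: not part of the original thread and not HijackThis's own logic.
The sample lines are copied from the log posted in the thread; every rule below is
this script's own heuristic for lines that deserve a second look, not a verdict.
"""
import re

# Windows binaries that malware imitates with one-character changes.
LEGIT_SYSTEM_BINARIES = {"spoolsv.exe", "lsass.exe", "svchost.exe", "winlogon.exe",
                         "services.exe", "smss.exe", "csrss.exe", "explorer.exe"}
# A system DLL name is never a sensible label for a Run value.
SUSPICIOUS_LABELS = {"ntdll.dll", "kernel32.dll", "user32.dll"}

O4_RE = re.compile(r"^O4 - HK[A-Z]+\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.+?)(?: \((?P<name>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'"?(.*?\.(?:exe|dll|scr|com))\b', re.I)      # program part of a Run command
DRIVE_ROOT_RE = re.compile(r'^"?[a-z]:\\[^\\]+$', re.I)           # e.g. C:\dm.exe


def exe_name(cmd):
    """Lower-cased file name of the program a Run command launches ('' if none found)."""
    m = EXE_RE.match(cmd.strip())
    return m.group(1).replace("/", "\\").rsplit("\\", 1)[-1].lower() if m else ""


def one_edit_away(a, b):
    """True if a and b differ by one substitution, insertion/deletion or adjacent swap."""
    if a == b:
        return False
    if len(a) == len(b):
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diffs) == 1:
            return True
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1          # lssas vs lsass
                and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def looks_like_system_name(exe):
    """Legitimate binary that `exe` imitates (one edit away), or None."""
    if exe in LEGIT_SYSTEM_BINARIES:
        return None
    return next((legit for legit in sorted(LEGIT_SYSTEM_BINARIES) if one_edit_away(exe, legit)), None)


def mixed_digit_score(filename):
    """Number of letter<->digit switches in the file stem; random names like l0n4la5q1d score high."""
    chars = [c for c in filename.rsplit(".", 1)[0] if c.isalnum()]
    return sum(1 for x, y in zip(chars, chars[1:]) if x.isdigit() != y.isdigit())


def triage(log_text):
    """Return (reason, line) pairs for log lines that match one of the heuristics."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            cmd, exe = m["cmd"].strip(), exe_name(m["cmd"])
            if m["key"] == "RunServices":            # Win9x-era key; worth a look on an NT system
                findings.append(("run_services", line))
            if m["label"].lower() in SUSPICIOUS_LABELS:
                findings.append(("dll_label", line))
            imitated = looks_like_system_name(exe)
            if imitated:
                findings.append(("lookalike:" + imitated, line))
            if "\\" not in cmd:                       # bare name, resolved through the search path
                findings.append(("no_path", line))
            elif DRIVE_ROOT_RE.match(cmd):
                findings.append(("drive_root", line))
            continue
        if O15_RE.match(line):
            findings.append(("trusted_zone", line))
            continue
        m = O20_RE.match(line)
        if m:
            if mixed_digit_score(m["path"].rsplit("\\", 1)[-1]) >= 4:   # threshold is an assumption
                findings.append(("odd_winlogon_dll", line))
            continue
        m = O23_RE.match(line)
        if m and m["owner"] == "Unknown owner":
            findings.append(("unknown_owner_service", line))
    return findings


# Constructed sample: a subset of the lines from the log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINNT\System32\spooIsv.exe
O4 - HKLM\..\Run: [taskbar.exe] C:\dm.exe
O4 - HKLM\..\Run: [Window_Protect] winsi32.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\windows\winsysupd3.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINNT\System32\lssas.exe
O4 - HKLM\..\RunServices: [Window_Protect] winsi32.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O15 - Trusted Zone: *.elitemediagroup.net
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: URL - C:\WINNT\system32\l0n4la5q1d.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\Z3VydQ\command.exe
O23 - Service: MAPI Mail Client (MAPI) - Unknown owner - C:\WINNT\System32\mapi32.exe
"""

if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason:24} {line}")
```

Run against the sample, the script flags every line the helpers told the OP to fix and leaves the Symantec, MSN Messenger and NavLogon entries alone; in practice you would feed it the whole saved log and use the reason codes to decide what to check by hand.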