Windir32.exe Is It Always A Bad Thing?


12 replies to this topic

#1 marlajm (Members, 60 posts)

Posted 23 February 2007 - 01:41 PM

Ok, so I have been having a few problems from time to time which I mostly manage on my own by having multiple antispyware programs, practicing regular computer hygiene, keeping antivirus programs on guard, scanning frequently.

I got hijacked the other day from paypal but was smart enough not to pay directly with my credit card. The HJT log, which I ran immediately, showed a hijacking, which is now gone.

I have noticed my home page is getting slower and slower to load despite all my efforts and I can see things fly by on the bottom bar...ad programs, about blank, and then the page shifts a bit after it is loaded. Minor, I know compared to other out of control problems I see.

I have spent some time now trying to scour through my computer to clean it up.

Here is my first concern:

Windir32.exe Is it ever ok?
It doesn't show up in the scans but it is in my registry:
found this on my own: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Microsoft Windows DLL Services Configuration
command = Windir32.exe, item = windir

Thoughts?
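The key quoted above is where msconfig records a startup item after it has been disabled on its Startup tab: each subkey keeps the original display name ("item") and command line ("command"), so an entry there is a record of an autostart, not proof that the file still exists. The PowerShell below is added here as an example and is not taken from any post in this thread. It walks those records together with the live Run/RunOnce keys, extracts the executable from each command line, checks whether it is actually on disk, and hashes and checks the Authenticode signature of anything it finds. It assumes Windows 7 or later with PowerShell 5 (for Get-FileHash); the function names are my own.

```powershell
# Added example (not from the thread): report msconfig "startupreg" records and the
# live Run/RunOnce values, and check whether each referenced executable still exists.
# Assumes Windows 7+ with PowerShell 5 (Get-FileHash, Get-AuthenticodeSignature).

$startupregRoot = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$psMetadata = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Pull the executable out of a command line, e.g.
#   "C:\Program Files\Foo\foo.exe" /silent  -> C:\Program Files\Foo\foo.exe
#   windir32.exe                            -> windir32.exe (bare name, resolved below)
function Get-ExePath([string]$command) {
    if ([string]::IsNullOrWhiteSpace($command)) { return $null }
    $cmd = $command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: cut after the first token that ends in an executable extension
    $m = [regex]::Match($cmd, '^(.+?\.(exe|com|scr|bat|cmd|vbs|js))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

# A bare file name is looked up the way the loader would: System32, %SystemRoot%, then PATH.
function Resolve-ExeOnDisk([string]$exe) {
    if (-not $exe) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($exe)
    if ([IO.Path]::IsPathRooted($expanded)) {
        if (Test-Path -LiteralPath $expanded) { return (Resolve-Path -LiteralPath $expanded).Path }
        return $null
    }
    $searchDirs = @("$env:SystemRoot\System32", $env:SystemRoot) + ($env:Path -split ';')
    foreach ($d in $searchDirs) {
        if (-not $d) { continue }
        $candidate = Join-Path $d $expanded
        if (Test-Path -LiteralPath $candidate) { return (Resolve-Path -LiteralPath $candidate).Path }
    }
    return $null
}

# One report row per entry; hash and signature are filled in only when the file exists.
function Get-EntryReport([string]$source, [string]$name, [string]$command) {
    $exe  = Get-ExePath $command
    $path = Resolve-ExeOnDisk $exe
    $row = [ordered]@{ Source = $source; Item = $name; Command = $command
                       OnDisk = [bool]$path; Path = $path; SHA256 = $null; Signer = $null }
    if ($path) {
        $row.SHA256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $row.Signer = "$($sig.Status)"
        if ($sig.SignerCertificate) { $row.Signer += ' / ' + $sig.SignerCertificate.Subject }
    }
    [pscustomobject]$row
}

$results = @()

# Disabled-by-msconfig records: each subkey carries "item" (display name) and "command".
if (Test-Path $startupregRoot) {
    foreach ($k in Get-ChildItem $startupregRoot) {
        $p = Get-ItemProperty $k.PSPath
        $results += Get-EntryReport "msconfig:startupreg\$($k.PSChildName)" $p.item $p.command
    }
}

# Live autostart values: every value under Run/RunOnce is a command line.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty $key
    foreach ($v in $props.PSObject.Properties) {
        if ($v.Name -in $psMetadata) { continue }   # skip PowerShell's own provider metadata
        $results += Get-EntryReport $key $v.Name ([string]$v.Value)
    }
}

# Orphans (command whose executable no longer exists) sort first: they are either
# leftovers of an uninstalled program or the registry trace of something already removed.
$results | Sort-Object OnDisk, Source | Format-Table -AutoSize Source, Item, OnDisk, Path, Signer
```

Run it from an elevated prompt so the HKLM keys are fully readable. On Windows 8 and later msconfig no longer manages startup items (Task Manager does, and records disabled ones under Explorer\StartupApproved), so the startupreg key is often absent there; the Run-key half still applies. An entry whose OnDisk column is False is a stale record rather than a running program, and it is the registry entry, not a file, that needs removing; an entry that is on disk but unsigned, or signed by a name you do not recognise, is the one to submit the hash of to a scanner.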


#2 nigglesnush85 (Members, 4,371 posts, UK)

Posted 23 February 2007 - 01:56 PM

Hello

windir32.exe is a process which is registered as the WORM_RBOT.BRQ worm. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open its hostile attachment. The worm has its own SMTP engine which means it gathers E-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data. This process is a security risk and should be removed from your system.

http://www.trendmicro.com/vinfo/virusencyc...BRQ&VSect=T

Quite a nasty piece of work
Regards,

Alan.

#3 marlajm (Topic Starter, Members, 60 posts)

Posted 23 February 2007 - 02:04 PM

Thanks for the fast reply. Why haven't any of the scans I have done, and I have done a boatload, including from trendmicro, found this? Is it hiding in a new place?

I also have this huge proliferation of HP software, despite having uninstalled the printer properly. Could something have attached itself to that?

Thanks again.

#4 buddy215 (Moderator, 13,089 posts, West Tennessee)

Posted 23 February 2007 - 02:20 PM

Install Super Antispyware. Run it in safe mode. Allow it to quarantine whatever it finds.
http://www.superantispyware.com/

Run the online scan for Bit Defender in normal mode. Allow it to quarantine whatever it finds.
http://www.bitdefender.com/scan8/ie.html

Post a Hijack This log in the appropriate forum by following the directions in the link below.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss
A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”

#5 marlajm (Topic Starter, Members, 60 posts)

Posted 23 February 2007 - 04:16 PM

I have SuperAntiSpyware and it hasn't found anything. I just almost finished the Bit Defender online scan but it crashed IE and didn't allow me to send an error report. It was at, and this is no typo, file 60853 out of 60850.

The combo scan shows the windir32 entry, by the way. I will post the Hijack log.

Thanks

#6 quietman7, Bleepin' Janitor (Global Moderator, 51,263 posts, Virginia, USA)

Posted 23 February 2007 - 05:50 PM

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

If after 5 days you still have received no response, then post a link to your HJT log in the thread titled "Haven't Had A Reply In Five Days?".

After posting a log you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make may cause confusion for the member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#7 marlajm (Topic Starter, Members, 60 posts)

Posted 23 February 2007 - 07:41 PM

Quiet Man, I am sorry if you misunderstood. I was posting the results of what the previous person, Buddy215, asked me to do.

Buddy, just like last night, the SuperAntiSpyware didn't show anything.

On the other hand, I wasn't aware I should wait to try to change things if they come up. I ran the HJT and tried to delete the Microsoft Works calendar reminder because I never have used that and it reported a wrong file name. Unexpected error occurred!

Error #52 (Bad file name or number) in Sub GetLongPath(?.exe).

Please send a report to merijn@spywareinfo.com, mentioning what you were doing, and what version of Windows you have.

This message has been copied to your clipboard.


I am also aware that my log should be posted in another forum. I appear in different forums because I have been sent there by the original ones.

Edited by marlajm, 23 February 2007 - 07:44 PM.


#8 buddy215 (Moderator, 13,089 posts, West Tennessee)

Posted 23 February 2007 - 08:41 PM

You need to post your Hijack This log. I have seen a lot of mistakes made by others not qualified to use the Hijack This tools. Be sure to post in the correct forum. Good Luck to you!

#9 quietman7, Bleepin' Janitor (Global Moderator, 51,263 posts, Virginia, USA)

Posted 23 February 2007 - 08:48 PM

I understand marlajm

Since you're posting a log I just wanted to give you a heads up about being patient and what not to do afterwards to ensure you are helped expeditiously. As buddy215 said, we wish you good luck as you will be in good hands.

#10 marlajm (Topic Starter, Members, 60 posts)

Posted 18 March 2007 - 07:20 PM

I started a new topic because I got the WinDir off--I think it was just an old registry entry. I posted a log but I am not hopeful. Mostly I would like someone to figure out what this is so some inroads can be made for others.

Thanks

#11 quietman7, Bleepin' Janitor (Global Moderator, 51,263 posts, Virginia, USA)

Posted 19 March 2007 - 06:14 AM

You posted a hijackthis log yesterday
http://www.bleepingcomputer.com/forums/t/85260/anti-spyware-anti-virus-disabled-keylogger-hijack-worms/

Windir32.exe = WORM_SDBOT.BHF
http://www.trendmicro.com/vinfo/virusencyc...BHF&VSect=T

#12 marlajm (Topic Starter, Members, 60 posts)

Posted 19 March 2007 - 09:52 AM

Thanks. I don't think I have that one anymore. I can't find Windir32.exe anywhere in the registry or on my files. I don't know how to check to see the names used to logon other than when they appear in Zone Alarm to access the internet. Where would I find those?

Thanks
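The question above, which the thread does not answer, is where the logon account names are recorded. The following PowerShell is an added example and not taken from any post in this thread: it lists the local accounts and then reads the Security event log for successful logons (event ID 4624), grouping them by account and logon type so that an account you never created, or an interactive or network logon you did not make, stands out. It assumes Windows 10 / PowerShell 5.1 (Get-LocalUser; on older systems `net user` gives the account list) and an elevated prompt, which reading the Security log requires; the seven-day window is an arbitrary choice of mine.

```powershell
# Added example (not from the thread): list local accounts and who has actually logged on,
# taken from Security event 4624. Assumes Windows 10 / PowerShell 5.1 and an elevated prompt.

# Local accounts: anything here that you did not create deserves a question.
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize

# Logon types in 4624: 2 = interactive (console), 3 = network (file share, WMI, etc.),
# 4 = batch, 5 = service start, 7 = workstation unlock, 10 = remote interactive (RDP).
# An unfamiliar account with type 3 or 10 logons means someone used credentials remotely.
$since  = (Get-Date).AddDays(-7)   # assumed window; widen it if the log goes back further
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    # The EventData fields are easiest to read from the event's XML rendering.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType = [int]$d.LogonType
        Process   = $d.ProcessName
        SourceIP  = $d.IpAddress
    }
}

# Machine accounts (name ends in $) and the built-in service identities are noise here;
# what remains is which accounts actually used the machine and how.
$logons |
    Where-Object { $_.User -notmatch '\$$' -and
                   $_.User -notmatch 'NT AUTHORITY|Window Manager|Font Driver Host' } |
    Group-Object User, LogonType |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Detail for the remote logon types only, with where they came from.
$logons | Where-Object { $_.LogonType -in 3, 10 } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize Time, User, LogonType, SourceIP, Process
```

A firewall prompt such as the Zone Alarm one mentioned above shows the program name asking for network access, not the account it runs under; the Security log is the place that records accounts. If the log is empty or very short, check that the audit policy actually records logon events (auditpol /get /category:"Logon/Logoff"), since a bot that has administrator rights can also clear it, and a cleared Security log produces event 1102, which is itself worth looking for.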

#13 quietman7, Bleepin' Janitor (Global Moderator, 51,263 posts, Virginia, USA)

Posted 19 March 2007 - 10:00 AM

Please refrain from asking for help from other members or staff until the HJT Team has checked your posted log. The HJT Team work very hard to investigate and develop a unique solution to your problem. Just like your computer is different from every other computer, the solution will be tailored to the problems associated with your computer as you receive individual expert assistance. This takes time and effort. The staff here are all professionals and they volunteer their time to help.

Thus, we ask you to please be patient while waiting for assistance and NOT to make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member. Any modifications you make can result in system changes which may not show in the log you already posted. Further, following advice outside of that post may cause confusion for the team member assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

Thanks for your cooperation.



