Winmgm32.exe

Status
Not open for further replies.

dRob

When I start my PC and connect to the internet, my Sygate Personal Firewall shows a message that Winmgm32.exe is trying to connect to a domain server....

What kind of .exe file is this that does this? I have already searched but can't find anything about it..

The same goes for Wingate engine (I don't have 2 PCs that I share) and MPTask services, which I also must/can give permission to connect.

Maybe someone can shed more light on this?
 
Agreed.

Also try this:

Go to http://www.spywareinfo.com/downloads.php#startup and download 'Startuplist'.

Unzip it, double-click it, and you get a text file that gives a detailed overview of everything that is going on on your computer.

Go to Edit > Select All, copy it, and show us the contents here.
 
It is definitely not a virus, because (both McAfee and HouseCall) found nothing after a check.

OK, used Startuplist (nice little program, by the way) and this is the result I get:

StartupList report, 12-1-03, 16:39:11
StartupList version: 1.50
Started from : C:\DOWNLOADS\ZIP FILES\STARTOPLIST\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\TBPANEL.EXE
C:\WINDOWS\HOTKEY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\MSI\LIVE UPDATE 2\LMONITOR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\MPTASK.EXE
C:\WINDOWS\SYSTEM\MMTASK.EXE
C:\PROGRAM FILES\COMMONSEARCH\VCATCH.EXE
C:\PROGRAM FILES\ERASER\ERASER.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC\ACT\ACTLDR.EXE
C:\WINDOWS\WINMGM32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINMX2.6\WINMX.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MAPI\1043\95\MAPISP32.EXE
C:\PROGRAM FILES\ICQ\ICQ.EXE
C:\PROGRAM FILES\WINAMP\WINAMP.EXE
C:\PROGRAM FILES\DAP\DAP.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\EXCEL.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPFBKG14.EXE
C:\WINDOWS\HPFTBX14.EXE
C:\WINDOWS\SYSTEM\HPFVLS14.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\DOWNLOADS\ZIP FILES\STARTOPLIST\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programma's\Opstarten]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
ACT! Speed Loader.lnk = C:\Program Files\Symantec\ACT\ACTLDR.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
Taakcontrole = C:\WINDOWS\taskmon.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Gainward = C:\WINDOWS\TBPanel.exe /A
CHotKey = HOTKEY.exe
SoundMan = soundman.exe
SystemTray = SysTray.Exe
LoadQM = loadqm.exe
SpeedTouch USB Diagnostics = "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
SmcService = C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
LiveMonitor = C:\PROGRAM FILES\MSI\LIVE UPDATE 2\LMONITOR.EXE
WindowsMGM = C:\WINDOWS\WINMGM32.EXE
MPtask Services = C:\WINDOWS\SYSTEM\mptask.exe
MMtask Service = mmtask.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
MSys32 =
SmcService = C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
WinServices = C:\WINDOWS\SYSTEM\WinServices.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

VCatch = C:\PROGRAM FILES\COMMONSEARCH\VCATCH.EXE
Eraser = C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
WindowsMGM = C:\WINDOWS\WINMGM32.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

ICQ = C:\PROGRAM FILES\ICQ\ICQ.EXE -trayboot

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\IE4UINIT.EXE

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=hpfsched

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll ctpnpscn.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 9/1/2003, 20:45:10)

[Rename]
NUL=C:\WINDOWS\DOWNLO~1\NAVENG32.DLL
C:\WINDOWS\DOWNLO~1\NAVENG32.DLL=C:\WINDOWS\DOWNLO~1\SETE3.TMP
NUL=C:\WINDOWS\DOWNLO~1\NAVEX32A.DLL
C:\WINDOWS\DOWNLO~1\NAVEX32A.DLL=C:\WINDOWS\DOWNLO~1\SET00E4.TMP
NUL=C:\WINDOWS\TEMP\_iu14D2N.tmp

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET SOUND=C:\PROGRA~1\CREATIVE\CTSND
SET MIDI=SYNTH:1 MAP:E
SET BLASTER=A220 I5 D1 H5 P330 T6
mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=850

--------------------------------------------------

C:\CONFIG.SYS listing:

device=C:\WINDOWS\COMMAND\display.sys con=(ega,,1)
Country=031,850,C:\WINDOWS\COMMAND\country.sys

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Task Scheduler jobs:

Toepassing Optimalisatie Start.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[InstallFromTheWeb ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\IFTW.DLL
CODEBASE = http://tw.msi.com.tw/autobios/client/iftwclix.cab

[HouseCall Besturing]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2002121801/housecall.antivirus.com/housecall/xscan53.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AVSNIFF.DLL
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: wps.dll (file MISSING)
Protocol #2: wps.dll (file MISSING)
Protocol #3: wps.dll (file MISSING)
Protocol #4: wps.dll (file MISSING)
Protocol #5: wps.dll (file MISSING)
Protocol #6: wps.dll (file MISSING)
Protocol #13: wps.dll (file MISSING)

--------------------------------------------------
End of report, 8.576 bytes
Report generated in 0,869 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
You don't just have the Sobig worm, but also Yaha.k, and a few other viruses/trojans.

Well, no antivirus, eh?

I would get an online scan done at once.

And also use the Yaha and Sobig cleaners.
 
OK, found now?? BKDR_DELF.DA (2x), BKDR_DELF.DA and BKDR_DELF.CY, and then also Worm_Sobig.A, via Housecall.

Strange that I scanned earlier and nothing was found. I had already removed that Yaha virus earlier with the 'cleaner' that I also got here (the link, that is).

So now to get started on removing it, about which I have already read a thing or two on the Symantec site. That will be a nice job, with settings and such in safe mode and DOS.
Can it also be removed with the actions that Housecall indicates?

By the way, I always thought I had a good virus scanner, but unfortunately not (V Catch), and a good firewall (Sygate Personal Firewall).

Thanks for the (fast, lightning-fast) help for now!
 
Your startup file for Yaha.k is still there.

Go to Start > Run > Msconfig, and remove "Winservices" on the Startup tab.

Regards,
 
Did everything (installed a new virus scanner, online virus scan, removed winservices) and on scanning once more with Housetrend the PC still finds the following infected files:
* BKDR_DELF.CY
While AVG doesn't 'find' a single one.

I also got this prompt from Sygate Personal Firewall:
"Wingate Engine is being connected by the remote machine (212.129.138.214) using local port 53. Domain (Domain Name Server) Do you want to allow this progranm to acces the network"

Just that last thing left, then.....
 
Where exactly does House Call find that file?
And does it give a name with it?
If so, find that file and delete it.

Has the recycle bin been emptied, by the way?

Otherwise post a new Startuplist log once more to see what the situation is now.

And what is the location of that Wingate Engine file?

Do you have a Wingate folder in Program Files? Then it is not a virus.
 
After restarting, got another message from Sygate Personal Firewall:
"Wingate Engine (66.227.104.38) is using local port 1182 Do you want to allow this .....etc."
Then click 'no' and Application Winmgm Engine has been blocked. Filename is MMTASK.EXE.

??


After scanning once more (after removing BKDR_DELF.CY) no more viruses were found.

So there is no Wingate Engine folder in Program Files?
The recycle bin has been emptied.

OK, the startup list now looks like this:

StartupList report, 13-1-03, 0:31:00
StartupList version: 1.50
Started from : C:\DOWNLOADS\ZIP FILES\STARTOPLIST\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\TBPANEL.EXE
C:\WINDOWS\HOTKEY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSI\LIVE UPDATE 2\LMONITOR.EXE
C:\WINDOWS\SYSTEM\MMTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\COMMONSEARCH\VCATCH.EXE
C:\PROGRAM FILES\ERASER\ERASER.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC\ACT\ACTLDR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OUTLOOK.EXE
C:\PROGRAM FILES\COMMON FILES\SYSTEM\MAPI\1043\95\MAPISP32.EXE
C:\PROGRAM FILES\ICQ\ICQ.EXE
C:\WINDOWS\SYSTEM\WINOA386.MOD
C:\DOWNLOADS\ZIP FILES\STARTOPLIST\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programma's\Opstarten]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
ACT! Speed Loader.lnk = C:\Program Files\Symantec\ACT\ACTLDR.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
Taakcontrole = C:\WINDOWS\taskmon.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Gainward = C:\WINDOWS\TBPanel.exe /A
CHotKey = HOTKEY.exe
SoundMan = soundman.exe
SystemTray = SysTray.Exe
LoadQM = loadqm.exe
SpeedTouch USB Diagnostics = "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
SmcService = C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
LiveMonitor = C:\PROGRAM FILES\MSI\LIVE UPDATE 2\LMONITOR.EXE
WindowsMGM = C:\WINDOWS\WINMGM32.EXE
MPtask Services = C:\WINDOWS\SYSTEM\mptask.exe
MMtask Service = mmtask.exe
AVG_CC = C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
MSys32 =
SmcService = C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

VCatch = C:\PROGRAM FILES\COMMONSEARCH\VCATCH.EXE
Eraser = C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
WindowsMGM = C:\WINDOWS\WINMGM32.EXE

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

ICQ = C:\PROGRAM FILES\ICQ\ICQ.EXE -trayboot

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\IE4UINIT.EXE

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=hpfsched

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll ctpnpscn.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 9/1/2003, 20:45:10)

[Rename]
NUL=C:\WINDOWS\DOWNLO~1\NAVENG32.DLL
C:\WINDOWS\DOWNLO~1\NAVENG32.DLL=C:\WINDOWS\DOWNLO~1\SETE3.TMP
NUL=C:\WINDOWS\DOWNLO~1\NAVEX32A.DLL
C:\WINDOWS\DOWNLO~1\NAVEX32A.DLL=C:\WINDOWS\DOWNLO~1\SET00E4.TMP
NUL=C:\WINDOWS\TEMP\_iu14D2N.tmp

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

@C:\PROGRA~1\GRISOFT\AVG6\bootup.exe
SET SOUND=C:\PROGRA~1\CREATIVE\CTSND
SET MIDI=SYNTH:1 MAP:E
SET BLASTER=A220 I5 D1 H5 P330 T6
mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=850

--------------------------------------------------

C:\CONFIG.SYS listing:

device=C:\WINDOWS\COMMAND\display.sys con=(ega,,1)
Country=031,850,C:\WINDOWS\COMMAND\country.sys

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Task Scheduler jobs:

Toepassing Optimalisatie Start.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[InstallFromTheWeb ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\IFTW.DLL
CODEBASE = http://tw.msi.com.tw/autobios/client/iftwclix.cab

[HouseCall Besturing]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2002121801/housecall.antivirus.com/housecall/xscan53.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AVSNIFF.DLL
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: wps.dll (file MISSING)
Protocol #2: wps.dll (file MISSING)
Protocol #3: wps.dll (file MISSING)
Protocol #4: wps.dll (file MISSING)
Protocol #5: wps.dll (file MISSING)
Protocol #6: wps.dll (file MISSING)
Protocol #13: wps.dll (file MISSING)

--------------------------------------------------
End of report, 8.456 bytes
Report generated in 0,682 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Practically all the junk is still on there...

WindowsMGM = C:\WINDOWS\WINMGM32.EXE
MPtask Services = C:\WINDOWS\SYSTEM\mptask.exe
MSys32 =
WinServices = C:\WINDOWS\SYSTEM\WinServices.exe

Are you sure you didn't accidentally post the first log file??

You really have to run it again.
 
Well, I just ran it again (after I turned off winmgm32 via Start --> Run) and this is the result.
I'm adding it again this time:
StartupList report, 13-1-03, 7:25:03
StartupList version: 1.50
Started from : C:\DOWNLOADS\ZIP FILES\STARTOPLIST\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\TBPANEL.EXE
C:\WINDOWS\HOTKEY.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSI\LIVE UPDATE 2\LMONITOR.EXE
C:\WINDOWS\SYSTEM\MMTASK.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\COMMONSEARCH\VCATCH.EXE
C:\PROGRAM FILES\ERASER\ERASER.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTSTRAY.EXE
C:\PROGRAM FILES\SYMANTEC\ACT\ACTLDR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\DOWNLOADS\ZIP FILES\STARTOPLIST\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programma's\Opstarten]
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
ACT! Speed Loader.lnk = C:\Program Files\Symantec\ACT\ACTLDR.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
Taakcontrole = C:\WINDOWS\taskmon.exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Gainward = C:\WINDOWS\TBPanel.exe /A
CHotKey = HOTKEY.exe
SoundMan = soundman.exe
SystemTray = SysTray.Exe
LoadQM = loadqm.exe
SpeedTouch USB Diagnostics = "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\SYSTEM\NvCpl.dll,NvStartup
nwiz = nwiz.exe /install
SmcService = C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
LiveMonitor = C:\PROGRAM FILES\MSI\LIVE UPDATE 2\LMONITOR.EXE
WindowsMGM = C:\WINDOWS\WINMGM32.EXE
MPtask Services = C:\WINDOWS\SYSTEM\mptask.exe
MMtask Service = mmtask.exe
AVG_CC = C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
MSys32 =
SmcService = C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

VCatch = C:\PROGRAM FILES\COMMONSEARCH\VCATCH.EXE
Eraser = C:\PROGRAM FILES\ERASER\ERASER.EXE -hide

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {44BBA840-CC51-11CF-AAFA-00AA00B6015C}

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = rundll32.exe advpack.dll,UserInstStubWrapper {7790769C-0471-11d2-AF11-00C04FA35D02}

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\IE4UINIT.EXE

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=
run=hpfsched

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll ctpnpscn.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 9/1/2003, 20:45:10)

[Rename]
NUL=C:\WINDOWS\DOWNLO~1\NAVENG32.DLL
C:\WINDOWS\DOWNLO~1\NAVENG32.DLL=C:\WINDOWS\DOWNLO~1\SETE3.TMP
NUL=C:\WINDOWS\DOWNLO~1\NAVEX32A.DLL
C:\WINDOWS\DOWNLO~1\NAVEX32A.DLL=C:\WINDOWS\DOWNLO~1\SET00E4.TMP
NUL=C:\WINDOWS\TEMP\_iu14D2N.tmp

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

@C:\PROGRA~1\GRISOFT\AVG6\bootup.exe
SET SOUND=C:\PROGRA~1\CREATIVE\CTSND
SET MIDI=SYNTH:1 MAP:E
SET BLASTER=A220 I5 D1 H5 P330 T6
mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=850

--------------------------------------------------

C:\CONFIG.SYS listing:

device=C:\WINDOWS\COMMAND\display.sys con=(ega,,1)
Country=031,850,C:\WINDOWS\COMMAND\country.sys

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Task Scheduler jobs:

Toepassing Optimalisatie Start.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[InstallFromTheWeb ActiveX Control]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\IFTW.DLL
CODEBASE = http://tw.msi.com.tw/autobios/client/iftwclix.cab

[HouseCall Besturing]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2002121801/housecall.antivirus.com/housecall/xscan53.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
CODEBASE = http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AVSNIFF.DLL
CODEBASE = http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: wps.dll (file MISSING)
Protocol #2: wps.dll (file MISSING)
Protocol #3: wps.dll (file MISSING)
Protocol #4: wps.dll (file MISSING)
Protocol #5: wps.dll (file MISSING)
Protocol #6: wps.dll (file MISSING)
Protocol #13: wps.dll (file MISSING)

--------------------------------------------------
End of report, 8.000 bytes
Report generated in 0,265 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only



After a restart the message remains

Wingate Engine (66.227.104.38) is using local port 1182 Do you want to allow this .....etc."

Then click 'no' and Application Winmgm Engine has been blocked. Filename is MMTASK.EXE.
 
Logical, everything is still there.

Go to Start > Run > Msconfig, and untick the following on the "Startup" tab:

WindowsMGM = C:\WINDOWS\WINMGM32.EXE
MPtask Services = C:\WINDOWS\SYSTEM\mptask.exe
MMtask Service = mmtask.exe
MSys32 =

Click OK, and restart.

Then find and delete the following files:

C:\WINDOWS\WINMGM32.EXE
C:\WINDOWS\SYSTEM\mptask.exe
mmtask.exe
MSys32 =
 
OK, done..
After startup, deleted via Explorer:
MMTASK.EXE (was in C:\Windows\System)

The others (Winmgm32.exe and mptask.exe), like msys32, were not found on my hard disk.

Should it be done now?
 
OK, recycle bin emptied........

And now no more messages or anything.

In case another startup list is wanted (I'm adding it as an attachment).

Many thanks for your help. You may pat yourself on the back, because I can't do it.
Thank you!
 

Attachments

  • startuplist drob 13-01.txt
    7.6 KB · Views: 12
OK, it turns out that file is in there twice....one was indeed unticked but the second (but you already saw that) was not.

Now a final startup list.
 

Attachments

  • startuplist drob 13-01b.txt
    7.2 KB · Views: 11
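
The comparison this thread makes by eye between successive StartupList reports can be scripted. The following is an added example, not part of the original thread and not StartupList's own code: it parses the `Autorun entries from Registry` sections and diffs two reports. The function names and the two abridged sample reports are constructed for illustration.

```python
import re

HEADER = "Autorun entries from Registry:"
ENTRY_RE = re.compile(r"^(?P<name>.+?) =\s*(?P<cmd>.*)$")
# Value names the thread's helper asked to have removed.
WATCHLIST = {"WindowsMGM", "MPtask Services", "MMtask Service", "MSys32", "WinServices"}

# Constructed samples: abridged from the 12-1-03 16:39 and 13-1-03 7:25 reports above.
REPORT_BEFORE = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SmcService = C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
WindowsMGM = C:\WINDOWS\WINMGM32.EXE
MPtask Services = C:\WINDOWS\SYSTEM\mptask.exe
MMtask Service = mmtask.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

MSys32 =
WinServices = C:\WINDOWS\SYSTEM\WinServices.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Eraser = C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
WindowsMGM = C:\WINDOWS\WINMGM32.EXE
--------------------------------------------------
"""
REPORT_AFTER = r"""Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SmcService = C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
WindowsMGM = C:\WINDOWS\WINMGM32.EXE
MPtask Services = C:\WINDOWS\SYSTEM\mptask.exe
MMtask Service = mmtask.exe
AVG_CC = C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

MSys32 =
Avgserv9.exe = C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Eraser = C:\PROGRAM FILES\ERASER\ERASER.EXE -hide
--------------------------------------------------
"""

def parse_autoruns(report):
    """Return {(registry_key, value_name): command} for every autorun section."""
    entries, key, expect_key = {}, None, False
    for raw in report.splitlines():
        line = raw.strip()
        if line == HEADER:               # the next non-empty line names the key
            expect_key, key = True, None
        elif expect_key and line:
            key, expect_key = line, False
        elif line.startswith("-----"):   # separator closes the section
            key = None
        elif key and line:
            m = ENTRY_RE.match(line)
            if m:                        # "MSys32 =" yields an empty command
                entries[(key, m["name"])] = m["cmd"]
    return entries

def diff_autoruns(before, after):
    """Compare two reports on (registry_key, value_name) pairs."""
    b, a = parse_autoruns(before), parse_autoruns(after)
    return {"removed": sorted(k for k in b if k not in a),
            "added": sorted(k for k in a if k not in b),
            "persisted": sorted(k for k in b if k in a)}

def watchlist_hits(report, watchlist=WATCHLIST):
    """Map each watched value name to the registry keys where it is present."""
    hits = {}
    for (key, name) in parse_autoruns(report):
        if name in watchlist:
            hits.setdefault(name, []).append(key)
    return hits

if __name__ == "__main__":
    d = diff_autoruns(REPORT_BEFORE, REPORT_AFTER)
    print("removed:", d["removed"])
    print("added:", d["added"])
    print("still on watchlist:", watchlist_hits(REPORT_AFTER))
```

Entries are keyed on the registry key together with the value name because the same name (here `WindowsMGM`) can be registered under both HKLM and HKCU, so clearing one leaves the other in place.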