Mswin32.exe problem

Status
Not open for further replies.

sritce

I managed to remove this virus, mswin32.exe, which disables my Task Manager and Folder Options. But now my problem is that I am getting a message "WINDOWS CAN NOT FIND WIN32.EXE" whenever I start my system. How do I get rid of this message? Thanks in advance.
 
try thiiiisss

What I think is that there is a reference to the file in the Windows startup handles which it cannot find, which possibly could have caused this error.

You can try this:
1. Try running msconfig.exe by pressing Windows+R, then type msconfig. Then go to the Startup tab and try to find if there is any link to the file, then try to disable it.
2. Some registry tools can fix this for you, such as System Mechanic.
3. If you have USB security software, the one by zhengou, try going to it, and there you can delete the file handle.
 
Windows cannot find Win32.exe

Let's get the terminology straight first:

mswin32.exe is the process for the Microsoft Update Service

win32.exe is added to the system as a result of the RATEGA virus. It is a Trojan horse that gives a remote user access to your computer.

So you removed the wrong file and still have the malware!

Unfortunately, sometimes people jump on with answers without checking content first.

Please move to the Virus and Malware Removal Forum and follow the steps set up here:
https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

When you have finished, attach the three logs. We will review them.
Be sure to check the lines in both Malwarebytes and Superantispyware for the removal of the malware they find. Don't remove anything in HijackThis. That's our job.
 
Thanks for your suggestion

Everything is fine now. Only after scanning with Malwarebytes did the problem get solved.
 
You're on your own. I would not release you at this point if I was helping with cleaning.
 
@above

Yes, you're right, because MBAM always shows 4 infected files. Even after cleaning, when I scan again some time later, it'll show the same 4 infected files. Any suggestions? Is my system still infected?
 
P2P: As long as you're doing file sharing, you're going to get malware. Please see P2P Warning in Step 3.
C:\Program Files\uTorrent\utorrent.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"


FYI: when the Mbam results come back showing No action taken it means that the following wasn't done:

* Make sure that everything is checked, and click Remove Selected.

Malwarebytes needs to be UPDATED and run again with this checked. The infection isn't 'coming back' - it wasn't removed!

Superantispyware has a similar line:
* Make sure everything found has a checkmark next to it, then press 'Next'
Same thing: if it wasn't checked, malware wasn't removed.

So the Vundo infection remains. Understand: it's not a matter of "still infected" - it's a matter of not removing the malware due to not following directions in the cleaning programs.

Please open HijackThis, and select Do a system scan only.
Place a checkmark next to the following entries (if present):

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60341
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://order.kagi.com/?6FAEY
(FYI: From time to time Kagi may use external service providers who need to know all your financial payment information to help verify the information provided or to help Kagi make business decisions.)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.crawler.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=60341
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = 192.168.1.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60341
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60341
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60341
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60341
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\system.exe,>> a Backdoor W32.Spybot.OBB
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {8DF6AD7A-3096-49A3-96FF-9ED869DA8AC1} - c:\windows\system32\jvrbjiu.dll
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: nauzbsuj - C:\WINDOWS\SYSTEM32\jvrbjiu.dll


Then, close all other open windows, leaving only HijackThis open, and select Fix checked.


Please download ComboFix HERE

With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.

Please disable all security programs, such as antiviruses, antispywares, and firewalls.
Also disable your internet connection.


Run Combo-Fix.exe and follow the prompts.
Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.
• Wait for the scan to be completed.
• If it requires a reboot, please do it.
• After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

Do not click on the ComboFix window, as it may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Rescan with HijackThis AFTER running Malwarebytes again and Combofix. Attach all logs and reports.
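
A defender-side cross-check of the HijackThis entries listed in the post above, as an added example that is not part of the original thread: it parses the quoted lines, reports anything chained after userinit.exe in the F2 UserInit value, and groups entries that load the same file. The function names and the sample (a subset of the lines above, with the ">>" annotation dropped) are assumptions of this example.

```python
import re
from collections import defaultdict

# Subset of the HijackThis lines quoted above; the ">>" annotation is dropped.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\system.exe,
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {8DF6AD7A-3096-49A3-96FF-9ED869DA8AC1} - c:\windows\system32\jvrbjiu.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: nauzbsuj - C:\WINDOWS\SYSTEM32\jvrbjiu.dll
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\utorrent.exe"
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
PATH = re.compile(r"[A-Za-z]:\\[^,\"]*?\.(?:exe|dll)", re.IGNORECASE)

def parse_entries(text):
    """Return (code, body, paths) for each HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            # Lowercase paths so C:\WINDOWS\SYSTEM32 and c:\windows\system32 compare equal.
            paths = [p.lower() for p in PATH.findall(m["body"])]
            entries.append((m["code"], m["body"], paths))
    return entries

def userinit_extras(entries):
    """Programs chained after userinit.exe in an F2 UserInit value."""
    extras = []
    for code, body, paths in entries:
        if code == "F2" and "userinit=" in body.lower():
            extras += [p for p in paths if not p.endswith("\\userinit.exe")]
    return extras

def shared_modules(entries):
    """Files referenced by more than one entry, so no reference is missed."""
    seen = defaultdict(list)
    for code, _body, paths in entries:
        for p in set(paths):
            seen[p].append(code)
    return {p: codes for p, codes in seen.items() if len(codes) > 1}

if __name__ == "__main__":
    entries = parse_entries(SAMPLE_LOG)
    print("Extra UserInit programs:", userinit_extras(entries))
    for path, codes in shared_modules(entries).items():
        print(path, "->", ", ".join(codes))
```

On the sample, the same DLL shows up under both the BHO (O2) and Winlogon Notify (O20) entries, which is why both lines need a checkmark before Fix checked.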
 
@above

No, I did check all items and only then removed them. I did it many times. It says items will be removed after the next restart. Anyhow, after scanning with ComboFix, it got removed, I think, because now the malware scanner didn't show any infected file. Check the log files. Thank you.
 
Let's go through some of the entries I found:

1. Firefox
C:\Program Files\Mozilla Firefox 3 Beta 3\firefox.exe
The final for v3 has been out for a long time. Please update to the current version, v3.0.10 (link is on lower right):
http://www.mozilla.com/en-US/firefox/3.0/releasenotes/


2. File Sharing:
c:\program files\TeamViewer (2009-04-12) Remote access/Desktop sharing
C:\Program Files\uTorrent\utorrent.exe

3. Pirating:
The following indicates you are using a crack/keygen program to download software. Pirating is NOT supported on TS:
IE: Download All Links with IDM - d:\softwaress\downloader\Internet Download Manager v5.01 Trial to Full by Great Elmo!!\IEGetAll.htm
IE: Download with IDM - d:\softwaress\downloader\Internet Download Manager v5.01 Trial to Full by Great Elmo!!\IEExt.htm

4. Antivirus programs:
c:\program files\WinClamAVShield> 2009-05-25 12:35
c:\program files\ESET\ESET NOD32 Antivirus

5. Registry Cleaner:
c:\program files\Uniblue>> Registry Booster>> (KillRBProcess.exe)

All of these need to be handled as soon as possible:
1. Firefox: it's important to keep updates current. Many are for security reasons.
2. File sharing is a trip straight to malware. Recommend uninstalling these programs.
3. Using crack programs to load software is the same thing as stealing it.
4. You should run only 1 antivirus program. Uninstall one of them.
5. Registry Cleaners are not recommended. Recommend uninstalling this.
 