possible winres.dll issue... experiencing unusual high bandwidth usage

Hello,

I've recently noticed a "lag" in my webpage loading as well as an unusual jump in bandwidth usage in the past couple of days. I've scanned my computer using Spybot, Ad-Aware and Ewido and have cleaned all infected areas. However, I'm still having the same problem. After running HijackThis I noticed a mention of winres.dll, which I understand can be a problem (however I'm not sure what to do to correct that problem). Also, McAfee has recently found a file named "srvlbin5[1].exe" that can't be cleaned or deleted, and I can't seem to find the path it "exists" in (a temp folder that McAfee shows as its location but isn't actually on my computer, per my attempts at finding it). At any rate, I thought a HijackThis log might shed light on my problem, and I would appreciate any help in figuring out if I have some sort of adware/spyware/malware on my computer that I've overlooked. Thanks very much in advance.

- Heath
 
Welcome to Techspot. :wave:

Please go HERE and follow the instructions, and post a new HJT log once finished.
 
Spike,

I have followed your instructions per the link you gave me.

I've included a current HijackThis log as well as the results of my BitDefender report (as I wasn't sure how to interpret the findings). Please let me know what needs to be done. Thanks again.

- Heath
 
Reboot your computer into safe mode, turn on hidden files and folders in explorer, and disable system restore.
If you aren't a uni student...
open taskmanager and end task...
rpcnet.exe

otherwise...

open a cmd window and type
" regsvr32 /u winkjf32.dll " at the prompt (without the quotes). Hit enter.
Then close the window.

Next, run HJT and tell it to remove the following (paying attention to my bold notes)...
//-- remove rpcnet.exe only if this isn't a university laptop --// - tracker software in case of theft, else probable malware.
C:\WINDOWS\system32\rpcnet.exe
//see note above --//
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.31.1.12:3128
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {12F9CCA0-CF5B-11D2-B606-008098809FCA} - http://www.aleks.com/aleks/j2re/install_j2re.cab?cache
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

//-- Remove these O17 entries only if you are not a student or otherwise affiliated with Oklahoma Christian University --//
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = oc.edu
O17 - HKLM\Software\..\Telephony: DomainName = oc.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7145D1F-C241-464B-92AE-6CD87874A989}: NameServer = 205.171.3.65,205.171.2.65
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = oc.edu
//-- See bold note above --//

O20 - Winlogon Notify: winkjf32 - C:\WINDOWS\SYSTEM32\winkjf32.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Then, open "my computer", browse to C:\WINDOWS\SYSTEM32\ and delete the file " winkjf32.dll "

re-enable system restore, and reboot to normal mode.
 
Spike,

I followed your instructions (and yes, I am a university student) and everything worked except when I tried to delete the winkjf32.dll file. I was given an error saying that the file had no unregister.dll (I think) and a register point couldn't be created. So I tried to delete it manually as per the end of your previous post and I was given an access denied error (as you might've guessed, I am not an administrator; however, I gave myself full permission over the system32 folder and it still gave me that error). As a result I renamed the file to winkjf32a.dll to try and delete it, and nothing happened. Upon rebooting, the file was no longer visible in my system32 folder, and when I ran HijackThis it gave me a file missing error for that file. Should I reboot in safe mode and see if it is gone as well? Please let me know! Also, the R1 ProxyServer line is a proxy I've used to circumvent my university's webpage blocking software, so although I checked it to be fixed, it still remains.

I've included a current HijackThis log for your inspection. Thanks again!

- Heath
 
Hello and welcome to Techspot.

Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

Go to add remove programmes in your control panel and uninstall anything to do with(if there).

Viewpoint\Viewpoint Manager

Close control panel.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

ViewMgr.exe

Close task manager.

Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to(if there).

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.31.1.12:3128 Only fix this, if you have not set this proxy server yourself

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = oc.edu
O17 - HKLM\Software\..\Telephony: DomainName = oc.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7145D1F-C241-464B-92AE-6CD87874A989}: NameServer = 205.171.3.65,205.171.2.65
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = oc.edu

Only fix the above O17 entries if they do not belong to your ISP.

O20 - Winlogon Notify: winkjf32 - winkjf32.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files(if there).

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log.


Regards Howard :)
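Both Spike's and Howard's replies above come down to the same triage exercise: read each HijackThis line, work out which registry or file location it describes, and decide whether it is a dangling registration, a setting the user chose themselves, or something that needs checking against the ISP or organisation. The Python below is an added example written for this thread, not code from the original posts or from HijackThis itself. It parses HJT-style log lines (the sample input reuses lines quoted in the thread) and attaches the same kind of review notes the helpers applied: O20 Winlogon Notify DLLs as a logon-time load point, O2 BHOs loading into the browser, R1 proxy and search overrides to confirm with the user, O17 domain/DNS values to compare with the ISP, and any entry marked "(file missing)". The section tags, the `HjtEntry` record and the note wording are this example's own assumptions; the entry format is the one visible in the logs above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Leading section tag as HijackThis prints it, e.g. "R1", "O2", "O17", "O23".
# The tag letters are an assumption covering the sections seen in this thread.
_TAG_RE = re.compile(r"^(?P<tag>[RFNO]\d{1,2}) - (?P<body>.*)$")


@dataclass
class HjtEntry:
    """One parsed HijackThis log line plus the triage notes attached to it."""
    tag: str
    body: str
    file_missing: bool
    notes: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[HjtEntry]:
    """Return an HjtEntry for a log line, or None for text that is not an entry."""
    match = _TAG_RE.match(line.strip())
    if not match:
        return None
    body = match.group("body")
    # HJT appends "(file missing)" when the registered path no longer exists.
    return HjtEntry(match.group("tag"), body, "(file missing)" in body.lower())


def assess(entry: HjtEntry) -> HjtEntry:
    """Attach defender-side review notes based on the section and its contents."""
    tag, body = entry.tag, entry.body
    if tag == "R1" and "ProxyServer" in body:
        entry.notes.append("proxy configured: confirm the user set it deliberately")
    if tag == "R1" and re.search(r"SearchURL|Start Page", body):
        entry.notes.append("browser search/start page override: verify the domain")
    if tag == "O2":
        entry.notes.append("BHO loads into every IE process: verify the publisher")
    if tag == "O17":
        entry.notes.append("domain/DNS setting: compare with ISP or organisation values")
    if tag == "O20":
        entry.notes.append("Winlogon Notify DLL: loaded at logon, common persistence point")
    if tag == "O23" and "Unknown owner" in body:
        entry.notes.append("service with unknown owner: identify the binary")
    if entry.file_missing:
        entry.notes.append("dangling registration: the target file is gone, candidate for cleanup")
    return entry


def triage(log_text: str) -> List[HjtEntry]:
    """Parse every entry line in a log and run the assessment over each one."""
    entries = (parse_line(line) for line in log_text.splitlines())
    return [assess(e) for e in entries if e is not None]


def summarize(entries: List[HjtEntry]) -> Dict[str, int]:
    """Count entries per section tag, e.g. {"R1": 2, "O17": 2}."""
    counts: Dict[str, int] = {}
    for entry in entries:
        counts[entry.tag] = counts.get(entry.tag, 0) + 1
    return counts


# Sample input: a subset of the log lines quoted in the thread above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.31.1.12:3128
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = oc.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{D7145D1F-C241-464B-92AE-6CD87874A989}: NameServer = 205.171.3.65,205.171.2.65
O20 - Winlogon Notify: winkjf32 - C:\WINDOWS\SYSTEM32\winkjf32.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        if e.notes:
            print(f"{e.tag}: {e.body}")
            for note in e.notes:
                print(f"    - {note}")
```

The notes deliberately stop at "confirm" and "compare": as the thread shows with the ProxyServer and O17 lines, the same entry is benign for a student on the university network and suspicious elsewhere, so the script surfaces the decision rather than making it.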
 
Thanks to both of you for the help. I've followed all the instructions and posted a fresh HJT log if you wouldn't mind double checking it.

- Heath
 