TechSpot

possible winres.dll issue... experiencing unusually high bandwidth usage

By mhgriffin
May 10, 2006
  1. possible winres.dll issue... experiencing unusually high bandwidth usage

    Hello,

    I've recently noticed a "lag" in my webpage loading as well as an unusual jump in bandwidth usage in the past couple of days. I've scanned my computer using Spybot, Ad-Aware and Ewido and have cleaned all infected areas. However, I'm still having the same problem. After running HijackThis I noticed a mention of winres.dll, which I understand can be a problem (however I'm not sure what to do to correct that problem). Also, McAfee has recently found a file named "srvlbin5[1].exe" that can't be cleaned or deleted, and I can't seem to find the path it "exists" in (a temp folder that McAfee shows as its location but isn't actually on my computer per my attempts at finding it). At any rate I thought a run of a HijackThis log might shed light on my problem, and I would appreciate any help in figuring out if I have some sort of adware/spyware/malware on my computer that I've overlooked. Thanks very much in advance.

    - Heath
     
  2. Spike

    Spike TS Evangelist Posts: 2,168

    Welcome to Techspot. :wave:

    Please go HERE and follow the instructions, and post a new HJT log once finished.
     
  3. mhgriffin

    mhgriffin TS Rookie Topic Starter

    Spike,

    I have followed your instructions per the link you gave me.

    I've included a current HijackThis log as well as the results of my BitDefender report (as I wasn't sure how to interpret the findings). Please let me know what needs to be done. Thanks again.

    - Heath
     
  4. Spike

    Spike TS Evangelist Posts: 2,168

    Reboot your computer into safe mode, turn on hidden files and folders in explorer, and disable system restore.
    If you aren't a uni student...
    open taskmanager and end task...
    rpcnet.exe

    otherwise...

    open a cmd window and type
    " regsvr32 /u winkjf32.dll " at the prompt (without the quotes). Hit enter.
    Then close the window.

    Next, run HJT and tell it to remove the following (paying attention to my bold notes)...
    //-- remove rpcnet.exe only if this isn't a university laptop --// - tracker software in case of theft, else probable malware.
    C:\WINDOWS\system32\rpcnet.exe
    //see note above --//
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.31.1.12:3128
    O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll (file missing)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O16 - DPF: {12F9CCA0-CF5B-11D2-B606-008098809FCA} - http://www.aleks.com/aleks/j2re/install_j2re.cab?cache
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

    //-- Remove these O17 entries only if you are not a student or otherwise affiliated with Oklahoma Christian University --//
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = oc.edu
    O17 - HKLM\Software\..\Telephony: DomainName = oc.edu
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D7145D1F-C241-464B-92AE-6CD87874A989}: NameServer = 205.171.3.65,205.171.2.65
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = oc.edu
    //-- See bold note above --//

    O20 - Winlogon Notify: winkjf32 - C:\WINDOWS\SYSTEM32\winkjf32.dll
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

    Then, open "my computer", browse to C:\WINDOWS\SYSTEM32\ and delete the file " winkjf32.dll "

    re-enable system restore, and reboot to normal mode.
     
  5. mhgriffin

    mhgriffin TS Rookie Topic Starter

    Spike,

    I followed your instructions (and yes, I am a university student) and everything worked except when I tried to delete the winkjf32.dll file. I was given an error saying that the file had no unregister.dll (I think) and a register point couldn't be created. So I tried to delete it manually as per the end of your previous post and I was given an access denied error (as you might've guessed I am not an administrator; however, I gave myself full permission over the system32 folder and it still gave me that error). As a result I renamed the file to winkjf32a.dll to try and delete it and nothing happened. Upon rebooting, the file was no longer visible in my system32 folder and when I ran HijackThis it gave me a file missing error for that file. Should I reboot in safe mode and see if it is gone as well? Please let me know! Also, the R1 ProxyServer line is a proxy I've used to circumvent my university's webpage blocking software, so although I checked it to be fixed, it still remains.

    I've included a current HijackThis log for your inspection. Thanks again!

    - Heath
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Boot into safe mode. See how HERE. http://www.bleepingcomputer.com/forums/tutorial61.html

    Turn off system restore.(XP/ME only) See how HERE. http://www.bleepingcomputer.com/forums/tutorial56.html

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE. http://www.bleepingcomputer.com/forums/tutorial62.html

    Go to Add/Remove Programmes in your control panel and uninstall anything to do with (if there):

    Viewpoint\Viewpoint Manager

    Close control panel.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the Processes tab and end process for (if there):

    ViewMgr.exe

    Close task manager.

    Run HJT with no other programmes open. Have HJT fix the following, by placing a tick in the little box next to (if there):

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.31.1.12:3128 Only fix this, if you have not set this proxy server yourself

    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = oc.edu
    O17 - HKLM\Software\..\Telephony: DomainName = oc.edu
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D7145D1F-C241-464B-92AE-6CD87874A989}: NameServer = 205.171.3.65,205.171.2.65
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = oc.edu

    Only fix the above O17 entries if they do not belong to your ISP.

    O20 - Winlogon Notify: winkjf32 - winkjf32.dll (file missing)

    Click on the fix checked button.

    Close HJT.

    Locate and delete the following bold files (if there):

    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    Reboot into normal mode and turn system restore back on.

    Post a fresh HJT log.
    Regards Howard :)
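    As an added illustration (not code from this thread, from HijackThis or from its authors), the Python below triages entries of the kinds Spike and Howard single out above: the orphaned "(file missing)" BHO and service lines, the unknown Winlogon Notify DLL, the redirected search page, and the proxy and O17 domain settings that must be verified with the user before fixing. The sample lines are copied from the logs quoted in the thread; the allowlist of standard Winlogon Notify packages is an assumption.

```python
import re

# Constructed excerpt: a handful of entries copied from the HJT logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 128.31.1.12:3128
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll (file missing)
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = oc.edu
O20 - Winlogon Notify: winkjf32 - C:\WINDOWS\SYSTEM32\winkjf32.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Assumed allowlist of Winlogon Notify package names that ship with Windows XP.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sclgntfy", "senslogn",
                "termsrv", "wlballoon", "schedule", "sccertprop"}

ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")


def triage_entry(line):
    """Return (section, verdict, reason) for one HJT entry, or None for other lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    if "(file missing)" in body:
        # The registry still points at a file that is gone: fix the entry, nothing to delete.
        return sec, "fix", "orphaned entry, referenced file is missing"
    if sec == "O20":  # DLLs listed here are loaded by winlogon.exe at every logon
        name = body.split(":", 1)[1].split(" - ")[0].strip()
        if name.lower() in KNOWN_NOTIFY:
            return sec, "keep", f"'{name}' is a standard Winlogon Notify package"
        return sec, "fix", f"unknown Winlogon Notify DLL '{name}'"
    if sec == "R1" and "ProxyServer" in body:
        return sec, "verify", "proxy set; fix only if you did not configure it yourself"
    if sec == "R1" and ("SearchURL" in body or "Start Page" in body):
        return sec, "fix", "search/start page redirected to " + body.split("=", 1)[1].strip()
    if sec == "O17":
        return sec, "verify", "domain/DNS setting; confirm it belongs to your ISP or organisation"
    if sec == "O16":
        return sec, "verify", "downloaded ActiveX control; remove unless the vendor is trusted"
    return sec, "review", "no rule matched"


def triage_log(text):
    """Triage every entry line of an HJT log, skipping headers and blank lines."""
    return [r for r in (triage_entry(ln) for ln in text.splitlines()) if r]
```

Running `triage_log(SAMPLE_LOG)` reproduces the thread's verdicts: the winkjf32 Winlogon Notify line and the prosearching.com redirect are fixed outright, the orphaned winres.dll BHO is fixed as a dead entry, and the proxy and oc.edu lines are left for the user to confirm.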
     
  7. mhgriffin

    mhgriffin TS Rookie Topic Starter

    Thanks to both of you for the help. I've followed all the instructions and posted a fresh HJT log if you wouldn't mind double checking it.

    - Heath
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your HJT log is clean.

    Regards Howard :)
     
  9. mhgriffin

    mhgriffin TS Rookie Topic Starter

    Thanks a ton!

    -Heath
     