TechSpot

wollf.16 and ipmonitor.win32.xtrojan

By cogenmaster
Jun 7, 2007
  1. System specs - Windows Vista Premium, Norton Internet Security 2007. All drivers and Windows updated. Got a copy of Ghost Recon with my motherboard which came in a white envelope with the CD key. Never could get the game to work right on Vista with my 8800 GTS. Damn game has laid around for 4-5 months. My son saw it last night and wanted to play it so he installed it on his computer downstairs and started asking me for the CD key. We both searched through my desk and could not find it so I googled Ghost Recon CD keygens. I'm sure you can guess the rest from the above title. I did run a virus scan before I executed the keygen but Norton did not find it. Anyway, right after I executed the program a DOS box popped up momentarily and then I started getting Norton messages about a trojan being blocked and a virus. Then I got a Windows error message in the task bar "spyware detected, download and install System Live Protect". Did this and it found the wollf.16 and ipmonitor.win32.xtrojan. Tried the repair option with System Live Protect but the computer crashes immediately upon start of repair. Symantec lists the wollf virus in their database but my antivirus does not detect it after a full system scan in normal and safe mode. HijackThis got rid of ipmonitor, at least the process is no longer running at reboot. Can't seem to get rid of the wollf.16. Any suggestions?

    Have run HijackThis as per Howard's instructions with rename. Have run AVG rootkit, none detected. Have run AVG Antispyware, fixed all problems. Have run a full system scan, Norton 2007 antivirus does not detect wollf.16.

    Thanks E Murphy
     

    Attached Files:

  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Your system is infected with at least the Vundo trojan. You have posted your HJT log from safe mode, when I need to see the HJT from normal mode.

    Delete all files in AVG Antispyware quarantine.

    Download Vundofix from HERE.

    Double click the Vundofix.exe to run it.

    Right click in the vundofix window and click add files.

    Enter the full file path/s to the files you want Vundofix to delete and click the add files button, followed by the close window button. Click the remove vundo button and let Vundofix do its stuff.

    This is the filepath you need to enter into Vundofix.

    C:\Windows\SYSTEM32\gebyaya.dll

    Post a fresh HJT log as well as a Combofix log.

    Regards Howard :)

    This thread is for the use of cogenmaster only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. cogenmaster

    cogenmaster TS Enthusiast Topic Starter Posts: 117

    New Log as Requested

    Thanks Howard for your quick response. Some additional info. I have a process running called wininit.exe. I cannot end the process at all in normal or safe mode. This is the process that is causing the bluescreen crash. I have read where people post minidumps, but I don't know where they are located or if I even have minidump set up.

    Eric
     
  4. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Have HijackThis fix the following.

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O13 - Gopher Prefix:

    Apart from that, your log looks clean.

    With regards to the wininit.exe, please visit Viruses/Spyware/Malware, preliminary removal instructions and download AVG Antivirus.

    Run it in safe mode and fix any infected files.

    Let me know the results.


    Regards,
    Your friendly momok =)

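A triage pass over the HijackThis entries listed in the post above, as an added example in PowerShell (not from the thread and not part of HijackThis itself). The sample lines are the ones quoted above plus one constructed hosts-file line for contrast. The verdict categories are this script's own. One point worth knowing when reading such logs: the O1 entry `::1 localhost` is the IPv6 loopback line that Vista's default hosts file carries, so it is treated as benign here rather than as a hijack; a hosts entry that sends a real domain somewhere else is the kind that matters.

```powershell
# Added example: triage HijackThis (HJT) log lines into rough verdicts.
# Sample input is constructed from the entries quoted in this thread,
# plus one made-up redirect line so the 'suspicious' path is exercised.
$HjtSample = @'
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O1 - Hosts: 10.0.0.1 www.example.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O13 - Gopher Prefix:
'@

function Get-HjtTriage {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # HJT lines look like "<section> - <body>", e.g. "O2 - BHO: ...".
        if ($line -notmatch '^(?<type>[A-Z]\d+) - (?<body>.*)$') { continue }
        $type = $Matches['type']
        $body = $Matches['body'].Trim()
        $verdict = 'review'        # default: a human still has to look at it
        $reason  = 'not classified by this script'

        switch -Regex ($type) {
            '^R0$' {
                # Empty IE search/toolbar values are cosmetic; HJT just removes the value.
                if ($body -match '=\s*$') { $verdict = 'cosmetic'; $reason = 'empty IE registry value' }
            }
            '^(R3|O2|O3|O4|O9)$' {
                # "(no file)" means the registry still references a DLL/EXE that is gone:
                # a leftover from a removed toolbar or a cleaned infection, safe to fix.
                if ($body -match '\(no file\)') { $verdict = 'orphan'; $reason = 'points at a file that no longer exists' }
            }
            '^O1$' {
                if ($body -match '^Hosts:\s+(?<ip>\S+)\s+(?<name>\S+)') {
                    $ip = $Matches['ip']; $name = $Matches['name']
                    $isLoopback = @('127.0.0.1', '::1') -contains $ip
                    if ($isLoopback -and $name -eq 'localhost') {
                        $verdict = 'benign';     $reason = 'default loopback mapping'
                    } else {
                        $verdict = 'suspicious'; $reason = "hosts file sends $name to $ip"
                    }
                }
            }
            '^O13$' {
                if ($body -match ':\s*$') { $verdict = 'cosmetic'; $reason = 'empty prefix' }
            }
        }

        New-Object PSObject -Property @{
            Type = $type; Verdict = $verdict; Reason = $reason; Entry = $body
        }
    }
}

Get-HjtTriage -Lines ($HjtSample -split "`r?`n") |
    Sort-Object Verdict | Format-Table Type, Verdict, Reason, Entry -AutoSize
```

Run it against a saved HJT log with `Get-HjtTriage -Lines (Get-Content .\hijackthis.log)`; anything that comes back as `review` or `suspicious` is what to post for a second opinion.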
     
  5. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Can you please give us the full filepath to wininit.exe.

    I don't think AVG Antispyware works with Windows Vista.

    Regards Howard :)

     
  6. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Actually, this is quite recent news. Grisoft released a new build of AVG Antispyware on 4th June 2007 which is compatible with vista. I believe their antivirus is compatible too. ;) (see HERE)

    Regards,
    Your friendly momok =)

     
  7. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That's great news and thanks for the heads up mate.

    Regards Howard :)
     
  8. cogenmaster

    cogenmaster TS Enthusiast Topic Starter Posts: 117

    AVG and Norton

    I always thought you shouldn't try to run two different antivirus programs at the same time. I thought about downloading AVG and running it but I had no desire to attempt to remove Norton antivirus; that can lead to disaster. Regarding wininit.exe, it is in c:\windows\system32, Windows startup application.

    Thanks All

    Eric

    PS I found my minidump files, what program do you use to open them?
     
  9. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    1. Please download The Avenger by Swandog46 from HERE. Save it to your Desktop and extract it.

    2. Download the attached avengerscript.txt and save it to your desktop. The Avenger script is attached to the bottom of this post.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by double clicking on its icon on your desktop.

    Under "Script file to execute" choose "Load script from file".
    Now click on the folder icon which will open a new window titled "open Script File"
    navigate to the file you have just downloaded, click on it and press open
    Now click on the Green Light to begin execution of the script
    Answer "Yes" twice when prompted.

    4. The Avenger will automatically do the following:

    It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop, this is normal.
    After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

    5. Please attach the content of c:\avenger.txt to your reply. I also recommend you follow momok's advice regarding running AVG Antispyware and post its logfile too.

    As for minidumps, please see this short tutorial HERE.

    Regards Howard :)
     

    Attached Files:

  10. cogenmaster

    cogenmaster TS Enthusiast Topic Starter Posts: 117

    Avenger and AVG Spyware

    The script you wrote says to delete the wininit.exe file. Does that mean you don't think it is a Windows file? Ran AVG Anti-Spyware and posted the logfile with the first post. Once again thank you for your time and effort.
     
  11. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    HERE's some info on the wininit.exe file. You'll see that it's actually the WOLLF.16 virus, which is what you put in your thread title.

    Run the Avenger as per the instructions.

    Delete all files in AVG Antispyware quarantine.

    Regards Howard :)

     
  12. cogenmaster

    cogenmaster TS Enthusiast Topic Starter Posts: 117

    Wininit.exe

    I found that info Howard, as well as other info showing that it is a legitimate Windows application. When some of you other Vista users reading this thread see if you have a wininit.exe running under your processes, you have to tick "show processes from all users" to see if it is there, thanks. The only reason I am even hesitant is the fact that Norton has never once picked up on this wollf.16; the only thing that did was "Windows Live System Manager". I can't end that process without completely crashing to a blue screen.
     
  13. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    I see your point and don't blame you for the hesitation.

    You could have the file checked out over at Jotti's.

    Please visit this link http://virusscan.jotti.org/
    * Click the Browse... button
    * Navigate to the following file c:\windows\system32\wininit.exe
    * Click Open
    * Please let me know the results.

    Regards Howard :)

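A local check of the file this thread argues about, as an added example in PowerShell (not from the thread, and not a substitute for the Jotti's scan suggested above). On Vista, `C:\Windows\System32\wininit.exe` is the "Windows Start-Up Application", a standard component that XP does not have, which matches both Howard's observation on XP SP2 and the poster's observation on two Vista machines. What a lookalike would look like is a second instance, a copy loaded from outside System32, a non-Microsoft version resource, or a failing signature check. One caveat: Vista's system binaries are signed through catalog files rather than with an embedded Authenticode signature, and `Get-AuthenticodeSignature` only consults catalogs on newer Windows releases, so a `NotSigned` status on an older system is inconclusive rather than damning; Sysinternals `sigcheck -a -h <file>` does check catalogs. The path and the expected signer string are assumptions stated in the code, and the script expects an elevated prompt because system processes hide their image path from non-admin users.

```powershell
# Added example: is wininit.exe the Microsoft binary it claims to be?
# Assumes the path quoted in the thread and an elevated PowerShell prompt.
$Target = 'C:\Windows\System32\wininit.exe'   # assumption: path from the thread

function Get-FileSha256 {
    param([string]$Path)
    # Hash the file so the value can be compared against another machine or a scanner report.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Test-SystemBinary {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return New-Object PSObject -Property @{ Path = $Path; Exists = $false }
    }
    $item   = Get-Item -LiteralPath $Path
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    # 'Valid' plus a Microsoft signer is a strong positive. 'NotSigned' on Vista
    # usually means catalog-signed and needs sigcheck. Anything else is bad.
    if ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation') {   # assumed signer string
        $verdict = 'signed by Microsoft'
    } elseif ($sig.Status -eq 'NotSigned') {
        $verdict = 'no embedded signature, verify against the catalog with sigcheck'
    } else {
        $verdict = 'signature problem, treat as hostile'
    }

    New-Object PSObject -Property @{
        Path      = $item.FullName
        Exists    = $true
        SizeBytes = $item.Length
        Modified  = $item.LastWriteTimeUtc
        Company   = $item.VersionInfo.CompanyName     # should read Microsoft Corporation
        Version   = $item.VersionInfo.FileVersion
        SigStatus = $sig.Status                       # Valid / NotSigned / HashMismatch ...
        Signer    = $signer
        SHA256    = Get-FileSha256 -Path $Path
        Verdict   = $verdict
    }
}

function Get-WininitImages {
    # Every running wininit.exe and the path it was loaded from. More than one
    # instance, or one outside System32, is the shape of an impostor.
    $expected = Join-Path $env:SystemRoot 'System32\wininit.exe'
    Get-WmiObject Win32_Process -Filter "Name = 'wininit.exe'" | ForEach-Object {
        $p = $_.ExecutablePath
        New-Object PSObject -Property @{
            Pid        = $_.ProcessId
            ImagePath  = $p
            InSystem32 = ($p -ne $null) -and ($p -eq $expected)
        }
    }
}

Test-SystemBinary -Path $Target | Format-List
Get-WininitImages | Format-Table -AutoSize
```

Compare the SHA256 with the same file on another patched Vista machine (the poster mentions a father-in-law's box); identical hashes across installs at the same patch level, a Microsoft company string, and exactly one instance loaded from System32 is what a clean system looks like.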
     
  14. cogenmaster

    cogenmaster TS Enthusiast Topic Starter Posts: 117

    Found Nothing

    Jotti's found nothing on all scans. Guess that is a good thing! Still don't understand why that Microsoft program says I have the wollf.16 virus and Norton can't detect it.
     
  15. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    It is possible that it's a false positive by the Windows programme. This can happen with any antivirus/antispyware programme from time to time.

    If you're convinced that the file is legit and the Jotti scan tends to reinforce that view, don't worry about it.

    However, having said all that, I don't have that file on my system, which is running Windows XP SP2.

    Regards Howard :)
     
  16. cogenmaster

    cogenmaster TS Enthusiast Topic Starter Posts: 117

    What me worry

    Guess I won't worry over it anymore. That file is not on my son's computer, which is Windows XP SP2, but it is on my father-in-law's updated Vista Premium.

    Thanks All
     
  17. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Another possible situation is that your original wininit file got corrupted or infected by whatever you had been trying to download. You could try a Windows repair via this thread HERE.

    Maybe that will fix those warning messages.

    Regards,
    Your friendly momok =)

     
Topic Status:
Not open for further replies.
