HJT doesn't remove winapa.exe

Status
Not open for further replies.

bazeel

Hi.
I am helping an associate with the 'cleaning' of his XP Pro SE system.
I have just been through all the steps in safe mode as recommended. I tried to fix the O23 entry for winapa.exe with HijackThis but it is still there.
Thanks in advance for the help.
bazeel.
 
The computer is infected with the Rbot worm/trojan.

Go HERE and follow the instructions.

Post a fresh HJT log into this thread after doing the above.

Regards Howard :)

This thread is for the use of bazeel only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Win XP system

Hi Howard.
I followed as per the instructions (safe mode, rdrivrem, atf, ewido). Ewido found 9 items, 8 medium and one serious. We deleted them all.
Then I rebooted into normal mode and ran a HJT log. The O23 winapa.exe item is still there. Log attached.
What should I try next? Cheers and thanks. bazeel.
 
It appears you're not running any antivirus or firewall software. If that's the case, you should get some ASAP. The free AVG antivirus programme and the free Zonealarm, or free Kerio firewalls are available from HERE, HERE and HERE.

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.


Boot into safe mode, under your normal user name. See how here.> http://www.bleepingcomputer.com/forums/tutorial61.html

Turn off system restore.(XP/ME only) See how here.> http://www.bleepingcomputer.com/forums/tutorial56.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here.> http://www.bleepingcomputer.com/forums/tutorial62.html

Do a full system scan with your antivirus programme and delete what ever it finds.

Click start/run and type services.msc into the run box and press the enter key.

When the window appears, maximise it. Double click on the following services (if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

Winamp media player (winapa.exe)
Windows Media Player


Close the services window.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

mpwe.exe
avsoft.exe
winapa.exe

Close task manager.

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

O4 - HKLM\..\Run: [Windows Media Player] mpwe.exe

O4 - HKLM\..\Run: [firewall] C:\WINDOWS\avsoft.exe /i

O4 - HKLM\..\RunServices: [Windows Media Player] mpwe.exe

O4 - HKCU\..\Run: [Windows Media Player] mpwe.exe

O11 - Options group: [JAVA_IBM] Java (IBM)

O15 - Trusted Zone: .windowsupdate.com

O23 - Service: Winamp media player (winapa.exe) - Unknown owner - C:\WINDOWS\System32\winapa.exe" -netsvcs (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

C:\WINDOWS\System32\winapa.exe
C:\WINDOWS\avsoft.exe
mpwe.exe: you will need to search your system for this file and delete all instances of it.

Reboot into normal mode and turn system restore back on.

Post a fresh HJT log.


Regards Howard :)


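As an added illustration (not part of this thread and not HijackThis's own code), the following Python script parses O4 autorun and O23 service lines in the format Howard has HJT fix above and flags the traits that mark the bad entries: a service with no registered owner, a binary reported as "(file missing)", a stray quote in the command line, an autorun that names only a bare executable, and a display name borrowed from a known product (Windows Media Player, Winamp) that actually launches some other file. The sample log and the product-to-executable mapping are constructed for this example.

```python
import ntpath
import re

# Constructed sample: the entries Howard lists above plus one benign service line for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [Windows Media Player] mpwe.exe
O4 - HKLM\..\Run: [firewall] C:\WINDOWS\avsoft.exe /i
O4 - HKLM\..\RunServices: [Windows Media Player] mpwe.exe
O4 - HKCU\..\Run: [Windows Media Player] mpwe.exe
O23 - Service: Winamp media player (winapa.exe) - Unknown owner - C:\WINDOWS\System32\winapa.exe" -netsvcs (file missing)
O23 - Service: Example Backup Service (exbackup) - Example Corp - C:\Example\exbackup.exe
"""

# Display names real products use and the executable each actually launches (assumed mapping).
KNOWN_PRODUCTS = {"windows media player": "wmplayer.exe", "winamp": "winamp.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) \((?P<short>[^)]+)\) - (?P<owner>.+?) - (?P<cmd>.*)$")

def exe_of(cmd):
    """Executable part of a command line: a quoted path, or else the first whitespace token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split('"', 1)[0].split(" ", 1)[0]

def suspicious_reasons(line):
    """Reasons an O4 (autorun) or O23 (service) entry deserves a second look; [] if none."""
    m = O4_RE.match(line) or O23_RE.match(line)
    if not m:
        return []
    name, cmd = m.group("name"), m.group("cmd")
    exe = exe_of(cmd)
    reasons = []
    if "(file missing)" in cmd:
        reasons.append("registered binary is missing on disk")
    if cmd.count('"') % 2:
        reasons.append("unbalanced quote in command line")
    if line.startswith("O4") and not ntpath.dirname(exe):
        reasons.append("bare filename, no full path")
    if line.startswith("O23") and m.group("owner").lower() == "unknown owner":
        reasons.append("service has no registered owner")
    for product, real_exe in KNOWN_PRODUCTS.items():
        if product in name.lower() and ntpath.basename(exe).lower() != real_exe:
            reasons.append(f"name suggests {product} but runs {ntpath.basename(exe)}")
    return reasons

def scan(log_text):
    """Map each flagged log line to its reasons; clean lines are omitted."""
    flagged = {}
    for line in log_text.strip().splitlines():
        reasons = suspicious_reasons(line.strip())
        if reasons:
            flagged[line.strip()] = reasons
    return flagged
```

Run against SAMPLE_LOG, the three mpwe.exe autoruns and the winapa.exe service are flagged while the benign service and the avsoft.exe entry are not, which is why the avsoft.exe line still needs a human to judge it from context as Howard did.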
 
winapa removed

Hi and thanks Howard.
They are running Windows XP firewall and have their OS up to date as well as an up to date antivirus program through their ADSL provider (Telus).
I followed your instructions and the log (attached) looks ok.
I think that the reason it wasn't cleared before was that I logged in under the Administrator account when going into safe mode (thinking that the Administrator account would be the all powerful account).
Anyway, once again thanks for the help.
Cheers, bazeel.
 
Mosearch.exe

Hi All.
Should this item be removed or not? When I ran an HJT log through http://www.hijackthis.de/ it listed it as 'Nasty', but when I googled it I found that it was part of MS Office and some links did not recommend that it be removed. This appears on the local Community School admin computer running Win 98 SE.
Cheers and thanks, bazeel.
 
It's not nasty. See HERE.

However, it's not essential and can be disabled if you wish.

I have merged your new thread into this one.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
HJT Log and questions

Hi Howard.
Please give this log (my friend's win2000 system) a check. I ran all the programs recommended and have a few questions.

1. Is it necessary to run SmitFraudFix, Look2me Destroyer, AboutBuster, CWShredder, VundoFix before running AdAware and SpyBot? It appears that AdAware and Spybot look for all of the nasties that the other programs specifically target.
2. SpyBot found a couple of items (one was ZLOB) that it couldn't remove (even after allowing it to start scanning at the next boot). What should I do?
Cheers and thanks, bazeel.
 
That HJT log is clean as a whistle.

1. Is it necessary to run SmitFraudFix, Look2me Destroyer, AboutBuster, CWShredder, VundoFix before running AdAware and SpyBot? It appears that AdAware and Spybot look for all of the nasties that the other programs specifically target.

Yes it is necessary. This is because SmitFraudFix, Look2me Destroyer, AboutBuster, CWShredder, VundoFix are specialist tools that target variants that Spybot and Ad-aware won't kill. I wish it wasn't the case, but there it is.

2. SpyBot found a couple of items (one was ZLOB) that it couldn't remove (even after allowing it to start scanning at the next boot). What should I do?

Download and run the Microsoft malicious removal tool from HERE.

If that doesn`t get rid of it, boot into safe mode and turn system restore off. Run the tool again and do a full system scan with Spybot and your antivirus programme. Then, reboot into normal mode and turn system restore back on.

Regards Howard :)
 
Win 98 SE won't boot into Normal mode

Hi Howard.
A local author has a win98se system and AVG, Win98 and SpyBot are all up to date. She also runs ZoneAlarm. She runs AVG update daily and Spybot once per week.
This morning she could only boot into Safe Mode. Trying to go into Normal mode resulted in the infamous 'blue' screen. I ran Spybot in Safe Mode and removed several items. Still no luck booting back into Normal Mode.
I ran HijackThis and have attached it for your information.
The problem is that we cannot hook up to the internet with her dial-up connection in Safe Mode, so we can't get the latest updates for the programs that I will run per your previous instructions (i.e. AdAware, SmitFraudFix etc.).
She can use it in Safe Mode to continue with her book but that is all. It performs beautifully in Safe Mode.
What should be our next step?
TIA. Basil.
 
That HJT log is clean. However, since you can't boot into normal mode, I don't know whether the system is clean.

It might be a good idea to backup any important data and reformat and reinstall.

Regards Howard :)
 
Margot's HJT Log

Hi Howard.
After going through all the usual steps on another friend's computer (XP) this is the log that I have. Spybot Search and Destroy found several items that we cleaned off. (we ran all the scan programs in Safe Mode with System Restore switched off). Please review for anything untoward.
Thanks. Bazeel.
 
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there).

ALCXMNTR.EXE

Close task manager.

Run HJT with no other programmes open. Click the scan button. Have HJT fix the following, by placing a tick in the little box next to (if there).

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE

O9 - Extra button: Shaw Help - {64D75328-7FB0-484B-83E7-B45ED26417C7} - http://support.shaw.home.com (file missing) (HKCU)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories (if there).

ALCXMNTR.EXE: search the system for this file and delete all instances of it.

Reboot the system.

Other than the above, the HJT log is clean.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

 
Can't install critical updates

Hi Howard and gang.
My friend Colin had his XP Home system repaired by a tech because it stopped acting normally after he installed some software off the web. The 80 critical updates could not be installed. Norton 2007 was disabled. I booted into safe mode (after I uninstalled the offending program AdAlert) and uninstalled Norton and Live Update. Colin didn't have the Norton 2007 CD with him at this location so I installed AVG free and SpyBot S&R.
I ran Spybot and it found and removed 7 nasties.
AVG was updated successfully. All is ok except that Windows XP critical updates will not install. Even trying one at a time - no go.
What should we try next?
TIA
Basil.
 