Cnml.exe & Winik.sys .......what To Do?

Mary Kate · March 30, 2005

Hello

1.) i've never posted on a board at all before so i hope i'm doing it right

2) my computer was a mess........I ran nortons and it came back with 236 viruses. I was able to delete the majority of them by simply finding where they were in the program files and deleting them. A few however were listed as locked. I went to the task manager and shut them off and tried to delete them again but to no avail.

3) the remaining pain in the rear viruses are:

winik.sys

-C:\WINDOWS\SYSTEM32\DRIVERS\winik.sys

cnml.exe

GEACH8hM.dll

GEACH8hM.exe

Mh8HCAEG.exe

-C:\ProgramFiles\wsruswpv\cnml.exe

(The last four are all in the same program file and i guess are related??)

I ran a Highthis log and will post it below.........Any help @ all that you can give me would be mUcH MuCh appreciated!!!!!!!! MK!

Removed attachment, placed it into the right log -- dk

Logfile of HijackThis v1.99.1

Scan saved at 2:33:21 AM, on 3/30/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\Norton AntiVirus\navapsvc.exe

C:\WINDOWS\system32\pctspk.exe

C:\Program Files\Norton AntiVirus\SAVScan.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

C:\PROGRA~1\wsruswpv\GEACH8hM.exe

C:\Program Files\AIM95\aim.exe

C:\PROGRA~1\wsruswpv\Mh8HCAEG.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Hijack\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.psu.edu/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Registry Loader] regloadr.exe

O4 - HKLM\..\Run: [Config Loader] scvhost.exe

O4 - HKLM\..\Run: [Configuration Loader] wincrt32.exe

O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\av.exe

O4 - HKLM\..\Run: [eeomhoik] C:\WINDOWS\owpmxdwj.exe

O4 - HKLM\..\Run: [] c:\WINDOWS\System32\

O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe

O4 - HKLM\..\Run: [Windows DEC] windec.exe

O4 - HKLM\..\Run: [Microsoft Update] msawindows.exe

O4 - HKLM\..\Run: [Microsoft Services] svssshost.exe

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

O4 - HKLM\..\RunServices: [Registry Loader] regloadr.exe

O4 - HKLM\..\RunServices: [Config Loader] scvhost.exe

O4 - HKLM\..\RunServices: [Configuration Loader] wincrt32.exe

O4 - HKLM\..\RunServices: [Windows DEC] windec.exe

O4 - HKLM\..\RunServices: [Microsoft Update] msawindows.exe

O4 - HKLM\..\RunServices: [Microsoft Services] svssshost.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [] c:\WINDOWS\System32\

O4 - HKCU\..\Run: [Microsoft Services] svssshost.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: cms.psu.edu

O15 - Trusted Zone: http://*.windowsupdate.com

O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.mbakercorp.com/CFIDE/classes/CFJava.cab

O20 - Winlogon Notify: ComPlusSetup - C:\WINDOWS\System32\catsrvut.dll

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe

O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

O23 - Service: Windows Update (wupdate) - Unknown owner - C:\WINDOWS\System32\wudate.exe" -service (file missing)

Edited March 30, 2005 by dknoppix

Besttechie · March 30, 2005

Hi and Welcome,

Please run the following scan:

http://housecall.trendmicro.com/

Make sure you check the autoclean box. Then after the scan post a brand new HijackThis log.

Good luck!

B

Sign In

Cnml.exe & Winik.sys .......what To Do?

Recommended Posts

Mary Kate

Link to post

Share on other sites

Besttechie

Link to post

Share on other sites

Browse

Activity