
Thread: What's This?

  1. #1
    I have an old computer I still use often that runs win95. I've been having some problems starting, it likes to freeze up and can be very difficult to get going. When I do get it going I have noticed some things running that I am not sure what they are and suspect they are scumware and possibly part of the problem. I've run adware but it just does not seem to notice or find them. They are

    Mkgvarfc.exe in C:\windows

    Winkmmy.exe in C:\windows\system

    Winh.exe in C:\windows

    Anyone have any idea what these are? Is it safe to assume they are scumware and I can get rid of them? Thanks

  2. Software & Hardware   -   #2
    tesco (woowoo) | Join Date: Aug 2003 | Location: Canadia | Posts: 21,669
    Originally posted by coldnorth@15 March 2004 - 12:24
    I have an old computer I still use often that runs win95. I've been having some problems starting, it likes to freeze up and can be very difficult to get going. When I do get it going I have noticed some things running that I am not sure what they are and suspect they are scumware and possibly part of the problem. I've run adware but it just does not seem to notice or find them. They are

    Mkgvarfc.exe in C:\windows

    Winkmmy.exe in C:\windows\system

    Winh.exe in C:\windows

    Anyone have any idea what these are? Is it safe to assume they are scumware and I can get rid of them? Thanks
    the WinH.exe file was the only one I was able to find info on with google, and most of the pages say something about adware or spyware at the top so I'm sure that one is 'scumware'.

    try running spysweeper, you can download it from here or download the full version from kazaa lite. make sure to update the definitions before running!

  3. Software & Hardware   -   #3
    h1
    Guest
    Use Ad-Aware or Spybot-S&D to remove it.

  4. Software & Hardware   -   #4
    I have used both and neither one seems to pick up on these and at least one, Winh is scumware. Guess I'll have to remove it manually. Spybot I just downloaded today and it found a couple I had not noticed before and computer is running better.

  5. Software & Hardware   -   #5
    Poster | Join Date: Jun 2003 | Posts: 126
    yeah, they don't target the many new 'random' stuff that comes out all the time.

    download hijack this here.

    scan, save a log, then copy and paste the contents.


    cheers

  6. Software & Hardware   -   #6
    All right dopey. I downloaded the program, ran it, and here is the log, rather large.

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\WINMODEM.101\azexe.exe
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\LXDBOXCP.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\MSWHEEL.EXE
    C:\WINDOWS\SYSTEM\LOADWC.EXE
    C:\WINDOWS\SYSTEM\ELEGANT TECH\INFO-GUARDIAN\INFOGUARD.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SVCHOST.EXE
    C:\WINDOWS\SYSTEM\MSREXE.EXE
    C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\tapiexe.exe
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\UNZIPPED\HJT\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://81.211.105.9/search.php?v=3
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://81.211.105.9/index.php?v=3
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.211.105.9/index.php?v=3
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?ydtfs about:blank (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msnmember.msn.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.pcpages.com/svc/index.html
    R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
    R3 - Default URLSearchHook is missing
    F0 - system.ini: Shell=
    F1 - win.ini: run=lxdboxcp.exe
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O1 - Hosts: 217.116.231.7 aimtoday.aol.com
    O2 - BHO: (no name) - {baf6dcf8-7c5f-476b-ae4a-79f05b783a83} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {DB044C3D-979A-A17C-120F-BAFEE81BE095} - C:\windows\system\vkwtbdmr.dll
    O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll (file missing)
    O2 - BHO: (no name) - {32BBB93F-1E01-9DAB-E404-F3A72E7C0F08} - C:\windows\system\osnnvlrg.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll (file missing)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MSWHEEL] C:\WINDOWS\SYSTEM\mswheel.exe
    O4 - HKLM\..\Run: [POINTER] C:\MSINPUT\point32.exe
    O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
    O4 - HKLM\..\Run: [Msdapp] C:\WINDOWS\SYSTEM\Elegant Tech\Info-Guardian\infoguard.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [kxybwpjv] C:\WINDOWS\SYSTEM\kxybwpjv.exe
    O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
    O4 - HKLM\..\Run: [Winkmmy] C:\WINDOWS\SYSTEM\Winkmmy.exe
    O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
    O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
    O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
    O4 - HKLM\..\Run: [fovrdtwi] C:\WINDOWS\mkgvarfc.exe
    O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\WINNET.EXE
    O4 - HKLM\..\Run: [WinFavorites] C:\PROGRAM FILES\WINFAVORITES\WINFAVORITES.exe1
    O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
    O4 - HKLM\..\RunServices: [azmodem] WINMODEM.101\azexe.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
    O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
    O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O13 - WWW. Prefix: http://
    O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
    O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} - http://www.liveupdate.com/controls/getcab2.dll
    O16 - DPF: Yahoo! Euchre - http://download.yahoo.com/games/clients/y/er1_x.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab
    O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potb_x.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080...all/xscan53.cab
    O16 - DPF: ChatSpace Java Client 2.1.0.84N - http://about.chatspace.com/Java/cs4msn084.cab
    O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/...uditControl.cab
    O16 - DPF: {A19A291A-9653-4498-93F6-5BA06CF699D8} - http://download.peopleonpage.com/pop/adx/PopLoad.cab
    O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
    O16 - DPF: ConferenceRoom Java Client - http://chat.strictlyhosting.com:8080/java/cr.cab
    O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_99/QDow.cab
    O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
    O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)
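
Added example, not part of any post in this thread: a small Python triage pass over HijackThis-style log lines such as those in the log above. The sample lines are copied from that log; the flagging rules and function names are assumptions chosen for illustration and only mark entries for manual review, they are not verdicts.

```python
import re
from urllib.parse import urlparse

# Sample input: a few lines taken from the log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://81.211.105.9/search.php?v=3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msnmember.msn.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {baf6dcf8-7c5f-476b-ae4a-79f05b783a83} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")   # e.g. "R1 - ...", "O16 - ..."
IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def parse(log):
    """Yield (section, body) for each HijackThis-style entry line."""
    for line in log.splitlines():
        m = ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2).strip()

def review_reasons(section, body):
    """Return reasons an entry deserves a manual look (assumed heuristics)."""
    reasons = []
    if section in ("R0", "R1"):
        if body.endswith("(obfuscated)"):
            reasons.append("obfuscated URL")
        _, _, value = body.partition(" = ")
        url = value.split()[0] if value.split() else ""
        host = urlparse(url).hostname or ""
        if IP_HOST.match(host):
            reasons.append("IE setting points at a raw IP address")
    elif section == "O1":
        reasons.append("hosts file override")
    elif section == "O2" and re.search(r"\((no file|file missing)\)$", body):
        reasons.append("BHO registered with no file on disk")
    return reasons

def triage(log):
    """Map each flagged entry to its reasons; unflagged entries are omitted."""
    out = {}
    for section, body in parse(log):
        reasons = review_reasons(section, body)
        if reasons:
            out[f"{section} - {body}"] = reasons
    return out
```

Calling `triage()` on a saved log returns only the entries that matched a rule, which shortens the list a helper has to read by hand; entries such as the O4 Run keys still need to be checked individually.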

  7. Software & Hardware   -   #7
    Poster | Join Date: Jun 2003 | Posts: 126


    make sure you update spybot before scanning.
    you also have a coolwebsearch infection.

    go back to here and download cwshredder. close all browser windows and hit fix.

    reboot and post another log.

  8. Software & Hardware   -   #8
    Thanks dopey. Nice to get rid of that coolwebsearch at last. It's been a real pain in the butt. Had trouble updating spybot tonight. Will try again tomorrow and post a new log then. Getting a little late for me. Thanks again for the link on the CWShredder, it worked great.

  9. Software & Hardware   -   #9
    I should update on what I found out regarding the files I mentioned in my first post.

    Winkmmy.exe turned out to be a worm, spybot got rid of it. Winh.exe I did find some info on it, it's a worm. Neither Ad-Aware nor Spybot seems to be able to find it so I suppose I'll have to manually remove it. Was unable to find any info on Mkgvarfc.exe and that's the one I suspect is causing me problems.

    Thanks everyone

  10. Software & Hardware   -   #10
    Poster | Join Date: Jun 2003 | Posts: 126
    you're welcome.

    but please do some follow up. there is a lot more to do.

    about the spybot update problem: a little trick that seems to help is to start the program--> search for updates--> switch the server. Unido (Europe) is the default selection. In the dropdown box, the Eon (Australia) server works best for me.

    cheers.
