HJT Fix deletion giving blinking pop-up windows for missing system32\winsersec.exe

Thaqalainnaqvi

My desktop has been popping up cmd windows intermittently since the deletion of
C:\WINDOWS\system32\winsersec.exe. It was my wrong judgement to suspect
this file, and I fixed it with HT through HTfix.de. Now I can log on
and connect, but the pop-up windows are stopping mouse movement and hurting its
performance.
I may forward one of the error text files by e-mail, if anyone is available
to help me. I copied this file from the technical details of the "Sdaemon.exe
(6.4.0.0-Servdll.dll) encountered a problem" report.

Logfile of HijackThis v1.99.1
Scan saved at 11:00:00 AM, on 8/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\winsersec.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\WINDOWS\system32\CNAB4RPK.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\sdaemon.exe
C:\WINDOWS\winwd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\DOCUME~1\Mahdi\LOCALS~1\Temp\Rar$EX02.672\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://groups.google.com/group/24hoursupport.helpdesk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yah...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yah...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yah...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar -
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program
Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper -
{02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program
Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
- C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button -
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program
Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper -
{9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common
Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class -
{AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} -
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Symantec\Norton
Ghost 2003\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program
Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky
Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [SDaemon] C:\WINDOWS\sdaemon.exe
O4 - HKLM\..\Run: [SWd] C:\WINDOWS\winwd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program
Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: &Search -
http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZS
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Program
Files\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: Convert link target to Adobe PDF -
res://C:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF -
res://C:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF -
res://C:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF -
res://C:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF -
res://C:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF -
res://C:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program
Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF -
res://C:\Program Files\Adobe\Acrobat
7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus -
{1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky
Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Yahoo! Services -
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program
Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger -
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program
Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
{E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program
Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class)
- C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{597AF62B-8B66-4080-B6F5-2FEF53A99911}:
NameServer = 195.3.96.67,195.3.96.68
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} -
C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -
C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program
Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner -
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
-r (file missing)
O23 - Service: GhostStartService - Symantec Corporation - C:\Program
Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: winser - Unknown owner -
C:\WINDOWS\system32\winsersec.exe
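A defender-side triage of the O4 (autostart) and O23 (service) lines from the log above, as an added example that is not part of this thread or of HijackThis itself. Two heuristics, both assumptions of this example rather than HijackThis rules, surface the entries the replies argue about: an autostart binary that lives directly in the Windows directory rather than in system32 or Program Files (sdaemon.exe, winwd.exe), and a service whose binary HijackThis reports as having no owner or as missing (winser). The Kaspersky AVP service trips the "Unknown owner" rule too, and is only down-ranked because an O4 entry ([kis]) shows the same directory as an installed product. The sample lines are copied from the posted log; the severity labels are this example's own.

```python
"""Heuristic triage of HijackThis O4 (autostart) and O23 (service) entries.

Added example for this thread; not HijackThis code and not from any post.
The scoring rules below are assumptions of this example.
"""
import ntpath
import re
from typing import Dict, List

# Constructed sample input: single-line O4/O23 entries copied from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [kis] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [SDaemon] C:\WINDOWS\sdaemon.exe
O4 - HKLM\..\Run: [SWd] C:\WINDOWS\winwd.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: winser - Unknown owner - C:\WINDOWS\system32\winsersec.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# Windows directory itself, where only a handful of legitimate binaries live.
WINDOWS_ROOTS = {r"c:\windows", r"c:\winnt"}


def first_executable(command: str) -> str:
    """Return the program path from an O4 command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def service_executable(path_field: str) -> str:
    """Return the .exe path from an O23 path field, dropping arguments and
    HijackThis annotations such as '(file missing)'."""
    match = re.match(r"^(?P<exe>.+?\.exe)", path_field, re.IGNORECASE)
    return match["exe"] if match else path_field.strip()


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious O4/O23 entry with a severity and reason."""
    lines = [ln for ln in log_text.strip().splitlines() if ln.strip()]

    # Pass 1: directories of autostart programs installed under Program Files.
    # Assumption of this example: a service in such a directory is more likely
    # part of an installed product than a standalone dropped binary.
    product_dirs = set()
    for line in lines:
        m = O4_RE.match(line)
        if m:
            directory = ntpath.dirname(first_executable(m["cmd"])).lower()
            if directory.startswith(r"c:\program files"):
                product_dirs.add(directory)

    # Pass 2: apply the heuristics.
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = O4_RE.match(line)
        if m:
            exe = first_executable(m["cmd"])
            if ntpath.dirname(exe).lower() in WINDOWS_ROOTS:
                findings.append({"type": "O4", "name": m["name"], "path": exe,
                                 "severity": "high",
                                 "reason": "autostart binary sits directly in the Windows directory"})
            continue
        m = O23_RE.match(line)
        if not m:
            continue
        reasons = []
        if m["owner"] == "Unknown owner":
            reasons.append("no company/owner information on the service binary")
        if "(file missing)" in m["path"]:
            reasons.append("service points at a missing file")
        if not reasons:
            continue
        exe = service_executable(m["path"])
        in_product_dir = ntpath.dirname(exe).lower() in product_dirs
        findings.append({"type": "O23", "name": m["name"], "path": exe,
                         "severity": "low" if in_product_dir else "high",
                         "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:4}] {f['type']} {f['name']}: {f['path']} ({f['reason']})")
```

Run as a script it prints four findings: SDaemon and SWd (high), winser (high) and the Kaspersky AVP service (low). That last one is the instructive case: "Unknown owner" on its own is a weak signal and would have flagged a real security product, which is why a heuristic pass only prioritises what a person then checks, and why the replies in this thread send logs to analysis forums rather than acting on a single line.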
 
PA Bear

By Gentlemen's Agreement, we do not interpret HT logs in the public
newsgroups due to security issues, and few of us would recommend using
HTfix.de because of the very issue you've encountered. (There's more to do
than just have HT fix something.)

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v1.99.1
(http://aumha.org/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. **Post
your log to http://aumha.net/viewforum.php?f=30,
http://castlecops.com/forum67.html,
http://forums.subratam.org/index.php?showforum=7, or other appropriate
forums for expert analysis, not here.**
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), Aumha.org VSOP, DTS-L.org

Wesley Vogel

winsersec.exe is malware of some sort, get rid of it.

HijackThis log tutorial
http://www.spywareinfo.com/~merijn/htlogtutorial.html

HijackThis Log Tutorial
http://www.aumha.org/a/hjttutor.htm

How to use HijackThis to remove Browser Hijackers & Spyware
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42#warning

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Thaqalainnaqvi

Thanks for your concise answer. I posted here to find out whether XP SP2
needs system32\winsersec.exe, or whether it is malware, as others in the
thread have suggested.