Trojan Horse Wingor.A

Hi I know a thread has already been posted about this but I'm desperate....
My AVG antivirus found the wingor.A virus about 5 days ago, I run AVG and delete it and make sure it has been deleted from my system32 folder, but it is there everytime i start up my computer.
I have turned off system restore and also deleted the nicklist.txt file as told in the other thread but still is there.
Now when I start up and run AVG it says that it cannot be deleted.........
Please please help, this thing is driving me mad !!!!

 

Tryed that link and it found nothing despite AVG constantly telling me i had a virus! AVG is letting me delete it now, but still there when i start up the computer

 

some more info plz

what os are you using

what is the exact name or names of the files avg is reporting deleted

if you know them
do any of them show up in task manager or anywhere in your msconfig

 

I'm running xp home and AVG says it has remover updater.exe from the system32 folder, virus trojan horse wingor.A

I've just looked in msconfig and can't find anything that relates to this file or the trojan.
I have also just run 6 trojan removers and none of them have recognised it.

 

But i have just found it under processes in my task manager, if i end the process will this kill it u think???

 

this would only kill it temporarily
i would reccomend looking for this myself in safe mode and manually deleting it
make sure you have done this
in a normal window(not a browser) press the tools tab in the top taskbar then select folder options-view--check the show hidden files and folders option-and uncheck hide protected system operating files

 

donr that, but when i try and delete it the computer tells me access is denied and it cannot be deleted. slippery little bugger ain't it ! my AVG will no longer delete it either.

 

even in safe mode ?

then isuggest using this

http://www.diamondcs.com.au/index.php?page=dellater

 

I hate 2 sound thick, but i downloaded that file that u suggested but i cant find out how 2 work it, when i click on dellater.exe i just get a message saying usage:dellater.exe (filename)
Wot am i doing wrong?

 

http://www.majorgeeks.com/vb/showthread.php?t=26922&highlight=wingor.a

 

right, i did that and got a box up saying it was going to be deleted once rebooted, i rebooted and its still there !

 

ok carmed right tricky bugger this

everytime you start your machine does it re-establish itself in the running processes

you can not remove it either in safe mode or with dellater

does the nicklist txt file reappear as well

if yes to all these can you please download and run Hijack This save your log file and post it up here so we can have a look through and make theres not something else going on

 

right ok, i just tried it in safe mode again and it wasnt there at all so i restarted again and its back but its not in my running processes, the nicklist is back every time aswell.
i downloaded hijackthis anyway just in case though.

Logfile of HijackThis v1.97.7
Scan saved at 18:29:11, on 24/02/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CursorXP\CursorXP.exe
C:\Program Files\Kodak\KODAK Picture Transfer Software\pts.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\WINDOWS\twain_32\PUSH650C.exe
C:\Documents and Settings\Gail\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchalot.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.timecomputers.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\Status.exe
O4 - HKLM\..\Run: [IW_ControlCenter] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\Comets~1\DM\bin\DMServer.exe /onreboot
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [winregsrv] C:\WINDOWS\System32\winregsrv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
O4 - Global Startup: KODAK Picture Transfer Software.lnk = ?
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: PUSH650C.lnk = C:\WINDOWS\twain_32\PUSH650C.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.timecomputers.com
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

 

hi carmed what i want you to try is to use dellater to delete both those files on next reboot the exe and the nicklist so just start dellater twice and make sure you specify the full path to each file

next problem this is a trojan
O4 - HKLM\..\Run: [winregsrv] C:\WINDOWS\System32\winregsrv.exe
so guess what me need that whacked with dellater too

finally when you reboot to kill these ,reboot into safe mode then open regedit
start-run-type regedit-ok
then locate this key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
in the right window look for this
winregsrv %windir%\system\winregsvr.exe
select and delete this and while your there check also for any references to the updater exe if found delete these also

also get HJT to fix these
O2 - BHO: MyWay Search Assistant BHO - {04079851-5845-4dea-848C-3ECD647AA554} - C:\Program Files\MyWay\SrchAstt\1.bin\MYSRCHAS.DLL (file missing)

O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\Comets~1\DM\bin\DMServer.exe /onreboot
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB

and this unless you specifically chose this as your home page
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchalot.com/

someone else may spot something

sorry this seems a lot of work but it will be worth it in the end,anything your not sure of please just ask

 

Horray !!!!!!
It's all gone, everything working ok - again !
Ur a star
Thankyou so much, that virus was starting to send me mad ! ha ha
I can start sleeping at night now !

 

glad its gone carmed

dont be a stranger stick around majorgeeks is a great place to be