winzod32.exe removal

Welcome to Majorgeeks!

HijackThis is the last step not the first step!

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis
​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
  • Bitdefender
  • Panda Scan
  • HijackThis

.

 

You need to follow the READ & RUN ME from beginning to end completing all steps in order. Thus running you scans over again. Note your tools are out of date. Spybot 1.3 has not been used for more than a year. You better check Ad-Aware too. Click our links and verify you have the correct software versions and then get all updates too.

 

Actually Internet Explorer cannot and should not be truly uninstalled from a system. This is a bad idea if you did that (as you can see). Many, many websites will only work properly with IE. Especially Microsoft. Without IE, you cannot get all of your require Windows Updates and possibly other Microsoft software updates. [/quote]

Some one in the Software Forum may be able to give you some help with IE.

In the mean time, substitute the below for the instructions in step 6 of the READ ME and then continue onto step 7.

Running Ewido Anti-Malware - attach the requested log


Also run the below procedure and attach the newfiles.txt log.

Using ShowNew

 

You must not run multiple instances of HijackThis and you must post HijackThis logs from normal boot mode as per step 7 of the READ ME.

C:\DOCUME~1\MONIQU~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\Program Files\Spyware Tools\HijackThis.exe

Please get a new log (after doing the below steps too) from Normal Boot mode using only this one C:\Program Files\Spyware Tools\HijackThis.exe

Also make sure you have selected Normal Startup with MSconfig.

Also DISABLE Spybot's Teatimer as requested in the READ ME.

Now Disable Spybot's TeaTimer

• Run Spybot and click Mode
• Select Advanced Mode.
• Then click Tools and select Resident.
• Now in the right window pane, uncheck TeaTimer.
• Also while this is open, in the left column now select IE Tweaks
• and then in the right pane make sure all the Miscellaneous locks are unchecked.
• Now quit Spybot!

 

Make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZod32.exe
C:\Documents and Settings\Monique Meyer\Start Menu\Programs\Startup\WinZod32.exe

After killing all the above processes, click Back.
Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [winndata] C:\WINDOWS\SYSTEM32\zod32.exe
O4 - HKLM\..\RunServices: [Winupd] C:\WINDOWS\SYSTEM32\zod32.exe
O4 - HKLM\..\RunOnce: [Winupd] C:\WINDOWS\SYSTEM32\zod32.exe
O4 - HKLM\..\RunServicesOnce: [Winupd] C:\WINDOWS\SYSTEM32\zod32.exe
O4 - HKCU\..\Run: [Winupd] C:\WINDOWS\SYSTEM32\zod32.exe
O4 - HKCU\..\RunOnce: [Winupd] C:\WINDOWS\SYSTEM32\zod32.exe
O4 - Startup: WinZod32.exe
O4 - Global Startup: WinZod32.exe
O21 - SSODL: winup - C:\WINDOWS\SYSTEM32\zod32.exe - (no file)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZod32.exe
C:\Documents and Settings\Monique Meyer\Start Menu\Programs\Startup\WinZod32.exe
C:\WINDOWS\SYSTEM32\zod32.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
Now run Ccleaner (installed while running the READ ME FIRST).

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

Yes Norton/Symantec software. Be careful what you ask for, you just may get it. I'm only kidding, we don't particularly like Symantec because it is such a massive resource hog and we don't find it to be particularly good at blocking or fixing many malware issues. But if you are happy with it, keep it.

Is your copy of Ewido a free trial or a paid version? If free, you should uninstall it and keep Windows Defender.

If Ewido is a paid version, keep it, and uninstall Windows Defender.

You don't need the below to run at Startup either, so you can have HJT fix them. This will help improve performance and startup time.
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE



Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

Boot in safe mode and delete the file you mentioned:

c:\documents and setting\mm\application data\tvmcwrd.dll

If you cannot delete it, try renaming the file to tvmcwrd.ddd. Then reboot again and try to delete the tvmcwrd.ddd file.

It is part of Windows. See the below:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/shellcc/platform/shell/programmersguide/shell_basics/shell_basics_extending/custom.asp

You can delete it if you want but it is not a problem.

 

Did you follow the below instructions that were given in message number 15?

Do this now and tell me if you still get any messages from Norton.

You did not empty your Norton Quarantine as requested in step 0.

You can also delete the below which have nothing to do with the infection Norton found.
C:\WINDOWS\backup\TB041015.DAT
C:\WINDOWS\INF\biini.inf
C:\WINDOWS\INF\polall1r.inf

 

Not if you are no longer having any problems with things being detected.

No! The MS firewall is totally inadequate and would still have to be told what to allow in an out anyway. In most cases you should know that an executable is related to something that you just ran. In other cases, you can search Google or Excite for the file to determine what it is.

A site you may find useful is below:

http://www.liutilities.com/products/wintaskspro/processlibrary/

Another is below (click on the A to Z letters to look up the process your want to know about):

http://www.bleepingcomputer.com/startups/

 

You're welcome. Surf safely!