#1 (permalink)

Registered User
Join Date: Jul 2004
Posts: 2
OS: windows 2000

WIN MIN Error at shutdown
Hi everyone,

I'm getting a Win Min error at shutdown, and my homepage keeps resetting to a blank page by default. And some other aspects of my computer, such as viewing image files, are running very slowly. Could anyone possibly assist me? I'm running Windows 2000. Here's my Hijackthis log:

Logfile of HijackThis v1.97.7
Scan saved at 11:36:00 AM, on 7/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\NavNT\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\PROGRA~1\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\DSentry.exe
C:\WINNT\system32\sdsyhrc.exe
C:\WINNT\addins\libcab.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\stickies\stickies.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\Novell\GroupWise\GrpWise.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\SAP\FrontEnd\SAPGUI\saplogon.exe
C:\Documents and Settings\cchristensen\Desktop\Desktop Files\spyware cleaners\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50026
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\CCHRIS~1\LOCALS~1\Temp\bacbil.dat
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [DVDSentry] C:\WINNT\System32\DSentry.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vthirhlvu] C:\WINNT\system32\sdsyhrc.exe
O4 - HKLM\..\Run: [libcab] C:\WINNT\addins\libcab.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCScheduler.exe" /startup
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Startup: Stickies.lnk = C:\Program Files\stickies\stickies.exe
O4 - Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O9 - Extra button: AIM (HKLM)
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...197.3213194444

Any help would be appreciated.
#2 (permalink)

Analyst, Security Team

Welcome to TSF.

Make sure to update Internet Explorer at http://windowsupdate.microsoft.com. If you don’t have a fast internet connection, you can get the security update CD from Microsoft for free.

Go into HijackThis->Config->Misc. Tools->Check for update online to get version HiJackThis v1.98. If the server is down, get it at the bottom of this message or here.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box where it says “Turn off System Restore”. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it’s clean, you may turn it back on and create a new restore point.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also.

Go to this site for WinTools Removal instructions.

Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one:

C:\Program Files\Common files\WinTools\WToolsS.exe
C:\WINNT\system32\sdsyhrc.exe
C:\WINNT\addins\libcab.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Common Files\WinTools\WSup.exe

Make sure to close any open browsers you have.

Check and fix the following in HijackThis (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50026
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINNT\mxTarget.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINNT\systb.dll
O2 - BHO: (no name) - {60112085-E1CE-4e0e-823A-EBB1AD98804C} - C:\DOCUME~1\CCHRIS~1\LOCALS~1\Temp\bacbil.dat
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [vthirhlvu] C:\WINNT\system32\sdsyhrc.exe
O4 - HKLM\..\Run: [libcab] C:\WINNT\addins\libcab.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINNT\wupdt.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe

Reboot into Safe Mode (hit F8 key until menu shows up).

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINNT\mxTarget.dll
C:\WINNT\systb.dll
C:\WINNT\system32\sdsyhrc.exe
C:\WINNT\addins\libcab.exe
C:\WINNT\wupdt.exe
C:\Program Files\Common Files\WinTools\
C:\DOCUME~1\%USER_PROFILES%\LOCALS~1\Temp\ - go into all your user profiles and empty all the contents in their Temp folders

Reboot into Normal Mode.

Please download Adaware and install it. Make sure to update it when you run it. Also make sure to customize the settings in Adaware for better scan results.

Run an online virus scan at TrendMicro or RAV Antivirus. Select the Autoclean option if you use TrendMicro.

After that’s done, post a new HJT log file so we can make sure it’s clean.
__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.
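
The follow-up check requested at the end of the reply (a new log, compared against what was killed and fixed) can be partly scripted. The script below is an added example, not part of the original thread or of HijackThis; the function names and the follow-up log are constructed for illustration, while the two fix-list entries and two process paths are copied from the reply.

```python
import re

# Entry lines start with a section code such as R1, O2, O4 or O16.
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2})\s+-\s+(.+)$")

def parse_entries(text):
    """Return {(code, detail)} for entry lines; case and spacing normalized."""
    found = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            found.add((m.group(1), " ".join(m.group(2).split()).lower()))
    return found

def parse_processes(text):
    """Return lower-cased paths listed under 'Running processes:'."""
    procs, in_section = set(), False
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section and ENTRY_RE.match(line):
            break  # the first R/O entry ends the process list
        elif in_section and line:
            procs.add(line.lower())
    return procs

def leftovers(fix_list, killed, new_log):
    """Fix-list entries and killed processes that still appear in new_log."""
    entries = sorted(parse_entries(fix_list) & parse_entries(new_log))
    procs = sorted({p.lower() for p in killed} & parse_processes(new_log))
    return entries, procs

# Two fix-list entries and two process paths copied from the reply above.
FIX_LIST = r"""
O4 - HKLM\..\Run: [libcab] C:\WINNT\addins\libcab.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
"""
KILLED = [r"C:\WINNT\addins\libcab.exe",
          r"C:\Program Files\Common files\WinTools\WToolsA.exe"]

# Constructed follow-up log for illustration, not a real scan.
NEW_LOG = r"""
Running processes:
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
"""
```

Calling `leftovers(FIX_LIST, KILLED, NEW_LOG)` returns the WinTools autorun entry and its process, meaning the cleanup did not take for that item. Paths are compared as written apart from case, so an 8.3 short path such as `C:\PROGRA~1\...` will not match its long-form equivalent.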