Please help!

I'm setting up a small home network consisting of 3 computers: PC -
host (HPHOST), laptop (LAPTOP) and another PC (GAMEROOM).

I've just bought the computer thst I now treat as the host. Before that
I had a very small network - consisting of that laptop and the PC
(GAMEROOM) that served as a host.

I used before and still use a cable modem an a DL router. Everything
was working fine when I had two computers only in my network.

Now, with the changes, still the connection host-laptop works
perfectly. I can share the files and the printers (which by the way are
connected directly to the host). Both host and laptop show in the
Network Places the files I selected to be shared on the network. They
also show all of the computers in the workgroup - including tthe other
PC. I tried to send from a laptop a file to be printed and it worked
fine. So, this part of the network works very well.

However, I have problem with the other PC (GAMEROOM).
I've checked the properties of the network card and they look OK. There
is no problem with Internet connection on that PC - works fine. Strange
things is that when I I was setting up this part of the network, I sent
a file to be printed and it was printed! However now when I try it, it
doesn't work - the file doesn't go to the printer.

Still, the main reason I want to have this PC on the network is that I
have lots of important files there and want to use/transfer them to
current host, but it's impossible for now.

I selected those imported files and marked them as shared and they are
listed under My Network Places>Local Network of that PC (along with the
shared folders at the two other computers).

Also, when I click on view all computers of the workgroup, all 3
computers are listed there.

(But when I right click on GAMEROOM at either the host or laptop, I get
the message that it's not available or something like that - "Microsoft
Networking: The server GAMEROOM could not be found on the network").

All the shared network printers are listed in Printers & Faxes at the
GAMEROOM PC, but as I said, right now I can't print a file sent from
the GAMEROOM, although somehow it was possible at the beginning.

To verify that the network is working, I was trying (many times!) the
Network Setup Wizard, however each time I was getting an error message
at the end:

"Cannot complete the Network Setup Wizard.
An error occurred during configuration of the network on this computer.
You can configure your network manually, or you can run the wizard
again with different settings".

I looked for some answers on the Internet, and found out that ther may
be a problem with (ICF) - maybe because this PC was a host before??? -
or there is something wrong with WMI.

In fact, this may be the main problem, but I don't know how to solve
it. Here is what I know regarding WMI at the GAMEROOM computer:

- when I go to Network Connections>LAN or High-Speed
Internet>Properties>Advanced, I get this important (I'm afraid)
message: "Windowws cannot display the properties of this connection.
The WMI information might be corrupted. To correct this, use System
Restore to restore Windows to earlier time (called restore point)."
Note: I used SR, went 2 months back, but it didn't help, so I restored
it back...

- when I try My Computer>Manage>Services & Applications, I found there
- in the right column that WMI is NOT STARTED. Should it be started? Is
it possibly the cause??

Also, somewhere elseI got his error message:
"Unable to connect to WMI service '\\.\root\cimv2'

I think that's all. I would highly appreciate any help. Thanks in
advance!


Stan Hill

Hi there Stan.

Yup , wmi should be running. If you rightclick the wmi entry and select "start" does it run then? And if you rightclick it and select properties , what does it say after "startup type"? It should be set to automatic.

I have Startup type: Automatic
Status: Stopped
Should I click on Start to start it?
Please let me know.
Also, I'm sure I have the new type of Vundo, trying to get rid of it.
Can its presence have impact on WMI and on problems with setting up home network?
Thanks,
Stan

Yup , see if you can start it , and if it works then. If it does , then reboot youre pc to see if it also automaticly runs from then on.

And i havent heard or seen anything related about a vundo infection and this kind of problem , but lets kick that bugger out of there anyway ofcourse.


Please download VundoFix.exe from here , and save it to your desktop.

• Double-click VundoFix.exe to run it.
• Put a check next to Run VundoFix as a task.
• You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
• When VundoFix re-opens, click the Scan for Vundo button.
• Once it's done scanning, click the Remove Vundo button.
• You will receive a prompt asking if you want to remove the files, click YES
• Once you click yes, your desktop will go blank as it starts removing Vundo.
• When completed, it will prompt that it will shutdown your computer, click OK.
• Turn your computer back on.

Please post the contents of C:\vundofix.txt , and also post an HiJackThis log (see link below in my sig) then i can have a look if there is more malware on there.

Thanks, Joe5,
I tried to start WMI - I clicked on "Start this service" and got the error message:
"Could not start the WMI service on Local Computer.
Error 1068: The dependency service on group failed to start."

I downloaded and tried to use VundoFix - couple times. Every time it fails! As soon as I click on OK to confirm that it will close for a minute it disappears and never re-opens.

I did ewido scan overnight and just got the results - TERRIBLE!!!

see attached plus I enclose current HJT log

Note:
As you see from HJT, that awvtu.dll still is there, even though ewido said it was cleaned.
But now we know (from ewido) that there is somewhere also awvvu.dll and ssqrp.dll - not shown by HJT!
Still my question is - could that Trojan.Passview and Adware.Virtumonde create the networking problems I have?
How to really get rid of all of that?
Thanks in advance!

Stan

Attached Files

	hijackthis.log (8.6 KB, 3 views)
	Scan report_20060428.txt.txt (44.9 KB, 3 views)

Trojan.Passview has been very busy it seems... But so has Ewido.

And Virtumundo is the same as Vundo , they just use a different name , but we'll get that bugger in an other way , there are severall ways to kill a vundo infection.8)


Please download Process Explorer by Systernals from HERE.

Also download KillBox by Option^Explicit from HERE.

Then boot up in SAFE MODE and stay in safe mode (hit f8 when booting up), untill the entire fix is done.

Unzip Process Explorer and double click on procexp.exe

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of awvtu.dll once and then click the kill button.
After you have killed all of the awvtu.dll's under winlogon click OK.

Next In the top section of the Process Exlporer screen again , double click on explorer.exe and again click once on each instance of awvtu.dll then click the kill button.

Once you have done that click OK again.


Next run HijackThis and place a check beside each of the following:



Now click fix checked and close HijackThis.



Please copy the text in the quote below, and paste it into a blank notepad window.

Save it as vundo.reg and in the "save as" type box choose "all files".
Once you have saved it double click it and allow it to merge with the registry.


Double click on Killbox.exe and then check the delete on reboot button.

Enter the following filepath and filename into the Full path of file to delete box:

C:\WINDOWS\system32\awvtu.dll

Click the red circle with the white x and allow your computer to reboot.
(if killbox doesn't reboot on its own then please reboot manually)




And to try to fix the WMI problem (if the malware removal hasn't fixed it yet):

Extract (Open with Winrar, Winzip or similiar) file wbemoc.in_ from the full Windows CD i386 (or amd64) folder to Windows\inf folder then run (Start - Run) this:

rundll32 advpack.dll,LaunchINFSection wbemoc.inf, WBEM

When it asks for the files point it to the full Windows CD, i386 (or amd64) folder.
After it finishes copying, reboot the machine.


If that didn't help at first, get a tool called Dial-a-Fix.

In it, under Tools choose "Reset WMI" and Go.

Reboot after finished.

If maybe it still doesn't work then try this but be careful when tampering with the registry.

Repeat it all but first add to the end of the string (do not replace the whole string, just add to the end of it), this:

;%SystemRoot%\System32\Wbem

To the registry key using regedit (Start - Run - Regedit) under:

HKEY_LOCAL_MACHINE
\SYSTEM
\CurrentControlSet
\Control
\Session Manager
\Environment
\Path

So it looks something like:

%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\Sy stem32\Wbem



When done post a new hjt log please.