
Author Topic: Win32sl.exe, What is it ?  (Read 10395 times)


Jp

  • Guest
Win32sl.exe, What is it ?
« on: January 25, 2007, 05:39:08 PM »
Hello,

I have installed and uninstalled spyware detections and tried to rid my computer of the Trojan Downloader, and seemingly have made matters worse, I have discovered a TBON, a type of advertising download that somehow installed itself in my computer and have a suspicion that it has something to do with the Trojan Downloader.

When I started this malware investigation and tried to delete the Trojan Downloader there were about 8 entries before uninstalling the Active Virus Shield and others there must have been 30-40 entries, I have heard that this keeps getting worse.

I now have some instructions to use the Task manager to, "end process",
and I want to end the, Win32sl.exe process and understand that this will end the process until the next time I start.

Is this correct ? and can you tell me is this TBON related to the Trojan Malware ?

Jp







patio

  • Moderator


  • Genius
  • Maud' Dib
  • Thanked: 1769
    • Yes
  • Experience: Beginner
  • OS: Windows 7
Re: Win32sl.exe, What is it ?
« Reply #1 on: January 25, 2007, 06:12:57 PM »
It is related to Dell's Open Client package...See Here

Suggest DLoading and running AVG Anti-Spyware and run it in Safe Mode.
" Anyone who goes to a psychiatrist should have his head examined. "

Dusty



    Egghead

  • I could if she would, but she won't so I don't.
  • Thanked: 75
  • Experience: Beginner
  • OS: Windows XP
Re: Win32sl.exe, What is it ?
« Reply #2 on: January 25, 2007, 06:18:28 PM »
And for TBON see here.

What AV and firewall are you using :-?

Good luck
One good deed is worth more than a year of good intentions.

Jp

  • Guest
Re: Win32sl.exe, What is it ?
« Reply #3 on: January 25, 2007, 06:19:46 PM »
patio,

thanks, I see win32sl.exe is a process belonging to the Dell OpenManage Client Instrumentation software. It allows remote management application programs to access a client computer for maintenance purpose.
Scan Your PC including win32sl.exe to Detect any Security Threat

I have never had remote access of my computer, and don't know how or why it was installed unless it was stock.

My question is, . .  can some remote hacker access my computer ?

Also if I do a scan, do you recommend uninstalling the scan device afterwards ?

Jp





Jp

  • Guest
Re: Win32sl.exe, What is it ?
« Reply #4 on: January 25, 2007, 07:47:49 PM »
      (.......  What AV and firewall are you using :-?   ........)

Rusty thanks, . .

I am running as far as I know, . . since I deleted all other,

 ? a spy zapper ? that comes on every now and then and does a quick scan but I don't think it finds anything, and it is a part of the AOL systems, . . .

If sp2 has spyware, etc., I will have it I have downloaded it but can not figure or where it is yet unless MS is calling it Windows Hotfix (SP2) Q819696 ??
otherwise, I'm going to need something reliable and will check out stock computer stuff like McAfee.

Firewall !!!!! aaahhhh,  I'mmmmmmmm gonna need to look into that too.


I'll check out that TBON site.

Jp



« Last Edit: January 25, 2007, 07:50:32 PM by Jp »

dl65

  • R.I.P.


  • Prodigy

    Thanked: 18
    Re: Win32sl.exe, What is it ?
    « Reply #5 on: January 25, 2007, 09:52:53 PM »
    Jp.......  Would you please post a hijackthis logfile here so we may look at it.

    I hope that you have system restore turned off .

    dl65  ::)
    If you don't know the answer, it isn't a dumb question.

    Jp

    • Guest
    Re: Win32sl.exe, What is it ?
    « Reply #6 on: January 25, 2007, 10:10:20 PM »
    dl65,
    Systems restore, I don't know if it's on but, WHY???

    I will check into it right away and I will do the HYJT asap.

    Jp

    Jp

    • Guest
    Re: Win32sl.exe, What is it ?
    « Reply #7 on: January 25, 2007, 10:17:00 PM »
    dl65,

    I pulled up the systems Properties box from Systems file in Control Panel, . . .
    it reads, (box empty) Turn off systems restore, . .

    if it isn't supposed to be that way then what's going on and what's next?

    Jp

    Jp

    • Guest
    Re: Win32sl.exe, What is it ?
    « Reply #8 on: January 25, 2007, 10:56:44 PM »
    Logfile of HijackThis v1.99.1
    Scan saved at 12:58:13 AM, on 1/26/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
    C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
    C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
    C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\carpserv.exe
    C:\PROGRA~1\Compaq\COMPAQ~2\cpqdmi.exe
    C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
    C:\Program Files\Microsoft Works\WksSb.exe
    C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
    C:\Compaq\EAKDRV\EAUSBKBD.EXE
    C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE
    C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\WINDOWS\Downloaded Program Files\AtHoc.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    C:\WINDOWS\system32\netdde.exe
    C:\WINDOWS\system32\clipsrv.exe
    C:\PROGRA~1\RINGCE~1\RINGCE~1\R0FAXEDT.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Common Files\AOL\1143471933\ee\aolsoftware.exe
    C:\Program Files\America Online 9.0\waol.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\America Online 9.0\shellmon.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Documents and Settings\Joe Poole\Desktop\HijackThis.exe

    (continued in the next post)

    Jp

    • Guest
    Re: Win32sl.exe, What is it ?
    « Reply #9 on: January 25, 2007, 11:00:12 PM »

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/yessentials_cq/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: SST - {FFFFDA2C-A0D5-4D60-8EE1-1B7F8929E24D} - C:\Program Files\Lycos\sst.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: ThomasNet.com Toolbar - {46AE03C0-BCFA-4728-90E7-00EB4A8B3863} - C:\WINDOWS\Downloaded Program Files\AtHocTBr.DLL
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
    O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
    O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE
    O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
    O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
    O4 - HKLM\..\Run: [netdefense2003] C:\Documents and Settings\Joe Poole\Desktop\epc protector\netdefense.exe
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143471933\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
    O4 - HKLM\..\Run: [masqform.exe] C:\Program Files\PureEdge\Viewer 6.0\masqform.exe -UpdateCurrentUser
    O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\JOEPOO~1\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe -startup -product IncrediMail
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
    O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: ThomasNet.com Toolbar.LNK = ?
    (continued in next post)
    « Last Edit: January 25, 2007, 11:01:38 PM by Jp »

    Jp

    • Guest
    Re: Win32sl.exe, What is it ?
    « Reply #10 on: January 25, 2007, 11:00:50 PM »

    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
    O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1143817725593
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169617713187
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_3_16_0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4F7A1AF5-AB99-4CB3-8138-3C843F1ED6DA}: NameServer = 205.188.146.145
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
    O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
    O23 - Service: Compaq Local Alerter (CPQALERT) - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
    O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~2\cpqdmi.exe
    O23 - Service: Compaq DMI Web Agent (cpqWebDmi) - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
    O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe


    dl65

    • R.I.P.


    • Prodigy

      Thanked: 18
      Re: Win32sl.exe, What is it ?
      « Reply #11 on: January 25, 2007, 11:54:13 PM »
      Jp........ First of all ...... your system restore is turned on .....
      To turn it off , go to control panel and click on the system icon ...... when it opens select the system restore tab ....... now put a check mark in the box in front of turn off system restore on all drives..... click apply and restore .
      Please tell me again what programs you used to scan for viruses and trojans ?
      list the programs you used .
      Did you run these scans in the safe mode ?

      Do you ever use that Compaq computer management program ?

      You do not have SP2 installed ........... why not ?
      You also should D/L Prevx1  ......  http://info.prevx.com/pxparall.asp?PXC=40055688922      run it to remove Tbon.
      Use hijackthis to remove....
      O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML         this is deemed to be nasty.

      dl65  ::)
      « Last Edit: January 26, 2007, 12:04:42 AM by dl65 »
      If you don't know the answer, it isn't a dumb question.
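Added example, not part of any post in this thread: a small Python parser for the HijackThis v1.99.1 log format posted in replies #8 to #10, run over a few lines excerpted from that log. The function names and the two triage rules (entries the tool marks `(file missing)` or `(no file)`, and O4 autostart commands launching from a Temp directory) are assumptions chosen for illustration, not HijackThis features; `locate` shows where a named process such as Win32sl.exe runs from and which O23 service registers it.

```python
import re

# Lines excerpted from the HijackThis v1.99.1 log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: SST - {FFFFDA2C-A0D5-4D60-8EE1-1B7F8929E24D} - C:\Program Files\Lycos\sst.dll (file missing)
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\JOEPOO~1\LOCALS~1\Temp\ImInstaller\IncrediMail\incredimail_install[1].exe -startup -product IncrediMail
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # section code, then the entry text

def parse(log):
    """Split a HijackThis log into (platform, running processes, entries)."""
    platform, procs, entries, in_procs = None, [], [], False
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if line.startswith("Platform:"):
            platform = line.split(":", 1)[1].strip()
        elif line.startswith("Running processes:"):
            in_procs = True
        elif m:
            in_procs = False  # first R/O entry ends the process list
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            procs.append(line)
    return platform, procs, entries

def triage(entries):
    """Return (code, reason, text) for entries worth a manual look (assumed rules)."""
    findings = []
    for code, text in entries:
        low = text.lower()
        if low.endswith("(file missing)") or low.endswith("(no file)"):
            findings.append((code, "orphaned", text))  # registry points at nothing
        elif code == "O4" and re.search(r"\\(temp|locals~1)\\", low):
            findings.append((code, "autostart-from-temp", text))
    return findings

def locate(name, procs, entries):
    """Paths where `name` is running and where an O23 service registers it."""
    suffix = "\\" + name.lower()
    running = [p for p in procs if p.lower().endswith(suffix)]
    services = [t.rsplit(" - ", 1)[1] for c, t in entries
                if c == "O23" and t.lower().endswith(suffix)]
    return running, services
```

When the two lists returned by `locate` agree, the running image is the one the service registration points at; a process name that also runs from a path no service or startup entry accounts for is the case to investigate.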

      Jp

      • Guest
      Re: Win32sl.exe, What is it ?
      « Reply #12 on: January 26, 2007, 12:21:46 AM »
      dl65,

      I used the two programs from AOL. Active virus shield and another, and another, . . I'm sorry I'll try to locate that information for you.

      Please tell me;
      Since my systems restore is on what has this meant in the past,
      it does not appear that it has reverted to its previous state, . . or has it and I have not known about it, . .nothing seems to have changed, . ., as long as my document file is oK.

      Again, sorry, I know little about the safe mode. I'll look into it.

      The computer is presently running pretty good.

      No, I do not use the management program, but will look into it, as today I seem to be getting a glimmer of insight, as is much needed as I have used my computer mainly for internet connecting to business people and e-mail and fax communicating.

      Ultimately it has all caught up to me, and now I have to catch up.

      I'll try to get the list of programs.
      Appreciate your assistance.

      Jp






      dl65

      • R.I.P.


      • Prodigy

        Thanked: 18
        Re: Win32sl.exe, What is it ?
        « Reply #13 on: January 26, 2007, 12:41:51 AM »
        Jp........  ok...lets try this again.....
        I would like you to d/L the following programs:

        AVG Free anti virus.  http://free.grisoft.com/freeweb.php/doc/2/

        AVG Antispyware 7.5   http://free.grisoft.com/freeweb.php/doc/20/lng/us/tpl/v5

        Spybot Search and destroy 1.4   http://www.tucows.com/preview/310138

        Prevx ...... http://info.prevx.com/pxparall.asp?PXC=40055688922    you need this to remove Tbon

        Once you have them all downloaded and installed, get the latest updates for all of them.

        Now reboot into safe mode and run Prevx first ........
        then AVG anti virus
        then AVG antispyware
        Spybot

        shut off your pc .......
        start it up and As your computer restarts but before Windows launches, tap F8
        repeatedly until you see a list of how to start .....select SAFE mode.  let it load up and then run the scans ......... when all the scans are complete , reboot the pc and it will start in normal mode .

        Then you must get SP2.

        dl65  ::)
        If you don't know the answer, it isn't a dumb question.

        Jp

        • Guest
        Re: Win32sl.exe, What is it ?
        « Reply #14 on: January 26, 2007, 12:56:16 AM »
        dl65,
        Thanks, I'll try this.

        Before I shut down, . .  I'll d/L the 4 AV's and turn off
        Systems Restore, I really would like to know why this was on and why it seemingly had no effect ? . . . As I have also had this response leaving me a little confused ;

        System restore reverts your PC's drivers and registry settings back to a different date in time.
        System restore is important and extremely useful in situations where malware/spyware installs itself and corrupts your registry. You will do no harm turning it off (you will free up a lot of disk space if you do) but I would recommend keeping it on.

        Jp