Help my Winlogon.exe is infected


Solved Re: Help my Winlogon.exe is infected

Post by cristian_lorale on Fri Nov 28, 2008 9:13 pm

Alright, thanks man. I was about to go to Best Buy Geek Squad when I stepped upon this website in Yahoo Answers. It's better and simpler since I'm doing all the things on my computer in my house and not some other guy in a store.

cristian_lorale
Intermediate

Posts : 50
Joined : 2008-11-28
OS : windows xp home edition sp2
Points : 29318
Likes : 0


Solved Re: Help my Winlogon.exe is infected

Post by cristian_lorale on Fri Nov 28, 2008 9:28 pm

Spy Sweeper detected a program launching; it was something called Nah_shell.
It was in my Documents and Settings/Owner folder. I did a HijackThis log; can you check it out if it's another malware or trojan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:24, on 2008-11-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\Explorer.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [You must be registered and logged in to see this link.]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - (no file)
O2 - BHO: Compete ToolHelper - {55825511-174A-4b4e-84B7-69AAC4E294B6} - (no file)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {A7ECD556-D6F6-4F41-8C6B-14AB246801A0} (Secure Delivery) - [You must be registered and logged in to see this link.]
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - [You must be registered and logged in to see this link.]
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [You must be registered and logged in to see this link.]
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - [You must be registered and logged in to see this link.]
O24 - Desktop Component 1: (no name) - [You must be registered and logged in to see this link.]

--
End of file - 10678 bytes

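The HijackThis log in the post above lists svchost.exe both under C:\WINDOWS\system32 and under C:\WINDOWS\system32\drivers, with an HKCU Run entry pointing at the second copy. As an added example (not part of the thread and not any tool's own code), this Python script flags core Windows process names that run or autostart from outside their usual folder; the expected-folder table assumes a default XP install, and the sample lines are copied from that log.

```python
import ntpath
import re

# Assumption: default Windows XP layout, as in the log above.
EXPECTED_DIRS = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Lines copied from the HijackThis log in the post (abridged).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [SVCHOST.EXE] C:\WINDOWS\system32\drivers\svchost.exe
"""

# O4 autorun line: "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)


def exe_path(cmd):
    """Extract the executable path from an autorun command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        # Quoted path: everything up to the closing quote.
        return cmd[1:].split('"', 1)[0]
    # Unquoted path may contain spaces: cut after the first executable extension.
    m = re.match(r"(.+?\.(?:exe|com|bat|scr))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def check_path(source, path, findings):
    """Record the path if a known system file name sits in an unexpected folder."""
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    expected = EXPECTED_DIRS.get(name)
    # Bare names such as SOUNDMAN.EXE carry no folder and are skipped.
    if expected and folder and folder != expected:
        findings.append((source, path))


def find_masquerades(log_text):
    """Return (source, path) pairs for processes and O4 entries that look misplaced."""
    findings = []
    in_processes = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:
                in_processes = False  # a blank line ends the process list
            else:
                check_path("process", line, findings)
            continue
        m = O4_RE.match(line)
        if m:
            source = "O4 {hive} {key} [{name}]".format(**m.groupdict())
            check_path(source, exe_path(m.group("cmd")), findings)
    return findings


if __name__ == "__main__":
    for source, path in find_masquerades(SAMPLE_LOG):
        print(f"{source}: {path}")
```

A hit is a lead for review rather than a verdict: the name-and-folder check only says the file is not where Windows keeps the real one.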

Solved Re: Help my Winlogon.exe is infected

Post by Belahzur on Fri Nov 28, 2008 9:30 pm

Hello.
Guess I was wrong, it came back.
Probably winlogon.exe is the dropper.

Please delete your copy of combofix now and download a fresh copy, and run it without a CFScript.txt file, let's see what happens.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245069
Likes : 1


Solved Re: Help my Winlogon.exe is infected

Post by cristian_lorale on Fri Nov 28, 2008 9:38 pm

I'll bring the report in.


Solved Re: Help my Winlogon.exe is infected

Post by cristian_lorale on Fri Nov 28, 2008 9:41 pm

ComboFix won't start. I see it in my Task Manager but it's in Not Responding mode.


Solved Re: Help my Winlogon.exe is infected

Post by cristian_lorale on Fri Nov 28, 2008 9:43 pm

Send me a link to it, must've gotten a corrupted one.


Solved Re: Help my Winlogon.exe is infected

Post by Belahzur on Fri Nov 28, 2008 9:46 pm

[You must be registered and logged in to see this link.]

If this doesn't work also, don't worry. I have another idea and we can replace winlogon.exe at the same time, I think.



Solved Re: Help my Winlogon.exe is infected

Post by cristian_lorale on Fri Nov 28, 2008 9:48 pm

It's working, but do I continue with the ComboFix setup?


Solved Re: Help my Winlogon.exe is infected

Post by Belahzur on Fri Nov 28, 2008 9:52 pm

It shouldn't warn you about the recovery console since it's already installed.
Double click it to run it and let it run.



Solved Re: Help my Winlogon.exe is infected

Post by cristian_lorale on Fri Nov 28, 2008 10:03 pm

Here's the ComboFix log:

ComboFix 08-11-28.02 - Owner 2008-11-28 16:55:06.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2520 [GMT -5:00]
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\svchost.exe
c:\windows\system32\drivers\TDSSpaxt.sys
c:\windows\system32\TDSScfum.dll
c:\windows\system32\TDSSfxwp.dll
c:\windows\system32\TDSSnmxh.log
c:\windows\system32\TDSSnrsr.dll
c:\windows\system32\TDSSofxh.dll
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.log
c:\windows\system32\TDSSriqp.dll
c:\windows\system32\TDSSsbhc.dll
c:\windows\system32\TDSStkdv.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.

2008-11-28 16:20 . 2008-11-28 16:20 80,384 --a------ c:\documents and settings\Owner\nah_kxes.exe
2008-11-28 15:12 . 2008-11-28 16:46 d-------- C:\ComboFix
2008-11-28 14:11 . 2008-11-28 14:12 d-------- c:\windows\ERUNT
2008-11-28 14:10 . 2004-08-27 04:54 d-------- c:\documents and settings\Administrator.GATEWAY506GR\WINDOWS
2008-11-28 14:10 . 2006-07-28 22:54 d-------- c:\documents and settings\Administrator.GATEWAY506GR\Application Data\SampleView
2008-11-28 14:10 . 2006-07-28 22:56 d-------- c:\documents and settings\Administrator.GATEWAY506GR\Application Data\McAfee
2008-11-28 14:10 . 2008-11-28 14:11 d-------- c:\documents and settings\Administrator.GATEWAY506GR
2008-11-28 14:05 . 2008-11-28 14:52 d-------- C:\SDFix
2008-11-28 12:10 . 2008-11-28 12:10 d-------- C:\-Combo-Fix-
2008-11-28 12:05 . 2008-11-28 12:05 d-------- c:\program files\Trend Micro
2008-11-27 20:27 . 2008-11-28 12:39 28 --a------ c:\windows\ODBC.INI
2008-11-27 16:36 . 2008-11-27 16:36 d-------- c:\program files\SystemRequirementsLab
2008-11-02 14:06 . 2008-11-02 14:06 d-------- c:\program files\EA GAMES

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-28 21:08 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-28 17:39 --------- d-----w c:\program files\Webroot
2008-11-28 04:35 --------- d-----w c:\program files\Steam
2008-11-27 21:36 --------- d-----w c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2008-11-27 15:41 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-03 02:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-12 17:54 --------- d-----w c:\program files\Common Files\Adobe
2008-10-12 17:53 --------- d-----w c:\program files\Bonjour
2008-10-12 17:50 --------- d-----w c:\program files\Aftereffects
2008-10-12 17:45 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-10-11 17:41 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-02 23:04 22,328 ----a-w c:\documents and settings\Owner\Application Data\PnkBstrK.sys
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-29 22:28 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-30 01:06 1,350,664 ----a-w c:\windows\system32\msxml6.dll
2008-08-29 01:12 98,304 ----a-w c:\windows\system32\CmdLineExt.dll
2008-03-19 21:52 389,120 ----a-w c:\documents and settings\Owner\GoToAssist_phone__268_en.exe
2007-11-06 23:06 10 ----a-w c:\documents and settings\All Users\Application Data\mmrpplic.dat
2006-12-10 23:27 852 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2006-12-06 01:08 12 ----a-w c:\documents and settings\Owner\USERDATA.DAT
2007-03-08 22:21 0 -csha-w c:\windows\SMINST\HPCD.sys
2007-05-24 02:41 772,384 --sha-w c:\windows\system32\drivers\fidbox.dat
2007-05-24 02:41 287,008 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-08-25 3321344]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2007-06-01 100056]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"SSC_UserPrompt"="c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 218240]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NAV CfgWiz"="c:\program files\Norton AntiVirus\CfgWiz.exe" [2004-08-17 132248]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"SoundMan"="SOUNDMAN.EXE" [2004-09-23 c:\windows\SOUNDMAN.EXE]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-24 c:\windows\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 c:\windows\system32\narrator.exe]

c:\documents and settings\marcos\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\blademasterchris\\half-life\\hl.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\sessmgr.exe"=

S3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-11-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\odrecyvm.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - [You must be registered and logged in to see this link.]
FireFox -: prefs.js - STARTUP.HOMEPAGE - [You must be registered and logged in to see this link.]
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF -: plugin - c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-11-28 16:58:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSpaxt.sys"
.
Completion time: 2008-11-28 16:59:38
ComboFix-quarantined-files.txt 2008-11-28 21:59:22

Pre-Run: 160,657,334,272 bytes free
Post-Run: 160,638,791,680 bytes free

159 --- E O F --- 2008-11-27 15:42:58


Solved Re: Help my Winlogon.exe is infected

Post by Belahzur on Fri Nov 28, 2008 10:21 pm

Good news, I DON'T see any alert about winlogon being infected this time.
Let's get this cleaned up.

Now open a new notepad file.
Input this into the notepad file:

File::
c:\documents and settings\Owner\nah_kxes.exe

Registry::
[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\TDSSserv.sys]

Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:


This will open combofix.exe again, agree to its terms and allow it to run, it may want to reboot after it's done. Post the resulting log back here.


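The Registry:: entry in the script above names the service key that the first ComboFix log still showed with an imagepath pointing at c:\windows\system32\drivers\TDSSpaxt.sys, a file in that log's "Other Deletions" list. As an added example (not part of the thread and not ComboFix's own logic), this Python script finds such leftover service keys in a ComboFix-style log; the sample is abridged from that log with shortened section banners, and mapping \systemroot to c:\windows is an assumption.

```python
import re

# Assumption: SystemRoot is c:\windows, matching the paths in the log above.
SYSTEM_ROOT = r"c:\windows"

# Abridged from the first ComboFix log in the thread (banner lines shortened).
SAMPLE_LOG = r"""
((((((((( Other Deletions )))))))))
.

c:\windows\system32\drivers\svchost.exe
c:\windows\system32\drivers\TDSSpaxt.sys
c:\windows\system32\TDSScfum.dll

.
((((((((( Drivers/Services )))))))))
.

-------\Service_TDSSSERV.SYS
-------\Legacy_TDSSSERV.SYS

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\TDSSserv.sys]
"imagepath"="\systemroot\system32\drivers\TDSSpaxt.sys"
.
"""

# A service key under any control set, e.g. [HKEY_LOCAL_MACHINE\system\ControlSet003\Services\<name>]
KEY_RE = re.compile(
    r"^\[(?P<key>(?:HKEY_LOCAL_MACHINE|HKLM)\\.*\\Services\\[^\\\]]+)\]$", re.I
)
VALUE_RE = re.compile(r'^"imagepath"="(?P<path>.*)"$', re.I)


def normalize(path):
    """Lower-case a path and expand the NT prefixes seen in ImagePath values."""
    p = path.strip().lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    for prefix in ("\\systemroot\\", "%systemroot%\\"):
        if p.startswith(prefix):
            p = SYSTEM_ROOT + "\\" + p[len(prefix):]
    if p.startswith("system32\\"):
        p = SYSTEM_ROOT + "\\" + p
    return p


def deleted_files(log_text):
    """Collect the file paths listed in the 'Other Deletions' section."""
    found, in_section = set(), False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("((("):
            # Every banner line starts a new section; only one is of interest.
            in_section = "other deletions" in line.lower()
        elif in_section and re.match(r"^[a-z]:\\", line, re.I):
            found.add(normalize(line))
    return found


def service_image_paths(log_text):
    """Yield (service key, imagepath value) pairs from registry dumps in the log."""
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group("key") if m else None
        elif current:
            v = VALUE_RE.match(line)
            if v:
                yield current, v.group("path")


def orphaned_service_keys(log_text):
    """Service keys whose imagepath points at a file the same log reports as deleted."""
    removed = deleted_files(log_text)
    return [
        (key, path)
        for key, path in service_image_paths(log_text)
        if normalize(path) in removed
    ]


if __name__ == "__main__":
    for key, path in orphaned_service_keys(SAMPLE_LOG):
        print(f"[{key}] -> {path}")
```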

Solved Re: Help my Winlogon.exe is infected

Post by cristian_lorale on Fri Nov 28, 2008 10:34 pm

ComboFix 08-11-28.02 - Owner 2008-11-28 17:22:02.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2515 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFixer.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFscript.txt
* Created a new restore point

FILE ::
c:\documents and settings\Owner\nah_kxes.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\nah_kxes.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.

2008-11-28 15:12 . 2008-11-28 16:46 d-------- C:\ComboFix
2008-11-28 14:11 . 2008-11-28 14:12 d-------- c:\windows\ERUNT
2008-11-28 14:10 . 2004-08-27 04:54 d-------- c:\documents and settings\Administrator.GATEWAY506GR\WINDOWS
2008-11-28 14:10 . 2006-07-28 22:54 d-------- c:\documents and settings\Administrator.GATEWAY506GR\Application Data\SampleView
2008-11-28 14:10 . 2006-07-28 22:56 d-------- c:\documents and settings\Administrator.GATEWAY506GR\Application Data\McAfee
2008-11-28 14:10 . 2008-11-28 14:11 d-------- c:\documents and settings\Administrator.GATEWAY506GR
2008-11-28 14:05 . 2008-11-28 14:52 d-------- C:\SDFix
2008-11-28 12:10 . 2008-11-28 12:10 d-------- C:\-Combo-Fix-
2008-11-28 12:05 . 2008-11-28 12:05 d-------- c:\program files\Trend Micro
2008-11-27 20:27 . 2008-11-28 12:39 28 --a------ c:\windows\ODBC.INI
2008-11-27 16:36 . 2008-11-27 16:36 d-------- c:\program files\SystemRequirementsLab
2008-11-02 14:06 . 2008-11-02 14:06 d-------- c:\program files\EA GAMES

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-28 21:08 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-28 17:39 --------- d-----w c:\program files\Webroot
2008-11-28 04:35 --------- d-----w c:\program files\Steam
2008-11-27 21:36 --------- d-----w c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2008-11-27 15:41 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2008-11-03 02:00 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-12 17:54 --------- d-----w c:\program files\Common Files\Adobe
2008-10-12 17:53 --------- d-----w c:\program files\Bonjour
2008-10-12 17:50 --------- d-----w c:\program files\Aftereffects
2008-10-12 17:45 --------- d-----w c:\program files\Common Files\Macrovision Shared
2008-10-11 17:41 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-02 23:04 22,328 ----a-w c:\documents and settings\Owner\Application Data\PnkBstrK.sys
2008-09-29 22:28 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2008-03-19 21:52 389,120 ----a-w c:\documents and settings\Owner\GoToAssist_phone__268_en.exe
2007-11-06 23:06 10 ----a-w c:\documents and settings\All Users\Application Data\mmrpplic.dat
2006-12-10 23:27 852 ----a-w c:\documents and settings\Owner\Application Data\wklnhst.dat
2006-12-06 01:08 12 ----a-w c:\documents and settings\Owner\USERDATA.DAT
2007-03-08 22:21 0 -csha-w c:\windows\SMINST\HPCD.sys
2007-05-24 02:41 772,384 --sha-w c:\windows\system32\drivers\fidbox.dat
2007-05-24 02:41 287,008 --sha-w c:\windows\system32\drivers\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeper.exe" [2004-08-25 3321344]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2007-06-01 100056]
"SunKistEM"="c:\program files\Digital Media Reader\shwiconem.exe" [2004-10-18 135168]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 36975]
"SSC_UserPrompt"="c:\program files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 218240]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-13 212992]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"NAV CfgWiz"="c:\program files\Norton AntiVirus\CfgWiz.exe" [2004-08-17 132248]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-13 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-13 163840]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-13 135168]
"SoundMan"="SOUNDMAN.EXE" [2004-09-23 c:\windows\SOUNDMAN.EXE]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-24 c:\windows\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 c:\windows\system32\narrator.exe]

c:\documents and settings\marcos\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Steam\\steamapps\\blademasterchris\\half-life\\hl.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"%windir%\\system32\\sessmgr.exe"=

S3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys []
.
Contents of the 'Scheduled Tasks' folder

2008-11-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-11-28 17:26:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mchInjDrv]
"ImagePath"="\??\c:\docume~1\Owner\LOCALS~1\Temp\mc22.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
c:\program files\Webroot\Spy Sweeper\sis.dll

- - - - - - - > 'lsass.exe'(780)
c:\program files\Webroot\Spy Sweeper\sis.dll

- - - - - - - > 'csrss.exe'(700)
c:\program files\Webroot\Spy Sweeper\sis.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Windows Defender\MsMpEng.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Norton AntiVirus\NAVAPSVC.EXE
c:\program files\Norton AntiVirus\IWP\NPFMNTOR.EXE
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
.
**************************************************************************
.
Completion time: 2008-11-28 17:30:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-28 22:30:10
ComboFix2.txt 2008-11-28 21:59:39

Pre-Run: 160,599,711,744 bytes free
Post-Run: 160,580,595,712 bytes free

150 --- E O F --- 2008-11-27 15:42:58

Post by cristian_lorale on Fri Nov 28, 2008 10:36 pm

Btw, can you give me a list of programs I can use to protect my computer from this happening again, free programs?

Post by Belahzur on Fri Nov 28, 2008 10:36 pm

Yes, I will do, but let's get this clean first.
Leftover to get rid of.


  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mchInjDrv]

  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.

====

Download [You must be registered and logged in to see this link.]

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.

If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

How is the machine now?


Back to top Go down
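
The check behind the fix.reg step above, as an added example that is not part of the original posts: it scans ComboFix-style registry output for service keys whose ImagePath points into a Temp directory (as mchInjDrv does in the posted log) and builds the matching deletion .reg text. The ExampleDrv and ExampleTmpSvc keys and all function names are constructed for illustration.

```python
import re

# Excerpt in the layout of the ComboFix log above. The mchInjDrv entry is from
# the posted log; the other two keys are constructed for contrast.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\mchInjDrv]
"ImagePath"="\??\c:\docume~1\Owner\LOCALS~1\Temp\mc22.tmp"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ExampleDrv]
"ImagePath"="system32\DRIVERS\example.sys"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ExampleTmpSvc]
"ImagePath"="C:\WINDOWS\Temp\svc1.exe"
'''

# A service key directly under ...\<control set>\Services (no subkeys).
KEY_RE = re.compile(
    r'^\[(HKEY_LOCAL_MACHINE\\System\\[^\\\]]+\\Services\\[^\\\]]+)\]$', re.I)
VALUE_RE = re.compile(r'^"ImagePath"="(.*)"$', re.I)
# Any path component named Temp; service binaries rarely belong there.
TEMP_RE = re.compile(r'\\temp\\', re.I)


def find_temp_services(log_text):
    """Return [(service_key, image_path)] where ImagePath is under a Temp dir."""
    hits, key = [], None
    for line in log_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if line.startswith('['):
            key = None  # another key: stop attributing values to a service
            continue
        v = VALUE_RE.match(line)
        if key and v and TEMP_RE.search(v.group(1)):
            hits.append((key, v.group(1)))
    return hits


def build_fix_reg(hits):
    """Build .reg text that deletes each flagged key, in the form fix.reg uses."""
    lines = ['Windows Registry Editor Version 5.00', '']
    for key, _ in hits:
        lines += ['[-' + key + ']', '']
    return '\r\n'.join(lines)
```

A Temp-directory ImagePath is a reason to review the entry, not a verdict; confirm what the file is before merging the generated .reg text.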

Post by cristian_lorale on Fri Nov 28, 2008 10:46 pm

ATF cleaned 15.15 MB of memory and also my computer is going faster than last time. One more question before I leave: do you work for a computer solving company? Because you got a professional site here, man, and your solutions do work. Oh yeah, can you also list the top programs I need to stay safe from this happening again?

Post by Belahzur on Fri Nov 28, 2008 10:51 pm

Nope, I offer my time and services here for free.

We need to make a new restore point.

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Now we need to make a new restore point.
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Click the Turn off System Restore check box (To turn on System Restore), and then click OK.
===

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to [You must be registered and logged in to see this link.] and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

[You must be registered and logged in to see this link.]
A tutorial on using Ad-Aware to remove spyware from your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using Spybot to remove spyware from your computer may be found [You must be registered and logged in to see this link.]. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

[You must be registered and logged in to see this link.]
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found [You must be registered and logged in to see this link.].

[You must be registered and logged in to see this link.]
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found [You must be registered and logged in to see this link.].

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
[You must be registered and logged in to see this link.]

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

5) Finally, consider maintaining a firewall. Some good free firewalls are [You must be registered and logged in to see this link.], or [You must be registered and logged in to see this link.]
A tutorial on understanding and using firewalls may be found [You must be registered and logged in to see this link.].

Please also read Tony Klein's excellent article: [You must be registered and logged in to see this link.]

Hopefully this should take care of your problems! Good luck.


Post by cristian_lorale on Fri Nov 28, 2008 11:02 pm

Wait, do I need to install Service Pack 3?

Post by Belahzur on Fri Nov 28, 2008 11:06 pm

You can do if you want to, I'd recommend it. SP3 has more updates and bug fixes than SP2.


Post by cristian_lorale on Fri Nov 28, 2008 11:14 pm

One more thing, I chose Spybot Search and Destroy and it kinda looks like one of those fake protection programs. Are you sure it's safe?

Post by Belahzur on Fri Nov 28, 2008 11:15 pm

Yes.
I know there is a full version if you pay for it, but trust me. Spybot is legit.
If you don't want Spybot, I can recommend two more good scanners for free.


Post by cristian_lorale on Fri Nov 28, 2008 11:19 pm

I trust your word, man. Once again, thank you, and I'll keep in touch with you guys. Right on!

Post by Belahzur on Fri Nov 28, 2008 11:19 pm

Heh, glad I could help.


Post by Doctor Inferno on Fri Dec 05, 2008 3:26 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.

