Winlogon.exe

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Panther270, Feb 11, 2004.

  1. Panther270

    Panther270 Private E-2

    Sorry to bother you guys, but I run a PC with a 350 MHz processor, 38 meg RAM, with Windows 98SE. I have this program writing/running to my drive, preventing me from running programs and interfering with my internet. I downloaded a program from here called Task Info. It revealed to me that Winlogon.exe was the program in question, and it said there are 3 of them running. I saw that it is a part of Windows, and it's a hidden file. So I marked it as viewable in its properties option, and clicked all 3 to view them, only to find 1 listed in my Windows folder. Is it possible that I had a virus that cloned this program? Is it necessary to have the program running? Is there a way of de-cloning it? Or is there a way to just get rid of it? Please help!!! Thank you very much.
     
  2. alanc

    alanc MajorGeek

    I sure hope that's a typo... might you mean 384MB RAM?
    What exact folder is it running in?
     
  3. Panther270

    Panther270 Private E-2

    OMG, I just noticed it lol, it's 384 MB lol. Sorry.

    It's running in the Windows folder. Not in any subfolders.
     
  4. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Did you look at the link provided by star 17?

    Edit: also, if you use the search from your Start menu for winlogon.exe, can you post the exact directories they are located in,
    like C:\Windows\system32?
    You may need to search hidden files and folders as well.
     
    Last edited: Feb 12, 2004
  5. Panther270

    Panther270 Private E-2

    Yes I did look. As far as the directory for my Winlogon.exe it reports it as C:\Windows

    The only exe I found in System32 was an exe called FService.exe.

    Any more help I can provide, please let me know. This won't even let me run my virus scan now.
     
  6. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Which virus scanner are you using?
     
  7. Panther270

    Panther270 Private E-2

  8. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Try an online scan here:
    http://housecall.trendmicro.com/

    Can you run your anti-virus in safe mode (press F8 when booting up)?

    Turn off your System Restore before scanning:
    Start - Programs - Accessories - System Tools - System Restore - System Restore Settings - then check the box to turn off - Apply - OK
     
  9. Panther270

    Panther270 Private E-2

    Going to trend micro right now. If no luck I'll try safe mode. Will report results as soon as I'm finished. By the way....Thank you for all your help!
     
  10. Panther270

    Panther270 Private E-2

    Ok, Trend Micro did not find anything wrong, and when I went to safe mode, the winlogon.exe and 2 clones interfered with my own virus scan again. I really do think it's a virus, cause I am also getting mailer daemon email saying my emails were undeliverable, but I never sent any. I am about to go nucking futz!!!!!
     
  11. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Ok, we really need to see what's running to be able to remove it. Can you go here and download this:
    http://www.majorgeeks.com/download3155.html

    Unzip the file and run it, then save your log and post it in here.

    Don't panic, we'll get there :)
     
  12. alanc

    alanc MajorGeek

    General Lee, no System Restore in Win98...;)

    It is. As per Star's link above, c:\windows\winlogon.exe is a file dropped by a virus; the problem is that we don't know which virus without more info. HijackThis will hopefully give us a better idea.

    The c:\windows\system\winlogon.exe file is the genuine (necessary) Windows file. Ya don't wanna mess with that.
     
  13. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Glad you dropped by, alan.
    Didn't even look, assumed she was on XP :rolleyes:

    Glad you agreed about HijackThis; I didn't want to touch any files till we could nail it down.
    I've got to crash fairly soon, so hopefully you can step in here and see it through. I'll look back in tomorrow.

    @panther hope you get it sorted real soon.

    And don't worry, you're in good hands with alanc.
     
  14. Panther270

    Panther270 Private E-2

    Thank you again General Lee, and hi Alan. As Alice Cooper's song title states, "Welcome to my nightmare." LOL Ok, I got the report for you two. Here it goes:

    Logfile of HijackThis v1.97.7
    Scan saved at 6:56:56 PM, on 2/12/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\AGRSMMSG.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\WINLOGON.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ASUS\PROBE\ASUSPROB.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\WINDOWS\WINLOGON.EXE
    C:\WINDOWS\WINLOGON.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system\sservice.exe
    F1 - win.ini: run=C:\WINDOWS\system\sservice.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [Atikey] Atitask.exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [agrsmMSG] agrsmMSG.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Winsafe] C:\WinSafe\Safe.exe
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
    O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
    O9 - Extra button: PhoenixNet (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37982.7191087963
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/1,5,0,4322/mcfscan.cab

    Good Luck!
     
  15. alanc

    alanc MajorGeek

    Panther, close all browser windows, and in HijackThis, check these lines:

    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system\sservice.exe
    F1 - win.ini: run=C:\WINDOWS\system\sservice.exe

    and click "Fix checked" - then reboot and delete these files:

    c:\WINDOWS\winlogon.exe
    c:\WINDOWS\SYSTEM\sservice.exe
    c:\WINDOWS\SYSTEM32\fservice.exe

    Then run your anti-virus and see what it finds, if anything. If you're still having problems, run HijackThis again and post a new logfile here.
     
  16. Panther270

    Panther270 Private E-2

    Ok. I did it. I went into my C drive after I booted and tried to delete them. They kept reappearing after I deleted them, and winlogon won't let me delete it cause it says it's being used by Windows. Still got three winlogons running, and my anti-virus is still being interfered with. LOL Here is the new report from HijackThis:

    Logfile of HijackThis v1.97.7
    Scan saved at 7:41:21 PM, on 2/12/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\AGRSMMSG.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\WINLOGON.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ASUS\PROBE\ASUSPROB.EXE
    C:\WINDOWS\WINLOGON.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\WINDOWS\WINLOGON.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\PALTALK\PNETAWARE.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R3 - URLSearchHook: (no name) - _{A045DC85-FC44-45be-8A50-E4F9C62C9A84} - (no file)
    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system\sservice.exe
    F1 - win.ini: run=C:\WINDOWS\system\sservice.exe
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NavErrRedir Class - {0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [Atikey] Atitask.exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [agrsmMSG] agrsmMSG.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Winsafe] C:\WinSafe\Safe.exe
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
    O9 - Extra button: PhoenixNet (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37982.7191087963
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class)
     
  17. alanc

    alanc MajorGeek

    Looks the same as before :confused:

    Ok, let me take a closer look. Anyone else feel free to jump in here, I've got to step away for awhile...
     
  18. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Hi there, sorry, it's really late here in the UK and I've been working on something.

    There's obviously something very naughty going on here. In the past I've found that removing the hard drive, putting it in another PC as a slave, then running some anti-virus on it and deleting those files has done the trick.

    So do you by any chance have access to another machine you can perform a scan on?

    I'll drop by again tomorrow, but I really need to get to bed.
     
  19. Panther270

    Panther270 Private E-2

    Hey Gen. Thanks again for lookin' in. Unfortunately my other PC has been incorporated into this one, and the leftovers were laid to waste in the garbage. :(
     
  20. alanc

    alanc MajorGeek

    This is a tough one to nail down - or maybe I'm just having a brain fart. :rolleyes:

    General, here are the links to what I've found, apparently a trojan called Backdoor.ProRat (1.0, 1.1, or 1.3), hopefully you can come up with a removal procedure from this mishmash of info, and what hasn't worked up until now.

    http://www.megasecurity.org/trojans/p/prorat/Prorat1.0complete.html
    http://www.megasecurity.org/trojans/p/prorat/Prorat1.1.html
    http://www.megasecurity.org/trojans/p/prorat/Prorat1.3.html
    http://www.resellerratings.com/forum/t97015.html (see Welshie's posts)

    These are the affected lines in the HijackThis log. Sounds like win.ini and system.ini need to be edited manually.

    F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system\sservice.exe
    F1 - win.ini: run=C:\WINDOWS\system\sservice.exe

    These files need to be nuked:

    c:\WINDOWS\winlogon.exe
    c:\WINDOWS\SYSTEM\sservice.exe
    c:\WINDOWS\SYSTEM32\fservice.exe

    And possibly these (if they exist):

    c:\WINDOWS\SYSTEM\winkey.dll
    c:\WINDOWS\SYSTEM\ktd32.atm

    And there are some registry entries (see above links) that need to be deleted...
     
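The indicators alanc pulls out of the log above (a winlogon.exe running from C:\WINDOWS instead of the genuine C:\WINDOWS\SYSTEM location, a system.ini Shell= line that chains an extra executable after Explorer.exe, and a win.ini run= autostart) can be checked mechanically. The following triage script is an added example written for this thread, not a tool from the thread or from HijackThis; the log excerpt it parses is constructed from the lines posted above, and the "genuine" winlogon path is taken from alanc's post.

```python
"""Triage a HijackThis 1.97-style log for the ProRat-type indicators
discussed in this thread (added example, not part of the original thread)."""
import re
from collections import Counter

# Location of the genuine Win9x winlogon.exe, as stated by alanc above.
GENUINE_WINLOGON = r"c:\windows\system\winlogon.exe"

# Constructed excerpt modelled on the first log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows 98 SE (Win9x 4.10.2222A)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\WINLOGON.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\WINLOGON.EXE
C:\WINDOWS\WINLOGON.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system\sservice.exe
F1 - win.ini: run=C:\WINDOWS\system\sservice.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
"""


def parse_log(text):
    """Split a HijackThis log into (process_paths, [(item_code, body), ...])."""
    processes, items = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = re.match(r"^([A-Z]\d+) - (.*)$", line)
        if m:                      # first Rx/Fx/Ox item ends the process list
            in_procs = False
            items.append((m.group(1), m.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, items


def triage(text):
    """Return (severity, indicator, detail) findings for one log."""
    processes, items = parse_log(text)
    findings = []
    # 1. winlogon.exe anywhere but the genuine folder is the dropped copy;
    #    the count shows how many instances were running (three, above).
    counts = Counter(p.lower() for p in processes)
    for path, n in counts.items():
        if path.endswith("\\winlogon.exe") and path != GENUINE_WINLOGON:
            findings.append(("high", "rogue-winlogon", f"{path} x{n}"))
        elif n > 1 and path.endswith(".exe"):
            findings.append(("low", "duplicate-process", f"{path} x{n}"))
    for code, body in items:
        # 2. F0: Shell= should name Explorer.exe and nothing else; a second
        #    token is a program started alongside the shell (sservice.exe).
        if code == "F0":
            m = re.search(r"shell=(.*)$", body, re.I)
            parts = m.group(1).split() if m else []
            if parts and parts[0].lower() != "explorer.exe":
                findings.append(("high", "shell-replaced", " ".join(parts)))
            elif len(parts) > 1:
                findings.append(("high", "shell-chained", " ".join(parts[1:])))
        # 3. F1: win.ini run= / load= are empty on a clean machine.
        elif code == "F1":
            m = re.search(r"(run|load)=(.*)$", body, re.I)
            if m and m.group(2).strip():
                findings.append(("high", "winini-autorun", m.group(2).strip()))
    return findings


if __name__ == "__main__":
    for sev, kind, detail in triage(SAMPLE_LOG):
        print(f"[{sev}] {kind}: {detail}")
```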
  21. Panther270

    Panther270 Private E-2

    I think this is going in the right direction, Alan. I just clicked the first link on your list for Prorat, and if I am not mistaken it says it has something to do with DirectX? I keep getting an update from Microsoft for a security patch for my DirectX, but after I download it... Microsoft says I still need the same patch, like I never downloaded it. So it seems I am being prevented from getting this patch? Any help?
     
  22. Panther270

    Panther270 Private E-2

    Also, Welshie's problem sounds like an exact duplicate of mine.
     
  23. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Great job, alanc.
    Panther, you need to reboot into safe mode and locate these files:

    c:\WINDOWS\winlogon.exe
    c:\WINDOWS\SYSTEM\sservice.exe
    c:\WINDOWS\SYSTEM32\fservice.exe

    You will probably have to show hidden files and folders. Not sure in Win 98, but I expect it's the same: in the top toolbar of a normal window click Tools, then Folder Options, then View, then check the box "Show hidden files and folders", Apply and OK.
    Find these files and nuke them. Also, if these are there, nuke these:
    c:\WINDOWS\SYSTEM\winkey.dll
    c:\WINDOWS\SYSTEM\ktd32.atm

    You then need to click Start, then Run, and type msconfig, then Enter.
    Click the System.ini tab, find and locate this:
    Shell=Explorer.exe C:\WINDOWS\system\sservice.exe
    and delete it.
    Next click the Win.ini tab, find and locate this:
    C:\WINDOWS\system\sservice.exe
    and delete it.
    Apply and OK.
    Reboot, make sure your anti-virus is up to date, and then hopefully it should run, so do a full system scan, clean anything found, then re-post a fresh log from HijackThis.

    Side note: once in safe mode, press CTRL-ALT-DEL and check that none of the things you want to delete are running; if they are, kill the process.

    Good luck and happy hunting.
     
  24. Panther270

    Panther270 Private E-2

    Argh!!!!!!! Well, I found the c:\Windows\System\ktd32.atm. That's now gone.

    I couldn't find the one marked winkey.dll. I even did a file search.

    I can't figure out how to delete the Shell sservice.exe outta the system.ini list.
    Also can't delete the sservice.exe outta the win.ini list. Can't figure out how to.

    Both keep replicating when I try to delete them out of the C folder, and winlogon says it's being used by Windows.

    I just counted 5 new grey hairs LMAO.
     
  25. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Hi panther,
    to fix your win.ini, just select the file you want to kill and select the Edit tab to wipe it out; same for system.ini. Apply and OK on the way out.

    Can you not delete those files in safe mode? If not, go read this; it's about a tool that can wipe it out for you, explained in detail by wizewiz.
    Download that file and wipe them suckers out.

    http://www.majorgeeks.com/vb/showthread.php?t=26553&highlight=dellater
     
  26. Panther270

    Panther270 Private E-2

    OMG! I think it worked!!!! TY TY Gen, if you are a woman and near me I'd kiss ya!!!! LOL TY to you too alanc, I kinda know you are male, so a heartfelt handshake to you! Here is my latest HijackThis log..... Let me know if it is true!

    Logfile of HijackThis v1.97.7
    Scan saved at 6:31:32 PM, on 2/13/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\AGRSMMSG.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ASUS\PROBE\ASUSPROB.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\PROGRAM FILES\IARSN\TASKINFO2003 5.0\TASKINFO.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    F0 - system.ini: Shell=
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
    O4 - HKLM\..\Run: [Atikey] Atitask.exe
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [agrsmMSG] agrsmMSG.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [AVGCtrl] C:\PROGRAM FILES\AVPERSONAL\AVGCTRL.EXE /min
    O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\SYSTEM\LXSUPMON.EXE RUN
    O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [ccEvtMgr] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
    O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
    O9 - Extra button: PhoenixNet (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37982.7191087963
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  27. General_Lee_Stoned

    General_Lee_Stoned BuZZed Lightyear

    Ok, looking good, and no, I'm not a woman, so I'll give the kissing thing a miss, thanks :D

    Make sure you get the latest updates for your anti-virus and run a full scan to make sure nothing's left, if you ain't already ;)

    Also thanks alanc for helping and getting the info we needed, much appreciated :)
     
  28. alanc

    alanc MajorGeek

    Panther, just looking at your log there and it looks like you've got two anti-virus proggies running, NAV and something else (AntiVir?). It's OK to have two, but you could run into problems with two AVs running at the same time. And as the good General said, make sure you've got the latest virus definition updates for the AV program you want to use.

    Looks like you might be fixed up there friend. Hearty handshake accepted!
     
  29. Panther270

    Panther270 Private E-2

    TY to both of you, and a handshake to you Gen. lol. I did run Norton after it was all said and done. It did find a trojan called PWSteal.exe trojan. It did delete it, and all seems finally quiet here. I am in the process of getting the other anti-vir. off my PC. Again TY very much. My gratitude to both of you.
     
  30. alanc

    alanc MajorGeek

    BTW good call on DelLater General Lee. It's amazing how often that little gem comes in handy :)
     
  31. Panther270

    Panther270 Private E-2

    Actually didn't need it, but I am gonna hang on to it for just-in-case purposes lol
     
  32. mmmmmarrrrr

    mmmmmarrrrr Private E-2

    I'm not a major geek, but had the same sort of problem as this, and pretty sure taskmon.exe is not a valid Windows dewberry; taskmgr.exe is what it should be. Try searching the web for taskmon.exe; I found some sites explaining this is a bug. As I said, I'm not a major geek, so what I have just explained could be nonsense.
     
  33. mmmmmarrrrr

    mmmmmarrrrr Private E-2

    Pretty soon I think you will delete a crucial file and need to hard reset your computer, if you haven't already. If you have Smart Restore in the All Programs in the Start menu, use that, but be warned your computer will be just the same as when you first set it up.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please stop writing sentences that make no sense whatsoever. And why are you wasting time even attempting to answer an almost 7 month old thread that is already resolved? And not only that, your answers make no sense.
     