Spyagent bv!inf - winlogon.exe

Interesting, because that is a valid windows file......however, lets to this:

Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

Open notepad and copy and paste the following text in the quote box into the window:

Save this as fix.bat
Choose to save as all files.
Doubleclick fix.bat and let the program run.
A small black dos window will flash, this is normal.

Now go to start / run / type "services.msc" without quotes and see if that service is still listed.

Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Now download The Avenger by Swandog469, and save it to your Desktop.

* Extract avenger.exe from the Zip file and save it to your desktop
* Run avenger.exe by double-clicking on it.
* Do not change any check box options!!
* Copy everything in the Quote box below, and paste it into the Input script here: part of the window:

* Now click the Execute button.
* Click Yes to the prompt to confirm you want to execute.
* Click Yes to the Reboot now? question that will appear when Avenger finishes running.
* Your PC should reboot, if not, reboot it yourself.
* A log file from Avenger will be produced at C:\avenger.txt and it will popup for you to view when you login after reboot.

Also delete all files in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
C:\WINDOWS\Temp
C:\Documents and Settings\laflo\Local Settings\Temp\

Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

Be sure to tell us how things are running.

 

Did you have any problems with the fix.bat run....?

Please go to start / run / type "services.msc" without quotes and see if the Service: 50187 is still there.

Next, run C:\MGtools\analyse.exe, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
* At the lower right, click on the Config button
* Then click the Misc tools button
* Select Delete an NT Service
* Copy/paste 50187 into the box that opens, and press OK
* If you receive any error messages just ignore them and continue.
* Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Now re-Run C:\MGtools\analyse.exe and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

After clicking Fix, exit HJT.

Find and delete:
C:\WINNT\C

Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

Tell me how that went and what problems you may still have, if any.

 

Removing that service was the (hopefully) last thing we needed to do...let me know how things are running.

If you are not having any other malware problems, it is time to do our final steps:

1. If we used ComboFix then UNINSTALL COMBOFIX (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
2.
* Click START then RUN
* Now type "%userprofile%\Desktop\cf" /u in the runbox and click OK.
* Note: The space between the cf and the /U, it must be there.
3. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
4. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
5. If you are running Windows XP or Windows ME, do the below:
* Refer to the cleaning steps in the READ ME for your Window version and see the steps to Disable System Restore which will flush your Restore Points.
* Then reboot and Enable System Restore to create a new clean Restore Point.
6. After doing the above, you should work thru the below link:
How to Protect yourself from malware!

 

You are looking at an old Read and Run thread...that issue is gone with ComboFix....but if you downloaded it a while ago...delete it from the desktop and re-download it from the present Read and Run instructions.

Run Combo, attach the log and also tell me the exact path to the reported trojan...and what is reporting it ( a log would be helpful).

 

They are both legit files! I suspect that McAfee is giving a false positive (as it often does).

I'll tell you what:
Go to Bitscan link: agree to the license and then select Scan. DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED. That will make your logs huge and we don't need to see clean files. Once Bitdefender completes the scan:

Click-on the Detected Problems tab. Then select Click here to export the scan report

When the window comes up to save the report, change the Save as type: box to Text (Tab Delimited) (*.txt) and then in the File name box enter change to bdscan then click save. This will save a file named bdscan.txt in whatever folder you are currently in when you save the file (take notice of where you are at so you can find it later). This bdcan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

 

I'm also thinking it is a false positive as the date is:

Sounds like your system is running OK?

 

Let's try this ...go to:
C:\WINNT\ServicePackFiles\i386\winlogon.exe
Copy the winlogon.exe and paste it into C:\WINNT\system32\

It should ask if you want to replace it/overwrite it...say yes.

Now if you were able to do that...run another scan and tell me what happens.

Yes...you started getting malware back in Oct 2007.

 

I've slept.....how many users are on this system? Do you have to log on with a password?

If you remove the password for you account ...we may bypass the need for the winlogon exe and be able to deal with it ...

Also..go to the file and right click it ... properties ...is there a security tab?

 

This is not malware ....

It's part of your Thinkpad software....

 

That it is probably coincidental ....the process I showed you is for your particular laptop ...are you having other issues that would indicate malware (other than Mcafee's report)?

 

You may wish to look at this sticky : Basic computer maintenance everyone should do

You may also wish to use a Startup Manager

Let me know what issues you still have.