Logfile

#16 Wizard (Retired Staff, 5,661 posts)
I had a Feeling that would happen!

Please open Notepad, and Copy&Paste the code in the box below into a new text file. Save it as FindFile.bat and save it on your Desktop.


rem List the file under its 8.3 short name with all attributes (/a) so a hidden copy is shown too;
rem the original "/a h" made cmd treat "h" as a second file spec, which produced the extra Desktop listing
dir C:\WINDOWS\system32\WNLOGO~1.EXE /a > files.txt
notepad files.txt


Locate FindFile.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the results back here!


I asked you about all the Poker Games in the O9s of the HijackThis log. Did you install those, or do you know where they came from?

#17 Pete88 (Topic Starter, Member, 15 posts)
Hi again.. sorry, I missed your answer, found it now.. :tazz: I did the thing with the code and here is the text that appears in Notepad:

Volume in drive C has no label.
Volume Serial Number is B4D9-92FB

Directory of C:\WINDOWS\system32

05/17/2005 06:13 PM 430,080 w?nlogon.exe
1 File(s) 430,080 bytes

Directory of C:\Documents and Settings\Peter Haraldsson\Desktop


And yes, I have installed those games myself.

#18 Wizard (Retired Staff, 5,661 posts)
OK...Go to Safe Mode....Navigate to C:\WINDOWS\System32

You are looking for a file that looks similar or identical in name to this one

w?nlogon.exe

The file is gonna be 430,080 bytes or about 419KB, created on 05/17/2005 06:13 PM

That's the bugger you want to delete!

If you have any doubts have it scanned here
http://virusscan.jotti.org/


The legit version of Winlogon.exe is

502,272 bytes or 490 KB and has an Icon above it of a Windows Seal and the Moon!
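The post above identifies the rogue file by three things: a name that differs from winlogon.exe by a single undisplayable character, a size that does not match the legitimate binary, and an odd creation date. As an added example, not code posted by Wizard, Pete88 or Geeks to Go, the Python below turns that manual comparison into a repeatable check: it parses text in the format of the dir output Pete88 posted, normalizes confusable characters, and flags names that are a look-alike of, or one edit away from, a critical Windows binary, as well as a known name whose size differs from the expected value. Assumptions: the '?' in w?nlogon.exe is taken to be a non-ASCII look-alike letter (a dotless i is used in the constructed sample), 502,272 bytes is Wizard's figure for the legitimate XP SP2 winlogon.exe, and every other size, date and the scvhost.exe entry in the sample listing are constructed for the example.

```python
"""Look-alike filename check for critical Windows binaries.

Added example for this thread; not code from Wizard, Pete88 or Geeks to Go.
It parses text in the format of the `dir` output quoted in the thread and
flags names that imitate critical system binaries, as w?nlogon.exe did.
"""
import re
import unicodedata

# Expected sizes in bytes. 502,272 is Wizard's figure for the legitimate XP SP2
# winlogon.exe quoted in the thread; None means "name check only". Sizes differ
# between Windows versions and patch levels, so a size mismatch is a prompt to
# verify the file (online scan, vendor hash), not proof of infection.
CRITICAL = {"winlogon.exe": 502_272, "svchost.exe": None, "lsass.exe": None, "smss.exe": None}

# Non-ASCII letters that render like ASCII ones (assumption: the thread's '?' was one of these).
CONFUSABLES = {"\u0131": "i", "\u0142": "l", "\u03bf": "o"}  # dotless i, l with stroke, Greek omicron

# One `dir` entry: date, time, byte size with thousands separators, file name.
DIR_LINE = re.compile(r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
                      r"(?P<size>[\d,]+)\s+(?P<name>.+?)\s*$")

# Constructed sample in the format of the thread's listing; only the 430,080-byte
# look-alike and the 502,272-byte legitimate winlogon.exe values come from the thread.
SAMPLE_LISTING = """\
 Directory of C:\\WINDOWS\\system32

05/17/2005 06:13 PM           430,080 w\u0131nlogon.exe
08/04/2004 12:00 PM           502,272 winlogon.exe
08/04/2004 12:00 PM            14,336 svchost.exe
05/17/2005 06:14 PM            27,648 scvhost.exe
08/04/2004 12:00 PM            13,312 lsass.exe
"""


def parse_dir_listing(text):
    """Return (name, size_in_bytes, timestamp) for every file line in dir-style text."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line.strip())
        if m:
            entries.append((m["name"], int(m["size"].replace(",", "")), f"{m['date']} {m['time']}"))
    return entries


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition, e.g. scvhost/svchost
    return d[len(a)][len(b)]


def normalize(name):
    """Casefold, strip accents and map confusable letters so look-alikes collapse onto ASCII."""
    decomposed = unicodedata.normalize("NFKD", name.casefold())
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in stripped)


def check_entries(entries):
    """Return (name, reason) pairs for entries that deserve a closer look."""
    findings = []
    for name, size, _when in entries:
        norm = normalize(name)
        matched = False
        for legit, expected in CRITICAL.items():
            if norm == legit and name.casefold() != legit:
                findings.append((name, f"non-ASCII look-alike of {legit}"))
                matched = True
            elif norm == legit:
                matched = True
                if expected is not None and size != expected:
                    findings.append((name, f"size {size} differs from expected {expected} for {legit}"))
            elif osa_distance(norm, legit) == 1:
                findings.append((name, f"one edit away from {legit}"))
                matched = True
        if not matched and not name.isascii():
            findings.append((name, "non-ASCII characters in file name"))
    return findings


if __name__ == "__main__":
    for name, reason in check_entries(parse_dir_listing(SAMPLE_LISTING)):
        print(f"{name!r}: {reason}")
```

Run against the constructed sample, the check reports the dotless-i look-alike and the transposed scvhost.exe while leaving the legitimate winlogon.exe, svchost.exe and lsass.exe entries alone; a real listing from system32 can be fed in the same way, with the size table extended from a known-good machine of the same Windows version.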

#19 Pete88 (Topic Starter, Member, 15 posts)
Ok.. I found both the files and deleted the bad one in Safe Mode.. then I restarted and ran Pandascan again and it still found 6 infected files. I have a new HijackThis log here and the Pandascan.

Logfile of HijackThis v1.99.1
Scan saved at 12:52:23 AM, on 05/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
E:\Program\iTunes\iTunesHelper.exe
C:\WINDOWS\Mixer.exe
E:\Program\PCI Audio Applications\Bin\EchoCtrl.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
E:\Program\Winamp\winampa.exe
E:\Program\Grisoft\AVGFRE~1\avgcc.exe
E:\Program\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
E:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] E:\Program\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [C-Media Echo Control] E:\Program\PCI Audio Applications\Bin\EchoCtrl.exe
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [WinampAgent] E:\Program\Winamp\winampa.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\Program\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\Program\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - F:\Spel\Poker\Eurobet\coraleurobetpoker.exe
O9 - Extra 'Tools' menuitem: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - F:\Spel\Poker\Eurobet\coraleurobetpoker.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: StarLuck.com - {2B6AA6C9-1646-46e7-8D23-D54274F2F2F2} - F:\Spel\Poker\Starluck Casino\bin\IEExtension_SL.dll
O9 - Extra 'Tools' menuitem: StarLuck.com - {2B6AA6C9-1646-46e7-8D23-D54274F2F2F2} - F:\Spel\Poker\Starluck Casino\bin\IEExtension_SL.dll
O9 - Extra button: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - F:\Spel\Poker\PokerNow\PokerNow.exe
O9 - Extra 'Tools' menuitem: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - F:\Spel\Poker\PokerNow\PokerNow.exe
O9 - Extra button: Expekt.com Poker - {3852AC86-965F-4abe-A75F-3DCB7E81A4B2} - C:\Program Files\expektMPP\MPPoker.exe
O9 - Extra button: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - F:\Spel\Poker\Intertops\IntertopsPoker.exe
O9 - Extra 'Tools' menuitem: Intertops Poker - {5706EACE-252A-4af9-AA8D-1F8813B50469} - F:\Spel\Poker\Intertops\IntertopsPoker.exe
O9 - Extra button: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - F:\Spel\Poker\MultiPoker\MultiPoker.exe
O9 - Extra 'Tools' menuitem: MultiPoker - {641F4F4E-6C91-4159-869E-9F5CE6F0F64E} - F:\Spel\Poker\MultiPoker\MultiPoker.exe
O9 - Extra button: PlanetLuck.com - {6F477182-DE4F-4326-ACE3-3110A676771B} - F:\Spel\Poker\Planetluck\bin\IEExtension_PL.dll
O9 - Extra 'Tools' menuitem: PlanetLuck.com - {6F477182-DE4F-4326-ACE3-3110A676771B} - F:\Spel\Poker\Planetluck\bin\IEExtension_PL.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - F:\Spel\Poker\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - F:\Spel\Poker\EmpirePoker\EmpirePoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Spel\Poker\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - F:\Spel\Poker\PartyPoker\PartyPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by1fd.bay1.ho...es/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1111641210527
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pdownloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: F-Secure Anti-Virus 2005 (BackWeb Plug-in - 4476822) - Unknown owner - E:\Program\F-SECU~1\backweb\4476822\Program\SERVIC~1.EXE (file missing)
O23 - Service: fsbwsys - Unknown owner - E:\Program\F-Secure Anti-Virus\backweb\4476822\program\fsbwsys.exe (file missing)
O23 - Service: iPod-tjänst (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


Attached File: Activescan.txt (2.18KB)

#20 Wizard (Retired Staff, 5,661 posts)
Good Job....That log is clean!!!

PC acting any better?

Install these 2 programs

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediately!

IE Spyad:
http://www.bleepingc...showtutorial=53
There is a direct download inside and great tutorial also!

Disable System Restore
http://service1.syma...src=sec_doc_nam

When you place the Check by Turn off System Restore....Move the Slider below it all the way to the Minimum position!

Restart the PC

Go back and Re-enable System Restore by Unchecking the Box and Moving the Slider to the Half Way Position!

So how did I get infected in the first place?
http://forums.net-in...?showtopic=3051

Browser Hijacking & How to Stop It
http://www.pcstats.c...?articleID=1579

What are Hackers looking for on your PC?
http://forums.thetec...read.php?t=8859

#21 Pete88 (Topic Starter, Member, 15 posts)
I have not done anything yet. I have these programs installed:

CleanUp!
Ad-aware SE
CWShredder
Spybot S&D
Ewido
AVG

Should I uninstall any of these before I install the ones you recommend?

What about the things Pandascan found. Will they disappear after I disabled System Restore?

Also I would like to know how to change the details showing underneath my folders in My Computer. For example, if I double-click Downloads I can see a map named Vice City. Underneath it, it says 03/25/2005 5:03 AM.. It slows things down a bit.. How can I choose to not display all that info? It wasn't like that before.

Thank you very much for all the help.. never thought I would be able to clean all this up!

#22 Wizard (Retired Staff, 5,661 posts)
The 2 Programs I gave you are for Security reasons and Safer Surfing!

As for the others I would Hang on to them for a while!

Open the Control Panel and from the menu at the top left select Tools>>Folder Options>>View

Look at the 6th or 7th entry down

Display the Full Path in the Title Bar

If it is checked uncheck it!

#23 Pete88 (Topic Starter, Member, 15 posts)
Ok! Now I have done everything.. Hope it is ok and will be that for a while now :tazz:

But I still see all that information on my files.. I tried to uncheck everything on that list but it didn't help.. any ideas?

And I'm still curious why Pandascan finds six infected files..

#24 Wizard (Retired Staff, 5,661 posts)
Sorry about that!!!

The Save Entry is dead registry entries!

The other five belong to killboxes !Submit Folder!

Which if you open killbox you should see the Option under file to delete that folder!

As for the Names>>>I am clueless!

I will see if I can scrounge something up!

#25 Wizard (Retired Staff, 5,661 posts)
Did you try Reset All Folders or Restore Defaults!

#26 Pete88 (Topic Starter, Member, 15 posts)
Aaaah! I did try Restore Defaults before and it didn't help. But Reset All Folders fixed the problem! Thank you a lot for taking time to answer all my questions. I hope my PC will stay clean from now on.. By the way.. should I have Windows Firewall running or not?

#27 Pete88 (Topic Starter, Member, 15 posts)
And.. I check Windows for updates but it takes me to Service Pack 1.. but I have Service Pack 2.. do I need to install anything here.. the virtual Java also says to check for Windows Update..

#28 Wizard (Retired Staff, 5,661 posts)
Go ahead and Re-enable System Restore and make sure the slider below is at the Halfway Point

Windows Firewall just isn't enough, I suggest this one

Sygate Personal Firewall
http://smb.sygate.co...pf_standard.htm

Go ahead and follow through with the Windows Update and Let it over write any damaged files!

The Process may take a while to complete!

#29 Pete88 (Topic Starter, Member, 15 posts)
So I should install Service Pack 1 instead of two? Shall I install Service Pack 2 after the first again?

#30 Wizard (Retired Staff, 5,661 posts)
I would just let it install SP1 and then go to SP2 from there!