
Spyware Problem - Locked onto Winlogon shell

#1 krylex (New Member, 6 posts)
Ok, here's the issue. I work in a PC shop. Customer brought in a PC complaining of viruses/spyware/running slow. You know, the usual. Anyways, I start doing my normal scanning routine, which gets rid of just about everything:

AntiVirXP
Adaware
Spybot
MS Antispyware

Now, there was one or two things that these couldn't get rid of, so I grabbed the other two things I use when needed:
Ewido
HiJackThis

There's something that keeps creating a new .dll file and attaches itself as a part of the winlogon process. I can't kill the process to unregister it. It sets itself with a new name on every reboot. It can't be fixed by HiJackThis.

I'm also receiving popups, even though all but the ewido scan come up clean. If I kill the rundll process, it stops them temporarily.

Here's my HJT log from safe mode:

Logfile of HijackThis v1.99.1
Scan saved at 3:29:45 PM, on 6/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'nnsp.dll' missing
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1118692977359
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\h24mlch11f4.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe (file missing)

The Winlogon Notify entry is the unfixable problem. O10 is also unfixable, but I believe it is negligible.

Also, for some reason not known to me, Windows Update does not work at all on this system. Automatic Updates are enabled, but the Security Center can't tell they are, nor can it change settings for it. Anytime I pull up Windows Update on the web, it errors out. I think the two may be related.

Thanks for the help.
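The two entries the poster cannot clear, the O20 Winlogon Notify DLL and the O10 broken LSP, are the kind of lines a triage script can pick out of a HijackThis log automatically. The script below is an added example written for this thread; it is not part of HijackThis and not code from anyone in the thread. It parses HJT-style lines, flags O20 entries whose Notify subkey is not on a small assumed allowlist of stock Windows XP subkeys (crypt32chain, cryptnet, cscdll and so on, an assumption to be extended per build) or whose DLL name looks machine-generated (digits interleaved with letters, as in h24mlch11f4.dll), and also reports O10 and missing-file O23 entries. The sample input reuses lines from the log posted above plus one constructed known-good O20 line.

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT's own code)."""
import re

# Sample input: lines copied from the log posted in the thread, plus one constructed
# known-good O20 line (crypt32chain is a stock Windows XP Winlogon Notify subkey).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [MSConfig] C:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto
O10 - Broken Internet access because of LSP provider 'nnsp.dll' missing
O20 - Winlogon Notify: Applets - C:\\WINDOWS\\system32\\h24mlch11f4.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\\Program Files\\Softex\\OmniPass\\Omniserv.exe (file missing)
"""

# Assumed allowlist of stock XP Winlogon Notify subkey names (assumption; extend per build).
KNOWN_NOTIFY_SUBKEYS = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# HJT entry lines start with a section code (O4, O10, O20, R0, ...) followed by " - ".
LINE_RE = re.compile(r"^(O\d+|R\d|F\d|N\d) - (.*)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<subkey>[^ ]+) - (?P<path>.+)$")


def parse_hjt(text):
    """Yield (section, body) for each HJT entry line; headers and the process list are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2)


def looks_random(stem):
    """Heuristic for generated DLL names: >=8 chars, >=2 digits, >=4 letters,
    with digits sandwiched between letters (e.g. h24mlch11f4). Stock names such as
    crypt32 or nvsvc32 are short and keep their digits at the end, so they pass."""
    if len(stem) < 8:
        return False
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    interleaved = re.search(r"[a-z]\d+[a-z]", stem.lower()) is not None
    return digits >= 2 and letters >= 4 and interleaved


def triage(text):
    """Return a list of (section, body, reason) findings worth a second look."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O20":
            m = O20_RE.match(body)
            if not m:
                continue
            subkey = m.group("subkey").lower()
            # File stem without directory or extension, e.g. "h24mlch11f4".
            stem = m.group("path").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if subkey not in KNOWN_NOTIFY_SUBKEYS or looks_random(stem):
                findings.append((section, body,
                                 "non-stock Winlogon Notify DLL; winlogon.exe loads it at logon, "
                                 "so it cannot be unloaded or deleted from the live session"))
        elif section == "O10":
            findings.append((section, body,
                             "LSP chain references a missing provider; Internet access is broken "
                             "until the Winsock catalog is repaired"))
        elif section == "O23" and "(file missing)" in body:
            findings.append((section, body, "service points at a binary that no longer exists"))
    return findings


if __name__ == "__main__":
    for section, body, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {body}\n    -> {reason}")
```

Run it as-is to see the three flagged lines; to use it on a real log, read the file into `triage()` instead of `SAMPLE_LOG`. The allowlist check is what separates the stock `crypt32chain` entry from the `Applets` one, and the name heuristic is a second signal for cases where the subkey name itself looks plausible.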


#2 bobthemailman (Member, 193 posts)
Hi,
you are in the wrong forum; please go to the malware forum, where experts who are trained to deal with malware will help you.
go here, http://www.geekstogo..._Log-t2852.html
then here,
http://www.geekstogo...o_Here-f37.html


Bobthemailman ;)

#3 krylex (Topic Starter, New Member, 6 posts)
Thanks,
I don't read too well sometimes.