Winlogon


25 replies to this topic

#1 OFFLINE   Lost1

    Advanced Member

  • Members
  • 56 posts

Posted 15 April 2006 - 06:22 AM

:) Hi all

I have something that no scanner seems to pick up on... winlogon.exe is trying to connect to the internet every so often. I used all the stuff (HijackThis etc.), got rid of the offending files the other day and all was fixed... I thought. Now it's popping up again. Has anyone else heard of this? I did a Google; a few others have it also, but no answers?

Anyway I'm not sure what it's doing; it's blocked by the firewall. It looks sneaky, I don't like it.

Cheers Guys have a great Easter :)

#2 OFFLINE   hazelnut

    try to stay calm

  • Moderators
  • 9,460 posts
  • Gender:Female
  • Location:Huddersfield uk

Posted 15 April 2006 - 09:15 AM

There is a thread about this here, near the bottom someone found a solution to their version of the problem. It's worth a look anyway!

http://www.outpostfi...ead.php?t=16912
CCLEANER, RECUVA, DEFRAGGLER AND SPECCY DOCUMENTATION CAN BE FOUND HERE

http://www.piriform.com/docs

#3 OFFLINE   Lost1

    Advanced Member

  • Members
  • 56 posts

Posted 15 April 2006 - 10:00 AM

WOW

Thanks hazelnut.

It looks more serious than I thought, reading through the posts. Thanks for the link ;)

#4 OFFLINE   Andavari

    Captain Spectacular

  • Moderators
  • 13,328 posts
  • Gender:Male
  • Location:Shadow Moses

Posted 15 April 2006 - 01:51 PM

If you think you're infected with something you don't have to try and figure out how to heal your system all by yourself, you can get help via the CCleaner Forums HijackThis Analysis. Read and follow the instructions in the Spyware Removal Guide, and then post a HijackThis log here.

A forum member who is qualified at HijackThis analysis will analyze your log(s), which will probably be AndyManchesta; other qualified members are rridgely, DJLizard, and Tarun.
Complexity of incoherent design.

#5 OFFLINE   Lost1

    Advanced Member

  • Members
  • 56 posts

Posted 15 April 2006 - 02:41 PM

Thanks Andavari


I used HijackThis... this is beyond that,
and I'm not trying to figure this out all by myself.

The link hazelnut gave sums it all up:

http://www.outpostfi...ead.php?t=16912

Cheers Guys

#6 OFFLINE   hazelnut

    try to stay calm

  • Moderators
  • 9,460 posts
  • Gender:Female
  • Location:Huddersfield uk

Posted 15 April 2006 - 03:35 PM

Lost1,
even though I gave you a link to read, I would still post a HijackThis log on this forum as Andavari suggests.

Andy Manchesta in particular has a great deal of experience regarding these problems and I am sure would be able to help you solve this.

#7 OFFLINE   Lost1

    Advanced Member

  • Members
  • 56 posts

Posted 20 April 2006 - 09:31 AM

hazelnut, on Apr 15 2006, 03:35 PM, said:

Lost1,
even though I gave you a link to read, I would still post a HijackThis log on this forum as Andavari suggests.

Andy Manchesta in particular has a great deal of experience regarding these problems and I am sure would be able to help you solve this.

Yeah, sorry.

I actually fixed it with Spyware Doctor.

Anyway Andy and Andavari
(if you are not the same person lol) I hope this log helps? (I deleted some of the log as it was personal, cookies etc.)

These were the offenders from memory:

Trojan.Popuper C:\WINDOWS\system32\dfrgsrv.exe High
Trojan.Popuper C:\WINDOWS\system32\ncompat.tlb High

I can't send a HijackThis log now as it's obviously been fixed, but this was the log when I first ran this program:

Activity Report
Generated on 18/04/2006 7:35:20 AM

Scan Results:
scan start: 18/04/2006 7:37:15 AM
scan stop: 18/04/2006 7:45:02 AM
scanned items: 86515
found items: 72
found and ignored: 0
tools used: General Scanner, Process Scanner, LSP Scanner, Startup Scanner, Registry Scanner, Hosts Scanner, Browser Scanner, Browser Activity Scanner, Disk Scanner, ActiveX Scanner



Infection Name Location Risk
Trojan.Popuper HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run##wininet.dll
WebDir HKCR\AppID\pxwma.DLL Medium
WebDir HKCR\AppID\pxwma.DLL## Medium
WebDir HKCR\AppID\pxwma.DLL##AppID Medium
WebDir HKCR\Interface\{B1317C08-617A-435D-A24F-A930F4540696} Medium
WebDir HKCR\Interface\{B1317C08-617A-435D-A24F-A930F4540696}## Medium
WebDir HKCR\Interface\{B1317C08-617A-435D-A24F-A930F4540696}\ProxyStubClsid Medium
WebDir HKCR\Interface\{B1317C08-617A-435D-A24F-A930F4540696}\ProxyStubClsid## Medium
WebDir HKCR\Interface\{B1317C08-617A-435D-A24F-A930F4540696}\ProxyStubClsid32 Medium
WebDir HKCR\Interface\{B1317C08-617A-435D-A24F-A930F4540696}\ProxyStubClsid32## Medium
WebDir HKCR\Interface\{B1317C08-617A-435D-A24F-A930F4540696}\TypeLib Medium
WebDir HKCR\Interface\{B1317C08-617A-435D-A24F-A930F4540696}\TypeLib## Medium
WebDir HKCR\Interface\{B1317C08-617A-435D-A24F-A930F4540696}\TypeLib##Version Medium
WebDir HKCR\TypeLib\{FAC55B9F-8F6A-4A41-AE16-36845D4679B2} Medium
WebDir HKCR\TypeLib\{FAC55B9F-8F6A-4A41-AE16-36845D4679B2}## Medium
WebDir HKCR\TypeLib\{FAC55B9F-8F6A-4A41-AE16-36845D4679B2}\1.0 Medium
WebDir HKCR\TypeLib\{FAC55B9F-8F6A-4A41-AE16-36845D4679B2}\1.0## Medium
WebDir HKCR\TypeLib\{FAC55B9F-8F6A-4A41-AE16-36845D4679B2}\1.0\0 Medium
WebDir HKCR\TypeLib\{FAC55B9F-8F6A-4A41-AE16-36845D4679B2}\1.0\0## Medium
WebDir HKCR\TypeLib\{FAC55B9F-8F6A-4A41-AE16-36845D4679B2}\1.0\0\win32 Medium
WebDir HKCR\TypeLib\{FAC55B9F-8F6A-4A41-AE16-36845D4679B2}\1.0\0\win32## Medium
WebDir HKCR\TypeLib\{FAC55B9F-8F6A-4A41-AE16-36845D4679B2}\1.0\0\win32##default Medium
WebDir HKCR\TypeLib\{FAC55B9F-8F6A-4A41-AE16-36845D4679B2}\1.0\FLAGS Medium
WebDir HKCR\TypeLib\{FAC55B9F-8F6A-4A41-AE16-36845D4679B2}\1.0\FLAGS## Medium
WebDir HKCR\TypeLib\{FAC55B9F-8F6A-4A41-AE16-36845D4679B2}\1.0\HELPDIR Medium
WebDir HKCR\TypeLib\{FAC55B9F-8F6A-4A41-AE16-36845D4679B2}\1.0\HELPDIR## Medium
Trojan.Downloader.Delf.ACR C:\Documents and Settings\lost\Favorites\roms - gbc.url < High
(this was a Game Boy Color ROM site) :angry:
Trojan.Popuper C:\WINDOWS\system32\dfrgsrv.exe High
Trojan.Popuper C:\WINDOWS\system32\ncompat.tlb High
7AdPower HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6} High
7AdPower HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}## High
7AdPower HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}\iexplore High
7AdPower HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}\iexplore## High
7AdPower HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}\iexplore##Type High
7AdPower HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}\iexplore##Count High
7AdPower HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}\iexplore##Time High
7AdPower HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A1426AC5-8CE5-4A00-B71E-011D35709AC6}\iexplore##Blocked High
Common Components for AZE nEtwork HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D7BF3304-138B-4DD5-86EE-491BB6A2286C} Medium
Common Components for AZE nEtwork HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D7BF3304-138B-4DD5-86EE-491BB6A2286C}## Medium
Common Components for AZE nEtwork HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D7BF3304-138B-4DD5-86EE-491BB6A2286C}\iexplore Medium
Common Components for AZE nEtwork HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D7BF3304-138B-4DD5-86EE-491BB6A2286C}\iexplore## Medium
Common Components for AZE nEtwork HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D7BF3304-138B-4DD5-86EE-491BB6A2286C}\iexplore##Type Medium
Common Components for AZE nEtwork HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D7BF3304-138B-4DD5-86EE-491BB6A2286C}\iexplore##Count Medium
Common Components for AZE nEtwork HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D7BF3304-138B-4DD5-86EE-491BB6A2286C}\iexplore##Time Medium
Common Components for AZE nEtwork HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D7BF3304-138B-4DD5-86EE-491BB6A2286C}\iexplore##Blocked Medium
Iebar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{56A7DC70-E102-4408-A34A-AE06FEF01586} Elevated
Iebar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{56A7DC70-E102-4408-A34A-AE06FEF01586}## Elevated
Iebar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{56A7DC70-E102-4408-A34A-AE06FEF01586}\iexplore Elevated
Iebar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{56A7DC70-E102-4408-A34A-AE06FEF01586}\iexplore## Elevated
Iebar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{56A7DC70-E102-4408-A34A-AE06FEF01586}\iexplore##Type Elevated
Iebar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{56A7DC70-E102-4408-A34A-AE06FEF01586}\iexplore##Count Elevated
Iebar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{56A7DC70-E102-4408-A34A-AE06FEF01586}\iexplore##Time Elevated
Iebar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{56A7DC70-E102-4408-A34A-AE06FEF01586}\iexplore##Blocked Elevated
YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658} High
YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}## High
YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}\iexplore High
YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}\iexplore## High
YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}\iexplore##Type High
YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}\iexplore##Count High
YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}\iexplore##Time High
YourSiteBar HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{42F2C9BA-614F-47C0-B3E3-ECFD34EED658}\iexplore##Blocked

I can send a HijackThis log if need be.

Cheers :)

Actually I will (I have commented what I use in brackets)



Logfile of HijackThis v1.99.1
Scan saved at 7:57:13 PM, on 20/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe (can't remember why I have this... some reg hive cleaner)
C:\WINDOWS\StartupMonitor.exe (this just shows what is being added to startup; it's old now and can obviously be bypassed)
C:\Program Files\Zigzag_Cleaner\ZCleaner.exe (this is like a boss key; you can hide stuff using a Z stroke of the mouse)
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wisptis.exe (what's this one?)
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Documents and Settings\Lost\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/home.htm (I did this on purpose; it was recommended when the blank home page was being used for hijacking)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local

(Not sure about the proxy settings; I do sometimes use proxies using the invisible browsing program)

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe (this was explained above)

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k (no idea, what does this mean?)
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui (my firewall)

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto (forgot about this... looks suspect)
O4 - HKCU\..\Run: [UNIPHIZ Zigzag Cleaner] C:\Program Files\Zigzag_Cleaner\ZCleaner.exe (explained above)

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{61359C73-57D0-4FD6-9968-D446C6474E1C}: Domain = my adsl connection
O17 - HKLM\System\CCS\Services\Tcpip\..\{CA6BEFF6-306C-48A6-92A9-27737964B4D4}: Domain = My Broadband connection
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: HF30Service - Unknown owner - C:\Program Files\Pilot Group LLC\Hide Folder 3.0\HF30Service.exe ( this is just a hide folders and drives program )

O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\system32\wdfmgr.exe (file missing)

That's about all I have to offer... the winlogon trouble I had seems to be fixed, or gone for now.

Sorry about the long post ;)

#8 OFFLINE   Andavari

    Captain Spectacular

  • Moderators
  • 13,328 posts
  • Gender:Male
  • Location:Shadow Moses

Posted 20 April 2006 - 05:45 PM

You may get a quicker response if you move your HijackThis log here.

And no, Andy and I are not the same person.

#9 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 21 April 2006 - 01:09 AM

Hi Lost1 :)

With the malware files being variants of Trojan Zlob (1, 2), it's worth checking your registry policy keys and running Ewido Anti-Malware to make sure the system is clean.

C:\WINDOWS\system32\wisptis.exe <--- Tablet PC component

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


Both of these are missing the path to the file, so they should be fixed using HijackThis to restore them to the MS default (%systemroot%\system32\blank.htm).

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

dumprep.exe is Microsoft's fault logging software. Once errors happen on the system this program will write the details to a text file and request that the information be sent to Microsoft; the entry can be fixed if it remains in the log after a reboot.

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

This is the genuine MSConfig and is probably there because Selective Startup is running on the PC. The entry appears when you uncheck an item in the Startup group, and will disappear if on the next reboot you select the option to not be reminded that you are running in Selective Startup mode.


Can you open Notepad (Start Menu > Run > type notepad and press OK).

Then copy and paste the contents of the code box into Notepad:

REM Export the machine-wide and per-user Policies keys to text files
regedit /e HKLM.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
regedit /e HKCU.txt "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
REM Join the two exports into one file and remove the originals
copy HKLM.txt + HKCU.txt = result.txt
del /q HKLM.txt
del /q HKCU.txt
REM Show the result; the file is deleted once Notepad is closed
notepad result.txt
del /q result.txt

Go to File on the top bar of Notepad and choose Save As. In Save as type change it to All Files, name it Export.bat and save it to your desktop.

Double click Export.bat to run the script; it will export the details and open the information with Notepad. Please post the export details back.


Download Ewido Anti-Malware from Here.

When installing, under "Additional Options" uncheck "Install background guard". Click on Update in the left menu, then click the Start update button and wait until the update finishes (the status bar at the bottom will display "Update successful").

Click on the Scanner button in the left menu, then click on Complete System Scan. If Ewido finds something, it will pop up a notification. Select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK. When the scan finishes, click on "Save Report" from the bottom of the screen, save it to your desktop and post the results back.

Cheers

Andy

#10 OFFLINE   Lost1

    Advanced Member

  • Members
  • 56 posts

Posted 21 April 2006 - 10:20 AM

Hi Andy

I think the Tablet PC component was installed to use in MSN messenger to use the Handwrite feature.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/home.htm (I did this on purpose; it was recommended when the blank home page was being used for hijacking)
might explain this?
>>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
Should I add the path C:/home.htm to the registry?

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

After you explained this to me, I guess it's because I have error reporting etc. turned off using XP-AntiSpy.
I am not sure but it sounds like that: http://xp-antispy.or...ent/view/17/45/
http://xp-antispy.org I don't mind those entries now I know what they are, thanks.

And you're right with msconfig, I do have Selective Startup.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:02:48 PM, 21/04/2006
+ Report-Checksum: 2EE2518D

+ Scan result:

C:\WINDOWS\cpu.exe -> Downloader.Hanlo.q : Cleaned with backup
C:\WINDOWS\system32\ld15C.tmp -> Downloader.Zlob.kp : Cleaned with backup


::Report End :o

Thanks Andy (I know I haven't run your script; I hope my using XP-AntiSpy etc. answered that, if not I can still run it if need be)

I am a bit paranoid about posting logs on public forums. Anyway ewido found 2 more infections lol

Geez they're sneaky

Cheers Have a great weekend :)

#11 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 21 April 2006 - 11:59 AM

Quote

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/home.htm (I did this on purpose; it was recommended when the blank home page was being used for hijacking)
might explain this?
>>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
Should I add the path C:/home.htm to the registry?


The Local Page will always be = %systemroot%\System32\blank.htm, so it's not related to you changing the Start Page. Fixing the entries with HijackThis will return it to the above path, and then HijackThis will ignore it when you scan again.


I'd still like you to run the Export script to check your Policy keys for problems. I appreciate you're concerned about posting logs, but I wouldn't ask anyone to use a scanner or export that reveals personal information. The policy keys may not get detected by the anti-malware scanners and will not show in HijackThis, but they can be used to start files automatically when the system boots, or to set restrictions to prevent you changing the desktop wallpaper or running regedit etc., so it's well worth taking a look at them. (I've attached the batch file to this post in a zipped folder (PolicyCheck.zip), or you can create it using the contents of the code box in my last post.)

Here are the PolicyCheck results on my PC.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID]
"{17492023-C23A-453E-A040-C7C580BBF700}"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
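An added example, written for this edit and not taken from the thread or from any of the tools named in it: a small Python parser for the text that Export.bat produces (the regedit /e format). It reports anything under a Policies\Explorer\Run key, the kind of entry Spyware Doctor flagged in the scan report above, and the usual restriction values set under Policies\System, Policies\Explorer and Policies\ActiveDesktop (DisableRegistryTools, NoChangingWallPaper and similar). It goes a little beyond the batch file in that it copes with the two joined exports, each with its own header, and with hex values that regedit splits over several lines. The two sample exports inside it are constructed for the example and modelled on the outputs posted here; the value data C:\WINDOWS\system32\suspect.exe is a placeholder, not a file from this thread.

```python
import re
from typing import Dict, List, Tuple

# Added example: parse regedit /e output and flag Policies entries. Not code
# from the thread or from any tool named in it.
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')  # "name"=data or @=data

# Restriction values malware sets under CurrentVersion\Policies, by key tail.
RESTRICTIONS = {
    r"policies\system": {"disableregistrytools", "disabletaskmgr"},
    r"policies\explorer": {"nodesktop", "norun", "nofolderoptions",
                           "nocontrolpanel", "noviewcontextmenu"},
    r"policies\activedesktop": {"nochangingwallpaper"},
}
UNSET = {"dword:00000000", "hex:00,00,00,00"}


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: raw_data}}. Copes with several exports joined
    into one file (each with its own header and BOM) and with hex values continued
    over lines with a trailing backslash, as regedit writes them."""
    keys: Dict[str, Dict[str, str]] = {}
    current, pending = None, ""
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").rstrip()
        if pending:                                   # continuation line
            line, pending = pending + line.lstrip(), ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1) if m.group(1) is not None else "@"] = m.group(2)
    return keys


def find_policy_problems(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (kind, key_path, 'name = data') for every suspicious entry."""
    findings: List[Tuple[str, str, str]] = []
    for path, values in keys.items():
        tail = path.lower()
        if tail.endswith(r"policies\explorer\run"):
            # Everything here runs at logon; a clean key is empty or absent.
            findings += [("autostart", path, f"{n} = {d}") for n, d in values.items()]
            continue
        for suffix, names in RESTRICTIONS.items():
            if tail.endswith(suffix):
                findings += [("restriction", path, f"{n} = {d}") for n, d in values.items()
                             if n.lower() in names and d.lower() not in UNSET]
    return findings


def report(text: str) -> List[str]:
    """One line per finding, or a single all-clear line."""
    findings = find_policy_problems(parse_reg_export(text))
    if not findings:
        return ["No Run entries or restriction values found under Policies."]
    return [f"[{kind}] {path} -> {entry}" for kind, path, entry in findings]


# Constructed samples modelled on the exports posted in the thread (not the
# thread's own data); suspect.exe is a placeholder file name.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000001
"shutdownwithoutlogon"=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=hex:91,00,\
  00,00
"ClearRecentDocsOnExit"=dword:00000001
"""

INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run]
"wininet.dll"="C:\\WINDOWS\\system32\\suspect.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000001
"DisableRegistryTools"=dword:00000001
"""

if __name__ == "__main__":
    for label, sample in (("clean sample", CLEAN_EXPORT), ("infected sample", INFECTED_EXPORT)):
        print(f"== {label} ==\n" + "\n".join(report(sample)))
```

To run it against a real result.txt, copy the file before closing Notepad (Export.bat deletes it afterwards). regedit /e writes the file as UTF-16 with a byte-order mark, and copy's default ASCII mode can leave a trailing Ctrl-Z byte, so read it with open(path, "rb"), strip a trailing b"\x1a", decode as "utf-16" and pass the text to report(). On a clean machine nothing should be listed under Policies\Explorer\Run, and the restriction values, if present at all, should be dword:00000000.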


#12 OFFLINE   Lost1

    Advanced Member

  • Members
  • 56 posts

Posted 21 April 2006 - 01:12 PM

AndyManchesta, on Apr 21 2006, 11:59 AM, said:

The Local Page will always be = %systemroot%\System32\blank.htm, so it's not related to you changing the Start Page. Fixing the entries with HijackThis will return it to the above path, and then HijackThis will ignore it when you scan again.
I'd still like you to run the Export script to check your Policy keys for problems. I appreciate you're concerned about posting logs, but I wouldn't ask anyone to use a scanner or export that reveals personal information. The policy keys may not get detected by the anti-malware scanners and will not show in HijackThis, but they can be used to start files automatically when the system boots, or to set restrictions to prevent you changing the desktop wallpaper or running regedit etc., so it's well worth taking a look at them. (I've attached the batch file to this post in a zipped folder (PolicyCheck.zip), or you can create it using the contents of the code box in my last post.)

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000001
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
"ClearRecentDocsOnExit"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

Cheers Andy... it's gobbledygook to me


:)

#13 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 21 April 2006 - 01:27 PM

I wanted to check if any files were using the Run value to autostart, so it's great to see the Run keys are not being used :)

Run Panda ActiveScan when you get the time, but it looks like Spyware Doctor removed the problem as the HijackThis log & policy keys look fine.

Panda Activescan.

Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan
(Note: It may take a couple of minutes)
- When the download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location so you can post it back if needed.

Let us know if you have any more problems or if Panda finds any junk (except cookies) :)

Have a Fun Weekend

Andy

#14 OFFLINE   Lost1

    Advanced Member

  • Members
  • 56 posts

Posted 21 April 2006 - 01:37 PM


#15 OFFLINE   Lost1

    Advanced Member

  • Members
  • 56 posts

Posted 21 April 2006 - 01:50 PM

What do you recommend Andy, really... what is the best malware program out there?

#16 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 21 April 2006 - 02:05 PM

There's plenty of free software around that works just as well as paid versions, but I couldn't say which one is the best. I tend to find that each has different malware lists, so you can run one scan after another and they all find different parts of infections. I have Ad-Aware SE, Spybot S&D and Ewido installed (Ewido shows it's a 14 day trial, but it only stops the real time protection and auto updates after it expires; you can still update and run the scanner manually anytime, so it's worth keeping), then SpywareBlaster, which works in a different way as it adds malicious sites to the Restricted zone and blocks malicious ActiveX components. The MVPS Hosts file can also provide good protection by blocking access to the junk/download sites. There's some links to free protection programs Here if you need them anytime.

Andy

#17 OFFLINE   Lost1

    Advanced Member

  • Members
  • 56 posts

Posted 21 April 2006 - 07:09 PM

Ad-Aware and Spybot... even Trend Micro didn't fix the winlogon.exe... Spyware Doctor did. Then you gave me Ewido... man, that found 2 more sneaks that Spyware Doc didn't pick up on!!

(a lot of cousins and friends... newbies in real life, not on the net, expect me to fix their PCs as I am quite the expert ;) ...I am obviously not hahaha)

I love learning this stuff. I know the basics... like to look at msconfig... and Run entries in the reg and hosts file changes;
also using HijackThis gives me an idea if something is wrong.


Thanks a million Andy. Now I can fix my cousin's PC with confidence and not look like a tool :)... well maybe... I might end up having to post her log also.

Anyway I really appreciate your wisdom... you rock man.

Cheers

Lost1

#18 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 21 April 2006 - 07:17 PM

No problem, Glad I could help :)

Post your cousin's log if you need a second opinion on anything or think there might be malware problems and we can help you get it cleaned up.

#19 OFFLINE   joiner

    Member

  • Members
  • 14 posts

Posted 21 April 2006 - 08:54 PM

Lost1, on Apr 21 2006, 08:09 PM, said:

Ad-Aware and Spybot... even Trend Micro didn't fix the winlogon.exe... Spyware Doctor did. Then you gave me Ewido... man, that found 2 more sneaks that Spyware Doc didn't pick up on!!

(a lot of cousins and friends... newbies in real life, not on the net, expect me to fix their PCs as I am quite the expert ;) ...I am obviously not hahaha)

I love learning this stuff. I know the basics... like to look at msconfig... and Run entries in the reg and hosts file changes;
also using HijackThis gives me an idea if something is wrong.
Thanks a million Andy. Now I can fix my cousin's PC with confidence and not look like a tool :)... well maybe... I might end up having to post her log also.

Anyway I really appreciate your wisdom... you rock man.

Cheers

Lost1

Andy is the most helpful person you will find on any forum he is on; he is the best. Joiner :rolleyes:

#20 OFFLINE   Lost1

    Advanced Member

  • Members
  • 56 posts

Posted 21 April 2006 - 09:20 PM

joiner, on Apr 21 2006, 08:54 PM, said:

Andy is the most helpful person you will find on any forum he is on; he is the best. Joiner :rolleyes:
:huh: I will make my own mind up :o but you're right!!!

:D Andy Rocks