winlogon.exe crashing my computer

Post by apj868 » September 18th, 2008, 8:33 pm

Hi all,
My computer is connected to a university network that was recently upgraded and didn't work for a while. It appears now that the network problem has been fixed by our IT support team, but as soon as it was, a virus came through the network (???) and infected my computer.

Whenever I start up my computer, within a few seconds of Windows (XP) loading the start bar changes to the classic start bar (from earlier versions of Windows) and my computer restarts. When Windows is loaded again it says that winlogon.exe caused the crash (with a date and time) and gives me the option to send an error report. The cycle keeps happening. I can boot the computer in safe mode and it's fine. When it first occurred I could run system restore and it would run fine for a while (5-10 minutes) before it started crashing again.

I have been able to find a solution to run my computer by stopping a program by the name of Windows NT Logon Application from accessing the internet through a firewall, or by physically removing my computer from the network (i.e. pulling the connection from the socket), though when I do this I don't have any internet access. It appears from my firewall's information that the Windows NT Logon Application is attempting to access the internet every 5 seconds; this is the information the firewall gave me on the attempts:
Application path: C:\WINDOWS\SYSTEM32\WINLOGON.EXE
Application description: Windows NT Logon Application
Protocol: TCP
Source IP Address: LIP
Source port: different each time, rises by 1 each time starting from around 1035
Destination: different each time
Destination port: 80
This works to get my computer running, but I now can't access the internet (it just says page cannot be displayed) even with the network cable plugged in and the firewall stopping the malware from running.

The IT staff at uni have told me to try the following:
1) do a system restore and quickly install Windows and antivirus updates before the virus can reinstall itself. When the problem first occurred system restore did work, but now every time I've tried it, it says that it fails.
2) Windows restore from CD. This process worked, however it did not fix the problem.
3) reformat the hard drive and reinstall windows. I would like to avoid this if possible.

I have also noticed lately that my system has quite variable performance: it will work fine for a few minutes and then run slow for a couple. This is mostly evident when playing games. Not sure if this is related to the above problem, a separate virus, or hardware related.

As I have had no internet for a while my antivirus and windows updates are not up to date.

Below is my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:57:57 AM, on 19/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uow.edu.au/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uow.edu.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.uow.edu.au;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [activeds] C:\WINDOWS\system32\activeds.exe
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Policies\Explorer\Run: [scApp] C:\DOCUME~1\User\LOCALS~1\Temp\suchost.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 6527 bytes

Any help you can give me on this will be appreciated

p.s. sorry about the length of the post, I have just been digging and found quite a bit about this problem and thought some of it may help you
apj868
Active Member
Posts: 11
Joined: September 17th, 2008, 12:31 am
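The HijackThis log above is what the helpers read to decide what is suspicious, and the entries that stand out are mechanical to spot: an O4 autostart under a Policies\Explorer\Run key that points into a Temp directory, an O23 service with no publisher whose binary is missing, and Run values that name a bare executable with no path. As an added example (my own code, not a MalwareRemoval.com tool and not part of this thread), the script below applies those rules to a handful of lines copied from the log and ranks the hits. The severity labels, regexes and "user-writable" path list are my own choices.

```python
import re
from dataclasses import dataclass

# Sample input: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKCU\..\Run: [activeds] C:\WINDOWS\system32\activeds.exe
O4 - HKCU\..\Policies\Explorer\Run: [scApp] C:\DOCUME~1\User\LOCALS~1\Temp\suchost.exe
O23 - Service: Microsoft ASPI Manager (aspimgr) - Unknown owner - C:\WINDOWS\system32\aspimgr.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
"""


@dataclass
class Finding:
    severity: str   # HIGH, MEDIUM, LOW or INFO
    section: str    # HijackThis section the entry came from (O4, O23, ...)
    name: str       # Run-key value name, service short name, or BHO/toolbar title
    reason: str


ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<desc>.*) \((?P<svc>[^()]+)\) - (?P<owner>.*?) - (?P<path>.*)$")
NOFILE_RE = re.compile(r"^(?P<sec>R3|O2|O3) - (?P<title>.*?) - \{[0-9A-Fa-f-]+\} - \(no file\)$")
# Locations an ordinary user can write to; installers do not put autostarts here.
USER_WRITABLE = re.compile(r"\\(temp|locals~1|local settings|application data|desktop)\\", re.I)


def run_target(cmd):
    """Return the file a Run-key command actually loads (the DLL when rundll32 is the host)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        exe, _, rest = cmd[1:].partition('"')
    else:
        exe, _, rest = cmd.partition(" ")
    if exe.lower().endswith("rundll32.exe"):
        return rest.strip().split(",", 1)[0].strip('" ')
    return exe


def triage(log_text):
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            target = run_target(m["cmd"])
            if "policies\\explorer\\run" in m["key"].lower() or USER_WRITABLE.search(target):
                findings.append(Finding("HIGH", "O4", m["name"],
                                        f"autostart from a policy Run key or user-writable path: {target}"))
            elif "\\" not in target:
                # No directory: Windows resolves the name through the search path,
                # so a file dropped earlier in that path would be picked up instead.
                findings.append(Finding("LOW", "O4", m["name"],
                                        f"unqualified executable name resolved via search path: {target}"))
            continue
        m = O23_RE.match(line)
        if m:
            reasons = []
            if "(file missing)" in m["path"].lower():
                reasons.append("binary missing from disk")
            if m["owner"].lower() == "unknown owner":
                reasons.append("no publisher information")
            if reasons:
                findings.append(Finding("MEDIUM", "O23", m["svc"], "; ".join(reasons) + f": {m['path']}"))
            continue
        m = NOFILE_RE.match(line)
        if m:
            findings.append(Finding("INFO", m["sec"], m["title"], "orphaned entry, target file absent"))
    findings.sort(key=lambda f: ORDER[f.severity])
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.severity:6} {f.section:3} {f.name}: {f.reason}")
```

On this log the ranking matches what the thread later confirms: the scApp entry loading suchost.exe from Temp is the strongest signal, and the aspimgr service flagged for a missing binary and no owner is the one SDFix deletes further down. The rules deliberately stay generic (no name lists), so an entry like activeds.exe, which sits in system32 under a normal Run key, is not flagged by them; that is exactly the kind of entry a human helper still has to judge.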
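The firewall observation in the opening post is worth more than the HijackThis log for triage: a logon process opening a TCP/80 session roughly every 5 seconds, to a new destination each time, is the shape of a command-and-control beacon, and it is detectable from connection logs alone. The script below is an added example of my own (not a tool from this thread) that scores each process's outbound connections for timer-like regularity and for being a system process that should never talk HTTP. The log lines are constructed to match the post's description; the line format, timestamps and addresses are invented, and a browser's traffic is mixed in for contrast.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from os.path import basename

# Constructed firewall log modelled on the post: WINLOGON.EXE, TCP, a source port that climbs
# by one from 1035, a new destination every time, port 80, roughly every five seconds.
SAMPLE_LOG = r"""
2008-09-18 20:33:00 OUT TCP C:\WINDOWS\SYSTEM32\WINLOGON.EXE 1035 203.0.113.10:80
2008-09-18 20:33:03 OUT TCP C:\Program Files\Internet Explorer\iexplore.exe 1100 198.51.100.5:80
2008-09-18 20:33:05 OUT TCP C:\WINDOWS\SYSTEM32\WINLOGON.EXE 1036 203.0.113.27:80
2008-09-18 20:33:09 OUT TCP C:\Program Files\Internet Explorer\iexplore.exe 1101 198.51.100.5:80
2008-09-18 20:33:10 OUT TCP C:\WINDOWS\SYSTEM32\WINLOGON.EXE 1037 203.0.113.44:80
2008-09-18 20:33:16 OUT TCP C:\WINDOWS\SYSTEM32\WINLOGON.EXE 1038 203.0.113.61:80
2008-09-18 20:33:20 OUT TCP C:\WINDOWS\SYSTEM32\WINLOGON.EXE 1039 203.0.113.78:80
2008-09-18 20:33:25 OUT TCP C:\WINDOWS\SYSTEM32\WINLOGON.EXE 1040 203.0.113.95:80
2008-09-18 20:33:31 OUT TCP C:\WINDOWS\SYSTEM32\WINLOGON.EXE 1041 203.0.113.112:80
2008-09-18 20:33:35 OUT TCP C:\WINDOWS\SYSTEM32\WINLOGON.EXE 1042 203.0.113.129:80
2008-09-18 20:33:40 OUT TCP C:\Program Files\Internet Explorer\iexplore.exe 1102 198.51.100.6:80
2008-09-18 20:35:00 OUT TCP C:\Program Files\Internet Explorer\iexplore.exe 1103 198.51.100.6:80
"""

# Core Windows processes that never initiate outbound HTTP on their own.
SYSTEM_PROCESSES = {"winlogon.exe", "lsass.exe", "smss.exe", "csrss.exe", "services.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>OUT|IN) (?P<proto>TCP|UDP) (?P<path>.+?) "
    r"(?P<sport>\d+) (?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "proc": basename(m["path"].replace("\\", "/")).lower(),
            # Kept for the record only: the climbing source port is XP's sequential
            # ephemeral-port allocation and says nothing about the process.
            "sport": int(m["sport"]),
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def analyze(log_text, min_events=4, max_interval=60.0, max_jitter=0.25, min_dsts=3):
    """Score each process's outbound connections for beacon-like regularity."""
    by_proc = defaultdict(list)
    for ev in parse(log_text):
        by_proc[ev["proc"]].append(ev)
    report = {}
    for proc, evs in by_proc.items():
        if len(evs) < min_events:
            continue
        evs.sort(key=lambda e: e["ts"])
        deltas = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        median = statistics.median(deltas)
        # Coefficient of variation of the inter-arrival times: close to 0 means a fixed timer.
        jitter = statistics.stdev(deltas) / median if median > 0 else float("inf")
        dsts = {e["dst"] for e in evs}
        beacon = median <= max_interval and jitter < max_jitter and len(dsts) >= min_dsts
        sysproc = proc in SYSTEM_PROCESSES
        report[proc] = {
            "count": len(evs),
            "median_interval": median,
            "jitter": round(jitter, 3),
            "distinct_dsts": len(dsts),
            "verdict": "beacon" if beacon else "normal",
            # A beaconing system process is the worst case; any outbound HTTP from one
            # still deserves a look, so it never scores below MEDIUM.
            "severity": "HIGH" if beacon and sysproc else "MEDIUM" if (beacon or sysproc) else "NONE",
        }
    return report


if __name__ == "__main__":
    for proc, r in analyze(SAMPLE_LOG).items():
        print(proc, r)
```

The thresholds are deliberately loose (a median interval under a minute, inter-arrival jitter under 25%, at least three distinct destinations) because real beacons add random sleep to their timer; tighten them against your own baseline. Note that the verdict is "beacon" for winlogon.exe and "normal" for the browser even though both only ever talk to port 80, which is why process name plus timing, not port number, is the useful signal here.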

Re: winlogon.exe crashing my computer

Post by Carolyn » September 23rd, 2008, 4:04 pm

Hello and Welcome to the forums! My name is Carolyn.

I hate to give you bad news but one or more of the identified infections is a backdoor trojan.

Backdoor Trojans are the most dangerous and most widespread type of Trojan. Backdoor Trojans provide the author or "master" of the Trojan with remote "administration" of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
In addition to the backdoor Trojan that has been identified, your computer is afflicted with multiple other infections. Although we can make an attempt to clean this machine, we cannot guarantee that it will be secure afterwards. Your best and safest course of action is a reformat and reinstallation of the Windows operating system.

If you do decide to attempt cleaning rather than a reformat, do understand that although we may be able to remove all known visible malware, we cannot guarantee that unknown and unseen malware will have been removed, nor will your system be restored to its pre-infection state. We cannot remedy unknown changes the malware may likely have made in order to allow itself access, nor can we repair the damages it may possibly have caused to vital system files.

Please note that even if we should be successful in removing these infections from your system, it is quite possible that the changes made to the system by the malware may impact negatively on your computer during the removal process. In short, your system may never regain its former stability or its full functionality without a reformat.

Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

Should you have any questions, please feel free to ask.
Please let us know what you have decided to do in your next post.
Carolyn
MRU Emeritus
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: winlogon.exe crashing my computer

Post by apj868 » September 23rd, 2008, 11:09 pm

Thanks for the reply,
I am currently around 6 weeks from handing in my honours year thesis and at this stage of the year can't have this computer out of action for too long. I was just wondering how long it would take to reformat my computer and whether you would advise me to do it on my own or take it to a shop and get it done professionally (I am generally quite computer-literate, however I have never attempted something like this before).

The other option would be to wait until I finish uni for the year and reformat it then. If my computer would be down for more than a couple of days this may be my better option. I can live without internet on this computer as I have shared computers that I can use to get onto the internet at college and uni. If I was to go this way is there anything you would recommend me to do?

I also thought I should mention that I don't use this computer for any kind of internet banking or buying over the internet, so that should not be a problem. The only sensitive information on it should be my uni login details; I have changed my password and checked that all my details are still correct (which they are). Is there anything else I should do as far as this is concerned?

Re: winlogon.exe crashing my computer

Post by Carolyn » September 24th, 2008, 3:58 pm

Hi,

Well, I think that if you're not going to reformat until after the school year concludes, then we should clean the malware from your computer to the best of our ability.

Reformatting and reinstalling Windows is a fairly involved process but one you can most likely handle. You might get a faster turn-around by taking the computer to a shop. You could make some phone calls to get an idea how quickly a shop could get the computer back to you.

Here's my usual post to users who are preparing to format/reinstall:


Formatting your hard drive and reinstalling Windows are fairly involved processes. You might do well to post requesting assistance from this bleepingcomputer.com forum: Windows XP Home and Professional
The helpers there are well equipped to guide you through the format and installation processes. They may also be able to assist you with backing up data before you format your hard drive.

Here is a link with information that will be helpful: Reformatting Windows by wng_z3r0

Here are some important points to keep in mind before you begin this process:

Some Re-installation Notes (taken from When should I re-format? How should I reinstall?)


* Be sure to back-up all data before re-formatting the computer's hard drive. This includes address books, documents, music, settings, saved games, and anything else not obsolete.

The re-format process will wipe the computer's hard drive clean, destroying all data and programs.

* PCs are made so they can be reformatted. But sometimes, especially with major brand-name computers, there are special procedures that require reading the manual, visiting the manufacturer's website, or, if the manufacturer has gone out of business, searching on http://www.google.com.

Some computers have the BIOS or re-installation software in small partitions on the hard drive.

- Do not re-partition the hard drive without carefully consulting the maker's manual and website.
- Check on the use of any partition, other than C:, before re-formatting it.

* Some computers require special drivers which are downloadable from the computer manufacturer's or vendor's website or device manufacturer's website. Use an uninfected computer to download these files to diskettes or a CD, and print out the installation instructions, in advance.

* Gather together the CDs, diskettes, and Internet addresses required to re-install the software.

* Since you should avoid searching the web until your computer is fully secured, it is a good idea to download any programs you will need to secure your computer prior to re-formatting. Use an uninfected computer to do this.

* Physically unplug the computer from the Internet before re-formatting.

* Leave the computer physically disconnected (unplugged) from the Internet until it is protected by a firewall (ICF, a NAT router, or other hardware or software firewall).

If the computer has a wireless card, remove or shield the card so that the computer cannot connect to any access points.

* An unpatched computer without proper firewall protection can be infected within seconds of being connected to the Internet.

The computer must be protected by a hardware firewall, NAT router, or a software firewall before plugging it back in to the internet or you can be infected in a few seconds.

* When installing from a Windows XP SP2 CD, the installation will default to having the Windows XP SP2 Firewall activated, so the hazard is greatly reduced. With earlier service packs of Windows XP and earlier versions of Windows, you must manually turn on a firewall.



After your computer is back up and running with all of the Service Packs and Updates installed, here are some steps that can help you to keep your computer safe from malware:
  • Turn System Restore on
    • On the Desktop, right click on the My Computer icon.
    • Click Properties.
    • Click the System Restore tab.
    • Uncheck *Turn off System Restore*.
    • Click Apply, and then click OK.
    Note: only do this once, and not on a regular basis
  • Set correct settings for files
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under Hidden files and folders if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check Display content of system folders
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK
  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

  • Install and use a firewall with outbound protection
    The Windows firewall only monitors incoming traffic, NOT outgoing. Using a software firewall in its default configuration to replace the Windows firewall greatly reduces the risk of your computer being hacked. Make sure your firewall is always enabled while your computer is connected to the internet.
    Note: You should only have one firewall installed at a time. Having more than one firewall installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.

  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.
    Note: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.

  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.

  • Make Internet Explorer More Secure
    Upgrade to Internet Explorer 7, then please read and follow the recommendations at this SITE
Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.

  • SpywareBlaster
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.

  • Malwarebytes' Anti-Malware
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.

  • Hosts File
    For added protection you may also like to add a Hosts file. A simple explanation of what a Hosts file does is HERE and for more information regarding Hosts files read HERE.

    Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
    If this isn't done first, the next reboot may take a VERY LONG TIME.
    This is how to do it. First be sure you are signed in as a user with administrative privileges:
    Stop and Disable the DNS Client Service
    Go to Start, Run and type Services.msc and click OK.
    Under the Extended Tab, Scroll down and find this service.
    DNS Client
    Right-Click on the DNS Client Service. Choose Properties
    Select the General tab. Click on the Stop button.
    Click the Arrow-down tab on the right-hand side at the Start-up Type box.
    From the drop-down menu, click on Manual
    Click the Apply tab, then click OK



  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox
    Opera
Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

Please let me know how you would like to proceed.

Re: winlogon.exe crashing my computer

Post by apj868 » September 25th, 2008, 9:10 pm

Hi,

I think I'll wait until uni is finished to reformat my computer. I have a couple of questions about your previous post:

1) Is it possible to download Windows and/or antivirus updates on a different computer and transfer them to the infected computer? The major problem I had when I came here was that my computer was crashing and the only way to stop this was to lock the internet down tight by pulling it out of the wall or stopping all internet activity through a firewall (I believe a virus that is crashing the computer needs the internet to run).

2) I appear to already have a Hosts file. I didn't know I had it until I tried to run HijackThis and my firewall blocked attempts to access the Hosts file. Should I be concerned about this? The following appears to be its contents:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

Thanks

Re: winlogon.exe crashing my computer

Post by Carolyn » September 26th, 2008, 7:12 am

apj868 wrote: 1) Is it possible to download Windows and/or antivirus updates on a different computer and transfer them to the infected computer? The major problem I had when I came here was that my computer was crashing and the only way to stop this was to lock the internet down tight by pulling it out of the wall or stopping all internet activity through a firewall (I believe a virus that is crashing the computer needs the internet to run).


When we begin to clean your computer, I will ask you to download tools using another computer and transfer them to the infected computer using removable media. Once we regain control of the infected box, you will be able to download additional tools as needed using that computer's internet connection. You should not download Windows or other updates until I instruct you to do so.

2) I appear to already have a Hosts file. I didn't know I had it until I tried to run HijackThis and my firewall blocked attempts to access the Hosts file. Should I be concerned about this?


That Hosts file is the windows default Hosts file. After your computer is clean, as an added security measure, you can consider using a more comprehensive Hosts file or you could even just make the default one read-only. All of those recommendations I included in my prior post should only be implemented after your computer is clean.

Let me know if you are ready to begin the cleaning process or if you have any further questions.

Re: winlogon.exe crashing my computer

Post by apj868 » September 28th, 2008, 11:53 pm

Sorry for the delay in reply, I have been out of town over the weekend.

I am ready to start the cleaning process now.

Thanks

Re: winlogon.exe crashing my computer

Post by Carolyn » September 29th, 2008, 12:57 pm

Hello,

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


Download and Run ComboFix (by sUBs)

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper.


We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.


  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

The SDFix report
C:\ComboFix.txt
New HijackThis log.

Re: winlogon.exe crashing my computer

Post by apj868 » September 30th, 2008, 8:05 pm

Here are the logs you requested:

I have noticed that the "Windows NT logon application" is no longer attempting to access the internet. I still can't connect to the internet, but it may be something to do with something I've blocked with my firewall or something to do with my network setup. As I said in my original post, we've recently changed our network setup and I have not been able to get it working properly.

SDFix

SDFix: Version 1.230
Run by User on Tue 30/09/2008 at 01:02 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Rootkit Found :
C:\WINDOWS\system32\drivers\QQJ68.sys - Rootkit Pandex/Cutwail - Protect.sys

Name :
aspimgr
QQJ68

Path :
C:\WINDOWS\system32\aspimgr.exe
System32\Drivers\Qqj68.sys

aspimgr - Deleted
QQJ68 - Deleted



Restoring Default Security Values
Restoring Default Hosts File

Rebooting

Service QQJ68 - Deleted

Checking Files :

Trojan Files Found:

C:\WINDOWS\db32.txt - Deleted
C:\WINDOWS\s32.txt - Deleted
C:\WINDOWS\system32\form.txt - Deleted
C:\WINDOWS\system32\info.txt - Deleted
C:\WINDOWS\ws386.ini - Deleted
C:\WINDOWS\system32\drivers\QQJ68.sys - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 13:10:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\GPLSecrets\\iGOR\\iGOR.exe"="C:\\Program Files\\GPLSecrets\\iGOR\\iGOR.exe:*:Enabled:iGOR"
"C:\\Codemasters\\Toca2\\Game\\TC2.exe"="C:\\Codemasters\\Toca2\\Game\\TC2.exe:*:Enabled:TC2"
"C:\\Program Files\\Codemasters\\Colin McRae Rally 2\\CMR2Network.exe"="C:\\Program Files\\Codemasters\\Colin McRae Rally 2\\CMR2Network.exe:*:Enabled:Colin McRae Rally 2"
"C:\\SIMS\\RACER\\racer.exe"="C:\\SIMS\\RACER\\racer.exe:*:Enabled:racer"
"C:\\Program Files\\GetTiffany\\gettiffany.exe"="C:\\Program Files\\GetTiffany\\gettiffany.exe:*:Enabled:Macromedia Projector"
"C:\\Documents and Settings\\User\\Desktop\\Games\\New Folder(2)\\Racer\\racer053b4\\racer053b4\\racer.exe"="C:\\Documents and Settings\\User\\Desktop\\Games\\New Folder(2)\\Racer\\racer053b4\\racer053b4\\racer.exe:*:Enabled:racer"
"C:\\Program Files\\TrackMania United\\TmUnited.exe"="C:\\Program Files\\TrackMania United\\TmUnited.exe:*:Enabled:TmUnited"
"C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe"="C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe:*:Disabled:BattlefrontII"
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"="C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"="C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe:*:Enabled:Star Wars(TM): Empire at War(TM)"
"C:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"="C:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe:*:Enabled:Star Wars(TM): Empire at War(TM): Forces of Corruption(TM)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 25 Sep 2008 6,482 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti4.tmp"
Wed 13 Jun 2007 428 A.SHR --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\7.tmp"
Fri 15 Dec 2006 56,918 A.SH. --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\8.tmp"
Wed 4 Aug 2004 89,800 A.SHR --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\mmc32.EXE"
Fri 15 Dec 2006 56,918 A.SH. --- "C:\Program Files\Trend Micro\Internet Security\Quarantine\sys.exe"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\02de7e010b102d1b002eae730ee9a91d\BIT41.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\048af993ae2ed4d75a64004cdace7dc7\BIT19.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\06d2317625f446848180d6fbbd0965a3\BIT4E.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\09b697f708f0d361a93919ddce864231\BIT45.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\09cec975ca432e3755e6de59a832bc9d\BIT57.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0af245ae5d19789b0a9df918b46ae856\BIT46.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0c5ae7f0a55aa3945b0049c32bd1f87e\BIT48.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0e5cbd9014c23c871efde5edc54963ac\BIT13.tmp"
Tue 26 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0f8a5d0d09e527fa35dec9e085d4b802\BIT5.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\12bfcf41210f13b546425dc688958c13\BIT17.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\148de0326d477275a5caa143d99b91fe\BIT5B.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\167324100dbbfff75585b0b52411ea08\BIT59.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1e7d841a89d2047c5e06dcf3809e93b8\BIT20.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\23a7f75712f8cbc729856cbf376e24df\BIT7.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\29ca2472a894ab6b663960e3e9519fb8\BIT51.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2a8a398b93f073a8e89edb6f535b568c\BITD.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2e71ac0cc308cf93e5bb5cae2473c5ea\BIT5D.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2ff17bce83d84a37f6d73168ac4cd5a3\BIT5A.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\301e8514ea830e4e6c8f8d5bd3e3578c\BIT1B.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\31dc453374675c778860dee387a4ac67\BIT1D.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\32666cc549704fa2341b5add57cbf961\BIT53.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\349aa22f286a5433bf7cf22bcf689410\BIT6.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\36e4585faf6df3e4c5a94b70b19dd46a\BIT44.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\376020e6ae0e8e568362e33e4d21fe59\BIT10.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\39926d2492b9b2a731a4507a2714de25\BITE.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\410ff09308a833491dba7686f0aee2eb\BIT6.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\418f0868ac07e2fcc433b25de22247d2\BITC.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\438bc24c7cb2c143ad5de7462443c8e4\BIT4C.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\44a219e05bf8aab61a32f76e1613f631\BIT5C.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4a1d113346e5353c4f7b24c8452c3900\BIT27.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4dcd4446b998d375e5b0734125a6a3ea\BIT16.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\506f198aa4bc7a22b8d48638220cf911\BIT3A.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\5742cba01317789c563b69d023836e16\BIT42.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\577671533ce9b937c7e6ff17bc14b41b\BIT36.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\57a460cd944ff5b92133e289b4b4ec17\BIT55.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\57adc2a1d64537edaf7508721d7d5870\BIT15.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\57ce0f23a4145429f2afdb89a4f0d9a5\BIT52.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\59de2970273834fc3112b341c718d3a6\BIT7.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\625936674aa3ed7187e76cc3b42efd1a\BIT3D.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\64038029e289ee76631f2fd73dae42b1\BIT3C.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\69db34482d17350eadd9e2b536a72326\BIT38.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6d16d7dcb46eecf1378bd3f61cf15d6f\BIT21.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6e3d4f16fcb31d8ebf357cea7961963c\BIT8.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6f38067488e1e6a205cb7f733b0863a2\BIT2F.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7020bb12542a498a9f77988616f5dbdd\BIT2A.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\710f51dd3626cdbe0db29e955d0d0654\BIT11.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\753241eccbfd8f924ab29df2bd7093bd\BIT1F.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\76352185be1dd408499b19e4fe3680b7\BIT2C.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7bb95e6cd6e6da9c9a1f7a9f8d9df9d6\BIT43.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7ccb49ea6694b408ed174cd0bb9e10b4\BIT35.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8184670e6f0913c70f6199314bbe72c1\BITF.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\84a6d88cd9a3ca6afc46cea3a5254645\BIT33.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8a6aa52f985fb83cff0989edfe78337c\BIT2D.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8fd02a4dc1f75ba1200dd84cd416b476\BIT49.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\940cf3f254a012802b402b39c626b0d6\BIT4D.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\943ef6abcb273fde47b6a2755ef8a8bf\BITB.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9a37091241a1b4b01e29705cd74fb749\BIT39.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a246fdeb20cdb52c2bd3a259bc386b32\BIT50.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a834f63554cc630060e378689935b487\BIT29.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a97c414dc028b7257c4812e79060155f\BIT4A.tmp"
Mon 18 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab9217b6e5750f9481b4ee261d21b730\BITE.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ae82eb975f11bf1a31f12ad33dfc983e\BIT34.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\aeb6b427eecbf9dc32a3f6568c381f19\BIT3B.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b5020c6226805fa7d3bb70d59bb8717c\BIT1A.tmp"
Tue 26 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b857106b57491ac2a650851d43af1c92\BIT6.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bde84a03924f04406c03980f653f79f9\BITA.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\bf911d48d497aec0c0033b7a4b86edcd\BIT2B.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c2ecf6c2da65d5d64f88e8d402b203fe\BIT40.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c3a6a32dc0ed6789e34aedf049c0350f\BIT26.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c7f52460ddc6afc70d96c7e9ec1e6c76\BIT12.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c8a7094560050652641194b3024cbeee\BIT47.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d9fe85597d5c252bd0aabfad1c37b4cd\BIT4B.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\da2a6520674c2ce56388c742dcf6473d\BIT18.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ddca07bcb620825c51d9aca7c4b07ddf\BIT24.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\dddd4fd58f8653a905accd82045c29f3\BIT22.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\df69c3389005015895736dd7f0459197\BIT3F.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\dfd2d38348a762e3f31116c9a23cee05\BIT58.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e442506fa65395c8749a7dfe2ec2aba7\BIT37.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e4bf8f006502f9204098963abd7010cf\BIT4F.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e4d24020b8a9e7e135c013fa09117017\BIT56.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e528462852a5c8b08a2d48f605cb2421\BIT23.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\e634183047ffd8531f334ebd18ada957\BIT28.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ec29241af73a2eb59968a59226f3f5be\BIT2E.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ecd3bd81d1f40941618ee492951e9ba4\BIT54.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ece62508423308aa059800cc94f26df4\BIT3E.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ef8392c749b24d44edd78a38c5331f91\BIT25.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f8d41a82e9484aa824fe75defe58d513\BIT1E.tmp"
Tue 19 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f9cf27d79d98fda951d39177957a21e8\BIT9.tmp"
Thu 17 May 2007 7,126,016 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0105.tmp"
Tue 15 Aug 2006 53,248 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0215.tmp"
Thu 17 May 2007 7,122,944 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0455.tmp"
Mon 30 May 2005 26,112 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0691.tmp"
Tue 2 Aug 2005 72,192 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0701.tmp"
Thu 18 May 2006 44,032 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0715.tmp"
Tue 2 Aug 2005 16,896 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0836.tmp"
Thu 18 May 2006 51,712 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0957.tmp"
Tue 15 Aug 2006 51,200 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL0991.tmp"
Tue 8 Aug 2006 32,256 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1065.tmp"
Thu 17 May 2007 36,864 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1253.tmp"
Mon 16 Oct 2006 36,864 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1397.tmp"
Tue 6 Sep 2005 19,456 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1483.tmp"
Thu 17 May 2007 37,376 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1550.tmp"
Tue 8 Aug 2006 37,376 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1575.tmp"
Tue 6 Sep 2005 49,664 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1735.tmp"
Tue 2 Aug 2005 60,928 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1812.tmp"
Tue 2 Aug 2005 73,728 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1951.tmp"
Tue 22 May 2007 15,192,064 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL1978.tmp"
Tue 22 May 2007 15,194,112 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2076.tmp"
Tue 22 May 2007 15,312,384 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2099.tmp"
Tue 2 Aug 2005 33,280 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2132.tmp"
Tue 22 May 2007 15,315,456 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2467.tmp"
Tue 22 May 2007 15,191,552 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL2825.tmp"
Tue 2 Aug 2005 51,200 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3048.tmp"
Tue 15 Aug 2006 49,664 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3096.tmp"
Tue 15 Aug 2006 50,688 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3410.tmp"
Tue 22 May 2007 15,317,504 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3584.tmp"
Tue 2 Aug 2005 20,480 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3627.tmp"
Thu 17 May 2007 40,448 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL3830.tmp"
Tue 8 Aug 2006 33,792 ...H. --- "C:\Documents and Settings\User\Application Data\Microsoft\Word\~WRL4077.tmp"
Thu 24 Jul 2008 3,015 ...HR --- "C:\Documents and Settings\User\Application Data\SecuROM\UserData\securom_v7_01.bak"
Fri 26 May 2006 4,198,912 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2006\Chem218\~WRL0807.tmp"
Fri 26 May 2006 4,199,936 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2006\Chem218\~WRL0834.tmp"
Fri 26 May 2006 4,200,960 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2006\Chem218\~WRL1952.tmp"
Thu 25 May 2006 4,191,744 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2006\Chem218\~WRL2039.tmp"
Fri 26 May 2006 4,198,912 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2006\Chem218\~WRL2475.tmp"
Fri 26 May 2006 4,200,448 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2006\Chem218\~WRL3041.tmp"
Wed 27 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b322861a5bd076059a815861126a2a03\download\BIT9.tmp"
Fri 29 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b6bef673c2e4e242a39946c4931e8a98\download\BIT8.tmp"
Thu 17 May 2007 15,174,144 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2007\Environmental\Pracs\~WRL0034.tmp"
Tue 22 May 2007 15,311,872 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2007\Environmental\Pracs\~WRL0714.tmp"
Tue 22 May 2007 15,311,872 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2007\Environmental\Pracs\~WRL1029.tmp"
Tue 22 May 2007 15,300,608 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2007\Environmental\Pracs\~WRL1065.tmp"
Tue 22 May 2007 15,193,088 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2007\Environmental\Pracs\~WRL1259.tmp"
Thu 17 May 2007 72,704 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2007\Environmental\Pracs\~WRL1297.tmp"
Thu 17 May 2007 7,121,920 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2007\Environmental\Pracs\~WRL1722.tmp"
Tue 22 May 2007 15,311,360 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2007\Environmental\Pracs\~WRL1787.tmp"
Tue 22 May 2007 15,261,184 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2007\Environmental\Pracs\~WRL2237.tmp"
Thu 17 May 2007 73,728 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2007\Environmental\Pracs\~WRL2315.tmp"
Tue 22 May 2007 15,311,872 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2007\Environmental\Pracs\~WRL3230.tmp"
Thu 17 May 2007 7,128,064 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2007\Environmental\Pracs\~WRL3460.tmp"
Tue 22 May 2007 15,191,040 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2007\Environmental\Pracs\~WRL3652.tmp"
Tue 22 May 2007 15,300,608 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2007\Environmental\Pracs\~WRL3729.tmp"
Tue 22 May 2007 15,309,824 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2007\Environmental\Pracs\~WRL3873.tmp"
Tue 22 May 2007 15,311,360 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2007\Environmental\Pracs\~WRL4067.tmp"
Thu 17 May 2007 15,173,632 ...H. --- "C:\Documents and Settings\User\My Documents\Uni Autumn 2007\Environmental\Pracs\~WRL4070.tmp"

Finished!

ComboFix
ComboFix 08-09-28.03 - User 2008-09-30 13:24:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1036 [GMT 10:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mdm.exe
C:\WINDOWS\system32\tmp30.tmp

.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 )))))))))))))))))))))))))))))))
.

2008-09-30 12:59 . 2008-09-30 12:59 <DIR> d-------- C:\WINDOWS\ERUNT
2008-09-30 12:56 . 2008-09-30 13:12 <DIR> d-------- C:\SDFix
2008-09-16 20:38 . 2008-09-16 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-09-02 14:06 . 2008-09-02 14:06 <DIR> d-------- C:\ie-spyad_zo
2008-09-02 14:04 . 2008-09-02 14:04 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-08-31 22:26 . 2004-08-04 22:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-08-31 22:25 . 2004-08-04 22:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-08-31 22:24 . 2008-08-31 22:24 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-08-31 22:24 . 2008-08-31 22:24 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-08-31 22:24 . 2008-08-31 22:24 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-08-31 22:24 . 2008-08-31 22:24 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-08-31 22:24 . 2008-08-31 22:24 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-08-31 22:08 . 2008-05-02 22:46 181,895 --a------ C:\WINDOWS\system32\nvdsp.chm
2008-08-31 22:08 . 2008-05-02 22:46 121,529 --a------ C:\WINDOWS\system32\nvcpl.chm
2008-08-31 22:08 . 2008-05-02 22:46 116,384 --a------ C:\WINDOWS\system32\nv3d.chm
2008-08-31 22:08 . 2008-05-02 22:46 54,988 --a------ C:\WINDOWS\system32\nvmob.chm
2008-08-31 21:59 . 2004-08-04 22:00 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-08-31 21:59 . 2004-08-04 22:00 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-08-31 21:59 . 2004-08-04 22:00 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-08-31 21:59 . 2004-08-04 22:00 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-08-31 21:27 . 2008-08-31 21:27 <DIR> d-------- C:\WINDOWS\LocalSSL
2008-08-31 17:52 . 2008-08-31 17:52 <DIR> d-------- C:\Program Files\Thrixxx
2008-08-26 16:28 . 2008-09-09 21:02 632 --a------ C:\WINDOWS\CoD.INI
2008-08-14 13:44 . 2008-08-31 21:25 <DIR> d-------- C:\WINDOWS\kdefense
2008-08-14 13:44 . 2008-08-14 13:44 846,336 --a------ C:\WINDOWS\system32\kdfinj.dll
2008-08-14 13:44 . 2008-09-25 19:03 722,472 --a------ C:\WINDOWS\system32\kdfmgr.exe
2008-08-14 13:44 . 2008-09-25 19:03 192,512 --a------ C:\WINDOWS\system32\kdfvmgr.exe
2008-08-14 13:44 . 2008-09-25 19:03 77,824 --a------ C:\WINDOWS\system32\kdfapi.dll
2008-08-14 13:44 . 2008-09-25 19:02 53,248 --a------ C:\WINDOWS\system32\Kdfhok.dll
2008-08-14 12:08 . 2008-02-17 03:00 138,384 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-08-14 12:08 . 2008-02-17 03:00 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-08-14 12:08 . 2008-02-17 03:00 52,240 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-08-14 12:06 . 2008-08-31 21:27 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-14 11:23 . 2008-08-14 11:23 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-08-14 11:22 . 2008-08-14 11:22 <DIR> d-------- C:\Program Files\PCPitstop
2008-08-14 11:11 . 2008-08-14 12:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-08-13 18:07 . 2008-08-13 18:07 427 --a------ C:\WINDOWS\system32\QuickTimeFavorites.qtr
2008-08-13 18:07 . 2008-08-13 18:07 0 --a------ C:\WINDOWS\system32\QuickTime.qtp
2008-08-10 20:30 . 2008-08-10 20:30 <DIR> d-------- C:\Program Files\MoTeC
2008-08-10 20:30 . 2008-08-10 20:30 <DIR> d-------- C:\MoTeC
2008-08-10 20:30 . 2008-08-10 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MoTeC

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-30 03:23 --------- d-----w C:\Documents and Settings\User\Application Data\EndNote
2008-09-26 04:52 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-18 02:13 --------- d-----w C:\Program Files\Microsoft Games
2008-09-09 10:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-08 09:08 163,644 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2008-09-08 09:06 --------- d-----w C:\Program Files\Playboy - The Mansion
2008-09-04 08:29 --------- d-----w C:\Program Files\LucasArts
2008-09-02 04:02 --------- d-----w C:\Program Files\Project64 1.6
2008-08-13 06:43 --------- d-----w C:\Program Files\rFactor
2008-07-31 10:01 --------- d-----w C:\Program Files\Infogrames
2008-07-28 06:44 --------- d-----w C:\Documents and Settings\User\Application Data\Petroglyph
2008-07-24 10:16 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-07-24 10:14 21,840 ----atw C:\WINDOWS\system32\SIntfNT.dll
2008-07-24 10:14 17,212 ----atw C:\WINDOWS\system32\SIntf32.dll
2008-07-24 10:14 12,067 ----atw C:\WINDOWS\system32\SIntf16.dll
2008-07-08 08:23 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2008-06-17 02:59 444,952 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-06-17 02:59 109,080 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2004-03-11 02:27 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
1998-12-09 02:53 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
1998-12-09 02:53 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 1667584]
"OE"="C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe" [2008-02-17 492808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 155648]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-20 57344]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 13529088]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"PC Pitstop Optimize Scheduler"="C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" [2007-01-04 1700864]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-02-17 1398024]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 86016]
"nwiz"="nwiz.exe" [2008-05-02 C:\WINDOWS\system32\nwiz.exe]
"EssSpkPhone"="essspk.exe" [2001-10-19 C:\WINDOWS\essspk.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-22 734872]
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2007-11-13 282624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-18 65588]
Symantec Fax Starter Edition Port.lnk - C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-24 45568]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"vidc.iv32"= C:\WINDOWS\system32\ir32_32.dll
"vidc.iv31"= C:\WINDOWS\system32\ir32_32.dll
"vidc.VSPX"= vspxvfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\GPLSecrets\\iGOR\\iGOR.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Battlefront II\\GameData\\BattlefrontII.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys [2006-07-05 63352]
R2 ETDrv;ETDrv;C:\WINDOWS\system32\drivers\ETDrv.sys [2003-11-13 170128]
R2 GLOGODrv;GLOGODrv;C:\WINDOWS\system32\drivers\GLOGODrv.sys [2000-10-12 13332]
S3 papycpu;papycpu;C:\WINDOWS\system32\drivers\papycpu.sys [1998-09-04 1984]
S3 WMIBIOS;%WMIBIOS.ServiceName%;C:\WINDOWS\system32\Drivers\wmibios.sys [2002-10-15 18272]
S3 WMIINFO;WMIINFO Driver;C:\WINDOWS\system32\Drivers\wmiinfo.sys [2002-05-13 21184]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bdf14998-f0aa-11db-a6a8-000fea79f6d5}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sys.exe

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-URLLSTCK.exe - C:\Program Files\Norton Internet Security\UrlLstCk.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\f7x6q11b.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.uow.edu.au/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 13:25:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-30 13:26:30
ComboFix-quarantined-files.txt 2008-09-30 03:26:24

Pre-Run: 14,301,081,600 bytes free
Post-Run: 14,295,474,176 bytes free

163 --- E O F --- 2008-02-18 12:29:48

HijackThis
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:51 PM, on 30/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uow.edu.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uow.edu.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.uow.edu.au;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 6314 bytes
apj868
Active Member
 
Posts: 11
Joined: September 17th, 2008, 12:31 am

Re: winlogon.exe crashing my computer

Unread postby Carolyn » October 1st, 2008, 12:49 pm

  1. Please download Sysclean Package by Trend Micro and save it to your desktop.
  2. Download the latest Virus Pattern Files by Trend Micro and save it to your desktop. It is named lptXXX, where XXX are numbers.
    Note: Do not download the Virus Pattern Files if you don't intend to do a scan. Only download it when you want to do a scan, as they are being updated daily.
  3. Create a new folder on your desktop.
    • Right click on your desktop.
    • Click on New > Folder.
    • Type in Trend Micro as the name of the folder.
  4. Select sysclean.com by clicking once. Press Ctrl + X simultaneously.
  5. Open the Trend Micro folder you created earlier. Press Ctrl + V to paste sysclean.com into the folder.
    • Right click and select Extract All.
    • Click on Browse. Navigate to the Trend Micro folder and click OK.
    • Click Next, then Finish.
  6. Close all opened windows except the Trend Micro folder.
  7. Double click on sysclean.com to run it.
  8. Uncheck (untick) Automatically Clean Infected Files box.
  9. Once the scanning is done, click Exit.
  10. A sysclean.log is created in the Trend Micro folder.
  11. Copy and paste that log in your next reply along with a fresh HijackThis log and a description of how your computer is behaving.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: winlogon.exe crashing my computer

Unread postby apj868 » October 2nd, 2008, 8:56 pm

Hi,
My computer is no longer crashing on startup when the "Windows NT logon application" has access to the internet, nor is this program trying to access the internet anymore. The variable performance is still there (though as I said in my first post I'm not sure if this is hardware or malware related). As I mentioned in my previous post I still can't connect to the internet, though my computer seems to be able to see the network now (I was getting a message saying something along the lines of "network has little or no speed", which I'm not getting anymore). As I have also mentioned before I'm not sure if the lack of internet is malware or network setup related, as we have recently changed the internet provider at college and I haven't been able to get my internet functioning properly with this new system.

When I ran the sysclean scan I got a message saying that the program couldn't find a file and thus the spyware scan would not be able to be done. Here is the log file:


/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006-2007, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2008-10-02, 17:49:14, Initialized Rootkit Driver version 2.2.0.1004.
2008-10-02, 17:49:14, Running scanner "C:\Documents and Settings\User\Desktop\Trend Micro\TSC.BIN"...
2008-10-02, 17:49:31, Scanner "C:\Documents and Settings\User\Desktop\Trend Micro\TSC.BIN" has finished running.
2008-10-02, 17:49:31, TSC Log:

Damage Cleanup Engine (DCE) 5.32(Build 1011)
Windows XP(Build 2600: Service Pack 2)

Start time : Thu Oct 02 2008 17:49:14

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\User\Desktop\Trend Micro\TMRDCT.ptn" (version ) [fail]
Load Damage Cleanup Template (DCT) "C:\Documents and Settings\User\Desktop\Trend Micro\tsc.ptn" (version 980) [success]

Complete time : Thu Oct 02 2008 17:49:31
Execute pattern count(3022), Virus found count(0), Virus clean count(0), Clean failed count(0)

2008-10-02, 17:49:31, Running scanner "C:\Documents and Settings\User\Desktop\Trend Micro\VSCANTM.BIN"...
2008-10-02, 18:43:12, Scanner "C:\Documents and Settings\User\Desktop\Trend Micro\VSCANTM.BIN" has finished running.
2008-10-02, 18:43:12, VSCANTM Log:

2008-10-02, 18:43:12, Files Detected:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 10/2/2008 17:49:32
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 573 (304965/304965 Patterns) (2008/09/30) (557300)

Command Line: C:\Documents and Settings\User\Desktop\Trend Micro\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /LR C:\*.* /P=C:\Documents and Settings\User\Desktop\Trend Micro\lpt$vpn.573

186089 files have been read.
186089 files have been checked.
186054 files have been scanned.
246461 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 10/2/2008 18:43:12 53 minutes 40 seconds (3219.50 seconds) has elapsed.(17.301 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2008-10-02, 18:43:12, Files Clean:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 10/2/2008 17:49:32
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 573 (304965/304965 Patterns) (2008/09/30) (557300)

Command Line: C:\Documents and Settings\User\Desktop\Trend Micro\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /LR C:\*.* /P=C:\Documents and Settings\User\Desktop\Trend Micro\lpt$vpn.573

186089 files have been read.
186089 files have been checked.
186054 files have been scanned.
246461 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 10/2/2008 18:43:12 53 minutes 40 seconds (3219.50 seconds) has elapsed.(17.301 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2008-10-02, 18:43:12, Clean Fail:
Copyright (c) 1990 - 2006 Trend Micro Inc.
Report Date : 10/2/2008 17:49:32
VSAPI Engine Version : 8.910-1002
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 573 (304965/304965 Patterns) (2008/09/30) (557300)

Command Line: C:\Documents and Settings\User\Desktop\Trend Micro\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /LR C:\*.* /P=C:\Documents and Settings\User\Desktop\Trend Micro\lpt$vpn.573

186089 files have been read.
186089 files have been checked.
186054 files have been scanned.
246461 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 10/2/2008 18:43:12 53 minutes 40 seconds (3219.50 seconds) has elapsed.(17.301 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*

and the HijackThis log file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:06:29 PM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\control.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uow.edu.au/student
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uow.edu.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.uow.edu.au;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 6627 bytes
apj868
Active Member
 
Posts: 11
Joined: September 17th, 2008, 12:31 am

Re: winlogon.exe crashing my computer

Unread postby Carolyn » October 3rd, 2008, 5:02 pm

Hello,

Download CCleaner from here and save it to your desktop.

Run CCleaner
CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!
  • Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
  • Then select the items you wish to clean up.
    • In the Windows Tab:
      • Clean all entries in the Internet Explorer section except Cookies
      • Clean all the entries in the Windows Explorer section
      • Clean all entries in the System section
      • Clean all entries in the Advanced section
      • Clean any others that you choose
    • In the Applications Tab:
      • Clean all except cookies in the Firefox/Mozilla section if you use it
      • Clean all in the Opera section if you use it
      • Clean Sun Java in the Internet Section
      • Clean any others that you choose
  • Click the Run Cleaner button.
  • A pop up box will appear advising this process will permanently delete files from your system.
  • Click OK and it will scan and clean your system.
  • Click exit when done.
  • If it asks you to reboot at the end, click NO
CCleaner should be run with the above settings for each User Account!

------------------------------------------------------------------------------------------------------------------------------------------------------------

Next, Download and run this tool:

WinSock XP Fix

After you run that tool, please Reboot your computer.

------------------------------------------------------------------------------------------------------------------------------------------------------------

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in your next reply.

Please post the Uninstall List along with a fresh HijackThis log and a description of how your computer is behaving.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: winlogon.exe crashing my computer

Unread postby apj868 » October 6th, 2008, 6:43 am

Hi,
I now have internet access though the variable performance problem is still there. After running CCleaner and WinSock XP Fix, Trend Micro now loads very slowly (minutes) and doesn't appear to load the firewall. Here is the uninstall list.
ABBYY FineReader 5.0 Sprint
Adobe Acrobat 5.0
Adobe Acrobat eBook Reader
Adobe Flash Player 9
Adobe Reader 8
Adobe® Photoshop® Album Starter Edition 3.0
Bathurst Legends 1969 1.0
Britannica CD 98
Call of Duty Game of the Year Edition
CCleaner (remove only)
Cricket Captain 3
DVD Solution
Electronic Arts Game Updater
Enable S3 for USB Device
EndNote X1
Fable - The Lost Chapters
FaxTools
FinePixViewer Resource
FinePixViewer Ver.5.1
FUJIFILM USB Driver
GEM+ 2 & iGOR
GPLAIM
GPLCSM
GPLSeason
Grand Prix 4
Grand Prix Legends
Grand Prix World
GT Legends 1.0.0.0
GTR 2 1.0.0.0
HijackThis 2.0.2
Igor Pro
ImageMixer VCD2 LE for FinePix
InterActual Player
Java(TM) SE Runtime Environment 6
Lexmark X1100 Series
LiveReg (Symantec Corporation)
MathType 5
Microsoft Encarta 97 Encyclopedia
Microsoft Golf 3.0
Microsoft Office 2000 Premium
Microsoft Visual C++ 2005 Redistributable
Nero OEM
NetBattle
Norton AntiSpam
Norton AntiSpam
Norton Internet Security
Norton Internet Security
NVIDIA Drivers
OpenAL
PC Pitstop Optimize 1.5
Power2Go 3.0
PowerDirector
PowerDVD
PowerProducer
QuickTime
RACE 07 Offline
RAW FILE CONVERTER LE
Real Alternative 1.8.0
Realtek AC'97 Audio
rFactor (remove only)
Shockwave
Sierra Utilities
SiS 900 PCI Fast Ethernet Adapter Driver
Spotter Plugin 1.11
SpywareBlaster 4.1
Star Wars Battlefront II
Star Wars Empire at War
Star Wars Empire at War Forces of Corruption
SWBF Conversion Pack v1.9
System Requirements Lab
Trend Micro Internet Security Pro
Trend Micro Internet Security Pro
Trend Micro Remote File Lock
Uninstall ESS Modem
WinRAR archiver


I have noticed a few entries of programs I thought I had uninstalled, notably the Norton entries (my computer came with a trial version of it and I used it until the trial ran out and thought I'd since removed it) as well as Call of Duty Game of the Year Edition.

Here is the HijackThis log file
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:18 PM, on 6/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uow.edu.au/student
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uow.edu.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.uow.edu.au;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [TrendSecure Remote File Lock] C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 7128 bytes
apj868
Active Member
 
Posts: 11
Joined: September 17th, 2008, 12:31 am
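The logs in this thread are read by eye, which is how the "(no file)" entries, the O10 Winsock LSP line and the process that runs from C:\WINDOWS rather than system32 get spotted. As an added example (this is not code from the thread, from HijackThis or from Trend Micro), the script below does that first pass mechanically for HijackThis v2 logs: it parses the running-process list and the O/R entries, flags entries worth looking up, and diffs two logs so that a newly appearing process or autostart entry stands out. The heuristics are the author's own assumptions, and the sample input is a constructed, abridged excerpt of the 30/09/2008 and 6/10/2008 logs posted above. A flag is a prompt to verify, not a verdict: the flagged C:\WINDOWS\essspk.exe matches the EssSpkPhone Run entry and the "Uninstall ESS Modem" item in the uninstall list, and an O10 line only means HijackThis did not recognise that LSP, so the DLL's publisher should be identified before anything is "fixed", because removing a live LSP can break networking (which is exactly what WinSock XP Fix exists to repair).

```python
"""Triage helper for HijackThis v2 logs: parse, flag, and diff two logs (added example)."""
import re

# Constructed sample input: abridged excerpts of the HijackThis logs posted
# in this thread on 30/09/2008 (LOG_A) and 6/10/2008 (LOG_B).
LOG_A = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:27:51 PM, on 30/09/2008
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\explorer.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Global Startup: Exif Launcher.lnk = ?
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
"""

LOG_B = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:40:18 PM, on 6/10/2008
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\essspk.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\WINDOWS\Explorer.EXE

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [TrendSecure Remote File Lock] C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
"""

ENTRY_RE = re.compile(r"^([OR]\d+) - (.*)$")          # e.g. "O4 - HKLM\..\Run: [...] ..."
WINDIR, SYS32, PROGFILES = r"c:\windows", r"c:\windows\system32", r"c:\program files"


def parse_log(text):
    """Return (processes, entries); entries are (kind, body) tuples such as ("O10", "Unknown file ...")."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            if line:
                processes.append(line)
            else:
                in_procs = False                      # the blank line ends the process list
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries


def flag_processes(processes):
    """Location heuristics (author's assumption): a flag means 'look this up', not 'malicious'."""
    flags = []
    for proc in processes:
        folder, _, name = proc.lower().rpartition("\\")
        if folder == WINDIR and name != "explorer.exe":   # the shell legitimately lives in %WINDIR%
            flags.append((proc, "runs directly from %WINDIR% rather than system32"))
        elif folder != WINDIR and not folder.startswith((SYS32, PROGFILES)):
            flags.append((proc, "runs from an unusual location"))
    return flags


def flag_entries(entries):
    """Entry heuristics; returns (kind, body, reason) for each entry worth a manual look."""
    flags = []
    for kind, body in entries:
        if body.endswith("(no file)"):
            flags.append((kind, body, "orphaned: the registry points at a file that no longer exists"))
        elif kind == "O10":
            flags.append((kind, body, "Winsock LSP: identify the DLL's publisher first; removing a live LSP can break networking"))
        elif kind == "O4" and body.endswith(" = ?"):
            flags.append((kind, body, "startup shortcut whose target could not be resolved"))
        elif kind == "O4" and "] " in body and "\\" not in body.split("] ", 1)[1]:
            flags.append((kind, body, "Run entry without a full path: resolved by PATH search, so confirm which file actually runs"))
    return flags


def diff_logs(text_a, text_b):
    """What appeared or disappeared between two logs (case-insensitive on process paths)."""
    procs_a, ents_a = parse_log(text_a)
    procs_b, ents_b = parse_log(text_b)
    pa, pb = {p.lower() for p in procs_a}, {p.lower() for p in procs_b}
    ea, eb = set(ents_a), set(ents_b)
    return {"procs_added": sorted(pb - pa), "procs_removed": sorted(pa - pb),
            "entries_added": sorted(eb - ea), "entries_removed": sorted(ea - eb)}


if __name__ == "__main__":
    for tag, log in (("30/09", LOG_A), ("06/10", LOG_B)):
        procs, ents = parse_log(log)
        print(f"== {tag}: {len(procs)} processes, {len(ents)} entries")
        for proc, why in flag_processes(procs):
            print(f"  process {proc}: {why}")
        for kind, body, why in flag_entries(ents):
            print(f"  {kind} {body}: {why}")
    print("== changes 30/09 -> 06/10:", diff_logs(LOG_A, LOG_B))
```

Run it against two complete logs saved as text files (read them in place of LOG_A and LOG_B) before and after each cleaning step; the diff output is the quickest way to confirm that a removal actually took effect and that nothing new started between posts.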

Re: winlogon.exe crashing my computer

Unread postby Carolyn » October 6th, 2008, 3:34 pm

Hi,

Remove Programs
Please Click Start > Control Panel > Add/Remove Programs
Remove these programs by clicking Remove

LiveReg (Symantec Corporation)
Norton AntiSpam
Norton Internet Security


There may be more than one instance of each program in Add/Remove Programs. If so, please remove them all.

----------------------------------------------------------------------------------------------------------------------

Next, Run the Norton Removal Tool

Please click HERE and follow the instructions in STEP 3 to download and run the Norton Removal Tool.

----------------------------------------------------------------------------------------------------------------------

Check TrendMicro Internet Security settings

Please open the TrendMicro control panel and verify that the Firewall, Antivirus and other protection components are enabled.

----------------------------------------------------------------------------------------------------------------------

Once you verify that the TrendMicro Firewall is enabled, go to Start --> Control Panel, then double click Windows Firewall.

Make sure that Off (not recommended) is selected.

You want to make sure that you only have one Firewall running.

----------------------------------------------------------------------------------------------------------------------

Please post a fresh HijackThis log and a description of how your computer is behaving.
Carolyn
MRU Emeritus
 
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: winlogon.exe crashing my computer

Unread postby apj868 » October 7th, 2008, 7:50 am

Hi,
When I was trying to uninstall the programs the only one of those three that came up in the add/remove programs list was LiveReg (Symantec Corporation). When I tried to uninstall it, it said that I could not uninstall it as it was needed by another program. I ran the Norton Removal Tool (for the version of Norton that I had) and now all these programs have disappeared from the uninstall list in HijackThis. I couldn't start up the Trend Micro firewall so I decided to try and reinstall it. This appears to have worked and the firewall is now running properly. As far as I can tell the only problem that I currently have is the variable performance which may be hardware related. I have attached a new HijackThis log below:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:57 PM, on 7/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\essspk.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFCommander.exe
C:\Program Files\Trend Micro\TrendSecure\TSCFPlatformCOMSvr.exe
C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\Dependent\HSChkProxyExe.exe
C:\WINDOWS\system32\kdfmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.uow.edu.au/student
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.uow.edu.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.uow.edu.au;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: TransactionProtector BHO - {C1656CCA-D2EA-4A32-94AE-AE0B180E6449} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O2 - BHO: TrendProtect - {E3578B37-6346-4EC1-A82B-38273A100DCF} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: TrendProtect - {F83BE649-1CC3-48EE-B2E2-0826CEF3822A} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O3 - Toolbar: Transaction Protector - {E7620C98-FCCC-40E5-92EC-C7685D2E1E40} - C:\Program Files\Trend Micro\TrendSecure\TransactionProtector\TSToolbar.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TrendSecure Remote File Lock] C:\Program Files\Trend Micro\TrendSecure\RemoteFileLock\FLMain.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab3.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDow ... eqlab2.cab
O18 - Protocol: trendprotect - {BC3A5F6F-12A0-4B14-A184-32939F413823} - C:\Program Files\Trend Micro\TrendProtect\MSIE\wrs.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 7713 bytes
apj868
Active Member
 
Posts: 11
Joined: September 17th, 2008, 12:31 am
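A helper reads a log like the one above by hand, line by line. As an added example (not part of the thread and not a MalwareRemoval.com or Trend Micro tool), here is a small Python parser for the HijackThis line format that pulls out the O2/O3, O4, O10 and O23 entries and flags the ones a helper usually checks first: "(no file)" registrations, O4 Run entries that name a bare file with no path, the O10 LSP that HijackThis itself labels unknown, and O23 services whose binary sits under the Windows directory but whose vendor is not Microsoft. The sample lines are copied from the posted log; the flagging rules are my own assumptions and produce leads to verify, not verdicts.

```python
"""Offline triage of a HijackThis (HJT) log.

Added example for this thread; not a MalwareRemoval.com tool. The rules in
triage() are the author's assumptions about what to look at first, not a
statement that any flagged entry is malicious.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample: lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [EssSpkPhone] essspk.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Entry:
    section: str        # "O2", "O4", "O10", "O23", ...
    name: str           # BHO/toolbar name, "HIVE [RunKey]", or "Service (Short)"
    path: str           # file path or command line exactly as HJT logged it
    vendor: str = ""    # O23 only: the company name HJT prints
    raw: str = ""


# Line shapes HJT 2.x emits for the sections handled here.
LINE_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"^(?:BHO|Toolbar):\s+(.*?)\s+-\s+\{[0-9A-Fa-f-]+\}\s+-\s+(.*)$")
RUN_RE = re.compile(r"^(HK\S*?)\\\.\.\\Run:\s+\[(.*?)\]\s*(.*)$")
LSP_RE = re.compile(r"^Unknown file in Winsock LSP:\s+(.*)$")
SVC_RE = re.compile(r"^Service:\s+(.*?)\s+\((\w+)\)\s+-\s+(.*?)\s+-\s+(.*)$")

ABS_PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)

Finding = Tuple[str, str, str]  # (section, name, reason)


def parse_hjt(text: str) -> List[Entry]:
    """Return the O2/O3/O4/O10/O23 entries; header and R-lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, rest = m.groups()
        if sec in ("O2", "O3"):
            c = CLSID_RE.match(rest)
            if c:
                entries.append(Entry(sec, c.group(1), c.group(2), raw=raw))
        elif sec == "O4":
            r = RUN_RE.match(rest)
            if r:
                entries.append(Entry(sec, f"{r.group(1)} [{r.group(2)}]", r.group(3), raw=raw))
        elif sec == "O10":
            lsp = LSP_RE.match(rest)
            if lsp:
                entries.append(Entry(sec, "Winsock LSP", lsp.group(1), raw=raw))
        elif sec == "O23":
            s = SVC_RE.match(rest)
            if s:
                entries.append(Entry(sec, f"{s.group(1)} ({s.group(2)})", s.group(4), s.group(3), raw=raw))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Heuristic leads (author's assumptions), in log order."""
    findings: List[Finding] = []
    for e in entries:
        path = e.path.strip().strip('"')
        if path.lower() == "(no file)":
            findings.append((e.section, e.name, "orphaned registration: file gone, registry entry left behind"))
        elif e.section == "O4" and not ABS_PATH_RE.match(path):
            # No directory: Windows resolves it by search order, so confirm which file runs.
            findings.append((e.section, e.name, "bare filename resolved by search order: confirm the file that runs"))
        elif e.section == "O10":
            findings.append((e.section, e.name, "LSP HJT does not recognise: identify the owner before touching Winsock"))
        elif e.section == "O23" and WINDIR_RE.match(path) and "microsoft" not in e.vendor.lower():
            findings.append((e.section, e.name, f"third-party service binary under the Windows directory ({e.vendor}): verify"))
    return findings


if __name__ == "__main__":
    for sec, name, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{sec:<4} {name:<50} {reason}")
```

On the sample this flags the two orphaned Yahoo! Toolbar entries, the two bare-filename Run entries (essspk.exe and nwiz.exe), the unknown LSP, and the two non-Microsoft services living in system32. One of those is NVIDIA's display driver service, which is the point of calling these heuristics: they tell a helper what to check against a known-good list, not what to delete.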