I Think I Blocked Winlogon.exe

36 replies to this topic

#1 Waygook

Posted 02 June 2008 - 07:17 AM

Hi. I hope someone out there can help.

My computer was taking a long time to start up - I'm talking 10-12 minutes from pressing the button to the desktop actually becoming active. I ran the TrendMicro Online Scan and found a bunch of crap, which I had TrendMicro delete. I then downloaded a McAfee security suite and scanned with that. It found a bunch more stuff which I deleted. One of them was Vundo, which it couldn't delete.

However, while McAfee was still installed on my computer, it asked me if I wanted to block winlogon.exe. I didn't know what this was and a quick internet search brought up the words winlogon.exe and trojan, spyware, etc. So I blocked it.

Since then, my computer has looked like it's Windows 95. A grey taskbar instead of the normal XP one. I have no access to the internet - my network connection icon has completely disappeared. I can't even create a new one. Pressing control-alt-delete brings up an empty process box. I cannot do a system restore as it says that it has been turned off and cannot be restarted. The Windows help menu (F1) doesn't work. I get an error message.

I have since uninstalled McAfee hoping that would bring access back to winlogon.exe. Didn't seem to work. Has my blocking winlogon altered the registry some way and is it reversible?

Am I wrong, and my problem is related to something else? If so, how can I fix it without internet access?


#2 boopme


Posted 02 June 2008 - 01:40 PM

Hello this is an XP machine??

CONNECTION PROBLEMS...try this one:

Go to Start ... Run and type in cmd
A dos Window will appear.
Type in the dos window: netsh winsock reset
Click on the 'enter' key.

Reboot your system to complete the process.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 Waygook


Posted 02 June 2008 - 06:09 PM

Hello this is an XP machine??

CONNECTION PROBLEMS...try this one:

Go to Start ... Run and type in cmd
A dos Window will appear.
Type in the dos window: netsh winsock reset
Click on the 'enter' key.

Reboot your system to complete the process.


Yeah, it is Windows XP.

I'll try that when I get home.

What does it do?

#4 boopme


Posted 02 June 2008 - 08:53 PM

Most of the Internet connectivity problems arise out of corrupt Winsock settings. Windows sockets settings may get corrupted due to the installation of a networking software, or perhaps due to Malware infestation. You will be able connect to the Internet, but the packets won't transfer back and forth. And errors such as Page cannot be displayed may occur when using Internet Explorer. This article lists the methods (with links to third-party websites) to reset/repair the Winsock configuration to defaults.


by Ramesh Srinivasan.

#5 Waygook


Posted 03 June 2008 - 06:32 PM

Hi again.

I tried that but I got an error message saying it couldn't find winsok reset. Was I supposed to type it in exactly as you said, or netsh <enter> winsok <enter> reset <enter>? The second way didn't occur to me until I got to work this morning.

I played with the computer a little last night and basically found that there are 10-12 processes running, including winlogon.exe - so I guess I haven't blocked it after all. Still, it takes a good 10 minutes to open and close windows.

The interface still looks like Windows 95 and I have no internet connection. And cannot create one. All other programs (Office, iTunes, etc) work fine. Ohhhh, videos play, but I have no sound.

Any ideas?

#6 DaChew


Posted 03 June 2008 - 06:59 PM

start

run

cmd

then when the dos box opens copy and paste


netsh winsock reset

press enter, it's all one command
Chewy

No. Try not. Do... or do not. There is no try.

#7 Waygook


Posted 03 June 2008 - 08:20 PM

bleep - I think I spelt 'sock' wrong. What a dumbass.

I'll try that tonight and see what happens.

Thanks.

#8 Waygook


Posted 04 June 2008 - 06:41 PM

Just checked it out - I didn't spell it wrong after all.

I ran that command and this is what came up..

WARNING: Could not obtain host information from machine [DJQ65Y19LTSSYUV]. Some commands may not be available.

The specified service does not exist as an installed service.

Successfully reset the Winsock Catalogue. Reset the system for the changes to take affect


I rebooted - and noticed no difference. Still cannot connect to the internet; still cannot create a new connection.

Any other ideas?

#9 DaChew


Posted 04 June 2008 - 07:26 PM

http://www.bleepingcomputer.com/files/lspfix.php

this is always worth a try


however before you run that, did you run the McAfee uninstaller?

why don't you give mbam a try


http://www.bleepingcomputer.com/forums/ind...mp;#entry811062

#10 Waygook


Posted 05 June 2008 - 07:05 PM

Thanks for that.

As you know, I can't access the internet from my computer, so my only hope is to use another computer to download the programs to a portable HDD and then install them onto my computer. If it lets me.

Are there other programs that I should download as well, just in case I need them? It would be easier to do that all at once, than go back and forth every 24 hours.

Thanks!

#11 boopme


Posted 05 June 2008 - 07:38 PM

Here's a list we are compiling

Flash Disinfector by sUbs
Malwarebytes AntiMalware
ATF Cleaner
SuperAntiSpyware
Deckard's System Scanner,which includes a HiJackThis log

LSP-Fix Download Link attempts to correct Internet connection problems resulting from buggy or improperly-removed Layered Service Provider (LSP) software. Should not be used in your own
Winsock2Fix You can use this utility to repair the LSP chains when the registry is corrupt

URL to BC's HJT forum
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Edited by boopme, 05 June 2008 - 07:45 PM.

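Post #4 puts the connection failure down to a corrupt Winsock catalog, and the LSP-Fix entry in post #11 describes the usual mechanism: a Layered Service Provider whose DLL was removed (for example by a security suite's uninstaller) while its catalog entry stayed behind, so every socket call is still routed through a provider that no longer exists. The script below is an added example, not a BleepingComputer tool and not from any post in this thread. It reads the text produced by `netsh winsock show catalog` (on the affected machine: `netsh winsock show catalog > catalog.txt`, then carry the file over) and lists the entries a responder would look at before resetting anything. The sample dump is constructed to mimic that command's per-field layout, the `KNOWN_MS_DLLS` allowlist is an assumption about XP-era Microsoft providers, and both LSP entries in the sample are hypothetical.

```python
"""List Winsock catalog entries worth a closer look (added example).

Feed it the output of `netsh winsock show catalog`. SAMPLE_CATALOG below is
CONSTRUCTED to resemble that output; the two LSP entries are hypothetical.
"""
import os
import re

# Provider DLLs Microsoft ships in the XP Winsock catalog. This is an
# allowlist ASSUMPTION for the example, not an exhaustive Microsoft list.
KNOWN_MS_DLLS = {"mswsock.dll", "rsvpsp.dll", "winrnr.dll", "nwprovau.dll"}

SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example LSP over [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      C:\WINDOWS\system32\lspexample.dll
Catalog Entry ID:                   1030
Protocol Chain Length:              2

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Example LSP
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      C:\WINDOWS\system32\missing.dll
Catalog Entry ID:                   1031
Protocol Chain Length:              0
"""

# "Field name:   value" lines; the first colon ends the field name, so
# drive letters in the value ("C:\...") are not split on.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$")


def parse_catalog(text):
    """Return one dict of fields per 'Winsock Catalog Provider Entry' block."""
    entries, current = [], None
    for line in text.splitlines():
        if line.strip() == "Winsock Catalog Provider Entry":
            current = {}
            entries.append(current)
            continue
        m = FIELD_RE.match(line)
        if current is not None and m:
            current[m.group(1)] = m.group(2)
    return entries


def audit_catalog(entries, present_files=None):
    """Return (catalog entry id, reason) pairs for entries to examine.

    present_files: optional set of lower-case DLL file names that exist on
    disk. An LSP whose DLL is gone is the classic cause of "connected but no
    packets flow" after a bad uninstall, which is what a Winsock reset fixes.
    """
    findings = []
    for e in entries:
        path = e.get("Provider Path", "")
        dll = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        eid = e.get("Catalog Entry ID", "?")
        if e.get("Entry Type", "").startswith("Layered"):
            findings.append((eid, "layered provider: %s" % path))
        if dll not in KNOWN_MS_DLLS:
            findings.append((eid, "non-Microsoft provider DLL: %s" % dll))
        if present_files is not None and dll not in present_files:
            findings.append((eid, "provider DLL missing from disk: %s" % dll))
    return findings


def dlls_on_disk(entries):
    """Lower-case names of provider DLLs that actually exist (run on the host)."""
    present = set()
    for e in entries:
        path = os.path.expandvars(e.get("Provider Path", ""))
        if path and os.path.exists(path):
            present.add(os.path.basename(path).lower())
    return present


if __name__ == "__main__":
    cat = parse_catalog(SAMPLE_CATALOG)
    for eid, reason in audit_catalog(cat, present_files=dlls_on_disk(cat)):
        print(eid, reason)
```

On the real machine, pass `dlls_on_disk(entries)` as `present_files` so missing provider DLLs are reported; offline, pass a set you built by hand. Anything flagged as layered or missing is what `netsh winsock reset` rebuilds the catalog without, which is why the reset is the first thing to try and LSP-Fix the second.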

#12 DaChew


Posted 05 June 2008 - 07:47 PM

http://www.malwarebytes.org/mbam/database/mbam-rules.exe

the manual updates for MBAM

http://www.superantispyware.com/definitions.html

SAS's updates, note the special instructions for applying them

#13 Waygook


Posted 05 June 2008 - 10:25 PM

OK, I will download all of those programs and hit you guys up for a play-by-play in a day or so.

Appreciate your time!

#14 DaChew


Posted 06 June 2008 - 04:54 AM

Here's a post by Quietman7, that if I had taken the time to read and understand, would have kept me from infecting my own computer.

regarding sub's disinfector

http://www.bleepingcomputer.com/forums/ind...st&p=798468

#15 Waygook


Posted 06 June 2008 - 08:38 AM

Hi again.

I've downloaded the programs that you posted above. I ran the MBAM program and it found a bunch of crap. I've posted the log below, just in case it sheds some light. Because I can't connect my computer to the internet still, the version of MBAM that I am using is the standard download - no updates.

Malwarebytes' Anti-Malware 1.15
Database version: 830

8:05:21 PM 6/06/2008
mbam-log-6-6-2008 (20-05-21).txt

Scan type: Full Scan (C:\|)
Objects scanned: 165958
Time elapsed: 44 minute(s), 37 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 3
Registry Keys Infected: 14
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
C:\WINDOWS\winlogon.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\qoMffGvt.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\WinNt32.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ecd5ff58-adbd-4f50-85c5-510f7fe38392} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ecd5ff58-adbd-4f50-85c5-510f7fe38392} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winnt32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpsr (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ICF (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\run\runwinlogon (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomffgvt -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\qomffgvt -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\qoMffGvt.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tvGffMoq.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\tvGffMoq.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Candice\Local Settings\Temporary Internet Files\Content.IE5\J7A0UTG6\hctp[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Candice\Local Settings\Temporary Internet Files\Content.IE5\N1T62ED7\kb713501[1] (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\43I7CV8D\help32[1].exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\43I7CV8D\help32[2].exe (Backdoor.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\winlogon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\WinNt32.dll (Trojan.Agent) -> Delete on reboot.


I then restarted the computer and ran the scan again.......log below. It seems that it didn't get everything the first time.

Malwarebytes' Anti-Malware 1.15
Database version: 830

9:13:42 PM 6/06/2008
mbam-log-6-6-2008 (21-13-42).txt

Scan type: Full Scan (C:\|)
Objects scanned: 165725
Time elapsed: 43 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\WinNt32.dll (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\qoMffGvt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tvGffMoq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tvGffMoq.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\crypts.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\WinNt32.dll (Trojan.Agent) -> Delete on reboot.


I'm also going to post a screenshot of my desktop. I've opened up a bunch of error messages that might help. As you can see, it looks like Win 95.


Edited by Waygook, 06 June 2008 - 08:40 AM.
