
Formatting My Hard Drive


7 replies to this topic

#1 JPHarvey

JPHarvey

  • Members
  • 508 posts
  • OFFLINE
  • Gender:Male
  • Location:Sydney, Australia
  • Local time:05:23 AM

Posted 11 April 2006 - 05:14 PM

Howdy all,

Just in relation to my other post "Setpoint.exe & BF2.exe "Unauthorized access logged"", I can't really afford to have anyone stealing my account details etc. It appears I have a file infector (exe files) as when I removed SetPoint.exe (legitimate in this case), C:\Windows\system32\winlogon.exe took its place. I dare say it will keep going in this fashion.

As I have no actual symptoms of this virus infection (I believe it was a backdoor.trojan), as it is being contained by Norton AV. So if this is the case (and Norton can't actually find the virus in any files!!) can I format my hard drive and reinstall Windows XP (using the format when you boot from the CD)?

Additionally, if I back up images (jpg) and music (iTunes) as they do not have exe files, will they be safe after scanning/cleaning to put back onto my system?

Has anyone encountered this problem before? The virus got in (and then rebooted my PC), so I performed a system restore and it seems the virus is gone. However, setpoint.exe is trying to access ALL my Norton's files (god knows why!), yet no antivirus/spyware/malware software can locate the virus, including: Norton AV 2005 (up to date), Spybot S&D, Malevolence (by Windows), a-squared, Ad-Aware, Ewido anti-malware, McAfee Stinger, BlackLight etc!!!

Any advice/suggestions welcome.

P.S. I do have a log in the HijackThis section, but I can't afford to wait. I am looking at starting the process tonight........
[CPU]Intel E6600 Core 2 Duo @ 3.19GHz
[MoBo]ASUS P5N32-SLI Premium (nForce590)
[RAM]4GB Corsair XMS2 DDR2-800 CL4 @ 710MHz
[GPU]XFX 8800 GTX 768MB [SLI] @ Stock
[PSU]CoolerMaster 1kW
[Audio]ASUS Xonar D2
[Case]Antec Nine Hundred
[OS]Windows Vista Ultimate 64
[LCD]SAMSUNG 226BW
[Other]WC'd CPU & SLI


#2 Albert Frankenstein

Albert Frankenstein

  • Members
  • 2,707 posts
  • OFFLINE
  • Gender:Female
  • Location:Michigan, USA
  • Local time:02:23 PM

Posted 12 April 2006 - 09:41 AM

Get everything you need first.

You can run Killdisk to delete everything including any infections. This is a free program and can be downloaded HERE. Put the program on a floppy disk or a CD.

Then run a DOS disk, such as a Windows 98 start up disk, when the computer boots to DOS, type "C:" (without the quotes), push ENTER. Then type "fdisk" (without the quotes), push ENTER, then just push ENTER at each selection that you are prompted to make (in other words, just accept all defaults). You can download what you need HERE.

Then reboot with your XP CD in the cd drive and reinstall Windows, being sure to choose "Full Format" instead of quick format when prompted.

Be careful about reinstalling your data as it may contain a virus or other malware, even if it contains no .exe files.
ALBERT FRANKENSTEIN
I'M SO SMART IT'S SCARY!


Currently home chillin' with the fam and my two dogs!


#3 JPHarvey

JPHarvey
  • Topic Starter

  • Members
  • 508 posts
  • OFFLINE
  • Gender:Male
  • Location:Sydney, Australia
  • Local time:05:23 AM

Posted 12 April 2006 - 07:25 PM

Thanks Albert,

I did a full format (not quick) but I hadn't gotten your post by then, and it is still happening. I have no other symptoms (than the Unauthorized access logged) but am worried that maybe our details (passwords included) are being stolen.

I was wondering if you had an answer for this one (I rang Nortons and Microsoft, and neither gave me a definitive answer as to why it was happening):

Firstly, why would ANY file be trying to access my Nortons antivirus .exe files?

Secondly, more specifically, why would C:\windows\system32\winlogon.exe & msiexec.exe be trying to access the Nortons antivirus files? And if they are meant to, why is Nortons blocking access?

I have run all the virus detectors (Nortons, Spybot, BitDefender, Panda, HouseCall, Stinger, Malevolence, a-squared, Ad-Aware, Ewido and BlackLight), and they don't detect anything but those damn cookies (eg. @207.com, etc).
They said the Devil's best achievement was to make people believe he didn't exist - what's to say this virus is the same?

#4 Albert Frankenstein

Albert Frankenstein

  • Members
  • 2,707 posts
  • OFFLINE
  • Gender:Female
  • Location:Michigan, USA
  • Local time:02:23 PM

Posted 12 April 2006 - 09:17 PM

Many infections can survive a formatting. Follow my directions carefully.

Especially regarding reinstalling your data.


#5 JPHarvey

JPHarvey
  • Topic Starter

  • Members
  • 508 posts
  • OFFLINE
  • Gender:Male
  • Location:Sydney, Australia
  • Local time:05:23 AM

Posted 13 April 2006 - 08:14 PM

Just an update Albert (BTW, thanx for your help),

I downloaded and ran the Kill disk (twice, to be sure), and then the fdisk program from the W 98 boot disk, and then the full format with the W XP Home Install disk. Back to the point where I was at before, and I still have Setpoint.exe (legitimate - just installed), occasionally msiexec.exe & winlogon.exe (both in the C:\windows\system32\ folder) trying to access my Nortons files (and Nortons is blocking them).

Can you or anyone give me a reason as to why that is?

Thanx m8

: ) Justin

#6 Albert Frankenstein

Albert Frankenstein

  • Members
  • 2,707 posts
  • OFFLINE
  • Gender:Female
  • Location:Michigan, USA
  • Local time:02:23 PM

Posted 14 April 2006 - 05:49 AM

Well, let's see if we can make sense of this.

> I downloaded and ran the Kill disk (twice, to be sure), and then the fdisk program from the W 98 boot disk, and then the full format with the W XP Home Install disk

Good, good, and good. Now we KNOW the computer is clean.

> I still have Setpoint.exe (legitimate - just installed), occasionally msiexec.exe & winlogon.exe (both in C:\windows\system32\ folder) trying to access my Nortons files (and Nortons is blocking them).

First off, msiexec.exe and winlogon.exe running from the system32 folder means they are legitimate. Secondly, as regards setpoint.exe: If it's in System32 it's dangerous, if it's in C:\Program etc. it's the Logitech keyboard/mouse driver and therefore perfectly safe. More info can be found HERE.

I understand setpoint.exe tries to contact the server from time to time. It sounds like your Norton is trying to stop it, or at least asking you if it should grant permission for this. It is up to you. (Frankly I do not know what setpoint.exe is trying to do, but I suppose it is looking for updates to Logitech software.) Perhaps you should disable it if you don't want it running as it is optional to the proper working of your computer. There are many ways to do this, the easiest way is to use msconfig:

Start > Run

type "msconfig" (without the quotes)

Click on the Startup tab. Here you will find a list of programs that start when you boot your computer. Uncheck any you don't want to start when you boot up. (You still will be able to start programs through their shortcuts or by going to Start > All Programs. Unchecked programs just won't start automatically at bootup and won't be running in the background.)

You can Google entries or use the Bleeping Computer Startup Database HERE to research the various startup entries, as sometimes they can be a bit cryptic.

Another idea is to email Logitech and ask how to turn the 'contacting server' feature off. I cannot find anything regarding this on their site. EMAIL LOGITECH

I hope that helps!

EDIT: ADDITIONAL INFO FOUND IN ANOTHER THREAD IN THIS FORUM.

From the Logitech website:

"With millions of people buying Logitech products through retail dealers and worldwide distributors, Logitech wanted to establish a direct relationship with our customers and improve our after-sales customer experience. By ensuring that our customers receive critical content such as notice of software upgrades, patches, and product promotions in a seamless, timely and cost-effective manner, Logitech is able to provide a high level of customer satisfaction with our products. We accomplish this using BackWeb's Proactive technology and patented Polite® communications technology, which avoids disrupting you by downloading content in the background during network idle time. We only retrieve information about your Logitech devices; no other information is uploaded to our servers or any other internet servers.

If you want to remove this feature, simply remove "Logitech Desktop Messenger" from Add/Remove programs in the control panel."

Edited by Albert Frankenstein, 14 April 2006 - 08:16 AM.

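As an added example that is not part of this thread (nor Logitech's or Symantec's code), the PowerShell below applies the "where is it running from?" rule to the three executables the poster asked about, and adds the check a practitioner would want alongside it: whether the running image carries a valid Authenticode signature. It assumes PowerShell 5.1 or later on a current Windows; the Logitech install directories are assumed, not taken from the thread.

```powershell
# Added example, not from the thread. Reports the on-disk location and
# Authenticode status of each running winlogon/msiexec/SetPoint instance.
$namesToCheck = @('winlogon', 'msiexec', 'SetPoint')   # names from the thread

# Directories each image is expected to run from.
# winlogon/msiexec are inbox Windows binaries; SetPoint's vendor path is an
# assumption about a typical Logitech install, adjust for your machine.
$expectedDirs = @{
    'winlogon' = @("$env:SystemRoot\System32")
    'msiexec'  = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    'SetPoint' = @("$env:ProgramFiles\Logitech", "${env:ProgramFiles(x86)}\Logitech")
}

foreach ($name in $namesToCheck) {
    # Win32_Process exposes ExecutablePath; it may be empty for protected
    # processes unless the shell is elevated.
    $procs = Get-CimInstance Win32_Process -Filter "Name = '$name.exe'"
    if (-not $procs) { Write-Output "$name.exe: not running"; continue }

    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        if (-not $path) {
            Write-Output "$name.exe (PID $($p.ProcessId)): path not readable, re-run elevated"
            continue
        }
        $dir = Split-Path -Path $path -Parent
        $inExpectedDir = $false
        foreach ($d in $expectedDirs[$name]) {
            if ($dir -like "$d*") { $inExpectedDir = $true }
        }

        # Inbox Windows binaries are usually catalog-signed rather than carrying an
        # embedded signature; Get-AuthenticodeSignature resolves catalogs on
        # Windows 8 and later, so 'Valid' is the expected status there.
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

        # Both conditions must hold: a signed copy in the wrong directory and an
        # unsigned copy in the right one are each worth a closer look.
        $verdict = if ($inExpectedDir -and $sig.Status -eq 'Valid') { 'OK' } else { 'REVIEW' }

        Write-Output ("{0}.exe PID {1}`n  path    : {2}`n  expected: {3}`n  signed  : {4} ({5})`n  verdict : {6}" -f
            $name, $p.ProcessId, $path, $inExpectedDir, $sig.Status, $signer, $verdict)
    }
}
```

A 'REVIEW' verdict is a prompt to compare the file's hash against a known-good copy, not proof of infection; a vendor utility installed somewhere other than the assumed path will also land there.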


#7 JPHarvey

JPHarvey
  • Topic Starter

  • Members
  • 508 posts
  • OFFLINE
  • Gender:Male
  • Location:Sydney, Australia
  • Local time:05:23 AM

Posted 15 April 2006 - 06:37 AM

Thanx again Albert, that has probably been the most honest and sensical answer I've been given yet! I have looked for the Logitech Desktop Manager (also suggested by boopme) but it isn't in there (which sparked my interest), but I do need SetPoint running for the mouse during online gaming (it's not games!! it's serious!). They are all in the legitimate folders. SO I guess I am stuck with it.
Under your advice, I will email Logitech about this (they didn't handle it too well on the phone).
For additional info, when I load Battlefield 2 (BF2.exe) it tries to access the same files whilst it is in the process list...interesting (I permitted it access when prompted by Nortons, but have not yet been prompted for Setpoint.exe).

Thanx again. If I get a reply from Logitech (fingers crossed), I will provide an update for both our peace of mind.....

Cheers

Justin

#8 Albert Frankenstein

Albert Frankenstein

  • Members
  • 2,707 posts
  • OFFLINE
  • Gender:Female
  • Location:Michigan, USA
  • Local time:02:23 PM

Posted 15 April 2006 - 06:59 AM

Thanks, and keep this thread updated if you find out anything else.

Notice that Logitech is using Backweb to contact Logitech's servers looking for software updates. This is a rather simple program that a lot of major manufacturers use to contact their servers. Some folks have copied and used Backweb for their own malicious purposes. It is possible to get an infection of malware and have Backweb as a part of it. In that case Backweb is used to contact some server to download adware and spyware. And certain types of Internet Protection software or antispyware scanners will flag it as potentially malicious.

For instance, SpyBot picks up Backweb from Kodak software, even though it is legitimate.

And it would explain why Norton is asking your permission to grant it access to the internet.

Just a heads up!

> I have looked for the Logitech Desktop Manager (also suggested by boopme) but it isn't in there

You could always try Uninstall Plus! It is a program that is available on a trial basis HERE. I use it regularly and like it. Not only will it start a specific program's uninstaller, but then it will search the registry for any traces of the deleted program. See if it shows up with that program.

Edited by Albert Frankenstein, 15 April 2006 - 07:30 AM.
