
Combo Fix used, now strange logon notify box before login. XP


17 replies to this topic

#1 Redplauge


Posted 04 December 2013 - 05:00 PM

Hi,
 
So I work in a computer repair shop, and I use a variety of tools similar if not the same as you guys use here. The problem I am having is that many times I have used ComboFix at the end of a clean up to remove any leftovers and such, but the odd thing is that on Windows XP I notice that after ComboFix has run, I receive a strange logon notify box with crazy ASCII characters in it. Any idea how to remove this?
 
thanks

Edit: Moved topic from Windows XP to the more appropriate forum, since this is related to ComboFix use. ~ Animal



#2 hamluis


Posted 04 December 2013 - 06:36 PM

Screenshot of exactly what you are referring to?

 

Note that ComboFix is a tool used for neutralizing malware...not for "cleanup" of any other sort.  If you have a system problem stemming from your use of ComboFix to deal with malware...you really should post your ComboFix log in the appropriate forum for dealing with Malware...and allow persons knowledgeable about malware and ComboFix to express their opinions.  IMO, such is not an issue for the XP forum, since ComboFix usage and analysis is beyond the scope of "XP issues."

 

Preparations for Forum Software Upgrade - http://www.bleepingcomputer.com/forums/topic478024.html

 

Note that the forum for posting malware logs...is the same forum reflecting the Prep Guide, not any other forum here at BC.

 

Thanks for understanding :).

 

Louis



#3 anisb3l


Posted 05 December 2013 - 12:00 AM

This is what ComboFix does

 

"ComboFix is a program, created by sUBs, that scans your computer for known malware, and when found, attempts to clean these infections automatically. In addition to being able to remove a large amount of the most common and current malware, ComboFix also displays a report that can be used by trained helpers to remove malware that is not automatically removed by the program."

 

Use autorun and check if you can see the strange logon notify box with crazy ASCII characters in it. If you do, you can delete it from the startup.



#4 Redplauge


Posted 05 December 2013 - 08:27 AM

I know what combo fix does, I am a programmer and also work at a computer repair shop, I don't need a noob lesson on what combo fix does.  What I need is someone who knows windows xp to help me.
 
So from what I understand, no one here can tell me how to remove the Logon Notify box that shows up in "Windows XP Only" after I have run a scan with ComboFix.  I have tried removing the entries in the registry that display the Logon Notify window.  If you would like to help, please send me email at <Redacted Email Address>. Because this is software that you use all the time, I was hoping for some insight as to why this is happening.

Edit: Email deleted as we do not support help via email as it defeats the purpose of forums and prevents others learning from the information. Additionally we cannot verify that the help or suggestions submitted are safe and or credible. ~ Animal

#5 quietman7


Posted 05 December 2013 - 11:20 AM

As far as I am aware, the issue you describe has not been reported by anyone else after running ComboFix. If it was responsible for causing that Logon Notify box to appear as you indicate, without an expert examining the entire log, it's impossible to tell what ComboFix detected and removed which caused this problem. Unfortunately CF logs are not permitted in this forum and that's why your topic was moved here.

I will do some more researching to see if I can find any more information but thus far, I have not seen anything similar.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 Redplauge


Posted 05 December 2013 - 11:34 AM

So I have found multiple forums regarding this issue. It seems that these people had used GMER and some other tools. Here are the links to the forums.

 

http://www.techsupportforum.com/forums/f10/weird-characters-in-message-box-at-logon-390191.html

 

http://www.teachexcel.com/winxp/winxp-help.php?i=14846

 

http://www.techrepublic.com/forums/questions/strange-window-appears-before-windows-xp-logon/

 

http://forums.majorgeeks.com/showthread.php?t=195988

 

No one has been able to figure this out and it seems to be related to one of the tools either changing a registry entry or something.

 

I also have the ComboFix log. Do you want it in this forum?



#7 quietman7


Posted 05 December 2013 - 11:46 AM

I am only familiar with the TSF forum and did not come across that one when I did a search. Most likely because those topics are several years old but the one from Majorgeeks appears to be what you are describing.

As I said, ComboFix logs are not permitted in this forum.

Please follow the instructions in the Preparation Guide For Requesting Help starting at Step 6.
When you have done that, start a new topic and post the required logs to include your ComboFix log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts.

After doing this, please reply back in this thread with a link to the new topic so we can close this one.

Thanks.

#8 noknojon


Posted 05 December 2013 - 06:16 PM

Just to add FYI or if others are interested these links are all 4 to 6 years old. Not current=>

06-29-2009 Tech Support Forum
6 years ago TechRepublic community
08-09-09  MajorGeeks Support Forums

At times there has been a bad version of ComboFix released, but it is removed ASAP.

 

Thank you -



#9 quietman7


Posted 05 December 2013 - 06:48 PM

I have been reading the CF discussion topics here and at TSF since before those topics were posted and I don't recall anything about CF being responsible for such an issue. That doesn't mean it's not the cause in this case with the current version, which is why further investigation is needed.



#10 Redplauge


Posted 06 December 2013 - 02:34 PM

OK, this is the fix I was looking for!!

 

It's old but worked!

 

http://www.bleepingcomputer.com/forums/t/103663/strange-popup-before-winxp-login-screen-malware/

 

thnx



#11 Redplauge


Posted 06 December 2013 - 02:36 PM

Seems to be something that is being removed (by ComboFix) out of the registry when malware infects it.  It only does this in XP and has done it maybe 4 times on different XP computers over the last 9 months.

Maybe this fix will help you guys out.

 

Thnx again folks for your time in this.


Edited by Redplauge, 06 December 2013 - 02:37 PM.


#12 quietman7


Posted 06 December 2013 - 04:03 PM

You must have checked the "Way Back Machine" to find that one.

The link to the screenshot image posted by miekiemoes no longer works.

She apparently was not sure what caused the issue either.

I don't know what exactly happened, but all I know is.. The most common values in the registry which are responsible for a message at Windows Logon (Logon banners) are next values:

LegalNoticeCaption = "The caption text"
LegalNoticeText = "The body of the banner"

They are present under the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon" key.
And, they may be present under the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system" - key in the registry.
And that's what we have done now.. we cleared out those values.


That most likely explains why it wasn't reported to sUBs or in any of the CF discussion topics.

In reviewing the topic, the issue doesn't appear to be malware related in this instance. The OP wasn't certain about that and miekiemoes only had him remove a few unknown ActiveX components and browser extensions. Neither ComboFix nor any other advanced tools were used.

Anyway glad to hear that solution worked.
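The check the quoted fix points to, as an added example that is not part of the original posts and is not code from ComboFix: it scans the text of a registry export for non-empty LegalNoticeCaption / LegalNoticeText values under the two keys named above and flags data that looks garbled. The function names, the garbling heuristic and the sample export are assumptions made for illustration.

```python
import re

# Keys and value names are from the quoted fix; compared lowercased (registry is case-insensitive).
BANNER_KEYS = {
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon",
    r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system",
}
BANNER_VALUES = {"legalnoticecaption", "legalnoticetext"}
SECTION = re.compile(r"^\[(.+)\]$")
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def looks_garbled(text):
    # Heuristic (assumption of this example): control chars, or mostly non-ASCII.
    if any(ord(c) < 0x20 and c not in "\r\n\t" for c in text):
        return True
    return sum(ord(c) > 0x7E for c in text) * 2 > len(text)

def find_logon_banners(reg_text):
    """Return (key, name, data, garbled) for each non-empty banner value."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1)
            continue
        m = STRING_VALUE.match(line)
        if not (m and key and key.lower() in BANNER_KEYS):
            continue
        # .reg exports escape backslash and double quote with a backslash.
        name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
        if name.lower() in BANNER_VALUES and data:
            findings.append((key, name, data, looks_garbled(data)))
    return findings

# Constructed sample export (not data from the thread).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"="GARBLED"
"LegalNoticeText"=""
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system]
"legalnoticetext"="Authorized use only"
'''.replace("GARBLED", "\u00fe\u00a4\u00b6\u00c6\u00d0")

if __name__ == "__main__":
    print([(name, garbled) for _, name, _, garbled in find_logon_banners(SAMPLE)])
```

An empty result means neither key carries a logon banner; a finding that is not flagged as garbled may be an intentional legal notice and should be reviewed before it is cleared.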

#13 Redplauge


Posted 06 December 2013 - 04:20 PM

lol way back machine, "Google" actually found it because of the search words.  But yes it did work, thnx again.



#14 quietman7


Posted 06 December 2013 - 05:06 PM

Not a problem.

#15 noknojon


Posted 06 December 2013 - 07:37 PM

I did note the Service pack was only SP2 on the linked fix -

 

>> Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
<<

 

Leading me to think that the issue may occur on a machine that is not fully updated ??

 

You must remember that sUBs works on fully updated systems when updating his tool.

Please check that the Service Pack is 3 and all other updates are fully installed -

 

Also I have just installed / run / diagnosed a ComboFix log on a Fully Updated / XP SP3 based system (without problems).

Note : I do know the program is updated often, and old versions need to be deleted for these reasons.

 

Just a few random thoughts -





