
Author Topic: Trojan, I think it's winloggn.exe?  (Read 9294 times)


sierobin

    Topic Starter


    Rookie

    Thanked: 1
    Trojan, I think it's winloggn.exe?
    « on: December 24, 2008, 12:04:56 AM »
    I guess I got something bad this time.. usually I'm able to figure it all out myself but I'm stumped.

    Every time I restart my PC or Log Off my computer says that my automatic updates are disabled.. even though they're not. I found in my Task Manager "winloggn.exe." It also says that I'm not an administrator however I'm the only user on the computer making ME the admin. Also, if you go into explorer and go under "Tools" Folder Options is missing, however I think this accounts for me not being an "admin" which I already discussed that I am.

    This is getting annoying, if someone could help that'd be great.

    Carbon Dudeoxide

    • Global Moderator

    • Mastermind
    • Thanked: 169
    • Experience: Guru
    • OS: Mac OS
    Re: Trojan, I think it's winloggn.exe?
    « Reply #1 on: December 24, 2008, 01:27:50 PM »

    chalks



      Starter

      Re: Trojan, I think it's winloggn.exe?
      « Reply #2 on: December 24, 2008, 01:38:43 PM »
      I discovered this malware on my son's computer today. It's new and we hadn't got round to putting our Kaspersky Antivirus on it.

      It's taken me all day to work out what the problem is and I'm close to getting rid of it. It is found in a user's temp folder. documents and settings/user name/local settings/temp.

      I have bought a utility to release the blocks on  the file options, registry and browser restrictions. This is called remove restrictions tool. I'm using sysinternals.exe to see what processes are running and also normans malware cleaner to find and remove the problem.

      Not entirely sorted yet and I'll post later with more information once I've finally got rid of it.

      Steve

      Carbon Dudeoxide

      Re: Trojan, I think it's winloggn.exe?
      « Reply #3 on: December 24, 2008, 01:51:57 PM »
      Ummm....Okay....thanks for sharing Chalks.

      chalks




        Re: Trojan, I think it's winloggn.exe?
        « Reply #4 on: December 24, 2008, 04:11:28 PM »
        The simple fix for me was to log on in safe mode as administrator and delete the contents of all C:\documents and settings\user name\local settings\temp. Two files logoggn.exe and csrsss.exe need to be removed from each temp folder. These files were in each user account folder but not the administrator's.

        I found that Normans Malware Remover unlocked the restrictions on viewing the folder options and regedit but the restriction remover tool that I paid for was useless.

        I used sysinternals explorer to view the running processes to see the bad files running when logged in as a user. Useful to discover the names of the rogue files - which you know now anyway.

        I hope this helps. I've wasted around 12 hours trying to fix this problem. I've now been able to register my anti virus software (Kaspersky), I've also installed Adaware Alert to monitor spyware and ErrorKiller to clean the registry. Shutting the stable door you might say!

        Happy Christmas.

        Steve


        sierobin

          Re: Trojan, I think it's winloggn.exe?
          « Reply #5 on: December 25, 2008, 08:42:24 AM »
          I've gotten down to where I have my Folder Options back and now nothing loads on startup. Only problem it seems I have left is with the Automatic Updates. To make things better I'll follow the outline suggested by posting a HJT.. anyhow here you go.

          Also thank you everyone for the replies.

          [attachment deleted by admin]

          chalks




            Re: Trojan, I think it's winloggn.exe?
            « Reply #6 on: December 25, 2008, 02:56:27 PM »
            Follow up

            After getting rid of the winloggn and csrsss I found that Internet Explorer and Firefox had been hijacked and all searches were being redirected to rubbish websites. Nothing could find and remove whatever was hijacking the browsers. I bit the bullet and reinstalled the PC back to factory settings which definitely solves the problem. On reflection I should have done this when the problem first appeared but it was a challenge to try and solve the problem.

            Now I've got a clean build with antivirus and spyware software running as intended.

            evilfantasy

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Calm like a bomb
            • Thanked: 493
            • Experience: Experienced
            • OS: Windows 11
            Re: Trojan, I think it's winloggn.exe?
            « Reply #7 on: December 25, 2008, 05:24:00 PM »
            You have to fight virus in the registry as well as the program files/folders. Killing the process is not sufficient in most cases.

            @ sierobin

            Open HijackThis and select Do a system scan only.

            Place a check mark next to the following entries: (if there)

            - O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
            - O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\csrss.exe
            - O4 - HKLM\..\Run: [jsf8j34rgfght] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\winloggn.exe
            - O4 - HKLM\..\Run: [3cc9899f] rundll32.exe "C:\WINDOWS\system32\bprvxjed.dll",b
            - O4 - HKCU\..\Run: [jsf8j34rgfght] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\winloggn.exe
            - O20 - AppInit_DLLs: wqxlfh.dll


            Important: Close all windows except for HijackThis and then click Fix checked.

            Exit HijackThis.

            ----------

            Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

            Go to Start > Run and type notepad.exe then click OK

            Copy and paste the below into Notepad and save as fixme.reg to Your Desktop

            Code:
            REGEDIT4

            [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentVersion\Run]
            "winlogon"=-
            "jsf8j34rgfght"=-
            "3cc9899f"=-

            [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
            "jsf8j34rgfght"=-

            Locate fixme.reg on your Desktop and double-click it. Answer Yes when prompted to merge with the Registry.

            Make sure that you tell me if you receive a success message about adding the above to the registry. If you do not get a success message, it did not work.

            Delete the fixme.reg from the Desktop.

            ----------

            Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

            Link #1
            Link #2

            **Note:  It is important that it is saved directly to your Desktop

            Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

            Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
             
            Double click combofix.exe & follow the prompts.

            For Windows XP Systems install the Recovery Console:

            - If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
            - If for some reason your Internet is not working click No.
            - If you are not using Windows XP, you will not be prompted.
            - When prompted to accept the EULA click OK.
            - Accept Microsoft's EULA (Click Yes).
            - When you are told that the RC is installed correctly click YES to continue scanning for malware.

            When finished ComboFix will produce a log for you.
            Post the ComboFix log in your next reply.

            Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

            Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.
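The HijackThis O4 entries selected in the reply above show three traits that can be checked mechanically: an autorun that launches from a Temp folder, a file name one or two characters away from a real Windows process name, and a real process name in the wrong directory. The following is an added example, not part of the original thread or of HijackThis; the function names are hypothetical, the process list is a small sample, it assumes Windows is installed in C:\WINDOWS as in the log above, and the last sample line is constructed.

```python
import ntpath
import re

SYS32 = r"c:\windows\system32"
# Sample of real process names and the folder each normally runs from (assumption).
EXPECTED_DIR = {
    "winlogon.exe": SYS32, "csrss.exe": SYS32, "lsass.exe": SYS32,
    "services.exe": SYS32, "smss.exe": SYS32, "svchost.exe": SYS32,
    "wuauclt.exe": SYS32, "explorer.exe": r"c:\windows",
}
# HijackThis autorun line: O4 - <hive>\..\Run: [<value name>] <command>
O4_RE = re.compile(r"O4 - (HK\w+)\\\.\.\\Run: \[(.*?)\] (.+)")

def edit_distance(a, b):
    """Levenshtein distance, used to spot names like winloggn.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def image_path(command):
    """Return the executable part of a Run command, lower-cased."""
    m = re.match(r'"?(.+?\.exe)(?=["\s]|$)', command, re.I)
    return (m.group(1) if m else command.split()[0]).lower()

def triage(line):
    """Parse one O4 line; return None if the line is not an O4 Run entry."""
    m = O4_RE.search(line)
    if not m:
        return None
    image = image_path(m.group(3).strip())
    folder, name = ntpath.split(image)
    findings = []
    if {"temp", "tmp"} & set(folder.split("\\")):
        findings.append("runs-from-temp")
    if name in EXPECTED_DIR:
        # A real name is only trusted in its usual folder.
        if folder and folder != EXPECTED_DIR[name]:
            findings.append("system-name-wrong-dir")
    else:
        for legit in sorted(EXPECTED_DIR):
            if 0 < edit_distance(name, legit) <= 2:
                findings.append("lookalike-of:" + legit)
    return {"hive": m.group(1), "value": m.group(2),
            "image": image, "findings": findings}

def triage_log(lines):
    """Triage every O4 Run entry found in an iterable of log lines."""
    return [e for e in (triage(l) for l in lines) if e is not None]

# First four lines are the O4 entries quoted in the reply; the last is constructed.
SAMPLE_O4 = [
    r"O4 - HKLM\..\Run: [winlogon] C:\WINDOWS\csrss.exe",
    r"O4 - HKLM\..\Run: [jsf8j34rgfght] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\winloggn.exe",
    r'O4 - HKLM\..\Run: [3cc9899f] rundll32.exe "C:\WINDOWS\system32\bprvxjed.dll",b',
    r"O4 - HKCU\..\Run: [jsf8j34rgfght] C:\DOCUME~1\CHRIST~1\LOCALS~1\Temp\winloggn.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
]

if __name__ == "__main__":
    for entry in triage_log(SAMPLE_O4):
        print(entry["hive"], entry["image"], entry["findings"] or "no findings")
```

The rundll32 entry comes back with no findings: name and path checks do not catch a randomly named DLL loaded through a legitimate host, which is why that entry still needed a human reading of the log.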

            sierobin

              Re: Trojan, I think it's winloggn.exe?
              « Reply #8 on: December 25, 2008, 07:48:56 PM »
              Ok so I used the combofix and I also did HiJackThis and deleted the things you told me to. Here is also the log for combofix.

              [attachment deleted by admin]

              evilfantasy

              Re: Trojan, I think it's winloggn.exe?
              « Reply #9 on: December 25, 2008, 08:05:31 PM »
              Remove ComboFix from where it is installed and place it directly on the Desktop as the instructions stated please.

              You're going to have to remove the cracks in order for me to continue helping.

              Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

              Delete these files/folders, as follows:

              1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
              It must be Notepad, not Wordpad.
              2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

              Code:
              KillAll::

              Folder::
              c:\program files\Bethesda Softworks
              c:\documents and settings\All Users\Application Data\Fallout3
              c:\windows\system32\XPSViewer
              c:\program files\DriverCleanerDotNET

              File::
              c:\documents and settings\Christopher Boss\Application Data\serial2.zip
              c:\documents and settings\Christopher Boss\Application Data\serial2.dat
              c:\documents and settings\Christopher Boss\Application Data\dr.exe
              c:\program files\inc1.bat
              c:\program files\sleep.bat
              c:\program files\Fallout 3 crack.exe
              c:\program files\Win.All Fallout 3 crack.exe
              c:\program files\NOCD Fallout 3 crack.exe
              c:\windows\Tasks\At1.job
              c:\documents and settings\Christopher Boss\Application Data\wunauclt.exe
              c:\windows\Tasks\At2.job
              c:\windows\Tasks\At3.job
              c:\windows\Tasks\wxvthiic.job
              c:\windows\system32\rundll32.exe
              c:\windows\system32\imon.dll

              3. Go to the Notepad window and click Edit > Paste
              4. Then click File > Save
              5. Name the file CFScript.txt - Save the file to your Desktop
              6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



              ComboFix will begin to execute, just follow the prompts.
              After reboot (in case it asks to reboot), it will produce a log for you.
              Post that log (Combofix.txt) in your next reply.

              Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

              sierobin

                Re: Trojan, I think it's winloggn.exe?
                « Reply #10 on: December 25, 2008, 08:59:43 PM »
                K got it, did everything you told me.. sorry for the combofix thing not on my desktop lol. Anyhow here is the log.

                [attachment deleted by admin]

                evilfantasy

                Re: Trojan, I think it's winloggn.exe?
                « Reply #11 on: December 26, 2008, 10:49:39 AM »
                Run the Kaspersky Online Scanner

                In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

                • Click on SCAN NOW
                • Click Accept.
                • The program will then begin downloading the latest definition files.
                • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
                • The scan will take a while, so be patient and let it finish.
                When the scan is done, in the Scan is complete window, any infection is displayed.
                There is no option to clean/disinfect, however, we need to analyze the information on the report.

                To obtain the report:
                Click on: Save Report As
                • Next, in the Save as prompt, Save in area, select: Desktop.
                • In the File name area use KScan, or something similar.
                • In Save as type: click the drop arrow and select: Text file [*.txt]
                • Then, click: Save


                Copy and paste the Kaspersky Online Scanner Report in your next reply.

                Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

                sierobin

                  Re: Trojan, I think it's winloggn.exe?
                  « Reply #12 on: December 26, 2008, 10:29:52 PM »
                  Well that scan took forever but here we are.

                  --------------------------------------------------------------------------------
                  KASPERSKY ONLINE SCANNER 7 REPORT
                   Saturday, December 27, 2008
                   Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
                   Kaspersky Online Scanner 7 version: 7.0.25.0
                   Program database last update: Saturday, December 27, 2008 01:43:31
                   Records in database: 1519266
                  --------------------------------------------------------------------------------

                  Scan settings:
                     Scan using the following database: extended
                     Scan archives: yes
                     Scan mail databases: yes

                  Scan area - My Computer:
                     C:\
                     D:\

                  Scan statistics:
                     Files scanned: 46380
                     Threat name: 9
                     Infected objects: 12
                     Suspicious objects: 0
                     Duration of the scan: 01:03:38


                  File name / Threat name / Threats count
                  C:\Program Files\ESET\infected\LUGPV5BA.NQF   Infected: Rootkit.Win32.TDSS.cfj   1
                  C:\Program Files\ESET\infected\RCIWX1BA.NQF   Infected: Trojan.Win32.Patched.dw   1
                  C:\Program Files\ESET\infected\YMOE04DA.NQF   Infected: Trojan-Proxy.Win32.Agent.bdq   1
                  C:\Program Files\Pcsx2_0.9.4\pcsx2.exe   Infected: Trojan.Win32.Agent.axxp   1
                  C:\Qoobox\Quarantine\C\Program Files\Fallout 3 crack.exe.vir   Infected: P2P-Worm.Win32.P2PAdware.a   1
                  C:\Qoobox\Quarantine\C\Program Files\NOCD Fallout 3 crack.exe.vir   Infected: P2P-Worm.Win32.P2PAdware.a   1
                  C:\Qoobox\Quarantine\C\Program Files\Win.All Fallout 3 crack.exe.vir   Infected: P2P-Worm.Win32.P2PAdware.a   1
                  C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\TDSSpqxt.sys.vir   Infected: Packed.Win32.Krap.e   1
                  C:\Qoobox\Quarantine\C\WINDOWS\system32\ebsrvilw.dll.vir   Infected: not-a-virus:AdWare.Win32.SuperJuan.fjo   1
                  C:\Qoobox\Quarantine\C\WINDOWS\system32\msqpdxwvbddvdw.dll.vir   Infected: not-a-virus:AdWare.Win32.Agent.ivf   1
                  C:\Qoobox\Quarantine\C\WINDOWS\system32\oznivk.dll.vir   Infected: not-a-virus:AdWare.Win32.SuperJuan.fjo   1
                  C:\Qoobox\Quarantine\C\WINDOWS\system32\rqRKecdb.dll.vir   Infected: Trojan.Win32.Agent.aywp   1

                  The selected area was scanned.


                  evilfantasy

                  Re: Trojan, I think it's winloggn.exe?
                  « Reply #13 on: December 27, 2008, 12:38:04 PM »
                  Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

                  Delete these files/folders, as follows:

                  1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
                  It must be Notepad, not Wordpad.
                  2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

                  Code:
                  C:\Program Files\Pcsx2_0.9.4\pcsx2.exe

                  3. Go to the Notepad window and click Edit > Paste
                  4. Then click File > Save
                  5. Name the file CFScript.txt - Save the file to your Desktop
                  6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!



                  ComboFix will begin to execute, just follow the prompts.
                  After reboot (in case it asks to reboot), it will produce a log for you.
                  Post that log (Combofix.txt) in your next reply.

                  Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze


                  How is the computer running now?

                  sierobin

                    Re: Trojan, I think it's winloggn.exe?
                    « Reply #14 on: December 29, 2008, 10:58:51 PM »
                    I'm sorry for the slow response, been very busy with the Holidays and such. However, the computer is running great now.. no problems so far and every problem has been fixed thus far. I've attached the log also from what you told me to run.

                    [attachment deleted by admin]

                    evilfantasy

                    Re: Trojan, I think it's winloggn.exe?
                    « Reply #15 on: December 30, 2008, 01:58:39 PM »
                      • Click START then RUN
                      • Now type Combofix /u in the runbox
                      • Make sure there's a space between Combofix and /u
                      • Then hit Enter.
                      • The above procedure will:
                      • Delete the following:
                      • ComboFix and its associated files and folders.
                      • Reset the clock settings.
                      • Hide file extensions, if required.
                      • Hide System/Hidden files, if required.
                      • Set a new, clean Restore Point.
                      ----------

                    Download ATF Cleaner by Atribune to your Desktop.

                    Alternate download link

                    Note: Vista users must use Run As Administrator
                    • Under Main: Select Files to Delete choose: Select All.
                    • Click the Empty Selected button.
                    • If you use Firefox browser click Firefox at the top and choose: Select All
                    • Click the Empty Selected button.
                      If you would like to keep your saved passwords click No at the prompt.
                    • If you use Opera browser click Opera at the top and choose: Select All
                    • Click the Empty Selected button.
                      If you would like to keep your saved passwords click No at the prompt.
                    • Click Exit on the Main menu to close the program.
                    Note that your system will run slower for a reboot or two after having used this tool so don't panic.

                    ----------

                    Download OTCleanIt.exe and save it to your Desktop.
                    • Double-click OTCleanIt.exe.
                    • Click the CleanUp! button.
                    • Select Yes when the "Begin cleanup Process?" prompt appears.
                    • If you are prompted to Reboot during the cleanup, select Yes.
                    • The tool will delete itself once it finishes, if not delete it yourself.
                    Important: Restart the computer before continuing.

                    ----------

                    Use the Secunia Software Inspector to check for out of date software.
                    • Click Start Now
                    • Check the box next to Enable thorough system inspection.
                    • Click Start
                    • Allow the scan to finish and scroll down to see if any updates are needed.
                    • Update anything listed.
                    ----------

                    Go to Microsoft Windows Update and get all critical updates.

                    ----------

                    Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

                    Concerned about Browser Security? Consider using Mozilla Firefox 3.0 with Adblock Plus and NoScript

                    To prevent unknown applications from being installed on your computer install WinPatrol 2008
                    * Using Winpatrol to protect your computer from malicious software

                    I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                    SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                    * Using SpywareBlaster to protect your computer from Spyware and Malware
                    * If you don't know what ActiveX controls are, see here

                    Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                    Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

                    sierobin

                      Re: Trojan, I think it's winloggn.exe?
                      « Reply #16 on: January 01, 2009, 11:09:00 PM »
                      Everything seems to be great now, thank you for all the help. Now I know where to go whenever I get stuck on some sort of crappy malware/virus :] Thank you!

                      evilfantasy

                      Re: Trojan, I think it's winloggn.exe?
                      « Reply #17 on: January 02, 2009, 11:38:42 AM »
                      You're welcome.

                      Safe surfing...