winlogon.exe


Guest

Please help!!
I think I have picked up a virus while helping a friend with the same
problem. He called and said, on visiting a site it told me I had 27 problems
with my PC 'click here to fix them', so he did (he is new to the internet)
and it installed winspyware2006 WITHOUT CONSENT! When I visited the site to
see where he had been it did not install winspyware2006, I did not 'click
here to fix them', but I have got winlogon.exe using 22,000k in my task
manager. Now even I know that is not right! Scans with Ad-aware and Spybot
S&D have found tracking cookies from winspyware and tradedoubler.com, but no
registry entries. I think this may be a trojan. Can anyone point me in the
right direction PLEASE.

Regards
Lee.
 

Guest

Hi there Rob,

Try this:

1) Breathe man...you're gonna be ok.
2) Reboot your PC and tap on the F8 key to get to the Windows Safe Mode
select screen.
3) Choose the Safe Mode option.
4) While in Safe Mode, run your anti-virus scan and then perform a scan with
your anti-spyware application. This should take care of any viruses,
trojans, spyware, adware, etc.

If you do not have any anti-virus software installed, you can get a trial
version of an anti-virus application from these Microsoft Security Center
Anti-Virus Partners:

http://www.microsoft.com/athome/security/viruses/wsc/en-us/default.mspx

You really need to do some things to prevent this from happening on a
regular basis. The first of which is create user accounts for all of your
family members, and grant them user only rights. You can do this by going to
Start>Control Panel>User Accounts and click on the Create New Account Link.

While you're creating the account, set the account as Limited. This
however, will only be temporary. Be sure to create one for yourself as well.

When you have finished, right click on the My Computer icon, and click on
Manage.

Click on the + next to Users and Groups.

Click on the Users folder to highlight it.

On the right side of the pane, right click on one of the userID's for your
family members, and click on Properties.

Click on the Member Of tab.

Make sure that ONLY the Users group is in the list. Anything else must be
removed. Do this with all accounts EXCEPT THE ADMINISTRATOR ACCOUNT.

Go to the General Tab of the User Account page.

Click on the checkbox for "User must change password at next logon".

Click on apply, then OK.

Do this for all accounts EXCEPT THE ADMINISTRATOR ACCOUNT.

For the administrator account, right click on it, and left click on Set
Password.

Set a password that is 8-10 characters long, and has at least 1 number in
it. If you can, use symbols as well. Like ch@nge1t, or somesuch. (Please
don't use the example.)

Write that password down on a card and keep it in your wallet, tell no one.

This allows you to essentially limit the abilities of you and your family
members from having rights to install anything on the PC. The plus to this,
is that if you go to a website and it attempts to install something on your
machine, it will more than likely not be able to, because you don't have the
rights to do so. And if there is something that you or your family needs to
have installed, then they have to come to you, and then you have to make a
conscious decision to install it. Have your buddy do the same. It'll save
much frustration in the end.

On a side note, winlogon can actually take up that much with Fast User
Switching turned on and if there is more than one person logged on to the
machine at once. But let's be on the safe side and run under the assumption
that something is wrong.

Sorry for the college dissertation, but I hope it's helpful!

Best Regards,

~Will
 

David H. Lipman

From: "RobLee" <[email protected]>

| Please help!!
| I think I have picked up a virus while helping a friend with the same
| problem. He called and said, on visiting a site it told me I had 27 problems
| with my PC 'click here to fix them', so he did (he is new to the internet)
| and it installed winspyware2006 WITHOUT CONSENT! When I visited the site to
| see where he had been it did not install winspyware2006, I did not 'click
| here to fix them', but I have got winlogon.exe using 22,000k in my task
| manager. Now even I know that is not right! Scans with Ad-aware and Spybot
| S&D have found tracking cookies from winspyware and tradedoubler.com, but no
| registry entries. I think this may be a trojan. Can anyone point me in the
| right direction PLEASE.

| Regards
| Lee.




Two phase answer...

Perform Part 1 then perform Part 2

If the first two parts don't work, perform the alternate utility.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
This is most likely why you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version...

C:\Program Files\Java\jre1.5.0_06


http://www.java.com/en/download/manual.jsp



Part 1
------------
Download Adware-Virtumundo Removal Tool --
http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

Information on the Adware-Virtumundo Removal Tool:
http://forums.mcafeehelp.com/viewtopic.php?t=57049

Part 2
------------
Download WinFixerFix.exe from the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe

Execute; WinFixerFix.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are
using WinXP, Win2K or Win2003 your system will be left in a state where you will have to
manually shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in
your browser but your PC will automatically be shut down. It is suggested that you move the
report out of c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


ALTERNATE:
--------------

Download Atribune's VUNDOFIX.EXE
http://www.atribune.org/ccount/click.php?id=4

Save VUNDOFIX.EXE to "C:\" ( C:\VUNDOFIX.EXE ) and execute it from there.


Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *
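The Java folder check David describes above (only the current JRE should sit under C:\Program Files\Java, and a leftover such as Lee's C:\Program Files\JavaSoft\JRE\1.3.1_04 is what needs removing), as an added example that is not part of any post in this thread: it parses JRE folder names into version tuples, flags anything older than the 5.0 Update 6 release the thread recommends, and walks the two install roots (assumed, not taken from a real machine) when run directly.

```python
import os
import re
from typing import Iterable, Optional

# Minimum release the thread recommends: Sun Java JRE 5.0 Update 6 (1.5.0_06).
MIN_VERSION = (1, 5, 0, 6)

# Folder layouts seen in the thread: "jre1.5.0_06" under C:\Program Files\Java and
# "1.3.1_04" under C:\Program Files\JavaSoft\JRE (the old 1.3-era layout).
_VERSION_RE = re.compile(r"^(?:j2?re|jdk)?(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$", re.IGNORECASE)


def parse_jre_folder(name: str) -> Optional[tuple]:
    """Turn a JRE folder name into (major, minor, micro, update); None if not a JRE folder."""
    m = _VERSION_RE.match(name.strip())
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def outdated_jres(folder_names: Iterable[str], minimum=MIN_VERSION):
    """Return the folder names whose version is below `minimum`, oldest first."""
    found = []
    for name in folder_names:
        ver = parse_jre_folder(name)
        if ver is not None and ver < minimum:
            found.append((ver, name))
    return [name for _, name in sorted(found)]


def scan_java_roots(roots=(r"C:\Program Files\Java", r"C:\Program Files\JavaSoft\JRE")):
    """Walk the usual install roots (assumed from the thread) and report stale JRE folders."""
    report = {}
    for root in roots:
        if not os.path.isdir(root):  # silently skipped on non-Windows hosts
            continue
        names = [e.name for e in os.scandir(root) if e.is_dir()]
        stale = outdated_jres(names)
        if stale:
            report[root] = stale
    return report


if __name__ == "__main__":
    # Constructed sample matching what Lee found on his XP machine.
    sample = ["jre1.5.0_06", "1.3.1_04", "README.txt"]
    print("stale:", outdated_jres(sample))  # -> ['1.3.1_04']
    for root, stale in scan_java_roots().items():
        print(f"{root}: remove {', '.join(stale)}")
```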
 

Guest

Hi David, thanks for your reply.
Before I take the steps you suggested, I just wanna let you know what I found
regarding Java: >C>program files>javasoft>JRE>1.3.1_04. Obviously this needs
updating to jre1.5.0_06. Do I just delete the folder in C then d/l the latest
version? Can't find it in Add/Remove Programs to uninstall. I also installed
Windows Defender and now the process winlogon.exe is only using 2,500k.

regards
lee
 

David H. Lipman

From: "RobLee" <[email protected]>


| Hi David, thanks for your reply.
| Before I take the steps you suggested, I just wanna let you know what I found
| regarding Java: >C>program files>javasoft>JRE>1.3.1_04. Obviously this needs
| updating to jre1.5.0_06. Do I just delete the folder in C then d/l the latest
| version? Can't find it in Add/Remove Programs to uninstall. I also installed
| Windows Defender and now the process winlogon.exe is only using 2,500k.
|
| regards
| lee

Lee:

That is definitely a vulnerable version of Sun Java. You should go to the "Add/Remove Programs"
control panel applet and remove the software from there. Then reboot the PC. Download Sun
Java v5 update 6 and then install that version.

I strongly urge you to follow the rest of the utility suggestions I made.
 

Guest

Hi,
I have installed jre1.5.0_06. It now appears as an icon in Control Panel
and J2SE Runtime Environment 5.0 Update 6 in the Add/Remove Programs list.
JRE>1.3.1_04 does not appear in the Add/Remove Programs list so I am assuming
this is just a folder in my C>program files and is not installed on my
system. After installing jre1.5.0_06 I did a scan verify on the web site and
here are the results:

JAVA SOFTWARE for Your Computer

VERIFY YOUR JAVA SOFTWARE INSTALLATION


We detected your Java environment as follows;
Description Your Environment

Java Runtime Vendor: Sun Microsystems Inc.
Java Runtime Version 1.5.0_06

CONGRATULATIONS, you have the Latest version of Java!

The scan did not detect the old version but the folder is still there.

regards
Lee. XP Home SP2
 

David H. Lipman

From: "RobLee" <[email protected]>


| Hi,
| I have installed jre1.5.0_06. It now appears as an icon in Control Panel
| and J2SE Runtime Environment 5.0 Update 6 in the Add/Remove Programs list.
| JRE>1.3.1_04 does not appear in the Add/Remove Programs list so I am assuming
| this is just a folder in my C>program files and is not installed on my
| system. After installing jre1.5.0_06 I did a scan verify on the web site and
| here are the results:
|
| JAVA SOFTWARE for Your Computer
|
| VERIFY YOUR JAVA SOFTWARE INSTALLATION
|
| We detected your Java environment as follows;
| Description Your Environment
|
| Java Runtime Vendor: Sun Microsystems Inc.
| Java Runtime Version 1.5.0_06
|
| CONGRATULATIONS, you have the Latest version of Java!
|
| The scan did not detect the old version but the folder is still there.
|
| regards
| Lee. XP Home SP2
|

If you can NOT find the uninstaller for the OLD version of Sun Java, manually delete the
folder.
 
