Virus Adds Registry Entries

Posted by John on February 16, 2007, 11:46 am
I have a fully patched XPSP2 system, some virus keeps on adding
c:\windows\winlogon.exe, c:\windows\smss.exe into
HKLM\software\microsoft\currentversion\run. I checked the c:\windows and
those files do not exist in c:\windows. I know they normally live in
system32 folder, and they do exist in system32 folder.

I ran Norton Antivirus, Windows Defender and they could not find anything.

This system was previously infected with dsrss.exe, ieredir.exe, smss.exe,
Trojan.Qhosts, and some other ones. The computer user kept on saying "NO" to
popup for Windows Update, until it was too late.

Anybody know of a virus that may be doing this?




Posted by Malke on February 16, 2007, 12:56 pm
John wrote:
> I have a fully patched XPSP2 system, some virus keeps on adding
> c:\windows\winlogon.exe, c:\windows\smss.exe into
> HKLM\software\microsoft\currentversion\run. I checked the c:\windows and
> those files do not exist in c:\windows. I know they normally live in
> system32 folder, and they do exist in system32 folder.
>
> I ran Norton Antivirus, Windows Defender and they could not find anything.
>
> This system was previously infected with dsrss.exe, ieredir.exe, smss.exe,
> Trojan.Qhosts, and some other ones. The computer user kept on saying "NO" to
> popup for Windows Update, until it was too late.
>
> Anybody know of a virus that may be doing this?

Your machine is still not clean. Go through these general malware
removal steps systematically -
http://www.elephantboycomputers.com/page2.html#Removing_Malware

Include scanning with either Sysclean or Multi_AV, plus AVG Anti-Spyware
(formerly Ewido - http://www.ewido.net/en/) and follow instructions to
do all scans in Safe Mode.

When all else fails, run HijackThis and post your log in one of the
specialty forums listed at the link above (not here, please).

Standard caveat: If the procedures look too complex - and there is no
shame in admitting this isn't your cup of tea - take the machine to a
professional computer repair shop (not your local version of
BigStoreUSA). Please be aware that not all local shops are skilled at
removing malware and even if they are, your computer may be so infested
that Windows will need to be clean-installed. Have all your data backed
up before you take the machine into a shop.


Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Posted by David H. Lipman on February 16, 2007, 4:08 pm

| I have a fully patched XPSP2 system, some virus keeps on adding
| c:\windows\winlogon.exe, c:\windows\smss.exe into
| HKLM\software\microsoft\currentversion\run. I checked the c:\windows and
| those files do not exist in c:\windows. I know they normally live in
| system32 folder, and they do exist in system32 folder.
|
| I ran Norton Antivirus, Windows Defender and they could not find anything.
|
| This system was previously infected with dsrss.exe, ieredir.exe, smss.exe,
| Trojan.Qhosts, and some other ones. The computer user kept on saying "NO" to
| popup for Windows Update, until it was too late.
|
| Anybody know of a virus that may be doing this?
|


Download and execute HiJack This! (HJT)
http://www.spywareinfo.com/~merijn/files/HijackThis.exe

Create a HJT log file and post it in one of the below locations...

{ Please - Do NOT post the HJT Log here ! }

Forums where you can get expert advice for HiJack This! (HJT) logs.

NOTE: Registration is not required in the below before posting a log
http://www.thespykiller.co.uk/forum/?action=forum


NOTE: Registration is REQUIRED in any of the below before posting a log
http://www.bleepingcomputer.com/forums/forum22.html
http://castlecops.com/forum67.html
http://www.dslreports.com/forum/cleanup
http://www.cybertechhelp.com/forums/forumdisplay.php?f=25
http://www.atribune.org/forums/index.php?showforum=9
http://www.geekstogo.com/forum/Malware_Removal_HiJackThis_Logs_Go_Here-f37.html
http://gladiator-antivirus.com/forum/index.php?showforum=170
http://forum.networktechs.com/forumdisplay.php?f=130
http://forums.maddoktor2.com/index.php?showforum=17
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.spywareinfo.com/index.php?showforum=18
http://forums.techguy.org/f54-s.html
http://forums.tomcoyote.org/index.php?showforum=27
http://forums.subratam.org/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.malwarebytes.org/forums/index.php?showforum=7
http://makephpbb.com/phpbb/viewforum.php?f=2
http://forums.techguy.org/54-security/
http://forums.security-central.us/forumdisplay.php?f=13


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Posted by Tim on February 16, 2007, 9:13 pm
Just do this:
First, open "msconfig" and switch to "boot" to see if there is something there.
(Here is the stuff that is not important for the system; carefully check for
entries like winlogon.exe or *.com, they are not real system files!)
Then, switch to "Services", make sure that "hide all microsoft services"
is true, then check it carefully.
Third, open "regedit" (Registry Editor), go to
"HKLM\Software\Microsoft\WindowsNT\Winlogon", and check the following values on
the right side:
Shell: "Explorer.exe" (without anything else, and be sure that there
is no Explorer.exe in the system32 folder)
UIHost: "%SystemRoot%\system32\logonui.exe" (without anything else)
Userinit: "C:\WINDOWS\system32\userinit.exe," (without anything else)
If they can't solve the problem, then create a folder named
"winlogon.exe" and one named "smss.exe" under the Windows folder.


> I have a fully patched XPSP2 system, some virus keeps on adding
> c:\windows\winlogon.exe, c:\windows\smss.exe into
> HKLM\software\microsoft\currentversion\run. I checked the c:\windows and
> those files do not exist in c:\windows. I know they normally live in
> system32 folder, and they do exist in system32 folder.
>
> I ran Norton Antivirus, Windows Defender and they could not find anything.
>
> This system was previously infected with dsrss.exe, ieredir.exe, smss.exe,
> Trojan.Qhosts, and some other ones. The computer user kept on saying "NO" to
> popup for Windows Update, until it was too late.
>
> Anybody know of a virus that may be doing this?
>
>
>
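
The checks discussed in this thread, as an added example that is not written by any of the posters: a Python audit over constructed `reg query` output that flags Run entries naming a core Windows process outside System32 (the original poster's symptom) and Winlogon values that differ from the ones listed in the last reply. The `CORE` list, the sample text, the full key paths as `reg query` prints them, and all function names are assumptions made for the illustration.

```python
import ntpath
import re

CORE = {"winlogon.exe", "smss.exe", "csrss.exe", "lsass.exe", "services.exe"}  # assumed list; genuine copies live only in System32
# Winlogon values as listed in the last reply of the thread (lower-cased).
WINLOGON = {"shell": "explorer.exe", "uihost": r"%systemroot%\system32\logonui.exe",
            "userinit": r"c:\windows\system32\userinit.exe,"}
LINE = re.compile(r"^\s+(\S.*?)\s+(REG_\w+)\s*(.*)$")
# Constructed `reg query` output, not taken from the affected machine.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    winlogon    REG_SZ    c:\windows\winlogon.exe
    smss    REG_SZ    "C:\WINDOWS\smss.exe" -k
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe C:\WINDOWS\winlogon.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
"""

def parse(text):
    """Parse `reg query` text into {key path: {value name: data}}."""
    keys, cur = {}, None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m and cur is not None:
            cur[m.group(1)] = m.group(3).strip()
        elif raw.strip():
            cur = keys.setdefault(raw.strip(), {})
    return keys

def exe_path(cmd, windir=r"C:\WINDOWS"):
    """Return the lower-cased executable path at the start of a command line."""
    cmd = re.sub(r"%(systemroot|windir)%", lambda _: windir, cmd.strip(), flags=re.I)
    m = re.match(r'"([^"]+)"|(\S+)', cmd)
    return ntpath.normpath(m.group(1) or m.group(2)).lower() if m else ""

def audit(text, windir=r"C:\WINDOWS"):
    """Return (value name, reason) findings for the Run and Winlogon keys."""
    sys32, out = ntpath.join(windir, "system32").lower(), []
    for key, vals in parse(text).items():
        for name, data in vals.items():
            if key.lower().endswith(r"\run"):
                p = exe_path(data, windir)
                if ntpath.basename(p) in CORE and ntpath.dirname(p) != sys32:
                    out.append((name, "core process name outside System32"))
            elif key.lower().endswith(r"\winlogon") and name.lower() in WINLOGON:
                if data.lower() != WINLOGON[name.lower()]:
                    out.append((name, "unexpected Winlogon value"))
    return out
```

Calling `audit(SAMPLE)` reports the two Run entries and the padded Shell value, and leaves the ctfmon and Userinit lines alone.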
