Member Avatar for SillyBilly

When I boot my system I get a blue screen like a login box, except it has foriegn symbles of some kind at the first line. I can't get a snap shot and it only has an "x" to close, which does nothing,, an "OK" box which lets it proceed to log in. It only has a few characters, and I cant duplicate them. When I did all my scans plus some new ones just in case of a new threat, I rebooted and at the top of the box at end it had "winlogon". Before that it in the same line had about ten different symbles, kinda looked chineese or somthing. here is latest hijack log. Any help or clue about what I am describing?? I also attached one of the symbols to a word doc, it is as if you could write text in it, with the little curser flashing,,, god this is hard to explain,,, maybe I can use camera to take picture and upload if that will help.


Logfile of HijackThis v1.99.1
Scan saved at 6:31:35 PM, on 5/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Down loades and info\Windows Tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = *http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = *http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = *http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = *http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6066\SiteAdv.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Microsoft Office\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone:
O15 - Trusted Zone: *.line6.net
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) -
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) -
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSN Messenger\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe

symbol_insid_box_as_if_text_where_there.doc (23.5 KB)
  • 5 Contributors
  • 10 Replies
  • 137 Views
  • 1 Week Discussion Span
  • Latest Post Latest Post by RueB2sDe

Recommended Answers

All 10 Replies

Member Avatar for Serunson

A picture of this screen would help us out!

Member Avatar for SillyBilly

I noticed while trying to get a good shot of the screen, that the symbols inlayed in the blue erea would change dramaticly as in the number of symbols that where there. It started with 3 or 4, then after it sat for a minute, it chang to about nine, with ".ILO", and not sure about the ILO part, but I couldn't get a snap off before it changed. Hope this will help... well I did get a shot of it changing But they are not real clear. Best I could get. And is IPSEC service supposed to be running, it is set to Automatic but is the only one set to auto that is not runnig at start up?? Thanks very much for the help.

3rd_change.jpg 410.6 KB before_it_changed.jpg 369.92 KB Billy_005.jpg 416.47 KB center_bottom_of_the_dialog_box.jpg 351.63 KB corner_of_the_screen_that_appears.jpg 417.84 KB error_after_trying_to_start_IPSEC_services.jpg 387.57 KB last_change_that_stayed.jpg 398.59 KB second_change.jpg 335.98 KB
Member Avatar for The Dude

I hope thats not a virus,i have heard that there is a virus "Winlogon" that is also a virus (I saw it mentioned on another site)

Winlogon IS A LEGIT PROCESS!! But there is also a virus using this same name!!!!

http://www.neuber.com/taskmanager/process/winlogon.exe.html

Good luck my friend :)

Member Avatar for SillyBilly

Already all virus scans from many known venders and not winlogon, already checked...

Member Avatar for The Dude

OK good,its not something bad then (@ least virus wise)

Member Avatar for jbennet

Winlogon may have been replaced by a false one (virus). You can check it matches the one on the windows cd (you will need your cd) by going to run and typing

sfc /scannow

. This process is silent. Reboot it finishes and see if the problem still occurs.

Member Avatar for SillyBilly

Ok guys,, it was that I was first using tuneupxp 2006, and in the system control section there was a boot up screen option that you could have say something before logging on. somehow this got triggerd and was actually just being annoying instead of a threat. it was a bug but not dangeruose. the other errors I was getting,, I feel dumb about this,,, anyways, was I was tring to log on to my network in a domain, and from what I gatherd, xp doesnt support that type,,, not sure anyways,,, all seems to be fine,, If someone could look at that hijack.log at top to make a final descision I would thank you!!!! peace out,,, and sorry again for the wild goose chase!!

Member Avatar for The Dude

No problem my friend!

Good luck getting it fixed

Member Avatar for RueB2sDe

What does your last picture say? Cannot locate file? When I click on it to make it bigger the resolution will not clear and cannot make out what it says.
Will it load your user profiles to log into Windows XP?

Try this at your own risk:
Tap F8 upon startup. Choose Safe mode.
Go to Start Run and type MSConfig
click on Services and take the check mark out of: C:\WINDOWS\system32\winlogon.exe
Restart.
Then go to Start and Run and type
sfc /scannow
See if finds any errors in your system file and repair if need be.

This link might give you more information on your issue:
http://www.liutilities.com/products/wintaskspro/processlibrary/winlogon/

Hope that helps

Member Avatar for RueB2sDe

Hey disregard my suggestion on disabling. Just go to that link to read more about WinLogon.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.