Has my browser been hijacked?

  Number six 23:27 27 Dec 04

I have just reinstalled Windows XP from scratch. Now I keep getting a message from Sygate firewall: "winlogin.exe (or maybe winlogon.exe) has been blocked from accessing the network", also something about "trying to connect to 64.sytes.net". I suspect this may be something to do with MSN Messenger, or is it a hijacker? Can anyone help?

  Nellie2 23:39 27 Dec 04

It's quite important to know if it is winlogon or winlogin: one is a legitimate Windows file, the other is a virus. click here and click here

I suggest you do some online scans and let them fix what they find click here and click here

Download, install and run Adaware and Spybot; set-up instructions and download links click here. Then reboot and post a HijackThis log if you wish click here. I'll have a look tomorrow.

  Number six 21:21 28 Dec 04

Nellie2 - thanks for your help. I have located "winlogin.exe" in my system32 directory. I cannot delete it. There are also entries under "Run" and "RunServices" in the registry and in startup/msconfig. These just reappear if I remove them. I tried the online scans; they did not find anything. What next?

  Nellie2 21:33 28 Dec 04

I gave you a link to download a program called HijackThis. Extract it into its own folder and then double-click on the dynamite icon, scan and save the log, and post the log here for me to look at. You may have to do it in two posts though, as there is an 800-word limit on posts here.

  Number six 22:01 28 Dec 04

Hi Nellie2. Thanks again. Here is the logfile you requested:

Logfile of HijackThis v1.99.0
Scan saved at 21:54:16, on 28/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\anvshell.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\winlogin.exe
C:\DOCUME~1\JOHNSI~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [MSN Messenge] winlogin.exe
O4 - HKLM\..\RunServices: [MSN Messenge] winlogin.exe
O4 - HKCU\..\Run: [MSN Messenge] winlogin.exe
O4 - HKCU\..\RunServices: [MSN Messenge] winlogin.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - click here
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - click here
O17 - HKLM\System\CCS\Services\Tcpip\..\{B82816A2-0628-43C5-A837-40AE6C1CB8E9}: NameServer = 213.120.62.98 213.120.62.103
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ASUS Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

  Nellie2 22:34 28 Dec 04

Have you disabled anything using msconfig?

First of all, can you extract HijackThis out of the zip file and into its own folder and then run it from there. If you run it from a temp folder like that then backups could be lost on reboot.

Boot into safe mode, bring up Task Manager (Ctrl-Alt-Del) and end this process if it is running:

winlogin.exe

Then find and delete C:\WINDOWS\system32\winlogin.exe

Then, still in safe mode, run HijackThis, put a tick against the following and click 'Fix checked':

O4 - HKLM\..\Run: [MSN Messenge] winlogin.exe

O4 - HKLM\..\RunServices: [MSN Messenge] winlogin.exe

O4 - HKCU\..\Run: [MSN Messenge] winlogin.exe

O4 - HKCU\..\RunServices: [MSN Messenge] winlogin.exe

Then reboot back to normal mode and post a fresh HijackThis log here.
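A small log-triage helper, added here as an example and not code from the thread or from HijackThis: it parses the "Running processes" block and the O4 autorun lines of a HijackThis log and flags any executable whose name is one character away from a legitimate Windows system binary, which is exactly the winlogon/winlogin distinction the thread turns on. The allow-list of system binaries and the sample log lines are constructed for the demo.

```python
"""Flag look-alike system binaries in a HijackThis log (added example)."""
import re

# Constructed allow-list of core Windows binaries for this demo.
KNOWN_SYSTEM_BINARIES = sorted({
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "explorer.exe", "spoolsv.exe", "wuauclt.exe", "ctfmon.exe",
})

# O4 lines look like:  O4 - HKLM\..\Run: [Name] command args
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small enough to verify by hand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def lookalike_of(exe: str):
    """Return the legitimate binary `exe` imitates, or None if it is exact or unrelated."""
    if exe in KNOWN_SYSTEM_BINARIES:
        return None
    return next((k for k in KNOWN_SYSTEM_BINARIES if edit_distance(exe, k) == 1), None)

def triage(log_text: str) -> list:
    findings, in_procs = [], False
    for line in (l.strip() for l in log_text.splitlines()):
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            in_procs = bool(line)          # block ends at the first blank line
            legit = lookalike_of(basename(line)) if line else None
            if legit:
                findings.append(f"process {line} imitates {legit}")
            continue
        m = O4_RE.match(line)
        if m and (legit := lookalike_of(basename(m["cmd"].split()[0]))):
            findings.append(f"autorun {m['hive']}\\{m['key']} [{m['name']}] -> imitates {legit}")
    return findings

# Constructed sample, modelled on the entries in the thread's log.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogin.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MSN Messenge] winlogin.exe
O4 - HKCU\..\RunServices: [MSN Messenge] winlogin.exe
"""
```

Running `triage(SAMPLE_LOG)` reports the winlogin.exe process and both autorun entries as imitations of winlogon.exe, while the genuine winlogon.exe, svchost.exe and avgcc.exe pass.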

  Number six 23:09 28 Dec 04

I have not disabled anything in msconfig. I only have Windows, AVG, Sygate firewall and Spybot installed at the moment! Looks like you might have solved my problem, Nellie2, many thanks! Here is the new HijackThis logfile. One thing I have just noticed: CTFMON.EXE has appeared (unticked - not running) in msconfig/startup. Any idea what this might be?

Logfile of HijackThis v1.99.0
Scan saved at 22:56:26, on 28/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\anvshell.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\wuauclt.exe
D:\My Documents\Downloaded Programs\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = click here
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [anvshell] anvshell.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - click here
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - click here
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ASUS Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

  Number six 23:13 28 Dec 04

Forgot to say winlogin was not running in the processes list in safe mode. Thanks again!!

  Nellie2 23:22 28 Dec 04

Oh, that was an easy one! :) Yes, your logfile looks OK now.

Ctfmon.exe is involved with the language/alternative input services in Office XP. See here for more info click here;en-us;282599

Empty your temp files by using Disk Cleanup.

Go to Start > Programs > Accessories > System Tools > Disk Cleanup and put a check mark beside all the entries in the Disk Cleanup window that ask you what you want to clean. Clean all hard drives and all files. This will get rid of any malware that is hiding in the temporary folders.

Here are some suggestions to reduce the potential for spyware infection in the future. I strongly recommend installing the following:

click here - Spyware Blaster - It will prevent most spyware from ever being installed.

click here - Spyware Guard - It offers realtime protection from spyware installation attempts.

click here - IE-Spyad places over 4000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.

I also recommend reading this article written by Tony Klein click here

  Nellie2 23:24 28 Dec 04

Sorry, I forgot about the MS links... try this for the link to the MS article on ctfmon: click here
