Kitz ADSL Broadband Information
Pages: 1 [2]

Author Topic: Trojan Nightmare.  (Read 14091 times)

Accordion

  • Reg Member
  • ***
  • Posts: 468
Re: Trojan Nightmare.
« Reply #15 on: September 12, 2007, 10:06:00 AM »

Well done Kitz.

I've cleaned a few machines myself, but the infections these days are far more difficult to remove.
It used to be a case of getting the fix tool from Symantec - not any more though.

mr_chris

  • Kitizen
  • ****
  • Posts: 3774
Re: Trojan Nightmare.
« Reply #16 on: September 12, 2007, 01:00:23 PM »

I went to a real pig of a virus once, that I eventually traced to being loaded along with the winlogon process .. yes, the one that starts pretty much as soon as your PC goes into the GUI and before you even get the chance to log on.

There's a list of DLLs that it notifies of logon/logoff activity, but it's very easy to simply slot another one in there in the registry. Prime target for virus writers :( I'm surprised there aren't more that exploit this.

While I'm here, without trying to take this thread off topic, but just for future reference, the winlogon registry stuff is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

The keys that are there on my WinXP SP2 machine with all updates applied are:
  • crypt32chain
  • cryptnet
  • cscdll
  • ScCertProp
  • Schedule
  • sclgntfy
  • SensLogn
  • termsrv
  • WgaLogon
  • wlballoon


If anything looks different to that, or there are extra ones, that might be your culprit.

I had to remove it using recovery console, and hoped that winlogon wouldn't have a hissy fit when it couldn't find one of its DLLs, which it didn't, fortunately. I was then able to remove the extra registry key and all was ok.

All that on a Celeron 600 ... it took a while  ???
Chris

fletch

  • Member
  • **
  • Posts: 21
Re: Trojan Nightmare.
« Reply #17 on: September 13, 2007, 06:46:53 PM »

Hi kitz, with handling that many viruses I hope you've had a flu jab  :no:

We are still missing you on CA

fletch

kitz

  • Administrator
  • Senior Kitizen
  • *
  • Posts: 33884
  • Trinity: Most guys do.
    • http://www.kitz.co.uk
Re: Trojan Nightmare.
« Reply #18 on: September 14, 2007, 12:46:09 AM »

>> With handling that many viruses I hope you've had a flu jab

heh - an injection of alcohol.

re CA  - I went back there yesterday and noticed something very interesting - I'll post it in another thread so as not to take this one OT.

Please do not PM me with queries for broadband help as I may not be able to respond.
-----
How to get your router line stats :: ADSL Exchange Checker

tickmike

  • Kitizen
  • ****
  • Posts: 3640
  • Yes Another Penguin !. :)
Re: Trojan Nightmare.
« Reply #19 on: September 17, 2007, 12:28:01 AM »

>> I went to a real pig of a virus once, that I eventually traced to being loaded along with the winlogon process .. yes, the one that starts pretty much as soon as your PC goes into the GUI and before you even get the chance to log on.
>>
>> There's a list of DLLs that it notifies of logon/logoff activity, but it's very easy to simply slot another one in there in the registry. Prime target for virus writers :( I'm surprised there aren't more that exploit this.
>>
>> While I'm here, without trying to take this thread off topic, but just for future reference, the winlogon registry stuff is:
>>
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
>>
>> The keys that are there on my WinXP SP2 machine with all updates applied are:
>>   • crypt32chain
>>   • cryptnet
>>   • cscdll
>>   • ScCertProp
>>   • Schedule
>>   • sclgntfy
>>   • SensLogn
>>   • termsrv
>>   • WgaLogon
>>   • wlballoon
>>
>> If anything looks different to that, or there are extra ones, that might be your culprit.
>>
>> I had to remove it using recovery console, and hoped that winlogon wouldn't have a hissy fit when it couldn't find one of its DLLs, which it didn't, fortunately. I was then able to remove the extra registry key and all was ok.
>>
>> All that on a Celeron 600 ... it took a while  ???

Out of curiosity I had a look in the registry using Start > Run > regedit.
I looked on three XP machines.
On the first one it had an extra entry 'wzcnotif'.
On the second it had 'WgaLogon' missing.
On the third (it was a newly installed machine with no updates or SP1 or SP2 installed) it also had 'WgaLogon' missing.
As far as I know I do not have any Trojans.
I have a set of 6 fixed IP's From  Eclipse  isp.BT ADSL2(G992.3) line>HG612 as a Modem, Bridge, WAN Not Bound to LAN1 or 2 + Also have FTTP (G.984) No One isp Fixed IP >Dual WAN pfSense (Hardware Firewall and routing).> Two WAN's, Ethernet LAN, DMZ LAN, Zyxel GS1100-24 Switch.

mr_chris

  • Kitizen
  • ****
  • Posts: 3774
Re: Trojan Nightmare.
« Reply #20 on: September 17, 2007, 12:39:50 AM »

wzcnotif is at a guess, I'd say Wireless Zero Configuration - I haven't got a wireless adapter in my PC, but I'll have a look on my laptop at some point.

On your second or third PC, you probably haven't ever installed Windows Genuine Advantage (which is what the Wga is about).

The machine in question had one that was very obviously not a proper DLL... the registry key was pointing towards something like C:\WINDOWS\xlkjslte.tmp - just a tad suspect eh?!!
Chris
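A defender-side check for the two points mr_chris raises above: Reply #16's baseline list of subkeys under Winlogon\Notify, and Reply #20's observation that the rogue entry's DllName pointed at a .tmp file rather than a real DLL. This is an added example, not code from the thread or from any of its posters. It assumes the XP-era layout in which each subkey under Winlogon\Notify carries a DllName string value, uses the baseline list from the thread as its reference set, and treats WgaLogon and wzcnotif as optional because tickmike's and mr_chris's replies explain why they vary between machines. The function name Get-WinlogonNotifyReport and the flag labels are my own.

```powershell
# Added example, not from the Kitz thread. Assumes the XP-era layout in which each
# subkey under Winlogon\Notify carries a REG_SZ value named DllName.
# Notification packages were dropped after XP/2003, so on later Windows the key may
# be absent or unused; the function just warns in that case.

$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# Reference set posted in the thread for WinXP SP2 with all updates applied.
$Baseline = @('crypt32chain', 'cryptnet', 'cscdll', 'ScCertProp', 'Schedule',
              'sclgntfy', 'SensLogn', 'termsrv', 'WgaLogon', 'wlballoon')

# Entries the thread explains as legitimately present or absent depending on the machine:
# WgaLogon needs Windows Genuine Advantage, wzcnotif needs Wireless Zero Configuration.
$Optional = @('WgaLogon', 'wzcnotif')

function Get-WinlogonNotifyReport {
    param([string]$Key = $NotifyKey)

    if (-not (Test-Path $Key)) {
        Write-Warning "Key not present: $Key (expected on XP/2003 only)"
        return
    }

    $system32 = Join-Path $env:SystemRoot 'System32'
    $present  = Get-ChildItem -Path $Key | ForEach-Object { $_.PSChildName }

    foreach ($name in $present) {
        $dll   = (Get-ItemProperty -Path (Join-Path $Key $name) -ErrorAction SilentlyContinue).DllName
        $flags = @()

        if (($Baseline -notcontains $name) -and ($Optional -notcontains $name)) {
            $flags += 'NOT-IN-BASELINE'      # an extra entry, as in the thread's culprit
        }
        if (-not $dll) {
            $flags += 'NO-DLLNAME'
        } else {
            # Built-in handlers are bare file names (loaded from System32) or full paths to a .dll;
            # a .tmp under C:\WINDOWS, as reported in the thread, fails both checks below.
            if ([IO.Path]::GetExtension($dll) -ne '.dll') { $flags += 'NOT-A-DLL-EXTENSION' }
            $resolved = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $system32 $dll }
            if (-not (Test-Path $resolved))            { $flags += 'FILE-MISSING' }
            elseif ($resolved -notlike "$system32\*")  { $flags += 'OUTSIDE-SYSTEM32' }
        }

        New-Object PSObject -Property @{
            Name    = $name
            DllName = $dll
            Flags   = ($flags -join ',')
        }
    }

    # Baseline entries that are absent are informational only: WgaLogon is optional.
    foreach ($name in $Baseline) {
        if ($present -notcontains $name) {
            $note = if ($Optional -contains $name) { 'ABSENT (optional)' } else { 'ABSENT' }
            New-Object PSObject -Property @{ Name = $name; DllName = $null; Flags = $note }
        }
    }
}

Get-WinlogonNotifyReport | Format-Table Name, DllName, Flags -AutoSize
```

Run it from an elevated PowerShell prompt on the machine being examined. An empty Flags column is the normal result; NOT-IN-BASELINE on its own is a prompt to look at the file, not proof of infection, since vendor software can register a legitimate handler here, but a DllName with a non-.dll extension, a missing file, or a file outside System32 is the pattern the thread describes and is worth pulling the file for inspection before touching the key.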

tickmike

  • Kitizen
  • ****
  • Posts: 3640
  • Yes Another Penguin !. :)
Re: Trojan Nightmare.
« Reply #21 on: September 17, 2007, 12:49:16 AM »

>> wzcnotif is at a guess, I'd say Wireless Zero Configuration - I haven't got a wireless adapter in my PC, but I'll have a look on my laptop at some point.

It could be a Bluetooth adapter I was playing with.

>> On your second or third PC, you probably haven't ever installed Windows Genuine Advantage (which is what the Wga is about).

Yes

>> The machine in question had one that was very obviously not a proper DLL... the registry key was pointing towards something like C:\WINDOWS\xlkjslte.tmp - just a tad suspect eh?!!

Very suspect.
I have a set of 6 fixed IP's From  Eclipse  isp.BT ADSL2(G992.3) line>HG612 as a Modem, Bridge, WAN Not Bound to LAN1 or 2 + Also have FTTP (G.984) No One isp Fixed IP >Dual WAN pfSense (Hardware Firewall and routing).> Two WAN's, Ethernet LAN, DMZ LAN, Zyxel GS1100-24 Switch.