TechSpot

020 - winlogon notify

By BenJen
Nov 19, 2005
  1. Hi
    I am new to this enviroment and I just want to post my issues with dealing with a virus.

    I am running a loptop with xp and managed to pickup a virus. this virus would consistently load about four different sites and although I managed to block them with the host file from opening the virus would continue to open the sites every time i logged on. So I tried all the usual things like adware, spybot, cwshredder, troganhunter and heaps of others but to no efffect.
    I noticed that adware vx2 tool would come up with "a possible new vx2 varient" and then show a path as c:\windows\system32\filename.dll.
    However I also ran hijackthis and recognised the file name at "020" and on using windows explorer would see the named file. Not able to delete the file as in use.
    Regedit would only show one entry at hkey_users\software\microsoft\...\currentversion\winlogon\notify.. that would be c:\windows\system32\filename as found in Hijackthis.dll
    Everytime I rebooted the name of the file changed, varied from 3 to 15 characters long.
    If hijackthis deleted the file then on normal shutedown a msg would flash on the screen that i could not read. A normal reboot would see another file loaded at "020" in the hijackthis log. I could not get updates for spybot as each time an error msg would be "error check digit" . By chance I also tried to install filemon from www.sysinternals.com but I received the error msg "debug programs" not set. When I went to local security policy\local policy\user rights assignment\.... I found many policies that had security settings of *S-1-5-21-2-2428780762-10161301495-1006 . Not sure just what it meant but when I changed the security setting on "Debug programs" the setting was deleted.

    Answer
    After much discussion with everyone I know a friend suggested the following.

    disconnect from the internet then
    1 run hijackthis and identify the file -write down the name
    2 have a boot disk at hand then pull the plug on the pc. -important do not shut down in the normal fashon.
    3 boot from the disk to the command prompt - important do not load winlogon.
    4 using good old dos commands find the file and delete. This will require the changing of attrib from -r-s.
    5 reboot in normal fashon. run HijackThis and I got the msg that the the file at 020 was missing. use hijackthis to Fix.
    6 using explorer locate all files in the system32 directory that have attributes set to -r-s. check the files if in doubt otherwise copy to a floppy then delete.
    7 one file will not delete
    8 copy its name and crash the pc again.
    9 boot from the disk
    10 locate the file and delete, changing attrib as required
    11 reboot in normal fashon run hijackthis should not be any reference to location 020.
    12 check regedit for hkey_users\software\microsoft\...currentversion\winlogon\notify..
    should be a number of files loaded.
    13 correct all security settings to remove unwanted authorities.
    14 reboot and run hijackthis again. check for any odd files or any instance of 020 .
    15 if any dll's loaded at 020 and you don't know them then write the file name down and crash the pc,
    16 repeat steps 10 to 15 until hijackthis is clean.
    17 look at windows\system32 for all files that have -r-s attributes. check and delete.
    18 bingo works for me and the virus - what ever its name is gone.

    I also used windows to uninstall just about every program i had on the pc to make the identification of the virus files easer. Reading Hijackthis loc was much easer.

    cheers and good luck.
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.