My browser keeps getting hijacked. I've done some looking w/ Ad-Aware and HijackThis, and I'm pretty sure the problem is a copy of winlogon.exe that has appeared in my Windows Startup folder. However, I cannot delete it because it is running, and because of its name, I can't kill it w/ Task Manager or w/ HijackThis.
Here's a copy of the HijackThis log:
Logfile of HijackThis v1.97.3
Scan saved at 12:36:21 PM, on 11/6/2003
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\oracle\ora81\bin\dbsnmp.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\Atiptaxx.exe
C:\WINNT\system32\Promon.exe
C:\oracle\ora81\bin\vppdc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\system32\PRPCUI.exe
C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
C:\oracle\ora81\Apache\Apache\Apache.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\oracle\ora81\BIN\TNSLSNR.exe
C:\Program Files\PestPatrol\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\554\bin_2k\Cmdnetw.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\Program Files\TechSmith\SnagIt\SnagIt32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\oracle\ora81\Apache\jdk\bin\java.exe
C:\oracle\ora81\Apache\Apache\Apache.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.exe
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\JC_THO~1\LOCALS~1\Temp\Rar$EX00.654\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts file is located at: C:\WINNT\System32\drivers\etc\hosts
O1 - Hosts: 66.250.107.100 msn.com
O1 - Hosts: 66.250.107.100 www.msn.com
O1 - Hosts: 66.250.107.100 search.msn.com
O1 - Hosts: 66.250.107.100 auto.search.msn.com
O1 - Hosts: 66.250.107.101 google.com
O1 - Hosts: 66.250.107.101 google.de
O1 - Hosts: 66.250.107.101 google.co.in
O1 - Hosts: 66.250.107.101 google.ca
O1 - Hosts: 66.250.107.101 google.fr
O1 - Hosts: 66.250.107.101 google.it
O1 - Hosts: 66.250.107.101 google.com.au
O1 - Hosts: 66.250.107.101 google.co.uk
O1 - Hosts: 66.250.107.101 google.be
O1 - Hosts: 66.250.107.101 google.com.ar
O1 - Hosts: 66.250.107.101 www.google.com
O2 - BHO: (no name) - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.1.5.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\Adaptec\DirectCD\directcd.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.exe TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\Program Files\PestPatrol\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\Adaptec\EASYCD~1\CreateCD\CreateCD.exe -r
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: SnagIt 5.lnk = C:\Program Files\TechSmith\SnagIt\SnagIt32.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: COMMANDnetwork.lnk = C:\554\bin_2k\Cmdnetw.exe
O4 - Global Startup: winlogon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O9 - Extra button: Run DAP (HKLM)
O16 - DPF: Microsoft Office Workgroup Web Control - http://design-srv-01/devweb/common/wkgrpweb.cab
O16 - DPF: {7608AFAE-F937-4BC9-82C5-8567C3A0EAAF} (OBXRetrieval Control) - http://cai-intranet.commandalkon.com/onbaseweb/Applets/OBXRetrieval.cab
O16 - DPF: {8285080A-3FAF-41B1-B7BD-933EE724B650} (OBXDocumentSelect Control) - http://cai-intranet.commandalkon.com/onbaseweb/Applets/OBXSelect.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37851.4517939815
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://cai-intranet.commandalkon.com/viewer/activeXViewer/activexviewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Can anyone help?

I think I worked it out on my own.
Used Hijack This to get rid of everything except the rogue winlogon.exe.
Then I moved that file to the desktop.
Rebooted.
Deleted the file.
I still would not mind if someone would go over the log in case there's more crap in there that I missed.

Delete the following:
winlogon.exe from your log
Now you have to delete it in your system registry. To go about doing that do the following:
-Shutdown computer
-Restart computer hit F8
-Start Windows in Safe Mode
When Windows starts up in Safe Mode, you need to delete winlogon.exe out of your system registry. To go about doing that do the following:
Start-Run-Type in regedit
Your system registry should come up. On the left side of your screen make sure My Computer is highlighted (also make sure you do not have anything else open on the left side; it should just have My Computer highlighted).
Then go to Edit-Click on Find-Type in winlogon.exe and delete that.
When you do that your computer should be okay.
Write to tell me if you did that or if you have any questions.
CompNewb

All of the references to winlogon.exe were to the real copy in \system32. I thought it best to leave those in place. :)
Thanks,

1. Hijacking of your browser.
Open the HijackThis log.
Tick all items starting with "O1 - Hosts".
Push the "Fix" button and restart your computer.

2. Winlogon.exe
Usually this is a legitimate file of Windows if it's stored as
"C:\Winnt\System32\Winlogon.exe",
but suspicious if located as "c:\winnt\winlogon.exe".
http://www.answersthatwork.com/Tasklist_pages/tasklist_w.htm
A legitimate Windows file will be recovered by the system
automatically even if you deleted it.

Good luck
heto2

Winlogon - WinLogon.exe (Microsoft) - Windows NT4/2000/XP/2003 Logon application. This process manages users' logons and logoffs on your PC/Server. The window which pops up and prompts you for your username and password, or which allows you to logoff or shutdown, is the WINLOGON process. Recommendation: An integral part of the operating system, leave alone.
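The two checks heto2 describes (fix the "O1 - Hosts" overrides, and trust winlogon.exe only when it lives under System32) can be applied to a HijackThis log automatically. The script below is an added example, not HijackThis code or anything from the thread; it assumes a Windows 2000 system root of C:\WINNT (overridable) and runs over a constructed log excerpt modelled on the one posted above.

```python
"""Triage a HijackThis log: flag hosts-file overrides and core Windows
process names running from outside the system directory (added example)."""
import ntpath
import re

# Core NT processes whose legitimate copy lives in %SystemRoot%\System32;
# a same-named file elsewhere (e.g. a Startup folder) is suspicious.
CORE_PROCESSES = {"winlogon.exe", "smss.exe", "csrss.exe",
                  "services.exe", "lsass.exe", "svchost.exe"}

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)", re.I)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")   # a 'Running processes' entry


def legit_system_dir(path, system_root=r"C:\WINNT"):
    """True if the file sits directly in <system_root>\\System32 (case-insensitive)."""
    expected = ntpath.join(system_root, "system32").lower()
    return ntpath.dirname(path).lower() == expected


def triage(log_text, system_root=r"C:\WINNT"):
    """Return (suspicious_process_paths, [(hostname, ip), ...]) from a HJT log."""
    procs, hosts = [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = HOSTS_RE.match(line)
        if m:                                  # 'O1 - Hosts: <ip> <hostname>'
            ip, host = m.groups()
            hosts.append((host.lower(), ip))
        elif DRIVE_PATH_RE.match(line):
            name = ntpath.basename(line).lower()
            if name in CORE_PROCESSES and not legit_system_dir(line, system_root):
                procs.append(line)
    return procs, hosts


def hosts_by_ip(hosts):
    """Group overridden hostnames by the IP they were pinned to."""
    grouped = {}
    for host, ip in hosts:
        grouped.setdefault(ip, []).append(host)
    return {ip: sorted(names) for ip, names in grouped.items()}


# Constructed excerpt in the style of the thread's log (not the full log).
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\svchost.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
O1 - Hosts: 66.250.107.100 www.msn.com
O1 - Hosts: 66.250.107.101 www.google.com
O4 - Global Startup: winlogon.exe
"""

if __name__ == "__main__":
    suspicious, overrides = triage(SAMPLE_LOG)
    print("Suspicious processes:", suspicious)
    print("Hosts overrides by IP:", hosts_by_ip(overrides))
```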
