Hello,
Today I was browsing around my system folder and my anti-virus software picked up a TrojanClicker.win32.small.j from winlogon.exe in the winnt/system/ folder. It couldn't remove it (dunno why, it just reported 'nothing performed'). I did a HouseCall internet virus scan and it found it with a name of forover.a or something. I googled it and found a few matches, but they all pointed to taskmon.exe, which could be killed manually in the process list.
However, I see the winlogon.exe on the process list and it's there all the time, even after logging in, and I can't kill it because Windows gives me an error of "Cannot kill vital process".
Any help would be appreciated.

Hi
Download HijackThis from here:
http://majorgeeks.com/download3155.html
Make a separate folder for it, e.g. c:\hijack\hijackthis.exe, double-click to start, click "scan"; the scan button changes to a "save log" button; save the log to the same folder. It will automatically open up in Notepad; copy/paste the results in a reply.
Please don't fix anything with it yet....most of what you see in the log is safe or essential! Thanks!
I never give up!

Hello, and thanks for the answer!
Here's the log file:
Logfile of HijackThis v1.97.7
Scan saved at 9:23:13, on 24.2.2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\TIETOT~1\backweb\227364\Program\SERVIC~1.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Tietoturvapalvelu\Anti-Virus\fsgk32st.exe
C:\Program Files\Tietoturvapalvelu\Anti-Virus\FSGK32.exe
C:\Program Files\Tietoturvapalvelu\backweb\227364\program\fsbwsys.exe
C:\Program Files\Tietoturvapalvelu\Anti-Virus\fssm32.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\explorer.exe
C:\Program Files\Tietoturvapalvelu\Common\FSMA32.exe
C:\Program Files\Tietoturvapalvelu\Common\FSMB32.exe
C:\Program Files\Tietoturvapalvelu\Common\FCH32.exe
C:\Program Files\Tietoturvapalvelu\Anti-Virus\fsav32.exe
C:\Program Files\Tietoturvapalvelu\Common\FAMEH32.exe
C:\Program Files\Tietoturvapalvelu\DFW\Program\fsdfwd.exe
C:\Program Files\Tietoturvapalvelu\Common\FSM32.exe
C:\Program Files\Tietoturvapalvelu\backweb\227364\Program\BackWeb-227364.exe
C:\mIRC\mirc.exe
C:\ohjelmat\Mozilla Firefox\firefox.exe
C:\Documents and Settings\kytomaki\Desktop\Proggies\spyware tiedot\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fi/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchAssistant = ,
R1 - HKCU\Software\Microsoft\Internet Explorer,CustomizeSearch = ,
F0 - system.ini: Shell=C:\WINNT\explorer.exe
F2 - REG:system.ini: Shell=C:\WINNT\explorer.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {371C6960-302C-45D0-9504-50B820247439} - C:\ohjelmat\WinGet\WinIE.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Tietoturvapalvelu\Common\FSM32.exe" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Tietoturvapalvelu\TNB\TNBUtil.exe" /CHECKALL
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.exe TWEAKUI.CPL,TweakMeUp
O4 - HKCU\..\Run: [System Update] C:\WINNT\System\winlogon.exe
O4 - HKCU\..\Run: [WindowBlinds] C:\ohjelmat\WindowBlinds\wbload.exe auto
O8 - Extra context menu item: Download All by FlashGet - C:\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with &WinGet - res://C:\ohjelmat\WinGet\WinIE.dll/300
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?1&04.00.05.04&http://www.ghostopsmod.com/images/viewpoint/9weapon.html
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/076c13f558e6e0bb2605/netzip/RdxIE601.cab
O16 - DPF: {59131903-4A33-40D5-80C2-5242DD365AB3} (MS3DViewerOCX Control) - http://www.swissquake.ch/chumbalum-soft/files/MS3DViewerOCX.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37875.318125
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I noticed that the regular winlogon is in the system32 folder, am I correct?! This trojan file is in the system folder and it's hidden by default, but I have "show hidden files" enabled. So would it be safe to delete the file directly from there?

Sorry for the double post, but I found a registry entry for the trojan file:
O4 - HKCU\..\Run: [System Update] C:\WINNT\System\winlogon.exe
Any help on this? Thanks!

ville
You picked the right one...
Winlogon.exe should be loading from the system32 folder...
Norton cannot delete it because "it's in use"
You will need to boot to safe mode to fix this, to prevent the bad winlogon.exe from running:
Shut down computer
Wait 30 seconds
Restart it in safe mode (tap f8 key on boot)
Choose safe mode from menu [enter]
Start HijackThis and check the following to fix:
O4 - HKCU\..\Run: [System Update] C:\WINNT\System\winlogon.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/076c13f558e6e0bb2605/netzip/RdxIE601.cab
Close any open windows except hijack and click "fix checked"
While still in safe mode delete the winlogon.exe file from the system folder.
LEAVE the one in system32.
Reboot and rescan with your antivirus.
Repost new log when done.
Has your internet connection been unreliable or working fine?
I never give up!
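The check the reply above makes by eye (winlogon.exe belongs in system32, so the same name under C:\WINNT\System is a masquerade, and the O10 lines name a Winsock LSP module the scanner does not recognise) can be mechanised over a HijackThis log. This is an added Python example, not code from the thread or from HijackThis; the list of core system binaries is an assumption, and the sample lines are copied from the log posted above.

```python
import re
from pathlib import PureWindowsPath

# Names Windows 2000 loads only from %SystemRoot%\system32 (constructed list).
CORE_SYSTEM_BINARIES = {"winlogon.exe", "smss.exe", "services.exe", "lsass.exe", "svchost.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run(?:Once|Services)?: "
                   r"\[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
O10_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$")
# First .exe token of a command line, quoted or not; trailing arguments are ignored.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?(?:\s|$)', re.IGNORECASE)

def autorun_path(cmd):
    """Return (directory, basename), lower-cased, of the executable in an O4 command."""
    m = EXE_RE.match(cmd.strip())
    if not m:
        return None
    p = PureWindowsPath(m.group("path"))
    return str(p.parent).lower(), p.name.lower()

def suspicious_entries(lines, system_root=r"C:\WINNT"):
    """Return (line, reason) pairs for HijackThis lines that deserve a closer look."""
    system32 = str(PureWindowsPath(system_root, "system32")).lower()
    findings, lsp_seen = [], set()
    for line in lines:
        line = line.strip()
        m = O4_RE.match(line)
        if m:  # autorun: a core binary name outside system32 is a masquerade candidate
            loc = autorun_path(m.group("cmd"))
            if loc and loc[1] in CORE_SYSTEM_BINARIES and loc[0] != system32:
                findings.append((line, f"{loc[1]} loaded from '{loc[0]}' instead of '{system32}'"))
            continue
        m = O10_RE.match(line)
        if m and m.group("path").lower() not in lsp_seen:  # report each LSP module once
            lsp_seen.add(m.group("path").lower())
            findings.append((line, "unknown Winsock LSP module; identify its publisher before fixing"))
    return findings

# Sample input copied from the log posted in this thread; no live scan is performed.
SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon",
    r'O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Tietoturvapalvelu\Common\FSM32.exe" /splash',
    r"O4 - HKCU\..\Run: [System Update] C:\WINNT\System\winlogon.exe",
    r"O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll",
    r"O10 - Unknown file in Winsock LSP: c:\winnt\system32\ua_lsp.dll",
]

if __name__ == "__main__":
    for entry, why in suspicious_entries(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```

On the sample it reports exactly the two items the reply singles out: the [System Update] winlogon.exe under C:\WINNT\System and the ua_lsp.dll LSP entry (once, although the log repeats it).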
