Tech Support Forum - View Single Post - Having a problem, possibly malware in winlogon.exe

**Deckard** · 12-02-2006, 03:34 PM

Hello phrozenwind, welcome to TSF and thanks for your patience. You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools (above the first post), then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any.

Unhide Files
Go to My Computer > Tools > Folder Options > View tab and select "Show hidden files and folders". Uncheck the "Hide protected operating system files (Recommended)" option. Also make sure there is no checkmark beside "Hide file extensions for known file types". Click OK.

Reboot
Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key so try that if F8 doesn't work. Login on with your usual account. Make sure to close any open windows.

Uninstall
Click Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist):

Viewpoint Toolbar

Please let me know if any of these were unable to uninstall.

HijackThis Fixes
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist (make sure you do not miss any):

O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [AOL Services Hosts] aolserviceshosts.exe
O4 - HKLM\..\Run: [irfk] C:\WINDOWS\NITEAIM.EXE
O4 - HKLM\..\RunServices: [AOL Services Hosts] aolserviceshosts.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML

Please remember to close all other windows, including browsers then click Fix checked. Close HijackThis.

Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\Viewpoint
C:\WINDOWS\NITEAIM.EXE
aolserviceshosts.exe << find using Start>Search

Try booting into Normal mode again. If you can, we'll start scanning your system for other malware that may be lurking about.

Post a new HijackThis log for me (in Normal mode if you can) when you've done all these steps.

12-02-2006, 03:34 PM	#2 (permalink)
Deckard Mentor, Analyst - Security Team Join Date: May 2006 Location: Oregon Posts: 2,503 OS: MacOS X, Debian, OpenBSD, Windows	Hello phrozenwind, welcome to TSF and thanks for your patience. You may wish to Subscribe to this thread so that you are notified when you receive a reply. To do this click Thread Tools (above the first post), then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any. Unhide Files Go to My Computer > Tools > Folder Options > View tab and select "Show hidden files and folders". Uncheck the "Hide protected operating system files (Recommended)" option. Also make sure there is no checkmark beside "Hide file extensions for known file types". Click OK. Reboot Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key so try that if F8 doesn't work. Login on with your usual account. Make sure to close any open windows. Uninstall Click Start > Control Panel > Add / Remove Programs and uninstall the following programs (if they exist): Viewpoint Toolbar Please let me know if any of these were unable to uninstall. HijackThis Fixes Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist (make sure you do not miss any): O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll O4 - HKLM\..\Run: [AOL Services Hosts] aolserviceshosts.exe O4 - HKLM\..\Run: [irfk] C:\WINDOWS\NITEAIM.EXE O4 - HKLM\..\RunServices: [AOL Services Hosts] aolserviceshosts.exe O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML Please remember to close all other windows, including browsers then click Fix checked. Close HijackThis. Deletions Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. C:\Program Files\Viewpoint C:\WINDOWS\NITEAIM.EXE aolserviceshosts.exe << find using Start>Search Try booting into Normal mode again. If you can, we'll start scanning your system for other malware that may be lurking about. Post a new HijackThis log for me (in Normal mode if you can) when you've done all these steps. __________________ The chance to begin again in a golden land of opportunity and adventure. Need HijackThis help? Please read MicroBell's Five Step Process before posting. Please donate and help keep this site free to all. UNITE/ASAP: Proud member since 2006