oldtighthead (United Kingdom of Great Britain and Northern Ireland)

asked on

Windows XP logon on screen messages

A friend of mine has had his XP hijacked by Zeus before, so now he monitors quite closely. He noticed the other day that a user "backup" had 6 programs running next to its icon at the logon screen. Upon logging on he couldn't see any applications running at all. I've run a full malware (Malwarebytes) and Norton scan on the machine with nothing amiss. There are at least 6 "update" type processes that will run from time to time, but again I couldn't see anything amiss using msconfig. SO the question is: when and how does the logon screen update its running programs information? Could it be that this information was old, i.e. from when the machine had started earlier in the day, and in fact the processes running were legitimate but had soon finished?
Delphineous Silverwing (United States of America)

If Windows Updates and Windows Backup are enabled to run automatically, it is possible these are legitimate processes. However, it isn't a bad idea to boot into safe mode and run ComboFix - http://www.bleepingcomputer.com/combofix/

Although Malwarebytes and Norton have scanned the machine, if they are loaded after the virus and malware are launched then the malicious software can hide easily.
My first question is: who is this user "backup"?
If he brings up Task Manager, what programs/processes are being run by this user "backup"?

Zeus is a very hard trojan to remove. I would suggest that this machine is now not trustworthy, and that you back up your user data and reload the operating system from scratch.
oldtighthead (Asker)
Safe mode scans are going off tonight. Question: is it safe to run ComboFix on a TrueCrypted hard drive? I've also posted the question on the TrueCrypt forum. Meanwhile, how does the logon screen info get updated?
@Delphineous and oldtighthead,

It is advised NOT to run any virus removal tools in Safe Mode for various reasons. The one which is MOST important here is mentioned below:

Windows File Protection is not on in Safe Mode in Windows 2000/XP/2003 Server so any patched system files e.g. explorer.exe, winlogon.exe, userinit.exe that are deleted by the scanner will not be replaced.

Since it is an encrypted disk, if the system becomes unable to boot it would be hard to recover the data from it.

I would request you to go through the article below for more information.
Malware Fighting – Best Practices
https://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_6650-Malware-Fighting-Best-Practices.html

Sudeep
I am suitably chastised regarding the safe mode scan; when and who suggested it escapes me at present. As penance I have read the best practice articles suggested.
The scans on the machine have all come up clean apart from some tracking cookies. So back to the old problem: why was the logon screen reporting 6 programs running?
There are many possible reasons why you could have these 6 programs running. Is this still occurring?

You could still have a trojan on your system. You know your machine has been compromised. Most security professionals would suggest a format and OS reload, since the machine can no longer be trusted.
ASKER CERTIFIED SOLUTION
Sudeep Sharma (India)
(Solution content only available to Experts Exchange members.)
What a useful tool autorun is; can't say I understand most of it, but very useful! I have attached the relevant .arn file in case you'd like to have a look at it.
As an aside, I was researching the flasksys entry and the experts on spywareremoval back on about running MBAM in safe mode... I believe you guys!
No .arn file. Rename it as *.arn.txt; we will know to rename it to .arn.
I'll try again; .zip is allowed.
autorunmd.zip
SOLUTION
(Solution content only available to Experts Exchange members.)
SOLUTION
(Solution content only available to Experts Exchange members.)
Thank you guys for looking at the autorun report; unfortunately I can't read the screenshot however I change the resolution!
Would it be fair to say that the machine looks OK from that point of view, and that, given MBAM and Norton have reported the system clean, we can mark this one down to experience?
You may click on the image and it would zoom to its full size.
Just click Start, then Run, type in msconfig and click the Startup tab. That's all the programs starting when the computer boots to the OS.