oldtighthead

Windows XP logon on screen messages

A friend of mine has had his XP hijacked by Zeus before, so now he monitors quite closely. He noticed the other day that a user "backup" had 6 programs running next to its icon at the logon screen. Upon logging on he couldn't see any applications running at all. I've run a full malware (Malwarebytes) and Norton scan on the machine with nothing amiss. There are at least 6 "update" type processes that will run from time to time, but again I couldn't see anything amiss using msconfig. So the question is: when and how does the logon screen update its running-programs information? Could it be that this information was old, i.e. from when the machine had started earlier in the day, and in fact the processes running were legitimate but had soon finished?
Windows XP

Last Comment
joinaunion

8/22/2022 - Mon
Delphineous Silverwing

If Windows Updates and Windows Backup are enabled to run automatically, it is possible these are legitimate processes. However, it isn't a bad idea to boot into safe mode and run ComboFix - http://www.bleepingcomputer.com/combofix/

Although malwarebytes and Norton have scanned the machine, if they are loaded after virus and malware are launched then the malicious software can hide easily.
David Johnson, CD

My first question is: who is this user "backup"?
If he brings up Task Manager, what programs / processes are being run by this user "backup"?

Zeus is a very hard trojan to remove. I would suggest that this machine is now not trustworthy, and to back up your user data and reload the operating system from scratch.
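One way to answer the "which processes does this account own, and where do they run from" question without clicking through Task Manager, as an added example that is not part of the thread and not code from any of the posters: a PowerShell script that enumerates running processes through WMI, resolves each process owner, and reports the image path and Authenticode signature status. It assumes a Windows host with PowerShell 2.0 or later and an account name to focus on; "backup" is taken from the question and is only a placeholder here. Unsigned or oddly located binaries running under an account nobody created are the items worth reviewing first.

```powershell
# Added example: list running processes by owning account with image path and
# signature status. Assumes PowerShell 2.0+ on Windows; $Account is a placeholder.
param(
    [string]$Account = 'backup'   # assumed account name from the question
)

$procs = Get-WmiObject -Class Win32_Process
$rows = foreach ($p in $procs) {
    $owner = $p.GetOwner()          # returns Domain, User, ReturnValue
    $user = if ($owner.ReturnValue -eq 0) {
        "$($owner.Domain)\$($owner.User)"
    } else {
        '<unknown>'                 # access denied or process already gone
    }
    $path = $p.ExecutablePath
    $sig = if ($path -and (Test-Path -LiteralPath $path)) {
        (Get-AuthenticodeSignature -FilePath $path).Status
    } else {
        'NoPath'                    # kernel/system processes expose no path
    }
    New-Object PSObject -Property @{
        PID       = $p.ProcessId
        Name      = $p.Name
        Owner     = $user
        Path      = $path
        Signature = $sig
    }
}

# 1. Everything running under the account of interest.
$rows | Where-Object { $_.Owner -like "*\$Account" } |
    Sort-Object Name |
    Format-Table PID, Name, Signature, Path -AutoSize

# 2. Process count per owner, which is the number the logon screen summarises.
$rows | Group-Object Owner |
    Select-Object Name, Count |
    Sort-Object Count -Descending
```

Run it from an administrative prompt so GetOwner() succeeds for processes of other users; the second listing is the quickest way to see whether an account you do not recognise still owns anything once you are logged on.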
oldtighthead

ASKER
Safe mode scans are going off tonight. Question: is it safe to run ComboFix on a TrueCrypted hard drive? I've also posted the question on the TrueCrypt forum. Meanwhile, how does the logon screen info get updated?
Sudeep Sharma

@Delphineous and oldtighthead,

It is advised NOT to run any virus removal tools in Safe Mode, for various reasons. The one which is MOST IMPORTANT here is mentioned below:

Windows File Protection is not on in Safe Mode in Windows 2000/XP/2003 Server so any patched system files e.g. explorer.exe, winlogon.exe, userinit.exe that are deleted by the scanner will not be replaced.

Since it is an encrypted disk, if the system becomes unable to boot it would be hard to recover the data from it.

I would request you to go through the article below for more information.
Malware Fighting – Best Practices
https://www.experts-exchange.com/Software/Internet_Email/Anti_Spyware/A_6650-Malware-Fighting-Best-Practices.html

Sudeep
oldtighthead

ASKER
I am suitably chastised regarding the safe mode scan; when and who suggested it escapes me at present. As penance I have read the best practice articles suggested.
The scans on the machine have all come up clean apart from some tracking cookies. So, back to the old problem: why was the logon screen reporting 6 programs running?
David Johnson, CD

There are many possible reasons why you could have these 6 programs running. Is this still occurring?

You could still have a trojan on your system. You know your machine has been compromised. Most security professionals would suggest a format and o/s reload since the machine can no longer be trusted.
ASKER CERTIFIED SOLUTION
Sudeep Sharma
oldtighthead

ASKER
What a useful tool Autoruns is; can't say I understand most of it, but very useful! I have attached the relevant .arn file in case you'd like to have a look at it.
As an aside, I was researching the flasksys entry and the experts on spywareremoval back on about running MBAM in safe mode... I believe you guys!
David Johnson, CD

No .arn file. Rename it as *.arn.txt; we will know to rename it to .arn.
oldtighthead

ASKER
I'll try again, .zip is allowed:
autorunmd.zip
oldtighthead

ASKER
Thank you guys for looking at the Autoruns report; unfortunately I can't read the screenshot however I change the resolution!
Would it be fair to say that the machine looks OK from that point of view, and that given MBAM and Norton have reported the system clean, we can mark this one down to experience?
Sudeep Sharma

You may click on the image and it would zoom to its full size.
joinaunion

Just click Start, then Run, type in msconfig and click the Startup tab. That's all the programs starting when the computer boots to the OS.