1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

winlogin.exe popup at startup

Discussion in 'Windows XP' started by valley, Sep 18, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. valley

    valley Thread Starter

    Joined:
    Nov 16, 2002
    Messages:
    19,134
    "Windows cannot find winlogin.exe".......it pops up every time I boot up. I just click 'ok' and it goes away. I think it is a leftover bug from the blaster worm. Everything else is running smoothly but the box is a nuisance. And idea how to get rid of it?
     
  2. KeithKman

    KeithKman

    Joined:
    Dec 28, 2002
    Messages:
    1,983
  3. valley

    valley Thread Starter

    Joined:
    Nov 16, 2002
    Messages:
    19,134
    excellent! I will do that right now. Thanks Keith :)
     
  4. KeithKman

    KeithKman

    Joined:
    Dec 28, 2002
    Messages:
    1,983
    I edited my post ;)

    Take a look...
     
  5. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Hi Val

    The winlogin.exe is not the valid windows file which is winlogon.exe. Winlogin.exe is viral.

    See here:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RPCSDBOT.A&VSect=T

    It might be a good idea to post a Hijack this log. It sounds like the winlogin.exe file has already been deleted but the Run entry in the registry is still there and trying to load and of course the file cannot be found. HJT will easily idendtify that reg key and will remove it.

    http://www.tomcoyote.org/hjt/
     
  6. valley

    valley Thread Starter

    Joined:
    Nov 16, 2002
    Messages:
    19,134
    Hi Mark! Long time no see! :)

    I tried to solve this on my own once before but I got too nervous about how to fix it on my own so I just left it alone since it wasnt hurting anything. The HijackThis thing-a-ma-jigger sounds perfect! ;) I'm D/L'ing it now.

    And thanks Keith for those links. Some good information there too. :)
     
  7. valley

    valley Thread Starter

    Joined:
    Nov 16, 2002
    Messages:
    19,134
    lol....ok, I am still nervous about deleting these. Can someone assure me that they are not neccessary and thats its ok to go ahead and get rid of them?

    These are the two that HJT gave me:

    system.ini: Shell=explorer.exe winlogin.exe
    and
    REG:system.ini: Shell=explorer.exe winlogin.exe


    Do I get rid of them both?
     
  8. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Yes have HJT fix both of those and then restart.
     
  9. valley

    valley Thread Starter

    Joined:
    Nov 16, 2002
    Messages:
    19,134
    k...thanks....doing so right now. Will let you know.
     
  10. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Also it might be a good idea to post the HJT log here to see if there's anything else lurking in the shadows.
     
  11. valley

    valley Thread Starter

    Joined:
    Nov 16, 2002
    Messages:
    19,134
    cool...here ya go....this stuff looks like a bunch of junk.

    Logfile of HijackThis v1.97.2
    Scan saved at 1:16:51 PM, on 9/18/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\CallWave\IAM.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\USA Datanet Internet Portal\Netsurf.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\valley\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usadatanet.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.kazaa-lite.ws/results.php?show=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kazaa-lite.ws/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usadatanet.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/
    F0 - system.ini: Shell=explorer.exe winlogin.exe
    F2 - REG:system.ini: Shell=explorer.exe winlogin.exe
    O1 - Hosts: 64.200.25.145 gator.com #cooklop
    O1 - Hosts: 64.200.25.145 www.gator.com #cooklop
    O1 - Hosts: 64.200.25.145 doubleclick.net #cooklop
    O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
    O1 - Hosts: 64.200.25.145 tripod.com #cooklop
    O1 - Hosts: 64.200.25.145 www.tripod.com #cooklop
    O1 - Hosts: 64.200.25.145 adultfriendfinder.com #cooklop
    O1 - Hosts: 64.200.25.145 www.adultfriendfinder.com #cooklop
    O1 - Hosts: 64.200.25.145 cj.com #cooklop
    O1 - Hosts: 64.200.25.145 www.cj.com #cooklop
    O1 - Hosts: 64.200.25.145 paypopup.com #cooklop
     
  12. valley

    valley Thread Starter

    Joined:
    Nov 16, 2002
    Messages:
    19,134
    woops...all of that stuff at the beginning wasnt in the HJT window. The list really starts where the R1 is....course you prolly already know that, lol.
     
  13. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Val that's only about half the log. Please try again and be sure and get the whole thing as I see about a dozen baddies just in that part.
     
  14. valley

    valley Thread Starter

    Joined:
    Nov 16, 2002
    Messages:
    19,134
    ok...just a sec
     
  15. valley

    valley Thread Starter

    Joined:
    Nov 16, 2002
    Messages:
    19,134
    ok...try this:

    Logfile of HijackThis v1.97.2
    Scan saved at 1:24:50 PM, on 9/18/2003
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\CallWave\IAM.exe
    C:\PROGRA~1\INCRED~1\bin\IMApp.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\USA Datanet Internet Portal\Netsurf.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\valley\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usadatanet.net
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.kazaa-lite.ws/results.php?show=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kazaa-lite.ws/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usadatanet.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/
    O1 - Hosts: 64.200.25.145 gator.com #cooklop
    O1 - Hosts: 64.200.25.145 www.gator.com #cooklop
    O1 - Hosts: 64.200.25.145 doubleclick.net #cooklop
    O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
    O1 - Hosts: 64.200.25.145 tripod.com #cooklop
    O1 - Hosts: 64.200.25.145 www.tripod.com #cooklop
    O1 - Hosts: 64.200.25.145 adultfriendfinder.com #cooklop
    O1 - Hosts: 64.200.25.145 www.adultfriendfinder.com #cooklop
    O1 - Hosts: 64.200.25.145 cj.com #cooklop
    O1 - Hosts: 64.200.25.145 www.cj.com #cooklop
    O1 - Hosts: 64.200.25.145 paypopup.com #cooklop
    O1 - Hosts: 64.200.25.145 www.paypopup.com #cooklop
    O1 - Hosts: 64.200.25.145 thehun.net #cooklop
    O1 - Hosts: 64.200.25.145 www.thehun.net #cooklop
    O1 - Hosts: 64.200.25.145 worldsex.com #cooklop
    O1 - Hosts: 64.200.25.145 www.worldsex.com #cooklop
    O1 - Hosts: 64.200.25.145 free6.com #cooklop
    O1 - Hosts: 64.200.25.145 www.free6.com #cooklop
    O1 - Hosts: 64.200.25.145 trafficmp.com #cooklop
    O1 - Hosts: 64.200.25.145 www.trafficmp.com #cooklop
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4\NHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
    O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Startup: PowerReg Scheduler.exe
    O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
    O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{6EAED021-679F-4531-AB43-56A5E54DA833}: NameServer = 66.218.0.2 66.218.0.3

    That look any better?
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/165691

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice