winlogin.exe popup at startup

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

valley

Thread Starter
Joined
Nov 16, 2002
Messages
19,134
"Windows cannot find winlogin.exe".......it pops up every time I boot up. I just click 'ok' and it goes away. I think it is a leftover bug from the blaster worm. Everything else is running smoothly but the box is a nuisance. And idea how to get rid of it?
 

valley

Thread Starter
Joined
Nov 16, 2002
Messages
19,134
Originally posted by KeithKman:
If I am not mistaking, winlogin.exe is the box that ops up after Win XP loads so you can sign in. Maybe try searching google.com to find the file.
excellent! I will do that right now. Thanks Keith :)
 
Joined
Jul 26, 2002
Messages
46,331
Hi Val

The winlogin.exe is not the valid windows file which is winlogon.exe. Winlogin.exe is viral.

See here:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RPCSDBOT.A&VSect=T

It might be a good idea to post a Hijack this log. It sounds like the winlogin.exe file has already been deleted but the Run entry in the registry is still there and trying to load and of course the file cannot be found. HJT will easily idendtify that reg key and will remove it.

http://www.tomcoyote.org/hjt/
 

valley

Thread Starter
Joined
Nov 16, 2002
Messages
19,134
Originally posted by flrman1:
It might be a good idea to post a Hijack this log. It sounds like the winlogin.exe file has already been deleted but the Run entry in the registry is still there and trying to load and of course the file cannot be found. HJT will easily idendtify that reg key and will remove it.

http://www.tomcoyote.org/hjt/
Hi Mark! Long time no see! :)

I tried to solve this on my own once before but I got too nervous about how to fix it on my own so I just left it alone since it wasnt hurting anything. The HijackThis thing-a-ma-jigger sounds perfect! ;) I'm D/L'ing it now.

And thanks Keith for those links. Some good information there too. :)
 

valley

Thread Starter
Joined
Nov 16, 2002
Messages
19,134
lol....ok, I am still nervous about deleting these. Can someone assure me that they are not neccessary and thats its ok to go ahead and get rid of them?

These are the two that HJT gave me:

system.ini: Shell=explorer.exe winlogin.exe
and
REG:system.ini: Shell=explorer.exe winlogin.exe


Do I get rid of them both?
 

valley

Thread Starter
Joined
Nov 16, 2002
Messages
19,134
k...thanks....doing so right now. Will let you know.
 
Joined
Jul 26, 2002
Messages
46,331
Also it might be a good idea to post the HJT log here to see if there's anything else lurking in the shadows.
 

valley

Thread Starter
Joined
Nov 16, 2002
Messages
19,134
Originally posted by flrman1:
Also it might be a good idea to post the HJT log here to see if there's anything else lurking in the shadows.
cool...here ya go....this stuff looks like a bunch of junk.

Logfile of HijackThis v1.97.2
Scan saved at 1:16:51 PM, on 9/18/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CallWave\IAM.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\USA Datanet Internet Portal\Netsurf.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\valley\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usadatanet.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.kazaa-lite.ws/results.php?show=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kazaa-lite.ws/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usadatanet.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/
F0 - system.ini: Shell=explorer.exe winlogin.exe
F2 - REG:system.ini: Shell=explorer.exe winlogin.exe
O1 - Hosts: 64.200.25.145 gator.com #cooklop
O1 - Hosts: 64.200.25.145 www.gator.com #cooklop
O1 - Hosts: 64.200.25.145 doubleclick.net #cooklop
O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
O1 - Hosts: 64.200.25.145 tripod.com #cooklop
O1 - Hosts: 64.200.25.145 www.tripod.com #cooklop
O1 - Hosts: 64.200.25.145 adultfriendfinder.com #cooklop
O1 - Hosts: 64.200.25.145 www.adultfriendfinder.com #cooklop
O1 - Hosts: 64.200.25.145 cj.com #cooklop
O1 - Hosts: 64.200.25.145 www.cj.com #cooklop
O1 - Hosts: 64.200.25.145 paypopup.com #cooklop
 

valley

Thread Starter
Joined
Nov 16, 2002
Messages
19,134
woops...all of that stuff at the beginning wasnt in the HJT window. The list really starts where the R1 is....course you prolly already know that, lol.
 
Joined
Jul 26, 2002
Messages
46,331
Val that's only about half the log. Please try again and be sure and get the whole thing as I see about a dozen baddies just in that part.
 

valley

Thread Starter
Joined
Nov 16, 2002
Messages
19,134
ok...try this:

Logfile of HijackThis v1.97.2
Scan saved at 1:24:50 PM, on 9/18/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CallWave\IAM.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\USA Datanet Internet Portal\Netsurf.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\valley\Local Settings\Temp\Temporary Directory 2 for hijackthis[1].zip\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usadatanet.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.kazaa-lite.ws/results.php?show=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.kazaa-lite.ws/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.usadatanet.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.kazaa-lite.ws/
O1 - Hosts: 64.200.25.145 gator.com #cooklop
O1 - Hosts: 64.200.25.145 www.gator.com #cooklop
O1 - Hosts: 64.200.25.145 doubleclick.net #cooklop
O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
O1 - Hosts: 64.200.25.145 tripod.com #cooklop
O1 - Hosts: 64.200.25.145 www.tripod.com #cooklop
O1 - Hosts: 64.200.25.145 adultfriendfinder.com #cooklop
O1 - Hosts: 64.200.25.145 www.adultfriendfinder.com #cooklop
O1 - Hosts: 64.200.25.145 cj.com #cooklop
O1 - Hosts: 64.200.25.145 www.cj.com #cooklop
O1 - Hosts: 64.200.25.145 paypopup.com #cooklop
O1 - Hosts: 64.200.25.145 www.paypopup.com #cooklop
O1 - Hosts: 64.200.25.145 thehun.net #cooklop
O1 - Hosts: 64.200.25.145 www.thehun.net #cooklop
O1 - Hosts: 64.200.25.145 worldsex.com #cooklop
O1 - Hosts: 64.200.25.145 www.worldsex.com #cooklop
O1 - Hosts: 64.200.25.145 free6.com #cooklop
O1 - Hosts: 64.200.25.145 www.free6.com #cooklop
O1 - Hosts: 64.200.25.145 trafficmp.com #cooklop
O1 - Hosts: 64.200.25.145 www.trafficmp.com #cooklop
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4\NHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [OneTouch Monitor] C:\Program Files\Visioneer OneTouch\OneTouchMon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6EAED021-679F-4531-AB43-56A5E54DA833}: NameServer = 66.218.0.2 66.218.0.3

That look any better?
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Staff online

Top