Dr Watson


#46 don77 (Malware Expert, Retired Staff, 18,526 posts)
Download the WinloginRemove.zip file and save it to your hard drive (you may want to right click and use Save Target As). Extract WinloginRemove.exe from the ZIP and run it. There is no installer or uninstaller. Simply delete the WinloginRemove.exe file to uninstall.
  • 0

#47 Briansstocks (Member, Topic Starter, 49 posts)
I was only prompted with the message:

No occurrences of WINLOGIN.EXE were found
  • 0

#48 don77 (Malware Expert, Retired Staff, 18,526 posts)
Download StartDreck

Unzip to its own folder and start the program:
Press 'Config'
Press 'mark all'

Uncheck the following boxes only:
System/Running Process -> List Modules
System/Drivers -> NT Services
System/Drivers -> NT Kernel- and FS-drivers
Press 'OK'

Press 'Save' and select the location to save the log file (default is the same folder as the application)

Post the log in this thread.
  • 0

#49 Briansstocks (Member, Topic Starter, 49 posts)
StartDreck (build 2.1.7 public stable) - 2005-04-18 @ 22:20:13 (GMT -05:00)
Platform: Windows XP (Win NT 5.1.2600 Service Pack 2)
Internet Explorer: 6.0.2900.2180
Logged in as Owner at S0028376652

»Registry
»Run Keys
»Current User
»Run
*Skype="C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
»RunOnce
»Default User
»Run
»RunOnce
»Local Machine
»Run
*Symantec NetDriver Monitor=C:\PROGRA~1\SYMNET~1\SNDMon.exe
*Keyboard Preload Check=C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
*ccApp="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
+OptionalComponents
+MSFS
*Installed=1
+MAPI
*Installed=1
*NoChange=1
+MAPI
*Installed=1
*NoChange=1
»RunOnce
»RunServices
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»File Associations (CR)
+.bat
*batfile="%1" %*
+.com
*comfile="%1" %*
+.disabled
*SpybotSD.DisabledFile="C:\Program Files\Spybot - Search & Destroy\blindman.exe" "%1"
+.exe
*exefile="%1" %*
+.hta
*htafile=C:\WINNT\System32\mshta.exe "%1" %*
+.htm
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.html
*htmlfile="C:\Program Files\Internet Explorer\iexplore.exe" -nohome
+.js
*JSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.jse
*JSEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.pif
*piffile="%1" %*
+.reg
*regfile=regedit.exe "%1"
+.scr
*scrfile="%1" /S
+.txt
*txtfile=%SystemRoot%\system32\NOTEPAD.EXE %1
+.vbs
*VBSFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.vbe
*VBEFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsh
*WSHFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.wsf
*WSFFile=%SystemRoot%\System32\WScript.exe "%1" %*
+.lnk
`lnkfile= [key or value does not exist]
»Active Setup (LM)
+Internet Explorer/>{26923b43-4d38-484f-9b9e-de460746276c}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
+Browser Customizations/>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS
*StubPath=RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP
+Outlook Express/>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
*StubPath=%systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
+Themes Setup/{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
*StubPath=%SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
+Microsoft Outlook Express 6/{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
+NetMeeting 3.01/{44BBA842-CC51-11CF-AAFA-00AA00B6015B}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
+Internet Explorer/{4b218e3e-bc98-4770-93d3-2731b9329278}
*StubPath=%SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf
+Windows Messenger 4.7/{5945c046-1e7d-11d1-bc44-00c04fd912be}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msmsgs.inf,BLC.QuietInstall.PerUser
+Microsoft Windows Media Player/{6BF52A52-394A-11d3-B153-00C04F79FAA6}
*StubPath=rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub
+Address Book 5/{7790769C-0471-11d2-AF11-00C04FA35D02}
*StubPath="%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
+Windows Desktop Update/{89820200-ECBD-11cf-8B85-00AA005B4340}
*StubPath=regsvr32.exe /s /n /i:U shell32.dll
+Internet Explorer 6/{89820200-ECBD-11cf-8B85-00AA005B4383}
*StubPath=%SystemRoot%\System32\ie4uinit.exe
+CRLUpdate/{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}
*StubPath=%SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl
»Browser Helper Objects (LM)
»Internet Explorer
»Current User
*Local Page=C:\WINNT\system32\blank.htm
*Search Page=http://www.google.com
*Start Page=http://www.google.com
+SearchUrl
*provider=yaho
*=http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
»Default User
»Local Machine
*Default_Page_URL=http://www.google.com
*Default_Search_URL=http://www.google.com
*Local Page=%SystemRoot%\system32\blank.htm
*Search Bar=
*Search Page=http://www.google.com
*Start Page=http://www.google.com
*CustomizeSearch=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
*SearchAssistant=http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
»ShellServiceObjectDelayLoad (LM)
*PostBootReminder={7849596a-48ea-486e-8937-a2a3009f31a9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*CDBurn={fbeb8a05-beee-4442-804e-409d6c4515e9}
`InprocServer32=%SystemRoot%\system32\SHELL32.dll
*WebCheck={E6FB5E20-DE35-11CF-9C87-00AA005127ED}
`InprocServer32=%SystemRoot%\System32\webcheck.dll
*SysTray={35CEC8A3-2BE6-11D2-8773-92E220524153}
`InprocServer32=C:\WINNT\System32\stobject.dll
»Special NT Values
»Current User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Default User
*Load=
*Run=
*Programs=com exe bat pif cmd
*SHELL=
»Local Machine
*AppInit_DLLs=
*SHELL=Explorer.exe
*Userinit=C:\WINNT\system32\userinit.exe,
»Files
»Autostart Folders
»Current User
*C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\Owner\Start Menu\Programs\Startup\UCmore XP - The Search Accelerator.lnk
»Default User
*C:\WINNT\system32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
»Local Machine
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MyWebSearch Email Plugin.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
»INI-Files
»WIN.INI\[windows]
*LOAD=
*RUN=
»SYSTEM.INI\[boot]
*SHELL=Explorer.exe
»Text Files
*C:\boot.ini
`[boot loader]
`timeout=30
`default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
`[operating systems]
`multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
*C:\msdos.sys
*C:\WINNT\system32\config.nt
`dos=high, umb
`device=%SystemRoot%\system32\himem.sys
`files=40
*C:\WINNT\system32\autoexec.nt
`@echo off
`lh %SystemRoot%\system32\mscdexnt.exe
`lh %SystemRoot%\system32\redir
`lh %SystemRoot%\system32\dosx
`SET BLASTER=A220 I5 D1 P330 T3
*C:\WINNT\wininit.ini
`[Rename]
`NUL=n
*C:\WINNT\system32\drivers\etc\hosts
`127.0.0.1 localhost
»Program Files
*C:\ntldr
*C:\ntdetect.com
*C:\io.sys
*C:\WINNT\system32\win.com
*C:\WINNT\explorer.exe
»%PATH% Companion Files
+C:\WINNT\system32\ctdrvins.exe
*C:\WINNT\CtDrvIns.exe
+C:\WINNT\system32\hh.exe
*C:\WINNT\hh.exe
+C:\WINNT\system32\notepad.exe
*C:\WINNT\notepad.exe
+C:\WINNT\system32\slrundll.exe
*C:\WINNT\slrundll.exe
+C:\WINNT\system32\taskman.exe
*C:\WINNT\TASKMAN.EXE
+C:\WINNT\system32\winhlp32.exe
*C:\WINNT\winhlp32.exe
»System/Drivers
»VMM32Files (LM)
»%System%\VMM32
»%System%\IOSUBSYS
»Application specific
»MS Office 97/8.0 STARTUP-PATH
»Current User
»Default User
»Local Machine
»ICQ NetDetect
»Current User
»Default User
  • 0

#50 don77 (Malware Expert, Retired Staff, 18,526 posts)
Please open HJT > click on the Config button > Misc. Tools > Open Process manager > highlight
winlogin.exe
ipxn.exe
> click Kill process.
Next click the Scan button and put a check mark next to the following, close all open windows, then click "Fix Checked":

O4 - Global Startup: winlogin.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä #·ºÄÖ`I) - Unknown owner - C:\WINNT\ipxn.exe (file missing)


Don't reboot yet.

Click here to download Pocket Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it. Place the following lines (complete paths) in bold in the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those later:

C:\WINNT\System32\shmgrate.exe
C:\WINNT\ipxn.exe
C:\WINNT\system32\win.com

For the files that it either couldn't find or couldn't delete, in the killbox again this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer NO until after you've pasted the last file name, at which time you should answer Yes.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Post back a fresh HJT log and StartDreck log please.
  • 0
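As an added triage example (not code from this thread, from StartDreck or from HijackThis), the script below applies the checks don77 is doing by eye to the log in #49 and the HJT lines in #50: an executable dropped straight into the Startup folder instead of a shortcut, a file name one letter off a core Windows binary (winlogin vs winlogon), and an O23 service with a garbled display name, no owner and no file on disk. The list of core binary names, the 0.85 similarity threshold and the O23 line layout it parses are assumptions; the sample lines are constructed from the ones posted here.

```python
import re
from difflib import SequenceMatcher
# Core Windows process names malware commonly imitates (assumed list, not exhaustive).
CORE_BINARIES = ("winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "explorer.exe")
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
O23_RE = re.compile(r"^O23 - Service: (?P<disp>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?: \((?P<note>[^)]*)\))?$")
def lookalike(name):
    # Return the core binary that `name` nearly spells; None if it is exact or unrelated.
    name = name.lower()
    if name in CORE_BINARIES:
        return None
    return next((c for c in CORE_BINARIES if SequenceMatcher(None, name, c).ratio() >= 0.85), None)

def check_startup_entry(path):
    # Flags for one StartDreck autostart-folder path (the '*'-prefixed lines).
    name = path.rsplit("\\", 1)[-1]
    flags = []
    if name.lower().endswith((".exe", ".com", ".bat", ".pif", ".scr")):
        flags.append("executable dropped directly in Startup folder, not a .lnk")
    core = lookalike(name)
    if core:
        flags.append(f"name imitates {core}")
    return flags

def check_o23(line):
    # Flags for one HijackThis O23 (service) line.
    m = O23_RE.match(line)
    if not m:
        return []
    flags = []
    if any(not 32 <= ord(c) < 127 for c in m["disp"]):
        flags.append("display name has non-printable or non-ASCII characters")
    if m["owner"] == "Unknown owner" and m["note"] == "file missing":
        flags.append("unknown owner and service binary absent from disk")
    return flags

def scan(log):
    # Map each suspicious line of a StartDreck/HJT dump to its list of flags.
    findings = {}
    for line in (raw.strip() for raw in log.splitlines()):
        is_startup = line.startswith("*") and STARTUP_DIR.search(line)
        flags = check_startup_entry(line[1:]) if is_startup else check_o23(line)
        if flags:
            findings[line] = flags
    return findings
SAMPLE = r"""*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
*C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä #·ºÄÖ`I) - Unknown owner - C:\WINNT\ipxn.exe (file missing)
"""  # constructed sample modelled on the StartDreck and HJT lines posted in this thread
```

Running `scan(SAMPLE)` leaves the HP shortcut alone and reports only the winlogin.exe entry and the O23 service.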

#51 Briansstocks (Member, Topic Starter, 49 posts)
Winlogin.exe was there, the other one wasn't.
After trying to kill winlogin.exe I was prompted with this message.


The selected process could not be killed.It may have already been closed,or it may be protected by windows.

This process might be a service, which you can stop from the service applet in admin tools
( to load this window, click Start ,Run and enter services.msc)


After trying to follow the prompt, I didn't find any winlogin to try.
  • 0

#52 Briansstocks (Member, Topic Starter, 49 posts)
My bad, neither file you specified was there; what was there is Winlogon.
  • 0

#53 don77 (Malware Expert, Retired Staff, 18,526 posts)
Please download
Silent Runners
Please create a folder for it, then double click on the program. It will save a notebook file in the same folder. Open that, then copy and paste the log back to this thread please.
  • 0

#54 Briansstocks (Member, Topic Starter, 49 posts)
Well, so far none of the links you have provided will open on my infected machine.
So far I have been getting by with putting them on a floppy and transferring them to the infected machine.

I tried everything: typing the URL, going to the site itself, transferring to floppy; this time it just won't work.

The file that was saved on the floppy was Silent Runners.vbs
VBScript Script File
217 KB

The infected machine will not run it.
  • 0

#55 don77 (Malware Expert, Retired Staff, 18,526 posts)
Sorry, is Norton's not allowing it to run? I should have mentioned that it will prevent it from running, my bad.

If that's the case, allow it to run. You may have to disable Norton's for the moment, then be sure to enable it.
  • 0

#56 Briansstocks (Member, Topic Starter, 49 posts)
There's no icon for Norton; I can't get it to start to try to shut it down.

How do I disable it?
  • 0

#57 don77 (Malware Expert, Retired Staff, 18,526 posts)
Is it giving you a prompt to allow it to run?
  • 0

#58 Briansstocks (Member, Topic Starter, 49 posts)
No, it's not.
  • 0

#59 Briansstocks (Member, Topic Starter, 49 posts)
Don,

My original problem was not being able to get into my documents. You solved that, and I'll never be able to explain how important that was for me.
Unfortunately, somehow another problem developed, with me not even being able to get online by way of my normal ISP.

I know you have done everything you could and I can't thank you enough for trying, but I'm at a point of another crisis.

I need to fix my computer, the infected one, by Monday afternoon. With our rate of correspondence I'm not sure that can happen. I understand my complete lack of basic computer skills isn't helping. I can't change that.

I work on boats. Monday I go to a boat 200 miles from home and won't be able to do anything in my life or work on my computer till I come home 8 weeks from then. I understand I'm only 1 out of 80,000 or so people, but I have to make a decision now.

I need my computer working, whatever it takes. If this isn't going to happen, please give me other options. Of course I don't want to turn my hard drive over to anyone, but I don't see a lot of options at this point. I've been exploring this route for over a week now. I work 8 weeks at a time and have 4 weeks home.

I don't expect special treatment. I just have my own needs.

Please advise.

Brian
  • 0

#60 don77 (Malware Expert, Retired Staff, 18,526 posts)
Brian, sorry for it taking me a bit to get back to you.
Let's see if we can run through this again.
First, are you able to do a system restore?
If so, find a point prior to us starting. This will likely need us to clean the computer again, but let's give it a shot.

Post a fresh HJT log after you have done this.
I know how important your computer is to you, and 8 weeks away from home can be a long time, but if we have to wait we can continue when you get back (hopefully it won't need to come to that).
  • 0
