
Winlogon.exe, rundll.exe & buffer overrun problem



#1
lost1979


    New Member

  • Member
  • Pip
  • 6 posts
Hi Everybody, I've got a bit of a problem with my computer at the moment and I haven't got a clue where to turn so I came here....I'll start at the beginning:

1) A few weeks ago I got broadband...installed everything a-ok, runs a treat. Then I started getting windows popping up and then there would be a warning, buffer overrun etc. I'd close all the pop-up windows and the buffer overrun warning and everything would be ok.

2) I went out today and accidentally left the ol' broadband connected. I came home to a lot of rundll.exe warning boxes on my screen. Everything else had minimised and I was left with nothing but my desktop picture and these warnings. I closed all the warnings and rebooted thinking that would fix the problem.

3) After I rebooted I went to login under my username (my computer has two...one for me and one for my wife) and it took ages to login and then a warning came up about the winlogin.exe file (I can't remember the exact wording, which sucks as I thought it wasn't important). I hit ok and the computer rebooted. Same thing happened when I tried to get in under my username again. When I login under my wife's username though it's ok to an extent...

Can anybody help? I'm desperate......I can only login under my wife's username, as when I login under my own it simply goes to the backdrop photograph that I have there...

Any help is appreciated :tazz:


Regards

D
  • 0



#2
gerryf


    Retired Staff

  • Retired Staff
  • 11,365 posts
Please go to the malware forum and follow the instructions at the top....Especially the CLICK HERE.

That will give you several steps that will help you clean up 70 percent of all problems by yourself. If at the end of the process you are still having difficulty--and you may not be-- then post a hijackthis log in THAT forum.

If you are still having problems after getting a clean bill of health from the malware expert, please return to this thread.
  • 0

#3
lost1979


    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
No worries, I will try that, thank you for your help
  • 0

#4
gerryf


    Retired Staff

  • Retired Staff
  • 11,365 posts
I can tell you that almost certainly you have a file called winlogon.exe in your startup folder, as I ran into this trojan the other day and it does almost exactly as you describe.

If you have it, though, you have a lot of other crap, too.

I cannot recall if this thing infects a user profile or all users....you have a STARTUP folder for each profile and one for ALL USERS....check for the existence of winlogon.exe in those folders and remove it ....BUT ONLY THOSE FOLDERS.

winlogon.exe is a legitimate windows file in c:\windows\system32 folder and removing that one will kill your PC
  • 0

#5
lost1979


    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thanks Gerryf,

I just did a search for winlogon.exe and found that I have 3 of them so far:

1) WINLOGON.EXE-32C57D49.pf in C:\WINDOWS\Prefetch

2) Winlogon.exe in C:\WINDOWS\SYSTEM32 (This is the one that is supposed to be there)

3) Winlogon.exe in C:\WINDOWS\ServicePackFile\i386

I'm just running through the other recommendations in the malware forum at the moment...

Thanks again

D
  • 0

#6
gerryf


    Retired Staff

  • Retired Staff
  • 11,365 posts
all of those are ok--do not remove them
  • 0

#7
lost1979


    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Just found another:

4) C:\WINDOWS\$NtServicePackUninstall$

that's the last one...
  • 0

#8
gerryf


    Retired Staff

  • Retired Staff
  • 11,365 posts
no, that's OK too...perhaps not the same infection I ran into the other day, but still follow the steps on malware removal and if you get a clean bill of health, report back
  • 0
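The check gerryf describes in post #4, applied to the locations reported in posts #5 and #7, as an added example that is not part of the original thread. The two Startup-folder paths, the user name `user1` and the file name under `$NtServicePackUninstall$` are constructed for illustration; `ntpath` is used so the script runs on any OS against a saved file listing.

```python
import ntpath  # Windows path rules on any OS, so a saved listing can be checked offline

SYSTEM_NAMES = {"winlogon.exe"}  # only this name comes from the thread; extend as needed
STARTUP_TAIL = ("start menu", "programs", "startup")

def classify(path, windir=r"C:\WINDOWS"):
    """Label a path: 'startup-copy', 'system-file', 'other-location' or 'not-a-match'."""
    norm = ntpath.normpath(path)
    if ntpath.basename(norm).lower() not in SYSTEM_NAMES:
        return "not-a-match"       # e.g. the Prefetch .pf file, which is not an executable
    parts = [p.lower() for p in ntpath.splitdrive(norm)[1].split("\\") if p]
    if tuple(parts[-4:-1]) == STARTUP_TAIL:
        return "startup-copy"      # sits directly in a per-user or All Users Startup folder
    system32 = ntpath.normcase(ntpath.join(windir, "system32"))
    if ntpath.normcase(ntpath.dirname(norm)) == system32:
        return "system-file"       # the legitimate binary; must not be removed
    return "other-location"        # service-pack copies and similar; left alone in the thread

def triage(paths):
    """Group paths by label so only Startup-folder copies are singled out."""
    groups = {}
    for p in paths:
        groups.setdefault(classify(p), []).append(p)
    return groups

# Sample listing: first three paths are from the thread, the rest are constructed.
SAMPLE = [
    r"C:\WINDOWS\Prefetch\WINLOGON.EXE-32C57D49.pf",
    r"C:\WINDOWS\SYSTEM32\Winlogon.exe",
    r"C:\WINDOWS\ServicePackFile\i386\Winlogon.exe",
    r"C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe",
    r"C:\Documents and Settings\user1\Start Menu\Programs\Startup\winlogon.exe",
    r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WINLOGON.EXE",
]

if __name__ == "__main__":
    for label, found in triage(SAMPLE).items():
        print(label)
        for p in found:
            print("   ", p)
```
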

#9
lost1979


    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Gerryf, just about to go to bed as it's almost 1am here in Oz.....will leave the scans running overnight and report back in the morning. So far everything is clean although Ewido has come up with a few hits....

Thanks for your help thus far

D
  • 0





