At startup faced with message winlogon.exe not found


  • This topic is locked
13 replies to this topic

#1 Winnick

Winnick

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:16 AM

Posted 31 January 2009 - 10:09 AM

Hi Guys,

this issue has been bugging me for a while, that whenever I start up my system it tells me that this file cannot be found.

Full error message: "windows cannot find 'c:\windows\winlogon.exe' make sure you typed the name correct, then try again" etc.

I've tried Spybot and Ad-Aware scans but found nothing, so I thought I'd give you guys a shout to see if you can spot something in this DDS log.

Thanks for any help you can provide me with.

DDS (Ver_09-01-19.01) - NTFSx86
Run by CaZ at 16:03:47,34 on 31-01-2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.3.1252.45.1033.18.2046.1442 [GMT 1:00]

AV: avast! antivirus 4.8.1296 [VPS 090130-0] *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\ASUS\AASP\1.00.12\aaCenter.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\CaZ\Local Settings\Temporary Internet Files\Content.IE5\MG26U7WQ\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uWinlogon: Shell=Explorer.exe c:\windows\winlogon.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {bc044271-af64-4701-93eb-084133297c5e} - c:\windows\system32\efcCtrpn.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [AsusServiceProvider] c:\program files\asus\aasp\1.00.12\aaCenter.exe
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\asuswi~1.lnk - c:\program files\asus wifi-ap solo\RtWLan.exe
uPolicies-explorer: NoSMHelp = 01000000
uPolicies-explorer: NoActiveDesktop = 01000000
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1210198169600
DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} - hxxp://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1210198151801
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} - hxxps://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: Antiwpa - antiwpa.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: ssqNFyVO - ssqNFyVO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
LSA: Authentication Packages = msv1_0 c:\windows\system32\efcCtrpn

================= FIREFOX ===================

FF - ProfilePath -

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-1-31 64160]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-5-10 111184]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2007-7-20 84992]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2008-5-10 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2008-5-10 352920]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2008-5-7 332928]
R3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2008-5-7 13532]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-5-10 20560]
R4 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2008-5-10 155160]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 950096]

============== File Associations ===============

regfile=regedit.exe "%1" %*
scrfile="%1" %*

=============== Created Last 30 ================

2009-01-31 13:08 <DIR> --d----- c:\program files\Trend Micro
2009-01-31 13:04 15,688 a------- c:\windows\system32\lsdelete.exe
2009-01-31 12:46 64,160 a------- c:\windows\system32\drivers\Lbd.sys
2009-01-31 12:45 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-01-31 12:45 <DIR> --d----- c:\program files\Lavasoft
2009-01-14 17:49 <DIR> --d----- c:\documents and settings\caz\WINDOWS
2009-01-06 20:10 <DIR> --d----- c:\windows\system32\appmgmt

==================== Find3M ====================

2009-01-06 19:43 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-05-10 09:24 16,384 a--sh--- c:\windows\system32\config\systemprofile\cookies\index.dat
2008-05-10 09:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\index.dat
2008-05-07 22:54 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050720080508\index.dat
2008-05-10 09:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051020080511\index.dat
2008-05-10 09:24 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 16:04:15,37 ===============


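As an added example (not from this thread, from DDS or from its author), the following Python script applies the checks a malware-response helper makes on the "Pseudo HJT Report" above: the Winlogon Shell value, Winlogon Notify packages, LSA authentication packages and BHOs registered without a name. The sample lines are copied from the log in the first post; the Notify allowlist is an assumption of this example.

```python
import re
from typing import Dict, List

# Sample input constructed from the DDS "Pseudo HJT Report" posted above,
# cut down to the entry types the checks below look at.
SAMPLE_REPORT = r"""
uStart Page = about:blank
uWinlogon: Shell=Explorer.exe c:\windows\winlogon.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {bc044271-af64-4701-93eb-084133297c5e} - c:\windows\system32\efcCtrpn.dll
Notify: Antiwpa - antiwpa.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: ssqNFyVO - ssqNFyVO.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\efcCtrpn
"""

# Assumed allowlist (this example's, not DDS's): Winlogon Notify packages of a
# stock Windows XP install plus the ATI one from this log. Every other Notify
# DLL is reported for review, because winlogon.exe loads them at every logon.
NOTIFY_ALLOWLIST = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon", "atiextevent"}

SHELL_RE = re.compile(r"^[um]Winlogon:\s*Shell=(.*)$", re.I)
NOTIFY_RE = re.compile(r"^Notify:\s*(\S+)\s*-\s*(\S+)$", re.I)
LSA_RE = re.compile(r"^LSA:\s*Authentication Packages\s*=\s*(.*)$", re.I)
BHO_UNNAMED_RE = re.compile(r"^BHO:\s*(\{[0-9a-f-]+\})\s*-\s*(.+)$", re.I)


def scan_hjt_report(text: str) -> List[Dict[str, str]]:
    # One finding (kind, value) per suspicious persistence entry in the report.
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SHELL_RE.match(line)
        if m:
            # Stock XP has exactly "Explorer.exe" here; this log also names
            # c:\windows\winlogon.exe, the path in the startup error message.
            if m.group(1).strip().lower() != "explorer.exe":
                findings.append({"kind": "winlogon_shell", "value": m.group(1).strip()})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            if m.group(1).lower() not in NOTIFY_ALLOWLIST:
                findings.append({"kind": "winlogon_notify", "value": m.group(1)})
            continue
        m = LSA_RE.match(line)
        if m:
            # msv1_0 is the only authentication package on a stock install; any
            # extra one is a DLL that lsass.exe loads and hands credentials to.
            for pkg in m.group(1).split():
                if pkg.lower() != "msv1_0":
                    findings.append({"kind": "lsa_auth_package", "value": pkg})
            continue
        m = BHO_UNNAMED_RE.match(line)
        if m:  # a BHO with a CLSID but no registered name
            findings.append({"kind": "bho_unnamed", "value": m.group(2)})
    return findings
```

Run against the sample it reports the extra Shell entry, both unknown Notify DLLs, the extra LSA package and the unnamed BHO, which is the same set of lines the helper in this thread acted on.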

#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:16 AM

Posted 08 February 2009 - 03:17 PM

Hello, Winnick
Welcome to BleepingComputer.com

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
  • In the meantime, please refrain from making any changes to your computer.
  • Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Finally, please reply using the reply button in the lower left hand corner of your screen.
We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to its author.

How to run ComboFix:
  • Please download ComboFix from one of the following mirrors, and save it to your desktop.
  • Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
  • Double click ComboFix.exe on your desktop.
  • Read and accept (Press Yes) to the disclaimer.
  • For Windows XP Systems: Install the Recovery Console:
    • If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
    • When prompted to accept the EULA, press OK.
    • Accept Microsoft's EULA (Press Yes).
    • When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
  • ComboFix will run. Simply wait for it to finish.
  • When it finishes, ComboFix will produce a log. Please post that log in your next reply here.
NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:
  • ComboFix.txt

BillyIII
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#3 Winnick

Winnick
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:16 AM

Posted 10 February 2009 - 12:48 PM

Hi Billy,

thanks for taking the time.

However, after running ComboFix I'm now unable to log in to my computer, as it's suddenly requiring activation, and when I try, it tells me that's already been done. I have no access from safe mode or a standard startup.
So a reinstall seems to be the order of the day...

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:16 AM

Posted 10 February 2009 - 06:32 PM

Did you install the recovery console? If so, then we can still attempt recovery of the system....

Also, if you have a clean machine with which you can burn an ISO file, we can recover that way as well.

Unless you truly wish to format?

Billy3

#5 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:16 AM

Posted 10 February 2009 - 06:46 PM

I ran down the cause of the problem:
Notify: Antiwpa - antiwpa.dll <-- Windows Activation Bypasser

CF disables the bypass.

You'll need to get a legitimate copy of windows for this. On the other hand, we may be able to restore the file, but you still need to get a legitimate copy.


Billy3

#6 Winnick

Winnick
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:16 AM

Posted 11 February 2009 - 09:22 AM

Quote:
"CF disables the bypass."

I figured that was the case - the solution is just temporary as I've moved to Hungary.

I did install the recovery console - if you can guide me, that would be appreciated.

/Winnick

Edited by Winnick, 11 February 2009 - 02:01 PM.


#7 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:16 AM

Posted 11 February 2009 - 05:36 PM

Please reboot into the recovery console by selecting it from the list of boot options.

Then select your current operating system partition, and enter the administrative password (if you have one).

Next, enter the following commands:

set allowallpaths=true
COPY C:\qoobox\quarantine\c\windows\system32\antiwpa.dll C:\windows\System32\antiwpa.dll
cd erdnt
cd hiv-backup
batch erdnt.con
exit

This will restore the antiwpa file as well as restore a backup copy of the windows registry.

Hope that helps,
Billy3

#8 Winnick

Winnick
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:16 AM

Posted 12 February 2009 - 04:21 AM

If I remember correctly, the SET command is not available in the Recovery Console by default. But I will check when I get home from work and give you an update.

thanks

/Winnick

#9 Winnick

Winnick
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:16 AM

Posted 13 February 2009 - 02:02 AM

The SET command worked fine, but it cannot find the file with the copy command.
I went and checked the path, and the folder C:\qoobox\quarantine\c\ is empty - there is no windows folder inside it to copy from.

#10 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:16 AM

Posted 13 February 2009 - 05:43 PM

Go ahead and proceed with the cd and batch erdnt.con instructions. :thumbup2:

Appears it left the file alone then, but we need to revert the registry to its state before CF ran.

Billy3

#11 Winnick

Winnick
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:16 AM

Posted 14 February 2009 - 07:43 AM

Alright, mission accomplished :thumbup2:

I've included the only combofix.txt I could find.


#12 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:16 AM

Posted 14 February 2009 - 05:44 PM

Hello, Winnick
At this point I would format and reinstall the machine. The messages you're getting are caused by the crack you have installed -- it is a hack which disables functions of Winlogon.

At least now, though, you can back up your data.

I'll attempt to clean this machine but I make no guarantees on machines which are illegitimate. When the system files themselves are modified such recoveries are iffy.

What would you like to do?

BillyIII

#13 Winnick

Winnick
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:16 AM

Posted 15 February 2009 - 08:24 AM

Billy,

I appreciate your help already - if it's too much hassle, I'll just leave it as it is. It will be about another month until my stuff arrives so I can do a proper reinstallation, and I can live with this inconvenience until then.

So it's your call - if you want to give it a shot, I'm at your disposal - if not I can understand that :-)

/Winnick

#14 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,304 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:01:16 AM

Posted 16 February 2009 - 05:29 PM

Hello, Winnick
Alright... at this point we'll just assume you're formatting/reinstalling. Fixing a cracked copy of Windows like this is almost impossible... and would require you to purchase a copy of Windows to fix it.

Since this issue appears resolved, this topic has been closed.

If you need this topic reopened, please send me or another moderator a PM.

Everyone else please begin a new topic.

BillyIII