Hey all,
I visited a site a couple of weeks ago that ran a script on my machine. My antivirus (Norton) caught it and quarantined the virus (tannick.b). I thought all was good until I started my PC the next day and received an XP error stating "Winlogon.exe encountered a problem and must be shut down"; additionally, IE would crash after 1 to 2 minutes of use and my home page had been changed. I ran Spybot Search and Destroy, Win ASO Registry Optimizer, CWShredder, Browser Hijack Retaliator, and Pest Patrol. The registry has been cleaned and corrected, spy/adware removed, virus quarantined, and IE no longer crashes. However, each time my machine starts, the "Winlogon.exe encountered a problem and must be shut down" message is displayed. The machine appears to run fine but now restarts with the shut down option from the start menu. Once the machine has restarted, you can shut down from the logon menu. I ran HijackThis and generated a log; can someone look over this log and help me find the resolution to this problem? The log is listed below.
HELP!
Thanks,
Byron
Logfile of HijackThis v1.99.1
Scan saved at 7:18:02 PM, on 10/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\gegstcbq.exe
C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\iesniff.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\MICROS~3\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\DOCUME~1\Byron\LOCALS~1\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.distreetwear.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {512D86E8-A1C6-4041-A5BF-742FDABBD9C0} - C:\WINDOWS\system32\gkzuidzgua.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {CB01578B-DB60-4AC3-BB8C-DC654985F59c} - C:\WINDOWS\system32\gkzuidzgua.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [gegstcbq] C:\WINDOWS\system32\gegstcbq.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BHR] C:\Program Files\Zamaan's Software\Browser Hijack Retaliator 4.5\BHR.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ChkDisk] C:\WINDOWS\system32\iesniff.exe
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\RunOnce: [eISS_licreg] "C:\Program Files\CA\eTrust Internet Security Suite\licreg.exe" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [gegstcbq] C:\WINDOWS\system32\gegstcbq.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126145496186
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://www.vzwpix.com/activex/VerizonWirelessUploadControl.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
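A quick triage pass over a log in the format above, written here as an added example; it is not Byron's code, not part of HijackThis, and not anything posted in the thread. It parses the R0, O2, O4 and O20 lines plus the "Running processes" list and flags the entries a responder would look at first. The O20 check matters most for the symptom in this post: Winlogon Notify packages are DLLs that winlogon.exe loads into its own process at logon and logoff events, so a broken or hostile one takes winlogon down with it. The known-good name lists, the five-consonant-run heuristic for random-looking filenames and the label/filename check are the author's assumptions, not a vendor database, and the sample input is a subset of lines copied from the log above.

```python
"""Flag HijackThis log entries worth a closer look (added example, author's heuristics)."""
import re
from collections import Counter, namedtuple
from pathlib import PureWindowsPath

Finding = namedtuple("Finding", "section path reason running")

# Winlogon Notify packages run inside winlogon.exe itself. Stock XP SP2 names as
# the author recalls them, plus the two vendor packages seen in the log (Intel
# graphics, Norton). Assumption: anything else deserves a look.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui", "navlogon"}
# Known-good system32 autoruns whose names would otherwise trip the heuristics
# (Intel graphics helpers). Assumption, deliberately short.
KNOWN_RUN = {"igfxtray", "hkcmd"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\system")

R0_RE = re.compile(r"^R0 - .+?,Start Page = (?P<target>\S+)")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(?P<label>[^\]]+)\] (?P<rest>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# Sample input: lines copied from the log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\gegstcbq.exe
C:\WINDOWS\system32\iesniff.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.distreetwear.com
O2 - BHO: (no name) - {512D86E8-A1C6-4041-A5BF-742FDABBD9C0} - C:\WINDOWS\system32\gkzuidzgua.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {CB01578B-DB60-4AC3-BB8C-DC654985F59c} - C:\WINDOWS\system32\gkzuidzgua.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [gegstcbq] C:\WINDOWS\system32\gegstcbq.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ChkDisk] C:\WINDOWS\system32\iesniff.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: instcat - C:\WINDOWS\SYSTEM32\instcat.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
"""


def stem_of(path):
    return PureWindowsPath(path).stem.lower()


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def looks_random(stem):
    """Cheap pronounceability test: an all-letter name of 6+ characters
    containing a run of five or more consonants (y counts as a vowel)."""
    s = stem.lower()
    if len(s) < 6 or not s.isalpha():
        return False
    longest = max((len(r) for r in re.findall(r"[^aeiouy]+", s)), default=0)
    return longest >= 5


def label_matches(label, stem):
    """Run-key label and binary agree when one contains the other or they
    share a four-letter prefix: [vptray] vptray.exe, [ctfmon.exe] ctfmon.exe."""
    lab = re.sub(r"[^a-z0-9]", "", label.lower())
    return lab[:4] == stem[:4] or stem in lab or lab in stem


def triage(log_text):
    findings, running, bho_files, in_procs = [], set(), Counter(), False
    for line in (l.strip() for l in log_text.splitlines()):
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs and not re.match(r"^[RO]\d+ - ", line):
            running.add(stem_of(line))
            continue
        in_procs = False
        if m := R0_RE.match(line):
            findings.append(("R0", m["target"], "IE start page is set; confirm the user chose it"))
        elif m := O2_RE.match(line):
            bho_files[m["path"]] += 1
            if m["name"] == "(no name)":
                findings.append(("O2", m["path"], "BHO registered without a name"))
        elif m := O4_RE.match(line):
            path = re.sub(r"(\s+[-/]\S+)+$", "", m["rest"]).strip('"')  # drop args and quotes
            stem = stem_of(path)
            if in_system_dir(path) and stem not in KNOWN_RUN:
                if looks_random(stem):
                    findings.append(("O4", path, "system-dir autorun with random-looking name"))
                elif not label_matches(m["label"], stem):
                    findings.append(("O4", path, f"autorun label [{m['label']}] does not match binary"))
        elif (m := O20_RE.match(line)) and m["name"].lower() not in KNOWN_NOTIFY:
            findings.append(("O20", m["path"], "Winlogon Notify DLL outside the known list; loads inside winlogon.exe"))
    for path, n in bho_files.items():
        if n > 1:
            findings.append(("O2", path, f"same DLL registered under {n} BHO CLSIDs"))
    # Mark findings whose binary shows up in the running-process list.
    return [Finding(s, p, r, stem_of(p) in running) for s, p, r in findings]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{'RUNNING ' if f.running else '        '}{f.path}  <- {f.reason}")
```

Call triage() on a full log to get one Finding per suspicious entry. Treat a hit as a pointer, not a verdict: the two Intel entries in the sample show why a name heuristic needs an allowlist behind it, and the O20 hit is the one to chase first when the complaint is winlogon.exe crashing at startup.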
dimotorsports - 28 Oct 2006 01:22 GMT
I copied the winlogon.exe file from the i386 folder and renamed the one in sys32, then pasted the one from the i386 folder. After restarting, the same error occurred: "Winlogon.exe encountered a problem and needed to close". I viewed the error report and it stated:
Error signature
szAppName: winlogon.exe
szAppVer: 0.0.0.0
szModName: unknown
szModVer: 0.0.0.0
offset: 3bf22d96
The technical information stated:
The following files will be included in this error report:
C:\DOCUME~1\Byron\LOCALS~1\TempWER40b8.dir00\winlogo.exe.mdmp
C:\DOCUME~1\Byron\LOCALS~1\TempWER40b8.dir00\appcompat.txt
I don't know if this helps anyone, but I thought I'd pass it along.
Thanks,
Byron
>Hey all,
>
[quoted text clipped - 142 lines]
>O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\
>WINDOWS\system32\ZoneLabs\vsmon.exe
Frank Saunders, MS-MVP OE/WM - 28 Oct 2006 14:08 GMT
>I copied the winlogon.exe file from the 1386 folder and renamed the one in
> sys32, then pasted the one from the i386 folder. After restarting, the
[quoted text clipped - 41 lines]
>>Thanks,
>>Byron
Unless your computer is very different than any other I've seen, there is no
Winlogon.exe in the I386 folder. There IS a Winlogon.ex_
You cannot just copy it and rename it. You have to expand it. It is a
compressed version of the EXE and has to be uncompressed.
expand <path_to_it>\winlogon.ex_ c:\Windows\System32\Winlogon.exe
Note: I am assuming that you are using WinXP and chose to post in a Win98
newsgroup for some reason of your own.

Frank Saunders, MS-MVP OE/WM
http://www.fjsmjs.com
Answer in newsgroup. Don't send mail.
dimotorsports - 29 Oct 2006 16:31 GMT
posted in 98 by accident.
reposted in XP.
Thanks for the info though.
Ever seen this issue?
Byron
>>I copied the winlogon.exe file from the 1386 folder and renamed the one in
>> sys32, then pasted the one from the i386 folder. After restarting, the
[quoted text clipped - 12 lines]
>Note: I am assuming that you are using WinXP and chose to post in a Win98
>newsgroup for some reason of your own.
dimotorsports - 29 Oct 2006 16:36 GMT
Frank,
How do I expand this file?
expand C:\WINDOWS\ServicePackFiles\i386\winlogon.ex_ c:\Windows\System32\Winlogon.exe
>>I copied the winlogon.exe file from the 1386 folder and renamed the one in
>> sys32, then pasted the one from the i386 folder. After restarting, the
[quoted text clipped - 12 lines]
>Note: I am assuming that you are using WinXP and chose to post in a Win98
>newsgroup for some reason of your own.
Gary S. Terhune - 29 Oct 2006 18:16 GMT
See:
http://support.microsoft.com/kb/129605/en-us

Gary S. Terhune
MS-MVP Shell/User
http://grystmill.com/articles/cleanboot.htm
http://grystmill.com/articles/security.htm
> Frank,
> How do I expand this file?
[quoted text clipped - 20 lines]
>>Note: I am assuming that you are using WinXP and chose to post in a Win98
>>newsgroup for some reason of your own.