winlogin is killin' me!

continued from barryco winlogin is chewing up my CPU thread


This is where I am and what I did

did F8 safe mode boot
logged in as admin
ran virtumundoegone or whatever it is (it's really getting late here and I
am about to buy a new laptop!!!!!)
says it found nothing
unzipped winfixerfix as per instructions

ran clean.bat
It did not go online to get files or run any scan
it flashed a black screen for 1/2 sec and beeped at me.

tried wget - same thing no beep

ran getfiles
this ran and downloaded mcafee cmd line scanner files from ftp something

rebooted in safe mode as per instructions
tried clean.bat again
another beep

no HTML file was created so far

ran dosscan and finally got a scan (takes over 1.5 hours!)
found backdoor - BDD trojan and deleted it

got a HTML report this time

rebooted in normal mode and everything seems to work so far

did everything again in normal mode

scan did not find anything

the clean.bat file and kix or whatever it calls did not scan and create the
HTML file as per instructions, might need to look at that

am I fixed? - stay tuned - thanks everyone for all the help
while scanning my Norton found MHTMLredir.exploit

rebooted in safe mode again
 
From: "mrgumby" <[email protected]>

| continued from barryco winlogin is chewing up my CPU thread
|
| This is where I am and what I did
|
| did F8 safe mode boot
| logged in as admin
| ran virtumundoegone or whatever it is (it's really getting late here and I
| am about to buy a new laptop!!!!!)
| says it found nothing
| unzipped winfixerfix as per instructions
|
| ran clean.bat
| It did not go online to get files or run any scan
| it flashed a black screen for 1/2 sec and beeped at me.
|
| tried wget - same thing no beep
|
| ran getfiles
| this ran and downloaded mcafee cmd line scanner files from ftp something
|
| rebooted in safe mode as per instructions
| tried clean.bat again
| another beep
|
| no HTML file was created so far
|
| ran dosscan and finally got a scan (takes over 1.5 hours!)
| found backdoor - BDD trojan and deleted it
|
| got a HTML report this time
|
| rebooted in normal mode and everything seems to work so far
|
| did everything again in normal mode
|
| scan did not find anything
|
| the clean.bat file and kix or whatever it calls did not scan and create the
| HTML file as per instructions, might need to look at that
|
| am I fixed? - stay tuned - thanks everyone for all the help
|
| while scanning my Norton found MHTMLredir.exploit
|
| rebooted in safe mode again
|

There was a bug in a recent update of WinFixerFix that caused it to quit prematurely and not
do all that was required.

An updated version has been posted. My apologies for the previous problem !

At least McAfee (ran manually without the specialized Winfixer/Vundo script) found a
"Backdoor. BDD" Trojan -- http://vil.nai.com/vil/content/v_126448.htm

Please download the updated version at the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe

Execute; WinFixerFix.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }
 
ran "old" winfixerfix and it found and deleted 8 copies of backdoor -bdd trojan

ran again in normal mode and it found nothing

enjoyed a few brief moments of "normal" operation

I have a weather channel program that gets on the internet by itself and
provides local weather on the menu bar. Once that ran the problem was back.

ran fixed winfixerfix program - now that works as per instructions

now it found 353 versions of backdoor -bdd !

looks like another step is needed - is there something that targets backdoor
-bdd?

Thanks again
 
mrgumby said:
ran "old" winfixerfix and it found and deleted 8 copies of backdoor -bdd trojan

ran again in normal mode and it found nothing

enjoyed a few brief moments of "normal" operation

I have a weather channel program that gets on the internet by itself and
provides local weather on the menu bar. Once that ran the problem was back.

ran fixed winfixerfix program - now that works as per instructions

now it found 353 versions of backdoor -bdd !

looks like another step is needed - is there something that targets backdoor
-bdd?

Thanks again

The answer is obvious - get rid of the crappy weather channel program.

Steve N.
 
From: "mrgumby" <[email protected]>

| ran "old" winfixerfix and it found and deleted 8 copies of backdoor -bdd trojan
|
| ran again in normal mode and it found nothing
|
| enjoyed a few brief moments of "normal" operation
|
| I have a weather channel program that gets on the internet by itself and
| provides local weather on the menu bar. Once that ran the problem was back.
|
| ran fixed winfixerfix program - now that works as per instructions
|
| now it found 353 versions of backdoor -bdd !
|
| looks like another step is needed - is there something that targets backdoor
| -bdd?
|
| Thanks again

I have updated the tool to also get certain aspects of the following Trojan.
"Backdoor. BDD" Trojan -- http://vil.nai.com/vil/content/v_126448.htm

I suggest that the "...weather channel program..." mentioned be removed immediately !

Please download the updated version at the URL --
http://www.ik-cs.com/programs/virtools/WinFixerFix.exe

Execute; WinFixerFix.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

* * * Please report back your results * * *
 
Already dumped the weather program.

The steps I have taken get me working for a short while and then the problem
returns. I will try some more stuff tonight

FYI I turned off System Restore as part of this virus-ridding exercise. At
what point would it be recommended to turn it back on?

Thanks again all for the help.
 
From: "mrgumby" <[email protected]>

| Already dumped the weather program.
|
| The steps I have taken get me working for a short while and then the problem
| returns. I will try some more stuff tonight
|
| FYI I turned off System Restore as part of this virus-ridding exercise. At
| what point would it be recommended to turn it back on?
|
| Thanks again all for the help.

It should only be re-enabled once the system has surely been deemed clean for a couple of
days at least.

Did you see my post indicating that I updated WinFixerFix specifically for the "Backdoor.
BDD" Trojan ?

I'd like you to download it again and run that scanner again.


* * * Please report back your results * * *
 
finally got a chance to get back on this.

ran the new winfixit with backdoor detector. Didn't say it found anything,
everything seemed to be fixed, got up in normal mode. Ran winfixit again,
found nothing. Ran Norton antivirus corporate edition, got through that
without finding anything, got on internet, everything seemed OK.

rebooted in normal mode again and the problem (or a new one) is back.
I can go into safe mode run winfixit again and it doesn't help anymore.

here's what it does
boots up in normal mode, Windows XP screen comes up, goes to logon screen,
select user, type in password and it says loading your personal settings,
no windows signon jingle, about 20 sec later, desktop background shows up,
and nothing else. hard disk access light is active, so something is going on
- any ideas?
 
From: "mrgumby" <[email protected]>

| finally got a chance to get back on this.
|
| ran the new winfixit with backdoor detector. Didn't say it found anything,
| everything seemed to be fixed, got up in normal mode. Ran winfixit again,
| found nothing. Ran Norton antivirus corporate edition, got through that
| without finding anything, got on internet, everything seemed OK.
|
| rebooted in normal mode again and the problem (or a new one) is back.
| I can go into safe mode run winfixit again and it doesn't help anymore.
|
| here's what it does
| boots up in normal mode, Windows XP screen comes up, goes to logon screen,
| select user, type in password and it says loading your personal settings,
| no windows signon jingle, about 20 sec later, desktop background shows up,
| and nothing else. hard disk access light is active, so something is going on
| - any ideas?
|

The McAfee HTML Log file had nothing to report ?
C:\mcafee\ScanReport.HTML

Go through all of the following.

For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon
http://www.definitivesolutions.com/bhodemon.htm

For viral malware...
{ The Mcafee module is redundant to the McAfee scanner in the WinFixerFix utility }

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
Hi Dave - thanks for staying with me on this

The last several scans with winfixit did not find backdoor. McAfee did not
report finding anything. It appears to be gone.

Started down the path with lavasoft. It has found 13 items. Am downloading
the rest now.

mrG

David H. Lipman said:
From: "mrgumby" <[email protected]>

| finally got a chance to get back on this.
|
| ran the new winfixit with backdoor detector. Didn't say it found anything,
| everything seemed to be fixed, got up in normal mode. Ran winfixit again,
| found nothing. Ran Norton antivirus corporate edition, got through that
| without finding anything, got on internet, everything seemed OK.
|
| rebooted in normal mode again and the problem (or a new one) is back.
| I can go into safe mode run winfixit again and it doesn't help anymore.
|
| here's what it does
| boots up in normal mode, Windows XP screen comes up, goes to logon screen,
| select user, type in password and it says loading your personal settings,
| no windows signon jingle, about 20 sec later, desktop background shows up,
| and nothing else. hard disk access light is active, so something is going on
| - any ideas?
|

The McAfee HTML Log file had nothing to report ?
C:\mcafee\ScanReport.HTML

Go through all of the following.

For non-viral malware...

Please download, install and update the following software...

* Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

* SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

I also suggest downloading, installing and updating BHODemon for any Browser Helper Objects
that may be on the PC.

* BHODemon
http://www.definitivesolutions.com/bhodemon.htm

For viral malware...
{ The Mcafee module is redundant to the McAfee scanner in the WinFixerFix utility }

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
 
ran adaware found 13 items
ran spybot found 91 items including something called window security center
antivirusoverride and a bunch of wwwcoolsearch items
ran bhodemon - he is down due to a house fire; it did not find anything

still won't get past loading personal settings.

will rescan with McAfee and try all again.

mrG


mrgumby said:
Hi Dave - thanks for staying with me on this

The last several scans with winfixit did not find backdoor. McAfee did not
report finding anything. It appears to be gone.

Started down the path with lavasoft. It has found 13 items. Am downloading
the rest now.

mrG

 
From: "mrgumby" <[email protected]>

|
| ran adaware found 13 items
| ran spybot found 91 items including something called window security center
| antivirusoverride and a bunch of wwwcoolsearch items
| ran bhodemon - he is down due to a house fire; it did not find anything
|
| still won't get past loading personal settings.
|
| will rescan with McAfee and try all again.
|
| mrG

I did state...

For viral malware...
{ The Mcafee module is redundant to the McAfee scanner in the WinFixerFix utility }

* Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

So I want you to run one of the modules OTHER than McAfee since the McAfee module in the
above is redundant to the WinFixerFix utility.
 
David the AV-CLS program does not work for me. It keeps going to a system
shutdown screen and saying the Sophos or Kaspersky (or whatever name) scanner
files cannot be found and to reboot in normal mode to get the files. I cannot
boot in normal mode, so I cannot get the files. The McAfee tool works because
I already have the scanner files. I disabled firewall and no change. I had to
use getfiles to get McAfee to work.

Thanks
 
From: "mrgumby" <[email protected]>

| David the AV-CLS program does not work for me. It keeps going to a system
| shutdown screen and saying the Sophos or Kaspersky (or whatever name) scanner
| files cannot be found and to reboot in normal mode to get the files. I cannot
| boot in normal mode, so I cannot get the files. The McAfee tool works because
| I already have the scanner files. I disabled firewall and no change. I had to
| use getfiles to get McAfee to work.
|
| Thanks

If you can not get into Normal Mode then a Repair Install may need to be performed.
 
To fix your problem you need to run hijackthis and post your log file to
this group; just click on the link. No
registration required. You have had this problem way too long, please follow
the instructions if you want your problem fixed.
 