StuartOrd
asked on
Computer froze then fails to restart - winlogon / MSVCP71.dll problem
Hi experts,
My computer just froze and was CPU=100%, not even the mouse responding. I switched off and on, but it got past the Windows is loading screen and failed to get to the logon screen. I get a message "Winlogon.exe - unable to locate a component .... MSVCP71.dll not found"
This computer is running on XP home, SP2
I can boot up in safe mode, and I searched for this file. I've got at least 10 copies of it in various places, including on the root C:\
However it still won't start normally.
Any ideas please?
Panic - it's stopping me working on a deadline project!
Thanks
Stuart
ASKER
Hi,
Thanks! Here it is:
Logfile of HijackThis v1.99.1
Scan saved at 15:14:51, on 17/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis 1.99.1\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.co.uk/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~2\COPERN~1.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Start EasyFreeWebCam - {ECC5777A-6E88-BFCE-13CE-81F134789E8B} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &EasyFreeWebCam - {ECC5777A-6E88-BFCE-13CE-81F134789E8B} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {AE9DCB17-F804-11D2-A44A-0020182C1446} (IntraLaunch.MainControl) -
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: Interceptor.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
SOLUTION
ASKER
Sorry, I read your reply too quickly. I've pasted it and analysed it - having problems seeing the website address of the result, but I think this is it:
http://www.hijackthis.de/#anl
Stuart
Delete this O20 - AppInit_DLLs: Interceptor.dll in HijackThis, then delete Interceptor.dll from your system32.
>>delete this O20 - AppInit_DLLs: Interceptor.dll in hijack this then delete Interceptor.dll from your system32<<
I'll advise against it, do not delete it, it belongs to SpyCatcher.
Sorry, but nothing shows in your HJT log.
Would you mind running more diagnostic tools?
1. Please download Silent Runners.
http://www.silentrunners.org/Silent%20Runners.vbs
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and upload the logfile created, go here and paste your log, http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
2. Download and save blacklight to your desktop.
http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, accept the agreement, click scan > next.
You'll see a list of all the items it found. There will also be a log on your desktop with the name fsbl.xxxxxxx.log (where xxxxxxx represents numbers). The application finds both bad files and legitimate ones such as "wbemtest.exe", so don't choose the rename option yet! Copy and paste the log it generated in your next reply.
ASKER
OK, doing that
S
ASKER
Blacklight won't work in safe mode
What component can Windows login not find? I think that file has something to do with .NET Framework. What was the exact component it said?
Still no clue sorry, Silent runners log didn't show anything.
Yeah, I forgot about Blacklight and safe mode.
Can I look into your winlogon key?
regedit /e c:\bad.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
start c:\bad.txt
Copy and paste the above text into Notepad.
Save this text as Look.bat Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.
Double-click on the "Look.bat" after it flashes, copy and post the contents of the txt file.
Don't know if Rootkit Revealer will show something:
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to its own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Post the log here.
In order to minimize RKR log being polluted with legit data run RootkitRevealer on an idle system.
ASKER
OK, first part....
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
"Logon"="WLEventLogon"
"Logoff"="WLEventLogoff"
"Startup"="WLEventStartup"
"Shutdown"="WLEventShutdown"
"StartScreenSaver"="WLEventStartScreenSaver"
"StopScreenSaver"="WLEventStopScreenSaver"
"Lock"="WLEventLock"
"Unlock"="WLEventUnlock"
"StartShell"="WLEventStartShell"
"PostShell"="WLEventPostShell"
"Disconnect"="WLEventDisconnect"
"Reconnect"="WLEventReconnect"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000000
"SafeMode"=dword:00000001
"MaxWait"=dword:ffffffff
"DllName"=hex(2):57,00,67,00,61,00,4c,00,6f,00,67,00,6f,00,6e,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon\Settings]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
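As an added example (not code from this thread), a small Python script that reads a regedit /e export of the Winlogon\Notify key like the one above, decodes the hex(2) DllName values, and flags any notification package that is not in a baseline; the baseline is the set of packages in this export, assumed clean, and the sample input is constructed, with a made-up "exampl" package standing in for an unknown DLL.

```python
# Baseline: Notify packages and DLLs as they appear in the export posted above;
# the thread found nothing rogue in it, so it is assumed clean here.
BASELINE = {
    "crypt32chain": "crypt32.dll", "cryptnet": "cryptnet.dll", "cscdll": "cscdll.dll",
    "igfxcui": "igfxsrvc.dll", "ScCertProp": "wlnotify.dll", "Schedule": "wlnotify.dll",
    "sclgntfy": "sclgntfy.dll", "SensLogn": "wlnotify.dll", "termsrv": "wlnotify.dll",
    "WgaLogon": "WgaLogon.dll", "wlballoon": "wlnotify.dll",
}
NOTIFY_PREFIX = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" + "\\"

# Constructed sample in regedit /e shape: two entries copied from the posted
# export plus a made-up package "exampl" standing in for an unknown Notify DLL.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
"DLLName"="igfxsrvc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\exampl]
"DLLName"="C:\\WINDOWS\\system32\\exampl.dll"
'''

def _join_continuations(text):
    """Rejoin lines that regedit wrapped with a trailing backslash (long hex values)."""
    lines, buf = [], ""
    for line in text.splitlines():
        if line.endswith("\\"):
            buf += line[:-1].strip()
        else:
            lines.append(buf + line.strip())
            buf = ""
    return lines

def decode_hex2(hexlist):
    """hex(2) is REG_EXPAND_SZ stored as UTF-16LE bytes; drop the terminating NUL."""
    return bytes(int(b, 16) for b in hexlist.split(",") if b).decode("utf-16-le").rstrip("\x00")

def parse_notify(text):
    """Return {package: {value_name_lowercased: value}} for every direct Notify subkey."""
    packages, current = {}, None
    for line in _join_continuations(text):
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1][len(NOTIFY_PREFIX):] if line[1:-1].startswith(NOTIFY_PREFIX) else ""
            current = packages.setdefault(name, {}) if name and "\\" not in name else None  # skip nested keys
            continue
        if current is None or not line.startswith('"') or '"=' not in line:
            continue
        name, val = line[1:].split('"=', 1)
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace("\\\\", "\\")      # .reg doubles backslashes in strings
        elif val.startswith("hex(2):"):
            val = decode_hex2(val[len("hex(2):"):])
        elif val.startswith("dword:"):
            val = int(val[len("dword:"):], 16)
        current[name.lower()] = val
    return packages

def audit(packages, baseline=BASELINE):
    """Flag packages missing from the baseline or pointing at a different DLL."""
    expected = {k.lower(): v.lower() for k, v in baseline.items()}
    findings = []
    for name, values in packages.items():
        dll, want = values.get("dllname", ""), expected.get(name.lower())
        if want is None or dll.lower() != want:
            findings.append((name, dll, "not in baseline" if want is None else "DllName differs"))
    return findings
```

regedit /e writes the file as UTF-16 with a BOM, so read a real export with open(path, encoding="utf-16") before passing it to parse_notify. A bare DllName is resolved from system32, so a finding is a pointer to a file to examine, not a verdict on it.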
ASKER
Sorry, rootkitrevealer also won't work in safe mode
ASKER
I've got an image of this machine taken a few weeks ago and I've been able to copy all the work directories to external HDD so if push comes to shove I'll restore the image and then copy back the files. It's a bit of a pain but if we can't see a solution I'll have to do that. What do you think is the best course?
ASKER CERTIFIED SOLUTION
ASKER
OK thanks very much for trying.
I've got to throw in the towel and install an image. A similar problem happened a month or two ago, except it just logged itself off immediately after logging on. I now back up more frequently!!
Stuart
ASKER
Back again with old image. Thanks again for your help.
Please download HijackThis
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.
Notepad will also open; copy its contents and paste it to either of these sites:
http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here:
Or paste the log at --> http://www.hijackthis.de/
and click "Analyse", click "Save". Post the link to the saved list here.