Winlogon.exe

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dr_psikick, Nov 22, 2006.

  1. dr_psikick

    dr_psikick Private E-2

    I don't think I want to reinfect the PC... I prefer to try a reboot... risky, I know, but reinfection doesn't bring any guarantees...
    Will you take a look at my autoexec.bat file?
    the runACAD.bat works like a charm! Thanks
     
  2. dr_psikick

    dr_psikick Private E-2

    If you could add the shortcut to the internet connection, it would be great.
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is it and how is it called? All I had was a call to Internet Explorer.

    Did you look at the Autoexec.bat file ?
     
  4. dr_psikick

    dr_psikick Private E-2

    It's called Shortcut to CampusBaana.
    Yes, thanks! And now I think I can make those .bat files if I need anything else...
    I still don't know if I'll reboot now or later. Maybe later, and I'll try to borrow a Windows CD, just in case...
     
  5. dr_psikick

    dr_psikick Private E-2

    Shortcut to CampusBaana is located on the desktop.
     
  6. dr_psikick

    dr_psikick Private E-2

    Later I let you know how the reboot went.
    If I don't say anything, it really went bad... see you, and one more time, many thanks!
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! I would need to know the actual real file name. What you gave was just the name of the Shortcut on your Desktop. You need to know the filename and parameters used to call it.

    Normally you can right click the shortcut and select Properties and then look at the Target info. This gives you the command that it calls.

    I have to call it a night! My eyes are dying! :eek:
     
  8. dr_psikick

    dr_psikick Private E-2

    In Properties there is only a bunch of numbers and letters...
     
  9. dr_psikick

    dr_psikick Private E-2

    In the network connections (Control Panel) it is called CampusBaana.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try this Autoexec.bat and see if it works.
     

  11. dr_psikick

    dr_psikick Private E-2

    It only opened the first line AUTOCAD
     
  12. dr_psikick

    dr_psikick Private E-2

    Correction: when I closed AutoCAD it opened iexplore, and so on...
     
  13. dr_psikick

    dr_psikick Private E-2

    Chaslang, if you are still there, don't sweat it, go and rest. I'll do the same (12pm). It was really a long night, see you tomorrow.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure how to have a bat file make multiple calls to run different processes. It is waiting for the first program/process called to be terminated before starting the second one. I was thinking of making multiple batch files and calling the additional .bat files from autoexec.bat but the same problems will occur.

    Yes, we will have to think about this more tomorrow. Perhaps if you are brave, you can find out what happens after a reboot. ;) Good Night to you! Good morning to me! :eek:
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try extracting all the files from the newly attached Autoexec.zip. There are 5 files: Autoexec.bat, which starts the 4 other batch files.

    StartAcad.bat - to start AutoCAD
    StartConn.bat - to start your connection
    StartExp.bat - to start a Windows Explorer session
    StartIE.bat - to start Internet Explorer


    Have you been courageous enough to try rebooting!
     

  16. dr_psikick

    dr_psikick Private E-2

    OK, thanks, it works great.
    In a couple of hours I'll get back to you to continue the cleaning; now I really have to work a little.
    Thanks
     
  17. dr_psikick

    dr_psikick Private E-2

    Hei Chaslang! are you there?

    To answer your question, no I didn't reboot... But today I must or else this laptop is going to meltdown...

    So any ideas?
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm back now! Had some major issues around the house that had to be worked on. Still not done, but I cannot continue on them until tomorrow.

    As far as ideas.....there are only three:

    1. Reboot and let's see what happens. Do you have internet access from another PC?
    2. Don't logoff or reboot but switch to another user account (if there is another) and see how it works.
    3. Reinstall the infection back to what it was (as close as we can) to see if that brings back the ability to run programs. I don't like this choice since it defeats the whole idea of removing the malware and we would be right back where we started. In addition, it may not even change any of the current problems and could just compound them due to the problems the infection was causing.
     
  19. dr_psikick

    dr_psikick Private E-2

    Sorry just saw your post.
    So if I understood, today you can't continue to help me, right? That's OK, you have been most helpful already!

    About the ideas:

    1- The university lent me a Windows CD (student version), so rebooting now is a possibility.

    2- Only one user... but I'm thinking about switching to Aston shell (logoff) and seeing what happens. What do you think about this?

    3- Infection, no thanks...

    So what would you do, nº1 or nº2?

    In case of a major problem and a forced reinstall of Windows, can you indicate to me what software (security related) I should install before connecting to the internet, to prevent immediate infections...
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! I will be around now to help! I have a lot of other threads backed up too, so I will be busier than last night when I was spending a lot of time with you and writing that FixAutex removal tool. Thus my answers will have more lag time in between.

    I would do 1. I don't think installing or running another shell at this time would be a good idea. You need to be sure you are clean before trying to introduce new software. It could just make things worse.

    Things we recommend are all in the below:

    How to Protect yourself from malware!


    The most important items to have in place before connecting to the internet are:

    1) antivirus

    2) software firewall

    3) antispyware with realtime blocking

    4) additional layered protection from SpywareBlaster & Spybot ( with SDHelper and Immunization )
     
  21. dr_psikick

    dr_psikick Private E-2

    OK.
    I'll now back up some files (My Documents folder) just in case, download Firefox... and then I'll restart this poor and overheated computer...

    Then I let you know how it went.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good! Don't forget to back up your Favorites folder for each browser you use. And obviously all your data files for AutoCAD....etc.
     
  23. dr_psikick

    dr_psikick Private E-2

    Thanks, I always forget to do that, and the Outlook mail file.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Maybe we will be lucky and a reboot may just fix things! :)
     
  25. dr_psikick

    dr_psikick Private E-2

    Hei!

    Just rebooted, and no change; still the same, can't run anything unless I create a .bat file first...
    Also noted that Windows (or Explorer.exe) tries to create one of the files that we detected as being part of the infection - 1.com in the Windows dir. So the infection may still be here... But due to the first problem (nothing runs) it may not be active...

    any ideas?

    As soon as my girlfriend finishes this work and the next, I'll format this computer...
    Can you take a look at the My Documents folder just to be certain that I don't back up any part of the infection?
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attach new logs from GetRunKey, ShowNew, and HijackThis (if possible) and after getting these 3 attach a new log from FixAutex.bat
     
  27. dr_psikick

    dr_psikick Private E-2

    first 3 logs
     

  28. dr_psikick

    dr_psikick Private E-2

    FixAutex log
     

  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    None of the bad files came back. We just still have one entry left in the registry that we apparently did not fix last night, and there is one item trying to load with Windows Explorer from System.ini. Attach a copy of your c:\windows\system.ini file here. You will need to put it into a ZIP file. Just for the heck of it, also put a copy of C:\windows\win.ini into the ZIP file.

    Also do the below!

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try downloading exefix_xp.com utility and save to Desktop. Double-click the file to run it. This utility fixes the exefile association in the registry automatically. Then reboot and see if there is any change.

    If still having problems, try running the procedure in the below links too (reboot after trying each one):
    1. You receive an error message when you try to start a program that has an .exe file name extension
    2. You Are Unable to Start a Program with an .exe File Extension
    3. You Cannot Start Programs (.exe Files) When Your Computer Is Infected with the SirCam Virus
     
  31. dr_psikick

    dr_psikick Private E-2

    Hei!
    Sorry, but last night while I was waiting for your post I just crashed on my couch and only woke up now...
    I'll do what you said in the posts.
     
  32. dr_psikick

    dr_psikick Private E-2

    Done this and uploaded the requested files
     

  33. dr_psikick

    dr_psikick Private E-2

    Done this and it seems fixed; now I'll reboot and then I'll get back here.
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Great! How does it look now after reboot?

    We need to fix another item in your HJT log. The F2 line with the reference to the infection where explorer.exe 1 exists.
     
  35. dr_psikick

    dr_psikick Private E-2

    Rebooted and .exe files now run normally, so I can start programs :)
    Thanks for the fix!!!
    Upon reboot, when loading Windows, this error message appears:

    windows cannot find '1' make sure you typed the name correctly, and then try again. to search for a file click start button and then search.

    I attached hjt, getrunkey and shownew logs, just in case you need them.
     

  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You can now delete the lines I put into your autoexec.bat file since you will not need them to automatically load at startup. You can also delete the below unnecessary files.

    StartAcad.bat
    StartConn.bat
    StartExp.bat
    StartIE.bat

    Do the above now before continuing.

    That's because of the below line which I was mentioning in my last message:

    F2 - REG:system.ini: Shell=Explorer.exe 1

    I was rushed for time before (still got a load of work around the house that I'm doing). Just stopped back in now while having something to eat.

    See if you can fix the above line with HijackThis. Make sure you close any browser windows before clicking Fix checked. After fixing this line, quickly take a look at a new HJT log and make sure it is really gone. If not, tell me. If it is gone, then reboot and make sure it is still gone and that you no longer get the error message.

    I had a pretty good feeling that we needed to do that reboot the other night before we could completely fix all the remaining issues that occurred due to the W32.Autex.C malware. But I did not want to risk you not being able to get the AutoCad work done. The fix for the EXE problem I had done much earlier was the same basic fix. It did not work previously because the reboot was needed after the Autex infection removal.

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    4. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. You can also delete any other files we were using to fix your infection (most are in the ShowNew folder I assume).
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
    Last edited: Nov 26, 2006
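    The two persistence points this thread fixed (the `Shell=Explorer.exe 1` entry behind the F2 line, and the exefile association that exefix_xp.com restores) can be checked offline from a saved system.ini, a HijackThis log, or an exported registry value. The script below is an added example written for this page, not a tool from the thread or from MajorGeeks; the sample log lines and values it checks are constructed, and the stock Windows XP values it compares against are `explorer.exe` and `"%1" %*`.

```python
import configparser
import re

# Stock Windows XP values that the thread's fixes restore.
DEFAULT_SHELL = "explorer.exe"
DEFAULT_EXE_OPEN = '"%1" %*'   # HKCR\exefile\shell\open\command default

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.*)$")


def shell_extra_tokens(shell_value: str) -> list:
    """Tokens after explorer.exe in a Shell= value. Winlogon launches every
    program listed here at logon, so the '1' in the thread shows up as an
    extra token; an empty list means the value is the stock one."""
    tokens = shell_value.strip().split()
    if not tokens or tokens[0].lower() != DEFAULT_SHELL:
        return tokens or ["<empty>"]
    return tokens[1:]


def exefile_command_is_default(command: str) -> bool:
    """True when the exefile open command is the stock '"%1" %*'; anything
    wrapped around it means every .exe launch goes through another file."""
    return command.strip() == DEFAULT_EXE_OPEN


def shell_from_system_ini(ini_text: str) -> str:
    """Read Shell= from the [boot] section of system.ini-style text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    return cp.get("boot", "shell", fallback="")


def audit_hjt_lines(lines) -> list:
    """Collect Shell= extras from HijackThis F2 lines (empty means clean)."""
    findings = []
    for line in lines:
        m = F2_RE.match(line.strip())
        if m:
            findings.extend(shell_extra_tokens(m.group(1)))
    return findings


# Constructed samples modelled on the thread, not the poster's real logs.
SAMPLE_HJT = [
    "O4 - HKLM\\..\\Run: [ctfmon] C:\\WINDOWS\\system32\\ctfmon.exe",
    "F2 - REG:system.ini: Shell=Explorer.exe 1",
]
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe 1\ndrivers=mmsystem.dll\n"
SAMPLE_EXE_OPEN_HIJACKED = '"C:\\WINDOWS\\placeholder.exe" "%1" %*'  # constructed

if __name__ == "__main__":
    print(audit_hjt_lines(SAMPLE_HJT))                                  # ['1']
    print(shell_extra_tokens(shell_from_system_ini(SAMPLE_SYSTEM_INI)))  # ['1']
    print(exefile_command_is_default(SAMPLE_EXE_OPEN_HIJACKED))          # False
```

    On a live XP machine the same two values live in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and HKCR\exefile\shell\open\command; export them with regedit and feed the strings to the two check functions.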
  37. dr_psikick

    dr_psikick Private E-2

    OK, done, just rebooting to enable System Restore back.
     
  38. dr_psikick

    dr_psikick Private E-2

    Done!

    Thanks a lot for all the help!

    Just a question: ERUNT, should I delete it too?

    Nice to have no problems...
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did the F2 line go away permanently?

    You're welcome. I'm happy we got this all resolved and no reinstall was needed! ;)

    That's up to you. It is a useful tool for doing registry backups and restores. If you don't think you need or will use it then delete it. But consider this, if you had a registry backup from the day before the trojan hit, a registry restore may have completely disabled the trojan and then the files introduced by it could have been simply deleted.
     
  40. dr_psikick

    dr_psikick Private E-2

    Yes, it seems so. I did a couple of reboots just to be sure, and it seems that everything is now clean.

    Thanks for all, and this forum/site has gained one huge fan, I have been here a couple of times before, but as guest just to read some info related to anti-virus and firewalls.
    Can I put a link to majorgeeks.com on my website?
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Yes you can add a link to www.majorgeeks.com and recommend that people check out the Support Forums! ;)
     