Winlogin.exe Error

Welcome to Majorgeeks!

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
  • 
    [*]runkeys.txt - the log from GetRunKey.bat
    [*]newfiles.txt - the log from ShowNew.bat
  • CounterSpy - ONLY IF you were not able to run Windows Defender
  • Bitdefender - from step 6
  • Panda Scan - from step 6
  • HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

 

Choose the download from below that is appropriate for your Windows Version and run it:

For Windows XP Pro: download and run XPproFix
For Windows XP Home: download and run XPHomeFix
For Windows 2000: download and run: W2KFix

Then try running GetRunKey again ALSO MAKE SURE you extracted ALL the files from the ZIP file, otherwise you will get a blank log.

Don't worry about MyWay, we will get rid of it later.

Start by downloading two tools we will need

- Process Explorer

- Pocket KillBox

Extract them to their own folder somewhere that you will be able to locate them later.

IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

Do the above before continuing! Okay unplug your cable now.

Make sure you have rebooted in Normal Mode (do not open any other processes)

- Run Process Explorer

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of gbeabwcb.dll once and then click the kill button. After you have killed all of the gbeabwcb.dll under winlogon click ok. (If you do not find the dll, just continue on.)



Next double click on explorer.exe and again click once on each instance of gbeabwcb.dll and kill it. (If you do not find the dll, just continue on.)

Now just exit Process Explorer.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.shareware.us/srchasst.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O20 - Winlogon Notify: gbeabwcb - C:\WINDOWS\SYSTEM32\gbeabwcb.dll
O20 - Winlogon Notify: jkklk - C:\WINDOWS\system32\jkklk.dll (file missing)


After clicking Fix, exit HJT.

Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files"
Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox by doubleclicking on killbox.exe
Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
Then after it deletes the files click the Exit (Save Settings) button.
Now back on Killbox's main window, Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

C:\WINDOWS\SYSTEM32\kfiyldri.exe
C:\WINDOWS\SYSTEM32\pqgcsnvg.exe
C:\WINDOWS\SYSTEM32\xuxuvfme.exe
C:\WINDOWS\SYSTEM32\gbeabwcb.dll
C:\WINDOWS\SYSTEM32\klkkj.ini2
C:\WINDOWS\Temp\1.tmp

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

Also delete all files in the below folder except ones from the current date (Windows will not let you delete the files from the current day).
C:\Documents and Settings\David & Michelle\Local Settings\Temp\

Now attach a new HJT log and tell me how the steps went.

Also download the newest version (just updated) of ShowNew and attach a new log from ShowNew.

Make sure you tell me how things are working now!

 

Are you sure you extracted ALL files from the ZIP file? Where did you extract it too? Tell me what files you see in the folder with GetRunKey.bat

Typically you will not spread infections accross the network unless you are file sharing on the PCs. It never hurts to check though!

Okay you're clean but we have a couple things to do!

First have HJT fix the below left over which has been removed:
O20 - Winlogon Notify: gbeabwcb - gbeabwcb.dll (file missing)


Now install the current version of Sun Java from: Sun Java Runtime Environment

Then uninstall the below software using Add/Remove programs:
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Notifier
Viewpoint Media Player

Now, if you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

We will get to these later! First I want to figure out why GetRunKey will not run.

Click Start, Run and enter cmd in the box and click OK. This will open a command prompt windows. In this window enter the below commands.

cd "C:\Software Removal Tools\GetRunKey"
getrunkey

What happens? Tell me if you are seeing any error messages and tell me exactly what they say. I have a feeling that your registry editor (regedit.exe) is corrupted or missing.

If the above still gives an error or yields a basically blank log, in that command prompt window enter regedit and hit enter. What happens?

Now try installing this Your Uninstaller! 2006 and use it to uninstall some of the items you are having problems uninstalling. Tell me the results.

 

Try using the below attached version of GetRunKey2.zip. The file to run is GetRunKey2.bat

Extract it into the same folder as the previous version.
Run it from the command prompt just like last time. Tell me what happens.

 

Okay from the command prompt while in the folder where you have put GetRunKey, type grep -V and hit enter.

Do you see the below text?

 

Okay download the attach new version and overwrite the previous version with it.

Extract the GetRunKey2.bat file to overwrite the previous batch file too.

After it runs, close the runkeys.txt notepad window that opens. Then look for this file C:\GRKdebug.txt
Upload this file here as an attachment.


Note: your system appears to be free from malware but it is troublesome that GetRunKey will not produce an output on your system. You are in effect helping me troubleshoot the reason. This has run thus far on a few hundred PCs without incident (other than when the XPproFix was needed or if all files were not extracted).

 

Sorry about that Michelle! I was in a rush (I was late for a meeting) and I forgot to actually attach the new version. I'm attaching it now to this message. Please use it and then upload that GRKdebug.txt file I requested.

Yes you are helping. The only real way we can make sure our programs always run properly is to test them on as many PCs as possible. I have run this on so many PCs that it is hard to imagine why it is not running. The only thing I can think of is some kind of conflict with a file or process name with somethings on your PC. The log from Shownew reveals that GetRunKey is getting pretty far into the program because I can see all the temp files created while GetRunKey is collecting data. The trouble is that it never completes. I'm trying to narrow in on exactly where it is dying before that message prints on your screen. So this new version will not fix that problem (not yet) but the GRKdebug file should give me a feeling for where it gets too.

Thanks for helping debug this. I cannot debug it anywhere else since it runs on every PC and every Windows OS I have tried.

 

Okay thanks! That's a start! Now repeat with this attachment and then again upload the GRKdebug.txt file.

Again I still expect the same error message because I'm not fixing anything yet. I'm just trying to locate the exact point where it is failing. It does not make any sense right now based on what the last GRKdebug.txt file indicated.

 

Why thank you! I don't really work in this field but I do use PCs for work. I'm a Research & Development Engineer.


Okay let's give this new attachment a try.

This time in addition to C:\GRKdebug.txt also locate the below file and attach it too:

C:\xtemp100.txt

 

From the command prompt window enter the below command and tell me what you get:

echo %TEMP%


Also run this new version of GetRunKey2.bat and attach the GRKdebug.txt log and the xtemp100.txt log (if it is found).

 

Okay! This reveals the problem! Something in your Windows XP environment is not setup properly. It should have shown something like:

C:\DOCUME~1\username\LOCALS~1\Temp

where username is user user login account name. The real full path is
C:\Documents and Settings\username\Local Settings\Temp

We need to figure out how to get this setup properly.

What is your user account name?

 

To Fix the TEMP Environment variable

1. Right-click My Computer and select Properties.
2. Select the Advanced tab.
3. Click the Environment Variables button.
4. In the User variables for usernamearea, If the TEMP variable exists, select TEMP (by clicking on it) and click the Edit button and change it to C:\Documents and Settings\username\Local Settings\Temp
5. If the TEMP variable does not exist, click New and set the below
   • Variable name: TEMP
   • Variable value: C:\Documents and Settings\username\Local Settings\Temp
6. Then click OK.
7. Then click OK again to close the Environment Variable window
8. Then click OK to close the System Properties window
9. Now Reboot your PC for the change to take effect.

After reboot, try running the original GetRunKey.bat program and tell me what happens!

 

from the command prompt if you enter the below, what do you get:

echo %username%

 

Make sure you tell me the exact output with any spaces or punctuation....etc.

 

Well I deleted that other info right now since we really need to know the full user account name first.

Sounds like your environment variable are all messed up!

 

From a command prompt enter the below:

set > c:\env.txt


Then locate the c:\env.txt file and upload it here as an attachment!

I think the user account name is why you got the strange message with & was unexpected at this time
You have an & in your user account name and it is not really valid to have this. When the system got to the & in your account name it barfed!

 

You need to change this:

TEMP=C:\Documents and Settings\username\Local Settings\Temp

to

TEMP=C:\Documents and Settings\David & Michelle\Local Settings\Temp

 

Well user accounts can have their names changed via Control Panel ---> User Accounts . But I'm not 100% sure of the impact on anything else you have setup with your account when the name changes. It is really rather stupid of Windows to allow the character in there to begin with because of problems like we are seeing here where GetRunKey would fail and so would even echoing your %username% and %TEMP% environment variables. All this just due to the &. If you put "" around the echo it will probably work OK!

Try echo "%username%"
The only problem is that now the quotes are also echoed. So you will probably see

"David & Michelle"

 

I just checked! Changing the user account name will only change the loging ID and will not resolve the environment problems! They will still show with the & in them and nothing will change as far as that goes. I'm not sure there is a fix for this. I can make a change to GetRunKey.bat to bypass this potential illegal user name problems that cause a problem due to the TEMP environment variable that I was looking at to detect possible malware; however, I would expect that this could represent problems in more places than just my simple batch file scanner.

You need to fix the TEMP environment variable. In your last attachment you showed

TEMP=TEMP=C:\Documents and Settings\David & Michelle\Local Settings\Temp

The extra TEMP= must be removed.

 

If you have not had any problems up to now, I would not worry about it. But just be aware of a potential problem. If you even see that strange message again with the & in it, it should ring a bell as to what the problem is.

Yes you have it correct now.

No! It will not run with that type of username. It will always die at that point. As of yet, I cannot find any work around for a non-valid user name. At least not when used at a command prompt or in an batch file using the Windows environment variables.

For now I would just say we are done. Your malware was fixed (quite awhile ago) but wanted to make sure there was no malware causing a problem that made GetRunKeys fail. Now we know the reason and I thank you for the help in debugging this.

 

As I expected but we cannot use the quotes in my GetRunKey program because your file paths and environment variables do not have quotes in them and thus what I'm looking for would never be found even though the program would run to completion.

Yes it is MSconfig. Just select Normal Startup in the System Config Utility window. Then reboot and see if everything it okay.

 

Yes you did! You helped me understand where the problem was! We found out that it was not malware or a bug in GetRunKey, but rather an unfortunate choice of user name that Windows also unfortunately allowed you to use.