Winlogon pb seems gone, but CPU still goes crazy

Discussion in 'Malware Help (A Specialist Will Reply)' started by copernic, May 9, 2006.

  1. copernic

    copernic Private E-2

    Hi all,

    First, thanks for dedicating some of your precious time and experience to clueless guys like me!

    Here's a brief account of what happened and what I did:

    -For a long time I had a "found hardware (or was it monitor) error" when booting; I just had to choose F1 and everything was going fine. This lasted for one or two years.
    -Recently more and more applications crashed. I thought it might be because of the above, so I cleaned two fans inside the comp; they needed it badly.
    -It solved the above error, but apps kept crashing.
    -The first app message was (generally?) winlogon.exe (I also saw winlogin.exe, sometimes).
    -It went to a point where my computer would shut off by itself after a few seconds only....
    (- Something that may have played a role(?): I had SpySweeper trial for a couple of weeks, before the serious troubles began.)


    -I came to Major Geeks and followed the steps I could (some more than once) and a few others.
    --couldn't run spyrobot: the .exe file was not found. This happened with ZoneAlarm too, so I installed Outpost (I was on IE firewall before).
    --not in safe mode
    --before that I ran the anti-NetSky-something virus app (I read it dealt with some corrupted winlogon) but it didn't help: said it found nothing.
    --ran Panda scan before BitDefender because at that point I could make BitDefender work.
    -Things went a bit better: first, it crashed only when I connected to the net (it minimized my travels to the internet cafe...), and the only (visible) error left was winlogon.exe

    -ran VundoFix too because I saw "winfixer" in a URL listed by Counterspy's PC experts section. Didn't run properly.
    -ran Smitfraud
    -a couple other online scans
    -ran ewido in safe mode. After that, the winlogon.exe error disappeared.

    But...my CPU still goes crazy: from 100% to 50, back to 100, down to 7, up to 100, down to 80 and so on....
    And the PC can get slow.

    So there's still something wrong, but I don't know what.

    I run a Sony Vaio:
    XP Home Edition 2002 Japanese edition, SP2 downloaded (but couldn't run Defender so used Counterspy).
    Intel Celeron 1.2 GHz, 224 MB RAM

    Sorry for my English; if I didn't give enough info please let me know,

    And big thanks in advance for your help!



    Oops, as I upload the logs, I don't find the Panda and BitDefender logs, so I'm running them again (I've launched BitDefender) and I will post their logs as soon as it's done (BitDefender says it will take 2h30 for the ~80000 files...). I will also attach a new HJT log.
     


  2. copernic

    copernic Private E-2

    Now 5 hours to go for BitDefender, and after that there's Panda.. :(( That will take one more day :((

    Does HJT give any indication of steps I could take right now, by any chance?
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, but it would be a bad idea to try to fix anything now while the BitDefender scan is running, since the fixes would require reboots and thus your BitDefender scan would have to be started over again. Also, BitDefender could fix some of the problems or at least make it easier to fix them.

    Is this PC used for non-English-based applications? I see many strange symbols in your log.
     
  4. copernic

    copernic Private E-2

    Ok, then, I'll wait...6h30, now! Hopefully BitDefender will be done by Christmas!

    Yes, it's a Japanese PC (Sony Vaio PCV-W101A), and Windows XP is all in Japanese. The strange symbols are Japanese characters not supported by HJT (/the OS/the HTML reader), I suppose.

    I have many English-based applications running on it, and it hasn't caused any problems (that I've noticed).
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! Below are the problems I notice. We will fix them later when you finish the scans.
    O4 - HKLM\..\Run: [winu2^:ù\¨rÇ^] C:\WINDOWS\System32\winu2^:ù\¨rÇ^
    O4 - HKLM\..\RunServices: [winu2^:ù\¨rÇ^] C:\WINDOWS\System32\winu2^:ù\¨rÇ^
    O4 - HKLM\..\RunServices: [winu2^] ù\¨rÇ^:C:\WINDOWS\System32\winu2^:ù\¨r
    O4 - HKCU\..\RunServices: [winu2^:ù\¨rÇ^] C:\WINDOWS\System32\winu2^:ù\¨rÇ^
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O20 - Winlogon Notify: ldr64 - ldr64.dll (file missing)
    O20 - Winlogon Notify: sloader64 - C:\WINDOWS\SYSTEM32\sloader64.dll

    You should also check for the below file related to your ZoneAlarm firewall to see if it is really missing:
    O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)

    If it is missing, you will need to reinstall it.
     
  6. copernic

    copernic Private E-2

    Ok,

    i/ BitDefender is done, Panda as well, and I have run HJT after that.

    FYI:
    I have reinstalled a program called interbankfx metatrader, and the install needs a reboot to be completed.
    I have installed and run Adia. It caused the screen to go black for a second, and stalled BitDefender for a couple of minutes.
    I had a webradio on, and browsed the net; in case this information shows on the HJT log and causes confusion.

    ii/ about ZoneAlarm: yes, the .exe is NOT there. When I wanted to run this firewall, it was saying "cannot find .exe file, browsing..." or so. I uninstalled it and installed Outpost instead.
    here are the 3 files remaining in the above ZoneLabs folder:
    dbghelp.dll
    vsdb.dll
    an XML file: ZLCommDB

    What should I do about this: leave it? uninstall Outpost and try to reinstall ZoneAlarm instead? or..?


    Ready for action :)
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you running Task Manager all the time? Why? I have seen it in both of your HJT logs:
    C:\WINDOWS\system32\taskmgr.exe

    This should not be running when using HJT.

    It was a bad idea to install anything else while trying to fix malware problems. Is the below line related to the stuff you installed? It looks a lot like malware, the way it is running and where it is running from.
    O4 - HKCU\..\RunOnce: [gi667814265] "C:\DOCUME~1\user\LOCALS~1\Temp\giL3NOHK.exe" /resume:"C:\DOCUME~1\user\LOCALS~1\Temp\28L3NJC5" /exename:"C:\Program Files\ibsetup4.exe"

    I am not sure what these below O4 lines are for but they seem to be malware. If you know they are not malware then leave them out of the below fixes:
    O4 - HKLM\..\Run: [winu2^:ù\¨rÇ^] C:\WINDOWS\System32\winu2^:ù\¨rÇ^
    O4 - HKLM\..\RunServices: [winu2^:ù\¨rÇ^] C:\WINDOWS\System32\winu2^:ù\¨rÇ^
    O4 - HKLM\..\RunServices: [winu2^] ù\¨rÇ^:C:\WINDOWS\System32\winu2^:ù\¨r
    O4 - HKCU\..\RunServices: [winu2^:ù\¨rÇ^] C:\WINDOWS\System32\winu2^:ù\¨rÇ^

    Okay....now on to the fixes!

    Click on Start, then Run ... type services.msc into the box that opens up, and press "OK". On the page that opens, scroll down to TrueVector Internet Monitor ... then right click the entry, select "Properties" and press "Stop Service". When it shows that it is stopped, next please set the "Start-up Type" to "Disabled". Press "OK" until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    vsmon

    If you receive any error messages just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.


    Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Make sure viewing of hidden files is enabled (per the tutorial).

    Some of the lines below may no longer appear in HJT due to the above fixes. That's okay just ignore and continue.
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [winu2^:ù\¨rÇ^] C:\WINDOWS\System32\winu2^:ù\¨rÇ^
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunServices: [winu2^:ù\¨rÇ^] C:\WINDOWS\System32\winu2^:ù\¨rÇ^
    O4 - HKLM\..\RunServices: [winu2^] ù\¨rÇ^:C:\WINDOWS\System32\winu2^:ù\¨r
    O4 - HKCU\..\RunServices: [winu2^:ù\¨rÇ^] C:\WINDOWS\System32\winu2^:ù\¨rÇ^
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
    O20 - Winlogon Notify: ldr64 - ldr64.dll (file missing)
    O20 - Winlogon Notify: sloader64 - C:\WINDOWS\SYSTEM32\sloader64.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FI0OR097\js[1].htm
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\RYF1BTL8\op[1].htm
    C:\WINDOWS\system32\ZoneLabs <-- the whole folder
    C:\WINDOWS\system32\sloader64.dll
    C:\WINDOWS\system32\ldr64.dll
    C:\WINDOWS\System32\winu2 <-- again I'm not sure what this real folder or file name is since it appears corrupted in the English character translation. If you know that this is not bad, do not delete it.

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
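An added example, not code from this thread, from HijackThis or from the poster: a small Python triage that parses HJT O4/O9/O20/O23 lines like the ones above and flags orphaned entries ("(file missing)" / "(no file)"), Winlogon Notify DLLs that are actually present, autoruns started from a Temp folder, and names with non-ASCII characters that need checking on disk rather than blind deletion. The log it reads is a constructed sample modelled on the lines quoted in this thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the HJT lines quoted in this thread
# (not a real log from the poster's machine).
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
O4 - HKLM\..\Run: [winu2^:ù\¨rÇ^] C:\WINDOWS\System32\winu2^:ù\¨rÇ^
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\RunOnce: [gi667814265] "C:\DOCUME~1\user\LOCALS~1\Temp\giL3NOHK.exe" /exename:"C:\Program Files\ibsetup4.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: ldr64 - ldr64.dll (file missing)
O20 - Winlogon Notify: sloader64 - C:\WINDOWS\SYSTEM32\sloader64.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
"""

# Every HJT finding is "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
LINE_RE = re.compile(r"^(O\d+) - (.*)$")


@dataclass
class Entry:
    section: str                              # HJT section tag, e.g. "O4" or "O20"
    body: str                                 # everything after "O4 - "
    reasons: list = field(default_factory=list)


def parse_hjt(text: str) -> list:
    """Keep only the O-numbered lines; headers and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(text: str) -> list:
    """Return the entries worth a second look, each with the reasons it was flagged."""
    flagged = []
    for e in parse_hjt(text):
        b = e.body
        # Orphaned entries: the registry value points at a file that is gone.
        # Fixing the line only removes the pointer; there is nothing left to delete.
        if "(file missing)" in b or "(no file)" in b:
            e.reasons.append("orphaned entry: referenced file is absent")
        # A Winlogon Notify DLL that does exist is loaded by winlogon.exe at
        # logon, which is why entries like sloader64 get priority.
        if e.section == "O20" and not e.reasons:
            e.reasons.append("Winlogon Notify DLL present on disk")
        # Autoruns launched from a Temp folder (the gi667814265 line above).
        if e.section == "O4" and re.search(r"\\temp\\", b, re.IGNORECASE):
            e.reasons.append("autorun starts from a Temp folder")
        # Names/paths with non-ASCII characters, like the winu2 lines; on a
        # Japanese install this may be a legitimate name that HJT rendered
        # badly, so it is a prompt to verify on disk, not a verdict.
        if e.section == "O4" and re.search(r"[^\x20-\x7e]", b):
            e.reasons.append("non-ASCII characters in name or path; verify on disk")
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section}: {e.body[:70]}")
        for r in e.reasons:
            print(f"    - {r}")
```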
     
  8. copernic

    copernic Private E-2

    Hi Chaslang,

    thanks for all the instructions.

    let me describe what I did and what happened

    >>Are you running Task Manager all the time? Why? I have seen it in both of you HJT logs:
    C:\WINDOWS\system32\taskmgr.exe

    This should not be running when using HJT.

    >I entered taskmgr.exe in Run, and when the window opened I did File/exit


    >>It was a bad idea to install anything else while trying to fix malware problems. Is the below line related to the stuff you installed? It looks a lot like malware, the way it is running and where it is running from.
    O4 - HKCU\..\RunOnce: [gi667814265] "C:\DOCUME~1\user\LOCALS~1\Temp\giL3NOHK.exe" /resume:"C:\DOCUME~1\user\LOCALS~1\Temp\28L3NJC5" /exename:"C:\Program Files\ibsetup4.exe"

    >Ok, I won't do it again
    This program is a trading software used by many brokers. I use this version as well as another broker's version of it. Both have not run great recently, and I've not been the only one to report it. At any rate, it's a Russian commercial application; ib is ibfx, an American retail broker. I thought it was running from Program Files though, but I guess the last time I installed it, it was from that folder.
    It receives live updates of quotes, so there's a near constant stream of incoming data.
    Their last build -about 2 weeks ago- seems to cause some problems to some, including me, but I rather doubt this was the cause of my problems.

    Something I forgot to say earlier: I installed and started using FireFox a couple of weeks ago.


    >>I am not sure what these below O4 lines are for but they seem to be malware. If you know they are not malware then leave them out of the below fixes:
    O4 - HKLM\..\Run: [winu2^:ù\¨rÇ^] C:\WINDOWS\System32\winu2^:ù\¨rÇ^
    O4 - HKLM\..\RunServices: [winu2^:ù\¨rÇ^] C:\WINDOWS\System32\winu2^:ù\¨rÇ^
    O4 - HKLM\..\RunServices: [winu2^] ù\¨rÇ^:C:\WINDOWS\System32\winu2^:ù\¨r
    O4 - HKCU\..\RunServices: [winu2^:ù\¨rÇ^] C:\WINDOWS\System32\winu2^:ù\¨rÇ^

    >I don't know. The characters appear the same way in my HJT logs. There is no such folder (hidden or not) nor files. The only files with Japanese characters in windows/system32 are:
    - a supposedly Microsoft lens screen saver
    - a "channel" file, probably for tune in PC TV or something. Both are very small; I took screenshots of both but unfortunately I can't upload them - see below



    >>Okay....now on to the fixes!

    Click on Start, then Run ... type services.msc into the box that opens up, and press "OK". On the page that opens, scroll down to TrueVector Internet Monitor ... then right click the entry, select "Properties" and press "Stop Service". When it shows that it is stopped, next please set the "Start-up Type" to "Disabled". Press "OK" until you get back to Windows.

    > The only problem I had was here. The only button I could press was "Start", and when I pressed it there was a message saying "error 2 something". I couldn't change Start-up to Disabled (nor to Manual), and I could press neither "Apply" nor "OK": a message was saying "access denied" or something. (I say "or something" because it's in Japanese IT language....)


    >>Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    vsmon

    If you receive any error messages just ignore them and continue.

    >I got one message and continued.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    >I don't remember it saying "reboot"

    >>Now copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Make sure viewing of hidden files is enabled (per the tutorial).

    Some of the lines below may no longer appear in HJT due to the above fixes. That's okay just ignore and continue.
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [winu2^:ù\¨rÇ^] C:\WINDOWS\System32\winu2^:ù\¨rÇ^
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\RunServices: [winu2^:ù\¨rÇ^] C:\WINDOWS\System32\winu2^:ù\¨rÇ^
    O4 - HKLM\..\RunServices: [winu2^] ù\¨rÇ^:C:\WINDOWS\System32\winu2^:ù\¨r
    O4 - HKCU\..\RunServices: [winu2^:ù\¨rÇ^] C:\WINDOWS\System32\winu2^:ù\¨rÇ^
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe (file missing)
    O20 - Winlogon Notify: ldr64 - ldr64.dll (file missing)
    O20 - Winlogon Notify: sloader64 - C:\WINDOWS\SYSTEM32\sloader64.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)

    After clicking Fix, exit HJT.

    >The only 2 lines that weren't there were 2 of the last 3:
    -020 ldr64
    -020 sloader64

    >>Boot into safe mode and use Windows Explorer to delete:
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FI0OR097\js[1].htm
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\RYF1BTL8\op[1].htm
    C:\WINDOWS\system32\ZoneLabs <-- the whole folder
    C:\WINDOWS\system32\sloader64.dll
    C:\WINDOWS\system32\ldr64.dll
    C:\WINDOWS\System32\winu2 <-- again I'm not sure what this real folder or file name is since it appears corrupted in the English character translation. If you know that this is not bad, do not delete it.

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.

    > The big problem occurred there:
    >>Boot into safe mode and use Windows Explorer to delete:

    For the 1st time, I used Run to reboot in safe mode (before I always used F8).
    In a word: it didn't work properly and now I can't reboot at all.
    I tried reboot mode, VGA mode, debug mode, safe and command, revert to previous correct settings etc., none work.

    Once I had this message:

    A problem has been detected and windows has been shut down to prevent damage to your computer.

    If this is the 1st time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

    Check for viruses on your computer. Remove any newly installed hard drives or hard drive controllers. Check your hard drive to make sure it is properly configured and terminated. Run chkdsk /f to check for hard drive corruption, and then restart your computer.

    technical information:
    ***STOP: 0x0000007B (0xFA2C7528, 0xC0000034, 0x00000000, 0x00000000).



    Of course I can't do anything, so I couldn't do what the message suggested.

    So here I am back in the internet cafe. I guess the problem is due either to TrueVector or to HJT fixing of the strange system32/Winu files.

    I have a PCMCIA card (256 MB flash). Maybe it can be of help to somehow take control of the PC at booting.
    I have Sony Vaio System Recovery (2 CDs) and Application (2 CDs). I don't know if it includes Windows XP. Anyway, I'd rather come to this end, if possible....
    (Note: I ran the first system recovery CD. It loaded. When asked if I wanted to proceed (and lose all data...) (or choose customize), I said cancel.)

    To sum up the current situation: I can't boot my pc. :-(

    What should I do? Any further instruction or advice GREATLY appreciated!!

    copernic

    (PS: it's a detail, but I'm in Japan, GMT plus 9, now 5pm)
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I have no idea why any of what you were able to do would cause a problem booting your PC. You never even got to the point of deleting any files.

    Can you boot in safe mode (any form of safe mode - like safe mode with command prompt)?

    Are you saying all you have are recovery CDs and you do not have a bootable WinXP SP2 CD? If so, this is another case of PC vendors screwing end users. Everyone who has a legally purchased PC needs a bootable CD for their OS for cases just like this (and a bunch of other reasons).

    Can you borrow a WinXP SP2 CD from someone?

    How much important personal data do you have on this PC?
     
  10. copernic

    copernic Private E-2

    >>I have no idea why any of what you were able to do would cause a problem booting your PC. You never even got to the point of deleting any files.

    Yes. Maybe the phantom winu folder is related to some SONY programs that are necessary to start Windows.

    --
    >>Can you boot in safe mode (any form of safe mode - like safe mode with command prompt)?

    No, I can't boot in any mode; I tried them all.

    --
    >>Are you saying all you have are recovery CDs and you do not have a bootable WinXP SP2 CD?

    That's right.

    --
    >>If so, this is another case of PC vendors screwing end users. Everyone who has a legally purchased PC needs a bootable CD for their OS for cases just like this (and a bunch of other reasons).

    It is a PC with Windows installed that I bought at a well-known vendor in Japan. The reason I don't have the OS bootable CD is that it was a 2nd hand PC, and the original owner of the CD must have kept it for himself...well, the explanation still leaves me screwed up...

    --
    >>Can you borrow a WinXP SP2 CD from someone?

    I'll find someone...

    --
    >>How much important personal data do you have on this PC?

    No crucial, i.e. business, data, but nearly 20 GB worth of personal data, including some study and project files, i.e. non-entertainment stuff. So, nothing vital, but there's quite some work gone. The only thing I won't lose is my music files, that I pulled out of the PC and put all in my MP3 player last month. Better than nothing, but trivial.


    So it won't happen twice: it's time consuming and boring, but from now on I'll make backups.

    But for the moment, I have 2 options:
    1) Run the recovery CDs
    2) Install Windows (or any other OS) from scratch, just as if my PC was a box with 0 software inside.

    or

    3) Find an OS bootable CD.

    correct?
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well yes but there is something else you could do to save your personal data. You could install your hard disk as a slave drive in another PC and use the other PC to backup the data from your hard disk. And maybe burn to CDs or DVD so you can restore them later if necessary.

    If you get a bootable CD for WinXP SP2, you could try doing a repair which may help get your PC to be bootable. I doubt those files with Winu 2 had anything to do with making your PC bootable. Private files from Sony should not interfere with the Windows system being bootable, but if there were drivers that Sony needed for the hardware in your PC (like sound board etc.) that would affect the operation of those devices.
     
  12. copernic

    copernic Private E-2

    Here's what I've done, and this time I've been lucky:
    - I ran the System Recovery CDs from Sony, and luckily, they contained Windows XP!!! So this problem is solved.
    I've been inspired enough not to request a full recovery, but in the custom menu I chose the first choice, which seems to affect only C:/, not D:/, as opposed to the other choices which seem to partition everything; well, that's what I understood from the explanations in Japanese..
    So I lost the data on drive C: (14 GB in total but lots of it was software) but I still have my ~26 GB in D drive :). It seems pretty much settled.
    The CPU behaves. I have NAV2002 (part of Sony's Application Recovery CDs) and Zone Alarm running.

    (It's history now, but (because this computer is a hybrid between a laptop and a desktop?) the hard drive didn't seem to be removable.)

    I'll go through the thread "Prevent yourself from Malware" now and let you know what happens within a week.

    Thanks for your time and help!
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     
