Winlogon.dll Error on system bootup - Possible Rootkit?



Acreo Aeneas
2006-09-26, 06:32
Hey all,

I've been a supporter of Spybot S&D and have been using the program for a long time now. Great work to all those involved.


Getting down to the problem at hand...

2 days ago, I finished building my brother's new pc. I installed Windows XP along with all the patches and service packs. I then installed the correct drivers and such, along with Zonealarm Pro Security Suite, updated, rebooted, and such. Yesterday, when my brother got home, he turns on his new system, puts his various backed up files onto his new hard drive, then proceeds to reboot his computer.

This is where the headaches and trouble begin.

After POST, the usual Windows XP loading screen (w/ the scrolly bar thingy), it would attempt to bring him to the Windows Logon screen, but an error screen pops up that says: "Windows wasn't able to load winlogon.dll, please contact your system administrator if this problem persists." Seeing how he is the sysadmin, I went ahead and hit the reset key on the front of his system. It goes through the process and once again the same error message pops up.

This immediately set off several alarm bells in my head, and has me worried, frustrated, and pissed to the point where I'm losing serious sleep over this problem.

So then I figure, I'll just reformat, and install Windows again with all patches and packs. So that was yesterday.

About 5 hours ago, I got a call from my brother (while I was traveling home), that his system once again had the same error. I instructed him to do a Windows Repair (from the blue screen, not the command prompt). Since the Repair, I have not seen that error pop-up, but common programs such as IE, Firefox, and such have been constantly crashing or hanging up. Also when I have the C:\Windows\System32\ folder open and have winlogon.dll selected, I instantly get a continuous pop-up window that says that Windows has detected several of its key components missing and replaced with unidentifiable duplicates. It gives me the option of OK to let Windows extract and replace those "key files" from a path that does not exist and also has something like this: "folder\folder_name/file" towards the end of the path. That seems too much of a random typo, so I clicked the red "X". A new window pops up asking if I'm sure I want to not fix the files, I click YES. The pop-up window goes away, then reappears about 5 seconds later.

I have run Ewido in Safe Mode (w/ log file), and HijackThis v1.99.1 (w/ log file). I will post a reply with both log files. Right now I need to go over to his system to make the log post, because I'm afraid that this problem is occurring on another system as well. I'm trying my best to quarantine his system from the network by unplugging his ethernet connection when internet access is not needed.

Acreo Aeneas
2006-09-26, 06:36
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:07:38 PM 9/25/2006

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
C:\Documents and Settings\OMNI God\My Documents\save\TRAINER.EXE -> Logger.Banker : Cleaned with backup (quarantined).


::Report end





Logfile of HijackThis v1.99.1
Scan saved at 10:54:53 PM, on 9/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\OMNI God\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\Downloaded Program Files\CopernicMeta.dll/SearchBar_htm
R3 - URLSearchHook: (no name) - {DE09D68E-0488-4DF0-BD46-5BF35F2D1F2A} - C:\WINDOWS\DOWNLO~1\COPERN~1.DLL
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: Copernic Meta - {F79AD27F-8140-4E33-8B1D-C4FC6B663CCA} - C:\WINDOWS\Downloaded Program Files\CopernicMeta.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\RunOnce: [SpySweeperUninstallSurvey] http://products.webroot.com/disp0201.php?pc=64021&rc=1&ps=T&oc=33&mjv=5&mnv=0&bld=1608&cd=&dcc=&drc=&mo=&sid=&lang=en&loc=USA&opi=2&omj=5&omn=1&rsc=
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search Using Copernic Meta - res://C:\WINDOWS\Downloaded Program Files\CopernicMeta.dll/HTML/SearchExt
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: Copernic Meta - file://C:\DOCUME~1\OMNIGO~1\LOCALS~1\Temp\CopernicMeta0000.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1159072317493
O16 - DPF: {B6B14E82-E23B-48DE-BFFF-876EC90D9B96} - file://C:\DOCUME~1\OMNIGO~1\LOCALS~1\Temp\CopernicMetaInstall0000.cab
O18 - Protocol: copernicmeta - {9B46B30C-CB70-4551-9806-3238CC816A55} - C:\WINDOWS\DOWNLO~1\COPERN~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



I hope this will help with any diagnosis of the situation and possible solutions.

Acreo Aeneas
2006-09-26, 06:45
I have not continued the Windows Update process since, the next updates will require me to restart the computer. I'm afraid if I do, I will encounter that error once again.

And if I do, I'm left with another reformatting of his system and a fresh install of Windows all over again.

I'm also afraid this might be a serious rootkit, the ones that survive reformatting.

Acreo Aeneas
2006-09-28, 04:22
I also did another virus scan using AVAST v4 on bootup, and it did find a trojan that was in one of my brother's backed up files (from his last system) and I promptly deleted it.

The system will not boot into Windows normally anymore. Although I am able to get into Safe Mode without a hitch.

Acreo Aeneas
2006-09-30, 01:17
I tested out my theory that this "virus" is not just a normal virus but a rootkit.

I have already done a reformat, installed Windows, and all service packs and updates. During the update process I had ZoneAlarm Pro running, along with AVAST v4 with resident scanner active and settings set to High. It seems whatever was loaded onto the hard drive the first time around has survived several reformats. I just got the "winlogon.dll could not be loaded" error.

I'm in need of serious assistance in removing this virus/rootkit.

LonnyRJones
2006-10-02, 10:41
Hi Acreo
My first thought was to suggest deleting your brother's backups, then reformat and install Windows again; that way he cannot put the infection back.
Other than that, all I can suggest is multiple online scans and posting a report from each. Panda and Kaspersky are good with reports.

The next time you go through format and install, the first thing that should be done is install an antivirus program, and a third-party firewall too, even before getting Windows updates.

Acreo Aeneas
2006-10-04, 02:14
Well so far, this reformat has gone off without a hitch. Before this reformat, I had used every virus scanner (in system and online) and none of them detected anything.

So far that error or any other programs crashing has not occurred. I've decided on a two week probation period to see if anything crops up on this system. But I believe this past reformat has gotten rid of whatever it was that was plaguing his system.

Acreo Aeneas
2006-10-04, 04:20
It seems I have spoken too soon. Winlogon.dll error popped up when my brother tried booting into Windows again. He can use Safe Mode for now, but for how long I don't know. None of the virus scanners have turned up anything. I can't decipher the hijackthis log, spybot S&D didn't turn up anything either, adware didn't turn up anything. As far as I'm concerned, everything that I've run to determine where the problem exists and how to fix it tells me that there is nothing wrong with his system, but that winlogon.dll keeps popping up.

LonnyRJones
2006-10-04, 05:28
Quote the error word for word and mention when in the startup process it happens.

Your PCs are networked? How many?

Acreo Aeneas
2006-10-04, 05:34
4 systems are networked together. My other three systems are fine, no viruses or anything wrong with them. His system is the only one experiencing this repeatedly occurring problem.

The title of the window is: "winlogon.exe - Bad Image"
The error message is: "The application or DLL C:\WINDOWS\system32\odbcint.dll is not a valid Windows image. Please check this against your installation diskette."
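What the "Bad Image" text in that post actually reports is that the loader rejected the file's headers before it ever mapped it, which is the same symptom whether the file was damaged by a bad sector, a bad copy from the install CD, or something that overwrote it. The following script is an added example, not code from this thread or from any tool mentioned in it; it performs the same structural header checks (DOS 'MZ' stub, e_lfanew, 'PE\0\0' signature, COFF header) on a few constructed byte strings that stand in for a healthy DLL and three kinds of damage. The function names and the sample data are my own.

```python
import struct

# Layout constants from the Microsoft PE/COFF specification.
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C           # DWORD in the DOS header holding the offset of the NT headers
COFF_HEADER_FMT = "<HHIIIHH"     # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                                 # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
MACHINE_I386 = 0x014C
MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def check_pe_image(data: bytes) -> dict:
    """Classify the header bytes of a would-be PE image.

    Returns {"valid": bool, "reason": str, "machine": int|None, "is_dll": bool|None}.
    These are the structural checks a loader performs before mapping a file; a
    failure here is the kind of damage behind a "not a valid Windows image" error.
    Section tables, imports and Authenticode signatures are deliberately not checked.
    """
    verdict = {"valid": False, "reason": "", "machine": None, "is_dll": None}
    if len(data) < 0x40:
        verdict["reason"] = "file shorter than a DOS header (truncated)"
        return verdict
    if data[:2] != DOS_MAGIC:
        verdict["reason"] = "missing 'MZ' DOS signature (overwritten or not a PE file)"
        return verdict
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if e_lfanew + 4 + struct.calcsize(COFF_HEADER_FMT) > len(data):
        verdict["reason"] = f"e_lfanew 0x{e_lfanew:x} points past the end of the data"
        return verdict
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        verdict["reason"] = "missing 'PE\\0\\0' signature at e_lfanew (corrupted NT headers)"
        return verdict
    machine, _nsect, _ts, _symptr, _nsyms, opt_size, flags = struct.unpack_from(
        COFF_HEADER_FMT, data, e_lfanew + 4)
    verdict["machine"] = machine
    verdict["is_dll"] = bool(flags & IMAGE_FILE_DLL)
    if machine not in (MACHINE_I386, MACHINE_AMD64):
        verdict["reason"] = f"unexpected machine type 0x{machine:04x}"
        return verdict
    if not flags & IMAGE_FILE_EXECUTABLE_IMAGE:
        verdict["reason"] = "IMAGE_FILE_EXECUTABLE_IMAGE not set (object file, not a loadable image)"
        return verdict
    if opt_size == 0:
        verdict["reason"] = "SizeOfOptionalHeader is 0; images must carry an optional header"
        return verdict
    verdict["valid"] = True
    verdict["reason"] = "DOS/PE/COFF headers are consistent"
    return verdict


def check_pe_file(path: str, header_bytes: int = 64 * 1024) -> dict:
    """Run check_pe_image() on the first header_bytes of a file on disk (hypothetical helper name)."""
    with open(path, "rb") as fh:
        return check_pe_image(fh.read(header_bytes))


def build_test_headers(machine=MACHINE_I386,
                       flags=IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL,
                       opt_size=0xE0) -> bytes:
    """Constructed test data: a bare DOS header, PE signature and COFF header, nothing else."""
    dos = bytearray(0x40)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)  # NT headers start right after the DOS header
    coff = struct.pack(COFF_HEADER_FMT, machine, 1, 0, 0, 0, opt_size, flags)
    return bytes(dos) + PE_SIGNATURE + coff


# Constructed samples standing in for a healthy DLL and three kinds of damage.
GOOD_DLL = build_test_headers()
TRUNCATED = GOOD_DLL[:0x30]                        # partial write / bad sector at the start of the file
OVERWRITTEN = b"\xff" * len(GOOD_DLL)              # header sector replaced with garbage
BAD_NT_SIGNATURE = bytearray(GOOD_DLL)
BAD_NT_SIGNATURE[0x40:0x44] = b"XX\0\0"            # 'MZ' intact, 'PE\0\0' damaged
BAD_NT_SIGNATURE = bytes(BAD_NT_SIGNATURE)
OBJECT_FILE = build_test_headers(flags=0, opt_size=0)  # COFF object: never a loadable image

if __name__ == "__main__":
    for name, blob in [("GOOD_DLL", GOOD_DLL), ("TRUNCATED", TRUNCATED),
                       ("OVERWRITTEN", OVERWRITTEN), ("BAD_NT_SIGNATURE", BAD_NT_SIGNATURE),
                       ("OBJECT_FILE", OBJECT_FILE)]:
        v = check_pe_image(blob)
        print(f"{name:17} valid={str(v['valid']):5} {v['reason']}")
```

On a live machine, `check_pe_file` can be pointed at the DLL named in the error and at a known-good copy (the install media or the dllcache folder) to see whether the on-disk headers are damaged at all. If the file checks out structurally but Windows still refuses it, the problem lies deeper than the headers (a wrong version or a modified file), and Windows' own `sfc /scannow` is the tool that compares system files against the protected copies.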

LonnyRJones
2006-10-04, 05:48
That's a Windows file, so it sounds like either the CD you used to install is scratched or perhaps there are bad sectors on the drive. Have you run chkdsk on it lately?

Start > Run > type in cmd
At the command prompt type in
chkdsk C: /r
or whichever drive you want to check > Enter
Accept the message that chkdsk will run at the next reboot.
Restart your PC
Then run Disk Defragmenter
Start > Programs > Accessories > System Tools > Disk Defragmenter

tashi
2006-10-10, 08:18
This topic has been closed to prevent others with similar issues posting in it.
If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.