
Status
Not open for further replies.
1 - 6 of 6 Posts

·
Registered
Joined
·
2 Posts
Discussion Starter #1
At first I thought this might be a virus, but now I'm really confused as to what it is. I'm giving as much information as I can, because a lot of these results were surprising to me.

- Version of the OS. If Service Packs are installed, mention these too.
Windows XP Home with SP3. HP Pavilion Laptop from early 2005. It can also dual boot.

- If the OS produces an error, either upload a screenshot of the error message (ALT+PrtScrn), or literally quote
the error in your post at the forum (Preferred).
"Windows cannot find 'logon.exe'. Make sure you typed the name correctly and try again..." Then something about locating the file using Search.

- Were there recent crashes that could have caused this problem?
Yes, I tried installing/uninstalling MySQL several times. After the first install, I tried to start up MySQL. However, it prompted for a password, and I entered the MySQL root password. It failed (perhaps I should have entered my Windows password), so I uninstalled it. I reinstalled MySQL, now I get a "Cannot start MySQL service" error. This was because there was still a MySQL service running. I stopped it, but I couldn't get rid of the error, so I cancelled the install. I uninstalled MySQL, but it got stuck at step 2/2 for around 10 minutes, so I clicked cancel. It also crashed Youtube, so I ended up closing my browser (Chrome). Then I waited another 5 minutes for the uninstall to cancel, but it didn't. I tried to Ctrl + Alt + Delete. It appeared in the Systray but didn't show up after 5 minutes. I restarted, and the system seemed to register that a restart was issued but failed to restart after 1 minute. Then I turned the power off.

- Did you install new software recently? If this is the case: Which software? (Brand, version, build)
Yes. I recently installed an SVN server, TortoiseSVN, cygwin, and Serv-U. I deleted/compressed a lot of files. I defragmented my hard drive a few times. I got a static IP. I managed to boot up successfully after installing/changing these.
I then installed CCleaner (ran successfully, then uninstalled) and MySQL Community Edition version 5.1.37 for Windows x86 (installed at least twice). I did not boot up successfully after installing these.

- Did you do any of the following:
- Run a scan with an updated anti-virus program?
- Run a scan with an updated anti-Trojan program?
- Run a scan with an updated root kit detection program? (This only for Windows NT, W2K and newer!)
- Run anti-spyware scans with at least two freshly updated anti-spyware programs? (If so, which ones?)
No, computer can't start McAfee Security Center

Other symptoms:
  • My computer normally boots quickly (around 2 minutes), but it is slow now (around 5 minutes). The black Windows XP screen is normal, the blue Starting Windows screen is very slow, and the blue Loading your Personal settings screen was not very fast, but I can't conclusively say that it is slower than it was before. The computer is loud when it reaches the blue Starting Windows screen and subsequently thereafter, until a few minutes after Windows loads.
  • Shortly after my wallpaper appears, the Windows cannot find logon.exe error message appears. This is caused by userinit.exe (I used the command prompt to run userinit.exe and a similar but different error message, cannot find logon.exe or it is not a directory, appears). F:\system32\userinit.exe has not been modified since the day I installed Windows. I read that logon.exe is not a valid program. It is usually winlogon.exe.
  • Explorer and the start menu appear in the old style (Windows classic???). It seems that my user profile hasn't loaded.
  • The computer is slow to respond, and sometimes the CPU sounds like it's running very hard.
  • If you open up Task manager, there are about 10-15 fewer processes than normal. Occasionally svchost will start and run at 90-100% for a short length of time (around 1 minute), then stop. Even when svchost is not running and all processes are using 0%, the computer is slow to respond (but not as slow as when svchost is running).
  • I can open some programs, but not all. For example, I can open command prompts, msconfig, Explorer, regedit, Chrome, Notepad, and Launchy (a keystroke launcher). I cannot open McAfee Security Center or cuteFTP. When I open System Restore, it says "System Restore is not protecting your computer." I also cannot install or uninstall programs (Windows says something like Windows Installer is not loaded). I think this is because userinit.exe failed to finish.
  • I cannot Copy/Cut and Paste files or folders.
What I've done:
  • I opened up MSCONFIG to look for viruses. I saw nothing that I didn't recognize.
  • I opened up regedit and looked in Current Users/.../Run and Local machine/.../Run and didn't see anything that I didn't recognize.
  • Starting winlogon.exe does not change the appearance or allow me to run McAfee.
  • I changed my computer to diagnostic startup using MSCONFIG.
    Since I cleaned the registry that day, I imported the backup of the registry from right before I cleaned it and restarted. Same problems.
  • I found that the logon.exe it is looking for is F:\Documents and Settings\[username]\logon.exe, and it is expecting it to be a FOLDER. I created a folder named F:\Documents and Settings\[username]\logon.exe and rebooted. It opens up this folder on startup, but all other problems persist.
  • I downloaded Process Explorer (it didn't require an install, only unzip). When I hover over the process, it shows no information for svchost, only that it was "Generic DLL ...". I clicked Verify, and svchost started running again. After it finished around 1 minute later, the status in Process Explorer said Unable to verify.
  • As mentioned before, I cannot run System Restore or an Antivirus program.
Any information as to the cause of this problem would be much appreciated. Let me know if you need any other info about my system/problems.
Honestly, I'm very confused about what's going on, so any help at all would be wonderful.

Thanks,
Jeffrey
 

·
Team Manager - Networking, Moderator - Hardware
Joined
·
19,845 Posts
You could try running Restore to a save point before this issue occurred. You could also boot from your XP CD and perform a Repair.
 

·
Registered
Joined
·
2 Posts
Discussion Starter #4 (Edited)
Autorun returned HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, whose value was: explorer.exe logon.exe. I changed it to just explorer.exe and rebooted. The logon.exe problem is fixed.

However, I still cannot open up System Restore, so I can't restore my computer to an earlier point. svchost is still a problem.

System Restore says: System Restore is not able to protect your computer. Please restart your computer, and then run System Restore again.
 

·
Registered
Joined
·
1 Posts
I see that logon.exe is fixed but here is another common fix.

Missing comma after Userinit.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit

value should be "C:\Windows\System32\Userinit.exe,"
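
An added example, not part of the original posts: a small offline check of the two Winlogon values discussed in this thread (`Shell` and `Userinit`) against the values the posters give as correct. It assumes the key has been dumped in `reg query` text form; the sample dump is constructed, and the drive letter in it is illustrative.

```python
import re

# Constructed sample in `reg query` output style. The Shell data is the value
# reported in the thread; the Userinit data lacks the trailing comma.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe logon.exe
    Userinit    REG_SZ    F:\WINDOWS\system32\userinit.exe
"""

# Indented "name  REG_TYPE  data" lines; the unindented key path never matches.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def parse_values(text):
    """Return {value_name_lower: data} for every value line in the dump."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1).lower()] = m.group(3)
    return values


def audit_winlogon(text):
    """Return a list of findings for the Shell and Userinit values."""
    values = parse_values(text)
    findings = []

    shell = values.get("shell")
    if shell is None:
        findings.append("Shell: value missing")
    elif shell.strip().lower() != "explorer.exe":
        extra = [t for t in shell.split() if t.lower() != "explorer.exe"]
        findings.append(f"Shell: unexpected data {shell!r}, extra tokens {extra}")

    userinit = values.get("userinit")
    if userinit is None:
        findings.append("Userinit: value missing")
    else:
        if not userinit.endswith(","):
            findings.append("Userinit: missing trailing comma")
        # Every non-empty entry should be userinit.exe under system32,
        # whatever drive Windows is installed on.
        for entry in filter(None, (e.strip() for e in userinit.split(","))):
            if not entry.lower().endswith("\\system32\\userinit.exe"):
                findings.append(f"Userinit: unexpected entry {entry!r}")
    return findings
```

Calling `audit_winlogon(SAMPLE)` returns one finding for the extra `logon.exe` token in `Shell` and one for the missing comma in `Userinit`.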
 

·
Registered
Joined
·
1 Posts
Ok, I am not sure this is where I need to be asking this question but I am a little desperate at this point. I am an altogether noob when it comes to these things so let me explain what has happened in the only terms I know possible.

First off my pc was infected by a rootkit. I didn't know what my anti virus was saying when it said rootkit problem blocked, but as time went on my pc became slower and slower. I think it rebooted itself at night various times. To make a long story short I did nothing because I was completely unaware of what a rootkit was at that particular time and one morning my pc was downloaded with 100's of popups and I took my tower into best buy geek squad.

They saved what I needed to save onto a hard drive and reformatted my pc with a startup disk from hp.

I was recently on isohunt and my pc was attacked by a rootkit just from being on the site. I run avast anti virus and this didn't seem to be able to stop it whatsoever.

My pc became immediately infected with malware/spyware. The desktop changed colors and I went off a friend's advice and downloaded malwarebytes.org to remove the malware.

It removed the threats and my desktop looks the same, but when it rebooted and it started up I saw this familiar message, logon.exe
Windows cannot find 'logon.exe.' Make sure you type the name currently, and then try again. To search for a file, click the start button, and then click search.

I feel I removed the spyware, but that the rootkit is still on my system masking itself when the startup process begins. Now I really am a noob when it comes to this. What is the best and easiest way for me to remove this rootkit?

After I downloaded malwarebytes I downloaded sophos, but was unable to understand the results and what I should actually remove.

Most of the files if not all of them fall under the category not recommended after startup so it doesn't seem like it's a harmful file.

My question is with me being such a noob is there any easy to use program you guys feel targets this logon.exe rootkit I could remove myself?

Am I screwed? If you could help me through this I'd really appreciate it.
 