Two days ago, I linked to an adult website, and it began opening dozens and dozens of windows simultaneously. Now, my homepage gets reset to teen-biz.com....or something like that. Win Min does not respond upon shut down. I have run ad-aware and removed unwanted files, I've removed cookies, removed unwanted favorites, reset web page - no help, it pops back up to teen-biz when the computer is restarted.

After doing some research and running hijack this I found the problem, but am unable to remove the file.

I tried to drag it to the desktop and delete it there, but cannot move the file. I also cannot delete it from it's current location. It is not marked as read only...but as indexed. I think I need to remove it in DOS but don't know how.

The file is in C:\Documents and Setting\All Users\Start Menu\Programs\Startup. Its called winlogon and was created at the same time I started having the problem.

I also have three other winlogon's...all created or modified over a year ago. I am running XP, and have XPSP1, incase this is relevant somehow. Can someone PLEASE help me remove this file.

Read Me and make sure you update either/both products before using them.

Also go and download Cwshredder

KTTD

I already ran Ad-Aware, and deleted all relevant files. Also ran hijackthis: here are the results:

Logfile of HijackThis v1.97.7
Scan saved at 10:17:05 AM, on 12/12/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Online Services\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\Documents and Settings\Erin C. Eberhardt\Start Menu\Programs\Startup\msstask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\unzipped\hijackthis[1]\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://teen-biz.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://teen-biz.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://teen-biz.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://teen-biz.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dellnet.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [dlder] C:\WINDOWS\explorer\Explorer.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [SSRunScript] "C:\Program Files\Support.com\Charter\bin\SSRunScript.exe" /script "C:\Program Files\Support.com\Charter\vbs\verifyconnection.vbs" /args //b startupdelay
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Online Services\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: msstask.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: winlogon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

forgot to say I ran cwshredder also....deleted a file CWS.Alfasearch, updated 4 infected IE regisrrty values

I have to much of a headache to look at a logfile right now but someone will come along and check it out, give it time though.

KTTD

Run HijackThis again and place a check in the box next to the following items. Next, close all browser Windows, and have HT 'fix checked'.

You Must restart your computer when you're done.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://teen-biz.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://teen-biz.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://teen-biz.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://teen-biz.com/

O4 - HKLM\..\Run: [dlder] C:\WINDOWS\explorer\Explorer.exe
O4 - Global Startup: winlogon.exe

After restarting delete: C:\WINDOWS\explorer\Explorer.exe

***Note: Do not delete C:\WINDOWS\Explorer.EXE

HJT will not let me delete O4 - Global Startup: winlogon.exe, says unable to delete file, may be in use, go to task manger to shut down the program. Task manager will not let me shut down....critical system process.

Where do I go from here?

Hi Erin,
Boot into safe mode and delete
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe

Thanks Tom - you're great! Boy are those things a pain in the butt.!

I have the same problem except winlogon is located in the system32 folder, and even in safe mode i can't delete it, please email me with help @ kakashi420@yahoo.com

How can I delete the CFD.exe?
When I open processes I can see it runing, but HJT does not find it.