HELP PLEASE! Rootkit Hidden Process - winlogin.exe

Avast just warned me about a virus. I chose “Ignore” and then it asked if I wanted to reboot and have the computer scanned. I did, and it came up with a virus detection in:

Windows\System32\winlogin.exe
Rootkit Hidden Process

I picked “put in chest” and then when it told me that this was a windows program, was I sure I wanted to do that, I canceled the scan. I was afraid to fix it because of where it is, and that Windows might not work if I did (especially after Avast “said” what it did about am I sure I want to do that (put it in the chest) because it’s in Windows.

WHAT SHOULD I DO? (If you get the sense i’m panicking here, you’re right.) I use my computer all day, every day. (I did just back everything up.)

Pam

EDIT: In reading answers to questions in this forum, I have to admit I don’t completely understand a lot of them. I’m not extremely computer savvy. So, please take it easy on me!!

Is it winlogin.exe or winlogon.exe?
That makes a world of difference: winlogon.exe is legal and belongs to Windows, whereas winlogin.exe is rogue and can (should) be got rid of.

Thanks
Vlk

IF I copied it down correctly, it’s “in” winlogin.exe. I was afraid getting rid of it might mess up logging in, but with my slim knowledge, and seeing your answer that there is a winlogON and a winlogIN, putting winlogIN in the chest is okay?

Again, please forgive my obvious ignorance. I have been very fortunate in that I have NEVER had a virus or malware problem before. (Used Symantec for years, but switched to Avast a year or so ago.)

I’m running Spybot now, too.

THANK YOU!

Hi, PamJ. It appears you have a worm.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RPCSDBOT.A&VSect=T

I recommend Trend Micro Housecall (On-Demand only).

As avast! detects this, run a scan again and allow avast! to put winlogin.exe in the chest.

FreewheelinFrank, thank you! That’s what I had originally selected to do, but when the statement came up, something like: Are you sure you want to do this because it’s connected with Windows–I chickened out and didn’t do it (was afraid I wouldn’t be able to start Windows at all).

All my data is backed up at least. Whenever I get a new computer, though, I’m getting something to back up (or is copy?) my harddrive. Any suggestions on that?

Again, THANKS FreewheelinFrank!

Pam

As Vlk said, winlogin.exe is a phoney and can be deleted. You were wise to check it out first, but malware does put files into the Windows folder.

This is more because of its location in a system folder so it is advising caution (which you have now exercised) as it can’t confirm with 100% certainty if it is actually a windows system file, though in this case it would seem not.

This is a common trick to place malicious files in the system folders and to name them very like regular system files, to scare the pants off you to stop you dealing with it.

To be able to place files in the system folders it requires administrator privileges and malware inherits the privileges of the account being used. So if you can use an account without admin privileges it makes life harder for malware as it limits the potential for damage.

If you can’t do that you should consider DropMyRights; see Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings: winNT, win2k, winXP. Check Bob’s setup instructions and, importantly, the dropmyrights.msi file needed, as MS have now cleared the original link.
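The lookalike-naming trick described above (winlogin.exe sitting beside the real winlogon.exe) can be checked for mechanically. This is an added example, not code from the thread or from avast: it flags file names that are one edit away from a small, assumed allow-list of Windows binaries, run here over a constructed directory listing.

```python
import os
from typing import List, Tuple

# Assumed, illustrative allow-list of legitimate Windows binaries (not complete).
KNOWN_SYSTEM_BINARIES = {
    "winlogon.exe", "svchost.exe", "lsass.exe",
    "csrss.exe", "explorer.exe", "services.exe",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_lookalikes(filenames: List[str], max_distance: int = 1) -> List[Tuple[str, str, int]]:
    """Return (suspect, legitimate name, distance) for every file whose name is
    within max_distance edits of a known binary but is not itself on the allow-list."""
    hits = []
    for name in filenames:
        lower = name.lower()
        if lower in KNOWN_SYSTEM_BINARIES:
            continue  # the genuine file, e.g. winlogon.exe, is not a suspect
        for known in sorted(KNOWN_SYSTEM_BINARIES):
            d = edit_distance(lower, known)
            if d <= max_distance:
                hits.append((name, known, d))
    return hits


def scan_directory(path: str) -> List[Tuple[str, str, int]]:
    """Run the lookalike check over a real folder, e.g. C:\\Windows\\System32."""
    return find_lookalikes(os.listdir(path))


# Constructed sample listing standing in for the System32 folder in the thread.
SAMPLE_LISTING = ["winlogon.exe", "winlogin.exe", "svchost.exe", "svch0st.exe", "notepad.exe"]

if __name__ == "__main__":
    for suspect, known, d in find_lookalikes(SAMPLE_LISTING):
        print(f"{suspect} looks like {known} (edit distance {d})")
```

A hit is a reason to check the file's publisher signature and to scan it, not proof of malware; names like svch0st.exe are a classic disguise but a legitimately renamed file would be flagged too.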

DavidR, thanks for the info. Yep, scared the pants off me from doing anything with it!

I’ll check into not using an admin account. It’s my home office computer. I’ve been using another computer in the house for Internet stuff today. Went in to My Computer, I found winlogIN and winlogON sitting right next to each other in that System 32 folder. After I get some more work done, I’ll shut my computer off and stick that pesky critter in the chest. !avast shows the warning shortly after getting to the desktop after turning the computer on.

Excuse my ignorance, but how does Malware get on your computer? Can it get there just by being connected to the Internet, or do you have to download something? And I have !avast running, but I guess there are just some things that can’t be blocked.

Thanks again, everybody. Think I’ll start hanging around here a bit more. Some very educational information.

There really are too many potential entry points to cover in one post.
Read How did I get infected in the first place? and follow the advice. This is now an old article, last updated in February, but I think you will get the picture.

The alert you are getting is on the anti-rootkit scan, so this malware is potentially more serious: if it is a rootkit then its purpose is usually to hide some other malware, so the sooner you get rid of it the better, and then do a full scan or schedule a boot-time scan. Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, ‘Schedule boot-time scan…’ Or see http://www.digitalred.com/avast-boot-time.php.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

  1. SUPERantispyware On-Demand only in free version.
  2. MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.

the exact detection (not only the behavior based one) for this nasty will be released very soon… i’m quite sure that this file is a piece of malware, which tries to hide under the name similar to common windows file name…

The only thing I’ve downloaded recently is a newer version of a freeware program I use daily—Express Scribe transcription software from NCH. I just updated that program yesterday, and got the warning on the malware this morning. Don’t see anything on their site or forums indicating anyone having a virus or malware problem after downloading the newest version. Didn’t see anything when I Googled looking for a connection either. (Although come to think about it, I do think FireFox updated a few days ago.)

I just now found this transcription software on a few other sites that guarantee it’s free from viruses, malware, etc. Might delete the one I have and download again from one of these other sites (download3K, Softpedia). Good idea? Bad? Doesn’t matter? LOL

Can you download the .exe file for a program and then check that before actually installing? For some reason, I thought that was done automatically.

So, after I do the scan where I put this malware rootkit thingy in the chest, I do another scan? Just go into !avast and request a scan?

DavidR, this SUPERAntiSpyware is something different from !avast, I take it. Again, excuse my ignorance, but is #2 different from #1? And I guess the SUPERAntiSpyware creates a log and then asks if you want to report the findings? Sorry, I’m a little confused here between the #1 and #2. (I know you probably get tired of explaining these things over and over to different people!)

You guys sure have been a lot of help!

SAS is different to avast, as is MBAM (#1 and #2); they are specialist anti-spyware applications and their combined signatures might well sniff out something else (don’t worry about tracking cookies, a minor privacy issue). This multiple application approach to your security will give an improved detection rate; you will see them both in my signature of what I use on my system.

The free versions are also on-demand only, not resident, meaning unlike avast they don’t run in the background scanning files as they are accessed (an on-access scanner).

This is so odd. I did the scan when the warning came up. It found several things related to “mywebsearch,” which I put in the chest, but it didn’t bring up the one thing it warned me about–the rootkit winlogin thing. So, I went in and am doing a thorough scan on the windows/system32 folder, since I know that’s where it is.

Is it possible to put something in the chest manually?

Has anyone had avast warn them about something, and then have it not show up in a scan?

(Hope this makes sense–it’s after 3:30 a.m. and I’m falling asleep!)

Thanks!

as mentioned above - wait for the exact detection… standard on-demand scanner and antirootkit module are different parts of avast… there’s no defined relation between scanner and antirootkit detections, because each one uses another detection techniques… antirootkit module is based on behavioral detections and we don’t want to start killing detected files without having seen them… so there’s a default option to submit the file to our viruslab and let us analyse it… once the file is considered as really malicious, the exact detection is added and the malware can be cleaned with avast on-demand scanner… it’s safe from our point of view, cause the hot-headed deletion of anything found can do a lot of harm…

Maxx-original, less than ten minutes after I get into Windows, avast gives me a suspicious file warning that this rootkit has been detected. It gives me the choice of deleting, or ignoring. When I choose “ignore”, it then warns me that it’s dangerous to work with a virus in the operating memory, and suggests I let avast do a scan during the boot phase. If I choose “yes,” then the computer reboots and goes into an avast scan.

When I did the scan because of this warning for the first time yesterday, it found this item. I didn’t put it in the chest at the time, because I didn’t know what I was doing (see previous posts of mine)–and came running here! Last night, I went through the process in the above paragraph of this post three times, and avast never found the offending file during the boot scan, even though it warned me about it each time before I selected to do the boot scan. (Found a couple other things, though, including one other rootkit related to mywebsearch, and a webex thing.)

I tried doing a “thorough scan” on the windows/system32 file itself, and it came up with nothing.

DavidR, should I now just try those two programs you suggested?

If everything else fails, should I choose “delete” instead of ignore? I realize that’s really a no-no, because if there’s some small chance it’s not a virus/malware, I’ll be in trouble. (I do see the suspicious winlogIN file sitting right alongside the MS winlogON in Sys32).

The only scan I haven’t done is when you open avast, it automatically does a memory scan, but I’ve been stopping that scan so I can go right into the program. Is this scan different than other scans I’ve had avast do?

Anyone ever have avast continually give a warning about something, and then not find it so it can be put in the chest?

It doesn’t appear I can move the offending file to the chest manually, as the instructions for moving files into the “user files,” appear to say you have to open the file to do it, which of course I can’t do (doesn’t make sense to me, so maybe I’m reading the instructions on how to do it incorrectly).

Thanks!

Deletion as Maxx said isn’t a very good option as you effectively have none left.

But if this file can be found on your system you could have it analysed at VirusTotal - Multi engine on-line virus scanner and report the findings here. However, by its nature this file is likely to be hidden; as per the anti-rootkit scan (happens 8 minutes after boot), it is hiding from view.

  • Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders (see image). This however may not reveal a file hidden from the system.

As for the other two applications, I personally would run them; they too have the option to quarantine, etc.

PamJ: that’s exactly what i’m talking about… antirootkit detection goes another way than the scanner detection (antirootkit could be more proactive)… you have been notified about the infection and the file was sent to us (if you haven’t unchecked the default option)… the exact detection for avast scanner should be released soon (maybe today)…

Ah, now I think I see. The detection of the rootkit works differently than the scan(ner) does–any scan–which explains why it’s detecting it, but doesn’t see it during the scan! And the detection of this rootkit thing by the scan(ner) is what you mentioned should be released soon.

Yes, Maxx, that option to send to avast is checked. If it sends it every time the warning comes up, you probably have received it about 5 or 6 times by now. (Sorry!) (Didn’t know if maybe a log was kept of things sent to avast, so when/if it comes up again, it won’t send a duplicate.)

Again, please excuse my ignorance on some of this stuff. I am learning, though!

DavidR, you are a genius! The hidden files option was already set to disable (meaning the files aren’t hidden), but I did have to change the protected system files so they wouldn’t be hidden. I was going to do a boot-time scan, but had a few questions about it (which I’ll post later in another thread), so I decided to try the simple way first, and just did a thorough scan on the sys32 folder. (Doing this scan before “unhiding” the system files didn’t find anything.)

THIS time the scan found it, and I was able to move it into the chest. Now I can breathe a little easier while I learn a bunch more, get some more security on my system, and run some of those other AV programs you mentioned to get things as clean as possible.

Thank YOU!