This is actually on my wife’s HP desktop computer. Whenever it boots lately, a popup comes up stating that Avast has blocked a trojan and lists winlogon.exe as the bad boy. What do I do about fixing it? It’s always the same file, so I doubt that it’s going into the virus vault… it must be a file that Windows needs to run. She’s running Windows XP with all the latest service packs. I believe we’ve got the auto-update engaged, so any patches from Microsoft should have been applied.
You don’t say what the malware name is, and that helps us to determine what the problem is.
This file and a number of others are targets of malware, and code can be injected into it or it can be replaced. Whatever you do, don’t remove it, or your system could become an expensive paperweight.
Even though it is infected the system still runs, and this will require specialist malware removal help to resolve. Essentially the underlying infection needs to be dealt with before this file can be replaced with a clean copy.
Hi, it may be an infected system file, which is why Avast does not want to delete it.
Download OTL to your Desktop
[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
CREATERESTOREPOINT
[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
[*]When the scan completes, it will open two Notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs
Thanks essexboy for joining the topic.
That’s what I be here for ;D
Now all we need is drgrafix to come back.
David/Essexboy… LOL, I promise I’ll be back. This is my wife’s PC (I use a Mac) and I have to find the “opportune” time to get on it and try to fix what may or may not be wrong. She is a total novice, so I get tons of false alarms. She’ll be back on in a few minutes, so it’ll have to wait a little longer. I will follow your great instructions and report back.
Edit: OK, I was able to do the scan so I’ll attach the two files for your perusal. -M
Regards… Mike
Definitely infected
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
:Files
ipconfig /flushdns /c
C:\WINDOWS\explorer.exe|C:\WINDOWS\ServicePackFiles\i386\explorer.exe /replace
C:\WINDOWS\system32\winlogon.exe|C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe /replace
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN
Download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
[*]Double click on ComboFix.exe & follow the prompts.
[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
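The /md5start block in the earlier OTL scan and the /replace lines in this fix rest on the same idea: hash the live winlogon.exe and explorer.exe, compare them with the pristine copies XP keeps under ServicePackFiles\i386 and $NtServicePackUninstall$, and swap the clean copy in when they differ. The Python below is an added example, not OTL's code or anything posted in this thread; the reference-path list, the `.suspect` quarantine name and the constructed sample files are assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Reference copies XP keeps on disk (paths from the OTL fix in the thread); assumed layout.
REFERENCE_COPIES = {
    r"C:\WINDOWS\explorer.exe": [r"C:\WINDOWS\ServicePackFiles\i386\explorer.exe"],
    r"C:\WINDOWS\system32\winlogon.exe": [r"C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe",
                                          r"C:\WINDOWS\ServicePackFiles\i386\winlogon.exe"],
}

def md5_of(path):
    h = hashlib.md5()
    with open(path, "rb") as f:  # stream it; system binaries need not fit in memory
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_file(live, references):
    """'ok', 'mismatch' (patched/replaced), 'missing' or 'no-reference' vs. the first reference present."""
    if not Path(live).is_file():
        return "missing"
    for ref in references:
        if Path(ref).is_file():
            return "ok" if md5_of(ref) == md5_of(live) else "mismatch"
    return "no-reference"

def audit(targets=REFERENCE_COPIES):
    # Read-only pass over every target; run this before touching anything.
    return {live: check_file(live, refs) for live, refs in targets.items()}

def restore_from_reference(live, ref):
    # Keep the suspect copy for analysis, then put the clean copy in its place.
    # As the thread notes, do this only after the infection itself is dealt with,
    # or the freshly restored file is simply patched again.
    quarantine = str(live) + ".suspect"
    shutil.move(str(live), quarantine)
    shutil.copy2(ref, live)
    return quarantine

def demo():
    # Constructed sample in a temp dir: a clean reference and a "patched" live copy.
    root = Path(tempfile.mkdtemp())
    ref = root / "ServicePackFiles" / "i386" / "winlogon.exe"
    live = root / "system32" / "winlogon.exe"
    clean = b"MZ clean winlogon image (constructed, not a real PE)"
    ref.parent.mkdir(parents=True); ref.write_bytes(clean)
    live.parent.mkdir(parents=True); live.write_bytes(clean + b"<appended stub>")
    before = check_file(live, [ref])
    restore_from_reference(live, ref)
    after = check_file(live, [ref])
    shutil.rmtree(root)
    return before, after
```

On a real XP box, `audit()` is the safe first step; `restore_from_reference` is the equivalent of OTL's `/replace` and should only run on files `audit()` flagged as a mismatch.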
I know a lot of time has passed since I last posted on this topic, and I apologize for not following up. :-\ I have occasionally been plugging away at this problem and I think I have it minimized (whatever that means LOL) to the point where she is no longer getting repeated popups warning about trojans or whatever. I did a scan with Malware bytes and came up clean, and then did a subsequent full scan with Avast last night and it showed 14 corrupted files. Amazingly the machine still runs and she’s not complaining but I’m wondering about those “unrepairable” files that can’t be deleted. She’s running XP Pro with SP3 and the firewall is on as is automatic updates (finally).
So I’m wondering if I can either fix XP Pro or would it be best to go out and buy W7 and upgrade? I’m thinking W7 would have better support and might replace all those corrupted Windows files maybe/maybe not? Looking for some advice on that aspect.
Since time has passed, I did another scan and tried to attach the (updated) results for perusal and further instructions, but for some reason when I try to attach, it goes back to the old files, plus the scan is not generating the extras.txt file, so I deleted both and will try again.
As always… Thanks for the help. I have some time over the next few days and access to this computer, so I’d like to fix it right.
OK, I tried four times now, and because I can’t use Windows Explorer, the browse function can’t find where the files OTL.txt and Extras.txt are stored. So when I go to Recent Documents and see the files and highlight them… I’m told to browse for them. Can’t click and save to my desktop. Also can’t figure out how to set up the output of OTL so it saves the text files in a place where they are really available.
That is because explorer is probably still infected
Did you manage to download and run ComboFix?
I did download it but haven’t run it yet. Should I run it without being able to give you those txt files? Got a crazy weekend, granddaughter’s birthday tomorrow and then Monday I’m helping my daughter move. How long does ComboFix take to do its thing? I should be able to squeeze it in between tonight and noon tomorrow. Do I need to do anything special or save any special logs?
It doesn’t take long to run it and you only need ComboFix to run it. Go ahead and do it as it won’t take too long. Thank you.
It took a couple of passes actually… but I was finally able to run ComboFix! I will attach the log file for examination.
That is because explorer is probably still infected
Now does not
Could he is be much harder ;D
Methinks a result
Are you experiencing any further problems?
Everything seems normal, but should I run a scan with MW Bytes and/or Avast! to prove it out?
It is always worthwhile doing that just for peace of mind
Ran the MW Bytes scan and all was well. No malicious items reported. Then ran the Avast! quick scan and it reported three (3) high severity infected files:
Two (2) were listed as C:…\A0035733.exe and A0035734.exe Threat: Win32:patched-RP [Trj]
One (1) was listed as C:.…\A0035750.exe Threat: Win32:Bamital-AO
I don’t know how to find the latest Avast logs or I would attach them. I put the three infected files in the vault since I wasn’t able to “repair” them. I’m running another scan to see if it comes up clean.
So am I 100% free and clear or is there still something trying to screw this machine up? BTW. thanks so much for the help guys!
OK, they are in your restore points; flush them to remove.
Or I could do that for you
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
Hey EssexBoy! Thanks so much for all your help! Ran your little “script” in OTL last night, then ran an AVAST! quick scan overnight to confirm that there were no more corrupted or infected files.
Started going through this computer and deleted any unused and unnecessary files (there were a few never used since 2006 LOL) and now I’m doing a disk defrag for good measure. I’m going to try and tutor the wife to update/run Malware Bytes at least weekly. BTW, should I try the latest Avast Beta?
I myself use a combination of my iMac and a Shuttle PC. The Shuttle is currently running Vista (don’t ask) and I’m using Panda Cloud… but after my experience here, I am going to switch over to Avast! if for nothing else… just knowing what a great bunch of volunteer folks you guys are.
Thanks again, and I hope we don’t see any more Trojans trying to get into her computer!
Best Regards… Mike