Process xxx[winlogon.exe], memory block xxxxxxxxxxx Threat: Win32:Exchanger-M[Trj]
Process xxx[winlogon.exe], memory block xxxxxxxxxxx Threat: Win32:Zlob-RF[Trj]
Process xxx[winlogon.exe], memory block xxxxxxxxxxx Threat: Win32:Renos-TF[Drp]
Boot-time scan is clean. MBAM reports clean. Virus Total Uploader can’t access winlogon process. No other AV running which would cause a false positive.
If I knew of a way of searching this forum, I would have done it. Since there are no files which are reported to be infected, I am at a loss on what to do. I am aware that winlogon loads other processes and that searching through the registry may be the key to resolving this. Any idea on what to do now?
If I knew of a way of searching this forum, I would have done it
search button in top right corner... try searching for "memory scan" with quotes
was this a custom scan with “scan memory” selected ?
if so that often gives some strange scan results, the forum is full of these… you will see when you search
I recommend using the default quick / full scan with default settings
was this a custom scan with “scan memory” selected ?
Yes, I had everything including memory selected and search of files on drive C
I had been using this custom scan for months but it just started reporting this about 5 days ago when it did find a virus that changed my proxy settings on IE. Avast removed the virus. I removed the IE proxy settings and everything works fine except for these remaining items which continue to be logged. Now I am unsure if there is anything residual I need to work on. Let me know if anyone has any additional ideas.
I will search and see what I can find. I don’t know how I missed the search button unless it wasn’t there before I registered.
Aside from the question of the type of scan and settings which has been asked.
I would like to know what winlogon.exe is doing loading signatures into memory as this process is no security application. Since there are many instances of winlogon.exe being a trojan if it isn’t located in the c:\windows\System32\ folder, the legit location.
So we need to know where this winlogon.exe is located, you could check the Process ID the bit you XXXed out in the task manager. If you have Vista or later you can view the path for that Process entry. This should show the actual location of that instance of winlogon.exe and if there is any associated hooking to that file (see next paragraph) and by what.
However, as mentioned there are instances where other security applications hook the winlogon.exe file to load their processes, I don’t know if this is the case here.
EDIT: In the Task Manager, View, Select Columns, and select the Command line option.
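The location check described in the post above, as an added PowerShell example that is not part of the original thread. It assumes PowerShell 3.0 or later and the default System32 location named in the post; the variable names are illustrative.

```powershell
# Added example: list every running winlogon.exe with its on-disk path,
# command line and signature status, and flag any instance that was not
# loaded from %SystemRoot%\System32.
$expected = Join-Path $env:SystemRoot 'System32\winlogon.exe'

Get-CimInstance Win32_Process -Filter "Name = 'winlogon.exe'" | ForEach-Object {
    $path = $_.ExecutablePath
    $signature = $null

    if (-not $path) {
        # winlogon.exe runs as SYSTEM, so a non-elevated session may not
        # be allowed to read its path or command line.
        $verdict = 'path unavailable (rerun from an elevated prompt)'
    }
    else {
        # Authenticode status of the file this instance was started from.
        $signature = (Get-AuthenticodeSignature -LiteralPath $path).Status
        if ($path -ieq $expected) {
            $verdict = 'expected location'
        }
        else {
            $verdict = 'UNEXPECTED location, investigate this file'
        }
    }

    [pscustomobject]@{
        ProcessId   = $_.ProcessId
        SessionId   = $_.SessionId
        Path        = $path
        CommandLine = $_.CommandLine
        Signature   = $signature
        Verdict     = $verdict
    }
} | Format-List
```

One winlogon.exe per logon session is normal, so several entries that all show the expected location are not a finding in themselves.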
I had been using this custom scan for months but it just started reporting this about 5 days ago when it did find a virus that changed my proxy settings on IE
well you can let essexboy have a look inside to see if everything is ok.....
To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( OTL log ) save OTL log as ANSI
Essexboy will look at the logs when he arrives here later today…
I ran Spy Emergency, which is a free trojan removal tool (15 day fully working trial) and observed it scanning the several instances of winlogon.exe with the counterparts it was loading and that passed cleanly. Since the computer seems fine and all other virus checks are fine, I am going on the assumption that the Avast memory scan produced a false positive.
Thanks for the help and for pointing me in the right direction. It may be a good idea for those of you involved in problem resolution to check out Spy Emergency to see if it would be a good tool.