I’ve had a few problems recently that lead me to believe there’s a virus / worm on my computer, but nothing’s been found yet:
computer is running slower than usual, especially windows media player (video is always jerky for example)
computer randomly shuts down - e.g. I’ll be using the computer (browsing the internet, watching a movie, doesn’t seem to be process specific) and then without warning the computer shuts down (no Windows shut down screen, it just goes black). I’ve noticed when I try to run Spybot it always shuts down in the middle of a scan (maybe triggered by the malware being detected??)
I’ve run a boottime scan with AVAST, which didn’t detect any errors. Microsoft Antispyware didn’t detect anything bad. Hijackthis analysis was fine also.
Also, for some reason my Avast on-going protection (the one that runs in the sys tray) has disappeared but I don’t know how to bring it back.
I’m running Windows XP, SP2.
Zone Alarm Firewall, Avast 4.6 VPS 0541-1
Does anyone have any ideas on what I should do? It seems likely to me that I’ve got some kind of malware on my computer, but I don’t have any definitive proof yet
We really need details rather than just symptoms; give us a rundown of your system and how long it’s been installed. Are all the cleanable areas (temps) clean?
Have you recently done a defrag?
You can check if the resident shield is working in Task Manager (Ctrl, Alt, Del); look for 4 avast related processes.
Try running Spybot in safe mode.
Sounds more like an overheating problem to me, can you check your temperatures?
EDIT: I just saw you have ZA installed, do you have the latest one? Cause some users here reported similar problems since the newest ZA update, apparently going with the previous version solves a lot of problems… Just a thought
Before I post the hijack this log, can anyone tell me how to get avast in the sys tray and starting up with Windows again? It doesn’t seem to be doing it …
BTW, my zone alarm is a new-ish version:
ZoneAlarm version:6.0.667.000
TrueVector version:6.0.667.000
Driver version:6.0.667.000
I’ve defragged recently, using executive diskeeper.
Below is the HijackThis log - I analysed it online, and it looks ok. Although the “file missing” messages next to the avast processes are a bit disconcerting.
any help much appreciated
How do I check my temperatures?
Logfile of HijackThis v1.99.1
Scan saved at 12:32:54 p.m., on 22/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Just checked my own winlogon.exe and there’s no false positive from avast! or any of the Jotti scanners. Try submitting yours to Jotti and let’s see what comes up. Don’t delete the file, because you won’t be able to log in to XP.
I would suggest you install Ewido from www.ewido.net/en.
This good & FREE program "specializes" in the detection and removal of trojans, worms, dialers, etc.
If the computer is shutting down randomly, it can be a hardware problem too.
Go in BIOS → pc-health → change/enable temperature warning to 46C or 50C
Go in BIOS → advanced chipset features → enable S.M.A.R.T.
Go into failsafe mode and wait a few hours; if nothing happens, then it is malware.
Use a few different antivirus cleaning tools that were recommended above.
And also some online-scanners.
The file that is apparently infected is c:/windows/system32/winlogon.exe
I wanted to submit it to the jotti file check website, but could not even find the file; in fact I can’t even see the System32 folder, which is very odd.
Not being able to view/find such an important folder is strange /…
C:\WINDOWS\system32\winlogon.exe should/could be a legit file… be careful and have your XP CD at hand…
Are you showing hidden files and folders?
To unhide them, open any folder and go to Tools > Folder Options > View, then scroll down to where it says ‘Hidden files and folders’ and then check/tick the ‘Show hidden files and folders’.
Yep, I do have view all files selected, and I can see plenty of folders in the Windows directory, but not the system32 one - it’s as if the malware is hiding that folder.
When I do a search for the file winlogon, the only search results that appear are:
winlogon.exe in c:\i386
winlogon.exe in C:\WINDOWS\$NtServicePackUninstall$