Hey, my avast said my winlogon.exe was a trojan… listened to it and moved it to chest… whoops…
anyway, re-installing windows right now, but any idea why it happened?
That is odd. “C:\WINDOWS\system32\winlogon.exe” should be locked by Windows, even in Safe Mode!
Was this the location? There are some worms that masquerade as legitimate Windows files.
Yeah… re-install finished, but I’ll put up the log from the check…
6/18/2007 3:44:16 PM SYSTEM 1472 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\system32\winlogon.exe” file.
6/18/2007 3:44:32 PM SYSTEM 1472 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\system32\dllcache\winlogon.exe” file.
6/18/2007 4:09:13 PM user 2924 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\Temp_avast4_\unp35277147.tmp” file.
6/18/2007 4:13:37 PM user 2924 Sign of “Win32:Trojan-gen. {UPX!}” has been found in “C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4HEVGHQF\eds[1].php” file.
6/18/2007 4:14:24 PM user 2924 Sign of “Win32:Tiny-HL [Trj]” has been found in “C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\SPYBGPM3\qafwrm[1].htm” file.
6/18/2007 4:15:02 PM user 2924 Sign of “Win32:Agent-HXU [Trj]” has been found in “C:\avenger\backup.zip\avenger\xpdx.sys” file.
6/18/2007 4:33:27 PM user 2924 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\Programs\avenger\avenger.exe” file.
6/18/2007 4:34:11 PM user 2924 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\Programs\avenger\avenger.zip\avenger.exe” file.
6/18/2007 4:35:45 PM user 2924 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\System Volume Information_restore{081F016F-11E5-4C3D-9CBE-7446313B55E3}\RP1\A0000004.exe” file.
6/18/2007 4:35:51 PM user 2924 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\System Volume Information_restore{081F016F-11E5-4C3D-9CBE-7446313B55E3}\RP1\A0000012.exe” file.
6/18/2007 4:35:56 PM user 2924 Sign of “Win32:Agent-HKG [Trj]” has been found in “C:\System Volume Information_restore{081F016F-11E5-4C3D-9CBE-7446313B55E3}\RP1\A0000033.dll” file.
6/18/2007 4:36:00 PM user 2924 Sign of “Win32:Agent-HKG [Trj]” has been found in “C:\System Volume Information_restore{081F016F-11E5-4C3D-9CBE-7446313B55E3}\RP1\A0000034.dll” file.
I downloaded something dodgy a few weeks back, had to use avenger to get rid of some file called xpdx.sys… Ran a scan after that and everything was ok until now.
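Added example, not part of any post in this thread: a small Python parser for the log format posted above that groups detections by where the flagged file sits on disk, so hits on live system files can be told apart from stored copies (dllcache, System Restore snapshots, browser cache, archives). The category labels and function names are assumptions made for this illustration; the sample lines are copied from the log above.

```python
import re
from collections import defaultdict

# Five lines copied from the scan log posted above, in the format shown on this page.
SAMPLE_LOG = r"""
6/18/2007 3:44:16 PM SYSTEM 1472 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\system32\winlogon.exe” file.
6/18/2007 3:44:32 PM SYSTEM 1472 Sign of “Win32:Trojan-gen. {Other}” has been found in “C:\WINDOWS\system32\dllcache\winlogon.exe” file.
6/18/2007 4:13:37 PM user 2924 Sign of “Win32:Trojan-gen. {UPX!}” has been found in “C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\4HEVGHQF\eds[1].php” file.
6/18/2007 4:15:02 PM user 2924 Sign of “Win32:Agent-HXU [Trj]” has been found in “C:\avenger\backup.zip\avenger\xpdx.sys” file.
6/18/2007 4:35:56 PM user 2924 Sign of “Win32:Agent-HKG [Trj]” has been found in “C:\System Volume Information_restore{081F016F-11E5-4C3D-9CBE-7446313B55E3}\RP1\A0000033.dll” file.
"""

# Fields: timestamp, account, numeric id, signature name, file path.
LINE_RE = re.compile(
    r"^(\S+ \S+ [AP]M) (\S+) (\d+) Sign of “(.+?)” has been found in “(.+)” file\.$"
)

# Checked top to bottom; the first matching substring wins, so the more
# specific dllcache path is tested before the general system32 one.
LOCATIONS = [
    ("\\dllcache\\", "dllcache copy"),
    ("system volume information", "System Restore snapshot"),
    ("temporary internet files", "browser cache"),
    (".zip\\", "inside archive"),
    ("\\windows\\system32\\", "live system file"),
]

def classify(path):
    """Return the (illustrative) location label for a flagged path."""
    lowered = path.lower()
    for needle, label in LOCATIONS:
        if needle in lowered:
            return label
    return "other"

def triage(log_text):
    """Group detections by where the flagged file sits on disk."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip blank or unrecognised lines
            _when, _account, _num, signature, path = m.groups()
            groups[classify(path)].append((signature, path))
    return dict(groups)

if __name__ == "__main__":
    for label, hits in triage(SAMPLE_LOG).items():
        print(label)
        for signature, path in hits:
            print("   ", signature, "->", path)
```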
This file is necessary for correctly booting the computer.
Is it in the Chest right now?
Is there a ‘new’ file in the same location after reinstalling Windows (over the old installation I suppose)?
If you disable System Restore and then Enable again, the infected points (and files) will be cleaned.
I have a problem with winlogon.exe too. When my Avast is running this process takes 30-60% of my CPU. When I turn off Avast the process stays at 0%. Why is that? I reinstalled the Windows and now Avast says that some DLLs in my C\Windows\system32\ are trojans and sometimes my PC restarts when Avast is on. :'( :'(