Page 1 of 2 (results 1 to 20 of 24)
  1.    #1  
    I know this is not a Windows forum, but with all the smart ones here I figured it can't hurt to cast a wide net for this issue.

    My desktop WinXP machine has been infected with a really nasty, nasty trojan. It seems to be embedded in windowslogon.exe, and even when I copy a clean copy over it, kill the process and reboot, it's Baaaccckkk.

    I have Vipre AV and Malwarebytes running and scanning all the time, yet this bugger still somehow got in.

    I spent 2 hours on a remote session with a malware expert who also could NOT get this F^%^%%R to go away.

    Anyone have any ideas for this? It's really Pi55ing me OFF!
    I have always been a "Phone" person. My love of "Phones" started at an early age. Avatar to the left, is circa 1952, see the sparkle in my lil toddler eyes
    Cell History: Bag Phone, Brick Phone, Various Micro Tacs, Treo's, Centro, the PRE!


    I Pre

  2. #2 (irateb)
    My usual fix on people's computers is ComboFix, followed by Malwarebytes Anti-Malware, then Spybot Search & Destroy, and then whatever AV they're running, or Avast if they don't have one. ComboFix will usually get you to where you can get other things running. If it's really bad, you may need to run it in safe mode. Good luck!
  3. #3  
    There is no valid Windows file called "windowslogon.exe" (Google it); that is the malware. There are many malware cleaners that can be put on a boot disk so that you can restart and scan the file system before Windows boots up. Find one of these and use it.
    Pet Peeve: When people use photographs of themselves as Avatars. There's something unsettling about their big faces staring back at me in the forums. . . . Maybe I'm just paranoid.
  4. #4  
    Usually you can find a specific removal tool on the McAfee or Norton web sites for the nastier malware.
  5. #5  
    Boot into safe mode by pressing F8 a few times while it's booting up, THEN run those programs. At least get it to a point where you can back up all major pictures/videos/music/docs (now is as good a time as any to do this). But first run Malwarebytes in safe mode, then run Spybot in safe mode.
  6. #6  
    Save data to a jump drive, then format C:. It usually takes as long as all the troubleshooting, in my experience.
  7. #7  
    Another trick I sometimes use for hard cases like this is to remove the "bad" drive and put it in another system (a fully updated but non-critical laptop or PC) as the second system's 'E' drive.

    The 2nd system is usually able to scan and clean the "bad" drive.

    You then return the cleaned "bad" drive to its original location.

    (warning -- this might be a bit too complicated for you without some local help)
    755P Sprint SERO (upgraded from unlocked GSM 650 on T-Mobile)
  8. #8 (groovy)
    I second Malwarebytes and SUPERAntiSpyware. They're both free, though they're not technically antiviruses. You might also try downloading the Windows Malicious Software Removal Tool. Also, turning off Windows System Restore is usually recommended, since viruses can hide there.

    EDIT: I missed that you already ran MalwareBytes. I'd try disabling restore.
    Last edited by groovy; 08/17/2010 at 10:55 PM.
  9.    #9  
    OK, gonna try to comment on all the ideas here.

    First, as always, I LOVE this community; soooo many smart people here willing to help, so for that I thank you sooo much.

    Umm, sorry, my typo: it's not windowslogon.exe, it's winlogon.exe, and it is an actual file and process. It lives in windows\system32; there is a spare copy in either the i386 dir or the servicepacks\i386 dir. I have this file on every computer in my house, and it is also a process that, if you kill it on any clean PC, shuts it right down to a BSOD. On my hosed system, the one that is infected, what I have done already:

    1. Ran Malwarebytes in both normal and safe mode. It does not find it.
    2. Ran a deep scan in Vipre; it shuts the system down when it finds it.
    3. Ran a Vipre selective scan: if scanning processes, it shuts the system down; when scanning files and folders it runs all the way through, finds this as a Trojan, and tells me where it is, c:\windows\system32\winlogon.exe.
    4. In normal mode, safe mode, and safe mode with command prompt, have copied the clean file over the bad one, but on reboot it's bad again. (I verified its "badness" by uploading it to http://www.virustotal.com/. When I use that site to check my good copy, it comes up clean, but on reboot it's infected again.)
    5. Have copied the clean one, then killed the process with an advanced process explorer (you can't kill this process with the normal Task Manager process manager), rebooted; on reboot, reinfected.
    6. Have deleted the file via command line in safe mode, rebooted with a Windows Live CD, copied a clean file, rebooted; upon reboot, reinfected.

    I am pretty technical, so all that was said here was not over my head or too complicated. BARYE, are you saying to physically remove the drive and put it in another system as a slave drive to scan? I can do that, just not sure I want to, but will keep the idea in mind.

    I will have to look for ComboFix and a Windows removal tool. I have had "bugs" before but never one that was so pesky it just keeps regenerating itself.

    I know these are my own fault, sorta, with some of the stuff I ummm "acquire" from cyberspace, but I have been doing this for years and never had such problems. I'm now looking for a used cheap laptop to use only for DL stuff, that I can easily reformat if needed. It's a HUGE pain with my main desktop, as I have tons of stuff installed that is always a PITA to reinstall, and to remember everything I have to reinstall. My data is always backed up to my 1TB external drive, so that's not a problem.

    Ugghhhh, well, thanks for the help and ideas, guys. I'm gonna try some.

  10. #10  
    A hammer usually fixes a problem such as this when it happens to me.
  11. #11  
    Quote, originally posted by dianehelen:

    ... I am pretty technical, so all that was said here was not over my head or too complicated. BARYE, are you saying to physically remove the drive and put it in another system as a slave drive to scan? I can do that, just not sure I want to, but will keep the idea in mind.
    ...
    Yes, physically put the bad drive in another up-to-date, properly virus-protected machine as a slave, a non-booting drive. Even better and easier would be to adapt the bad drive to USB and attach it to the good machine to be scanned.

    AVG, malwarebytes (or other anti-virus, anti-spyware) should find and delete the bad files.

    In almost every case this works.

    I have access to many machines, so to be safe I ideally use a PC that is quarantined from the network and without data on it that I care about, in the unlikely event that the virus infects the master drive of the "good" computer.

    This is by far the easiest and most likely to succeed process.
    Last edited by BARYE; 08/18/2010 at 10:30 AM.
  12. #12  
    Format all hard drives. Install Linux?

    Seriously, however: stop relying on antivirus rather than your own intelligence to avoid being owned. You don't even need the Linux piece. Just stop using IE and Outlook, and use Firefox with Adblock Plus and NoScript. Adblock Plus will actually stop the majority of the infection vector. Being intelligent about where you browse, what you download, and what you run is the rest of it. Software cannot fix that problem.

    Viruses, Trojans, and malware in general are an end-user problem, not a technology problem. Antivirus can't help. If malware is already on your machine, it's game over. The exception is worms. But even then, that's what hardware firewalls are for. They stop it from hitting you directly, and you keep your systems up to date on patches and such (Microsoft actually makes this piece pretty easy these days).

    Again, the main vectors for infection are web browsing and email. Antivirus won't stop you from doing bad things to yourself. You need to pay attention to what you are doing and stop relying on some magic software to save you from the big bad Internet.
    : (){:|:&};:
  13.    #13  
    @knobbysideup, thanks for the info, but I don't need the lecture on how to use the internet. I have a Linux box I use for some stuff, but I still need Windows for many things I do.

    Malware can get into any machine at any time, regardless of how much safe surfing you do.

    I'm really only looking for additional steps I may try that I have missed.

    Thanks, everybody else, for all the suggestions. Been trying some, still can't get it to be gone, but will keep trying.

  14. #14  
    Here's what I did for my gf's computer (hit hard by the SmitFraud trojan a while back):

    Head over to the TechSupportGuy forums and post there. They will have you run and post a copy of your HijackThis report and walk you through a step by step removal process.
  15.    #15  
    Thanks, Newman, I forgot about that forum. I actually AM a member there, and don't know why it slipped my mind. (Must be another old age thing.) Just posted there; let's see if those smart dudes can help.

    I wonder if I can call Obi-Wan Kenobi.

  16. #16  
    I'm sure you've done these steps; this is my general procedure. If it keeps coming back, then the bad winlogon is the symptom, not the problem.

    Disable any startup programs and unnecessary services (don't forget the Run and RunOnce registry entries), remove the computer from the network, and remove any USB or flash drives, CDs and DVDs. As others have said, disable System Restore, then run your tools again. Make sure you have them search all files, not just the default extensions. Once clean, reboot without the network to make sure it's not coming from an external source.
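Post #16's Run and RunOnce check, plus the Winlogon values that decide what winlogon.exe launches at logon, as an added example that is not part of the thread: the script parses a .reg export of those keys and lists every autostart entry, promoting anything that runs out of a Temp directory to the top. It assumes the keys were exported with `reg export` (from the live box, or from the slaved drive's SOFTWARE hive after `reg load`); the export text embedded in the script is constructed, as are the SoundTray and sysldr entries and the Temp paths in it.

```python
"""Scan a .reg export of the XP autostart keys for whatever re-drops winlogon.exe.

Added example; not code from the thread. Assumes the keys were exported with, e.g.:
    reg export "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" winlogon.reg
    reg export "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" run.reg
SAMPLE_REG below is constructed for the demonstration."""
import re
import sys

# XP defaults for the two Winlogon values that decide what winlogon.exe launches at logon.
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": "c:\\windows\\system32\\userinit.exe,",
}

# Constructed export: Userinit has an extra Temp executable appended, and a
# second Temp executable sits in Run next to an ordinary tray program.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\Temp\\svchost32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="\"C:\\Program Files\\Audio\\tray.exe\""
"sysldr"="C:\\WINDOWS\\Temp\\ldr.exe"
'''

# "name"=value or @=value; the name may contain escaped quotes.
REG_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.

    Only REG_SZ values ("...") are decoded; dword/hex values are kept as raw
    text, and hex continuation lines, comments and the header are skipped."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        m = REG_VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = re.sub(r"\\(.)", r"\1", m.group(1) or "")
        rhs = m.group(2)
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            rhs = re.sub(r"\\(.)", r"\1", rhs[1:-1])   # undo \\ and \" escaping
        reg[current][name] = rhs
    return reg


def flag_autostarts(reg, known_notify=frozenset()):
    """Return (key, name, value, reason) tuples a human should look at.

    known_notify: Winlogon\\Notify subkey names exported from a clean XP box;
    left empty, every Notify DLL is listed rather than guessing which are stock."""
    findings = []
    known = {n.lower() for n in known_notify}
    for key, values in reg.items():
        k = key.lower()
        if k.endswith("\\currentversion\\winlogon"):
            for name, default in WINLOGON_DEFAULTS.items():
                got = values.get(name)
                if got is not None and got.lower() != default:
                    findings.append((key, name, got, "differs from XP default %r" % default))
        elif "\\currentversion\\winlogon\\notify\\" in k:
            if key.rsplit("\\", 1)[-1].lower() not in known:
                findings.append((key, "DLLName", values.get("DLLName", ""),
                                 "DLL loaded into winlogon.exe at logon"))
        elif k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
            for name, val in values.items():
                findings.append((key, name, val, "autostart entry"))
    # Anything launched out of a Temp directory goes to the top of the list.
    findings.sort(key=lambda f: ("\\temp\\" not in f[2].lower(), f[0]))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # reg export writes UTF-16 with a BOM; the "utf-16" codec consumes it.
        text = "".join(open(p, encoding="utf-16").read() for p in sys.argv[1:])
    else:
        text = SAMPLE_REG
    for key, name, value, reason in flag_autostarts(parse_reg(text)):
        print("%-36s %s\n    %s = %s" % (reason, key, name, value))
```

Run it as `python autostart_triage.py winlogon.reg run.reg` (the filename is whatever you save it as). Compare the Notify list and any Winlogon difference against the same export from one of the clean machines in the house before deleting anything; a Run entry that merely looks odd is not proof, but an extra executable appended to Userinit or anything launched from \Temp\ is where the re-dropper usually lives.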
  17.    #17  
    Yep, already running in msconfig no-startup mode, and no unnecessary services.

    I have checked the rest of the machines on the network, and none have the issue.

    Hmm, what I have not done is disable System Restore. Guess that's worth a try.

    Thanks, oh, and thanks to groovy for that idea too.

  18. #18  
    So, probably there's a file or registry setting or rootkit that keeps re-infecting you. You could estimate the time of original infection, then do a file search for files modified at that time and maybe identify a file or script that keeps re-infecting you, usually in \Windows\System32 or in \Windows\Temp. But I had a similar problem once and ComboFix fixed it.
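Post #9 replaces winlogon.exe and checks the copy on VirusTotal; post #18 suggests searching for files modified around the infection time. The script below, added here as an example and not code from the thread, does both offline against a drive that has been slaved or mounted from a Live CD: it compares the SHA-256 of the in-place winlogon.exe with the spare copy from i386 or servicepacks\i386, then lists every file whose modification time falls in a window around the re-infection. The directory tree it builds is constructed for the demonstration; the file names, the "one hour ago" pivot and the ten-minute window are assumptions.

```python
"""Find what re-drops winlogon.exe: hash the suspect file against the known-good
copy and list everything modified in a window around the re-infection.

Added example; not code from the thread. Run it against the slaved or mounted
drive (e.g. E:\\WINDOWS) rather than the running infected system. The sample
tree built below is constructed for the demonstration."""
import hashlib
import os
import tempfile
import time


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def differs_from_known_good(suspect, known_good):
    """True if the in-place winlogon.exe no longer matches the spare copy."""
    return sha256_of(suspect) != sha256_of(known_good)


def files_modified_between(root, start, end):
    """All files under root whose mtime is in [start, end], newest first,
    as (path relative to root, mtime). Unreadable entries are skipped."""
    hits = []
    for dirpath, _dirs, names in os.walk(root, onerror=lambda e: None):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
            except OSError:
                continue
            if start <= mtime <= end:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), mtime))
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits


def build_sample_tree():
    """Constructed stand-in for a slaved XP drive; returns (root, reinfection_time).

    system32/winlogon.exe was "reinfected" at t0, a dropper landed in Temp a
    minute earlier, and kernel32.dll plus the i386 spare copy are months old."""
    root = tempfile.mkdtemp(prefix="xp_triage_")
    t0 = time.time() - 3600            # assume the last reboot/reinfection was an hour ago
    clean = b"MZ-clean-winlogon"
    files = {
        "system32/winlogon.exe": (clean + b"-with-appended-payload", t0),
        "Temp/ldr.tmp":          (b"dropper", t0 - 60),
        "system32/kernel32.dll": (b"MZ-kernel32", t0 - 90 * 86400),
        "i386/winlogon.exe":     (clean, t0 - 90 * 86400),
    }
    for rel, (data, mtime) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.utime(path, (mtime, mtime))
    return root, t0


if __name__ == "__main__":
    root, t0 = build_sample_tree()
    suspect = os.path.join(root, "system32", "winlogon.exe")
    spare = os.path.join(root, "i386", "winlogon.exe")
    print("winlogon.exe differs from spare copy:", differs_from_known_good(suspect, spare))
    # Look ten minutes either side of the suspect file's own mtime.
    for rel, mtime in files_modified_between(root, t0 - 600, t0 + 600):
        print(time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(mtime)), rel)
```

On the real drive, pass the mounted Windows directory to `files_modified_between` and use the mtime of the freshly re-dropped winlogon.exe as the pivot; hits in \Temp and \system32 closest to that time are the first things to hash and look at. Two caveats: malware can set file timestamps to anything, so an empty window proves nothing, and a rootkit on the running system can hide files from a directory walk, which is why this belongs on the slaved drive (posts #7 and #11) or a Live CD rather than the live box.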
  19. #19 (eps1lon3)
    May I suggest a less task intensive solution?

    Since you have all of your data backed up already, just reformat? It saves time for you. I'm sure you have better things to do than wage war against a virus.
  20. #20 (groovy)
    Quote, originally posted by dianehelen:
    Yep, already running in msconfig no-startup mode, and no unnecessary services.

    I have checked the rest of the machines on the network, and none have the issue.

    Hmm, what I have not done is disable System Restore. Guess that's worth a try.

    Thanks, oh, and thanks to groovy for that idea too.
    No problem. Just make sure you have a current backup of your files. And scan that backup, just in case the infection was caused by, or infected, one of those files.