DPChallenge Forums >> General Discussion >> Located Virus... Now What? 0,o
10/30/2009 11:59:16 PM · #1
My computer was recently diagnosed with a virus that has infected my system32 Windows XP Service Pack 2 file, "Winlogon.exe". It would be simple to remove, but winlogon.exe is required for Windows XP to start, so I'm caught between a rock and a hard place...

My first suspicions started when I located some folders taking up quite a bit of space on my D: (the operating system is installed on C:). They were titled "windows outlook," "windows NT," "msn gaming zone" and others, all of which are files commonly found on the default drive of a Windows XP computer. When I deleted them, they came back after a reboot of my computer. So I did some research and found out that every time I re-booted, "winlogon.exe" was re-creating the files. Being somewhat of a computer guru, I knew that winlogon.exe was a part of the Windows operating system, could not be deleted, and shouldn't be creating folders on my computer at start-up. All this evidence points to the fact that winlogon.exe was infected. And sure enough, after a post on "bleeping-computer" I found out that I had a virus that had infected "winlogon.exe".

Now I don't know what to do. I can't delete the file because then my computer will no longer start up, and I can't replace the file with the original because it's always in use and cannot be modified. In addition, it's screwing with my entire computer setup, running processes that shouldn't exist, redirecting me to webpages on start-up, and taking up a whopping 30 GB on my D drive.

What can I do? Thanks in advance!

- Coleman Gariety

Message edited by author 2009-12-28 19:35:26.
10/31/2009 12:11:49 AM · #2
Are you running any virus software like McAfee?

Edit: I see you logged off. If you are not running antivirus software, download one of the many free versions out there and do a scan of your computer. That should help you resolve the problem. I believe this is a known virus that disguises itself using the name winlogon.exe.

Message edited by author 2009-10-31 00:21:08.
10/31/2009 12:22:06 AM · #3
You can replace it with a clean version (assuming you have a clean version of it) by booting into another OS. For example, make a Linux Live CD, and boot off that. It might be replaceable if you boot up in safe mode, but probably not.
10/31/2009 12:36:10 AM · #4
Originally posted by oscarthepig:

You can replace it with a clean version (assuming you have a clean version of it) by booting into another OS. For example, make a Linux Live CD, and boot off that. It might be replaceable if you boot up in safe mode, but probably not.


Yes, but before he does that, he should make sure that the file is actually infected and not just a dupe file with that name.

It should be an easy fix if you run a current antivirus software program.

Message edited by author 2009-10-31 00:36:33.
10/31/2009 01:44:05 AM · #5
Originally posted by jbsmithana:

Originally posted by oscarthepig:

You can replace it with a clean version (assuming you have a clean version of it) by booting into another OS. For example, make a Linux Live CD, and boot off that. It might be replaceable if you boot up in safe mode, but probably not.


Yes, but before he does that, he should make sure that the file is actually infected and not just a dupe file with that name.

It should be an easy fix if you run a current antivirus software program.


I've confirmed the virus is infected. As I said, the dupe files were placed on my D: drive; the virus was attempting to emulate folders that are commonly found in the windows/documents and settings folder. I used the registry editor to figure out what program was holding those files from being deleted. It was "winlogon.exe"... To double-check this, I opened the file up in Metapad and used a plug-in to decode the MS-DOS text code. I found changes that were made to the file to prevent me from ending it through the command line, something the original file was not made to do. "bleeping computer" gave me the symptoms, and I found them an exact match!

I am, without doubt, sure that my "winlogon.exe" is infected; I just need to know how to restore it to its original state.
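Before booting off external media, it is worth settling the point jbsmithana raised: is the file in question really the winlogon.exe in system32, or just something with the same name? The Python script below is an added example (editor's code, not anything posted in this thread) that walks a volume for every file called winlogon.exe, flags copies sitting outside system32 and its dllcache, and compares the rest against a SHA-256 hash taken from a clean XP machine at the same service-pack level. The reference hash, the allowed locations and the throwaway demo drive layout are assumptions for illustration; run it from a live CD or another PC against the mounted drive, not from inside the infected Windows, where a running infection can lie about what is on disk.

```python
import hashlib
import os
import tempfile

TARGET = "winlogon.exe"

# Relative paths (lower-cased) where a genuine copy is allowed to live on an
# XP volume: the live file in system32 and the Windows File Protection cache.
ALLOWED_LOCATIONS = {
    os.path.join("windows", "system32", TARGET),
    os.path.join("windows", "system32", "dllcache", TARGET),
}


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def audit(root, reference_hash):
    """Return sorted (relative_path, verdict) pairs for every file named
    winlogon.exe under root. The name alone proves nothing: location and
    content hash decide."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != TARGET:
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).lower()
            if rel not in ALLOWED_LOCATIONS:
                verdict = "impostor: outside system32"
            elif sha256_of(full) != reference_hash:
                verdict = "modified: hash mismatch"
            else:
                verdict = "ok"
            findings.append((rel, verdict))
    return sorted(findings)


def build_demo_volume():
    """Construct a throwaway drive layout (stand-in bytes, not a real PE):
    a clean system32 copy, a tampered dllcache copy, and a same-named file
    planted in a fake 'msn gaming zone' folder like the ones in the thread.
    Returns the root and the hash of the clean stand-in, which plays the
    role of the reference hash from a clean machine."""
    root = tempfile.mkdtemp(prefix="xpvol_")
    clean = b"MZ\x90\x00 constructed stand-in for a clean winlogon.exe\n"
    tampered = clean + b"\x00 bytes appended by the infection\n"
    layout = {
        os.path.join("WINDOWS", "system32", TARGET): clean,
        os.path.join("WINDOWS", "system32", "dllcache", TARGET): tampered,
        os.path.join("msn gaming zone", TARGET): clean,
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return root, hashlib.sha256(clean).hexdigest()


if __name__ == "__main__":
    root, ref = build_demo_volume()
    for rel, verdict in audit(root, ref):
        print(f"{verdict:26}  {rel}")
```

A mismatch in dllcache matters as much as one in system32: Windows File Protection restores system32 from dllcache, so a poisoned cache re-infects a freshly replaced file on the next boot.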
10/31/2009 02:26:32 AM · #6
This may sound very simplistic to some, but when I have an infected original O/S file (client PCs) I rip out the HDD, slap it into another uninfected, fully legal AV/AS/AM PC, copy the uninfected PC's file over the infected one, shut down and return the drive to its host... HOWEVER, don't forget that you got infected SOMEHOW. Chances are that either on reboot or very soon thereafter that PC will get reinfected. Get legal and get a good AV/S/M product.
10/31/2009 04:36:35 AM · #7
Some malware puts its roots in deep. If none of the previous suggestions help, then the scorched-earth approach may be required. Wipe the drive and reinstall your operating system. It is the only way of knowing for certain you got it. Even then, there is the possibility that some data files are infected.

Some things you can do to secure your system in the future:
-Use the Firefox browser, with the NoScript extension

-Install a custom hosts file to block known advertising and malware sites. This has an added benefit of speeding up loading of web pages slightly, because your computer does not waste time retrieving advertising and other stuff from third-party sites.

-Use a decent antivirus. I am partial to Antivir and AVG. Both are free and highly rated by sources I trust.

Since you said you are somewhat of a computer guru, then you are probably already taking similar precautions, and that probably was not much help.

Message edited by author 2009-10-31 04:41:07.
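The hosts file cuts both ways: a custom one blocks ad and malware domains, but malware edits the same file to blackhole or redirect security-vendor and update sites, which is one way to get the start-up redirects the original poster described. The Python example below is added here (editor's code, not from the thread): it parses a hosts file, counts legitimate blocklist entries (domains pointed at 0.0.0.0 or 127.0.0.1), and reports the hijack patterns: a protected domain mapped anywhere, any other domain mapped to a non-sink address, and malformed lines. The watch list of protected domains and the sample hosts content are constructed for illustration; on XP the real file is %SystemRoot%\system32\drivers\etc\hosts.

```python
import ipaddress

# Addresses a deliberate blocklist points unwanted domains at.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}
# Entries a stock Windows hosts file legitimately contains.
SYSTEM_HOSTS = {"localhost", "localhost.localdomain", "broadcasthost"}
# Hypothetical watch list: domains nobody blackholes on purpose. Malware maps
# these to loopback so AV updates and help sites silently stop working.
PROTECTED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com",
    "avg.com", "avira.com", "malwarebytes.org", "bleepingcomputer.com",
)


def parse_hosts(text):
    """Return (lineno, ip, hostname, error) tuples, one per hostname.
    Comments and blank lines are skipped; a line whose first field is not an
    IP address is reported as malformed rather than silently dropped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            entries.append((lineno, None, fields[0], "malformed"))
            continue
        for host in fields[1:]:
            entries.append((lineno, ip, host.lower(), None))
    return entries


def is_protected(host):
    return any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES)


def audit_hosts(text):
    """Split a hosts file into what a blocklist should contain and what a
    hijacker adds: protected domains mapped anywhere, and arbitrary domains
    mapped to a non-sink (attacker-chosen) address."""
    report = {"system": 0, "blocklist": 0, "hijacked": [], "redirected": [], "malformed": []}
    for lineno, ip, host, err in parse_hosts(text):
        if err:
            report["malformed"].append(lineno)
        elif host in SYSTEM_HOSTS:
            report["system"] += 1
        elif is_protected(host):
            report["hijacked"].append((lineno, host, ip))
        elif ip in SINK_ADDRESSES:
            report["blocklist"] += 1
        else:
            report["redirected"].append((lineno, host, ip))
    return report


# Constructed sample: a stock header, a few blocklist lines, and the kind of
# additions an infection leaves behind.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# --- custom blocklist ---
0.0.0.0 ad.doubleclick.net
0.0.0.0 adserver.example   # banner rotator
0.0.0.0 tracker.example pixel.example
# --- lines the user did not add ---
127.0.0.1 www.avg.com
127.0.0.1 update.microsoft.com
10.20.30.40 www.google.com
999.1.1.1 broken.example
"""

if __name__ == "__main__":
    for key, value in audit_hosts(SAMPLE_HOSTS).items():
        print(f"{key:10} {value}")
```

The "redirected" bucket is the one to read first: a blocklist only ever maps to a sink address, so any real IP in the hosts file was put there by a person or by malware.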
10/31/2009 04:38:00 AM · #8
If I were you I would probably just back up and format, as troublesome as that may sound. A fresh Windows every once in a while is good for the computer's soul ;P
10/31/2009 11:53:40 AM · #9
Run an antivirus program (try the free version of AVG) to identify the bug. AVG may be able to remove it, but if not, you can Google for instructions on how to do so if you know what you're dealing with. Almost any virus can be dealt with, given the proper approach.
Just as important as getting rid of the current bug is finding out why you are vulnerable. I take it this is an XP machine? XP is certainly not the most secure OS in the marketplace, but with good practice you should almost never be infected. Good practice includes:
- Running your internet connection through a router with a hardware firewall (stateful packet inspection and NAT to obfuscate your internal network and protect from malicious content within data packets)
- Changing the default network name, password, etc. on your router, and using secured wireless access if you use wireless.
- Running anti-virus on the machine, with regular updating of the virus database
- Removing Administrator privileges from the account you regularly use (use a different account when you need to administrate the machine). This step should really not be necessary, however it is a good extra step, if at times inconvenient.
- Practicing "safe surfing" by avoiding sites that are likely to harbor malware/viruses
11/02/2009 12:47:17 AM · #10
...cracked the case! Here's how I did it:

1. Copied a clean version of "winlogon.exe" from an un-infected Windows XP computer onto a floppy disk.
2. Made a Windows 98 boot diskette from my friend's old computer by copying system start-up files from "C:\Windows\system32"
3. Deleted fake application files from the 'D' drive that the infected winlogon.exe creates on start-up, just in case they try to re-create winlogon.exe
4. Turned off computer
5. Ran ScanDisk (from Win98 boot diskette) to locate bad entry sectors in the "system32" folder, proving the only infected file left was "winlogon.exe". Now it was simple.
6. Use Win98 start-up diskette to boot into Win98 command line
7. Remove Win98 boot floppy
8. Insert floppy diskette containing clean version of "winlogon.exe" (so when we restart, Windows doesn't boot the Win98 command line)
9. Navigate to the "system32" folder through the Win98 command line (that was hell for someone used to the WinXP Command Prompt)
10. Used command "attrib -r -a -s -h winlogon.exe" to remove any Windows attributes protecting the file
11. Use command "del winlogon.exe" to delete winlogon.exe
12. Use command "restart" to restart the computer without "winlogon.exe". Brings up a BSOD (blue screen of death) because Windows can't start without winlogon.exe (this is done so Windows doesn't know "winlogon.exe" ever existed)
13. Put in Win98 floppy to enter command line once again
14. Navigate to floppy diskette containing clean version of "winlogon.exe"
15. Use command "xcopy winlogon.exe C:\Windows\system32"
16. Navigate to "%root%\Windows\system32" folder, where you just pasted the clean version of "winlogon.exe" over top of the infected one that is now gone forever.
17. Use command "attrib +a +r +s +h winlogon.exe" so Windows recognizes the new file as its own when you boot up the computer. (Sometimes it won't with system files unless attributes are restored.)
18. Remove Win98 floppy
19. Re-boot computer
20. Watch as Windows XP is returned to normal...

And I formatted all my floppies just in case the services Trojan has a tag-along file.
That was way too complex...
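The posted procedure got the machine back, but it takes the floppy copy on trust, deletes the suspect file outright (step 11) and reboots into a BSOD before copying the replacement in (step 12). The added example below (editor's code, not the poster's) does the same swap from an offline mount the way an incident responder would: verify the clean copy's hash before touching the volume, move the suspect file into a quarantine folder instead of deleting it, then copy the clean file in and verify the result by hash rather than by attribute bits. The paths, the stand-in file contents and the use of the read-only bit in place of the DOS attrib flags are assumptions so that the script runs anywhere; on a real repair the volume would be the drive mounted from a live CD, BartPE or a second PC.

```python
import hashlib
import os
import shutil
import stat
import tempfile

REL_TARGET = os.path.join("WINDOWS", "system32", "winlogon.exe")


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def replace_offline(offline_root, clean_copy, ref_hash, quarantine_dir):
    """Swap the suspect file on an offline volume for a verified clean one.
    Raises without touching the volume if the 'clean' copy is not what it
    claims to be; the suspect file is moved aside, never deleted."""
    target = os.path.join(offline_root, REL_TARGET)
    # 1. Verify the replacement first: a wrong-build or itself-infected copy
    #    turns a repair into a second infection or an unbootable machine.
    if sha256_of(clean_copy) != ref_hash:
        raise ValueError("clean copy does not match the reference hash; refusing")
    # 2. Quarantine rather than delete: the sample is evidence for later
    #    analysis or for submitting to an AV vendor.
    before = sha256_of(target)
    os.makedirs(quarantine_dir, exist_ok=True)
    quarantined = os.path.join(quarantine_dir, f"winlogon.exe.{before[:12]}.bin")
    os.chmod(target, stat.S_IREAD | stat.S_IWRITE)   # stands in for 'attrib -r'
    shutil.move(target, quarantined)
    # 3. Drop in the clean copy, restore read-only, and verify by hash
    #    instead of assuming the copy succeeded.
    shutil.copyfile(clean_copy, target)
    os.chmod(target, stat.S_IREAD)                   # stands in for 'attrib +r'
    after = sha256_of(target)
    if after != ref_hash:
        raise RuntimeError("replacement did not verify; original is in quarantine")
    return {
        "before": before,
        "after": after,
        "changed": before != after,
        "quarantine_hash": sha256_of(quarantined),
    }


def build_demo_volume():
    """Construct a fake offline volume with a tampered winlogon.exe, a clean
    copy as it would sit on the floppy, and a quarantine folder path.
    Returns (volume, clean_copy, reference_hash, quarantine_dir)."""
    work = tempfile.mkdtemp(prefix="offline_")
    clean = b"MZ\x90\x00 constructed stand-in for a clean winlogon.exe\n"
    tampered = clean + b"\x00 bytes appended by the infection\n"
    volume = os.path.join(work, "C")
    target = os.path.join(volume, REL_TARGET)
    os.makedirs(os.path.dirname(target))
    with open(target, "wb") as f:
        f.write(tampered)
    os.chmod(target, stat.S_IREAD)                   # as 'attrib +r' would leave it
    floppy = os.path.join(work, "A", "winlogon.exe")
    os.makedirs(os.path.dirname(floppy))
    with open(floppy, "wb") as f:
        f.write(clean)
    quarantine = os.path.join(work, "quarantine")
    return volume, floppy, hashlib.sha256(clean).hexdigest(), quarantine


if __name__ == "__main__":
    volume, floppy, ref, quarantine = build_demo_volume()
    print(replace_offline(volume, floppy, ref, quarantine))
```

The hash check on the clean copy is the step that protects the repair itself: a winlogon.exe from a different service pack will not boot, and a copy taken from a machine that turns out to share the infection re-plants it.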
11/02/2009 12:50:20 AM · #11
You still have floppy disks around? Be on your guard. You can never be 100% certain that you got all of it.
11/02/2009 12:52:39 AM · #12
Originally posted by Yo_Spiff:

You still have floppy disks around? Be on your guard. You can never be 100% certain that you got all of it.


1. Floppy disks come in handy because CDs aren't recognized in the Win98 command line as actual drives. So you either have to emulate it or use a floppy.

2. I ran a scan with Prevx, AVG, and one other, forgot the name.
11/02/2009 01:42:44 AM · #13
You might want to look up "bartpe" on Google. You can create a pre-install disk for your computer. It will allow you to stream the latest service packs into the CD. Your favorite spyware/malware/virus software can be included. Many config files are available on the BartPE website to help you custom-design a boot disk for your XP machine. You can even boot off a thumb drive if your computer is a fairly new one. When this happens again you simply put the CD or DVD or thumb drive into your computer's drive or USB slot and boot from it. The virus/malware/rootkit lives on the hard drive, so it will be isolated as the machine will be running from the CD/DVD and using the RAM. It runs a little slow but is a real lifesaver when you run into a problem like you encountered. I never run my malware/rootkit detectors from the hard drive any more. I boot into BartPE so the bugs don't stand a chance.
11/02/2009 08:53:42 PM · #14
Originally posted by FireBird:

You might want to look up "bartpe" on Google. You can create a pre-install disk for your computer. It will allow you to stream the latest service packs into the CD. Your favorite spyware/malware/virus software can be included. Many config files are available on the BartPE website to help you custom-design a boot disk for your XP machine. You can even boot off a thumb drive if your computer is a fairly new one. When this happens again you simply put the CD or DVD or thumb drive into your computer's drive or USB slot and boot from it. The virus/malware/rootkit lives on the hard drive, so it will be isolated as the machine will be running from the CD/DVD and using the RAM. It runs a little slow but is a real lifesaver when you run into a problem like you encountered. I never run my malware/rootkit detectors from the hard drive any more. I boot into BartPE so the bugs don't stand a chance.


Thanks so much! That was very helpful! I'll check it out...
Once again, thanx all!
11/02/2009 09:40:05 PM · #15
Holy cow, all that made me a bit dizzy and somewhat sick to my stomach. I too have found I need to wipe and start fresh from time to time.

Message edited by author 2009-11-02 21:51:47.
11/02/2009 09:44:50 PM · #16
easy:

go and download AVG. Run AVG.

Then:

go and download Malware Bytes. Run Malware Bytes.

Problem = solved.
11/02/2009 10:01:27 PM · #17
I usually format my computer when I have problems like that.
11/03/2009 12:48:26 AM · #18
Originally posted by ColemanGariety:

...cracked the case! Here's how I did it:

[20-step repair procedure quoted in full from post #10; snipped]


Seems a bit much but then again you likely learned a few things along the way.

Message edited by author 2009-11-03 00:49:43.
11/03/2009 09:11:28 AM · #19
The last time my computer got a virus for certain (which was somewhere around 2001), I did the scorched earth fix and just wiped and reinstalled. Then I got serious with securing my system.
11/03/2009 09:28:12 AM · #20
Originally posted by jbsmithana:

Originally posted by ColemanGariety:

...cracked the case! Here's how I did it:

[20-step repair procedure quoted in full from post #10; snipped]


Seems a bit much but then again you likely learned a few things along the way.


What is this "floppy disk" you refer to? ;-)
DPChallenge, and website content and design, Copyright © 2001-2021 Challenging Technologies, LLC.
All digital photo copyrights belong to the photographers and may not be used without permission.