[Resolved] backdoor.hazzer found in winlogon.exe

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

kingpin123

Thread Starter
Joined
Sep 5, 2003
Messages
6
Norton Anti-Virus found this virus in my winlogin.exe. Was not surprised to find that it could not repair, quarantine (except in safe-mode), nor delete. I realize this is a critical process.

Now here's the problem. Went to Symantec website, followed their instructions using "regedit" command in run from start menu. Was told to go to:

HKey_Local_Machine\Software\Microsoft\Windows\Current Version\Run and I would find "Winlogon"=<path to trojan>

and delete the latter, an extension added by the virus.

Extension was not there. As stated earlier, was able to quarantine in safe-mode, which I then sent to Symantec using their submit option. I explained to them that their program was unable to repair file, asked them to repair and e-mail back. Am awaiting a (human) reply. Trying to remain patient, as I have no desire for their requested $29.95 for one-time consulting.

Question: Where can I download a back-up copy of "winlogin.exe"? Using Windows XP Home.

Also, if downloaded, can I then go back into safe-mode, quarantine the infected file and install the new? With no problems.

Any help or same experience with this would be greatly appreciated.

"Drink lot's, stay sober." he he
 
Joined
Dec 9, 2000
Messages
45,855
Was the copy of winlogon.exe that was "quarantined" in the c:\windows\system32 folder? This is the one that Windows XP normally loads. If it was quarantined, it is not being used anyway. If you currently have a copy of winlogon.exe there, you don't need to do anything, and you can have NAV delete the infected (bogus) copy in its Quarantine folder.

I suspect the bogus file was running from the "windows" folder, not system32. Was it?

In any case, if you have cab files on the drive (c:\I386) you should have a copy of winlogon.exe there.

If you see only winlogon.ex_ this is a compressed file that needs to be expanded first. I'll give you instructions if necessary.

As a matter of fact, Windows File Protection should automatically replace the file for you if it looks for it and can't find it.
 

kingpin123

Thread Starter
Joined
Sep 5, 2003
Messages
6
No, it was in the windows folder. And all of a sudden I had two winlogin.exe running in task manager as opposed to one in safe-mode. The second being the bogus you mentioned.

Gonna go back to safe-mode and have Norton delete the bogus file in windows folder. Let it give itself a whirl.

Thanx for fast reply.
 
Joined
Dec 9, 2000
Messages
45,855
I see. You should be fine. But if you don't remove the registry entry (which could be done with either HijackThis or regedit) you may get a file missing message on restart.
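
An added example, not part of the original thread: the check the replies above apply by hand (the genuine winlogon.exe runs from system32, so a copy in the Windows folder or named in a Run value is bogus), written in Python over constructed sample data. It generalizes to a few other System32-only process names; the `PROTECTED` list, the `C:\WINDOWS` root and every sample value are assumptions.

```python
import ntpath
import re

# Image names that legitimately exist only in System32 (illustrative subset).
PROTECTED = {"winlogon.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe"}
RUN_VALUE = re.compile(r"^\s+(?P<name>.+?)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+)$")

def is_masquerade(path, system_root=r"C:\WINDOWS"):
    """True when a protected image name sits anywhere but the System32 folder."""
    path = path.strip().strip('"')
    if path.startswith("\\??\\"):          # NT object prefix seen on XP system processes
        path = path[4:]
    folder, image = ntpath.split(ntpath.normpath(path).lower())
    return image in PROTECTED and folder != ntpath.join(system_root, "system32").lower()

def command_image(data):
    """Pull the executable path out of a Run value, dropping any arguments."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    match = re.match(r"(.+?\.exe)\b", data, re.IGNORECASE)
    return match.group(1) if match else data

def suspicious_processes(processes):
    """processes: iterable of (pid, image_path) pairs from any process listing."""
    return [(pid, path) for pid, path in processes if is_masquerade(path)]

def suspicious_run_values(reg_query_text):
    """Scan `reg query <Run key>` output; return flagged (value_name, data) pairs."""
    hits = []
    for line in reg_query_text.splitlines():
        m = RUN_VALUE.match(line)
        if m and is_masquerade(command_image(m.group("data"))):
            hits.append((m.group("name"), m.group("data").strip()))
    return hits

# Constructed sample data, modelled on the situation in the thread.
SAMPLE_PROCESSES = [
    (612, r"\??\C:\WINDOWS\system32\winlogon.exe"),   # genuine
    (1980, r"C:\WINDOWS\winlogon.exe"),                # bogus copy in the Windows folder
    (1432, r"C:\WINDOWS\explorer.exe"),
]
SAMPLE_REG = r"""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    "C:\Program Files\Example\tray.exe" /min
    Winlogon    REG_SZ    C:\WINDOWS\winlogon.exe
"""

if __name__ == "__main__":
    print(suspicious_processes(SAMPLE_PROCESSES))
    print(suspicious_run_values(SAMPLE_REG))
```
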
 

kingpin123

Thread Starter
Joined
Sep 5, 2003
Messages
6
Done deal. Bogus file is gone, restart as normal was a-ok!

Now fluster free. Thanx a bunch!!!
 

kingpin123

Thread Starter
Joined
Sep 5, 2003
Messages
6
Downloaded and ran WinloginRemove.exe, no occurrences found.

Good deal, thanx all!!!
 