
[Resolved] backdoor.hazzer found in winlogon.exe

Discussion in 'Virus & Other Malware Removal' started by kingpin123, Oct 4, 2003.

Thread Status:
Not open for further replies.
  1. kingpin123

    kingpin123 Thread Starter

    Joined:
    Sep 5, 2003
    Messages:
    6
    Norton Anti-Virus found this virus in my winlogon.exe. I was not surprised to find that it could not repair, quarantine (except in safe mode), or delete it. I realize this is a critical process.

    Now here's the problem. I went to the Symantec website and followed their instructions, using the "regedit" command from Run on the Start menu. I was told to go to:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, where I would find "Winlogon"=<path to trojan>

    and delete the latter, an entry added by the virus.

    The entry was not there. As stated earlier, I was able to quarantine the file in safe mode, and I then sent it to Symantec using their submit option. I explained to them that their program was unable to repair the file and asked them to repair it and e-mail it back. I am awaiting a (human) reply. Trying to remain patient, as I have no desire to pay their requested $29.95 for one-time consulting.

    Question: Where can I download a backup copy of "winlogon.exe"? I am using Windows XP Home.

    Also, once downloaded, can I then go back into safe mode, quarantine the infected file and install the new one, with no problems?

    Any help or same experience with this would be greatly appreciated.

    "Drink lots, stay sober." he he
     
  2. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    Was the copy of winlogon.exe that was "quarantined" in the c:\windows\system32 folder? This is the one that Windows XP normally loads. If it was quarantined, it is not being used anyway. If you currently have a copy of winlogon.exe there, you don't need to do anything, and you can have NAV delete the infected (bogus) copy in its Quarantine folder.

    I suspect the bogus file was running from the "windows" folder, not system32. Was it?

    In any case, if you have cab files on the drive (c:\I386) you should have a copy of winlogon.exe there.

    If you see only winlogon.ex_ this is a compressed file that needs to be expanded first. I'll give you instructions if necessary.

    As a matter of fact, Windows File Protection should automatically replace the file for you if it looks for it and can't find it.
     
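The two indicators Rollin' Rog is using above, a winlogon.exe running from the "windows" folder instead of system32 and a second winlogon.exe process, plus the Run-key entry the Symantec write-up points at, can be checked mechanically. The script below is an added example written for this page, not code from the thread or from Symantec; the protected-name lists, the C:\WINDOWS root and the process/registry snapshot are all assumed or constructed, modelled on what the thread describes.

```python
import ntpath

# Assumed stock XP layout; change SYSTEM_ROOT if Windows is installed elsewhere.
SYSTEM_ROOT = r"C:\WINDOWS"
SYSTEM32 = ntpath.join(SYSTEM_ROOT, "system32")

# Core binaries that a stock install loads only from system32 (assumed list).
PROTECTED_NAMES = {"winlogon.exe", "lsass.exe", "services.exe",
                   "csrss.exe", "smss.exe", "svchost.exe"}
# Of those, the ones that run as one instance on a single-session XP box.
# svchost.exe legitimately runs many times, so it is deliberately left out.
SINGLE_INSTANCE = {"winlogon.exe", "lsass.exe", "services.exe", "smss.exe"}


def _norm(path):
    """Case-insensitive, normalised comparison form for a Windows path."""
    return ntpath.normpath(path).lower()


def in_system32(path):
    """True if the image lives directly in %SystemRoot%\\system32."""
    return _norm(ntpath.dirname(path)) == _norm(SYSTEM32)


def image_from_command(command):
    """Pull the executable path out of a Run-key command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def find_masquerading_processes(processes):
    """processes: iterable of (pid, image_path), e.g. from a Task Manager /
    WMI snapshot.  Returns (pid, path_or_name, reason) tuples."""
    findings, counts = [], {}
    for pid, path in processes:
        name = ntpath.basename(path).lower()
        if name not in PROTECTED_NAMES:
            continue
        counts[name] = counts.get(name, 0) + 1
        if not in_system32(path):
            findings.append((pid, path, "system binary name running outside system32"))
    for name, n in counts.items():
        if name in SINGLE_INSTANCE and n > 1:
            findings.append((None, name, "%d instances of a single-instance binary" % n))
    return findings


def find_suspicious_run_entries(run_values):
    """run_values: {value_name: command} read from
    HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run."""
    findings = []
    for value_name, command in run_values.items():
        image = image_from_command(command)
        name = ntpath.basename(image).lower()
        if name in PROTECTED_NAMES and not in_system32(image):
            findings.append((value_name, command,
                             "Run entry launches a system-binary name from outside system32"))
        elif name in SINGLE_INSTANCE:
            # smss.exe/winlogon.exe start these at boot; a Run entry is never how they load.
            findings.append((value_name, command,
                             "core system binary should not be started from Run"))
    return findings


# Constructed snapshot mirroring the thread: a real winlogon.exe in system32
# and a bogus copy in the Windows folder, registered under Run as "Winlogon".
SAMPLE_PROCESSES = [
    (4,    r"C:\WINDOWS\system32\smss.exe"),
    (596,  r"C:\WINDOWS\system32\winlogon.exe"),
    (1240, r"C:\WINDOWS\winlogon.exe"),          # the bogus copy
    (840,  r"C:\WINDOWS\system32\svchost.exe"),
    (900,  r"C:\WINDOWS\system32\svchost.exe"),
]
SAMPLE_RUN = {
    "Winlogon":    r"C:\WINDOWS\winlogon.exe",
    "NvCplDaemon": r"RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
}

if __name__ == "__main__":
    for f in find_masquerading_processes(SAMPLE_PROCESSES):
        print("process:", f)
    for f in find_suspicious_run_entries(SAMPLE_RUN):
        print("run key:", f)
```

Once the bogus copy and its Run entry are gone, the genuine file is still the one in system32; if that copy ever does go missing, the compressed original can be restored by hand with `expand C:\I386\WINLOGON.EX_ C:\WINDOWS\system32\winlogon.exe`, which is the step Rollin' Rog offers to walk through.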
  3. kingpin123

    kingpin123 Thread Starter

    Joined:
    Sep 5, 2003
    Messages:
    6
    No, it was in the windows folder. And all of a sudden I had two winlogon.exe running in Task Manager, as opposed to one in safe mode. The second being the bogus one you mentioned.

    Gonna go back to safe mode and have Norton delete the bogus file in the windows folder. Let it give itself a whirl.

    Thanx for fast reply.
     
  4. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
    I see. You should be fine. But if you don't remove the registry entry (which could be done with either HijackThis or regedit) you may get a file missing message on restart.
     
  5. kingpin123

    kingpin123 Thread Starter

    Joined:
    Sep 5, 2003
    Messages:
    6
    Done deal. Bogus file is gone, restart as normal was A-OK!

    Now fluster free. Thanx a bunch!!!
     
  6. VirtualMe

    VirtualMe

    Joined:
    Sep 27, 2002
    Messages:
    867
  7. Rollin' Rog

    Rollin' Rog

    Joined:
    Dec 9, 2000
    Messages:
    45,855
  8. kingpin123

    kingpin123 Thread Starter

    Joined:
    Sep 5, 2003
    Messages:
    6
    Downloaded and ran WinloginRemove.exe, no occurrences found.

    Good deal, thanx all!!!
     



Short URL to this thread: https://techguy.org/169404
