
winlogon infected, redirect virus, ransomware and misuse of combofix


1 reply to this topic

#1 Spiku

  • Members
  • 2 posts

Posted 22 August 2010 - 01:57 PM

Bit convoluted, but here goes: Windows XP sp3

I've been playing a few games which give false positives to anti-virus programs, to which I had made exceptions. However, I recently reinstalled a few, and for ease of doing so had made the rather stupid mistake of removing AVG whilst I did so.

In the intervening period, my girlfriend had accessed some website for streaming video recommended by people at her work place (where of course all the computers are in the sthuck); in doing so my computer was infected with one of the false anti-virus malware which popped up constant alerts, disabled task manager and generally didn't allow me to do anything. Luckily I could still run task manager from start > run, and I disabled a number of unrecognised processes, and opened up msconfig to make sure to remove a few of the new "on start up" additions (like the antivirus doctor malware that had been installed). Unfortunately I accepted the restart dialog from doing this, instead of using the period of relative safety to get help or reinstall virus scanners or run some malware removal.

On restart some of the malware returned, and opening websites caused me to be fronted with a page suggesting that my "antivirus program" (read: ransomware) was protecting me from accessing the website because it is infected, and attempting to cajole me into paying for their services. In short order I worked out that this was being done by changing my proxy settings and directing me back to my own computer; if I changed the setting to no proxy, it would be set back to this proxy as soon as I saved changes and used the same window.

By saving changes, and opening a -new- session window, I was able to browse to one page before it reset proxy settings, so I'd set them back, open a new page, copy the link from the last address so I could slowly progress; grabbing myself malwarebytes and running this. It cleared up a fair amount, and in the meantime I had popped open IRC for some advice.

Anti-virus programs I attempted to run would be shut down with a security message from the ransomware, task manager could no longer be run, and malwarebytes was blocked. Someone on IRC sent me Combofix, and was running through how to use this; it started despite everything else being closed, however, it seems this was bad advice in the end, and it was somewhat too thorough.

After the restart, my computer was able to log in, and the ransomware would not start; however after about 5 seconds, it would crash: icons not fully loaded, and the start menu/toolbar looking like a Windows 95 one. After two such restarts, and the same restart happening in safe mode, I found that if I opened task manager in that space of time, I would get a "winlogon.exe" error of some description, and the computer started up as usual, though only semi functional.

In my attempts to look for help, I found that any time I used google, I would be redirected to a random site if I did not use "open in new tab". I took this time to reinstall AVG and look up some advice; mostly sites suggested DO NOT USE COMBOFIX WITHOUT SOMEONE TO EXPLAIN IT, which made me wince. I can't remember the exact details after this point; I just know at some point the machine got shut down, and from then on it could not start in normal or safe mode. chkdsk /r and /p didn't help anything, which was the extent of my ability to attempt to resolve the issue, and I eventually had to make a sp3 slipstream disk and install a second installation of Windows XP just so I could salvage files and get some advice.

I know for sure that winlogon.exe must be infected, but I do not know where to go from there. Any advice would be very much appreciated.

Edited by Spiku, 22 August 2010 - 01:58 PM.
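The rogue "antivirus" in the post kept pointing the system proxy back at the local machine so every page load landed on its fake block page. The check below is an added example (not from the post or BleepingComputer): it parses the Windows `ProxyServer` value format (either a single `host:port` or `;`-separated `scheme=host:port` entries) and flags any entry that resolves to loopback. The registry values are the real `Internet Settings` key names; the sample values and port are constructed for illustration.

```python
import ipaddress
from typing import Dict

# Constructed sample of HKCU\Software\Microsoft\Windows\CurrentVersion\
# Internet Settings as a rogue AV might leave it (port number is made up).
SAMPLE_HIJACKED = {
    "ProxyEnable": 1,
    "ProxyServer": "http=127.0.0.1:5643;https=127.0.0.1:5643;ftp=127.0.0.1:5643",
}


def parse_proxy_server(value: str) -> Dict[str, str]:
    """Split a ProxyServer string into {scheme: "host:port"}.

    Windows accepts "host:port" (applies to all protocols, stored here under
    the key "all") or "scheme=host:port;scheme=host:port;...".
    """
    entries: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            scheme, _, hostport = part.partition("=")
            entries[scheme.strip().lower()] = hostport.strip()
        else:
            entries["all"] = part
    return entries


def is_loopback_host(hostport: str) -> bool:
    """True when the proxy host is the machine itself (127/8, ::1, localhost).

    IPv6 literals are expected in bracketed form, e.g. "[::1]:3128".
    """
    if hostport.startswith("["):
        host = hostport[1:].split("]", 1)[0]
    else:
        host = hostport.rsplit(":", 1)[0]
    host = host.strip().lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def suspicious_proxy_entries(settings: Dict[str, object]) -> Dict[str, str]:
    """Return the proxy entries that route traffic back to loopback."""
    if not settings.get("ProxyEnable"):
        return {}  # proxy disabled, nothing is being redirected
    parsed = parse_proxy_server(str(settings.get("ProxyServer", "")))
    return {s: hp for s, hp in parsed.items() if is_loopback_host(hp)}
```

On a live XP box the same two values can be read with `winreg` under that key; a loopback proxy that reappears after being cleared is the sign of a process re-writing it, which is what a scan or a startup-entry review should go looking for.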

#2 Spiku

  • Topic Starter
  • Members
  • 2 posts

Posted 28 August 2010 - 05:18 PM

Just a bump, I'd love to have some sort of help here. I recently tried using a slipstream sp3 cd to repair installation, but I don't get that option =(