Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Winlogon.exe Found Where It Shouldn't Be Found


  • Please log in to reply
4 replies to this topic

#1 scratcher

scratcher

  • Members
  • 124 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:04 AM

Posted 08 November 2006 - 07:44 AM

I recently uninstalled the a-squared Free Anti-Trojan program because I found that, after a complete scan in which it found 3 tracking cookies, it either wouldn't or couldn't delete them so I had to use CCleaner to do the job.

Today I installed an updated version of a-squared Free - version 2.1.0.5 - in the hope that it would do better but the same thing happened. This time it found 2 instances of winlogon.exe in WINNT:

a-squared Free - Version 2.1

Scan settings:

Objects: Memory, Traces, Cookies, C:\, D:\
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start: 11/8/2006 6:09:03 PM

C:\WINNT\ServicePackFiles\i386\winlogon.exe detected: Trojan.Win32.Patched.e

D:\X-WINNT2\ServicePackFiles\i386\winlogon.exe detected: Trojan.Win32.Patched.e


So far as I understand, winlogon.exe is fine if it's where it's supposed to be - in System32 - but is a Trojan if found anywhere else.

But once again, after the scan finished, a-squared Free would neither delete nor quarantine these files.

Not only that, but in running a Windows search for 'winlogon.exe' I discovered two more instances of it in another part of WINNT which a-squared Free had failed to spot and so I manually moved all four into quarantine and wiped them myself.

Am I in the clear now?

* HP Pavilion dv7 *  2.20 gigahertz AMD Phenom II N850 Triple-Core *  4.0 GB RAM  *  Windows 7 Home Premium (x64) *   Firefox 3.6.17 * Thunderbird 3.1.11 *  Comodo Firewall  *  Malwarebytes' Anti-Malware 1.50.1 Pro *  avast! Free Anti-Virus 2014.9.0.2007  *  Erunt  *


BC AdBot (Login to Remove)

 


#2 fozzie

fozzie

    aut viam inveniam aut faciam


  • Members
  • 3,516 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Ossendrecht/The Netherlands
  • Local time:06:04 PM

Posted 05 December 2006 - 04:38 AM

you might want to try an online scan with EWIDO to make sure all traces are gone.

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,934 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:04 PM

Posted 05 December 2006 - 02:26 PM

The legit winlogon.exe file is located in the C:\Windows\System32 folder. A copy is also found in C:\i386 and C:\Windows\ServicePackFiles\i386.

Location from which it is running is the key to determining if its bad.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#4 scratcher

scratcher
  • Topic Starter

  • Members
  • 124 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:04 AM

Posted 05 December 2006 - 08:25 PM

Many thanks for your replies.

I think I have a better handle on this problem now.

* HP Pavilion dv7 *  2.20 gigahertz AMD Phenom II N850 Triple-Core *  4.0 GB RAM  *  Windows 7 Home Premium (x64) *   Firefox 3.6.17 * Thunderbird 3.1.11 *  Comodo Firewall  *  Malwarebytes' Anti-Malware 1.50.1 Pro *  avast! Free Anti-Virus 2014.9.0.2007  *  Erunt  *


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,934 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:12:04 PM

Posted 06 December 2006 - 05:32 AM

Your welcome.

BTW others have reported this as a possible false positive at the a-squared Support forum[/B
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users