Friend of mine brought his XPSP2 system to me to have cleaned up. Turns out that when AVG was installed, it was detecting winlogon.exe as a "Generic.KZY" trojan and was deleting it every bootup, putting the PC in an infinite reboot loop. So I slaved the drive into another computer, ran a full scan, deleted the nasties, and copied a known good winlogon.exe from another computer. Boot up the computer, same problem. So I do some Googling, find the thread on Grisoft forums regarding a potential bug in AVG that could be causing this, even though it indicates it usually happens on older systems without service packs. Well, I give it a try and uninstall AVG completely, reboot into normal mode, all is good. Reinstall AVG from scratch, update to the absolute latest version and reboot the computer. SAME THING. Hmmm.
I go back into safe mode, uninstall AVG, reboot to normal mode, no problem. Install Avast, figuring perhaps this was an AVG issue. Lo and behold, Avast detects it as Win32:Trojano-2423[Trj]. It gets even better. I run the system through an online scan on Symantec, it doesn't detect anything. Then I hopped over to VirusTotal and uploaded it for scanning, and every one returns no infection, even the Avast scan, which is the exact same version as I have installed. I needed to do some deeper inspection now, and here's where it gets really weird.
First thing I do is compare the file sizes of this winlogon.exe and the one in ServicePackFiles\i386. They are the exact same length, 502,272 bytes, and Avast/AVG does not detect this one as infected. Interestingly, in an Explorer window the one in ServicePackFiles shows the pretty window/moon icon, whereas the one in the system32 folder shows as just the vanilla executable file icon. Then I checked the older copy in $NtServicePackUninstall$ and it's also detected as being infected. Might I add, System Restore has been turned off and the RPs deleted through this whole process. If I restart and go into safe mode and check the winlogon.exe file, it's showing as the normal icon.
Checked all running services (there are not many), nothing out of the ordinary running; ran a rootkit check, nothing comes up there either. Also ran Process Explorer to see all running processes/DLLs in use and they are all signed properly. In fact, the only thing that looks strange is that in the system32 folder there is a file showing up called "scanregw.exe" in an Explorer window. I know this is a Microsoft registry scanner, but when you mouse over it, normally it would indicate the digitally signed "Microsoft Corporation" company name, though it doesn't. The strange part of this, however, is that from a command prompt it is called "?canregw.exe", and is not found if you try to do a dir for scanregw. I did a registry search on the string "canreg" and can't see anywhere that this file is being loaded, so not sure if this is actually a bad file. However, Avast does detect it as Win32:PurityScan-AF [Trj]. It also had System, Hidden, and Read-only attributes when I did an attrib on it. I tried removing those, and can remove S and H, but when I try R it tells me access denied. Can't do it from Explorer either, and I think it's because when I check the properties of it, it doesn't give me security options; it appears to be 16-bit, with a properties window like a .pif would have.
I've cleaned up some pretty ugly systems in the past but this one's really got me scratching my noggin. Anyone got a clue on this? Cheers.
Moderator Edit: Moved topic to more appropriate forum. ~ Animal
Edited by Animal, 15 December 2006 - 08:52 PM.
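A small defender-side check written for this thread (example code, not the poster's own tooling) that catches the two things described above: a system32 file name containing a character that `dir` cannot render, as with "?canregw.exe", and an installed winlogon.exe that matches the ServicePackFiles copy in size but not in content. The allow-list of system binaries and the two sample files are constructed for the example.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Optional

# Constructed allow-list; a real check would use the full list of system32 binaries.
KNOWN_SYSTEM_EXES = {"winlogon.exe", "scanregw.exe", "svchost.exe"}


def suspicious_name(name: str) -> Optional[str]:
    """Return a reason if a file name looks like a disguised copy of a known binary."""
    # 1) Any character outside printable ASCII is a red flag: the console shows it as
    #    '?' and an exact-name lookup such as "dir scanregw.exe" will never find it.
    if any(not (32 < ord(c) < 127) for c in name):
        return "non-printable or non-ASCII character in name"
    # 2) Same length as a known binary but differing in exactly one position.
    for known in KNOWN_SYSTEM_EXES:
        if name.lower() != known and len(name) == len(known):
            if sum(a != b for a, b in zip(name.lower(), known)) == 1:
                return f"one-character lookalike of {known}"
    return None


def sha256_of(path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_copies(installed, reference) -> dict:
    """Equal size proves nothing; only an equal hash shows the installed copy is intact."""
    return {
        "same_size": os.path.getsize(installed) == os.path.getsize(reference),
        "same_hash": sha256_of(installed) == sha256_of(reference),
    }


def demo() -> dict:
    """Build two same-size files in a temp dir (constructed data) and compare them."""
    with tempfile.TemporaryDirectory() as d:
        installed = Path(d) / "winlogon.exe"        # stands in for system32\winlogon.exe
        reference = Path(d) / "winlogon.ref.exe"    # stands in for the ServicePackFiles copy
        installed.write_bytes(b"MZ" + b"A" * 998)   # 1000 bytes, content differs
        reference.write_bytes(b"MZ" + b"B" * 998)   # 1000 bytes, content differs
        return compare_copies(installed, reference)
```

Run `demo()` to see that a size match alone would have passed the modified copy, and feed `suspicious_name` the names from a directory listing to surface files like the one found in system32.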