
Winlogon.exe Infected?

2 replies to this topic

#1 Dijital


  • Members
  • 3 posts
  • Local time:05:27 PM

Posted 15 December 2006 - 06:07 PM

Greetings All!

Friend of mine brought his XP SP2 system to me to have cleaned up. Turns out that when AVG was installed, it was detecting winlogon.exe as a "Generic.KZY" trojan and was deleting it every bootup, putting the PC in an infinite reboot loop. So I slaved the drive into another computer, ran a full scan, deleted the nasties, and copied a known good winlogon.exe from another computer. Booted up the computer, same problem. So I did some Googling and found the thread on the Grisoft forums regarding a potential bug in AVG that could be causing this, even though it indicates it usually happens on older systems without service packs. Well, I gave it a try and uninstalled AVG completely, rebooted into normal mode, all is good. Reinstalled AVG from scratch, updated to the absolute latest version and rebooted the computer. SAME THING. Hmmm.

I go back into safe mode, uninstall AVG, reboot to normal mode, no problem. Install Avast, figuring perhaps this was an AVG issue. Lo and behold, Avast detects it as Win32:Trojano-2423[Trj]. It gets even better. I run the system through an online scan on Symantec, it doesn't detect anything. Then I hopped over to VirusTotal and uploaded it for scanning, and every one returns no infection, even the Avast scan, which is the exact same version as I have installed. I needed to do some deeper inspection now, and here's where it gets really weird.

First thing I do is compare the file sizes of this winlogon.exe and the one in ServicePackFiles\i386. They are the exact same length, 502,272 bytes, and Avast/AVG does not detect this one as infected. Interestingly, in an Explorer window, the one in ServicePackFiles shows the pretty window/moon icon, whereas the one in the system32 folder shows as just the vanilla executable file icon. Then I checked the older copy in $NtServicePackUninstall$ and it's also detected as being infected. Might I add, System Restore has been turned off and the RPs deleted through this whole process. If I restart and go into safe mode and check the winlogon.exe file, it's showing the normal icon.

Checked all running services (there are not many), nothing out of the ordinary running; ran a rootkit check, nothing comes up there either. Also ran Process Explorer to see all running processes/DLLs in use, and they are all signed properly. In fact the only thing that looks strange is that in the system32 folder there is a file showing up called "scanregw.exe" in an Explorer window. I know this is a Microsoft registry scanner, but when you mouse over it, normally it would indicate the digitally signed "Microsoft Corporation" company name, though it doesn't. The strange part of this, however, is that from a command prompt it is called "?canregw.exe", and it is not found if you try to do a dir for scanregw. I did a registry search on the string "canreg" and can't see anywhere that this file is being loaded, so not sure if this is actually a bad file. However, Avast does detect it as Win32:PurityScan-AF [Trj]. It also had System, Hidden, and Read-only attributes when I did an attrib on it. I tried removing those, and can remove S and H, but when I try R it tells me access denied. Can't do it from Explorer either, and I think it's because when I check its properties, it doesn't give me security options; it appears to be 16-bit, with a properties window like a .pif would have.

I've cleaned up some pretty ugly systems in the past but this one's really got me scratching my noggin. Anyone got a clue on this? Cheers.

- Dij

Moderator Edit: Moved topic to more appropriate forum. ~ Animal

Edited by Animal, 15 December 2006 - 08:52 PM.
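A defender-side check for the symptom described in the post above (a name that Explorer renders as scanregw.exe but cmd prints as ?canregw.exe, carrying System+Hidden+Read-only), written as an added Python example that is not from the original thread. The Cyrillic character in the sample listing, the extra binary names and the attribute strings are all constructed assumptions; the post does not say which character the file actually contained.

```python
import unicodedata

# Constructed listing, not taken from the post: (filename, attrib flags).
# S = system, H = hidden, R = read-only, as `attrib` prints them.
SAMPLE_LISTING = [
    ("winlogon.exe", ""),
    ("svchost.exe", ""),
    ("\u0455canregw.exe", "SHR"),  # hypothetical: Cyrillic dze U+0455 in place of 's'
    ("cmd.exe", "R"),
]

# Names the check treats as well-known system binaries (assumed set).
KNOWN_SYSTEM_BINARIES = {"winlogon.exe", "scanregw.exe", "svchost.exe", "cmd.exe"}

# Small confusables map (Cyrillic letters that look like Latin ones); an
# assumption for this example, not a complete confusables table.
CONFUSABLES = {
    "\u0455": "s", "\u0441": "c", "\u0430": "a", "\u0435": "e",
    "\u043e": "o", "\u0440": "p", "\u0445": "x", "\u0456": "i",
}


def skeleton(name: str) -> str:
    """Fold a filename for comparison: NFKC-normalise, lower-case, then
    replace known lookalike code points with their ASCII counterparts."""
    folded = unicodedata.normalize("NFKC", name).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def console_view(name: str, codepage: str = "cp437") -> str:
    """What a cmd window on a legacy OEM code page shows: code points the
    code page cannot encode come out as '?', giving names like ?canregw.exe."""
    return name.encode(codepage, errors="replace").decode(codepage)


def find_suspects(listing, known_names):
    """Return (name, reason) for entries that are non-ASCII lookalikes of a
    known binary, or executables carrying S, H and R together."""
    known = {k.lower() for k in known_names}
    hits = []
    for name, attrs in listing:
        reasons = []
        if not name.isascii() and skeleton(name) in known:
            reasons.append(f"non-ASCII lookalike of {skeleton(name)} "
                           f"(console shows {console_view(name)!r})")
        if name.lower().endswith((".exe", ".dll", ".com", ".pif")) \
                and {"S", "H", "R"} <= set(attrs):
            reasons.append("system+hidden+read-only executable")
        if reasons:
            hits.append((name, "; ".join(reasons)))
    return hits
```

On a live system, build the listing from os.scandir() over system32 and feed it to find_suspects(); a hit is a candidate for the same offline (PE or Recovery Console) inspection the thread ends up using.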



#2 Doc.Logix


  • Members
  • 7 posts
  • Local time:06:27 PM

Posted 15 December 2006 - 07:52 PM

It is an interesting one; at first glance I would suspect not the winlogon, but a thread hooked into the process. However, you noted you ran Process Explorer and found nothing unusual.

One suggestion I would give would be a simple test, if you have a PE CD, something like BartPE or Reatogo XPE, or otherwise a Linux-based recovery boot. Boot the system with one of these, and in your %SYSTEMROOT%\SYSTEM32\CONFIG rename the "system" file (system registry hive) to something like system.oem, then grab a copy of "system" from %SYSTEMROOT%\RESTORE\ and drop it into the %SYSTEMROOT%\SYSTEM32\CONFIG folder and try a reboot. By doing the rename you can of course put the original hive back into service just as easily after conducting the test.

You could use the same procedure with the security and software hives also, but one at a time. Should this cease to happen, you now know from what section of the registry it is being called.

Another thing I have noticed with the on-demand scanners is you don't actually have to access the suspect file. All you need to do is put the focus on the directory where the file resides. I have never verified it, but would suspect that if a script were to initiate a "CD" command into a directory where the suspect file is, it would trigger your AV.

Also, I have seen many malware products that hook into winlogon.exe on startup, and many are ugly to defeat. Running HijackThis and studying the logfile could help also, but you would need to disable the AV to get a good bootup to do so. I am always a little iffy about allowing a full boot-up on a machine suspected of being infected.


#3 Dijital

  • Topic Starter

  • Members
  • 3 posts
  • Local time:05:27 PM

Posted 15 December 2006 - 11:34 PM

Hey Doc,

A thread hooked into the process is exactly what I was thinking as well, but I checked all the active processes and they appeared to all be signed properly, and I know what the ones that don't have a proper signature are for. I actually did do a HJT scan as well, but I'm pretty sure there was nothing out of the ordinary there. And unfortunately I don't have a PE disc kicking around, and even if I did, I deleted all the system restore points and the registry backups.

However... I managed to fix it all up. And I think that weird ?canregw.exe file did have something to do with it, though I don't know for the life of me how. What I did was boot to the Recovery Console from an XP disc, and this way I was able to remove the read-only attribute from the file and delete it. Then I deleted the system32 copy of winlogon.exe and copied over the one from servicepackfiles/i386 (because none of the AVs indicated it was infected like the system32 copy was), then crossed my fingers and rebooted.

To my extreme delight, the system came up fine and my winlogon.exe was back to the good ol' window/moon icon and scanned as clean from Avast. I uninstalled Avast and put AVG back in to see if it would detect it wrong again and it did not. After many many reboots to test and make sure everything is operational, it looks as though it's all back in business. Even a problem with a very slow shutdown stopped happening after this! So now I've created a new restore point, slapped my friend in the head for using IE, then slapped him again harder for letting his kids not only use IE, but use the computer with impunity (downloading & installing) with Administrator privs. *sigh*

He's happy even despite the slaps... after all, all he was trying to do was install a new video card and this just all started happening. :-) Thanks for your suggestions, I appreciate it!

- Dij
