Winlogon.exe ??

[JhonnyB]

So, I recently updated my COMODO firewall and it made a malware scan and found a Trojan in C:/Windows/system32/winlogon.exe .
It couldn't remove it so It quarantined it and after that I couldnt reboot into windows, I would get a blue screen stop error.
So I uninstalled comodo thorugh safe mode and now It booted just fine.No other scan recognizes this file as trojan so I dont really know what I can do.
Any thoughts?

[JhonnyB]

Bump, Plx

[abri]

Hi JhonnyB,
Welcome to the Malware Forum!

I advise you not to bump as it leads to scoldings. What trojan did it find? It may have been a false positive. If you're having malware symptoms go through the READ & RUN ME FIRST and attach the requested scans. Alternatively, you could go to the Alternate Scans and run BitDefender and Panda and see if they come up with anything. These can only be run with Internet Explorer. They're both good.

Thanks.
abri

[JhonnyB]

I ran the online scans and they didnt detect any malware. Also I may have some symptoms but I think they can be traced to other reasons and for the most part my laptop is working fine.
I did some reading and found out this file is genuine and has something to do with the boot process ,so that would explain why quarantining it gave me that error.
But there are some trojans which pose as it. Still not sure why my firewall detects it as a threat, but Im more calm now.
Thx

[abri]

Hi jhonny,
If you happen to have the Combofix log and the MGlogs.zip, I could check them to see if the file you're worried about is infected. If you'd like for me to do this, please attach them to your next post.
abri

[JhonnyB]

Hi abri, I didnt know there was another reply here, but I have attached the files in this post, so if you can check it out it would be cool.
Btw my OS is in czech so I dunno if that may be a problem to understand the log files.

[abri]

Hi JhonnyB,
Please do the following:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for attaching back to the forum).
• Attach Report.txt with your next post.

abri

[JhonnyB]

Done, it looks like it didnt find anything.

[abri]

Hi JhonnyB,
I'm always the optimist. I had hoped SDFix would pick up that lot of tmp files you have. I think what Comodo found was a false positive.

Please do the following:

Delete this file: C:\WINDOWS\system32\eRLog.ini

And this folder: C:\WINDOWS\System32\drivers\down

Then rename the following files in the box below by putting the name .old after them:
(example: C:\WINDOWS\system32\SET479.tmp would become SET479.tmp.old)

Quote:

C:\WINDOWS\SET431.tmp
C:\WINDOWS\system32\SET479.tmp
C:\WINDOWS\system32SET480.tmp
C:\WINDOWS\system32SET484.tmp
C:\WINDOWS\system32SET489.tmp
C:\WINDOWS\system32SET464.tmp
C:\WINDOWS\system32SET465.tmp
C:\WINDOWS\system32SET47A.tmp
C:\WINDOWS\system32SET47B.tmp
C:\WINDOWS\system32SET47C.tmp
C:\WINDOWS\system32SET481.tmp
C:\WINDOWS\system32SET485.tmp
C:\WINDOWS\system32SET486.tmp
C:\WINDOWS\system32SET48B.tmp
C:\WINDOWS\system32SET4DE.tmp
C:\WINDOWS\system32SET4DF.tmp
C:\WINDOWS\system32SET4EB.tmp

Also, if you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

And finally, please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.

Let me know how things are running.
abri

[JhonnyB]

Done, but I dont have the C:\WINDOWS\System32\drivers\down folder on my system.

[abri]

Hi JhonnyB,
If your computer is running as it should and you do not see any changes in your programs after changing the names of the tmp files, I would like for you to delete them all. They'll be these renamed with .old at the end.

Code:

C:\WINDOWS\SET431.tmp
C:\WINDOWS\system32\SET479.tmp
C:\WINDOWS\system32SET480.tmp
C:\WINDOWS\system32SET484.tmp
C:\WINDOWS\system32SET489.tmp
C:\WINDOWS\system32SET464.tmp
C:\WINDOWS\system32SET465.tmp
C:\WINDOWS\system32SET47A.tmp
C:\WINDOWS\system32SET47B.tmp
C:\WINDOWS\system32SET47C.tmp
C:\WINDOWS\system32SET481.tmp
C:\WINDOWS\system32SET485.tmp
C:\WINDOWS\system32SET486.tmp
C:\WINDOWS\system32SET48B.tmp
C:\WINDOWS\system32SET4DE.tmp
C:\WINDOWS\system32SET4DF.tmp
C:\WINDOWS\system32SET4EB.tmp

After you've deleted them, please reboot and make sure your computer is still working as it should. If so, you can run the final cleanup instructions in the box below:

Quote:

Your logs look good. If you're not experiencing any malware symptoms, please do the following:

• If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
• If we user SDFix you can delete all the SDFix related files and folders from your Desktop or whereever you installed it.
• If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
• Go to add/remove programs and uninstall HijackThis.
• Then go into Windows Explorer and find MGTools directly under C:\ (or the root drive where your operating system is installed).
• Open the MGTools folder and delete the contents.
• Then delete the folder itself.
• Look for any leftover logs on your desktop and if found delete them
• Run CCleaner
• After you've completed the above, please follow the instructions at this link for setting a clean restore point. Disable and Enable System Restore!
• Once you've done this, please take a look at the link that follows. It's a good read and has some good information to help you prevent further malware invasions.
  
  How to Protect Yourself from Malware

Let us know how things went!

abri

[JhonnyB]

So everything is working fine :d
Thanks a lot abri, I really appreciate it .

[abri]

That's good to hear.
Enjoy your computering.