Ok, here's the deal: I was dealing with some "moody" software of sorts, and when I ran one particular piece of this software I encountered an error message displaying "DEP has closed Winlogon.exe blah blah blah". So I shat bricks and instantly killed two processes named "File1.exe" and "File2.exe". I then proceeded to do a system restore straight away. I booted back up and started scanning away. I found some cookies, an old Trojan that had been sneakily restored from a previous infection (which I have since removed from the System Volume Information recovery files) and not much else. I did also have to remove a ".tmp" file from the temp folder in the Windows dir which was attempting to use firefox.exe to connect to the net through steam.exe. Comodo hasn't flagged this problem since.

I looked up some viruses/malware relating to Winlogon.exe and found what seemed to be 3/4 variants of the same malware, which replaces Winlogon.exe with "WvnLogon.exe/WinIongon.exe/Winlogin.exe" and creates or moves a bunch of folders/files/registry keys. The "Winlogon.exe" also starts taking up huge amounts of memory, usually in the order of 50 MB to half the available RAM. I used the info provided to search out all the possible folders/files/registry entries the related infection creates and found NONE of them. There are no new processes in the task manager or in the startup list, and no new services in the startup list either. "Winlogon.exe" is also staying between 700k and 1500k memory usage, maxing out at 2100k.

I've scanned with Avira, Spybot S&D and Adaware, and I have scanned using Panda Active scanner, and have found only cookies and a few files flagged as suspicious which I am aware of and have removed as a precaution (they are related to other "moody" products).

SO, what I want to ask is: would anyone have any advice for me to check if my system is clean? I "think" that the DEP protection stopped the initial attempt to gain control of my system. What makes me think this?
One of the most likely Trojans this could have been replaces the "Winlogon.exe" file and then logs you off and restarts the PC. In my case, once DEP had stopped the "Winlogon.exe" process, nothing happened other than the actions I took to try to protect my PC: no automatic logoff or automatic shutdown. So, what do you guys think? Other than that I should get a punch to the chops and should avoid "moody" items of any kind?
I have learned a fair amount from some poor decisions in the past, but yeah, this was a moment of weakness that has cost me... I was just wondering if there was a super tool to check if I'm really free of this recent intrusion? Or do you think that if Panda didn't find anything there isn't anything to find? ALSO, does anyone know if Malwarebytes would be compatible with Spybot AND Adaware?
Please use only:
1. One anti-virus
2. One spyware program
3. One malware removal software
4. One firewall

Using more than one will cause conflicts and render them useless; you might as well not have them. Also, what is your Windows? I say format and re-install.
Sorry, forgot to say, I'm on Win XP Pro SP2. I'll be moving on up to Win7 Pro in January. I'm thinking of dumping Adaware and getting Malwarebytes Anti-Malware. That will leave me with:
- Avira AntiVir
- Comodo Personal Firewall
- Spybot S&D
- Malwarebytes

Sound adequate?
The security and protection of XP is abysmal... I say screw it: format and clean install when you get Win7. Installing XP will take you, based on my experience, a nice 2-3 days until everything is configured, and make that a week or two until everything is organized properly and you haven't forgotten anything. This is truly not worth it. Just make sure you don't carry that malware or virus with you when you back up. Use a different PC to scan your backup media just to be sure, before transporting everything to Win7.

Best solution for future prevention:
- Install Win7 64-bit (takes 20-25 min) for maximum security and real DEP protection when enabled.
- Install the latest drivers for it.
- Install the latest software versions.
- Install Microsoft Security Essentials (anti-virus and anti-spyware): 100% free and in 64-bit.
- DO NOT tweak Windows 7 (or Vista). Windows 7 doesn't work like XP: services only run on event calls; that is the point of a service, else it would be a startup program. Disabling services will only damage the system. Leave it as is.
- Windows 7/Vista memory management is very well designed: your RAM FIRST, then your page file. So no need to disable the page file.
- Windows 7/Vista is auto-maintained; the only thing you can do safely is clear the temp directory from time to time, if you want.
- Windows 7/Vista optimizes itself over time: the more you restart and use your computer, the more it will be optimized. The first few days Windows 7 will be slow as the system indexes everything; just leave your computer overnight so that it finishes what it has to do. Defrag is automatic.
- The Vista/Win7 firewall is top notch compared to the XP one, making it just as good as most software firewalls.

Well, you get the idea...
As always, GoodBytes, you have been immensely helpful! Just to clarify, as I don't want to assume: I use CCleaner, WinASO and Window Washer. Are these programs needed with Win 7? Is Microsoft Security Essentials meant as a replacement for Spybot/Adaware/Avira? If MS Security is a replacement, would it protect me from the really nasty stuff that you can find in things like torrents? Thanks again! +Rep
CCleaner is all you need if you want to clean your registry (useful when some driver causes problems and you want to uninstall it completely and remove any leftover registry items; also useful to clean your temp, web browser cache and so on in one shot, and as a bonus you can manage your startup programs... msconfig still does that).

Yes. I am obligated to say don't torrent. But I'll say this: no anti-virus provides 100% protection, even the best of the best anti-virus that you paid 1 million dollars per day for. But at 90% and up, plus A LOT of viruses don't do jack **** anymore under Vista/Win7 other than stand there, so you are good. Also with Windows 7, you can do daily backups, system restore points, and even system image backups (Professional and higher editions). Just stop running video.avi.exe, and you'll be much better.

If you run a program and it needs true admin privileges, you will have a User Account Control prompt requesting you to continue under Win7/Vista. If you open a picture and it needs true admin, then you know it's a virus and you can click on cancel, which will then not run the program. Oh yes, in Windows 7, no one is true admin; even if your account is "Administrator", you're not true admin. It's like Linux... but less annoying, and you don't need the Terminal for admin access (you get a dialog box instead). The way it runs is that for an application to need admin privileges it needs to include a strictly formatted manifest file that must be embedded in the exe. When you run a program, Windows looks at the manifest file, reads it, and then prompts you for admin privileges; if you agree, it elevates the program to true admin and runs it.

Also, 32-bit drivers don't work under Windows 7/Vista 64-bit. Most people don't know how to make 64-bit drivers, so making malware at a driver level or a rootkit won't work. Also, Windows 7/Vista 64-bit has a forced driver signature requirement. If it's not approved by Microsoft, no chance it will get installed.
SO that is also out of the way... The rest is experience. Also, don't torrent - I don't want to hear reasons (I know them all... backups and such...). I am just telling you in case you're going illegal: software is made by programmers and software engineers, who need to put food on the table for their families... please, if you enjoy a piece of software, please purchase it, or seek a free software alternative, and if you have the ability to provide a donation, please do. As a developer myself with my free software, any donation, even if it's $1, is GREATLY appreciated, as it at least pays part of the server and domain name... meaning the project can still go on.
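The manifest mechanism described in the post above can be seen directly in the XML: the elevation request lives in a `requestedExecutionLevel` element inside `trustInfo`, and its `level` attribute is what decides whether the UAC dialog appears. The script below is an added example, not GoodBytes' code and not a Microsoft tool: it parses that element from manifest text and models the prompt decision for the three defined levels (`asInvoker`, `highestAvailable`, `requireAdministrator`). Both manifests are constructed, extracting the manifest resource from a real .exe is not covered, and treating a manifest with no `trustInfo` as `asInvoker` is an assumption of this model (Windows additionally applies installer-detection heuristics to unmanifested 32-bit executables).

```python
"""Read the UAC elevation request from an application manifest.

Added example, not from the thread. Windows decides whether to show the UAC
prompt from the requestedExecutionLevel element of the manifest embedded in the
executable; this reads that element from manifest XML text and models the prompt
decision for the three defined levels. Both manifests below are constructed.
"""
import xml.etree.ElementTree as ET

# The trustInfo block is declared in the v3 namespace; older manifests use v2.
NAMESPACES = {
    "v3": "urn:schemas-microsoft-com:asm.v3",
    "v2": "urn:schemas-microsoft-com:asm.v2",
}

# Constructed manifest of a program that always wants true admin: UAC prompts every launch.
ADMIN_MANIFEST = """\
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""

# Constructed manifest of an ordinary program: runs with the caller's filtered token, no prompt.
USER_MANIFEST = """\
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>
"""

# Constructed manifest with no trustInfo at all (e.g. one that only declares a dependency).
NO_TRUSTINFO_MANIFEST = """\
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity name="example.app" version="1.0.0.0" type="win32"/>
</assembly>
"""


def requested_level(manifest_xml: str) -> str:
    """Return the level attribute of requestedExecutionLevel, checking v3 then v2 namespaces."""
    root = ET.fromstring(manifest_xml)
    for prefix in ("v3", "v2"):
        node = root.find(f".//{prefix}:requestedExecutionLevel", NAMESPACES)
        if node is not None:
            return node.get("level", "asInvoker")
    return "asInvoker"  # assumption of this model: no trustInfo -> run as the invoker


def uac_prompts(level: str, user_is_admin: bool) -> bool:
    """Model of when the UAC dialog appears for a given level and account type."""
    if level == "requireAdministrator":
        return True              # consent prompt for admins, credential prompt for standard users
    if level == "highestAvailable":
        return user_is_admin     # admins are asked to elevate; standard users just run unelevated
    return False                 # asInvoker: no prompt, runs with the caller's token


if __name__ == "__main__":
    for label, manifest in (("admin", ADMIN_MANIFEST), ("user", USER_MANIFEST),
                            ("no trustInfo", NO_TRUSTINFO_MANIFEST)):
        level = requested_level(manifest)
        print(f"{label}: level={level}, prompts admin={uac_prompts(level, True)}, "
              f"prompts standard user={uac_prompts(level, False)}")
```

The thread's rule of thumb follows from the model: a file that claims to be a picture or video has no business carrying a `requireAdministrator` manifest, so an unexpected UAC prompt on opening such a file is the signal to click Cancel.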
System image backup is incorporated in all Win 7 versions; in Windows Vista, only for Business and up. It can save you a ton of work when you have to start over. I use it when I would otherwise perform a clean install. I also recommend MSE: not intrusive, catches plenty of stuff and uses little resources. If you really want a paid AV, look into NOD32.
Hey guys, thanks again! As always, your help is much appreciated. I was wondering about not using Window Washer. I know that CCleaner does most of what Window Washer does, and Window Washer doesn't actually work under Windows 7 yet, but I found the "Bleach" and "Shred" tools pretty useful. Is there any alternative to this kind of near-permanent deletion tool? (I realise that nothing is truly gone unless physically damaged, but WinWash certainly made things difficult to retrieve.) As for NOD32, I actually moved from NOD to Avira, which I now prefer more! Don't worry about the "going illegal" part, I'll be purchasing Win7 Pro from either Dabs or Overclockers in January when I get paid. I actually quite like it despite its horrible visual similarities to OS X. There are a few questions I'd like to ask about Win7 before I purchase, but I'll have a look around the other threads and start a thread of my own if I don't find what I'm looking for. Thanks again! Oh, and Merry Christmas for next week!
If you use Mac OS X, the only thing that LOOKS the same from afar is the large icons on the task bar. Win7 is FAR from being used the same way as Mac OS X. And that is if you leave the task bar with big icons and set to combine (you can change those by right-clicking on the task bar > Properties).
What always makes me laugh is when I get an email from someone I know, and it's a virus attached or a link to a virus site, and they are like "oh, my machine has been running kind of slow lately"... then the next thing you know they've wiped and have no backup of their work XD