GenderLife Forum: The Information Exchange

I got a worm in my computer that keeps redirecting me to useless search engines like newserversearch.com and adsense.com.

The trick is this: this worm has installed itself in WinLogon.exe. It has other hidden copies of itself. When I boot, if the worm is not running, it installs itself in the registry and starts with Windows.

To kill it, I have to terminate it in each process (Process Explorer does the trick), clean the registry (RegCleaner), delete it from the browsers (HijackThis!), disable any suspicious start program (Autoruns) and terminate WinLogon itself (using Killbox).

Of course, that means the computer reboots. Then, since the worm has made dozens of copies of itself (I've found many, but others are still there: it does NOT change the modified time! and it appends itself to legit exe and dll files!), it just re-installs itself and starts sending me to crap search web sites and makes my computer slow as molasses.

Short of doing a full reinstall, this one is a nightmare. Of course, I've run the usual course of antivirus, antimalware, antispyware and antiworm software (AVG, Avast, Spybot, etc. --nothing that is not free, though).

Any ideas? This is the Worm from Hell.

Boot up in safe mode (press F5 or F8 before the Windows load screen appears after boot up).
In safe mode, processes are stripped back to the minimum. You'll be able to run a virus scan without most of the worm processes running.
Also go to Start/Run and type msconfig. Go to the startup tab and remove any objects that look suspicious.
You can check suspicious startup objects and processes at http://www.sysinfo.org to make sure whether they are legit or nasty.

Oh, but I know exactly in what process the worm is hiding: Windows Logon (winlogon.exe).

Even in safe mode, it's one of the essential processes that is ALWAYS there (like System, svchost, services and rundll32).

The only way to clean is to nuke the process, which means the computer shuts down, and to pre-select deletion of infected files on reboot (Killbox can do that).

The bad thing is that the worm doesn't leave any detectable cues behind: it doesn't change the time stamp and all antiworms/antivirus fail to detect it. I've found it inside some files only because they are running when they shouldn't be, or their size appears unfamiliar (I'm enough of a geekette to notice when my RCMan.exe is bigger than it should be).

So, unless I manage to mark ALL infected files for deletion upon reboot in Killbox, and I've killed all the processes/threads related to it in Process Manager before, it will come back again and again.

A pest.

The problem is that those morons at MicroSoft have made Winlogon a loader program, which means as soon as your computer starts, any program that has the call instruction to be loaded by Winlogon will be loaded, before nearly everything else.

That's how they run the authenticity verification software. So all a worm like this has to do is to pretend to be an authentication check, and winlogon.exe loads it stupidly in memory as the first thing when the computer starts.

Genius, no?

From what I've read,it sounds like you might have whats called a multipartite virus.

There comes a time when one must weigh the effort required to continue the fight against the effort required to format and re-install.

I tend to add artificial weight to re-installs, first because that way I'm SURE I didn't miss a problem somewhere, and second because Windows seems to be happier if it's wiped every 6 months or so anyway. ^_^

One option that I just read about is to do a system restore to an earlier date.It won"t work though if system restore has been infected , disabled by the virus,or if the earlier files are infected also.Just my 2 cents worth.

Use a dos bootdisk or a linux bootdisk. You can then replace winlogon.exe with a clean version from another PC.

Myself, I'd just load windows onto a second partition, then clean the original install from the second install (if I was that desperate to keep the original install. Personally, I'd just nuke the original install).

I agree that Windoze needs to be reinstalled every so often. So far I have only had to resort to reinstalling twice.

I try to do it every 6 months. Blows out the accumulated crap.