GenderLife Forum: The Information Exchange

I got a worm in my computer that keeps redirecting me to useless search engines like newserversearch.com and adsense.com.

The trick is this: this worm has installed itself in WinLogon.exe. It has other hidden copies of itself. When I boot, if the worm is not running, it installs itself in the registry and starts with Windows.

To kill it, I have to terminate it in each process (Process Explorer does the trick), clean the registry (RegCleaner), delete it from the browsers (HijackThis!), disable any suspicious start program (Autoruns) and terminate WinLogon itself (using Killbox).

Of course, that means the computer reboots. Then, since the worm has made dozens of copies of itself (I've found many, but others are still there: it does NOT change the modified time! and it appends itself to legit exe and dll files!), it just re-installs itself and starts sending me to crap search web sites and makes my computer slow as molasses.

Short of doing a full reinstall, this one is a nightmare. Of course, I've run the usual course of antivirus, antimalware, antispyware and antiworm software (AVG, Avast, Spybot, etc. --nothing that is not free, though).

Any ideas? This is the Worm from Hell.

Boot up in safe mode (press F5 or F8 before the Windows load screen appears after boot up).
In safe mode, processes are stripped back to the minimum. You'll be able to run a virus scan without most of the worm processes running.
Also go to Start/Run and type msconfig. Go to the startup tab and remove any objects that look suspicious.
You can check suspicious startup objects and processes at http://www.sysinfo.org to make sure whether they are legit or nasty.

Oh, but I know exactly in what process the worm is hiding: Windows Logon (winlogon.exe).

Even in safe mode, it's one of the essential processes that is ALWAYS there (like System, svchost, services and rundll32).

The only way to clean is to nuke the process, which means the computer shuts down, and to pre-select deletion of infected files on reboot (Killbox can do that).

The bad thing is that the worm doesn't leave any detectable cues behind: it doesn't change the time stamp and all antiworms/antivirus fail to detect it. I've found it inside some files only because they are running when they shouldn't be, or their size appears unfamiliar (I'm enough of a geekette to notice when my RCMan.exe is bigger than it should be).

So, unless I manage to mark ALL infected files for deletion upon reboot in Killbox, and I've killed all the processes/threads related to it in Process Manager before, it will come back again and again.

A pest.

The problem is that those morons at MicroSoft have made Winlogon a loader program, which means as soon as your computer starts, any program that has the call instruction to be loaded by Winlogon will be loaded, before nearly everything else.

That's how they run the authenticity verification software. So all a worm like this has to do is to pretend to be an authentication check, and winlogon.exe loads it stupidly in memory as the first thing when the computer starts.

Genius, no?

From what I've read,it sounds like you might have whats called a multipartite virus.

There comes a time when one must weigh the effort required to continue the fight against the effort required to format and re-install.

I tend to add artificial weight to re-installs, first because that way I'm SURE I didn't miss a problem somewhere, and second because Windows seems to be happier if it's wiped every 6 months or so anyway. ^_^

One option that I just read about is to do a system restore to an earlier date.It won"t work though if system restore has been infected , disabled by the virus,or if the earlier files are infected also.Just my 2 cents worth.

Use a dos bootdisk or a linux bootdisk. You can then replace winlogon.exe with a clean version from another PC.

Myself, I'd just load windows onto a second partition, then clean the original install from the second install (if I was that desperate to keep the original install. Personally, I'd just nuke the original install).

I agree that Windoze needs to be reinstalled every so often. So far I have only had to resort to reinstalling twice.

I try to do it every 6 months. Blows out the accumulated crap.

Well, looks like I did it.

I write-protected all the EXEs and DLLs and then deleted or replaced by clean versions the ones that were called at bootup (by Winlogon) when they shouldn't have been called.

Cleaned the registry by hand (which is a bitch) and made sure that there were no autoloading calls in the Autoruns (which was easy) and, after Killboxing things a dozen times, it seems to be clean.

Cross my fingers.

Woo! I am extremely impressed by your worm squashing abilities. I didn't think you could save Windows like that, but I guess you can!

Now stay away from warez sites.

Warez??? What warez???

Actually, it's movies. Can't get the versions in Spanish around here, only English and French, and I don't order online because of credit card paranoia.

Since my mom only understands Spanish and Italian, I have to get copies in those languages for her to watch, when I want her to see a movie (that I own in English or French, but she cannot understand those).

Sucks, no?

Why don"t you just redo the movies that you have in English and French by adding subtitles to the movies in Spanish and Italian?

Because my mom is over 70 and has poor vision, now. She enjoys the movies better if she can focus on the action, instead of having to read the subs.

Otherwise, ripping the DVDs I have, adding the subs with Subtitle Workshop and burning it again takes about the same in total.

Stinky
At least Pan's Labyrinth would have been easy!

Download MalwareBytes:

http://www.malwarebytes.org/mbam.php

It will have to reboot to fix it. And try to stay away from sites that load java. And use newsgroups for movie stuff. Safer.

If you use Firefox, get the NoScript add-on. You have to give permission for sites to use JavaScript, but it's amazing how many useless extraneous scripts you can find on even a regular Web page.

Oh and one more thing.......

You need to go into "My Computer" and turn off the automatic System Restore. Of course if you have a power outtage while you're removing the thing your fucked. But you see windows makes a registry backup of your last logon or boot. So if this thing is there you must prevent windows from having access to that.

Then boot in safe mode and remove the virus. or worm. or whatever. Empty the trash just in case.

Then if you feel lucky, you can use the power switch on the back of your computer. Then repower and hard boot. Note you can lose a lot of crap this way, but then looking at your system, I don't see a downside.

If that doesn't work take it to a computer repair shop and have them remove it for you.

Get a decent anti-virus anti-spyware program like Vipre.

For those who pick up a rootkit or similar nasty that seems to be immune to ordinary anti-virus products I suggest Hitman-Pro.

It is a different kind of anti-malware product that uses a cloud-computing approach. That is to say it uses internet while running.

Hitman-Pro does not inoculate your computer or prevent infections, it only searches for and cleans up infections found. It operates in part by checking suspicious files against its database and the first suspicious but unrecognized file is uploaded for off-line manual analysis and incorporation into the cloud if anything nasty is found.

So let me summarize, HitmanPro is not what you want to use for your everyday anti-virus, it would not do a good job. But it is what you want to use for an infection that seems to be immune to anything else.

It is shareware, free for 30 days trial. That will seem a really good deal if your computer is otherwise screwed. At least to get your safely back on the air while you clean it up.

Isn't that in itself a bit risky? A program that will need to send stuff from your computer to the company that produces it?

You need to trust that company completely, make sure they won't be sending your cacheed bank passwords and card numbers.

That is the definition of Spyware, Adware.......... Once again Marcella you are right....................

I use Spybot Search and Destroy and MalwareBytes and I have zero problems. I use these with Norton Gamer Edition.

Yes it is risky.

The Hitman Pro folks have a good reputation, but yes, in the end that is all you have. They do upload only executables, or so they say.
Yes, you need to trust them. But no, "trust completely" is probably overstating it. Many folks are blissfully unaware of just how risky their computing is already.

As I alluded to, Hitman Pro can cure some really really nasties when nothing else will, but it is not a cure of first resort.

To everyone, you will know you have big problems when clicking on a Google search result frequently takes you to unexpected spam.

spysheriff is always funs.

Spybot S&D worked well, but it's "Teatimer.exe" program that was the heart of the application was raising hell with driver conflicts in my audio workstation. So I turned it off. And forgot to turn it back on... got a nasty trojan. Vipre killed it on installation.