Author Topic: HELP PLEASE! Rootkit Hidden Process - winlogin.exe  (Read 15197 times)


PamJ

  • Guest
Re: HELP PLEASE! Rootkit Hidden Process - winlogin.exe
« Reply #15 on: November 07, 2008, 04:02:46 PM »
Maxx-original, Less than ten minutes after I get into Windows, avast gives me a suspicious file warning that this rootkit has been detected.  It gives me the choice of deleting, or ignoring.  When I choose "ignore", it then warns me that it's dangerous to work with a virus in the operating memory, and suggests I let avast do a scan during the boot phase.  If I choose "yes," then the computer reboots and goes into an avast scan.

When I did the scan because of this warning for the first time yesterday, it found this item.  I didn't put it in the chest at the time, because I didn't know what I was doing (see previous posts of mine)--and came running here!  Last night, I went through the process in the above paragraph of this post three times, and avast never found the offending file during the boot scan, even though it warned me about it each time before I selected to do the boot scan.  (Found a couple other things, though, including one other rootkit related to mywebsearch, and a webex thing.)

I tried doing a "thorough scan" on the windows/system32 file itself, and it came up with nothing.

DavidR, should I now just try those two programs you suggested?

If everything else fails, should I choose "delete" instead of ignore?  I realize that's really a no-no, because if there's some small chance it's not a virus/malware, I'll be in trouble.  (I do see the suspicious winlogIN file sitting right alongside the MS winlogON in Sys32).

The only scan I haven't done is when you open avast, it automatically does a memory scan, but I've been stopping that scan so I can go right into the program. Is this scan different than other scans I've had avast do?

Anyone ever have avast continually give a warning about something, and then not find it so it can be put in the chest?

It doesn't appear I can move the offending file to the chest manually, as the instructions for moving files into the "user files," appear to say you have to open the file to do it, which of course I can't do (doesn't make sense to me, so maybe I'm reading the instructions on how to do it incorrectly).

Thanks!
« Last Edit: November 07, 2008, 04:28:42 PM by PamJ »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: HELP PLEASE! Rootkit Hidden Process - winlogin.exe
« Reply #16 on: November 07, 2008, 04:51:28 PM »
Deletion as Maxx said isn't a very good option as you effectively have none left.

But if this file can be found on your system you could have it analysed at: VirusTotal - Multi engine on-line virus scanner and report the findings here. However by its nature this file is likely to be hidden as per the anti-rootkit scan (happens 8 minutes after boot) it is hiding from view.

- Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, see image. This however may not reveal a file hidden from the system.

As for the other two applications I personally would run them, they too have option to quarantine, etc.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: HELP PLEASE! Rootkit Hidden Process - winlogin.exe
« Reply #17 on: November 07, 2008, 05:12:36 PM »
PamJ: that's exactly what I'm talking about... antirootkit detection goes another way than the scanner detection (antirootkit could be more proactive)... you have been notified about the infection and the file was sent to us (if you haven't unchecked the default option)... the exact detection for avast scanner should be released soon (maybe today)...

PamJ

  • Guest
Re: HELP PLEASE! Rootkit Hidden Process - winlogin.exe
« Reply #18 on: November 07, 2008, 06:11:19 PM »
Ah, now I think I see.  The detection of the rootkit works differently than the scan(ner) does--any scan--which explains why it's detecting it, but doesn't see it during the scan!  And the detection of this rootkit thing by the scan(ner) is what you mentioned should be released soon.

Yes, Maxx, that option to send to avast is checked.  If it sends it every time the warning comes up, you probably have received it about 5 or 6 times by now.  (Sorry!)  (Didn't know if maybe a log was kept of things sent to avast, so when/if it comes up again, it won't send a duplicate.)

Again, please excuse my ignorance on some of this stuff.  I am learning, though!
« Last Edit: November 07, 2008, 06:15:12 PM by PamJ »

PamJ

  • Guest
Re: HELP PLEASE! Rootkit Hidden Process - winlogin.exe
« Reply #19 on: November 08, 2008, 01:03:45 AM »

- Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, see image. This however may not reveal a file hidden from the system.

DavidR, you are a genius!  The hidden files option was already set to disable (meaning the files aren't hidden), but I did have to change the protected system files so they wouldn't be hidden.  I was going to do a boot-time scan, but had a few questions about it (which I'll post later in another thread), so I decided to try the simple way first, and just did a thorough scan on the sys32 folder. (Doing this scan before "unhiding" the system files didn't find anything.) 

THIS time the scan found it, and I was able to move it into the chest.  Now I can breathe a little easier while I learn a bunch more, get some more security on my system, and run some of those other AV programs you mentioned to get things as clean as possible.


Thank YOU!

« Last Edit: November 08, 2008, 01:09:33 AM by PamJ »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: HELP PLEASE! Rootkit Hidden Process - winlogin.exe
« Reply #20 on: November 08, 2008, 01:47:56 AM »
You're welcome, looks like Maxx has added the signature of this to the VPS for the regular scanner part of avast.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: HELP PLEASE! Rootkit Hidden Process - winlogin.exe
« Reply #21 on: November 08, 2008, 02:35:17 AM »
Just did a thorough scan on the sys32 folder. (Doing this scan before "unhiding" the system files didn't find anything.)
This shouldn't happen... avast scans hidden files, at least, it should.
The best things in life are free.

PamJ

  • Guest
Re: HELP PLEASE! Rootkit Hidden Process - winlogin.exe
« Reply #22 on: November 08, 2008, 03:12:29 PM »
Just did a thorough scan on the sys32 folder. (Doing this scan before "unhiding" the system files didn't find anything.)
This shouldn't happen... avast scans hidden files, at least, it should.

I'm new at these scans, but I did do several "thorough" scans on just the sys32 folder before I changed the settings so protected system folders would not be hidden.  Nothing came up before I did that. The first time I did it after unhiding those folders, the warning popped up that this suspicious rootkit had been found, and I safely moved it to the chest.  (Prior to this I was getting the warning shortly after the computer booted up every time, but the boot scan wasn't finding it (found other stuff, though).)

I'm just glad it's in the chest now, and thank everyone for their help.  I'll be hanging around here, reading, and learning!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: HELP PLEASE! Rootkit Hidden Process - winlogin.exe
« Reply #23 on: November 08, 2008, 03:59:34 PM »
The un-hiding of files is basically so 'you' can check with Windows Explorer, find it and upload it to VirusTotal, etc. (no longer required); the hiding of files is from the user interface and, as Tech mentions, avast isn't relying on that.

The reason it was detected this time round was because the signature was added in a VPS update, previously it wasn't detected as there was no signature to check against. So previous to the VPS update, the only means of finding the suspect file was by the anti-rootkit scan/analysis which is completely different and doesn't rely on signatures to find suspect files.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: HELP PLEASE! Rootkit Hidden Process - winlogin.exe
« Reply #24 on: November 08, 2008, 04:02:33 PM »
I suggest you test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.

PamJ

  • Guest
Re: HELP PLEASE! Rootkit Hidden Process - winlogin.exe
« Reply #25 on: November 08, 2008, 04:44:55 PM »
The un-hiding of files is basically so 'you' can check with Windows Explorer, find it and upload it to VirusTotal, etc. (no longer required); the hiding of files is from the user interface and, as Tech mentions, avast isn't relying on that.

The reason it was detected this time round was because the signature was added in a VPS update, previously it wasn't detected as there was no signature to check against. So previous to the VPS update, the only means of finding the suspect file was by the anti-rootkit scan/analysis which is completely different and doesn't rely on signatures to find suspect files.

Oh, so between the other times and this time I did it, Avast! had automatically updated, which included this problem (signature?), when it hadn't before.  (I'm sorry, still not up on all the terminology. If I'm understanding--- a "signature" is something in the database that Avast! uses to check your computer against when it runs scans, sort of a description of a virus, etc, that it needs to look for.  Right?  )

Tech, I intend to run several applications this w/e, including those mentioned earlier by DavidR.  I will add your suggestions as well. Thank you.

This place is great!
« Last Edit: November 08, 2008, 04:54:56 PM by PamJ »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: HELP PLEASE! Rootkit Hidden Process - winlogin.exe
« Reply #26 on: November 08, 2008, 05:45:34 PM »
A signature is much like a fingerprint when looking for criminals, a signature is used when looking for viruses/malware, etc. The VPS (a.k.a. iAVS) containing these signatures is the avast virus database and is automatically updated so you have the latest signatures.

A simplification, there will be code within the malware file that can be recognised as belonging to a specific virus/malware and that is known as its signature and how it would be detected in the future.
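As an added illustration (not code from this thread, from avast, or from any poster), the Python below models the two points made in the replies above: why the lookalike winlogin.exe only showed up in Explorer once protected operating system files were unhidden, and why a signature-based scanner cannot flag a file until its signature is in the database while a name-based heuristic can still flag it. The file names, attributes and contents are constructed sample data, and the short known-binary inventory is an assumption.

```python
import hashlib
from typing import NamedTuple

class Entry(NamedTuple):
    name: str
    hidden: bool      # Explorer "Hidden" attribute set
    system: bool      # Explorer "protected operating system file" attribute set
    content: bytes    # stand-in file bytes (constructed, not real binaries)

# Constructed stand-in for a System32 listing; sample values, not real files.
SAMPLE_SYSTEM32 = [
    Entry("winlogon.exe", False, False, b"MZ-sample-legit-winlogon"),
    Entry("svchost.exe", False, False, b"MZ-sample-legit-svchost"),
    Entry("winlogin.exe", True, True, b"MZ-sample-suspect"),  # lookalike, hidden + system
]

# Assumed short inventory of well-known names; a real check would use a full one.
KNOWN_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe"}

def visible_names(entries, show_hidden=False, show_system=False):
    """Names Explorer would list under the given Folder Options settings."""
    return [e.name for e in entries
            if (show_hidden or not e.hidden) and (show_system or not e.system)]

def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_names(entries, known=KNOWN_BINARIES, max_dist=1):
    """Heuristic check: names within max_dist edits of a known binary, but not that binary."""
    return [e.name for e in entries
            if e.name not in known
            and any(edit_distance(e.name, k) <= max_dist for k in known)]

def signature_for(entry):
    """The 'signature' this toy scanner uses: a SHA-256 of the file content."""
    return hashlib.sha256(entry.content).hexdigest()

def signature_scan(entries, signature_db):
    """Signature check: flag only entries whose signature is already in the database."""
    return [e.name for e in entries if signature_for(e) in signature_db]
```

With an empty database the signature scan returns nothing while the lookalike check already flags winlogin.exe; once the suspect's signature is added (the VPS update in the thread), the signature scan flags it too.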

PamJ

  • Guest
Re: HELP PLEASE! Rootkit Hidden Process - winlogin.exe
« Reply #27 on: November 08, 2008, 06:00:55 PM »
Thanks, DavidR, for your patience in explaining these things!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: HELP PLEASE! Rootkit Hidden Process - winlogin.exe
« Reply #28 on: November 08, 2008, 06:13:54 PM »
You're welcome, it has been quite a learning experience for you ;D

PamJ

  • Guest
Re: HELP PLEASE! Rootkit Hidden Process - winlogin.exe
« Reply #29 on: November 08, 2008, 06:31:38 PM »
Yes, DavidR, it has!  ;D

I love working with computers and learning about everything, but unfortunately that learning usually (not always, but usually) stems from problems that come up (like this one), and then I have to stop and learn in order to fix!  I intend to change that!  (Too much TV!!!   ;D )