Author Topic: modified winlogon is this a real threat  (Read 7667 times)
donut53
« on: August 04, 2012, 12:12:17 PM »

After running a CCE quick scan it showed one threat. I chose to ignore the threat for now and ran a scan using CIS. The CIS scan found no threats. Here is the text info from the CCE scan.

====== System Information ======
Computer Name:   HPDESKTOP
Log on User:   John
Memory Size:   7.75 GB.
Windows Directory:   C:\Windows
Windows Version:   7 (64bit)
CCE Version:   2.5.242177.201

Virus database version: 13147

[12:45:29] Scan started.
====== Cleanup results ======
Global   WINLOGON   SYSCHANGE   Ignore   OK

What should I do?

EricJH (Global Moderator)
« Reply #1 on: August 04, 2012, 04:34:45 PM »

Please check the digital signature of the winlogon file to see if it has a valid digital signature by Microsoft.

To know for sure that winlogon.exe is the original file you can use Sigcheck to see if it is digitally signed by Microsoft.

Download this zip archive and unpack it to C:\Program Files\SysinternalsSuite\ . When done run sigcheck.reg to add it to the registry.

When this is done navigate to the system32 folder, look up and select winlogon.exe, right-click and choose Signature from the context menu. A black command box will pop up. See if it is signed or not.
donut53
« Reply #2 on: August 05, 2012, 12:11:07 PM »

Quote from: EricJH
Please check the digital signature of the winlogon file to see if it has a valid digital signature by Microsoft.

To know for sure that winlogon.exe is the original file you can use Sigcheck to see if it is digitally signed by Microsoft.

Download this zip archive and unpack it to C:\Program Files\SysinternalsSuite\ . When done run sigcheck.reg to add it to the registry.

When this is done navigate to the system32 folder, look up and select winlogon.exe, right-click and choose Signature from the context menu. A black command box will pop up. See if it is signed or not.


I am unable to get a black command box to open. I right-click on the file and select Signature, but then I get a box asking what program to open the .mui file with.
EricJH (Global Moderator)
« Reply #3 on: August 05, 2012, 12:49:01 PM »

That's odd and has me stuck for an answer.

I asked the other mods to take a look at this problem.
« Last Edit: August 05, 2012, 12:57:01 PM by EricJH »

Ronny (Global Moderator)
« Reply #4 on: August 05, 2012, 01:16:55 PM »

Please run the extra tool 'Autoruns' and click on the 'Winlogon' part in the left menu.
Then post a screenshot of the results please so we might see what has been changed.
donut53
« Reply #5 on: August 05, 2012, 02:32:59 PM »

Quote from: Ronny
Please run the extra tool 'Autoruns' and click on the 'Winlogon' part in the left menu.
Then post a screenshot of the results please so we might see what has been changed.

Here it is, and I also provided a screenshot of the CCE scan.

Does it make sense to you that CCE would show a threat but CIS does not?
« Last Edit: August 05, 2012, 02:48:01 PM by donut53 »

jay2007tech (Malware Research Group, Global Moderator)
« Reply #6 on: August 05, 2012, 07:02:11 PM »

how about this

Click on "start"
Click on "All Programs"
Click on "Accessories"
Click on "Command Prompt"  <---------Right Click on - RUN AS ADMIN
type in  "sfc /scannow"       <----without the "      "
donut53
« Reply #7 on: August 05, 2012, 07:55:13 PM »

Quote from: jay2007tech
how about this

Click on "start"
Click on "All Programs"
Click on "Accessories"
Click on "Command Prompt"  <---------Right Click on - RUN AS ADMIN
type in  "sfc /scannow"       <----without the "      "

Ran sfc /scannow earlier today and no problems or issues were found.
« Last Edit: August 05, 2012, 08:24:39 PM by donut53 »

jay2007tech (Malware Research Group, Global Moderator)
« Reply #8 on: August 05, 2012, 08:02:00 PM »

Quote from: donut53
Ran sfc /scannow earlier today and no problems or issues were found.

If that's your only issue, I wouldn't worry about it.
languy99 (Global Moderator)
« Reply #9 on: August 05, 2012, 10:55:38 PM »

Go to Start and type msconfig; please post a pic of each tab. Thanks
Ronny (Global Moderator)
« Reply #10 on: August 06, 2012, 11:33:29 AM »

There are several stages of 'winlogon', e.g. in win.ini and system.ini, the registry, etc.
The CCE entry doesn't give a clue where to look for modified things; I'd suggest running an MBAM scan to see if that shows more details.
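A defender-side check covering both points raised in the thread, the winlogon.exe signature (Reply #1) and the registry "stages" of Winlogon (Reply #10), as an added PowerShell example that is not part of this thread or of any Comodo tool. It assumes an elevated prompt on Windows 7 or later, the Sysinternals path the thread uses, and that the stock Shell and Userinit values are the expected ones.

```powershell
# Added example, not from the thread: check winlogon.exe's signature and the
# Winlogon registry values that Autoruns lists under its 'Winlogon' tab.
# Run from an elevated PowerShell prompt.
$winlogon = Join-Path $env:SystemRoot 'System32\winlogon.exe'

# 1. Authenticode check. Caveat: on Windows 7 / PowerShell 2.0 this cmdlet does
#    not look in catalog files, so catalog-signed system files can show
#    'NotSigned' here even though sigcheck reports them as signed; treat
#    sigcheck as the authority in that case.
$sig = Get-AuthenticodeSignature -FilePath $winlogon
[pscustomobject]@{
    Path   = $winlogon
    Status = $sig.Status                     # 'Valid' on a clean system
    Signer = $sig.SignerCertificate.Subject  # should name Microsoft
}
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    Write-Warning 'winlogon.exe does not show a valid Microsoft signature here; confirm with sigcheck.'
}

# 2. Same check with Sigcheck (path as used in the thread), which does read
#    catalogs. -i prints catalog and signer chain, -h prints file hashes.
$sigcheck = 'C:\Program Files\SysinternalsSuite\sigcheck.exe'
if (Test-Path $sigcheck) { & $sigcheck -accepteula -i -h $winlogon }

# 3. Registry stage: Shell and Userinit are the usual place a 'winlogon
#    modified' finding points at. Expected values are those of a stock
#    install (assumption); anything appended after them is worth a look.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expected = @{
    Shell    = 'explorer.exe'
    Userinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
}
$actual = Get-ItemProperty -Path $key
foreach ($name in $expected.Keys) {
    $value = $actual.$name
    $state = if ($value -ieq $expected[$name]) { 'OK' } else { 'CHANGED' }
    '{0,-9} {1,-8} {2}' -f $name, $state, $value
}
```

On 64-bit systems the Wow6432Node copy of the Winlogon key can be checked the same way by swapping the key path.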
EricJH (Global Moderator)
« Reply #11 on: August 06, 2012, 12:48:31 PM »

Just thinking out loud. Maybe it is responding to the file-not-found situation? Try disabling the autorun entry with the file not found error and try again.

Also try running chkdsk to see if the file system is intact. Run chkdsk /f from the command prompt and allow Windows to run chkdsk on the next boot.
donut53
« Reply #12 on: August 07, 2012, 10:11:50 AM »

Quote from: languy99
Go to Start and type msconfig; please post a pic of each tab. Thanks

Here they are
donut53
« Reply #13 on: August 07, 2012, 10:35:44 AM »

Quote from: EricJH
Just thinking out loud. Maybe it is responding to the file-not-found situation? Try disabling the autorun entry with the file not found error and try again.

Not sure what you want me to do. Please help me understand. ty


Fixed the quote. Eric
« Last Edit: August 07, 2012, 06:14:28 PM by EricJH »

donut53
« Reply #14 on: August 07, 2012, 11:07:06 AM »

Quote from: Ronny
There are several stages of 'winlogon', e.g. in win.ini and system.ini, the registry, etc.
The CCE entry doesn't give a clue where to look for modified things; I'd suggest running an MBAM scan to see if that shows more details.


Do you think this is even an issue? MBAM and CIS do not find any threats, only CCE does.