This very well could be a real threat that was added in DAT 5808. When the detection occurs, what program or file does McAfee point to? This may be a virus that runs in active memory or is injected into a critical Windows process (rootkit, winlogon.exe). If this is the case, you should start with scans in Safe Mode.
It points to winlogon.exe. So I should scan while in safe mode?
Yes, I would start with a scan in Safe Mode. Safe mode will prevent many programs from starting up with Windows and may also prevent the virus from loading and protecting itself. However, some advanced viruses will find ways to load even in Safe Mode. If this is the case, you will need a specialized tool or BootCD to remove this threat.
I suggest you try MalwareBytes first as it may detect and remove this threat as it has a recovery method that may allow for removal of the instruction to start the virus up with your computer in normal and safe modes.
I have the same problem. I have run malwarebytes, superantispyware, spybot, and McAfee scans all in safe mode, and it is still there, annoying me. I posted on CNET community also, because this virus seems to appear in every process that I open now. I am reposting the post that I put up at CNET here:
For no apparent reason (i.e., I was not browsing, or doing anything else that should have caused a virus appearance), I started getting McAfee warnings from my on-access scan, telling me that I had a virus. At first, the warnings would only come when I opened a VLC media file (like listening to the radio on my computer). Soon after, however, whenever I opened any process, such as a browser, email program, folder, etc., the warning would pop up. It's gotten a little out of hand. When I reboot now, it just appears multiple times warning me that it is in every application that boots up.
It tells me that the name of the program is "WINLOGON.EXE" and has been detected as Generic.dx!har, detection type is a Trojan, and the application it appears in is whatever application I open. For example, it is now telling me that the application is C:\WINDOWS\Explorer.EXE or C:\Program Files\VideoLAN\VLC\vlc.exe.
Often, McAfee says that it has deleted the file, but then it appears again saying that the delete has failed (Clean failed). I have read about it online, and there is a lot of conflicting information out there. It appears it is a real program that is in Windows\system32, but there seems to be the idea that it can become infected, and something will need to be done. I have run all the standard programs, such as malwarebytes, and superantispyware, spybot, and McAfee scans...McAfee is the only one that seems to find this particular virus, and it deletes all but a few places where it appears.
Since finding this virus, my OS seems to have slowed down quite a bit. Anyone out there heard of this, or have any relatively easy ways to take care of it that can be explained to a relative layperson (meaning, I know a little bit about computers, but I am not a programmer, a web designer, and do not work in computers...:(
Thanks in advance for any help you can give me!
I have run Malware Bytes, and McAfee in safe mode. Malwarebytes did not detect anything, McAfee found 2 instances in winlogon.exe, but cannot delete it! Computer is sluggish, but I have no pop ups anymore.
It definitely sounds like a rootkit that is loaded into the Winlogon.exe process. It may also be registered to load into every program as well. This would make it extremely difficult to remove and possibly allow it to hide itself from normal programs. First, let's try to find out if it has any traces pointing to malware in startup sections of your registry.
The tool "AutoRuns" will scan and list all files registered to start up with your computer and browser.
Download and Run AutoRuns
- When it starts, Press <ESC> to cancel the initial scan.
- Go to the OPTIONS menu and make sure "Verify Code Signatures" AND "Hide Microsoft and Windows Entries" are checked.
- Choose the FILE menu -> Refresh.
This will scan your computer's startup locations and list them. It is done when the lower left status bar says "Ready."
You can use the FILE menu to save a file with a list of your startup items. Please attach it to your post and wait for further instructions.
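A saved startup list can also be triaged by script before anyone reads it line by line. The following is an added example, not part of the original post or of AutoRuns itself: it assumes the list was exported as CSV with columns named Entry Location, Entry, Signer and Image Path, that verified signers are prefixed "(Verified)", and it runs over constructed sample rows.

```python
import csv
import io
import ntpath

# Genuine winlogon.exe lives here; a copy anywhere else deserves a closer look.
SYSTEM32 = r"c:\windows\system32"
# Substrings of "Entry Location" for load points that reach winlogon.exe or
# every process (assumed naming of the export, not taken from the thread).
LOAD_POINTS = ("\\winlogon", "appinit_dlls", "\\services", "\\shell")

# Constructed sample export; every name and path below is made up.
SAMPLE = r"""Entry Location,Entry,Signer,Image Path
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit,userinit.exe,(Verified) Microsoft Windows,c:\windows\system32\userinit.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs,example.dll,,c:\windows\system32\example.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,updater,(Not verified) Example Corp,c:\docs\temp\winlogon.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,helper,(Not verified) Example Corp,c:\program files\example\helper.exe
HKLM\System\CurrentControlSet\Services,exampledrv,(Verified) Example Corp,c:\windows\system32\drivers\exampledrv.sys
"""

def triage(csv_text):
    """Return (reason, entry, image_path) for startup entries worth a second look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        location = row["Entry Location"].lower()
        path = row["Image Path"].strip().lower()
        signer = row["Signer"].strip()
        folder, name = ntpath.split(path)
        if name == "winlogon.exe" and folder != SYSTEM32:
            # Same file name as the system process, wrong directory.
            reason = "winlogon.exe outside system32"
        elif not any(key in location for key in LOAD_POINTS):
            continue  # ordinary Run-key items are left for manual review
        elif not path:
            reason = "image file missing"
        elif not signer.startswith("(Verified)"):
            reason = "not signature-verified"
        else:
            continue
        findings.append((reason, row["Entry"], row["Image Path"]))
    return findings

if __name__ == "__main__":
    for reason, entry, image in triage(SAMPLE):
        print(f"{reason:32} {entry:14} {image}")
```

An empty result does not clear the machine: a rootkit that hides its registry entries from user-mode tools will not appear in the export at all.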
Thanks for the speedy reply. I'm not sure if this is the file you are looking for (autoruns.arn), but it is attached here. I do wonder how I might have gotten this trojan, however...I was not even browsing when it first appeared! Anyway, thanks so much for the help. I look forward to the next step, so long as it isn't "reformat, sucker!"
By the way, when I first tried to go to get the autoruns.exe file, and follow the directions you gave with my browser open, my computer shut itself down and rebooted on its own. Strange.
Message was edited by: sldreone on 11/24/09 4:01 AM
AutoRuns.arn.zip 112.1 K
I quickly looked over your Autoruns file and did not see anything questionable listed in the Winlogon, AppInit_DLLs, Services, drivers, or shell entries. I also saw you have Avast, Spybot TeaTimer, SuperAntiSpyware, and McAfee all installed. It's generally not a good idea to have more than one primary antivirus installed and running at the same time.
Chances are this is a rootkit that actively is hiding and protecting itself.
You can try "RootRepeal" to scan and find hidden things on your system.
- Download RootRepeal
- Extract the file to your Desktop and Rename the file to something random like "abcd1234"
- Run the program by double-clicking on it.
- Click on the REPORT TAB at the bottom of the program. [DO NOT SKIP THIS STEP]
- Click on the SCAN Button. Check each option shown. Click OK.
- After a few minutes (depending on your PC speed and number of files on your system), the scan should be done and show a Report text file. Please reply with the information in this file.