? re programs renamed to winlogon.exe, changing back


Hi!

I know of someone who has been hit with "Total Security", a rogue antivirus program. (Hopefully this person will post here for help!) It looks like "Total Security" is displaying behavior at least similar to System Security in that basically, all that is functional is a browser, and folders can be opened. This person is unable to download Malwarebytes.

I was reading over the steps here:

http://www.malwarebytes.org/forums/index.php?showtopic=17583

When it gets to the point of renaming procexp.exe to winlogon.exe and then running it, then you can stop the malware by using Process Explorer. Then the next step would be navigating to the Malwarebytes website to download Malwarebytes, and install and run that, and then remove what is found.

Should that procexp.exe which has been renamed winlogon.exe be renamed back to procexp.exe BEFORE rebooting? Or can it even be deleted altogether?

In a different situation, if a person already did have Malwarebytes installed and it was simply being prevented from running, and so you renamed the .exe to winlogon.exe, I would assume you would rename it back to its correct name before performing the reboot required to remove the malware? Or would you have to leave it with that winlogon name in order for the removal process to be successfully completed by rebooting? And then you would want to change it back to its correct name after the reboot?

There already is a winlogon.exe in the system32 folder, I guess I am wondering if having 2 programs with that name would be a problem during the boot process.

(Sorry if maybe this is a silly question, but I would like to be certain in case I encounter a situation where I need to do this.)

Well, disregard the stuff about Total Security, I see there is a thread going about that. I probably didn't really need to include that in the first place, it was just that this was the issue that got me reading about this in the first place and wondering if there was some way around it.

I would still be interested to know the answers to my questions about changing file names to winlogon.exe. Just in case... :rolleyes:


  • Staff

Process Explorer is a standalone application (run as is, no installer/uninstaller) and the general rule of thumb with all applications like this is that renaming has no effect and is safe to do as often as you would like; it won't affect anything.

You can keep Process Explorer as is, rename it back or delete it completely; it's up to you and won't change anything no matter what you choose.

If you delete it you can always download it again if you needed it.

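An added example (not part of the original thread or the linked guide): a PowerShell check that lists every running process named winlogon.exe and tells the Windows logon process in System32 apart from a renamed copy by full path and embedded version resource. It assumes PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example. Lists every running process whose image name is winlogon.exe
# and reports where the file lives and what it was originally built as.
# Run from an elevated prompt; otherwise the path of system processes is hidden.

$expected = Join-Path $env:SystemRoot 'System32\winlogon.exe'

Get-CimInstance -ClassName Win32_Process -Filter "Name = 'winlogon.exe'" |
    ForEach-Object {
        $path = $_.ExecutablePath

        if (-not $path) {
            $location = 'unknown (path not readable, rerun elevated)'
            $original = $null
        } else {
            # Compare the full path, not the name: the name is what was changed.
            $location = if ($path -ieq $expected) {
                'System32 (Windows logon process)'
            } else {
                'outside System32 (not the Windows logon process)'
            }

            # Renaming a file does not touch its embedded version resource,
            # so OriginalFilename still shows what the program really is.
            $original = (Get-Item -LiteralPath $path).VersionInfo.OriginalFilename
        }

        [pscustomobject]@{
            ProcessId        = $_.ProcessId
            Path             = $path
            Location         = $location
            OriginalFilename = $original
        }
    } |
    Format-List
```

Any entry reported outside System32 is a leftover renamed tool or something else using the name, and can be reviewed and removed once cleanup is finished.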

OK, thanks! I think if I ever needed it, I would just keep process explorer. (Hey, maybe I'll just get it now. :rolleyes: Why not, eh?)

Re the subject of renaming the Malwarebytes .exe, if you changed the name back from the winlogon rename, at what stage in the removal process would you do that?
