
winlogon.exe - are my duplicates or backups?


Recommended Posts

I downloaded something from a website, and it only turned out later that some people have had bad experiences with this website and that the website distributes viruses, miners, Trojans and key-loggers. Understandably, I got worried, scanned my PC a few times, quarantined what I downloaded (it got flagged) and went on with my happy days. However, in the past few days since I downloaded this file my PC has been acting strange - sometimes when booting up, it would stay on a black screen for a while, prompting me to restart my PC. Sometimes my PC has also been running slow - I could barely search things up as the websites would run ever so slowly. I have confirmed this isn't due to a website being down. When my PC was running slow, I ran a thorough internet speed check (the Google one) and found out I was getting around 10 Mbps download speed, which is significantly slower than my average 65.

So I decided to check Task Manager and found some strange services. I looked them up in Chrome and figured out all of them are normal Windows processes (though some have the chance of being malware in disguise). One which stuck out to me was winlogon.exe. Apparently, it can only be found in the System32 folder. I searched for it in File Explorer and found multiple 23 KB files of it outside of System32. I accidentally ran one and it didn't let me run it on my PC.

These were the main directories to the winlogon.exe's outside of System 32: C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~18362.959.1.9\amd64_microsoft-windows-winlogon_31bf3856ad364e35_10.0.18362.693_none_c562f7a666b59776\r

C:\Windows\WinSxS\amd64_microsoft-windows-winlogon_31bf3856ad364e35_10.0.18362.693_none_c562f7a666b59776\r

(these directories were generally the same across some of the winlogon.exe's. difference was that the last letter would instead be f instead of r or any other combinations. Please let me know if you want to know these directories too.)

Please help, I don't want any viruses on my pc.

Thank you.

 

 


Hello    :welcome:

My name is Maurice.  Let me know what name you prefer to go by.

 

The 2 Windows folders / areas you cited are normal & are part of how the Windows system itself keeps track of updates to the operating system.

Please do not mess with those sections.  FYI, Malwarebytes for Windows can identify any harmful keylogger.  One should not speculate on whether this pc has one.

Likewise, it is not a good practice to use anything other than known & reputable security apps to determine 'if' there is any sort of malware.

 

To start helping you, I do need a preliminary report.

I would appreciate  getting some key details from this machine.
 NOTE: The tools and the information obtained are safe and not harmful to your privacy or your computer; please allow the programs to run if blocked by your system.

Do have patience while the report tool runs.  It may take several minutes.  Just let it run & take its time.  You may want to close your other open windows so that there is a clear field of view.
Download Malwarebytes Support Tool
    
  
    Once the file is downloaded, open your Downloads folder/location of the downloaded file
    Double-click mb-support-1.7.0.827.exe  to run the report

Once it starts, you will see a first screen with 2 buttons.  Click the one on the left marked "I don't have an open support ticket".

        You may be prompted by User Account Control (UAC) to allow changes to be made to your computer. Click Yes to consent.
        
    Place a checkmark next to Accept License Agreement and click Next
Now click the left-hand side pane "I do not have an open support ticket"

    You will be presented with a page stating, "Get Started!"
    Do NOT use the button “Start repair” !   But look instead at the far-left options list in black.

    Click the Advanced tab on the left column
    
    Click the Gather Logs button
    
    A progress bar will appear and the program will proceed with getting logs from your computer.  Please do have patience.  It takes several minutes to gather.
   
    Upon completion, a file named mbst-grab-results.zip will be saved to your Desktop. Click OK.  Then Exit the tool.

    Please attach the ZIP file in your next reply.

Sincerely,

Maurice

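The reply above states that copies of winlogon.exe under WinSxS and servicing\LCU are normal. The check a practitioner would run before accepting that is to enumerate every winlogon.exe on the drive, verify its Authenticode signature and compare its hash against the System32 copy. The script below is an added example, not code from the thread or from Malwarebytes; it assumes a stock Windows 10 layout where the canonical binary is $env:SystemRoot\System32\winlogon.exe, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example (not part of the forum thread): verify every winlogon.exe found on
# the system drive against the copy in System32. Run from an elevated PowerShell
# on Windows 10 (PowerShell 5.1). Assumption: the canonical binary lives in
# $env:SystemRoot\System32\winlogon.exe, which is true on a stock install.

$reference = Join-Path $env:SystemRoot 'System32\winlogon.exe'
$refHash   = (Get-FileHash -Algorithm SHA256 -LiteralPath $reference).Hash

# Locations where Microsoft itself keeps copies: System32, the WinSxS component
# store, and the servicing\LCU payload of a cumulative update. Anything else is
# worth a closer look even if it is signed.
$expected = '\\Windows\\(System32|WinSxS|servicing\\LCU)\\'

$report = Get-ChildItem -Path "$env:SystemDrive\" -Filter 'winlogon.exe' -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # OS binaries are usually catalog-signed rather than carrying an embedded
        # signature; Get-AuthenticodeSignature consults the catalogs on Windows 8+.
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash

        $verdict = if ($sig.Status -ne 'Valid') { 'signature not valid: investigate' }
                   elseif ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') { 'non-Microsoft signer: investigate' }
                   elseif ($_.FullName -notmatch $expected) { 'Microsoft-signed but unusual location: investigate' }
                   else { 'expected' }

        [pscustomobject]@{
            Path        = $_.FullName
            SizeKB      = [math]::Round($_.Length / 1KB)
            Version     = $_.VersionInfo.FileVersion
            SigStatus   = $sig.Status
            Signer      = $sig.SignerCertificate.Subject
            SameAsSys32 = ($hash -eq $refHash)
            Verdict     = $verdict
        }
    }

$report | Sort-Object Verdict | Format-Table Path, SizeKB, Version, SigStatus, SameAsSys32, Verdict -AutoSize -Wrap
```

On most systems the WinSxS entry is a hard link to the same file data as the System32 copy, so SameAsSys32 is true for it; an older build kept under servicing\LCU will differ in version and hash but should still show a valid Microsoft signature. A file that fails the signature check, or that sits outside the three expected directories, is the one to hand to a scanner rather than run.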

Thank you, Maurice, for replying to me so quickly. Malwarebytes still has not disappointed me. Please refer to me as 'PVG'. 

I trust you that the files attached in the zip are not harmful to my PC nor my privacy.

I followed as you said, and have a zip file, and have attached it. Please let me know if any of the results are alarming.

Sincerely, PVG.

mbst-grab-results.zip


Hello PVG.    Thank you for the report.

I will have you just start with doing a Windows 10 System File Checker tool scan  as a first check of this system.

Open an elevated command prompt window i.e. run Command Prompt as an administrator .
It is best to use the Windows Copy ( CTRL+ C )  and paste  ( CTRL+V )  for the whole line, as-is
To get the elevated command prompt, press Windows-key + X key and then select Command Prompt (Admin)
On that command prompt,  Copy & Paste this command
 

sfc /scannow

tap Enter-key  and have patience.   What I am after is what it shows at the very bottom after the scan has finished.

Report that to me in your next reply.

[    2      ]    NEXT

The Microsoft Safety Scanner  is a free Microsoft stand-alone virus scanner that  can be used to scan for & remove malware or potentially unwanted software from a system. 
The download links & the how-to-run-the tool are at this link at Microsoft 
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download
  
Let me know the result of this.
The log is named MSERT.log  
the log will be at  %SYSTEMROOT%\debug\msert.log   which in most cases is
C:\Windows\debug\msert.log
Please attach that log with your reply.
 


I have a problem. When I try to load the sfc /scannow command, it gives me this prompt: 

You must be an administrator running a console session in order to use the sfc utility.

As far as I'm aware, the windows account I use for windows is the administrator account on my PC, so I assume the problem is "running a console session." How may I do that?

Thanks.


Thank you, I slept well. I figured out how to run Command Prompt in Administrator mode, so I just did that, and here are the results:

C:\WINDOWS\system32>sfc /scannow

Beginning system scan.  This process will take some time.

Beginning verification phase of system scan.
Verification 100% complete.

Windows Resource Protection found corrupt files and successfully repaired them.
For online repairs, details are included in the CBS log file located at
windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline
repairs, details are included in the log file provided by the /OFFLOGFILE flag.

 

I have also attached the Windows Safety Scanner results (I ran the scan with the "Full Scan" option)

 

msert.log

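The "must be an administrator running a console session" error earlier in the thread, and the "found corrupt files and successfully repaired them" result just posted, both leave a practical question: is this prompt actually elevated, and which files did SFC touch? The script below is an added example, not something posted in the thread; it checks for elevation the way UAC defines it, then pulls the [SR] lines that the System File Checker writes to CBS.log and summarises the repaired and unrepairable entries. It assumes the default log locations under $env:SystemRoot.

```powershell
# Added example (not from the thread): confirm the session is elevated, then
# summarise what "sfc /scannow" actually touched by reading the [SR] entries it
# writes to CBS.log. Run in PowerShell on Windows 10.

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = [Security.Principal.WindowsPrincipal]::new($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsElevated)) {
    # Being a member of Administrators is not enough; sfc needs an elevated
    # (UAC-approved) console, which is what the "console session" error means.
    Write-Warning 'Not elevated. Right-click PowerShell, choose "Run as administrator", and re-run.'
    return
}

$cbs = Join-Path $env:SystemRoot 'Logs\CBS\CBS.log'

# Only the lines tagged [SR] come from the System File Checker; other servicing
# activity shares the same log. Keep the ones that describe a repair or a file
# that could not be repaired.
$sr = Select-String -LiteralPath $cbs -Pattern '\[SR\]' | ForEach-Object Line

$repaired   = $sr | Where-Object { $_ -match 'Repairing corrupted file|Repaired file' }
$unrepaired = $sr | Where-Object { $_ -match 'Cannot repair member file' }

"Total [SR] lines: $($sr.Count)"
"Repaired entries: $($repaired.Count)"
"Unrepairable entries: $($unrepaired.Count)"

# Show the file names, one per line, without the timestamp noise
$repaired   | ForEach-Object { $_ -replace '^.*\[SR\]\s*', '' } | Select-Object -Unique
$unrepaired | ForEach-Object { $_ -replace '^.*\[SR\]\s*', '' } | Select-Object -Unique

# Tail the Microsoft Safety Scanner log if that scan has been run as well
$msert = Join-Path $env:SystemRoot 'debug\msert.log'
if (Test-Path -LiteralPath $msert) { Get-Content -LiteralPath $msert -Tail 20 }
```

CBS.log accumulates across every scan and update, so the counts cover the whole log; to limit them to one run, compare timestamps at the start of the [SR] lines with the time the scan was started. An "Unrepairable entries" count above zero is the case where the usual next step is DISM /Online /Cleanup-Image /RestoreHealth followed by another sfc /scannow.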

Good morning.   Thanks.

This machine used to have Avast antivirus at some time in the past, and then it was uninstalled.   However, that left behind many traces, including many 'scheduled tasks'.

So the next thing we need to have you do is, to get and run the Avast tool to remove traces of it.

[    1    ]

Please get, save, & then run the Avast uninstall tool

https://support.avast.com/en-us/article/Uninstall-Antivirus-Utility/

 

[    2     ]

You should do this at a point where you will not be needing to use the system for any other purpose.

I have a custom script that will do additional cleanups.

The system will be rebooted after the script has run.

.

This custom script is for  PVG  only / for this  machine only.

 
Close and save any open work files before starting this procedure. 

I am sending a    custom Fix script which is going to be used by the FRST  tool. They will both work together as a pair.

Please RIGHT-click the (attached file named) FIXLIST and select SAVE  link AS and save it directly ( as is) to the Downloads folder

The tool named FRSTENGLISH .exe   tool    is already on the Downloads
Start the Windows Explorer and then, to Downloads folder


RIGHT-click on FRSTENGLISH and select Run as Administrator to run the tool. Reply YES when prompted to allow it to run.
If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click the line More info on that screen
and click the button Run anyway on the next screen.

on the FRST window:
Click the Fix button just once, and wait.


 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. This run here should be fairly quick.
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

Fixlist.txt

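The post above attributes the leftover scheduled tasks to an uninstalled Avast. Before running any fix script, a practitioner would want to see those tasks and, more generally, every task whose program no longer exists on disk, which is the usual signature of an incomplete uninstall. The script below is an added example and is not the FRST fix or anything posted in the thread; it assumes the leftovers are ordinary "Start a program" actions (COM-handler actions have no Execute property and are skipped) and that it is run elevated on Windows 10. Removal is left as a commented, per-task command with confirmation.

```powershell
# Added example (not from the thread): find scheduled tasks whose executable no
# longer exists on disk, the typical leftover of an uninstalled product, and any
# task that still references Avast by name or path. Run elevated on Windows 10.
# Assumption: leftovers are plain "Start a program" actions; COM-handler actions
# have no Execute property and are skipped.

function Resolve-ActionPath {
    param([string]$Execute)
    $exe = [Environment]::ExpandEnvironmentVariables($Execute).Trim('"', ' ')
    if ([IO.Path]::IsPathRooted($exe)) { return $exe }
    # Bare names such as "wscript.exe" are resolved through PATH at run time
    $cmd = Get-Command $exe -ErrorAction SilentlyContinue
    if ($cmd) { return $cmd.Source } else { return $exe }
}

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }
        $exe = Resolve-ActionPath $action.Execute
        if (-not $exe) { continue }
        [pscustomobject]@{
            Task      = ($task.TaskPath + $task.TaskName)
            State     = $task.State
            Author    = $task.Author
            Execute   = $exe
            Arguments = $action.Arguments
            Exists    = (Test-Path -LiteralPath $exe)
        }
    }
}

$orphans = $findings | Where-Object { -not $_.Exists }
$avast   = $findings | Where-Object { $_.Task -match 'avast' -or $_.Execute -match 'avast' }

"Tasks whose program is missing: $($orphans.Count)"
$orphans | Format-Table Task, State, Execute, Arguments -AutoSize -Wrap

"Tasks still referencing Avast: $($avast.Count)"
$avast | Format-Table Task, State, Execute, Exists -AutoSize -Wrap

# Removal is deliberate and per task; run the vendor's own cleanup tool first.
# $orphans | ForEach-Object {
#     Unregister-ScheduledTask -TaskPath ($_.Task -replace '[^\\]+$', '') -TaskName ($_.Task -split '\\')[-1] -Confirm
# }
```

A task with a missing program is harmless in itself but is also a classic place for malware to hide in plain sight, because an attacker can drop a binary at the path an orphaned task still points to and have it run on the task's schedule. That is why the orphan list is worth reviewing even when nothing in it mentions Avast.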

Good morning.   Thanks for the log report.   That's a good run.   The Windows System File Checker found no issue.

 

I would suggest a free scan with the ESET Online Scanner
Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.

When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan

Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
Click The blue “Save scan log” to save the log.
If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).
Press Continue when all done.  You should click to off the offer for “periodic scanning”.
 
 


 

Good afternoon.   That is most excellent result from the ESET online scanner.   From this and from what you just reported,  we can wrap up this case.     🙂

You can delete the ESET download-file   esetonlinescanner.exe

Delete msert.exe

Delete   mb-support-1.7.0.827.exe

Delete   mbst-grab-results.zip   on the Desktop

To remove the FRST  tool & its work files, do this.  Go to your  Downloads folder.  Do a RIGHT-click on FRSTENGLISH.exe & select RENAME & then change it to UNINSTALL.exe .
Then run that ( double click on it)  to begin the cleanup process.

.

Backup is your best friend.  Keep backups of your system on a regular basis to offline storage & keep those safe. https://forums.malwarebytes.com/topic/136226-backup-software/

It is not enough to just have a security program installed. Each pc user needs to practice daily safe computer and internet use.

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove ( or change )  your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

 

Stay safe.  I wish you all the best.   😎

Sincerely,

Maurice

 

 


Thank you very, very much, Maurice! I am glad that my computer is safe from these viruses, and I will definitely use your advice and tips in my daily computer usage so that I can stay as safe as possible. I'm glad we had this interaction, you were brilliant.

I don't think I've said it enough, but THANK YOU!!

Sincerely,

PVG.


You are most welcome.    😉

Here are tips on keeping your web browsers safer.   Make time and read all of this.   Apply the tips.

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

 

If this pc has the Google Chrome browser, or the Brave browser, I suggest you install the Malwarebytes Browser guard for Chrome.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

.

For    Mozilla Firefox, to get & install the Malwarebytes Browser Guard  Firefox extension.

Open this link in your Firefox browser:   

https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.

That link is for English US.   There are other language versions.  Just go to the very bottom right of the page and look at the “Change language” drop-down list.

.

The Java version on this machine is out of date  & insecure.   Uninstall   Java 8 Update 231

If and only if there is an application that has to have Java, then get the very latest from Oracle.   See the information here

https://securitygarden.blogspot.com/2020/07/oracle-java-se-jre-security-updates.html

 

I wish you all the best.


Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 


This topic is now closed to further replies.