The other day, some adware/spyware/whatever found its way onto my computer. I’ve tried running Ad-aware and it keeps finding these two objects labeled “WinlogonEXE” (note that the EXE is part of the name and not a file extension here). No matter how many times I scan and delete these files, they keep coming up on startup. It sets my homepage to some spamming search site, and it seems to be slowing down my internet connection in general. I’ve included part of the logfile for the most recent scan below. If anyone is familiar with this malware and can help me get it off my computer for good, I’d greatly appreciate it. I’ll try to provide any more information you request, if needed.
WinlogonEXE Object recognized!
Type : File
Data : help_dcc.dll
Object : C:\WINDOWS\
FileSize : 149 KB
Created on : 02/08/2004 3:32:05 PM
Last accessed : 02/08/2004 5:00:00 AM
Last modified : 02/08/2004 3:32:06 PM
WinlogonEXE Object recognized!
Type : File
Data : help_ecc.dll
Object : C:\WINDOWS\
FileSize : 44 KB
Created on : 02/08/2004 3:32:05 PM
Last accessed : 02/08/2004 5:00:00 AM
Last modified : 02/08/2004 3:59:46 PM
I assume you’ve rebooted the computer and run the scan again, and the problem recurs. The software might have some automatic reinstall function, so it puts itself back after Ad-Aware cleans it. I’d first suggest disconnecting the computer completely from the Internet, then running a scan, then rebooting, then running the scan again, and finally reconnecting.
Get yourself a free copy of Spybot Search & Destroy. Spybot works well as a complement to AdAware; one catches stuff the other misses. Before scanning, don’t forget to have each program check for updates. Then use SpywareBlaster to block over 1000 different flavors of spyware.
You might try killing the processes first through Task Manager. I am assuming Windows XP. This page describes a way to manually get rid of it. You could also run AdAware in Safe Mode and it may be more effective. I don’t think you can delete a running process. You should also consider downloading Spyware Blaster, a nice program that prevents identified malware from initial installation. Get the latest update. It works for future prevention.
I’m running Windows98, actually. And I did try running Ad-aware in safe mode, but that only succeeded in freezing up my poor computer (it’s an old and feeble machine…). I’ll try the Spybot and SpywareBlaster programs. If those don’t work, I might try the method described in RealityChuck’s and Toddly’s posts, though I don’t know anything about editing the registry and am extremely wary of doing it.
Editing the registry isn’t so bad as long as you make it a point to do exactly what they say; no more and no less. In addition, make sure you back up the Registry before making any modifications to it, even if you’re 100% sure that what you’re doing won’t cause you any problems.
Spywareinfo.com has an active and dedicated userbase of spyware killers. Head on over to their forums; chances are good that if it’s a newish mutation of malware that Spybot S&D and/or Ad-Aware doesn’t know how to squash yet, there are multiple threads on how to manually remove it already.
If not, read their FAQs on asking for assistance–generally, it boils down to not posting logfiles in someone else’s threads unasked. They’ll point you at a utility named Hijack This!, which identifies suspicious-looking registry entries and whatnot, and based on the log from that, you’ll almost always get step-by-step instructions on how to safely remove the offending bit of parasite code.