
Topic: Computer locking up in rotation... awakward! (Page 2 of 2)

 
InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 03-19-2006 17:15

Actually, I did use that tool. Yesterday. It didn't find or fix anything.

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

posted 03-19-2006 17:34

Hold on a sec, winlogon.exe, the default one I mean, is the process on which all session-specific processes depend, and my Process Explorer shows it.
If you have a virus which disguises itself as another winlogon, you should use removal tools, but if it turns out it is not a virus,
check it in Process Explorer, in a tree view, to see dependencies (and which sub-process may cause the lock).

(other than that, one of them may be a virus indeed. Process explorer also allows you, on a right click, to find the path to the executable, another way to find which one is doing what,
but the tips you just received from others sound right).

(Edited by _Mauro on 03-19-2006 17:37)

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted 03-20-2006 17:33

I wonder... this feels like a stab in the dark, but it sounds like something is making a login attempt every three minutes or so, so winlogon is being called again. If your prefetch is packed it can slow down program execution (rather than speeding it up, which is what it's meant to do. Go Microsoft!) so that could be why winlogon.exe is suddenly chewing up ~90% of your processor time.


Justice 4 Pat Richard

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

posted 03-20-2006 17:49

Processes don't need to log in: winlogon.exe is for human users.
Processes are started by a given virtual user anyway, be it System, etc. And this doesn't require a logon or password;
these users are provided by the system and cannot be accessed as user accounts from a Windows logon pad.

As far as I can tell, some winlogon subproc, or a virus disguised as winlogon, tries to register itself as a DCOM component and fails.

Rinswind 2th
Maniac (V) Inmate

From: Den Haag: The Royal Residence
Insane since: Jul 2000

posted 03-20-2006 17:55

Maybe it is possible to remove all winlogon.exe variants on your system and reinstall them from the .cab files from your Windows CD. However this will not help when something is calling winlogon. But it might if winlogon.exe is tainted.

.........................................................................
:: Develop yourself, develop your life, develop the world ::
.........................................................................

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

posted 03-20-2006 18:27

It might mess up more if it isn't done correctly: I've considered this option, Rnd2th, and if
the virus has added registry entries, for example, to register itself as a service, or application running from startup,
the casual lag will be removed, but sporadic errors will pop up instead, at startup for instance, or whenever the registry
tries to refer to something that was pointing to the now missing object.

...the best way to safely remove them is to either follow a step-by-step guide from an antivirus vendor,
or use an antivirus.

Btw, what's up on the antivirus front? You didn't mention such software, or an AV scan, Insider?

Alevice
Paranoid (IV) Inmate

From: Mexico
Insane since: Dec 2002

posted 03-20-2006 18:59

Handy tip: In Process Explorer go to Add Column and select Image Path. It shows the directory the process was called from. Winlogon.exe should usually be located at system32. Ideally, you could replace it with another clean copy if you boot in "DOS mode" and change it from there. Make sure not to delete the old one in case something goes wrong.


You might want to consider Avast! as an antivirus.
http://www.avast.com/
__________________________________


Sexy Demoness cel

(Edited by Alevice on 03-20-2006 19:08)

Rinswind 2th
Maniac (V) Inmate

From: Den Haag: The Royal Residence
Insane since: Jul 2000

posted 03-21-2006 02:47

_mauro you are right of course, but I still consider reinstalling winlogon a serious option. But only if it's infected in one way or another. If it is clean, reinstalling winlogon would be pretty useless.

.........................................................................
:: Develop yourself, develop your life, develop the world ::
.........................................................................

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 03-22-2006 22:13

Right clicked it in Process Explorer, says it's coming from system32 =\. I'm afraid to delete it now.

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

posted 03-22-2006 22:17

Screencap the Process Explorer tree view, and post away. At least I will be able to tell you which subprocs depend on this.
After that, I have ways to dig for more info (should be easy: one of the subprocs of winlogon tries to register as DCOM... should be as easy as googling "subproc names" + DCOM).

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 03-23-2006 02:59

No webspace =\.

Alevice
Paranoid (IV) Inmate

From: Mexico
Insane since: Dec 2002

posted 03-23-2006 05:11

imageshack.us

__________________________________
Something else

Sexy Demoness cel

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 03-26-2006 10:17

http://img301.imageshack.us/my.php?image=proctree3cs.jpg

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

posted 03-26-2006 15:42

Well..
A tree has branches in general.

What you gave me is the process list, the bare trunk.
It's what the Task Manager shows normally.

You have to select "View -> Show Process Tree" for me to be able to use new information.
Basically, a tree is... if you used Windows Explorer before, a tree is just that: nodes with branches and leaves.

And pay attention to sorting your list prior to enabling "Show Process Tree", because a sort could alter the tree view and switch it back to a list (Process Explorer bug apparently).

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 03-27-2006 21:58

http://img488.imageshack.us/my.php?image=proctree0ru.jpg

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

posted 03-29-2006 12:00

Ok, much better. command.exe has nothing to do on that list.
On a Win ME or 98, ok, but on a WinXP it shouldn't exist, and you can safely assume it is a virus.

Could typically be this one (the SMTP "I try to send myself by email every 3 minutes" symptom tells a lot):
http://www.liutilities.com/products/wintaskspro/processlibrary/command/

For the rest, all the winlogon subprocs look like valid entries.
Check the auto-updates though, try disabling them too, but I *strongly* think command.exe is the virus.

And to make it clear: on Win2k+, command.exe is known as CMD.exe and never appears as command.exe,
nowhere.

So if you're running a 2k+ version, that's the cause, and that's what you should remove:
either by using an antivirus now, any antivirus, before this thing spams more people
with itself, or by googling "command.exe" or "virus name" and finding a step-by-step guide.

My 2 cents.
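The two checks the thread arrives at by hand in Process Explorer (Alevice's Image Path column for winlogon.exe, and _Mauro's point that a process named command.exe has no business on an NT-family Windows) can be scripted. This is an added example, not code from the thread; it assumes an elevated PowerShell 3+ session, and the expected-path and suspect-name lists are constructed for illustration, not an authoritative allowlist.

```powershell
# Added example: triage the live process list the way the posts above do in
# Process Explorer. Assumes elevated PowerShell 3+; lists below are constructed.
$system32 = Join-Path $env:SystemRoot 'System32'

# Names the thread says must live in System32 (the Image Path check).
$ExpectedDir = @{
    'winlogon.exe' = $system32
    'cmd.exe'      = $system32
}
# On Windows 2000 and later the NT shell is cmd.exe; a running process named
# command.exe is what the thread treats as the tell-tale (see _Mauro's post).
$SuspectNames = @('command.exe')

$procs = Get-CimInstance Win32_Process
$findings = foreach ($p in $procs) {
    $name = $p.Name.ToLower()
    # System/Idle have no ExecutablePath; skip the path check for those.
    $dir  = if ($p.ExecutablePath) { Split-Path $p.ExecutablePath -Parent } else { $null }

    if ($SuspectNames -contains $name) {
        [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Path = $p.ExecutablePath
                           Reason = 'name should not exist on an NT-family Windows' }
    }
    elseif ($ExpectedDir.ContainsKey($name) -and $dir -and
            $dir.TrimEnd('\') -ne $ExpectedDir[$name].TrimEnd('\')) {
        # -ne is case-insensitive in PowerShell, so C:\WINDOWS vs C:\Windows is fine.
        [pscustomobject]@{ PID = $p.ProcessId; Name = $p.Name; Path = $p.ExecutablePath
                           Reason = "running outside $($ExpectedDir[$name])" }
    }
}
"Findings (empty means both checks passed):"
$findings | Format-Table -AutoSize

# The "tree view" _Mauro asks for: direct children of every winlogon.exe.
# Group-Object -AsString keys the table by the ParentProcessId as text.
$byParent = $procs | Group-Object ParentProcessId -AsHashTable -AsString
foreach ($w in ($procs | Where-Object { $_.Name -ieq 'winlogon.exe' })) {
    "winlogon.exe PID $($w.ProcessId) ($($w.ExecutablePath))"
    foreach ($c in @($byParent["$($w.ProcessId)"])) {
        if ($c) { "  +-- $($c.Name) PID $($c.ProcessId) $($c.ExecutablePath)" }
    }
}
```

A process flagged by the path check or listed under winlogon.exe with an unexpected image path is a lead to verify (hash it, check its signature, scan it), not proof of infection on its own.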

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

posted 03-29-2006 14:51

Ah, it could also be this virus: check the symptoms (some specific files in your system folders).
http://www.sophos.fr/virusinfo/analyses/w32rontokbra.html
By any means, install an antivirus now, and run a comprehensive check: I wasn't able to figure out whether one of these virii
registers itself as DCOM, but rontokstuff does use Remote Procedure Calls (so it does use a distributed software
component architecture of some sort).

Please, Avast Antivirus is a pain in the rear to uninstall, but you'll be better off having Avast and a hard time to uninstall it
than nurturing this lil' worm.

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 03-30-2006 05:16

Well, I downloaded avast and scanned for about 80 minutes. It retrieved nothing =\.

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

posted 03-30-2006 15:05

I am sort of giving up.

Sorry, but this relationship is not going anywhere
Nah, seriously, I have the expertise, you have the comp, and there are miles between us.

I am *certain* command.exe is a nasty thing, certain it is a subproc of winlogon.exe, not certain you spotted it right
when you mentioned winlogon.exe (simply cause I didn't see it freeze myself).

With the info provided and the adequate skills, you could look up the symptoms of a virus without the antivirus:
registry entries, files that shouldn't be where they are... all of these could be spotted manually, removed manually.

Avast could just not be aware of it, or the virus could be one which affects known antivirii to limit their capabilities, etc.

It's sad though, I admire your perseverance and we are getting so close... But if you keep depending on my tips,
the physical distance per se will cause lots of stabs in the dark.

----

One thing though: to accelerate the resolution process, you should have mentioned you had no antivirus a while ago,
and filled that gap. There's no shame in going around without an antivirus.

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 03-30-2006 22:10

Well I'm positive that it's command.exe, all I need to do is figure out how to disable the program (turn it off) and then I can go in and manually delete it followed by a few virus scans... I just don't know how to turn it off. I try to kill the process in Process Explorer and it says it can't.

_Mauro
Maniac (V) Inmate

From:
Insane since: Jul 2005

posted 03-30-2006 22:53

Sysinternals have a pskill which can force a process to die. Doesn't work all the time,
works well 9/10 times though.

Rinswind 2th
Maniac (V) Inmate

From: Den Haag: The Royal Residence
Insane since: Jul 2000

posted 03-31-2006 00:18

OR
boot from a Linux live disk or a BartPE CD, start a file manager, kill & delete command.exe

.........................................................................
:: Develop yourself, develop your life, develop the world ::
.........................................................................

docilebob
Maniac (V) Mad Scientist

From: buttcrack of the midwest
Insane since: Oct 2000

posted 03-31-2006 06:56

Skaarjj :

Entirely off-topic again... I tried running sfc.exe from the command prompt and it told me that they (scannow, scanonce, etc.) were invalid commands.
I don't get it.

InSiDeR
Maniac (V) Inmate

From: Elizabethtown, KY
Insane since: Sep 2001

posted 03-31-2006 07:49

quote:
boot from a linux live disk or a bartPE cd start file manager kill & delete command.exe

I do have a copy of knoppix laying around here somewhere...

Oh well. I'm gonna try googling for some more answers. If I come up short I'll just have to reformat =\.

hyperbole
Paranoid (IV) Inmate

From: Madison, Indiana, USA
Insane since: Aug 2000

posted 03-31-2006 17:54

docilebob:

Did you put a slant-sign (/) in front of the commands?

At the command prompt you should type something like
> sfc /scannow

.



-- not necessarily stoned... just beautiful.

docilebob
Maniac (V) Mad Scientist

From: buttcrack of the midwest
Insane since: Oct 2000

posted 04-01-2006 19:39

Yup.

hyperbole
Paranoid (IV) Inmate

From: Madison, Indiana, USA
Insane since: Aug 2000

posted 04-01-2006 20:48

It works fine on my machine.

What is the exact error message you're getting?

.



-- not necessarily stoned... just beautiful.

docilebob
Maniac (V) Mad Scientist

From: buttcrack of the midwest
Insane since: Oct 2000

posted 04-11-2006 01:14

Sorry it took so long to answer.

Now it tries to run (must have had a syntax error), but right after it starts, it asks for my Service Pack 2 CD. Never had one. And it won't continue without it.

hyperbole
Paranoid (IV) Inmate

From: Madison, Indiana, USA
Insane since: Aug 2000

posted 04-11-2006 17:07

I think that means it wants to update some files. Try putting the Windows install CD in the drive and see if it will run with that. I'm just guessing here because I'm running tests on w2k and it asks for the install CD.

If you try it with the install CD and that doesn't work, try downloading the SP2 ISO file from Microsoft, burn it to a CD and run sfc again. When it asks for the SP2 CD, give it the one you downloaded.

Note: When you burn the ISO file to a CD, you need to make sure your burning software writes it as a disc image, not as a file.

.



-- not necessarily stoned... just beautiful.

docilebob
Maniac (V) Mad Scientist

From: buttcrack of the midwest
Insane since: Oct 2000

posted 04-12-2006 01:58

I tried the install CD and all recovery and factory software CDs just in case. I'll try the download and burn thing.

Thanks.

docilebob
Maniac (V) Mad Scientist

From: buttcrack of the midwest
Insane since: Oct 2000

posted 04-15-2006 21:26

Ok, just for closure's sake, I was still having trouble with sfc running, so I ran the Repair program from the install CD. SFC now runs flawlessly, and when I tell it to.
All is well in Wonderland.
