Trojan.Pandex!inf and Winlogon.exe

I recently received the dropper Trojan Pandex.  And Symantec NIS 2009, could not resolve the issue only block each attack.  I researched this trojan with Symantec and followed their instructions for removal, which did not resolve the attacks.

this is very late now.

process explorer has a handy little feature that works well with antivirus.

suspend service


I encountered a trojan like that where I could never delete the file because it was tied to winlogon.exe

i suspended all the services the trojan file was tied too

winlogon.exe
rundll.dll
explorer.exe

ran my kaspersky antivirus(file was scheduled to be deleted on reboot)

hard reset the box. no smooth shutdown. press and hold your power button.

on reboot the file was finally purged. For some reason there is a command to reload the trojan dll before the delete on reboot occurs (i think this has to do with the relationship with winlogon). it's a pretty slick design.

the ability to suspend winlogon and do a hard reboot prevents the dll from executing code to save itself from the impending deletion scheduled by the antivirus.

i tried numerous methods from hijack this, vundofix, look2me killers, sysinternal delete on reboot tool, avg, kaspersky, manual deletion, registry deletion, could not rename file, could not move file, unlocker, spysweeper, ad-aware, etc.

it wasn't until i combined process explorer, kaspersky, and unlocker that i was able to knock out the hardest trojan on the system.

unlocker allowed me to see what services locked the trojan file

process explorer allowed me to suspend the locking services stopping the trojan from executing survival code

kaspersky scheduled the file for deletion on reboot

and doing a hard reboot to not allow the suspended services to process anything after the deletion was scheduled.

this made the file deletion the TOP priority upon reboot. no other code gets to butt in line.

Hi, I'm running XP Pro SP 2. My notebook login process incredibly slow. With norman Malware romover, i've found that winlogon.exe and svchost.exe was infected (with camocxp.dll). I've managed to remove the file, but the key under HKLM\Software\Microsoft\WindowsNT\Winlogon\Notify\lxsotocs, which i think responsible for the startup of this dll (camocxp.dll) can't be deleted. Please i need some suggestion, what to do.

hi out there! :-) I'm running XP-PRO,SP2 on a n Athlon 2500+ , and last night my Symantek AV found a Trojan.Pandex!inf  in the system32/Winlogon.exe file, and could neither clean nor quarantine ("access denied".). Could some kind person please lead me thru the chain of DOS commands required to replace the infected system32/Winlogon.exe with a healthy copy from my XP installation CD?

I have made several unsuccessful attempts in the Recovery Console, on the basis of the following (in a Microsoft webpage):

COPY

copy source destination

Use this command to copy a file. In the command syntax, source specifies the file to copy and destination specifies the folder or file name for the new file. You cannot use wildcard characters indicated by an asterisk (*), and you cannot copy a folder. If you copy a compressed file from the Windows CD-ROM, the file is automatically decompressed at the same time it is copied.

The source of the file can be removable media, any folder in the system folders of the current Windows installation, the root of any drive, the local installation sources, or the Cmdcons folder.

If destination is unspecified, the default destination is the current folder. If the file already exists, you are prompted whether you want the copied file to overwrite the existing file. The destination cannot be removable media.

 

cheers---nervsov

 

 

 

Edited by nervsov - 25 April 2007 at 1:51am

Sorry for the multiple posting (newbie).  Please help

I used the KasperskyAnti-virus but got a message that the file could not be disinfected.   Do I neutralize the file? Appreciate any suggestions.