InocuLAN and winlogon


I just found the backdoor SubSeven 2.2 server virus.

I'm doing a full scan of the HD. During the first part of the scanning everything runs smoothly.
I'm also running Task Manager to see whether any weird programs are running, but only inocuLAN.exe used CPU time.

Once the scanning reached WINNT\system32 I noticed that
winlogon.exe started to run, using over 90% of the CPU time.

What is the reason for winlogon to start running?

Up to now I found 3 infected files in WINNT\SYSTEM32;
the filenames are LJFF.exe, MBQT.exe and EYMGDKWE.exe.
Inoculan was not able to cure these files, so I moved them to another location. Are these programs part of Windows 2000? Or are they created by the virus?
tituba2 commented:
Go to

They have a tool for SubSeven and more detailed info for you.

IMO when your system goes so screwy, your best bet to reduce problems and downtime is to rebuild. Sorry. You should firm up on good administrative techniques, and after rebuild, do NOT plug into network until you've locked the hatches and performed the upgrades.

Abide by the rule of never using a server for any workstation function, whether surfing the web, downloading, eMail, eChat or whatever.

Once you've let remote users manage your machine, you've lost complete control. They could have done anything, and you cannot recover from such unknown. Start it fresh, completely clean disk, with OS and no additional 'toys'.

> I'm also running Task Manager to see

You are too late.

> Are these programs part of Windows 2000?

This no longer matters. You gave control to a foreigner (outside your building) such that they could have renamed anything to anything.

Giving control to 'friends' is not my implication. There may even be a good reason to run SubSeven. And Inoculan may be wrong; it has been before. But... to KISS it, simplify, I vote for the rebuild.
elfie (Author) commented:
The free DOS tool couldn't clean the files, but found a number of other suspicious files (that Inoculan didn't find). The filenames resembled the files that had the viruses in them.

I just removed the files completely from the system, and now all tools indicate that the system is clean.