View Full Version : mcafee virus



Roc-a-fella
23-08-06, 21:41
I scanned my computer... it found one virus and it won't let me do anything. I can't clean/delete or even quarantine this stupid thing. How can I get rid of it?


I think this virus is also the reason I can't bring up the Task Manager with Ctrl-Alt-Del :(


It says it's in c:\windows\system32\winlog.exe, but when I go to look for it to try and delete it, all I can find is winlogon, which doesn't look like a virus because when I right-click it, it has Microsoft's signature.

Conduit
23-08-06, 22:33
Google the virus name to find more info about it, and the best way to get rid of it. Read the instructions very carefully.
You'll probably have to boot into Safe Mode (tap F8 when your PC is booting up to get the option to do this) to delete it, possibly from more than one location, and more than likely you'll have to find and delete some registry entries.

What does McAfee say it's called?

LiL T
24-08-06, 00:22
Had something like this before...

To enable the Task Manager:

Click Start, Run and type this command exactly as below (copy and paste):

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

That will sort that part out.

If it doesn't, then try the others here: http://windowsxp.mvps.org/Taskmanager_error.htm

At least you will then be able to kill the virus process and remove it, but as the chap above said, you might want to track it down on the net and find out how to remove it from the registry.



It says it's in c:\windows\system32\winlog.exe, but when I go to look for it to try and delete it, all I can find is winlogon, which doesn't look like a virus because when I right-click it, it has Microsoft's signature.

If you can't see it, make sure you have show system and hidden files enabled in the folder properties. That winlog.exe rings a bell; I think it might have been the same one I had to clean off a friend's computer. I think it's a trojan that makes your computer remotely accessible =/

Sammson
24-08-06, 04:38
Yep, it's from the Bagle trojan family; here's the basic description from Sophos:

"W32/Agobot-LF is a network worm which also allows unauthorised remote access to the computer via IRC channels.

W32/Agobot-LF copies itself to network shares with weak passwords and attempts to spread to computers using the DCOM RPC and the RPC locator vulnerabilities.

These vulnerabilities allow the worm to execute its code on target computers with System level privileges. For further information on these vulnerabilities and for details on how to protect/patch the computer against such attacks please see Microsoft security bulletins MS03-026 and MS03-001. MS03-026 has been superseded by Microsoft security bulletin MS03-039 (http://www.microsoft.com/technet/security/bulletin/MS03-039.asp).

W32/Agobot-LF moves itself to the Windows system folder as winlog.exe and creates the following registry entries to run itself on system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
Windows Login = winlog.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\
Windows Login = winlog.exe

On NT-based versions of Windows the worm creates a new service named "Windows Login" with the startup property set to automatic, so that the service starts automatically each time Windows is started.

W32/Agobot-LF attempts to terminate and disable various anti-virus and security related programs. It also attempts to terminate processes associated with the W32/Blaster family of worms. W32/Agobot-LF collects system information and registration keys of popular games that are installed on the computer"

Looks like you'll need a DOS-based program on disc to clean it thoroughly.
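The two posts above between them name everything that needs checking: LiL T's DisableTaskMgr policy value, and from the Sophos description the winlog.exe file, the two "Windows Login" Run/RunServices values and the "Windows Login" service. The PowerShell script below is an added example (not code from the thread, from Sophos or from McAfee) that reports each of those indicators and, with the -Fix switch, removes them in an order that keeps the worm from restarting itself. The script name, the -Fix switch, matching the service on either Name or DisplayName, and the assumption that you run it from an elevated prompt in Safe Mode with the machine unplugged from the network are mine, not the page's. PowerShell is a separate download on XP; if you do not have it, LiL T's REG add line does the Task Manager part on its own.

```powershell
# check-winlog.ps1 (added example, not from the thread, Sophos or McAfee).
# Reports, and with -Fix removes, only the indicators named in the posts
# above. Run from an elevated PowerShell prompt, preferably in Safe Mode,
# with the machine off the network. Without -Fix it only reports.
param([switch]$Fix)

$sys32   = Join-Path $env:SystemRoot 'System32'
$malware = Join-Path $sys32 'winlog.exe'    # file named in the Sophos text
$genuine = Join-Path $sys32 'winlogon.exe'  # legitimate Windows logon process

# 1. Task Manager lockout (the value LiL T's REG add command resets).
$polKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableTaskMgr -eq 1) {
    Write-Host "DisableTaskMgr = 1 (Task Manager is blocked)"
    if ($Fix) { Remove-ItemProperty -Path $polKey -Name 'DisableTaskMgr' }
}

# 2. winlog.exe vs winlogon.exe: show what is actually on disk for each, with
#    its Authenticode status and the CompanyName from its version resource.
#    Older PowerShell cannot see catalog signatures, so a genuine XP system
#    file may report NotSigned; its version resource still names Microsoft,
#    which is the thing to compare against the worm's file.
foreach ($f in $malware, $genuine) {
    if (-not (Test-Path $f)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $f
    $ver = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($f)
    Write-Host ("{0}: signature={1} company='{2}'" -f $f, $sig.Status, $ver.CompanyName)
}

# 3. Autorun values from the Sophos description.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)
foreach ($k in $runKeys) {
    $v = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($v -and $v.'Windows Login') {
        Write-Host "$k\Windows Login = $($v.'Windows Login')"
        if ($Fix) { Remove-ItemProperty -Path $k -Name 'Windows Login' }
    }
}

# 4. The "Windows Login" service created on NT-based Windows. Sophos does not
#    say whether that is the service name or display name, so match either
#    (assumption). sc.exe is used for deletion because old PowerShell has no
#    Remove-Service cmdlet.
$svc = Get-WmiObject -Class Win32_Service `
           -Filter "Name='Windows Login' OR DisplayName='Windows Login'" |
       Select-Object -First 1
if ($svc) {
    Write-Host "Service '$($svc.Name)' state=$($svc.State) path=$($svc.PathName)"
    if ($Fix) {
        if ($svc.State -eq 'Running') { $null = $svc.StopService() }
        sc.exe delete "$($svc.Name)" | Out-Null
    }
}

# 5. Only now kill the process and delete the file; doing this first just lets
#    the service or Run value start it again at the next boot. -Name winlog
#    matches the process name exactly, so winlogon is not touched.
if ($Fix) {
    Get-Process -Name winlog -ErrorAction SilentlyContinue | Stop-Process -Force
    if (Test-Path $malware) {
        Remove-Item -Path $malware -Force
        Write-Host "Removed $malware"
    }
}
```

Run it once without -Fix and read what it prints before running it again with -Fix; if a genuine winlogon.exe shows a Microsoft CompanyName and a separate winlog.exe does not, that is the file the scanner was complaining about. The script covers only the indicators quoted from Sophos, so rescan with McAfee afterwards, and since the description says the worm spreads over DCOM RPC, apply MS03-039 and MS03-001 before putting the machine back on the network.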

Speedball
24-08-06, 06:16
I think this virus is also the reason I can't bring up the Task Manager with Ctrl-Alt-Del :(


It says it's in c:\windows\system32\winlog.exe, but when I go to look for it to try and delete it, all I can find is winlogon, which doesn't look like a virus because when I right-click it, it has Microsoft's signature.

Got EXACTLY the same problem here.

Mighty Max
24-08-06, 07:28
Just two hints for the future:

- keep your Windows version up to date. The exploited buffer overflow was fixed in 2003!
- run Windows on non-administrator accounts whenever possible

Speedball
24-08-06, 08:15
Just two hints for the future:

- keep your Windows version up to date. The exploited buffer overflow was fixed in 2003!
- run Windows on non-administrator accounts whenever possible

will try this, thanks !

nellus
24-08-06, 10:51
I use AVG antivirus, which is free from grisoft.com; I have found that it catches a lot more viruses than Norton or McAfee. And you can run it alongside them if you're not sure about it.

solid-rock
24-08-06, 12:52
Never had any virus problems since I switched to using Firefox for my browser. Internet Explorer has a nasty habit of letting some files download without notifying you. Of course it also helps that I don't visit warez sites that often anymore.

SuperSeb
24-08-06, 13:48
[ edited ]

Pantho
24-08-06, 17:37
I got a process called Winlogon.exe :p XP lol

solid-rock
24-08-06, 18:51
WinLogon.exe is the process that handles your various user profiles, I believe.

Roc-a-fella
24-08-06, 18:55
How do I restart in Safe Mode with XP :eek:

Mighty Max
24-08-06, 19:08
Hold F8 while booting. A menu will appear, allowing you to enter Safe Mode.

Bishop Yutani
24-08-06, 20:28
What Conduit said.

Boot into Safe Mode, or do what I do and use a live CD like Knoppix or Bart's PE. That way, you can be sure nothing is locked or being hidden.