explorer.exe and wininit.exe infected by Win32:Patched-RP[trj]

[kricxjo]

Hello,

Yesturday at 2:00am my Avast!Free Ed. 5 found some malicious softwer. I haven't got log but it looked like that:

C:\Windows\explorer.exe   Threat: Win32:Patched-RP [Trj]
C:\Windows\System32\wininit.exe    Threat: Win32:Patched-RP [Trj]
C:\Windows\explorer.exe   Threat: Win32:Patched-RP [Trj]  (sic! this is not my mistake)

I use avast! from quite a long time and I update it and virus databases regularly. My system is MS Win Vista Home Premium OEM with ServicePack 1 [Version:6.0.6001] 32-Bit(x86).
 
If I click Repair, I get Error: Access is denied (5)
If I click Move to Chest or delete I get Error: The specified file is read only (6009)

In the morning at 6:00am I tried to start my computer, but after log on I couldn't do anything (there is logon screen without any icons, without mouse currsor, not responding on any key stroke ...etc)
I tried to log on to safe mode with console and it is possible, but I can't install anything from removable midias in that mode.
I prepared Dr.Web CureIt LiveCD and now it is scanning...
I tried to use sfc /scanfile to replace explorer.exe and wininit.exe but it failed. I tried to use WinPE environment to extract from SP1 installer a new, clear copy of these files but I'm not sure if they are not different from my original ones.

I've read post: "Explorer.exe infected with Win32:Patched-RP, among others", but in my Avast! log there was no [rtk]. Is that mean I don't have any rootkit or I need simply more scans to prove it.

I am very interested in any help or comment.

[DavidR]

It means that this is more a complex problem and needs a specialist tool TDSSkiller and a specialist in malware removal as this one really is hassle.

Those files are essential system files and if removed could cause lots of damage, as even infected they still perform the function plus more. So not only does the rootkit hiding/protecting them need to be dealt with and the infected files replaced which you have been trying to do.

~~~~
-  Also see Using TDSS Killer - http://www.bleepingcomputer.com/virus-removal/remove-tdss-tdl3-alureon-rootkit-using-tdsskiller

####
Try searching for explorer.exe in the viruses and worms forum as there have been a couple of recent occurrences of this and it requires other tools and a specialist in malware removal.

[kricxjo]

I already downloaded TDSSKiller, but how can I use it without having access from outer source (I cannot copy or run anything from USB-Drive, SDCard etc., because I don't have drivers for them in Save Mode Command Line). Does it have a version for GNU/Linux or so? Could I for example use UBUNTU-Live CD to run TDSSKiller?

[DavidR]

I don't believe you could run it from a live linux cd as it is a windows application, unfortunately this is something for a specialist (which isn't myself)

I don't know if SAS might work as it has a portable version and it has improved the TDSS/TLD3 detections.

Portable version of SAS, http://www.superantispyware.com/portablescanner.html, no installation required. Though I don't know if given what you have said it will be allowed to run either.

Did you get any joy out of the Dr.Web CureIt LiveCD scan ?

Since Kaspersky make the tdss killer I don't know if they have a LiveCD, http://www.google.com/search?q=Kaspersky+recovery+disk. Also see http://www.techmixer.com/free-bootable-antivirus-rescue-cds-download-list/.

[kricxjo]

O.K.

I ran DrWeb CureIt and found nothing
I ran KAV Rescue Disc and found 7 trojans, but it was old virus def db (log attached to this post - unfortunatelly in polish)
I haven't got configured internet connection but it's OK by now.
I downloaded new virus definitions and started KAV once again
I downloaded (on other windows-based computer) all Live CD from your previous post, it is;
KAV, BitDefender, F-Secure, Avira, Trinity, AVG, SARDU plus some others: McAfee, SAS Portable
and burnt them on CDs/DVDs.
But most of this stuff (except maybe SAS) is simple AntiViruses without anti-rootkit and anti-malwere options.
I live in a dormitory where WiFi is strictly restricted. (hidden SSID, MAC Filtered, WPA2 etc...)
I'm not much familiar with GNU/Linux, but if Live CD is based on full LINUX distribution (like KAV, BitDef)
 it's no problem to change MAC address and configure WiFi-card otherwise I don't have possibility to update definitions.
I found ubcd4win as a good alternative, but VISTA, I have, was provided as OEM without any installation files.
It has preinstalled Windows PE environment on hard drive, accessible from BIOS, instead.

I think I can download TDSSKiller using KAV Rescue Disc and copy it to some place on a system-disc (C: in my case, NTFS)
 and then rename it to random name; change extention to .com and boot a) WinPE or b) Safe-mode with command line.
It should run wihout installation. Am I right?
My question is: Does it have any chance of success? And which option is better? (In my opinion "a" is safer, isn't it?)
I can also try the same trick with SAS Free and MBAM. Save logs and post them here.
And after that try to use sfc /scanonce ... ?

I appologise for log file it is UTF8 ANSI file written in polish

[DavidR]

Unfortunately my use and knowledge of Linux liveCDs is almost zero, I toyed with them many years ago and quickly gave up on it.

If you manage to get tdss killer downloaded renaming it may get past whatever would be trying to kill/block it, if it is a simple file name blocker.

If you are familiar with WinPE that would be safer as you aren't working in the installed OS, some malware is capable of running even in safe mode.

The two programs that appear to have been picked up HyperChem 6 and Rainbow Technologies/Client Activator appear to be using the same file name activator.exe so I don't know where you got these programs for them to be using this common file name or if it is really infected with Win32.Mudrop.jnd.

You could if you manage to get the opportunity upload one of them to virustotal and see if other AVs detect it.

Sorry I haven't been a great deal of help in this one I not a specialist malware remover.

[essexboy]

Hi could you let me know the status of your computer at the moment.

Can you access normal mode ?
Can you control - alt - delete and access task manager ?
Can you access safe mode with networking ?
Can USB drives be read in safe mode ?
Do you have access to another system to create a windows live CD ?

[DavidR]

Thanks for joining, the OP has previously use another PC to download other tools, so should be available.

I downloaded (on other windows-based computer) all Live CD from your previous post, it is;
KAV, BitDefender, F-Secure, Avira, Trinity, AVG, SARDU plus some others: McAfee, SAS Portable
and burnt them on CDs/DVDs.

[kricxjo]

I've already erased those two files, but I've checked
explorer.exe and wininit.exe with VT.com
Here are results.
I wasn't able to reach this forum for a while
and was wondering if it has been blocked or so,
but I think it's not very probable to affect my FF browser
by rootkit if it is run from Live CD, am I right?

[kricxjo]

Hello Essexboy

I can't access to normal mode
I can't access to TskMgr
I can't access to safe mode otherwise then with Command Line
USB drives can't be read in safe mode ?
I have another machine with WinXP HE SP2 and network

[kricxjo]

I am really sorry but I have to leave just in a moment to work.

 Would you be so kind and help me later?

thank you in advance.

[essexboy]

OK then lets use a windows live cd and trusty old OTL  
Time is not a problem

Please print these instruction out so that you know what you are doing

File details OTLPENet.exe
Bytes=126,850,486
MB=120.9
MD5=8A7C5BA1C92552ADDCC5E468D0AA069A

• Download OTLPENet.exe to your desktop
  
• Ensure that you have a blank CD in the drive
• Double click OTLPENet.exe and this will then open imgburn  to burn the file to CD
  
  
• Reboot your system using the boot CD you just created.

Note : If you do not know how to set your computer to boot from CD follow the steps here

• As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads    
• Your system should now display a Reatogo desktop.

Note : as you are running from CD it is not exactly speedy

• Double-click on the OTLPE icon.
  
• Select the Windows folder of the infected drive if it asks for a location
• When asked "Do you wish to load the remote registry", select Yes
  
• When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  
• Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  
• OTL should now start.
• Drag and drop this attached scan.txt into the Custom scans and fixes box
  
• Press Run Scan to start the scan.
  
• When finished, the file will be saved  in drive C:\OTL.txt
  
• Copy this file to your USB drive if you do not have internet connection on this system.
• Right click the file and select send to : select the USB drive.  
• Confirm that it has copied to the USB drive by selecting it
• You can backup any files that you wish from this OS
• Please post the contents of the C:\OTL.txt file in your reply.
  

[DavidR]

I've already erased those two files, but I've checked
explorer.exe and wininit.exe with VT.com

That is why I was trying to avoid you doing as it could seriously harm your system as your Reply #9 indicates. Explorer.exe has links to most functions.

Those files are essential system files and if removed could cause lots of damage, as even infected they still perform the function plus more. So not only does the rootkit hiding/protecting them need to be dealt with and the infected files replaced which you have been trying to do.

Here are results.
I wasn't able to reach this forum for a while
and was wondering if it has been blocked or so,
but I think it's not very probable to affect my FF browser
by rootkit if it is run from Live CD, am I right?

The forum was unavailable for a short time, I found that too and my ping tests all timed out, that is how I check if it is a forum server problem of something on my side.

[kricxjo]

DavidR, I didn't mean that explorer.exe and wininit.exe have been erased, but activator.exe, which I believe you asked me to scan with Virus Total. My reply was a little bit confusing and may misled you. Unfortunatelly my English is not good enough.

[DavidR]

Your English is very good, my Polish is non-existent.

If you are able to please continue with essexboy's instructions when you have time.