Author Topic: win32:patched-rp [trj] @ winlogon.exe  (Read 10396 times)


teenkertoy

  • Guest
win32:patched-rp [trj] @ winlogon.exe
« on: October 04, 2010, 08:33:25 AM »
After searching this forum and others, I'm really confused about this particular infection.  (All of my troubleshooting is being done from my backup bootable drive, which was cloned before the infection, so my operating copy is clean.)

At startup and occasionally after, Avast will block winlogon.exe referencing "win32:patched-rp [trj]".  Avast will detect the infected file every time I scan it, but can't repair or remove it because it's a system file.

Dr.Web will catch it every time I scan, and repairs it, though it gets reinfected upon reboot.

MBAM does not find the infection, even if I right-click on it and scan directly.  The complete scan found 4 registry entries that seem benign, I remember changing those settings at some point.  Log is attached anyhow.

SuperAntiSpyware does not find it if I right-click-scan it.  I have not tried a full and complete scan.

AdAware does not either.  I have not tried a full and complete scan.

I'm also attaching an OTL log, though I'm not sure if the settings I chose are correct.  I can't find the file "scan.txt" that is referenced for a custom scan.

I sent the infected winlogon.exe file to VirusTotal for analysis, and this is the result.

« Last Edit: October 04, 2010, 08:35:00 AM by teenkertoy »

SafeSurf

  • Guest
Re: win32:patched-rp [trj] @ winlogon.exe
« Reply #1 on: October 04, 2010, 08:56:10 AM »
Hello teenkertoy and welcome to the forum.  :)

I am reviewing your logs, so just give me a few more minutes.

SafeSurf

  • Guest
Re: win32:patched-rp [trj] @ winlogon.exe
« Reply #2 on: October 04, 2010, 09:05:10 AM »
You did all the right things, except I probably would have put the items that were detected in MBAM into quarantine instead of ignoring them.

I am not an expert in OTL logs, but you do have a lot of Host files; once the malware is removed, you may consider something like MVPS for managing hosts, in addition to being careful with things you download from Google.

I am going to refer you to one of our Certified Malware Experts, named Essexboy.  He will be contacting you here in this thread to give you further instructions on a daily basis (he is in the UK time zone).  Please do NOT make any changes to your machine since you have posted your logs, or you will need to redo them.

I will be monitoring in the background and will continue to offer support until he arrives.  Please let me know if you have any additional questions.  Thank you.

Edit:  Please do one more Full MBAM scan and quarantine detected items and post your log here.  Thank you.
« Last Edit: October 04, 2010, 09:07:32 AM by SafeSurf »

SafeSurf

  • Guest
Re: win32:patched-rp [trj] @ winlogon.exe
« Reply #3 on: October 04, 2010, 09:12:47 AM »
Did you see my edit about the MBAM Full scan?

I have contacted Essexboy to assist you after you post your next MBAM log.

Do you have any questions?

teenkertoy

  • Guest
Re: win32:patched-rp [trj] @ winlogon.exe
« Reply #4 on: October 04, 2010, 09:15:41 AM »
Thank you very much SafeSurf, I am very happy for your help!

I will not troubleshoot further tonight, and yes I see your edit about the quarantine.  Thanks for the referral, though I'm on West Coast time zone and need to get some sleep.

I look forward to hearing from you guys tomorrow!

-J

SafeSurf

  • Guest
Re: win32:patched-rp [trj] @ winlogon.exe
« Reply #5 on: October 04, 2010, 09:21:30 AM »
OK...Essexboy tends to check in around 6 PM his time.  I think doing your MBAM Full scan may help with your problem.

Edit:  Do not hotsync your Palm with your PC until your malware is removed.  Hopefully you have a backup on your PDA.  If not, NVBackup is free for download, but do not download it if you already have another backup tool on your PDA, as it will conflict.
« Last Edit: October 04, 2010, 09:56:03 AM by SafeSurf »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89217
  • No support PMs thanks
Re: win32:patched-rp [trj] @ winlogon.exe
« Reply #6 on: October 04, 2010, 03:26:37 PM »
Care has to be taken with these win32:patched-rp [trj] detections, as they are essential system files (but patched/infected), and moving them into quarantine or deleting them could have a serious impact on your system; they have to be repaired or replaced with clean copies of the original files (this requires experience and additional tools).

Since the MBAM scan didn't detect the win32:patched-rp [trj] on winlogon.exe, I believe it should be OK to run MBAM again (just a Quick scan) and allow it to quarantine the items it finds if they are the same as in the original log you posted. If this second MBAM scan differs from the first, post the contents before taking any action.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: win32:patched-rp [trj] @ winlogon.exe
« Reply #7 on: October 04, 2010, 09:40:25 PM »
Hi, I have two programmes for you to run.  The first will be an automated attempt at cleaning; if that fails, the second will be a search for a replacement file to do it manually.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

THEN

Run OTL and in the custom scans/fixes box copy/paste the following, ensure all users is selected and then press run scan

/md5start
explorer.exe
winlogon.exe
wininit.exe   
/md5stop

teenkertoy

  • Guest
Re: win32:patched-rp [trj] @ winlogon.exe
« Reply #8 on: October 05, 2010, 12:17:26 AM »
Thank you all for the support, this is fantastic and I love you guys.

> Edit:  Do not hotsync your Palm with your PC until your malware is removed.
Would if I could, but my COM port doesn't work.  This will be another project someday soon.

> Care has to be taken with these win32:patched-rp [trj] detections as they are essential system files (but patched/infected) and moving them into quarantine or deletion could have a serious impact on your system, they have to be repaired or replaced with clean copies of the original files (this requires experience and additional tools).
What about using the non-infected explorer and winlogon files from my backup drive?  It's a clone from very recent.  Could I simply copy them onto my primary drive and call it a day?

> Since the MBAM scan didn't detect the win32:patched-rp [trj] on winlogon.exe, I believe it should be OK to run MBAM again just a Quick scan) and allow it to quarantine the items it finds if they are the same as the original log you posted. If this second MBAM scan differs from the first post the contents before taking any action.
The 4 registry entries are now in quarantine.

During all of my scanning using my backup drive, I quarantined both winlogon.exe and explorer.exe.  I restored winlogon and repaired it with Dr.Web but completely forgot about explorer.exe.  I didn't notice this until trying to boot from the primary drive this morning to see if the problem was fixed.  So now my primary drive boots to a desktop background with no icons, taskbar, etc.  I can do anything I like with the task manager by invoking "iexplore" and running whatever I choose, to type this reply for example.

I tried restoring the explorer.exe file from quarantine, but Avast puts it back into the \windows\dllcache\ folder where it seems to do no good.  A quick search of my backup shows explorer.exe in \windows\.

(I know, I'm going to break the rules here in a moment)

After copying the backup explorer.exe to my primary windows\ directory and running it, desktop is back up and running and everything looks golden.  Avast shows no infections in the system32\ folder.  I'm going to reboot from the primary drive and see what happens.  Crossing fingers...

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89217
  • No support PMs thanks
Re: win32:patched-rp [trj] @ winlogon.exe
« Reply #9 on: October 05, 2010, 12:34:44 AM »
Follow essexboy's instructions as he has the tools and experience to see you through this, simply replacing the files (which isn't as simple as it may sound) without dealing with the cause of the infection, is likely to see them infected too.

teenkertoy

  • Guest
Re: win32:patched-rp [trj] @ winlogon.exe
« Reply #10 on: October 05, 2010, 01:24:28 AM »
> Hi, I have two programmes for you to run.  The first will be an automated attempt at cleaning if that fails the second will be a search for a replacement file to do it manually
>
> When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Followed your instructions.  Just after the initial yes/no disclaimer but before reboot, a warning dialogue box popped up with the title ERROR, no text below it, and a single OK button.  I have no idea what that's about, but I clicked OK and the computer rebooted.

At the prompt, I installed recovery console.  Success, then clicked YES to continue scanning.  Just after this but before Stage 1 was complete, I see this window: "mbr.cxxe has encountered a problem and needs to close".  I took shots of the screen and "more detail screens" with my digital camera if you need to see them.  I click CLOSE and ComboFix seems to carry on without trouble completing 50'ish stages and reboots.  The ComboFix log is also attached.

> THEN
>
> Run OTL and in the custom scans/fixes box copy/paste the following, ensure all users is selected and then press run scan
>
> /md5start
> explorer.exe
> winlogon.exe
> wininit.exe
> /md5stop

Done, log is attached.

I no longer have Avast showing trojan warnings, everything *appears* ok, but I'll let you judge that.

If you see anything that needs attention, I'll be here!  You guys rock.

-J

SafeSurf

  • Guest
Re: win32:patched-rp [trj] @ winlogon.exe
« Reply #11 on: October 05, 2010, 05:11:15 AM »
> Edit:  Do not hotsync your Palm with your PC until your malware is removed.
> Would if I could, but my COM port doesn't work.  This will be another project someday soon.
Did this COM port issue start after your malware issues started with your PC?

Some malware can transfer from your PC to your PDA, so until Essexboy is done removing the malware, I do not want you to hotsync for your own protection.

Do you have a backup on your PDA?  If not, can you get your original PDA CD and install the PDA Desktop to another PC for now (or perhaps you had this backed up on a flash drive) if it is essential to hotsync?  Once we fix your malware problems, your COM port for hotsyncing your PDA should be resolved, or you can try another COM port, but I'm trying to make sure you have a backup on your PDA just in case it decides to crash on you and you need to restore it...I'm well aware of how things like that go.  :P  You can still use your PDA as you normally do; it's just hotsyncing with your PC that is an issue right now until we get your PC back up and running.

In the meantime, follow Essexboy's instructions to repair your PC.  I will still be here should you have any questions.  Thank you.

teenkertoy

  • Guest
Re: win32:patched-rp [trj] @ winlogon.exe
« Reply #12 on: October 05, 2010, 06:23:55 AM »
Have no worries SafeSurf, I have a couple backups of the PDA.  I haven't used it in years and the unit's memory was lost and defaulted back to factory.  So I was going to restore everything from my backup (as I've done many times before over the years).

The first time I tried to sync was three days after the Trojan infection and it didn't work, nor does it now.  The COM port issue may be related to the Trojan, but I'll worry about it another time.

Thanks for your concern!

-J

teenkertoy

  • Guest
Re: win32:patched-rp [trj] @ winlogon.exe
« Reply #13 on: October 05, 2010, 06:26:47 AM »
> In the meantime, follow Essexboy's instructions to repair your PC.  I will still be here should you have any questions.  Thank you.
As far as I can tell, I'm caught up with the instructions.  Many many thanks to you all.  If there are more steps to take, I'm listening : )

-J

SafeSurf

  • Guest
Re: win32:patched-rp [trj] @ winlogon.exe
« Reply #14 on: October 05, 2010, 06:48:20 AM »
I'm usually online when Essexboy is asleep, so we'll have to wait for now unless you have any questions.