Winlogon.exe and explorer.exe is infected

[jeith]

Hi Essexboy,
I tried running Combofix, as u mentioned it asked for microsoft recovery console to be installed. I click "yes" to download. After downloading the recovery console, a message comes up saying "boot partition cannot be enumerated properly". Then this message comes "Whats next? Click "Yes" to continuing for malware, click "no" to exit".

I did not get the message that "The recovery console was successfully installed". So I did not go ahead with the scan. What do you say is it alright to go scan for Malware without installing the recovery console?

[essexboy]

Yes run Combofix, that has given me a possible thought about the malware - could be a new variant, I'll see what CF has to say first though 

[jeith]

I have attached a log file of the Combofix scan.

Also lately i don't see a threat with explorer.exe. Avast reports that only winlogon.exe is infected.

[essexboy]

Lets see if we have a copy in your system restore that is good 

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

SRPeek::
c:\windows\explorer.exe
c:\windows\system32\winlogon.exe

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.




6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt .

[jeith]

Hi Essexboy,
I did as u said. It did not ask for reboot. Here is the log

[essexboy]

OK neither of those are any good

Do you have access to a windows CD or another XPSP3 computer that we can copy the file from ?

[DavidR]

I have XP Pro SP3 and have zipped the two files using 7zip and uploaded to mediafire, http://www.mediafire.com/?vymuqzpvkjk55rk.

[essexboy]

Thank you David 

@jeith download and extract the files to your c drive i.e. C:\explorer.exe and C:\winlogon.exe

Then run the following CF script

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Fcopy::
C:\explorer.exe|C:\windows\explorer.exe
C:\winlogon.exe|C:\windows\system32\winlogon.exe   

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.




6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt
• A new OTL log.

[DavidR]

Thank you David 
<snip>

You're welcome, hopefully jeith has 7zip, if not it is fairly easy to get hold of. There is no password applied to the Wlogon_explorer.7z file.

[jeith]

Thanks David and Essezboy, I have jus downloaded the zipped files and shall do as Essexboy said and post the logs soon.

[DavidR]

No problem, glad I could help.

It is almost 1am in the UK, so essexboy will be in bed now and back later tomorrow.

[jeith]

I have run the combofix. here is the log of it. and a new OTL.

But avast still says that winlogon.exe is affected.

[DavidR]

I'm not too familiar with the combofix logs.

Did you first create and drag the CFScript.txt into combofix.exe as per essexboy's last post ?

I though that this would first replace the two infected files and then start the combofix scan. Though the log still shows that the two files are still infected.
But the log does say it did run the command switches:
Command switches used :: c:\documents and settings\Jeith!\Desktop\CFScript.txt

It does say that the infected files were deleted, so I can only assume that it did replace them with the good copies or your system wouldn't be working without explorer.exe if it just deleted them.

I also assume that an avast scan is no longer reporting these files as infected ?

If you run combofix again manually I guess it wouldn't report these files as infected any longer ?

[jeith]

@DavidR

Yes I did as said by essexboy. once I dragged teh CFScript.txt to Combofix.exe it said a newer version of CF is available do you want to download it. I clicked yes and then it proceeded with the scan. at the end of the scan the CFScript.txt was no longer seen in my desktop (probably since I dragged it onto CF?).

Also as I said avast says winlogon.exe is infected but nothing about explorer.exe.

[DavidR]

You could try to repeat the exercise, creating the CFScript.txt again but only for the winlogon.exe file and drag and drop it again to initiate the combofix scan and see it it jhas any better success this time round.

Code: [Select]

Fcopy::
C:\winlogon.exe|C:\windows\system32\winlogon.exe
If that doesn't work, there must be something else in the mix and will need essexboy's box of trick again.