Author Topic: Winlogon.exe and explorer.exe is infected  (Read 29122 times)

jeith

  • Guest
Re: Winlogon.exe and explorer.exe is infected
« Reply #15 on: October 23, 2010, 12:37:57 AM »
Hi Essexboy,
I tried running Combofix; as you mentioned, it asked for the Microsoft Recovery Console to be installed. I clicked "yes" to download. After downloading the recovery console, a message came up saying "boot partition cannot be enumerated properly". Then this message came: "Whats next? Click "Yes" to continuing for malware, click "no" to exit".

I did not get the message "The recovery console was successfully installed", so I did not go ahead with the scan. What do you say, is it alright to scan for malware without installing the recovery console?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Winlogon.exe and explorer.exe is infected
« Reply #16 on: October 23, 2010, 12:57:23 PM »
Yes, run Combofix. That has given me a possible thought about the malware - could be a new variant. I'll see what CF has to say first though.


jeith

Re: Winlogon.exe and explorer.exe is infected
« Reply #17 on: October 23, 2010, 02:33:19 PM »
I have attached a log file of the Combofix scan.

Also, lately I don't see a threat with explorer.exe. Avast reports that only winlogon.exe is infected.

Offline essexboy

Re: Winlogon.exe and explorer.exe is infected
« Reply #18 on: October 23, 2010, 02:48:13 PM »
Let's see if we have a copy in your system restore that is good  ;D

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
SRPeek::
c:\windows\explorer.exe
c:\windows\system32\winlogon.exe

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt .

jeith

Re: Winlogon.exe and explorer.exe is infected
« Reply #19 on: October 23, 2010, 10:50:57 PM »
Hi Essexboy,
I did as you said. It did not ask for a reboot. Here is the log.

Offline essexboy

Re: Winlogon.exe and explorer.exe is infected
« Reply #20 on: October 23, 2010, 11:15:40 PM »
OK, neither of those is any good.

Do you have access to a Windows CD or another XP SP3 computer that we can copy the file from?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89249
  • No support PMs thanks
Re: Winlogon.exe and explorer.exe is infected
« Reply #21 on: October 23, 2010, 11:51:19 PM »
I have XP Pro SP3 and have zipped the two files using 7zip and uploaded to mediafire, http://www.mediafire.com/?vymuqzpvkjk55rk.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline essexboy

Re: Winlogon.exe and explorer.exe is infected
« Reply #22 on: October 24, 2010, 12:31:33 PM »
Thank you David  ;D

@jeith download and extract the files to your C drive, i.e. C:\explorer.exe and C:\winlogon.exe

Then run the following CF script

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
Fcopy::
C:\explorer.exe|C:\windows\explorer.exe
C:\winlogon.exe|C:\windows\system32\winlogon.exe

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new OTL log.

Offline DavidR

Re: Winlogon.exe and explorer.exe is infected
« Reply #23 on: October 24, 2010, 04:44:32 PM »
Thank you David  ;D
<snip>

You're welcome, hopefully jeith has 7zip, if not it is fairly easy to get hold of. There is no password applied to the Wlogon_explorer.7z file.

jeith

Re: Winlogon.exe and explorer.exe is infected
« Reply #24 on: October 25, 2010, 01:45:15 AM »
Thanks David and Essexboy, I have just downloaded the zipped files and shall do as Essexboy said and post the logs soon.

Offline DavidR

Re: Winlogon.exe and explorer.exe is infected
« Reply #25 on: October 25, 2010, 01:55:33 AM »
No problem, glad I could help.

It is almost 1am in the UK, so essexboy will be in bed now and back later tomorrow.

jeith

Re: Winlogon.exe and explorer.exe is infected
« Reply #26 on: October 25, 2010, 02:03:01 AM »
I have run Combofix. Here is the log of it, and a new OTL.

But avast still says that winlogon.exe is affected. :(
« Last Edit: October 25, 2010, 02:15:50 AM by jeith »

Offline DavidR

Re: Winlogon.exe and explorer.exe is infected
« Reply #27 on: October 25, 2010, 02:22:38 AM »
I'm not too familiar with the combofix logs.

Did you first create and drag the CFScript.txt into combofix.exe as per essexboy's last post?

I thought that this would first replace the two infected files and then start the combofix scan. Though the log still shows that the two files are still infected.
But the log does say it did run the command switches:
Command switches used :: c:\documents and settings\Jeith!\Desktop\CFScript.txt

It does say that the infected files were deleted, so I can only assume that it did replace them with the good copies or your system wouldn't be working without explorer.exe if it just deleted them.

I also assume that an avast scan is no longer reporting these files as infected?

If you run combofix again manually, I guess it wouldn't report these files as infected any longer?

jeith

Re: Winlogon.exe and explorer.exe is infected
« Reply #28 on: October 25, 2010, 02:36:11 AM »
@DavidR

Yes, I did as said by essexboy. Once I dragged the CFScript.txt to Combofix.exe it said a newer version of CF is available, do you want to download it. I clicked yes and then it proceeded with the scan. At the end of the scan the CFScript.txt was no longer seen on my desktop (probably since I dragged it onto CF?).

Also as I said avast says winlogon.exe is infected but nothing about explorer.exe.


Offline DavidR

Re: Winlogon.exe and explorer.exe is infected
« Reply #29 on: October 25, 2010, 03:28:24 AM »
You could try to repeat the exercise, creating the CFScript.txt again but only for the winlogon.exe file, and drag and drop it again to initiate the combofix scan and see if it has any better success this time round.

Code:
Fcopy::
C:\winlogon.exe|C:\windows\system32\winlogon.exe

If that doesn't work, there must be something else in the mix and it will need essexboy's box of tricks again.
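As an added example (not code from this thread, from ComboFix or from either poster), a Python check for the question the thread keeps circling back to: did the Fcopy:: pairs in the CFScript actually leave the destination byte-identical to the clean copy? It parses the same source|destination line format used in replies #22 and #29, skips other sections such as SRPeek::, and compares SHA-256 digests; the demo() staging directory and its file contents are constructed placeholders, not real system files, and the real paths are an assumption the caller supplies.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def parse_fcopy(script_text):
    """Return (source, destination) pairs from the Fcopy:: section of a
    CFScript. Other 'Name::' sections (e.g. SRPeek::) are skipped; blank
    lines and trailing whitespace, as in the thread's script, are tolerated."""
    pairs, in_fcopy = [], False
    for raw in script_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):  # section header such as Fcopy:: or SRPeek::
            in_fcopy = line.lower() == "fcopy::"
            continue
        if in_fcopy:
            if line.count("|") != 1:
                raise ValueError(f"malformed Fcopy line: {raw!r}")
            src, dst = (p.strip() for p in line.split("|"))
            pairs.append((src, dst))
    return pairs

def verify_fcopy(script_text):
    """Map each destination to True if it is byte-identical to its clean
    source, False if it still differs, None if either file is missing."""
    report = {}
    for src, dst in parse_fcopy(script_text):
        if not (Path(src).is_file() and Path(dst).is_file()):
            report[dst] = None
        else:
            report[dst] = sha256_file(src) == sha256_file(dst)
    return report

def demo():
    """Constructed staging directory standing in for C:\\ (assumption: real
    use points the script at the actual paths). Returns (before, after)."""
    root = Path(tempfile.mkdtemp())
    good, target = root / "winlogon.exe", root / "system32" / "winlogon.exe"
    target.parent.mkdir()
    good.write_bytes(b"MZ clean copy")       # constructed placeholder bytes
    target.write_bytes(b"MZ tampered copy")  # constructed placeholder bytes
    script = f"Fcopy::\n{good}|{target}   \n"
    before = verify_fcopy(script)[str(target)]
    shutil.copyfile(good, target)            # what a successful Fcopy:: does
    after = verify_fcopy(script)[str(target)]
    return before, after
```

A False in the report after ComboFix has run is the signal that the replacement did not take and the file still needs attention, which is what the remaining Avast detection on winlogon.exe suggests here.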