Author Topic: Winlogon.exe is infected with Win32:Malware-gen  (Read 25128 times)


attcbf

  • Guest
Winlogon.exe is infected with Win32:Malware-gen
« on: January 17, 2011, 11:50:45 PM »
Hello, and happy MLK day.

I am running Windows XP Pro SP 2 (build 2600) (ver 5.1). My anti-virus is avast 5 (newly updated) and Malwarebytes' Anti-Malware. I keep on getting an Avast warning that it is blocking (1) win32:malware-gen[Trj], found in my c:\windows\system32\winlogon.exe; and (2) win32:Patched-UE[Trj], found in c:\windows\explorer.exe. I cannot quarantine, delete or repair these files, either after a boot scan or a normal scan after the computer boots up.

When I run malwarebytes on the files, it does not identify any infections. But when I run avast on the files, it detects the viruses.

I have an external drive with an earlier installation (but same build, etc.) of Win XP SP2. Is there some way to cut and paste these non-infected files over the infected ones on my internal hard drive?

If not, what do I do?

Thank you.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89059
  • No support PMs thanks
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #1 on: January 18, 2011, 12:38:28 AM »
This is not a false detection, and whatever you do, don't try to delete these files or your system will be toast. That is one reason why avast isn't taking any action on these important system files. Even though they are infected, they still function.

These infected files need to be replaced by clean ones, but before that the underlying infection needs to be sorted or any clean replacements will be infected.

I take it that this XP Pro SP2 version isn't the 64-bit version?
If not: having XP SP2 no doubt leaves your system more vulnerable to attack. SP3 has been out for over 18 months and Microsoft stopped issuing security updates for XP SP2 in July last year, so SP3 is an imperative security update (but you can't do this whilst infected).

This normally requires special tools to resolve and specialist help to deal with it, unfortunately essexboy who has the tools and knowledge is likely to be in bed now (11.30p.m. in the UK) and won't be back until tomorrow.

You could try a System Restore to a point in time when this infection wasn't present. This may work; if it does, you are in luck, and if not, you will need specialist help.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

attcbf

  • Guest
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #2 on: January 18, 2011, 02:53:59 AM »
David, thank you for responding.  I am running the 32-bit version of xp sp2.  The system restore was turned off, so that is not an option.  Reading from another post in this forum, it appears that combofix was run and was able to get rid of a similar infection.  Should I download and run that or wait for essexboy to wake up and get online? :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89059
  • No support PMs thanks
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #3 on: January 18, 2011, 03:31:38 AM »
I would say wait, it is the safer option as if there are no clean copies of those two files, I don't know if combofix can do anything.

It isn't a case of his getting up and getting online. He doesn't work for avast, but is a volunteer like the majority of the Evangelists, and he has a day job, so it could be some time before he is online. He took some time off work recently and I don't know how long that might be for, but I think he was back at work today.

So there is always the option to try combofix, but you need copies of the two files on your system. Normally copies can be saved into the root drive, C:\, but your problem is further complicated by having SP2. I have copies of those two files that I have uploaded to mediafire (a file sharing site), but those are for XP Pro SP3 and may not be compatible with your system.

When you're done with this, System Restore, as imperfect as it is, is better than nothing, unless you have something to replace it, like hard disk imaging software; this can make an exact copy of your hard disk, partitions, etc.

attcbf

  • Guest
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #4 on: January 18, 2011, 04:30:07 AM »
Thanks again, David.  I guess I will wait for someone to post who can give further help.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89059
  • No support PMs thanks
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #5 on: January 18, 2011, 04:39:02 AM »
You're welcome.

attcbf

  • Guest
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #6 on: January 18, 2011, 08:20:38 AM »
Although there have been some replies to this topic, I am still in need of assistance.  Thank you.

attcbf

  • Guest
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #7 on: January 18, 2011, 09:01:15 AM »
This is what I have done so far. I ran DDS and Gmer and ComboFix, and as the character limit precludes me from pasting the logs and reports into the post, the DDS reports and the Gmer report are attached. The ComboFix report will be attached to the next post.  When I ran ComboFix, it detected some problems, but it does not appear to have solved them, as I am still getting the avast malware warning re: winlogon.exe, that it is infected with win32:malware-gen, and win32:Patched-UE[Trj] found in c:\windows\explorer.exe.  Both MBAM and SUPERAntiSpyware, which were run after ComboFix, detected nothing.

I also have noticed in the last day or so that my wireless keyboard and trackball (both Logitech devices) now need to be about a foot from the wireless receivers in order to run properly, and I am getting redirected to ad and spam sites from Google.  I do not know if these are all symptoms of the same infections or if there is something more insidious going on, but help is definitely needed.

Thank you.

attcbf

  • Guest
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #8 on: January 18, 2011, 09:03:58 AM »
The ComboFix report is attached.

Any and all help is needed.  This has kept me from using my computer, which I need for work, for the last 4 days.
Thank you.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #9 on: January 18, 2011, 09:06:03 AM »
Essexboy is notified

He is usually in the forum from 8:00pm to 11:59pm UK time.


Essexboy prefers the OTL logs, so you may follow the guide here and attach those also:
http://forum.avast.com/index.php?topic=53253.msg451454#msg451454
« Last Edit: January 18, 2011, 09:13:25 AM by Pondus »

attcbf

  • Guest
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #10 on: January 18, 2011, 09:50:11 AM »
Pondus, thank you very much.

The OTL reports are attached.

attcbf

  • Guest
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #11 on: January 18, 2011, 09:35:41 PM »
Essexboy, if you are there, please review the reports attached to the prior posts and let me know what my next step should be.  Thank you.

argus

  • Guest
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #12 on: January 18, 2011, 09:37:08 PM »
MD5=375F1144332062F5C72F7B94BF4E4192 -- C:\WINDOWS\explorer.exe

http://www.virustotal.com/file-scan/report.html?id=1f865d4736ea9905424d0d465e208dd08e979177922b74785534732817f495da-1294898110

MD5=06E9698963CCDB85FAE513801F7AF6B5 -- C:\WINDOWS\system32\winlogon.exe

http://www.virustotal.com/file-scan/report.html?id=1f865d4736ea9905424d0d465e208dd08e979177922b74785534732817f495da-1294898110

Bamital again

Please wait a moment

« Last Edit: January 18, 2011, 09:43:46 PM by argus »
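The check argus's post implies, as an added example that is not from the thread or from avast: hash the two flagged system files on the suspect install and on the clean external install the original poster mentioned, report which copies differ, and give the MD5 in the upper-case form argus posted for a VirusTotal lookup. The install roots, file list and sample file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# The two system files avast flagged in the thread, relative to the install root.
FILES_TO_CHECK = [
    Path("WINDOWS") / "explorer.exe",
    Path("WINDOWS") / "system32" / "winlogon.exe",
]

def file_hashes(path):
    """Return (MD5, SHA-256) of a file as upper-case hex, reading in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest().upper(), sha256.hexdigest().upper()

def compare_installs(suspect_root, reference_root, files=FILES_TO_CHECK):
    """Hash each file in both installs and report which copies differ. A
    differing hash only shows the suspect copy is not byte-identical to the
    reference (a different hotfix level differs too), so look the value up
    rather than treating it as proof of infection on its own."""
    report = {}
    for rel in files:
        suspect = file_hashes(Path(suspect_root) / rel)
        reference = file_hashes(Path(reference_root) / rel)
        report[rel.as_posix()] = {
            "suspect_md5": suspect[0],
            "reference_md5": reference[0],
            "identical": suspect == reference,
        }
    return report

def build_demo_installs():
    """Constructed sample data standing in for C:\\ and the external drive:
    winlogon.exe identical on both, explorer.exe patched on the suspect side."""
    base = Path(tempfile.mkdtemp())
    suspect, reference = base / "internal", base / "external"
    for root in (suspect, reference):
        for rel in FILES_TO_CHECK:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(b"MZ" + rel.name.encode() * 64)
    patched = bytearray((suspect / FILES_TO_CHECK[0]).read_bytes())
    patched[100:104] = b"\xde\xad\xbe\xef"  # a few bytes overwritten in place
    (suspect / FILES_TO_CHECK[0]).write_bytes(patched)
    return suspect, reference
```

Calling `compare_installs(*build_demo_installs())` on the constructed trees reports explorer.exe as differing and winlogon.exe as identical; on real drives, pass the mount points of the internal and external installs instead.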

attcbf

  • Guest
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #13 on: January 18, 2011, 09:41:32 PM »
Hi Argus,

Is there something I should be doing with the links you posted?

MD5=375F1144332062F5C72F7B94BF4E4192 -- C:\WINDOWS\explorer.exe

http://www.virustotal.com/file-scan/report.html?id=1f865d4736ea9905424d0d465e208dd08e979177922b74785534732817f495da-1294898110

MD5=06E9698963CCDB85FAE513801F7AF6B5 -- C:\WINDOWS\system32\winlogon.exe

http://www.virustotal.com/file-scan/report.html?id=1f865d4736ea9905424d0d465e208dd08e979177922b74785534732817f495da-1294898110



Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #14 on: January 18, 2011, 09:46:38 PM »
Hi, it seems as though ComboFix found a spare copy, but it is reporting a lot of files failing the sig check...  So could you re-run ComboFix please, and allow it to update if it asks, attaching the log on completion.  We may need to do a system file scan. Do you have an XP CD?