Author Topic: Winlogon.exe is infected with Win32:Malware-gen  (Read 25067 times)


attcbf

  • Guest
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #15 on: January 18, 2011, 09:49:25 PM »
Yes, I do have the XP Pro SP2 CD.  I will re-run combofix and post the log.

attcbf

  • Guest
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #16 on: January 18, 2011, 10:05:54 PM »
Attached is the new combofix log.

attcbf

  • Guest
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #17 on: January 18, 2011, 10:24:17 PM »
After the computer rebooted and while combofix was generating its log, the avast malware warning re: winlogon.exe came up again, and all of the icons on my desktop and the start menu disappeared.  The start menu buttons on my keyboard also do not work.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #18 on: January 18, 2011, 10:43:48 PM »
Could you reboot to see if they are restored?  I have uploaded fresh copies of the files (winlogon and explorer) to my site.  http://cid-32d8666f4048075b.office.live.com/self.aspx/Malware%20files/winlogon.exe  Download and save to your c:\windows\system32\dllcache folder.  Then re-run combofix.  If they fail it may mean you have a newer variant.

So I will need to approach it differently.

attcbf

  • Guest
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #19 on: January 18, 2011, 11:04:44 PM »
Rebooting did bring the desktop icons & start menu back.  However, I do not have a dllcache folder in my c:\windows\system32 directory.

attcbf

  • Guest
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #20 on: January 18, 2011, 11:09:27 PM »
I have almost 1400 individual dll files in the system32 directory.  Should I copy the files from your website just into that?

Offline essexboy

Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #21 on: January 18, 2011, 11:12:32 PM »
Oops, I forgot dllcache is hidden.

  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading, select Show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

and you should then see the dllcache folder to copy them to

argus

  • Guest
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #22 on: January 18, 2011, 11:13:26 PM »
If you try to copy files into dllcache you will infect those files 100%.

attcbf

  • Guest
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #23 on: January 18, 2011, 11:24:51 PM »
OK, in that case what should I do?

Offline essexboy

Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #24 on: January 18, 2011, 11:26:14 PM »
If you try to copy files into dllcache you will infect those files 100%.
If you feel you know better please continue

attcbf

  • Guest
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #25 on: January 19, 2011, 12:06:07 AM »
When I copied winlogon.exe into the dllcache folder, an avast malware blocked warning popped up which stated:
Malware Blocked
object: c:\windows\system32\dllcache\winlogon.exe
infection: win32:malware-gen
action: moved to chest
process: \??\windows\system32\winlogon.exe
The threat was detected and blocked when the file was created or modified.

When I copied explorer.exe into the dllcache folder, 2 avast warning pop-ups occurred.

The first stated:
Malware Blocked
object: c\windows\explorer.exe
infection:
action:
process: c:\windows\system32\dwwin.exe

The 2nd pop-up noted:

Trojan Blocked
object: c:\windows\system32\dllcache\explorer.exe
infection: win32:patched-ue[trj]
action: moved to chest
process: \??\windows\system32\winlogon.exe

Also, while I am typing this, a dialog box on my desktop is open which reads: "Windows Explorer has encountered a problem and needs to close.  We are sorry for the inconvenience."  I have not yet clicked on the close button for fear of what that may do.

Should I continue with running combofix?  Or do the avast warnings mean that combofix will not be able to access the new files I downloaded when it attempts to fix the problem?

This is all very confusing and very frustrating.  Thank all of you for your assistance.

argus

  • Guest
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #26 on: January 19, 2011, 02:01:35 PM »
Do this as follows:

 Download the zip file from this link and extract it to C:\.  Password: AMF  http://www.speedyshare.com/files/26353243/XP2.rar

C:\explorer.exe
C:\winlogon.exe

 Restart the computer and press the F8 button.

 A menu appears in which you should choose Microsoft Windows XP.

 Then a menu will appear where you should choose Microsoft Windows Recovery Console.

 The Recovery Console will start and you will be asked which installation you want to log on to. Type in 1 and confirm with Enter.

 Similarly, you may be asked for a password - type it in, or just press Enter if you do not have one.

 The following will appear on the display:

C:\Windows>_

 Next, type (confirm each command line with Enter):

 cd ..

 copy explorer.exe c:\windows\explorer.exe

 A query will appear: type in y

 copy winlogon.exe c:\windows\system32\winlogon.exe

 A query will appear: type in y

 Type in:

 exit

 to restart the PC.

 All of this will look like the picture (the yellow boxes show what you type):







 Thereafter run Combofix.
 Then post the resultant log.

Write all of this down on paper so you know what to type.
« Last Edit: January 19, 2011, 03:09:31 PM by argus »

attcbf

  • Guest
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #27 on: January 25, 2011, 11:09:43 PM »
Help. ???  The new combofix log is too large to cut and paste and too large to attach.  Not sure how to get it to you to review.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #28 on: January 26, 2011, 12:05:49 AM »
You can use a file sharing site such as Mediafire.com - Upload to http://www.mediafire.com/ and post the sharing link.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

attcbf

  • Guest
Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #29 on: January 26, 2011, 03:23:57 AM »