Author Topic: Winlogon.exe is infected with Win32:Malware-gen  (Read 25113 times)


Offline DavidR

Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #30 on: January 26, 2011, 03:40:23 AM »
OK, done. The link is http://www.mediafire.com/?udibjqxk3z8nd1t

You will have to wait for argus to get back, I guess he will be in bed now.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

argus

Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #31 on: January 26, 2011, 08:21:29 AM »

Open notepad and copy/paste the text present inside the code box below:

Code:
SkipFix::

Snapshot::

Save this as CFScript.



Close all browser windows and, referring to the picture above, drag CFScript.txt into Combofix.exe. ComboFix will re-run.


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run. When finished, it will produce a log for you.
Copy/paste the contents of the log in your next reply. (typical location: C:\ComboFix.txt )


-----------------

I think that your computer is clean now.
How is your computer running now?

attcbf

Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #32 on: January 26, 2011, 09:12:27 AM »
The combofix log is attached.  It was over the message board maximum.


argus

Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #33 on: January 26, 2011, 10:17:03 AM »
How is your computer running now?

attcbf

Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #34 on: January 26, 2011, 10:30:59 AM »
Well, I just ran an avast scan and it stated that it found 5 infected files, which it successfully moved to the chest.  The avast report is attached.
Please look at it and maybe you can tell me if there is still more that needs to be done.  Thanks.

argus

Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #35 on: January 26, 2011, 10:41:44 AM »
You had the Panda Security 2008?
It is necessary to run this uninstaller
http://www.pandasecurity.com/resources/sop/UNINSTALLER_09.exe

It is necessary to uninstall Combofix


Start >> Run

Combofix /Uninstall

Enter

Then do the following

Open Notepad and Copy/Paste everything from the Code box into Notepad:

Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="\"C:\\Program Files\\Alwil Software\\Avast5\\avastUI.exe\" /nogui"



    * Go to File > Save As
    * Save File name as nogui.reg
    * Change Save as Type to All Files and save the file to your Desktop
    * double-click nogui.reg on your Desktop
    * When it asks if you want to merge the info to the registry, hit YES/OK
      Reboot computer

--------------------

I recommend that you install this program: MCShield.
It will prevent infection of your computer via USB flash drive, mobile phone or any memory card.
And not only will it prevent infection, but it will immediately clean a memory card or external HDD.

« Last Edit: January 26, 2011, 10:58:00 AM by argus »
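The nogui.reg file in the post above writes a single REG_SZ value under HKEY_LOCAL_MACHINE\...\CurrentVersion\Run, which Windows runs at every user logon, so merging it makes avastUI.exe start with the /nogui switch for all users of the machine. The following is an added example, not code from this thread or from Avast, that parses a Registry Editor 5.00 file and lists what merging it would write, flagging string values under the Run/RunOnce keys and the Winlogon Shell/Userinit values (a list of autostart locations I assume here, not one the thread gives). The parser, the `RegKey` type and the `autostart_commands` helper are my own; the file text is the one posted above.

```python
"""Parse a Windows Registry Editor 5.00 (.reg) file and list what merging it
would write, flagging values in common autostart locations."""
import re
from dataclasses import dataclass, field

# The file posted in this thread.
REG_FILE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast5"="\"C:\\Program Files\\Alwil Software\\Avast5\\avastUI.exe\" /nogui"
'''

HEX_TYPES = {"hex": "REG_BINARY", "hex(2)": "REG_EXPAND_SZ",
             "hex(7)": "REG_MULTI_SZ", "hex(b)": "REG_QWORD"}
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
# Keys whose string values Windows runs at logon (assumed list, not from the thread).
RUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce",
            "\\currentversion\\runservices", "\\currentversion\\runservicesonce")
WINLOGON_VALUES = {"shell", "userinit", "taskman"}


@dataclass
class RegKey:
    path: str
    delete: bool = False                          # "[-HKEY_...]" removes the key
    values: dict = field(default_factory=dict)    # name -> (type, data)


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def _logical_lines(text):
    # hex data may continue on the next line after a trailing backslash
    buf = ""
    for raw in text.splitlines():
        s = raw.strip()
        if s.endswith("\\"):
            buf += s[:-1].strip()
            continue
        yield buf + s
        buf = ""


def parse_reg(text):
    """Return the list of RegKey entries the file would create, change or delete."""
    lines = list(_logical_lines(text))
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a Registry Editor 5.00 file")
    keys, current = [], None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            body = line[1:-1]
            current = RegKey(body.lstrip("-"), delete=body.startswith("-"))
            keys.append(current)
            continue
        m = VALUE_LINE.match(line)
        if current is None or not m:
            raise ValueError("unparseable line: " + line)
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data == "-":
            current.values[name] = ("DELETE", None)
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            current.values[name] = ("REG_SZ", _unescape(data[1:-1]))
        elif data.startswith("dword:"):
            current.values[name] = ("REG_DWORD", int(data[6:], 16))
        elif data.startswith("hex"):
            kind, _, payload = data.partition(":")
            kind = HEX_TYPES.get(kind, kind)
            raw = bytes.fromhex(payload.replace(",", ""))
            if kind == "REG_EXPAND_SZ":            # UTF-16LE text, NUL terminated
                raw = raw.decode("utf-16-le").rstrip("\x00")
            current.values[name] = (kind, raw)
        else:
            raise ValueError("unknown data format: " + data)
    return keys


def autostart_commands(keys):
    """Return (key, value name, command) for each string value a logon would execute."""
    found = []
    for k in keys:
        if k.delete:
            continue
        low = k.path.lower()
        in_run = any(low.endswith(tag) for tag in RUN_KEYS)
        in_winlogon = low.endswith("\\windows nt\\currentversion\\winlogon")
        for name, (kind, data) in k.values.items():
            if kind not in ("REG_SZ", "REG_EXPAND_SZ"):
                continue
            if in_run or (in_winlogon and name.lower() in WINLOGON_VALUES):
                found.append((k.path, name, data))
    return found


if __name__ == "__main__":
    for key, name, cmd in autostart_commands(parse_reg(REG_FILE)):
        print(f"autostart: [{key}] {name} = {cmd}")
```

Run it against any .reg file you are asked to merge: the autostart list shows exactly which commands will be launched at logon, which is the question to settle before clicking "Yes" in the Registry Editor prompt.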

attcbf

Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #36 on: January 26, 2011, 11:21:47 AM »
I uninstalled panda and combofix.  When I clicked on the nogui.reg file, a dialog box entitled registry editor opened which asked "Are you sure you want to add the information in C:\Documents and Settings\Desktop\nogui.reg to the registry?  After clicking on the "Yes" button, a new dialog box appeared, which had a white X in red circle and stated "Cannot import C:\Documents and Settings\Desktop\nogui.reg: Not all data was successfully written to the registry.  Some keys are open by the system or other processes."

What do I need to do?  Also, what does this file I am attempting to add to the registry do?

Thank you.

argus

Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #37 on: January 26, 2011, 11:25:53 AM »
OK no problem

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

attcbf

Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #38 on: January 26, 2011, 11:34:43 AM »
Malwarebytes did not find anything.  However, I am not sure how much I trust this program, as it was continually coming up with nothing even when avast, combofix and other programs were telling me that I still had infected files.  The report is below.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5608

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

1/26/2011 2:31:54 AM
mbam-log-2011-01-26 (02-31-54).txt

Scan type: Quick scan
Objects scanned: 135268
Time elapsed: 2 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

argus

Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #39 on: January 26, 2011, 04:29:38 PM »
Malwarebytes is a great program. However, it can not do everything.
This is a severe infection that you have, and some specialized tools must be used.
In my opinion, your computer is clean, rest assured.

Greetings

attcbf

Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #40 on: January 31, 2011, 06:55:45 AM »
Below are the results of an avast boot scan I ran this morning. It is still finding infected files, but all but one was moved to the chest. Please take a look and tell me what you think. Thank you.

01/30/2011 01:16
Scan of all local drives

File C:\Documents and Settings\Craig\Application Data\Sun\Java\Deployment\cache\6.0\32\421e8ea0-2ef51a24|>utilits\common.class is infected by Java:Jade-AB [Heur], Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Moved to chest
File G:\Documents and Settings\craig\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-51fad18-5ea89263.zip|>vmain.class is infected by Java:Gimsh-A [Expl], Moved to chest
File G:\Documents and Settings\craig\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-1f56cb12|>vmain.class is infected by Java:Gimsh-A [Expl], Moved to chest
File H:\Craig\Application Data\Sun\Java\Deployment\cache\6.0\32\421e8ea0-2ef51a24|>utilits\common.class is infected by Java:Jade-AB [Heur], Moved to chest
File H:\MSOCache(2)\All Users(2)\{90120000-0030-0000-0000-0000000FF1CE}-C(2)\EnterWW.cab|>DD00705_.WMF Error 42127 {CAB archive is corrupted.}
File L:\fontsfree.exe|>[Embedded_R#001280]|>%temp%\VVSNInst.exe|>VVSN.exe is infected by Win32:Adware-gen [Adw], Moved to chest
File L:\fontsfree.exe|>[Embedded_R#001280]|>%TEMP%\freeze_388.exe|>[Embedded_I#06060]|>[Embedded_R#1baa8] is infected by Win32:Adware-gen [Adw], Moved to chest
File L:\fontsfree.exe|>[Embedded_R#001280]|>%TEMP%\freeze_388.exe|>[Embedded_I#06060] is infected by Win32:Newdotnet-B [Trj], Moved to chest
File L:\fontsfree.exe|>[Embedded_R#001280]|>%TEMP%\freeze_388.exe is infected by Win32:Newdotnet-B [Trj], Moved to chest
File L:\fontsfree.exe|>[Embedded_R#001280]|>%TEMP%\whCC-FREEZE4.exe|>WhAgent.exe is infected by Win32:Spyware-gen [Spy], Moved to chest
File L:\fontsfree.exe|>[Embedded_R#001280]|>%TEMP%\whCC-FREEZE4.exe|>whInstaller.exe is infected by Win32:Spyware-gen [Spy], Moved to chest
File L:\fontsfree.exe|>[Embedded_R#001280]|>%TEMP%\whCC-FREEZE4.exe|>WhSurvey.exe is infected by Win32:Dialer-AGN [Trj], Moved to chest
File L:\fontsfree.exe|>[Embedded_R#001280]|>%TEMP%\whCC-FREEZE4.exe|>Webhdll.dll is infected by Win32:Adware-gen [Adw], Moved to chest
File L:\fontsfree.exe|>[Embedded_R#001280]|>%TEMP%\whCC-FREEZE4.exe|>whiehlpr.dll is infected by Win32:Trojan-gen, Moved to chest
File L:\fontsfree.exe|>[Embedded_R#001280]|>%cscoresys%\ossproxy.exe is infected by Win32:Spyware-gen [Spy], Moved to chest
Number of searched folders: 17950
Number of tested files: 1683761
Number of infected files: 14

argus

Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #41 on: January 31, 2011, 07:55:47 AM »
Install the latest version of Java.

Avast has moved the malware (adware) to the chest.

I recommend that you install this program: http://amf.mycity.rs/programs/mc/mcshield/
It will prevent infection of your computer via USB flash drive, mobile phone or any memory card.
And not only will it prevent infection, but it will immediately clean a memory card or external HDD.


attcbf

Re: Winlogon.exe is infected with Win32:Malware-gen
« Reply #42 on: February 03, 2011, 05:16:46 PM »
I ran another avast boot scan last night. The results are below. I downloaded LibreOffice (it is like OpenOffice, but designed by former Sun designers who left after Oracle bought Sun) the other day and it seems to run okay, but the bulk of problems Avast found was from that download. Is this something I need to worry about?

Also, I have noticed that overall my computer is running slower. It takes about 2x as long to open a program and about twice as long to load a new page on the web. Please let me know what you think. Thank you.

02/03/2011 01:36
Scan of all local drives

File D:\[OFFICE]\[OFFICE] - LibreOffice\libreoffice1.cab|>standard4.bau|>+BCEEHQQUBB8-\atevent.xml Error 42125 {ZIP archive is corrupted.}
File D:\[OFFICE]\[OFFICE] - LibreOffice\libreoffice1.cab|>standard4.bau|>+BCEEFA-\atevent.xml Error 42125 {ZIP archive is corrupted.}
File D:\[OFFICE]\[OFFICE] - LibreOffice\libreoffice1.cab|>template4.bau|>+BBcEEQ-1+BCE-\Pictures\2000001B00000CD200000CED63AA5866.svm Error 42125 {ZIP archive is corrupted.}
File D:\[OFFICE]\[OFFICE] - LibreOffice\libreoffice1.cab|>template4.bau|>+BBcEEQQU-\Pictures\2000001B00000CD200000CED63AA5866.svm Error 42125 {ZIP archive is corrupted.}
File D:\[ZIPS & INSTALLS]\LibO_3.3.0_Win_x86_install_multi.exe|>$INSTDIR\libreoffice1.cab|>standard4 .bau|>+BCEEHQQUBB8-\atevent.xml Error 42125 {ZIP archive is corrupted.}
File D:\[ZIPS & INSTALLS]\LibO_3.3.0_Win_x86_install_multi.exe|>$INSTDIR\libreoffice1.cab|>standard4 .bau|>+BCEEFA-\atevent.xml Error 42125 {ZIP archive is corrupted.}
File D:\[ZIPS & INSTALLS]\LibO_3.3.0_Win_x86_install_multi.exe|>$INSTDIR\libreoffice1.cab|>template4 .bau|>+BBcEEQ-1+BCE-\Pictures\2000001B00000CD200000CED63AA5866.svm Error 42125 {ZIP archive is corrupted.}
File D:\[ZIPS & INSTALLS]\LibO_3.3.0_Win_x86_install_multi.exe|>$INSTDIR\libreoffice1.cab|>template4 .bau|>+BBcEEQQU-\Pictures\2000001B00000CD200000CED63AA5866.svm Error 42125 {ZIP archive is corrupted.}
File H:\MSOCache(2)\All Users(2)\{90120000-0030-0000-0000-0000000FF1CE}-C(2)\EnterWW.cab|>DD00705_.WMF Error 42127 {CAB archive is corrupted.}
Number of searched folders: 18494
Number of tested files: 1864016
Number of infected files: 0
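The avast report lines in the two boot-scan posts above (Reply #40 and Reply #42) nest archive members with `|>`, list repair attempts before the final action, and report archive errors (42125, 42127) in the same list as detections, which is why a scan can show "Number of infected files: 0" while still printing a page of "File ... Error" lines. The following is an added Python example, not code from this thread or from Avast, that parses that format, groups hits by the on-disk container file (so the ten lines for L:\fontsfree.exe count as one file to deal with), keeps archive errors separate from detections, and flags hits inside the Java deployment cache and signatures tagged [Expl]. The sample is an excerpt of the lines posted above with the summary counts adjusted to the excerpt; the field names, the `triage` categories and the list of "resolved" action strings other than "Moved to chest" are my own assumptions.

```python
"""Parse avast! boot-scan report lines and group detections by on-disk file.

Nested archive members are written as a|>b|>c, repair attempts precede the
final action, and archive errors share the list with real detections."""
import re
from collections import defaultdict

# Excerpt of the two reports posted in this thread; summary counts adjusted
# to the excerpt (constructed sample, not a full scan log).
SAMPLE = r"""01/30/2011 01:16
Scan of all local drives

File C:\Documents and Settings\Craig\Application Data\Sun\Java\Deployment\cache\6.0\32\421e8ea0-2ef51a24|>utilits\common.class is infected by Java:Jade-AB [Heur], Repair: Error 42060 {The file was not repaired.}, Repair: Error 42060 {The file was not repaired.}, Moved to chest
File G:\Documents and Settings\craig\Application Data\Sun\Java\Deployment\cache\6.0\44\232f2a6c-1f56cb12|>vmain.class is infected by Java:Gimsh-A [Expl], Moved to chest
File H:\MSOCache(2)\All Users(2)\{90120000-0030-0000-0000-0000000FF1CE}-C(2)\EnterWW.cab|>DD00705_.WMF Error 42127 {CAB archive is corrupted.}
File L:\fontsfree.exe|>[Embedded_R#001280]|>%temp%\VVSNInst.exe|>VVSN.exe is infected by Win32:Adware-gen [Adw], Moved to chest
File L:\fontsfree.exe|>[Embedded_R#001280]|>%TEMP%\freeze_388.exe is infected by Win32:Newdotnet-B [Trj], Moved to chest
File L:\fontsfree.exe|>[Embedded_R#001280]|>%TEMP%\whCC-FREEZE4.exe|>whiehlpr.dll is infected by Win32:Trojan-gen, Moved to chest
File D:\[OFFICE]\[OFFICE] - LibreOffice\libreoffice1.cab|>standard4.bau|>+BCEEFA-\atevent.xml Error 42125 {ZIP archive is corrupted.}
Number of searched folders: 17950
Number of tested files: 1683761
Number of infected files: 5
"""

# "is infected by <sig> [<cat>], <action>, <action>..." ; the [cat] tag is optional
INFECTED = re.compile(
    r'^File (?P<path>.+?) is infected by (?P<sig>\S+?)(?: \[(?P<cat>[^\]]+)\])?, (?P<actions>.+)$')
ERROR = re.compile(r'^File (?P<path>.+?) Error (?P<code>\d+) \{(?P<msg>[^}]*)\}$')
SUMMARY = re.compile(r'^Number of (?P<what>[^:]+): (?P<n>\d+)$')
# "Moved to chest" appears in the thread; the other final actions are assumed.
RESOLVED = ("Moved to chest", "Deleted", "Repaired")
JAVA_CACHE = re.compile(r'\\Sun\\Java\\Deployment\\cache\\', re.IGNORECASE)


def parse_report(text):
    """Split a report into detections, archive errors and the summary counts."""
    detections, errors, summary = [], [], {}
    for line in text.splitlines():
        line = line.strip()
        m = INFECTED.match(line)
        if m:
            chain = m.group("path").split("|>")        # container first, innermost last
            actions = m.group("actions").split(", ")
            detections.append({
                "container": chain[0], "inner": chain[1:], "drive": chain[0][:2],
                "signature": m.group("sig"), "category": m.group("cat") or "",
                "actions": actions, "resolved": actions[-1] in RESOLVED,
            })
            continue
        m = ERROR.match(line)
        if m:
            chain = m.group("path").split("|>")
            errors.append({"container": chain[0], "inner": chain[1:],
                           "code": int(m.group("code")), "message": m.group("msg")})
            continue
        m = SUMMARY.match(line)
        if m:
            summary[m.group("what")] = int(m.group("n"))
    return detections, errors, summary


def triage(detections, errors):
    """Collapse nested hits onto their container file and pull out what needs a look."""
    by_container = defaultdict(list)
    for d in detections:
        by_container[d["container"]].append(d["signature"])
    return {
        "containers": dict(by_container),
        "unresolved": [d["container"] for d in detections if not d["resolved"]],
        "java_cache_hits": sorted({d["container"] for d in detections
                                   if JAVA_CACHE.search(d["container"])}),
        "exploit_hits": sorted({d["signature"] for d in detections if d["category"] == "Expl"}),
        "archive_errors": sorted({(e["container"], e["code"]) for e in errors}),
    }


if __name__ == "__main__":
    dets, errs, summ = parse_report(SAMPLE)
    for k, v in triage(dets, errs).items():
        print(f"{k}: {v}")
    print("summary:", summ)
```

The useful output is the container list: one installer on L: accounts for most of the detections, the Java hits sit in the plugin's deployment cache on three drives (the same cache copied to backup volumes, not three separate infections), and the CAB/ZIP errors are unreadable archives, not malware.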