Detected explorer.exe and winlogon.exe as infected

This is my problem at the moment. My computer is suffering from pop-ups, frequent redirects while browsing the internet and a difficulty in logging into my computer (as I have 2 user accounts on my computer). By difficulty, I mean sometimes upon logging into windows, the computer simply stops processing and fails to load at startup. Task manager is “sometimes” still accessible.

After a full system scan with avast, these things come up however no action is possible since they are all read only.

I have also scheduled a scan at boot up. The problems were detected but were unable to be removed.

Please advise me on the next best course of action. A picture of the files that were detected is below.

http://img340.imageshack.us/img340/4602/avastfullscanreport.png

Thank you for your assistance.

Have you tried scanning with Malwarebytes?

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
always run update before you scan so you have the latest database
click the remove selected button to quarantine anything found
you may post the scan log here

Yes, I have run Malwarebytes. Unfortunately, it does not pick the trojan up.

Follow this guide from Essexboy and post the logs
http://forum.avast.com/index.php?topic=53253.0

To avoid multiple posts with copy and paste, you have to attach the logs
Lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt. and MBAM scan log )

Here’s my MBAM report.

Malwarebytes’ Anti-Malware 1.46
www.malwarebytes.org

Database version: 4736

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/3/2010 10:48:50 AM
mbam-log-2010-10-03 (10-48-50).txt

Scan type: Full scan (C:|D:|E:|)
Objects scanned: 318760
Time elapsed: 1 hour(s), 15 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users.WINDOWS\Documents\Server\admin.txt (Malware.Trace) → No action taken.
C:\Documents and Settings\All Users.WINDOWS\Documents\Server\server.dat (Malware.Trace) → No action taken.

Hi, two programmes to run for you

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

THEN

Run OTL and copy/paste the following into the custom scans/fixes box, ensure all users is selected and press run scan

/md5start
explorer.exe
winlogon.exe
wininit.exe
/md5stop

Here are the OTL logs

I didn’t see any “extras.txt” so it’s just the OTL here

I’ll run those things you just posted essexboy. I’ll be a couple of minutes.

Prior to running Combofix (unless you have already started) Run this fix to stop the returning infection - I will also need the OTL run to search for replacement files

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Veoh Browser Plug-in) - {D0943516-5076-4020-A3B5-AEFAF26AB263} - Reg Error: Value error. File not found
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab (Reg Error: Key error.)
O29 - HKLM SecurityProviders - (snapapi32.dll) - File not found
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\Install.exe -- File not found
[2010/09/24 10:42:44 | 000,000,112 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lc6p04Q1.dat
[2006/04/24 11:09:14 | 000,000,005 | -HS- | C] () -- C:\WINDOWS\System32\ddfceebfcb2_s.dll
[2006/05/17 10:20:49 | 000,000,377 | ---- | M] () -- C:\Program Files\Common Files\vifyx
[2006/05/16 20:42:29 | 000,000,000 | ---D | M](C:\Documents and Settings\LocalService\Application Data\?racle) -- C:\Documents and Settings\LocalService\Application Data\?racle
[2006/04/18 12:00:32 | 000,000,000 | ---D | M](C:\WINDOWS\System32\?ystem) -- C:\WINDOWS\System32\?ystem
[2006/04/18 12:00:32 | 000,000,000 | ---D | M](C:\WINDOWS\system32\?ystem\?ystem) -- C:\WINDOWS\system32\?ystem\?ystem
[2006/04/18 12:00:31 | 000,000,000 | ---D | C](C:\WINDOWS\System32\?ystem) -- C:\WINDOWS\System32\?ystem
(C:\Documents and Settings\LocalService\Application Data\?racle) -- C:\Documents and Settings\LocalService\Application Data\?racle

:Files
ipconfig /flushdns /c
C:\WINDOWS\tasks\At*.job

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I just ran the Combofix thing. The log is attached. Should I still run the OTL?

Yes please

Infected copy of c:\windows\system32\drivers\intelide.sys was found and disinfected
Restored copy from - Kitty had a snack :p
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

The autofix worked ;D
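The /md5start block the helper asked for and the ComboFix lines above both come down to the same check: does the live copy of a system binary still match the pristine copy Windows keeps under ServicePackFiles\i386? Here is an added example of that comparison (my code, not the thread's, OTL's or ComboFix's); the XP paths are assumptions and demo() runs on constructed temp files.

```python
"""Added example, not from the thread or from OTL/ComboFix: hash the live system binaries
the helper asked OTL to fingerprint and compare each with the pristine copy Windows keeps
under ServicePackFiles\\i386 (the source ComboFix restored from). Paths are assumptions."""
import hashlib
import os
import tempfile

LIVE_PATHS = {  # where these binaries normally sit on XP (assumed)
    "explorer.exe": r"C:\WINDOWS\explorer.exe",
    "winlogon.exe": r"C:\WINDOWS\system32\winlogon.exe",
    "wininit.exe": r"C:\WINDOWS\system32\wininit.exe",  # may not exist on every version
}
BACKUP_DIR = r"C:\WINDOWS\ServicePackFiles\i386"

def md5_of(path, chunk=1 << 20):
    h = hashlib.md5()  # streamed, so a large binary never sits in memory whole
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def compare_to_backup(live_paths, backup_dir):
    """Return {name: verdict}. 'mismatch' means the live file differs from the SP backup;
    a hotfix can legitimately change a binary, so treat it as a lead to inspect, not proof."""
    verdicts = {}
    for name, live in live_paths.items():
        backup = os.path.join(backup_dir, name)
        if not os.path.isfile(live):
            verdicts[name] = "live file missing"
        elif not os.path.isfile(backup):
            verdicts[name] = "no backup copy"
        else:
            verdicts[name] = "match" if md5_of(live) == md5_of(backup) else "mismatch"
    return verdicts

def demo():
    """Constructed data: pristine backups; a live tree with one altered binary, one absent."""
    root = tempfile.mkdtemp()
    live_dir, backup_dir = os.path.join(root, "live"), os.path.join(root, "backup")
    for d in (live_dir, backup_dir):
        os.makedirs(d)
    for name in LIVE_PATHS:
        data = b"MZ placeholder body of " + name.encode()
        with open(os.path.join(backup_dir, name), "wb") as f:
            f.write(data)
        if name != "wininit.exe":  # absent on this constructed machine
            with open(os.path.join(live_dir, name), "wb") as f:
                f.write(data + (b" PATCHED" if name == "winlogon.exe" else b""))
    return compare_to_backup({n: os.path.join(live_dir, n) for n in LIVE_PATHS}, backup_dir)
```

On a real XP box the call is compare_to_backup(LIVE_PATHS, BACKUP_DIR); a mismatch tells you which file to hand to a helper for inspection, not to delete on your own.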

Once OTL has run the fix - no need for a further scan now

We will remove the final bits of malware

  1. Please open Notepad
    [*] Click Start, then Run
    [*] Type notepad .exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

Renv::
c:\program files\Adobe\Reader 8.0\Reader\Reader_sl .exe
c:\program files\ATI Technologies\ATI.ACE\cli .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Common Files\Java\Java Update\jusched .exe
c:\program files\DivX\DivX Update\DivXUpdate .exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
c:\program files\HP DVD\Umbrella\DVDBitSet .exe
c:\program files\HP DVD\Umbrella\DVDTray .exe
c:\program files\Microsoft IntelliPoint\ipoint .exe
c:\program files\Microsoft IntelliType Pro\itype .exe
c:\program files\Picasa2\PicasaMediaDetector .exe
c:\program files\QuickTime Alternative\qttask .exe
c:\windows\system32\HDAShCut .exe

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*] Combofix.txt
    [*] A new OTListit log.

Ok Essexboy, here is the combofix log and the OST log (by OTListit log did you mean a normal OTL log??) that includes the little extra thing you posted earlier that I should include in the custom scan box:

/md5start
explorer.exe
winlogon.exe
wininit.exe
/md5stop

Things are looking good so far, thanks in advance Essexboy! Is there any way I can give you a good rating or something, cause you deserve a lot more than a “thank you” xD

I ran another avast scan this morning and this is what I got:

http://img405.imageshack.us/img405/7158/avastlog.png

Are more things coming back again?! Should I run through all the fixes again? Recommendations?

Those entries are as a result of system restore making a copy of the removed repaired/patched files, let avast remove them to the chest.

The restore points in the c:\system volume information folder are inert, unless you use system restore and go back to a point that these are restored. So the advice is as above allow avast to move them to the chest (as you have done from your image), leave a few weeks and scan within the chest, if still infected then delete from the chest.

I normally wouldn’t suggest early deletion as it isn’t a good option, but in this case where these are proven to be malicious, deletion from the chest is an earlier option.

Ok, I have done just that and sent them to the chest. Things are looking good so far but I’ll send a pre-final report later this evening and (if I remember) another in a week or 2. My OTL and combofix logs are above in a previous post, if you are interested in checking them over.

Those tools I used are pretty effective, they really should be advertised more! i.e. Combofix and OTL. My computer is no longer having difficulty logging into the 2 different accounts and I am also not getting redirected anymore while internet browsing. I have noticed also that Windows update is updating properly now as well (which is a problem I had forgotten to mention on my first post).

Thank you very much Pondus, Essexboy (and DavidR and YoKenny) you guys rock.

On a side note: now that I am running avast, that is generally enough for keeping my computer safe right? Or should I be running something special every now and then just to keep the wolves at bay, so to speak. i.e. combofix or OTL.

Use MalwareBytes Anti-Malware (MBAM) to protect from this type of infection.

You’re welcome.

I will leave the logs to essexboy who has much more experience in this area than I.

The tools are very effective, but they really aren’t tools to use without the help and advice of someone experienced in their use, so advertising some of them isn’t a good idea as people could get in trouble using them without assistance.

The special tools used should be for that purpose, special needs and aside from being used with assistance, you have to always download the latest version of them, so they aren’t the sort of tool to keep on your system.

MBAM on the other hand is a general anti-malware application that complements avast, and running it once a week (having updated its definitions first) should be fine.

Oh I see, so MBAM then :)

P.S. Lol, one random point of interest: what’s all that stuff you guys have as your signatures? Is that like your system info? Should I be making something like that? If so, what’s the order you have to write it in, if any.

DavidR: Core2Duo E8300/ 2GB Ram/ WinXP ProSP3/ avast! free 5.0.677/ Outpost Firewall Pro/ Firefox 3.6.10, NoScript, RequestPolicy/ MailWasher Pro/ SuperAntiSpyware Pro/ MalwareBytes AntiMalware/ WinPatrol Plus/ Drive Image 7.1 /OE6 /SnagIt 9.1 Image Capture

YoKenny: E5200 2.5GHZ, 4GB RAM, 320GB HD, Windows 7 Home Premium 64bit, avast! V5 Free, IE9
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3 32bit, Acronis True Image Home 2010, avast! V5 Pro
with Finjan SecureBrowsing, IE8, hpHosts, MVPS HOSTS files, MBAM Full, PSI, SpeedFan, WinPatrol PLUS

Pondus: Lenovo S10-2. Intel Atom CPU N280 - 1.66Ghz. 2GB ram. WinXP SP3 32bit. avast AIS 5.0.677. MalwareBytes PRO

Yes, it is a brief description of our system/s; by creating a signature in your forum profile, it helps those who might be helping you if they know a little about your system (OS, CPU and RAM) and security programs, and it saves you having to constantly repeat it when asked.

However, there is a little hiccup in your path:
You need 20 posts to be able to edit your profile and use the PM function:
The problem comes from drive by spammers, who having registered put objectionable or commercial links in their profile signature to try and gain link promotion, etc.

There have also been cases of the PM function being abused to spam forum members, so you will notice that you can’t use the PM function either.

Unfortunately, because of the actions of others, legitimate members suffer from the measures taken to prevent this spamming.

This is the latest log (however I tried cranking up the sensitivity (as much as I could figure out)):

http://img338.imageshack.us/img338/7158/avastlog.png