system
January 18, 2011, 10:49am
1
Hi there.
Avast keeps detecting Dropper in explorer.exe and Malware-gen in winlogon.exe at each reboot.
They can’t be removed/repaired it seems - Read Only files (6009)
Search engine results get diverted.
Also System Restore has been affected. No Restore Points can be found before 3rd Jan, which is about when the problem must have begun.
Ran MBAM Quick Scan - Found some problems and I have gotten rid of those
See attached log.
Ran OTL All Users scan with this pasted into custom scan box (as advised):
netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
explorer.exe
winlogon.exe
/md5stop
%systemroot%\*. /mp /s
CREATERESTOREPOINT
See attached log file.
Any help would be much appreciated.
Thanks.
My system:
Windows XP Home SP3.
Avast Free 5.1.864
Firefox 3.6.13
Internet Explorer 6.0.2900.5512 (I don't use IE, only Firefox)
Pondus
January 18, 2011, 11:09am
2
Avast Free 5.1.864
Latest avast! is 5.1.889
you should also attach the OTL logs
Essexboy is notified…
system
January 18, 2011, 12:55pm
3
Sorry about that.
Please find attached the OTL log.
I am running avast 5.1.889
You are infected with malware name Bamital.
You have to wait for essexboy. He will have to replace the infected system files (winlogon.exe & explorer.exe) using a legitimate program called BlitzBlank.
This is a very tricky infection and currently there is no other way to repair & fix the system.
In some cases the malware will not allow for replacement of the infected files with legitimate ones.
You will have to go with a BlitzBlank script that deletes the infected files and immediately replaces them with legitimate ones.
…but as I said, this malware is very complex and in some cases replacing the files fails, leading to a damaged system. In 95% of cases the replacement passes without interference and the system is disinfected.
Currently no antivirus product has a definition of, or any fix for, this malware…
system
January 18, 2011, 7:53pm
6
Do I have to wait for Essexboy?
Pondus
January 18, 2011, 7:56pm
7
any minute now…if the wife allows him internet tonight ;D
Yep she let me go ;D
OK Combofix could not find a replacement file on the first scan so I will search in your system restore for a copy. If it does not find one I will need you to place a copy of the files in your windows/system32/dllcache folder. I will extract some copies from my VM and upload them to my site in a bit
Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
IE - HKU\S-1-5-21-1292428093-117609710-1801674531-1007\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key error. File not found
IE - HKU\S-1-5-21-1292428093-117609710-1801674531-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1292428093-117609710-1801674531-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8074
O3 - HKU\S-1-5-21-1292428093-117609710-1801674531-1007\..\Toolbar\ShellBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-1292428093-117609710-1801674531-1007\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1292428093-117609710-1801674531-1007\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
[2011/01/07 16:51:09 | 000,000,049 | ---- | M] () -- C:\WINDOWS\7oF5wJf
[2011/01/07 16:51:09 | 000,000,048 | ---- | M] () -- C:\WINDOWS\vnT4wLLEs
[2011/01/07 16:51:09 | 000,000,048 | ---- | M] () -- C:\WINDOWS\oJRiiX7jR
[2011/01/07 16:51:09 | 000,000,048 | ---- | M] () -- C:\WINDOWS\k6sjApWo
[2011/01/07 16:51:09 | 000,000,048 | ---- | M] () -- C:\WINDOWS\EeiFVwW4
[2011/01/07 16:51:09 | 000,000,047 | ---- | M] () -- C:\WINDOWS\V7cp2
[2011/01/07 16:51:09 | 000,000,047 | ---- | M] () -- C:\WINDOWS\rQfFOR
[2011/01/07 16:51:09 | 000,000,047 | ---- | M] () -- C:\WINDOWS\qL4UajjHH
[2011/01/07 16:51:09 | 000,000,047 | ---- | M] () -- C:\WINDOWS\h2SknLu2
[2011/01/07 16:51:09 | 000,000,047 | ---- | M] () -- C:\WINDOWS\CurboAcjW
[2011/01/07 16:51:09 | 000,000,047 | ---- | M] () -- C:\WINDOWS\3KB7Xq
[2011/01/07 16:51:09 | 000,000,046 | ---- | M] () -- C:\WINDOWS\xTbMqY
[2011/01/07 16:51:09 | 000,000,046 | ---- | M] () -- C:\WINDOWS\QhtpYXjhL
[2011/01/07 16:51:09 | 000,000,046 | ---- | M] () -- C:\WINDOWS\PxoQCwuU
[2011/01/07 16:51:09 | 000,000,046 | ---- | M] () -- C:\WINDOWS\aNyyQ
[2011/01/07 16:51:09 | 000,000,046 | ---- | M] () -- C:\WINDOWS\84j5iEhTSO
[2011/01/07 16:51:09 | 000,000,046 | ---- | M] () -- C:\WINDOWS\6oNPp
[2011/01/07 16:51:09 | 000,000,046 | ---- | M] () -- C:\WINDOWS\3RKOBDmVfR
[2011/01/07 16:51:09 | 000,000,046 | ---- | M] () -- C:\WINDOWS\3rEMqwln
[2011/01/07 16:51:09 | 000,000,045 | ---- | M] () -- C:\WINDOWS\YAMec7fEx
[2011/01/07 16:51:09 | 000,000,045 | ---- | M] () -- C:\WINDOWS\LgmtP
[2011/01/07 16:51:09 | 000,000,045 | ---- | M] () -- C:\WINDOWS\iOCkX
[2011/01/07 16:51:09 | 000,000,045 | ---- | M] () -- C:\WINDOWS\fRWGEyWepm
[2011/01/07 16:51:09 | 000,000,045 | ---- | M] () -- C:\WINDOWS\EOfMmTG8qg
[2011/01/07 16:51:09 | 000,000,045 | ---- | M] () -- C:\WINDOWS\CfYPBStQ
[2011/01/07 16:51:09 | 000,000,045 | ---- | M] () -- C:\WINDOWS\cbmQXxI7
[2011/01/07 16:51:09 | 000,000,044 | ---- | M] () -- C:\WINDOWS\qJBbLHA3
[2011/01/07 16:51:09 | 000,000,044 | ---- | M] () -- C:\WINDOWS\EWu8DdR
[2011/01/07 16:51:09 | 000,000,044 | ---- | M] () -- C:\WINDOWS\dfRBer5rM
[2011/01/07 16:51:09 | 000,000,044 | ---- | M] () -- C:\WINDOWS\2eR5l4hdq5
[2011/01/07 16:51:09 | 000,000,044 | ---- | M] () -- C:\WINDOWS\1l7Xs7
[2011/01/07 16:51:09 | 000,000,043 | ---- | M] () -- C:\WINDOWS\XypNX33
[2011/01/07 16:51:09 | 000,000,043 | ---- | M] () -- C:\WINDOWS\XuH2r
[2011/01/07 16:51:09 | 000,000,043 | ---- | M] () -- C:\WINDOWS\wbp1iRIoq
[2011/01/07 16:51:09 | 000,000,043 | ---- | M] () -- C:\WINDOWS\bVpurUvYy
[2011/01/07 16:51:09 | 000,000,043 | ---- | M] () -- C:\WINDOWS\3O5rD
[2011/01/07 16:51:09 | 000,000,042 | ---- | M] () -- C:\WINDOWS\vJ774LwaJ
[2011/01/07 16:51:09 | 000,000,042 | ---- | M] () -- C:\WINDOWS\J6Kupc
[2011/01/07 16:51:09 | 000,000,041 | ---- | M] () -- C:\WINDOWS\SP7N5QR
[2011/01/07 16:51:09 | 000,000,040 | ---- | M] () -- C:\WINDOWS\yg7RkwNaX5
[2011/01/07 16:51:09 | 000,000,040 | ---- | M] () -- C:\WINDOWS\PokyMSdtJ
[2011/01/07 16:51:09 | 000,000,040 | ---- | M] () -- C:\WINDOWS\LqdImOr
[2011/01/07 16:51:09 | 000,000,039 | ---- | M] () -- C:\WINDOWS\U8tvys
[2011/01/07 16:51:09 | 000,000,039 | ---- | M] () -- C:\WINDOWS\QHW8XbGH
[2011/01/07 16:51:09 | 000,000,039 | ---- | M] () -- C:\WINDOWS\NLMu8B
[2011/01/07 16:51:09 | 000,000,038 | ---- | M] () -- C:\WINDOWS\tEhglSdQT8
[2011/01/07 16:51:09 | 000,000,038 | ---- | M] () -- C:\WINDOWS\FO7pnveC3
[2011/01/07 16:51:09 | 000,000,038 | ---- | M] () -- C:\WINDOWS\c6AoRxyXra
[2011/01/07 16:51:09 | 000,000,037 | ---- | M] () -- C:\WINDOWS\t3VLmH6e2
[2011/01/07 16:51:09 | 000,000,037 | ---- | M] () -- C:\WINDOWS\SnFYg
[2011/01/07 16:51:09 | 000,000,037 | ---- | M] () -- C:\WINDOWS\LBaWy4
[2011/01/07 16:51:09 | 000,000,037 | ---- | M] () -- C:\WINDOWS\Jv2vjXoUJj
[2011/01/07 16:51:09 | 000,000,037 | ---- | M] () -- C:\WINDOWS\Ck3U2S
[2011/01/07 16:51:09 | 000,000,036 | ---- | M] () -- C:\WINDOWS\xh6uIG
[2011/01/07 16:51:09 | 000,000,036 | ---- | M] () -- C:\WINDOWS\PtMWnCrhu
[2011/01/07 16:51:09 | 000,000,035 | ---- | M] () -- C:\WINDOWS\xqtIFgU5RK
[2011/01/07 16:51:09 | 000,000,035 | ---- | M] () -- C:\WINDOWS\MQ1CiG
[2011/01/07 16:51:09 | 000,000,035 | ---- | M] () -- C:\WINDOWS\Cgp8g
[2011/01/07 16:51:09 | 000,000,035 | ---- | M] () -- C:\WINDOWS\85rajDP
[2011/01/07 16:51:09 | 000,000,034 | ---- | M] () -- C:\WINDOWS\QskGgElj
[2011/01/07 16:51:09 | 000,000,034 | ---- | M] () -- C:\WINDOWS\Hkd5Uani
[2011/01/07 16:51:09 | 000,000,034 | ---- | M] () -- C:\WINDOWS\esdgQWBj
[2011/01/07 16:51:09 | 000,000,033 | ---- | M] () -- C:\WINDOWS\pXT2I
[2011/01/07 16:51:09 | 000,000,033 | ---- | M] () -- C:\WINDOWS\M1hYuBT3
[2011/01/07 16:51:09 | 000,000,033 | ---- | M] () -- C:\WINDOWS\5uhJBRCpr
[2011/01/07 16:51:09 | 000,000,032 | ---- | M] () -- C:\WINDOWS\UMBLCygPHd
[2011/01/07 16:51:09 | 000,000,032 | ---- | M] () -- C:\WINDOWS\sOBqEsOd
[2011/01/07 16:51:09 | 000,000,032 | ---- | M] () -- C:\WINDOWS\qfciH
[2011/01/07 16:51:09 | 000,000,032 | ---- | M] () -- C:\WINDOWS\M7WyP
[2011/01/07 16:51:09 | 000,000,031 | ---- | M] () -- C:\WINDOWS\xpox7uH
[2011/01/07 16:51:09 | 000,000,031 | ---- | M] () -- C:\WINDOWS\P3A8WdpgNY
[2011/01/07 16:51:09 | 000,000,031 | ---- | M] () -- C:\WINDOWS\NKP256Aw
[2011/01/07 16:51:09 | 000,000,031 | ---- | M] () -- C:\WINDOWS\K4kfQd
[2011/01/07 16:51:09 | 000,000,031 | ---- | M] () -- C:\WINDOWS\A11kvBuy
[2011/01/07 16:51:09 | 000,000,031 | ---- | M] () -- C:\WINDOWS\58s6dXS8C
[2011/01/07 16:51:09 | 000,000,030 | ---- | M] () -- C:\WINDOWS\YXcxBUc
[2011/01/07 16:51:09 | 000,000,030 | ---- | M] () -- C:\WINDOWS\lyR8Q
[2011/01/07 16:51:09 | 000,000,030 | ---- | M] () -- C:\WINDOWS\iypBR
[2011/01/07 16:51:09 | 000,000,030 | ---- | M] () -- C:\WINDOWS\gm7jSHxV7Y
[2011/01/07 16:51:09 | 000,000,030 | ---- | M] () -- C:\WINDOWS\7d8DwOQ
[2011/01/07 16:51:09 | 000,000,029 | ---- | M] () -- C:\WINDOWS\yGQLB
[2011/01/07 16:51:09 | 000,000,029 | ---- | M] () -- C:\WINDOWS\SK661liE
[2011/01/07 16:51:09 | 000,000,029 | ---- | M] () -- C:\WINDOWS\oxoNdwg
[2011/01/07 16:51:09 | 000,000,029 | ---- | M] () -- C:\WINDOWS\MBNGjia
[2011/01/07 16:51:09 | 000,000,029 | ---- | M] () -- C:\WINDOWS\KGYFQp28
[2011/01/07 16:51:09 | 000,000,029 | ---- | M] () -- C:\WINDOWS\EQhSj3xV8E
[2011/01/07 16:51:09 | 000,000,029 | ---- | M] () -- C:\WINDOWS\1MRuIE8RxX
[2011/01/07 16:51:09 | 000,000,028 | ---- | M] () -- C:\WINDOWS\sFSR3OHmKx
[2011/01/07 16:51:09 | 000,000,028 | ---- | M] () -- C:\WINDOWS\P7WCgBW
[2011/01/07 16:51:09 | 000,000,028 | ---- | M] () -- C:\WINDOWS\oRVXoSH
[2011/01/07 16:51:09 | 000,000,028 | ---- | M] () -- C:\WINDOWS\KBGD4jw
[2011/01/07 16:51:09 | 000,000,028 | ---- | M] () -- C:\WINDOWS\ACXqv
[2011/01/07 16:51:09 | 000,000,028 | ---- | M] () -- C:\WINDOWS\8Shq18voQ
[2011/01/07 16:51:09 | 000,000,027 | ---- | M] () -- C:\WINDOWS\wMmPT
[2011/01/07 16:51:09 | 000,000,027 | ---- | M] () -- C:\WINDOWS\gLss87MA
[2011/01/07 16:51:09 | 000,000,027 | ---- | M] () -- C:\WINDOWS\F5lgAVYa
[2011/01/07 16:51:09 | 000,000,026 | ---- | M] () -- C:\WINDOWS\ntQFuwYGn
[2011/01/07 16:51:09 | 000,000,026 | ---- | M] () -- C:\WINDOWS\gK5DRA
[2011/01/07 16:51:09 | 000,000,026 | ---- | M] () -- C:\WINDOWS\eqq51YwKXD
[2011/01/07 16:51:09 | 000,000,026 | ---- | M] () -- C:\WINDOWS\bgxYTFCL
[2011/01/07 16:51:09 | 000,000,025 | ---- | M] () -- C:\WINDOWS\ICkLPPEU
[2011/01/07 16:51:09 | 000,000,024 | ---- | M] () -- C:\WINDOWS\h5Goo
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
OK forum limitations - second part of the fix
THEN
Please open Notepad
[*] Click Start, then Run [*] Type notepad.exe in the Run box.
Now copy/paste the entire content of the codebox below into the Notepad window:
SRPeek::
c:\windows\system32\winlogon.exe
c:\windows\explorer.exe
c:\windows\system32\sfcfiles.dll
Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Save the above as CFScript.txt
Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
[*]Combofix.txt [*]A new OTListIt log.
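The OTL listing in the fix above shows the pattern a triager keys on: dozens of tiny, extension-less, randomly named files in C:\WINDOWS all stamped with the same modification second, plus an Internet Settings entry pointing IE at a loopback proxy (the search-redirect symptom the OP reported). The following Python is an added example written for this thread, not code from OTL, essexboy or magna86; it parses OTL-style file and registry lines in the shape they appear in the log above and flags both indicators. The sample lines are partly copied from the thread and partly constructed (the two benign files), and the thresholds (at least 5 files of at most 64 bytes in one second) are assumptions chosen to fit this log.

```python
import re
from collections import defaultdict

# One OTL "Files - Modified" line, in the shape it appears in the log above:
# [2011/01/07 16:51:09 | 000,000,049 | ---- | M] () -- C:\WINDOWS\7oF5wJf
OTL_FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[MC])\] "
    r"\((?P<company>[^)]*)\) -- (?P<path>.+)$"
)

# The IE ProxyServer value on an OTL Internet Settings line.
PROXY_LINE = re.compile(r'"ProxyServer" = (?P<value>\S.*)$')

# Constructed sample: six dropped files copied from the thread's OTL log,
# two benign files that are hypothetical (one in the same second, one later),
# and the ProxyServer line from the thread.
SAMPLE_OTL = [
    r"[2011/01/07 16:51:09 | 000,000,049 | ---- | M] () -- C:\WINDOWS\7oF5wJf",
    r"[2011/01/07 16:51:09 | 000,000,048 | ---- | M] () -- C:\WINDOWS\vnT4wLLEs",
    r"[2011/01/07 16:51:09 | 000,000,047 | ---- | M] () -- C:\WINDOWS\V7cp2",
    r"[2011/01/07 16:51:09 | 000,000,046 | ---- | M] () -- C:\WINDOWS\xTbMqY",
    r"[2011/01/07 16:51:09 | 000,000,045 | ---- | M] () -- C:\WINDOWS\LgmtP",
    r"[2011/01/07 16:51:09 | 000,000,024 | ---- | M] () -- C:\WINDOWS\h5Goo",
    r"[2011/01/07 16:51:09 | 000,012,288 | ---- | M] () -- C:\WINDOWS\setuplog.txt",
    r"[2011/01/05 09:12:00 | 000,000,020 | ---- | M] () -- C:\WINDOWS\tiny.ini",
    r'IE - HKU\S-1-5-21-1292428093-117609710-1801674531-1007\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:8074',
]


def parse_otl_file_line(line):
    """Return {ts, size, attrs, path} for an OTL file line, or None otherwise."""
    m = OTL_FILE_LINE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m.group("ts"),
        "size": int(m.group("size").replace(",", "")),  # "000,000,049" -> 49
        "attrs": m.group("attrs"),
        "path": m.group("path"),
    }


def find_dropper_clusters(lines, min_count=5, max_size=64):
    """Group tiny, extension-less files by modification second and keep the
    groups large enough to look like a batch drop. Thresholds are assumptions."""
    by_second = defaultdict(list)
    for line in lines:
        rec = parse_otl_file_line(line)
        if rec is None:
            continue
        name = rec["path"].rsplit("\\", 1)[-1]
        if rec["size"] <= max_size and "." not in name:
            by_second[rec["ts"]].append(rec["path"])
    return {ts: paths for ts, paths in by_second.items() if len(paths) >= min_count}


def find_loopback_proxy(lines):
    """Return ProxyServer values that route the browser through the local host."""
    hits = []
    for line in lines:
        m = PROXY_LINE.search(line)
        if m and ("127.0.0.1" in m.group("value") or "localhost" in m.group("value")):
            hits.append(m.group("value"))
    return hits


if __name__ == "__main__":
    for ts, paths in find_dropper_clusters(SAMPLE_OTL).items():
        print(f"{len(paths)} tiny extension-less files modified at {ts}:")
        for p in paths:
            print("   ", p)
    for value in find_loopback_proxy(SAMPLE_OTL):
        print("IE proxy points at the local host:", value)
```

A real OTL log is read line by line the same way; the cluster heuristic is what turns the long listing above into one finding, and the proxy check gives the redirect symptom a concrete, verifiable cause to record before the fix and to re-check in the post-fix Quick Scan.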
magna86
January 18, 2011, 9:34pm
10
@essexboy
Please, don't misunderstand me and don't take this as an insult, but…
winlogon.exe and explorer.exe are infected.
… also files located in dllcache are also infected.
You can not clean the infection with ComboFix
because CF cleans all files that are not in the right location.
He must download and extract the files to the root of C:
http://www.speedyshare.com/files/26344724/argus.zip
c:\winlogon.exe
c:\explorer.exe
Then to use BlitzBlank
DeleteFile:
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winlogon.exe
MoveFile:
c:\winlogon.exe c:\windows\system32\winlogon.exe
c:\explorer.exe c:\windows\explorer.exe
This is quite a safe method. After research on this infection, the ASAP and UNITE forums disinfect it this way.
example:
http://forums.malwarebytes.org/index.php?showtopic.....amp;start=
http://www.bleepingcomputer.com/forums/topic357026.html
Yes they are infected and there are currently no copies in the dll cache, there may be copies in system restore. I have also uploaded the two files to my site here http://cid-32d8666f4048075b.office.live.com/self.aspx/Malware%20files/winlogon.exe
So far my experience with blitzblank has been patchy, 30% of the time it fails and the system will not boot
magna86
January 18, 2011, 9:52pm
12
Yes they are infected and there are currently no copies in the dll cache, there may be copies in system restore.
maybe … :-\ but I doubt it. I do not think you’ll find something there.
So far my experience with blitzblank has been patchy, 30% of the time it fails and the system will not boot
Yes…i know.
It's not enough to overwrite the malicious files with legitimate ones. The malware will cause errors in the program and in the working process and cause a BSOD.
You first need to delete the infected copy of the system files, then use MoveFile to overwrite.
Because of such a large risk in the middle of disinfection; this malware is very tricky.
or try with Recovery Console.
edit: the files in the dll cache are not infected, but if you try to replace those files from there you will also infect the files in the dll cache.
Combofix uses the recovery console, thereby reducing the knowledge that the OP is required to have
magna86
January 18, 2011, 10:21pm
14
Comrade, there are two ways to fix this infection.
Either you use BlitzBlank or the Recovery Console.
Currently there is no third way for disinfection.
You work the way you believe to be the best.
I would rather take a little longer than render the system unbootable… But that’s me ;D
DavidR
January 18, 2011, 11:42pm
16
I have seen BlitzBlank used before (suggested by someone in these forums) and it didn’t make a blind bit of difference as simply trying to replace the files without first dealing with the underlying infection failed.
Then essexboy had to do this with the tools that he is familiar with and have proven to get the job done.
system
January 18, 2011, 11:49pm
17
Essexboy;
So I have to do what you have instructed me to do. I will do this once I get home from work tonight.
Is there anything else I have to?
magna86
January 19, 2011, 4:58am
18
I understand you.
But this program would not have come into malware experts' hands if it had not previously been tested.
On my home forum (which is also a member of ASAP) we also use this method.
Because there is no other way of working. Or replace the files from the Recovery Console.
If you need proof …
largest forum also member of ASAP
http://www.bleepingcomputer.com/forums/topic369282.html
I want you to know that I am not here to do evil. I am here because I have the knowledge and the desire to help
system
January 19, 2011, 10:49am
19
As requested, here is the log after running the custom scan > reboot > and then the quick scan.
Please find the log attached essexboy
system
January 19, 2011, 11:04am
20
ESSEXBOY - Please find the combofix log as requested.
Thanks