Infection from website, infected explorer.exe and winlogon.exe

Hello!

After being hit by some infections from a Latin American news website, PODER, I followed the Avast instructions to have it review problems after boot-up. It found infections with explorer.exe and winlogon.exe. I reviewed some similar problems people encountered here and elsewhere. The common thread of solutions was to use a program called ComboFix to disinfect the explorer.exe and winlogon.exe files.

There remain infections with the Win32:WinPatch in the winlogin…

edit: Meant to add this detail to the original post… Avast informs me that I still have a threat, explorer.exe is infected with Win32: Win32:Patched-UE[Trj]

I will be posting the log in less than 5 minutes…

ATTACHED AS FILE

Ignore, added to original post.

Hi

Open Notepad and copy/paste the text in the quote box below into it:

File::
c:\windows\system32\atxhqi.dll

Driver::
vfvbzbgea

NetSvc::
vfvbzbgea

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):96,38,50,50,14,32,a6,68,d1,8d,99,7a,0c,35,7d,33,28,e1,51,8e,4e,
   98,da,66,d8,63,d3,0d,68,a6,1e,9c,f7,65,7f,19,15,30,70,77,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):0d,48,83,b3,8b,c0,16,fc,60,7b,f7,78,9d,a6,52,21,d9,60,64,a5,29,
   0f,c5,5a,13,4a,9d,c9,ae,e8,ad,8f,0d,7f,17,0a,7c,fd,3d,34,00,00,00,00,00,00,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{84083ee5-06a5-4e33-8792-98c42bb540a5}]
@Denied: (Full) (Everyone)
"Model"=dword:0000011a
"Therad"=dword:00000011
"MData"=hex(0):85,8b,fd,20,ce,cb,a4,e4,66,14,4f,d9,ef,fd,e4,b9,1c,82,b7,6c,7c,
   68,29,18,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{caf1a451-4081-46f7-bf79-cd9985113c19}]
@Denied: (Full) (Everyone)
"Model"=dword:000000f1
"Therad"=dword:00000020
"MData"=hex(0):2b,8f,78,29,5a,0c,ce,ec,48,d4,68,e5,9f,6a,96,3e,ab,de,c5,81,26,
   38,95,44,ab,9e,50,1b,eb,77,d1,ab,ce,4a,c2,09,3e,66,22,82,83,e0,8b,c5,07,bb,\

Save this as CFScript to the desktop.


http://img213.imageshack.us/img213/1218/cfscript1.gif

Close all browser windows and, referring to the picture above, drag CFScript onto Combofix.exe.
Then post the resultant log.

Argus, thanks for responding!

Attached is the resultant log. FYI: CF rebooted Windows after completing its runs, but unfortunately the computer “hung” after user login screen … no start button, no icons. I waited 5-10 minutes but with no change I manually turned off and turned on the laptop. Once I logged in, CF resumed as if that “hang” never happened.

Unfortunately upon opening IE to post the log, my Avast informed me I still had infections…

Also, just prior to running through your instructions I had completed a scan with “ESET Online Scanner” and it noted a few baddies. I am including that logfile as well.

Thanks again for the quick response!

Please do the following:

Download the zip file from this link and extract it to C:\ (http://www.speedyshare.com/files/26377546/XP-sp3.zip)

C:\explorer.exe
C:\winlogon.exe

Restart your computer and press the F8 key.

When menu appears you should choose Microsoft Windows XP.

Then a menu will appear where you should choose Microsoft Windows Recovery Console.

Start the Recovery Console and you will be asked which installation you want to log on to. Type in 1 and confirm with Enter.

You may also be asked for a password; type it in, or just press Enter if you do not have a password.

The following will appear on the display:

C:\Windows>_

Next, type the following (confirm each command line with Enter):

cd ..

copy explorer.exe c:\windows\explorer.exe

A prompt will appear: type y

copy winlogon.exe c:\windows\system32\winlogon.exe

A prompt will appear: type y

Then type:

exit to restart the PC.

All of this will look like the picture below (the yellow boxes show what you type):


http://img209.imageshack.us/img209/118/20110119135814.jpg

Thereafter, run Combofix.
Then post the resultant log.

Write all of these down on paper so you know what to type.
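After the clean copies have been put in place, it helps to confirm that the live explorer.exe and winlogon.exe really match the known-good files and to look at their signature state. The script below is an added example written for this thread and is not part of the original posts or of any tool mentioned here; it assumes the file paths used in the instructions above (clean copies extracted to C:\explorer.exe and C:\winlogon.exe, live files in C:\Windows and C:\Windows\System32) and that it is run from an elevated PowerShell prompt. Get-AuthenticodeSignature is a standard cmdlet; the SHA-256 helper uses .NET directly so it also works on older PowerShell versions that lack Get-FileHash.

```powershell
# Added example, not from the thread: compare the live explorer.exe and
# winlogon.exe against the clean copies extracted to C:\ and report the
# Authenticode signature state of each live file.
$pairs = @(
    @{ Live = 'C:\Windows\explorer.exe';          Clean = 'C:\explorer.exe' },
    @{ Live = 'C:\Windows\System32\winlogon.exe'; Clean = 'C:\winlogon.exe' }
)

function Get-Sha256Hex([string]$Path) {
    # .NET SHA256 so this runs on PowerShell versions without Get-FileHash
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

foreach ($p in $pairs) {
    $live  = $p.Live
    $clean = $p.Clean
    if (-not (Test-Path $live))  { Write-Warning "Missing live file: $live";   continue }
    if (-not (Test-Path $clean)) { Write-Warning "Missing clean copy: $clean"; continue }

    $liveHash  = Get-Sha256Hex $live
    $cleanHash = Get-Sha256Hex $clean
    $sig       = Get-AuthenticodeSignature -FilePath $live
    $signer    = '(none)'
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # One row per file; MatchesClean is the check that matters most here
    New-Object PSObject -Property @{
        File           = $live
        MatchesClean   = ($liveHash -eq $cleanHash)
        SignatureState = $sig.Status
        Signer         = $signer
        LiveSha256     = $liveHash
    }
}
```

Two caveats when reading the output: Windows system binaries are often catalog-signed rather than carrying an embedded signature, so a SignatureState of NotSigned on an older system is not by itself evidence of tampering; the hash comparison against the clean copy is the decisive check. Conversely, if Windows Update has installed a newer build of one of these files than the copy in the zip, the hashes will differ even though nothing is wrong, so compare the file versions before treating a mismatch as an infection.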

OK! First launch of IE that didn't generate the error.

Log file should be attached.

This now looks great.
Tell me, do you still have a problem?

Ok! Avast Quick Scan is giving me the thumbs up as well, no threats detected.

Argus, thank you again for your invaluable assistance!

For the future, is there something I can do to protect myself from this type of malware/infection?

Get Malwarebytes Anti-Malware (MBAM)
http://www.malwarebytes.org/mbam.php

Its one-time fee is well worth the additional protection against malware.

It is necessary to uninstall Combofix:

Start >> Run


Combofix /Uninstall

Enter

I recommend that you install this program: MCShield.
It will prevent infection of the computer via USB flash drive, mobile phone or any memory card.
And not only will it prevent infection, it will also immediately clean the memory card or external HDD.

The program is very good (excellent).

Currently there is no better program on the internet for that purpose.
The program is free.