Win32:Dropper-EPI in explorer & Win32:Malware-gen in winlogon

Hello,

I would greatly appreciate assistance in ridding my system of these infected files. Attached are MBAM & OTL logs. I have the Windows SP3 CD available (it was actually in the drive E: as I ran these). Also I ran ComboFix (log file attached) without success. Avast still reports explorer.exe & winlogon.exe as infected.

Thanks,
lunarc

Just to be clear (before the real experts look at this): what are the original full file names and paths where these detections are reported by Avast?

Please download and extract the files to the root of C: http://www.speedyshare.com/files/25986130/argus.zip

c:\winlogon.exe
c:\explorer.exe

Then do the following:

Download BlitzBlank and save it to your desktop.
http://download1.emsisoft.com/BlitzBlank.exe

The icon looks like this:
http://img6.imageshack.us/img6/9824/icon48blitzblank.png

Click OK at the warning (and take note of it, this is a VERY powerful tool!).
Click the Script tab and copy/paste the following text there:

MoveFile:
c:\winlogon.exe c:\windows\system32\winlogon.exe
c:\explorer.exe c:\windows\explorer.exe

Click Execute Now.
Your computer will need to reboot in order to replace the files.

When done, post me the report created by Blitzblank C:\blitzblank.txt

Replacing the infected files is all well and good, but if the underlying infection isn’t first resolved then the replacements will also be infected.

Never seen this tool in use before, so let's see what the result is … If it fails:

  1. Please open Notepad
     - Click Start, then Run
     - Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

SRPeek::
c:\windows\system32\winlogon.exe
c:\windows\explorer.exe

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
     - Combofix.txt
     - A new OTListit log.

I think you will not find copies of the SR

Otherwise this is an effective way to replace the files; I think you should wait for the outcome.

Attached is the ComboFix log after running the script. I have not yet tried BlitzBlank to replace the files. I’ve read elsewhere (http://www.bleepingcomputer.com/forums/topic345879.html/page__hl__srpeek__st__15) that they can be replaced via Recovery Console after expanding them from CD to hard disk & then booting to CD? That seems safer if all else is equal. I have been able to expand them from the Windows CD to HD.
Thanks!
lunarc

Edit: missed the part about running OTL again, doing that right now & will post new log as soon as it’s done!
Edit 2: just added OTL log.

Nothing, try my instructions. RC is the last option.

Expand and copy the two files to C:\windows\system32\dllcache then rerun combofix, it should find them there and replace them

I expanded explorer.ex_ and winlogon.ex_ from CD to c:\windows\system32\dllcache, renamed them explorer.exe & winlogon.exe, and then ran ComboFix again. I wasn't sure if I was supposed to include the script… I did it first without and then (after seeing that it didn't work and the two files had disappeared) again with; the attached log file is with script (I had also copied the files to c:\). I guess the next step is to try BlitzBlank…

I downloaded & ran BlitzBlank with script. The system is now rebooting repeatedly. Tried Last Good Config and that didn’t work, and I get a BSOD when trying Safe Mode. I am able to get to the BlitzBlank log (attached) by booting to a 2nd HD.

At this point I’m leaning toward reinstall, unless anyone thinks there are other non-Herculean options worth pursuing…

I figured I’d try the Recovery Console, following the current status of other thread op bjksun http://forum.avast.com/index.php?topic=68334.30. I was able to start that on the infected system and both c:\windows\explorer.exe & c:\windows\system32\winlogon.exe were showing as 0 bytes. I still had copies of those files from the CD in c:\ so I copied them over. The system now boots normally and an Avast scan on those files was clean. I’m currently running a boot scan of the system drive and will re-run OTL and post results as soon as it’s done.

If anyone has any other suggestions for verifying that I’ve killed this, I’d be happy to do that and post results. Happy New Year!
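An added check for the verification question above (example code, not from the thread or from any of the tools it mentions): it compares the live explorer.exe and winlogon.exe against the copies expanded from the Windows CD and flags the zero-byte state lunarc saw in the Recovery Console. It assumes the CD copies were left in %SystemRoot%\system32\dllcache; adjust $RefDir if they were expanded elsewhere.

```powershell
# Added example, not part of the original thread. Written for PowerShell 2+
# so it also runs on older XP-era hosts.
param(
    # Assumption: reference copies expanded from the Windows CD live here.
    [string]$RefDir = (Join-Path $env:SystemRoot 'system32\dllcache')
)

$targets = @(
    @{ Live = (Join-Path $env:SystemRoot 'explorer.exe');          Ref = (Join-Path $RefDir 'explorer.exe') },
    @{ Live = (Join-Path $env:SystemRoot 'system32\winlogon.exe'); Ref = (Join-Path $RefDir 'winlogon.exe') }
)

function Get-FileSha256([string]$Path) {
    # .NET hashing instead of Get-FileHash, which only exists in PowerShell 4+.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try   { ([System.BitConverter]::ToString($sha.ComputeHash($stream))).Replace('-', '') }
    finally { $stream.Close() }
}

foreach ($t in $targets) {
    $live = Get-Item -LiteralPath $t.Live -ErrorAction SilentlyContinue
    if (-not $live) { Write-Warning "MISSING   $($t.Live)"; continue }
    # A 0-byte system binary is what the thread found after the failed replacement.
    if ($live.Length -eq 0) { Write-Warning "ZERO-BYTE $($t.Live)"; continue }
    if (-not (Test-Path -LiteralPath $t.Ref)) { Write-Warning "NO REFERENCE for $($t.Live) at $($t.Ref)"; continue }

    $liveHash = Get-FileSha256 $t.Live
    $refHash  = Get-FileSha256 $t.Ref
    if ($liveHash -eq $refHash) {
        Write-Output "OK        $($t.Live) matches $($t.Ref)"
    } else {
        # A mismatch is not proof of infection: a hotfix newer than the CD can
        # legitimately change these files. Treat it as "inspect", not "infected".
        Write-Warning "MISMATCH  $($t.Live) [$liveHash] vs $($t.Ref) [$refHash]"
    }
}

# The thread also had copies of these names at the root of C:, which ComboFix
# later deleted; report any that are still there so they are not forgotten.
Get-ChildItem -LiteralPath 'C:\' -Filter '*.exe' -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and (@('explorer.exe', 'winlogon.exe') -contains $_.Name) } |
    ForEach-Object { Write-Warning "STRAY     $($_.FullName) ($($_.Length) bytes)" }
```

Equal hashes only prove the two copies are identical, so the reference must really come from the CD and not from a copy made after the infection.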

Hi I just checked the CF log and it appears that you placed both files at the root c drive, CF automatically killed these. I saw no indication of the files in windows\system32\dllcache. But as you have replaced them via the RC it should be good. Methinks I will investigate this BlitzBlank as it appears to do the same as Hitmanpro and messes the transfer

What problems do you have now ?

The Avast boot time scan on the system drive found nothing. Attached is the log from OTL that I ran after that. Everything seems to be working normally. Anything else I should worry about? :slight_smile: Thanks for all of your help!

The logs look good ;D

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View Tab.
- Under the Hidden files and folders heading select Do not show hidden files and folders.
- Click Yes to confirm.
- Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:

- Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 23.
- Click the "Download" button to the right.
- Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
- Click on Continue.
- Click on the link to download Windows Offline Installation (jre-6u23-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager…
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java version.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u23-windows-i586-p.exe and select "Run as an Administrator.")

SPRING CLEAN

Download and run Puran Disc Defragmenter
For the first run I would recommend a boot defrag and disk check

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programme:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes. Update and run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit:
- Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave: