win32:dropper-epi virus in winlogon.exe and explorer.exe

Hello…
I’d like to know how I can completely delete the win32:dropper-epi virus.
I was asked to scan with antivirus but I really can’t delete winlogon.exe and explorer.exe
that were infected by this annoying virus.
Ran OLT and ComboFix. Please see attached files.
Whenever I open a program, Avast's antivirus warns me about the virus.
It does the same thing even after running ComboFix.
Thanks.
Jared

Run a boottime scan with avast.

Hi jared30

Open notepad and copy/paste the text present inside the code box below:

File::
c:\windows\system32\XDva296.sys
c:\windows\system32\XDva359.sys
c:\windows\system32\XDva369.sys
c:\windows\system32\XDva377.sys
c:\docume~1\ADMINI~1\LOCALS~1\Temp\1074765

Driver::
XDva296
XDva359
XDva369
XDva377
ByakkoDriver

RegLock::
[HKEY_USERS\S-1-5-21-790525478-1757981266-1801674531-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0b,95,0f,b6,7f,ab,1a,42,b6,bc,22,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0b,95,0f,b6,7f,ab,1a,42,b6,bc,22,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0434d03b-8112-41b9-b2b3-791129ca4fec}]
@Denied: (Full) (Everyone)
"Model"=dword:000000b6
"Therad"=dword:0000001a
"MData"=hex(0):73,d5,cf,b8,a4,07,89,80,31,e4,35,6b,2a,ca,fe,43,b6,1f,81,1f,5a,
   1b,4d,36,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,ee,21,46,8f,3c,f2,5c,68,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):67,a1,6f,29,47,00,a3,d5,1b,4d,b8,27,7b,92,48,83,20,f7,bc,bf,fd,
   64,fc,d8,72,16,89,af,b7,41,3c,f8,03,d2,0c,66,41,74,fc,f7,00,00,00,00,00,00,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

Save this as CFScript to desktop


http://img141.imageshack.us/img141/1218/cfscript1.gif

Close all browser windows and, referring to the picture above,
drag CFScript.txt onto Combofix.exe. ComboFix will re-run.

When finished, it will produce a log for you.
Copy/paste the contents of the log in your next reply. (typical location: C:\ComboFix.txt )


Eddy

We need to replace files

winlogon.exe
explorer.exe

Avast cannot disinfect them.

Thanks for the response Argus and Eddy!

Ran combofix as instructed.

Here’s the log.

Thanks,
Jared30

Download the zip file from this link and extract it to C: http://www.speedyshare.com/files/26377546/XP-sp3.zip

C:\explorer.exe
C:\winlogon.exe

Restart your computer and press the F8 button.

When menu appears you should choose Microsoft Windows XP.

Then a menu will appear where you should choose Microsoft Windows Recovery Console.

Start the Recovery Console and you will be asked which installation you want to log on to. Type in 1 and confirm with Enter.

Similarly, you may be asked for a password; type it in, or just press Enter if you do not have a password.

The following will appear on the display:

C:\Windows>_

Next type (confirm every command line with Enter):

cd ..

copy explorer.exe c:\windows\explorer.exe

A query will appear: type in y

copy winlogon.exe c:\windows\system32\winlogon.exe

A query will appear: type in y

type in:

exit to restart the PC.

All of this will look like the picture below (the yellow boxes show what you type):


http://img209.imageshack.us/img209/118/20110119135814.jpg

Thereafter run Combofix.
Then post the resultant log.

Write all of this down on paper so you know what to type.

Thanks Argus. I’ll print this out, back up some important files and do this on the weekend.
I’ll let you know the results. Thanks again.

Hi Argus,
I have done what you instructed me to do, however I wasn’t able to replace the winlogon.exe file. It says "cannot find the file in the recovery console". I typed it correctly. I also checked the files I downloaded from the link you provided and extracted in the C drive: windows.exe and the other one is Windows NT logon application or something. Please see attached file. Thanks!

Please download and extract the files to the root of C: http://www.speedyshare.com/files/26377546/XP-sp3.zip

c:\winlogon.exe
c:\explorer.exe


http://img266.imageshack.us/img266/4626/myfile350262.jpg

Then do the following:

Download BlitzBlank and save it to your desktop.
http://download1.emsisoft.com/BlitzBlank.exe

The icon looks like this:
http://img6.imageshack.us/img6/9824/icon48blitzblank.png

Click OK at the warning (and take note of it, this is a VERY powerful tool!).
Click the Script tab and copy/paste the following text there:

DeleteFile:
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winlogon.exe

MoveFile:
c:\winlogon.exe c:\windows\system32\winlogon.exe
c:\explorer.exe c:\windows\explorer.exe

Click Execute Now.
Your computer will need to reboot in order to replace the files.

When done, post me the report created by Blitzblank C:\blitzblank.txt
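The Recovery Console steps earlier in the thread and the BlitzBlank script above both do the same thing: delete the infected winlogon.exe and explorer.exe and move downloaded copies into their place. Before letting a tool like that run, a helper would want to confirm that the replacement files really are the trusted clean copies and that the script replaces exactly what it deletes. The preflight check below is an added example and is not code from the thread, from BlitzBlank or from ComboFix. It parses a BlitzBlank-style DeleteFile:/MoveFile: script and refuses to proceed unless each replacement matches a SHA-256 recorded from a known-clean copy. The hash table, the temp-directory paths and the whitespace-separated "src dst" MoveFile format are assumptions, and the demo uses constructed sample bytes in place of real binaries.

```python
"""Preflight check for a BlitzBlank-style replacement script (added example, not BlitzBlank's code)."""
import hashlib
import os
import tempfile

SECTIONS = ("DeleteFile", "MoveFile")


def parse_bb_script(text):
    """Parse the script into {'DeleteFile': [path, ...], 'MoveFile': [(src, dst), ...]}.

    Assumption: a section header is 'Name:' on its own line and each MoveFile
    line is 'src dst' separated by whitespace (paths containing spaces are not handled).
    """
    sections = {name: [] for name in SECTIONS}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and line[:-1] in sections:
            current = line[:-1]
            continue
        if current is None:
            raise ValueError(f"line outside any section: {line!r}")
        if current == "MoveFile":
            parts = line.split()
            if len(parts) != 2:
                raise ValueError(f"MoveFile line needs 'src dst': {line!r}")
            sections[current].append((parts[0], parts[1]))
        else:
            sections[current].append(line)
    return sections


def sha256_of(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def preflight(script_text, known_good):
    """Return a list of problems; an empty list means the script is safe to execute.

    known_good maps a lowercase basename (e.g. 'winlogon.exe') to the SHA-256
    of a trusted clean copy of that file (assumed to come from trusted install media).
    """
    script = parse_bb_script(script_text)
    problems = []
    deletes = {os.path.normcase(p) for p in script["DeleteFile"]}
    replaced = {os.path.normcase(dst) for _, dst in script["MoveFile"]}

    for src, dst in script["MoveFile"]:
        name = os.path.basename(src).lower()
        if not os.path.isfile(src):
            problems.append(f"replacement not found: {src}")
        elif name not in known_good:
            problems.append(f"no trusted hash for {name}; refusing to trust {src}")
        elif sha256_of(src) != known_good[name]:
            problems.append(f"hash mismatch for {src}: not the trusted clean copy")
        if os.path.basename(dst).lower() != name:
            problems.append(f"{src} would be installed under a different name: {dst}")
        if os.path.normcase(dst) not in deletes:
            problems.append(f"destination {dst} is not in DeleteFile; the old copy would block the move")

    # A file that is deleted but never replaced leaves the system unbootable after reboot.
    for path in script["DeleteFile"]:
        if os.path.normcase(path) not in replaced:
            problems.append(f"{path} is deleted but never replaced")
    return problems


def demo():
    """Constructed scenario: a trusted explorer.exe and a tampered winlogon.exe."""
    with tempfile.TemporaryDirectory() as root:
        windir = os.path.join(root, "windows")
        os.makedirs(os.path.join(windir, "system32"))
        good_explorer = os.path.join(root, "explorer.exe")
        bad_winlogon = os.path.join(root, "winlogon.exe")
        with open(good_explorer, "wb") as fh:
            fh.write(b"MZ clean explorer (constructed sample)")
        with open(bad_winlogon, "wb") as fh:
            fh.write(b"MZ tampered winlogon (constructed sample)")
        # Trusted hashes: explorer's comes from the clean copy on disk; winlogon's is
        # the hash the clean copy *should* have, which the tampered file will not match.
        known_good = {
            "explorer.exe": sha256_of(good_explorer),
            "winlogon.exe": hashlib.sha256(b"MZ clean winlogon (constructed sample)").hexdigest(),
        }
        script = f"""
DeleteFile:
{os.path.join(windir, 'explorer.exe')}
{os.path.join(windir, 'system32', 'winlogon.exe')}

MoveFile:
{good_explorer} {os.path.join(windir, 'explorer.exe')}
{bad_winlogon} {os.path.join(windir, 'system32', 'winlogon.exe')}
"""
        return preflight(script, known_good)


if __name__ == "__main__":
    for problem in demo():
        print("REFUSE:", problem)
```

The check is meant to run on the helper's machine against the extracted zip before the script is handed over: it flags a replacement whose hash does not match the trusted copy, a MoveFile whose destination is not also scheduled for deletion, and a DeleteFile entry with no matching replacement, which would otherwise leave the machine without a shell or logon process after the reboot.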

Hi Argus!
It scared me to death when I saw the bluescreen! But it was just a notification :)
Thanks a lot! I’m scanning my PC with Avast now, hopefully the virus will be gone forever!
So far, I’m not seeing any pop-up messages every time I open a program! You’re a genius!
Kudos to you and your team!
Thanks,
Jared30

Run Combofix again and post the log for me.

Here’s the log. Thanks.

01/25/2011

This is an old log. Run Combofix again and send me a new log.

It scared me to death when I saw the bluescreen! But it was just a notification :-)

It should also happen when BB changes files.

Here’s the new log. Thanks.

The CF log seems clean and there are no traces of malware. Your PC is clean.

It is necessary to uninstall Combofix

Start >> Run

Combofix /Uninstall

Enter.


Yeah, you’re right Argus! No more annoying pop-ups!
I was supposed to reformat my PC because of that virus!
Good thing I found this forum.

Thanks a lot for all your help and for your quick responses.

I really appreciate your help!

-Jared 30

jared30

I recommend that you install this program: http://amf.mycity.rs/programs/mc/mcshield/
It will prevent infection of the computer via USB flash drive, mobile phone or any memory card.
And it will not only prevent infection, but will immediately clean a memory card or external HDD.

Excellent program

Got it. I’ve installed MCShield. Thanks again.