win32:patched-rp [trj] @ winlogon.exe and explorer.exe

Hi guys

I’m using avast! free antivirus on Windows XP SP2. Some days ago my winlogon.exe and explorer.exe have been infected: win32:patched-rp [trj]. SUPERAntiSpyware and a full scan with avast! couldn’t solve the problem, as expected since both files are system files. Since then I’m using my laptop and I haven’t used the infected computer anymore.

From what I have found in this forum I suppose I have to run Combofix and OTL (which I’m not familiar with at all). I already have an older version of Combofix on my computer that I used some months ago, so I guess I have to replace it with a current version? The Windows Recovery Console is already installed.

Could someone please give me instructions on how to proceed? I have a general idea but I’m not sure about the details, e.g. do I have to use the windows safe mode, is OTL really necessary, how to replace the current version of Combofix, …

TIA
homerjay

Follow this guide and post the logs here, then Essexboy will help you
http://forum.avast.com/index.php?topic=53253.0

To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach ( OTL.Txt and Extras.Txt. and Malwarebytes scan log )

Subscribed to this topic ;D

I would recommend initially that you run a fresh copy of Combofix and then run the OTL scans - Attaching all logs here

Thanks for the quick help.

I downloaded and ran Combofix. It had to install the Windows Recovery Console, which is odd because it is already installed, at least I thought so. Then there was a popup telling me the computer had to be rebooted because of some rootkit detection. I clicked yes, now all I see is a blue screen and the cursor. Shall I reboot manually?

Regards
homerjay

Yes please

Ok, situation is as follows: I rebooted manually, Combofix ran, while it was creating the logfile avast! came up with a virus warning (explorer.exe), Combofix finished, all I have now is a blue screen and I cannot manually start explorer.exe via task manager, seems that avast! has put explorer.exe into quarantine. I managed to start Firefox via task manager to create this reply. Logfile of Combofix is attached.

What shall I do next?

Regards
homerjay

OK Avast should not have done that as it is a protected file. Let's now find some spares

Run OTL and copy/paste the following in the custom scans and fixes box

/md5start
winlogon.exe
explorer.exe
/md5stop

Then press run scan
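What the /md5start scan above is looking for, as an added example (not OTL's code or anything posted in this thread): every copy of the named file on disk, grouped by MD5, so that a copy whose hash differs from the infected live file can be spotted as a candidate spare, and "no spares" means every copy hashes the same. The directory layout and file contents are constructed; dllcache and ServicePackFiles are simply the usual places XP keeps such copies.

```python
import hashlib
import os
import tempfile
from pathlib import Path
def md5_of(path):
    """Hash a file in chunks; OTL's md5 output is the same algorithm, so values compare directly."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_copies(filename, roots):
    """Walk each root and group every file with that name (case-insensitive) by MD5."""
    groups = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() == filename.lower():
                    path = os.path.join(dirpath, name)
                    try:
                        groups.setdefault(md5_of(path), []).append(path)
                    except OSError:
                        continue  # unreadable copy: skip it rather than abort the scan
    return groups

def spares_for(groups, live_path):
    """Copies whose hash differs from the live file are candidate spares only;
    confirm one against a trusted hash (e.g. install media) before relying on it."""
    live = md5_of(live_path)
    return live, [p for d, paths in groups.items() if d != live for p in paths]

def run_demo():
    """Constructed sample tree (hypothetical layout, not real system files)."""
    base = tempfile.mkdtemp()
    layout = {
        "WINDOWS/explorer.exe": b"constructed sample: patched copy",
        "WINDOWS/system32/dllcache/explorer.exe": b"constructed sample: original copy",
        "WINDOWS/ServicePackFiles/i386/explorer.exe": b"constructed sample: original copy",
        "WINDOWS/system32/winlogon.exe": b"constructed sample: patched copy",
    }
    for rel, data in layout.items():
        Path(base, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(base, rel).write_bytes(data)
    result = {}
    for name, live in (("explorer.exe", "WINDOWS/explorer.exe"),
                       ("winlogon.exe", "WINDOWS/system32/winlogon.exe")):
        result[name] = spares_for(find_copies(name, [base]), os.path.join(base, live))
    return result
```

In the sample tree explorer.exe has two differing copies (candidate spares) while winlogon.exe has none, which is the situation the next reply in the thread describes for winlogon.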

Done. Files are attached.

OK no spares - we will have to try a repair, explorer is still there but infected along with winlogon

Download Dr Web from here http://www.freedrweb.com/?lng=en link on the top right of the page, tick the EULA and then download

It will download as an 8 digit file save it to your desktop

Restart in safe mode and run
Accept the enhanced version
Then run the quick scan
About halfway through you will be prompted to buy - just X the box closed
Once finished it will generate a log please attach that

Done. It found winlogon.exe and explorer.exe infected with Win32.Dat.4. When asked I clicked “Disinfect” both times and it seems that worked (no error message or warning). I cannot attach the logfile, it’s too big. I can zip it, but I understand that a zip archive cannot be attached.

Do you need the logfile? If yes: what can I do to make it available?

Upload the zip file to Mediafire.

I uploaded it: http://www.mediafire.com/?jq7mjtasbjggebc

PW is: avast

FYI: in the meantime I did a quick scan with avast!, I didn’t find anything. :smiley:

OK that looks good ;D

Could you do one more OTL run so that I can be sure all is gone. Just run a quick scan this time with all users selected

Done, logfile is attached.

In case my computer is now “safe” I was wondering if I should delete all existing restore points to make sure the infection won’t come back. And additionally delete all temporary files? Does that make sense?

Thanks for the help so far. I’m shutting down my computer now, it’s already 11 PM in Germany therefore it’s time to get some sleep. :wink:

I’ll check back tomorrow evening when I’m home from work.

Regards
homerjay

Methinks you are done ;D Let me clear the temps and reset the restore points

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [purity] [emptytemp] [EMPTYFLASH] [CLEARALLRESTOREPOINTS] [Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems

Upgrading Java:

[*]Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 22.
[*]Click the “Download” button to the right.
[*]Select your Platform and check the box that says: “I agree to the Java SE Runtime Environment 6 License Agreement.”.
[*]Click on Continue.
[*]Click on the link to download Windows Offline Installation (jre-6u22-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager…
[*]Close any programs you may have running - especially your web browser.
[*]Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
[*]Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*]Click the Remove or Change/Remove button.
[*]Repeat as many times as necessary to remove each Java version.
[*]Reboot your computer once all Java components are removed.
[*]Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u22-windows-i586-p.exe and select “Run as an Administrator.”)

SPRING CLEAN

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
[*]SpywareBlaster to help prevent spyware from installing in the first place.

Malwarebytes. Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :wave:

I did the last steps, everything went well. Afterwards I did an avast! quick scan, no threats found.

Thank you very much, your help is highly appreciated. If I should encounter any problems I’ll come back. I sure hope that won’t be necessary.

Great job! ;D

Glad to be of assistance ;D