win32:patched-rp [trj] @ winlogon.exe

After searching these forums and others, I’m really confused about this particular infection. (All of my troubleshooting is being done from my backup bootable drive, which was cloned before the infection so my operating copy is clean.)

At startup and occasionally after, Avast will block winlogon.exe referencing “win32:patched-rp [trj]”. Avast will detect the infected file every time I scan it, but can’t repair or remove it because it’s a system file.

Dr.Web will catch it every time I scan, and repairs it, though it gets reinfected upon reboot.

MBAM does not find the infection, even if I right-click on it and scan directly. The complete scan found 4 registry entries that seem benign, I remember changing those settings at some point. Log is attached anyhow.

SuperAntiSpyware does not find it if I right-click-scan it. I have not tried a full and complete scan.

AdAware does not either. I have not tried a full and complete scan.

I’m also attaching an OTL log, though I’m not sure if the settings I chose are correct. I can’t find the file “scan.txt” that is referenced for a custom scan.

I sent the infected winlogon.exe file to VirusTotal for analysis, and this is the result.

Hello teenkertoy and welcome to the forum. :slight_smile:

I am reviewing your logs, so just give me a few more minutes.

You did all the right things except I probably would have put the items that were detected in MBAM into quarantine instead of ignored them.

I am not an expert in OTL logs, but you do have a lot of Host files; you may, once malware is removed, consider something like MVPS for managing hosts, in addition to being careful with things you download from Google.

I am going to refer you to one of our Certified Malware Experts, named Essexboy. He will be contacting you here in this thread to give you further instructions on a daily basis (he is on the UK time zone). Please do NOT make any changes to your machine since you have posted your logs or you will need to re-do them again.

I will be monitoring in the background and will continue to offer support until he arrives. Please let me know if you have any additional questions. Thank you.

Edit: Please do one more Full MBAM scan and quarantine detected items and post your log here. Thank you.

Did you see my edit about the MBAM Full scan?

I have contacted Essexboy to assist you after you post your next MBAM log.

Do you have any questions?

Thank you very much SafeSurf, I am very happy for your help!

I will not troubleshoot further tonight, and yes I see your edit about the quarantine. Thanks for the referral, though I’m on West Coast time zone and need to get some sleep.

I look forward to hearing from you guys tomorrow!

-J

OK…Essexboy tends to check in around 6 PM his time. I think doing your MBAM Full scan may help with your problem.

Edit: Do not hotsync your Palm with your PC until your malware is removed. Hopefully you have a backup on your PDA. If not NVBackup is free for download, but do not download if you already have another backup tool on your PDA as it will conflict.

Care has to be taken with these win32:patched-rp [trj] detections as they are essential system files (but patched/infected), and moving them into quarantine or deleting them could have a serious impact on your system; they have to be repaired or replaced with clean copies of the original files (this requires experience and additional tools).

Since the MBAM scan didn’t detect the win32:patched-rp [trj] on winlogon.exe, I believe it should be OK to run MBAM again (just a Quick scan) and allow it to quarantine the items it finds if they are the same as in the original log you posted. If this second MBAM scan differs from the first, post the contents before taking any action.

Hi, I have two programmes for you to run. The first will be an automated attempt at cleaning; if that fails, the second will be a search for a replacement file to do it manually.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

THEN

Run OTL and in the Custom Scans/Fixes box copy/paste the following, ensure All Users is selected and then press Run Scan:

/md5start
explorer.exe
winlogon.exe
wininit.exe
/md5stop
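The OTL /md5start block above lists the hashes of the named system files so they can be compared with known-good copies. As an added example, not code from this thread nor from OTL or ComboFix, the Python script below does that comparison locally: it hashes explorer.exe, winlogon.exe and wininit.exe in a live directory and checks each against a reference copy (on XP, the ServicePackFiles\i386 or dllcache copies that Windows File Protection keeps). The function names, the directory layout and the file contents in demo() are constructed for illustration.

```python
import hashlib, os, tempfile

# The three files the OTL /md5start ... /md5stop block in the thread lists.
WATCHED = ("explorer.exe", "winlogon.exe", "wininit.exe")

def file_hashes(path):
    """Return (md5, sha256) hex digests of a file, read in 64 KiB chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha.update(chunk)
    return md5.hexdigest(), sha.hexdigest()

def compare_against_reference(live_dir, ref_dir, names=WATCHED):
    """Compare each watched file in live_dir (e.g. system32) with the copy in
    ref_dir (e.g. ServicePackFiles\\i386 or dllcache). Returns
    {name: 'match' | 'MISMATCH' | 'missing-live' | 'missing-ref'}."""
    results = {}
    for name in names:
        live, ref = os.path.join(live_dir, name), os.path.join(ref_dir, name)
        if not os.path.isfile(live):
            results[name] = "missing-live"
        elif not os.path.isfile(ref):
            results[name] = "missing-ref"
        else:
            results[name] = "match" if file_hashes(live) == file_hashes(ref) else "MISMATCH"
    return results

def _write(directory, name, data):
    with open(os.path.join(directory, name), "wb") as fh:
        fh.write(data)

def demo():
    """Constructed sample: explorer.exe identical in both trees, winlogon.exe
    with 3 bytes changed in place (same size, so a size check alone would miss
    it), wininit.exe absent from the live tree, as it is on XP."""
    clean = b"MZ" + b"\x00" * 64 + b"constructed winlogon body"
    patched = clean[:40] + b"JMP" + clean[43:]
    with tempfile.TemporaryDirectory() as root:
        live, ref = os.path.join(root, "system32"), os.path.join(root, "i386")
        os.mkdir(live)
        os.mkdir(ref)
        _write(live, "explorer.exe", b"MZ constructed explorer")
        _write(ref, "explorer.exe", b"MZ constructed explorer")
        _write(live, "winlogon.exe", patched)
        _write(ref, "winlogon.exe", clean)
        _write(ref, "wininit.exe", b"MZ constructed wininit")
        return compare_against_reference(live, ref)
```

On a real machine, point live_dir at the system32 folder of the mounted suspect drive and ref_dir at its ServicePackFiles\i386 folder; a MISMATCH on a file the vendor has not updated is exactly the "patched" condition the thread is chasing.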

Thank you all for the support, this is fantastic and I love you guys.

Would if I could, but my COM port doesn’t work. This will be another project someday soon.

What about using the non-infected explorer and winlogon files from my backup drive? It’s a clone from very recent. Could I simply copy them onto my primary drive and call it a day?

The 4 registry entries are now in quarantine.

During all of my scanning using my backup drive, I quarantined both winlogon.exe and explorer.exe. I restored winlogon and repaired it with Dr.Web but completely forgot about explorer.exe. I didn’t notice this until trying to boot from the primary drive this morning to see if the problem was fixed. So now my primary drive boots to a desktop background with no icons, taskbar, etc. I can do anything I like with the task manager by invoking “iexplore” and running whatever I choose, to type this reply for example.

I tried restoring the explorer.exe file from quarantine, but Avast puts it back into the \windows\dllcache\ folder where it seems to do no good. A quick search of my backup shows explorer.exe in \windows.

(I know, I’m going to break the rules here in a moment)

After copying the backup explorer.exe to my primary windows\ directory and running it, desktop is back up and running and everything looks golden. Avast shows no infections in the system32\ folder. I’m going to reboot from the primary drive and see what happens. Crossing fingers…

Follow essexboy’s instructions, as he has the tools and experience to see you through this. Simply replacing the files (which isn’t as simple as it may sound) without dealing with the cause of the infection is likely to see them infected too.

Followed your instructions. Just after the initial yes/no disclaimer but before reboot, a warning dialogue box popped up with the title ERROR, no text below it, and a single OK button. I have no idea what that’s about, but I clicked OK and the computer rebooted.

At the prompt, I installed recovery console. Success, then clicked YES to continue scanning. Just after this but before Stage 1 was complete, I see this window: “mbr.cxxe has encountered a problem and needs to close”. I took shots of the screen and “more detail screens” with my digital camera if you need to see them. I click CLOSE and ComboFix seems to carry on without trouble, completing 50-ish stages, and reboots. The ComboFix log is also attached.

Done, log is attached.

I no longer have Avast showing trojan warnings, everything appears ok, but I’ll let you judge that.

If you see anything that needs attention, I’ll be here! You guys rock.

-J

Did this COM port issue start after your malware issues started with your PC?

Some malware can transfer from your PC to your PDA, so until Essexboy is done removing the malware, I do not want you to hotsync for your own protection.

Do you have a backup on your PDA? If not, can you get your original PDA CD and install the PDA Desktop to another PC for now (or perhaps you had this backed up on a flash drive) if it is essential to hotsync? Once we fix your malware problems, your COM port for hotsyncing your PDA should be resolved or you can try another COM port, but I’m trying to make sure you have a backup on your PDA just in case it decides to crash on you and you need to restore it…I’m well aware of how things like that go. :stuck_out_tongue: You can still use your PDA as you normally do, it’s just hotsyncing with your PC that is an issue right now until we get your PC back up and running.

In the meantime, follow Essexboy’s instructions to repair your PC. I will still be here should you have any questions. Thank you.

Have no worries SafeSurf, I have a couple backups of the PDA. I haven’t used it in years and the unit’s memory was lost and defaulted back to factory. So I was going to restore everything from my backup (as I’ve done many times before over the years).

The first time I tried to sync was three days after the Trojan infection and it didn’t work, nor does it now. The COM port issue may be related to the Trojan, but I’ll worry about it another time.

Thanks for your concern!

-J

As far as I can tell, I’m caught up with the instructions. Many many thanks to you all. If there are more steps to take, I’m listening : )

-J

I’m usually online when Essexboy is asleep, so we’ll have to wait for now unless you have any questions.

Alright. You mentioned earlier my HOSTS file was pretty chaotic. Where can I learn more about managing it better? My goal is to use a combination of MVPS (which I’m nearly certain I’ve installed at one point) and the Chrome version of AdBlocker. I love not seeing advertisements and flashy banners, especially not having to wait for them to load.

-J

AdBlocker or AdBlockPlus for Chrome is something new. I use FF and have used AdblockPlus for quite a while as well as NoScript…something I believe which is also coming to Chrome. Take a look in the Support section of this forum for more information. It will add more protection to your browser.

Yes, MVPS will help manage Hosts. There are other companies as well.

I would also recommend, if you use USB/flash drives, something like Panda USB Vaccine to “vaccinate” your machine against autorun.inf (a malware vector that AVs can’t get rid of); it vaccinates your USB/flash drives/other removable devices against autorun.inf as well. You can disable it with a simple click, it’s easy to run, and it does not conflict with Avast. Panda USB Vaccine:
http://www.pandasecurity.com/homeusers/downloads/usbvaccine/

But before you go adding or changing anything, we need to fix your malware problem…so don’t do anything yet.

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
One major bad boy down, this was why combofix had to install the recovery console

What problems are outstanding, as both logs look good?

As far as I can tell, everything is running smoothly. No more errors or warnings on this end.

The COM port still doesn’t work, but I don’t think it’s malware related. I’ll troubleshoot that one on my own for a bit.

Thank you all very, very much. What’s the best way to show my appreciation here? Do you have a “rep” button or something like that?

-J

What's the best way to show my appreciation here?
Stick around and mayhap you can give some help ;D

Looking at that I am a happy bunny :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL

* Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [purity] [emptytemp] [EMPTYFLASH] [CLEARALLRESTOREPOINTS] [Reboot]

* Then click the Run Fix button at the top
* Let the program run unhindered, reboot the PC when it is done

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via control panel add/remove along with ERUNT. But they may be useful tools to keep

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Do not show hidden files and folders.
* Click Yes to confirm.
* Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install in those systems.

Upgrading Java:

* Download the latest version of Java SE Runtime Environment (JRE) JRE 6 Update 21.
* Click the “Download” button to the right.
* Select your Platform and check the box that says: “I agree to the Java SE Runtime Environment 6 License Agreement.”.
* Click on Continue.
* Click on the link to download Windows Offline Installation (jre-6u21-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager…
* Close any programs you may have running - especially your web browser.
* Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
* Check any item with Java Runtime Environment (JRE or J2SE) in the name.
* Click the Remove or Change/Remove button.
* Repeat as many times as necessary to remove each Java version.
* Reboot your computer once all Java components are removed.
* Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u21-windows-i586-p.exe and select “Run as an Administrator.”)

SPRING CLEAN

Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
* SpywareBlaster to help prevent spyware from installing in the first place.

Malwarebytes. Run weekly to keep your system clean

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit
* Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place?
Keep safe :wave: