winlogon.exe infected with Win32: Evo-gen [Susp]

I am receiving a notification by Avast that winlogon.exe is infected with Win32: Evo-gen [Susp]. I have run many scans, including:

MalwareBytes: Latest scans report no malware.

SuperAntiSpyware: Latest scans report no malware.

Microsoft Safety Scanner: No Results.

TDSSkiller: No results.

ComboFix: It detected a problem with winlogon.exe, however it apparently wasn’t able to fix the issue, because a follow up scan by Avast still finds the infection in winlogon.exe. I have attached my ComboFix Log file. I Followed instructions in the post here: http://forum.avast.com/index.php?topic=95673.0

Spyware Doctor: Latest scan reports no malware/viruses, however a previous scan found and removed Win32: Evo-gen [Susp] from explorer.exe

OTL: Attached logs. Followed instructions here: http://forum.avast.com/index.php?topic=53253.0

aswMBR.exe: Attached log. Followed instructions here: http://forum.avast.com/index.php?topic=53253.0

Thanks, in advance for any help!

We will need to locate a spare copy of winlogon

Run an OTL scan with the following script please

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
winlogon.*
/md5stop
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt . These are saved in the same location as OTL.
[*]Post both logs

Additional information:

A ‘file scan’ of winlogon.exe with Spyware Doctor returns the following:


Threat Name - Suspicious.Cloud.7.F
Type - File
Risk Level - Medium
Infection - C:\WINDOWS\System32\winlogon.exe


Threat Name - Suspicious.Cloud.7.F
Type - Process
Risk Level - Medium
Infection - winlogon.exe (C:\WINDOWS\System32\winlogon.exe)


Detected file has been exonerated by the cloud file scanner. C:\WINDOWS\System32\winlogon.exe


Detected file has been exonerated by the cloud file scanner. 740:winlogon.exe (C:\WINDOWS\System32\winlogon.exe)


Thanks, again!

Thanks! New OTL Log is attached… I didn’t receive the Extras.txt log this time.

The extras.txt file is only created on the first run of OTL, so that is normal.

Okay, great! Thanks.

What David said ;D

Warning This fix is only relevant for this system and no other, using on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run
To disable MBAM
Open the scanner and select the protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL O3 - HKU\S-1-5-21-605954717-609216319-3101409435-1005\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.

:Files
ipconfig /flushdns /c
C:\I386\WINLOGON.EX_ /E
C:\WINDOWS\system32\winlogon.exe|C:\winlogon.exe /replace

:Commands
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

run farbar service scanner

http://i1224.photobucket.com/albums/ee362/Essexboy3/Farbar/FSS-1.jpg

Tick “All” options.
Press “Scan”.
It will create a log (FSS.txt) in the same directory the tool is run.

Please copy and paste the log to your reply.

I’ve run the OTL and attached log.

Below is result of Farbar:

Farbar Service Scanner Version: 24-04-2012 Ran by Michael Brame (administrator) on 26-04-2012 at 14:57:37 Running from "C:\Documents and Settings\Michael Brame\Desktop\Virus Removal Tools" Microsoft Windows XP Professional Service Pack 3 (X86) Boot Mode: Normal ****************************************************************

Internet Services:

Connection Status:

Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.

Windows Firewall:

Firewall Disabled Policy:

System Restore:

System Restore Disabled Policy:

Security Center:

Windows Update:

Windows Autoupdate Disabled Policy:

File Check:

C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:

aswTdi(9) Gpc(6) IPSec(4) NetBT(5) pctgntdi(10) PSched(7) Tcpip(3)
0x0A000000040000000100000002000000030000000A0000000900000008000000050000000600000007000000
IpSec Tag value is correct.

**** End of log ****

How is it running now ? Any further alerts ?

Unfortunately, yes. Avast is still reporting that C:\WINDOWS\System32\winlogon.exe is infected with Win32: Evo-gen [Susp].

Should I try running OTL Fix with the script again?

OK copy the winlogon at C:\wnlogon.exe to C:\windows\system32\dllcache

Then re-run Combofix and allow it to update if requested

I don’t have a copy of winlogon.exe in the root of C:\

So the extraction failed then

Give me a few minutes and I will upload an SP3 copy to my site for you to download

Ok it is there

Click the globe under my avatar and then locate and download winlogon.exe to your C:\windows\system32\dllcache folder
Then re-run combofix

I downloaded winlogon.exe to C:\windows\system32\dllcache\ and ran ComboFix again. I’ve attached the log. Avast is still reporting the infection in winlogon.exe

I REALLY appreciate all the help…

  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
FCopy:: c:\windows\system32\dllcache\winlogon.exe|c:\windows\system32\winlogon.exe
Save this as [b]CFScript.txt[/b], in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exeWhen finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Done. I’ve attached the ComboFix log.

A subsequent scan of winlogon.exe with Avast returns no threat. ;D

Where there is a will there is a way ;D

Any further problems ?

Not at all. ;D Wow… I can’t tell you how much I appreciate your help! This one had me pulling my hair out! :smiley:

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [emptytemp] [CLEARALLRESTOREPOINTS] [Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Remove ComboFix
[*]Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
[*]In the Run box, type in ComboFix /Uninstall
(Notice the space between the “x” and “/”)
then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

[]Follow the prompts on the screen
[
]A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[]Click Yes to confirm.
[
]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:
[] Go to this site and click Do I have Java
[
] It will check your current version and then offer to update to the latest version

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?Keep safe :wave: