Winlogon.exe

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by dr_psikick, Nov 22, 2006.

  1. dr_psikick

    dr_psikick Private E-2

    Hi there! Hopefully you guys can help me...
    This is my girlfriend's computer (ACER 4002wlmi). She works with AutoCAD and 3ds, but lately the computer was really slow. I checked the Task Manager and there were two winlogon.exe apps (one, winlogon.exe, by system and the other, WINLOGON.exe, by user) and a couple of other strange things that AVG, ewido and Ad-Aware scans resolved (at least I suppose...). The fake winlogon is supposedly located in the Windows dir, but I can't find it. This is really slowing down the computer and prevents Aston shell from loading at startup, which makes my girlfriend very angry... and you know women when they are angry... so please help me...

    here is the hijack log:


    Edit by chaslang: Inline HJT log removed. READ & RUN ME sticky not followed.

    thanks,
    helder
     
    Last edited by a moderator: Nov 22, 2006
  2. dr_psikick

    dr_psikick Private E-2

    new hijackthis log...
     


  3. dr_psikick

    dr_psikick Private E-2

    OK, I didn't respect the posting rules... sorry.
    I have read the instructions sticky and now I'll post the logs.
    Hopefully you'll forgive me...
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please attach the other logs requested in the READ ME.

    - CounterSpy
    - Bitdefender Online scan
    - PandaActiveScan

    Also go back to step 2 of the READ & RUN ME and follow those steps properly! That is why you could not find the file you were looking for. But there are more than just that one.


    You also did not install and run Spybot - Search & Destroy as requested. Why did you skip so much of the READ & RUN ME?


    Now to get you started on fixing the malware, let's remove a malware service first.
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Update Service For Windows
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste winupdate into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT and reboot when it tells you it needs to.
    After reboot attach a new HJT log.
     
    Last edited: Nov 22, 2006
  5. dr_psikick

    dr_psikick Private E-2

    Thanks for the support.
    Sorry for not doing everything before, but now I did what you told me to do plus the scans posted in the read me first post.
    The various scans did clean some things (a lot actually) but the main problem is still here: the WINLOGON.EXE keeps preventing Aston shell from loading because it uses explorer shell to try to contact Alexa.j688.com[202.102.7.78] - according to Sygate firewall...
    So I'll post 3 of the logs here: GetRunKey, ShowNew, HJT
     


  6. dr_psikick

    dr_psikick Private E-2

    And now the 3 others: Panda, Bitdefender and CounterSpy.

    Do you need any other info, such as system specs or security software I use?
    Thanks
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 7
    Java 2 Runtime Environment, SE v1.4.2_04

    Now install the current version of Sun Java from: Sun Java Runtime Environment

    Continue by downloading a tool we will need - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\WINLOGON.EXE

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: Shell=Explorer.exe 1
    O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
    O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
    O9 - Extra button: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
    O9 - Extra 'Tools' menuitem: Chinese Navigation - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
    O20 - AppInit_DLLs: C:\WINDOWS\system32\drivers\ntdebug.dll

    NOTE: HJT will popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
    C:\WINDOWS\ExERoute.exe
    C:\WINDOWS\WINLOGON.EXE
    C:\WINDOWS\system32\cws.exe
    C:\WINDOWS\system32\interest.exe
    C:\WINDOWS\system32\ineptpui.dll
    C:\WINDOWS\system32\lylk.dat
    C:\WINDOWS\system32\qproecss.exe
    C:\WINDOWS\system32\drivers\ntdebug.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    After reboot locate the below folder and delete if found:
    C:\Program Files\CNNIC

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\WINDOWS\Temp
    C:\Documents and Settings\Mariana Araújo\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT

    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
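
The HijackThis lines selected in the post above can also be triaged mechanically. The following Python sketch is an added example, not part of the thread or of HijackThis itself; it parses those lines and reports autostart entries where a stock Windows program name runs from the wrong folder, a Shell value with extra tokens, and any AppInit_DLLs entry. The `EXPECTED_DIR` table and the function names are assumptions made for illustration.

```python
import ntpath
import re

# Lines copied from the HijackThis fix list in the post above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe 1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
O20 - AppInit_DLLs: C:\WINDOWS\system32\drivers\ntdebug.dll
"""

# Assumption: where these stock Windows XP binaries normally live.
EXPECTED_DIR = {
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "rundll32.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
AUTORUN_RE = re.compile(r"^[^:]+: \[[^\]]*\] (.+)$")
EXE_RE = re.compile(r"(?i)^(.*?\.(?:exe|com|pif|bat|cmd|scr))(?:\s+(.*))?$")


def split_command(cmd):
    """Split an autostart command line into (program path, arguments)."""
    cmd = cmd.strip()
    if cmd.startswith('"') and '"' in cmd[1:]:
        end = cmd.index('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = EXE_RE.match(cmd)
    return (m.group(1), m.group(2) or "") if m else (cmd, "")


def review(log_text):
    """Return (code, reason) for every log line that deserves a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, rest = m.groups()
        if code == "O4":
            entry = AUTORUN_RE.match(rest)
            if not entry:
                continue
            path, _args = split_command(entry.group(1))
            name = ntpath.basename(path).lower()
            folder = ntpath.dirname(path)
            home = EXPECTED_DIR.get(name)
            # A system program name started from anywhere but its home folder.
            if home and folder.lower() != home:
                findings.append((code, f"{name} autostarts from {folder}, expected {home}"))
        elif code == "F2" and "Shell=" in rest:
            _path, args = split_command(rest.split("Shell=", 1)[1])
            # The default Shell value is Explorer.exe with nothing after it.
            if args:
                findings.append((code, f"Shell value carries an extra token: {args!r}"))
        elif code == "O20":
            dll = rest.partition(":")[2].strip()
            findings.append((code, f"AppInit_DLLs loads {dll} into every process that uses user32.dll"))
    return findings


if __name__ == "__main__":
    for code, reason in review(SAMPLE_LOG):
        print(code, "-", reason)
```
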
     
  8. dr_psikick

    dr_psikick Private E-2

    I've followed the steps but the WINLOGON.EXE is still here alive and kicking; also, upon reboot the firewall (Sygate) didn't start automatically as it should...
    Couldn't find the dir C:\Program Files\CNNIC to delete;
    I don't think that killbox.exe deleted all the files as supposed (I looked in the log), only this:

    C:\WINDOWS\ExERoute.exe
    C:\WINDOWS\WINLOGON.EXE
    C:\WINDOWS\system32\ineptpui.dll
    C:\WINDOWS\system32\lylk.dat
    C:\WINDOWS\system32\qproecss.exe

    So it skipped:

    C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll
    C:\WINDOWS\system32\cws.exe
    C:\WINDOWS\system32\interest.
    C:\WINDOWS\system32\drivers\ntdebug.dll

    But I checked and they are not there...

    -----
    I checked \system32 folder and there are some hidden files created all at the same time when the problems started:

    rundll32.com
    MSCONFIG.COM
    finder.com
    dxdiag.com
    command (shortcut)

    I hope this info can help. The requested logs are attached.
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Let's try one more time and also add those other files to the list. They are part of the infection.

    First Run Pocket Killbox and select File, Cleanup, Delete All Backups


    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.

    C:\WINDOWS\WINLOGON.EXE

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    F2 - REG:system.ini: Shell=Explorer.exe 1
    O4 - HKLM\..\Run: [Torjan Program] C:\WINDOWS\WINLOGON.EXE
    O4 - HKLM\..\RunServices: [Torjan Program] C:\WINDOWS\WINLOGON.EXE

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.
    Now run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\ExERoute.exe
    C:\WINDOWS\WINLOGON.EXE
    C:\WINDOWS\system32\dxdiag.com
    C:\WINDOWS\system32\finder.com
    C:\WINDOWS\system32\MSCONFIG.COM
    C:\WINDOWS\system32\regedit.com
    C:\WINDOWS\system32\rundll32.com
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.
    1. GetRunKey
    2. ShowNew
    3. HJT

    Make sure you tell me how things are working now!
     
  10. dr_psikick

    dr_psikick Private E-2

    Hi Chaslang!
    Still no luck... WINLOGON.EXE still running after reboot.
    Those files we deleted just respawn, not all though.
    I'm using 2xExplorer to browse the file system, and now I'm able to see a bunch of files in various locations, all with the same size, date and hour:

    c:\WINDOWS\1.com
    c:\WINDOWS\ExERoute.exe
    c:\WINDOWS\explorer.com
    c:\WINDOWS\finder.com
    c:\WINDOWS\WINLOGON.EXE
    c:\WINDOWS\Debug\DebugProgram.exe
    c:\WINDOWS\system32\command (shortcut with dos icon)
    c:\WINDOWS\system32\dxdiag.com
    c:\WINDOWS\system32\finder.com
    c:\WINDOWS\system32\MSCONFIG.COM
    c:\WINDOWS\system32\regedit.com
    c:\WINDOWS\system32\rundll32.com
    c:\Program Files\Common Files\iexplore (shortcut with dos icon)
    c:\Program Files\Internet Explorer\iexplore.com
    d:\pagefile (shortcut with dos icon)

    Also one folder (with others inside) was created at the same time as those files and seems to be accessed when the computer reboots:

    C:\Documents and Settings\Mariana Araújo\Local Settings\Apps
    C:\Documents and Settings\Mariana Araújo\Local Settings\Apps\2.0
    C:\Documents and Settings\Mariana Araújo\Local Settings\Apps\2.0\ONHWDGCJ.8NJ
    C:\Documents and Settings\Mariana Araújo\Local Settings\Apps\2.0\ONHWDGCJ.8NJ\WDP3XO4D.H29
    C:\Documents and Settings\Mariana Araújo\Local Settings\Apps\2.0\ONHWDGCJ.8NJ\WDP3XO4D.H29\manifests

    The logs you requested are attached.
    Sorry for not answering sooner but we are in different time zones... And many thanks for your help.
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is your PC set to show extensions for known file types as requested in step 2 of the READ ME? The reason I ask is because you list the below:

    c:\WINDOWS\system32\command (shortcut with dos icon)
    c:\Program Files\Common Files\iexplore (shortcut with dos icon)

    When they should be listed as
    c:\WINDOWS\system32\command.pif
    c:\Program Files\Common Files\iexplore.pif

    Is there also a file named C:\windows\services.exe?
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download and install the below and use it to do a full registry backup. We are going to have to do some registry edits and I want to be sure we have a backup to restore from.

    Erunt

    Let me know when you have done that. Meanwhile, I'll look into whether or not I can automate some of the information retrieval and also the removal process. I'm not sure if I can. I may need you to do some manual editing in the registry. Are you familiar with using Regedit? Also note that this program makes a false copy of regedit.exe and calls it regedit.com, which is the malware itself. Because of this, we will have to install and use the below program to avoid this problem. So also install the below.

    Registrar Lite
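
Posts 10 and 12 describe two traits of the dropped files: copies that share one size and timestamp across several folders, and .com files named after stock .exe programs. The Python sketch below checks a file listing for both; it is an added example, not part of the thread or of the FixAutex tools. The size and timestamp of the suspect files and the `STOCK_EXE_STEMS` list are assumptions.

```python
import ntpath
from collections import defaultdict

# Constructed sample. Paths are taken from the thread; the size and timestamp
# of the suspect files are invented, since the posts only say they are identical.
SUSPECT = (61440, "21.11.2006 14:02")
LISTING = [(p, *SUSPECT) for p in (
    r"c:\WINDOWS\1.com",
    r"c:\WINDOWS\ExERoute.exe",
    r"c:\WINDOWS\WINLOGON.EXE",
    r"c:\WINDOWS\system32\regedit.com",
    r"c:\WINDOWS\system32\rundll32.com",
    r"c:\WINDOWS\system32\command.pif",
    r"c:\Program Files\Internet Explorer\iexplore.com",
)] + [
    # Sizes and dates of these two files are the ones reported in post 50.
    (r"c:\WINDOWS\system32\command.com", 50620, "10.08.2004"),
    (r"c:\WINDOWS\system32\rundll32.exe", 33280, "10.08.2004"),
]

# Assumption: stems of stock Windows programs that ship as .exe only.
STOCK_EXE_STEMS = {"regedit", "rundll32", "msconfig", "dxdiag", "explorer", "iexplore"}
# .com comes before .exe in the default PATHEXT order; .pif is also executable.
SHADOW_EXTS = {".com", ".pif"}


def same_stamp_clusters(listing, min_files=3):
    """Group files by (size, mtime); keep groups with several distinct names."""
    groups = defaultdict(list)
    for path, size, mtime in listing:
        groups[(size, mtime)].append(path)
    return {
        key: paths
        for key, paths in groups.items()
        if len({ntpath.basename(p).lower() for p in paths}) >= min_files
    }


def shadow_files(listing):
    """Return .com/.pif files whose name imitates a stock .exe program."""
    hits = []
    for path, _size, _mtime in listing:
        stem, ext = ntpath.splitext(ntpath.basename(path).lower())
        if ext in SHADOW_EXTS and stem in STOCK_EXE_STEMS:
            hits.append(path)
    return hits


if __name__ == "__main__":
    for (size, mtime), paths in same_stamp_clusters(LISTING).items():
        print(f"{len(paths)} files share size {size} and time {mtime}")
    for path in shadow_files(LISTING):
        print("shadows a stock .exe:", path)
```
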
     
  13. dr_psikick

    dr_psikick Private E-2


    Yes, it is set to show extensions, but it only shows what I told you, no extension. The icon is a DOS shortcut but the size of the files is the same as the others.

    I have done the reg backup as you told and installed the other program, so I'm ready to start when you can.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry!!!! It took a while to write this script and I had some issues at home to take care of.

    Download and extract the attached ZIP file to D:\VIRUS TOOLS\ShowNew\

    Yes I want it in the same folder with ShowNew so I can use some files already located there.

    Then run the FixAutex.bat file. It will attempt to delete some files associated with the infection, but it is not a complete fix. I need to see the registry keys that will be put into a log file named c:\autoinfo.txt. Attach this log file to your next message. This infection puts a lot of entries into the registry.
     


    Last edited: Nov 24, 2006
  15. dr_psikick

    dr_psikick Private E-2

    Hei!
    You don't need to say sorry, I thank you a lot for all the trouble and work...
    I ran the file from the specified location and attached the requested log.

    I wish I were a geek... I feel terrible for not being able to resolve this kind of things (more complicated...)
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    See if you can find and delete the below files:
    C:\Program Files\Internet Explorer\xye1.dat
    C:\Program Files\Internet Explorer\xye1.exe
    C:\Program Files\Internet Explorer\zt.dat

    Tell me what you find and if you could delete them.

    Note: DO NOT REBOOT OR SHUTDOWN YOUR PC. If you need to log off before we complete this, that's okay. Just don't shutdown or reboot. I have to run out for a little while now too. Be back later.
     
  17. dr_psikick

    dr_psikick Private E-2

    I found them and I deleted them.
    Ok, I wait for your next instructions.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think I missed one! Does this file still exist?

    C:\WINDOWS\WINLOGON.EXE

    If so, delete it too!
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now download this new version of FixAutex.zip and extract both files into the ShowNew folder. Run the FixAutex.bat like last time.

    Attach the new log too! Attach this new log BEFORE you continue, otherwise you will overwrite it later and I want to see before and after logs.

    Now locate the new fixautex.reg patch that was just extracted from the FixAutex.zip file and double click on fixautex.reg. When it prompts you about adding this to the registry say yes. Tell me if you get a success message.

    Now run FixAutex.bat again and attach the second log.
     


    Last edited: Nov 24, 2006
  20. dr_psikick

    dr_psikick Private E-2

    Yes, it does exist, and I can't delete it; by the way, WINLOGON.EXE is running. Maybe that's why I can't delete it?
    In the Windows folder, besides WINLOGON.EXE, there are:
    1.com
    ExERoute.exe
    explorer.com
    finder.com
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Run HijackThis and stop the C:\Windows\Winlogon.exe process like we did in previous steps then do what I just gave you in message # 19.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are not sure what I meant! This is what I mean

    You can then exit HijackThis. Make sure you run the FixAutex.bat file immediately afterwards.
     
  23. dr_psikick

    dr_psikick Private E-2

    Can't add the file to registry - error message says that the file is not a registry file and you can only import binary registry from within the registry editor.

    I attached the log from FixAutex.bat (before)
     


  24. dr_psikick

    dr_psikick Private E-2

    Just saw the 2 messages.
    I stopped it and deleted it,
    then I did the other step again with the same results: no success with the reg file.

    Attached the fixautex log
     


  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the FixAutex.zip file again. I modified it just now to fix the registry patch. Try the patch again and let me know the results.

    Download it from the attachment in msg # 19!
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    DARN!!!!!! There's a bug in the .bat file. Hold on while I fix it!!!!
     
  27. dr_psikick

    dr_psikick Private E-2

    ok done.
    the logs attached
     


  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay to avoid confusion I'm attaching the current FixAutex.zip file here. Extract both files from it again thus overwriting the old ones.

    Make sure that c:\windows\winlogon.exe has not restarted. If it did, kill it with HJT.

    Also look for ExERoute.exe and kill it if it is running!

    Run the new FixAutex.bat file and attach log 1!

    Then run the registry patch.

    Then run FixAutex.bat again and attach the second log.
     


  29. dr_psikick

    dr_psikick Private E-2

    done.

    One thing, I can't run HJT or any other .exe file. Lucky I didn't close this browser...
     


  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    The below file is still showing even though it is listed as deleted in the first log.

    C:\WINDOWS\ExERoute.exe

    Is this process running? If so, kill it with HJT.

    See if you can delete the C:\WINDOWS\ExERoute.exe file. Does it stay deleted?
    If you were able to delete the file, get a new log from FixAutex.bat
     
  31. dr_psikick

    dr_psikick Private E-2

    MAJOR PROBLEM

    Can't start any program including notepad. Can't do what you told me to.


    PLEASE HELP
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Darn it! Something is blocking this last fixme.reg patch from posting properly. It is filtering the first three letters of associations and replacing them with ***

    I'm going to add it to a new copy of FixAutex.zip for you to download (attached here). You can then just double click on the fixme.reg patch.
     


  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure what is causing this! It may be a residual effect from trying to remove this malware since it had itself spread all over your PC.

    I assume this means you cannot run HijackThis because it is not currently running?
     
  34. dr_psikick

    dr_psikick Private E-2

    Deleted C:\WINDOWS\ExERoute.exe

    But please help me because I can't run any program or .exe file and soon my girlfriend needs to work with AutoCAD; she has a deadline until Monday...
     
  35. dr_psikick

    dr_psikick Private E-2


    Didn't understand: just click on fixme.reg, or first fixautex.bat, then fixautex.reg and finally fixme.reg?
     
  36. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I attached a new version of FixAutex.zip to msg #32.

    I wanted you to download it and extract the files from it and then double click on the fixme.reg patch that is in the ZIP file. Can this be done?

    When you click Start, Run and enter cmd do you get a Command prompt window?

    When you click CTRL-SHIFT-ESC, does Task Manager open?
     
  37. dr_psikick

    dr_psikick Private E-2

    When I try to open notepad (example) the error message says:
    This file does not have a program associated with it for performing this action. Create an association in Folder Options control panel.
     
  38. dr_psikick

    dr_psikick Private E-2

    Done the fixme.reg patch.

    When I enter cmd in the Run dialog, a message appears similar to the one I told you about in the last post;
    ctrl-shift-esc works fine, it opens the Task Manager.
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Exactly what happens?


    Click on File and select New Task (Run...) and enter command.

    Does a command prompt open?

    Try typing in regedit

    Does regedit open?
     
  40. dr_psikick

    dr_psikick Private E-2

    In both situations a box appears similar to those that appear when you try to open a kind of file that is not registered:

    To open this file, Windows needs to know what program created it...
    ...what do you want to do?
    use the web service to find the appropriate program or
    select the program from a list
     
  41. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Download the new FixAutex.zip file attached in this message.

    Extract all files.

    Double click on the NEW fixautex.reg file. Did this add into the registry okay?

    Then run the new FixAutex.bat file. Attach the new log.

    Has this changed anything?
     


  42. dr_psikick

    dr_psikick Private E-2

    I'm afraid not, can't start anything...
    The logs are attached.
     


  43. dr_psikick

    dr_psikick Private E-2

    That backup we made before starting editing, will it be any good, just in case?
    If so, how can we use it? It's because it is really important that the computer can start programs... And I am very hurried...
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The fixme.reg patch does not appear to have been added to the registry according to your log. Are you sure it added in okay? Try again. If you get a success message then attach a new log from FixAutex.bat so I can verify that it added in.
     
  45. dr_psikick

    dr_psikick Private E-2

    done it again, still no changes.
     


  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, that patch now worked. I'm trying to figure out if anything in the fixautex.reg patch could have caused this problem. I have not found anything yet. I'm still looking. It is possible that the removal of the worm has messed things up and that we just need to reboot. But I'm a little worried about trying a reboot with this problem occurring. I'm not sure what would happen at reboot.

    I do notice something else of concern. Tell me what you see in the below four folders that are new folders from around the date of infection:
    Code:
    C:\WINDOWS\
    CSC           23 Nov 2006              "CSC"
    DOWN          21 Nov 2006              "down"
    DOWNLOAD      21 Nov 2006              "Download"
    INTEL         21 Nov 2006              "Intel"
    
     
  47. dr_psikick

    dr_psikick Private E-2

    If I click on one file - EXAMPLE: .dwg - it starts AutoCAD.

    So if you need me to use notepad for something I just need to use some .txt file that exists and then save it with another name.
     
  48. dr_psikick

    dr_psikick Private E-2

    \CSC

    Inside 8 empty folders d1,d2,d3,d4,d5,d6,d7,d8 and two files: 00000001 and 00000002 (no extensions) - all same date

    \down

    empty

    \Download

    empty

    \Intel

    empty
     
  49. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Delete the down, Download, and Intel folders!

    Do the below files exist?

    C:\windows\system32\command.com
    C:\windows\system32\rundll32.exe

    If so what are their file sizes and dates?
     
  50. dr_psikick

    dr_psikick Private E-2

    Deleted the folders.

    \system32\command.com -exists- date 10.08.2004 - size 50,620
    \system32\rundll32.exe -exists- date 10.08.2004 - size 33,280
     
