Explorer.exe, Winlogon.exe Infected

Discussion in 'Malware Help (A Specialist Will Reply)' started by Tyranoid, Feb 21, 2012.

  1. Tyranoid

    Tyranoid Private E-2

    Greetings,

    I'm working with a deeply infected PC.

    Its performance is very, very sluggish. I've had an exceedingly difficult time running anti-virus and anti-malware software simply because they won't run at all or will run but with strict limits as a result of the infection.

    Independent of your forum's preliminary removal procedures, I attempted to install and run Avast. Avast installed without much hassle and proceeded to perform a quick scan just prior to completing its installation. After the quick scan, it asked if it could perform a boot time scan, which I agreed to. The boot time scan unveiled an enormous number of infected files and Avast was able to repair or quarantine all but two: explorer.exe and winlogon.exe.

    With that, I decided to do a little bit of research and I discovered that these two system files are frequently infected in combination. But I also discovered that repairing them isn't easy; hence why I registered with your forum for your assistance in this matter going forward.

    Unfortunately, I encountered issues running all of your software, and I'll explain in what way I had problems with each of them:

    SUPERAntiSpyware
    I couldn't install SUPERAntiSpyware without renaming the installation file. After installing it, I was unable to run it, even after renaming the executable. However, I was able to run SUPERAntiSpyware Portable. I attached a log.

    Malwarebytes Anti-Malware
    I was able to install Malwarebytes Anti-Malware without much hassle, but I couldn't run the executable without renaming it. I attached a log.

    ComboFix
    I couldn't run ComboFix as is. It simply won't open. I haven't tried renaming it yet, and I didn't want to take that step unless specifically instructed to.

    RootRepeal
    RootRepeal was literally crashing and rebooting my PC each time I tried to run it normally. Renaming it wasn't helping matters. So I decided to try it in Safe Mode. As luck would have it, it opened without crashing my PC. But upon opening it, I got an error message saying: "invalid PE image found!" I clicked OK, and then clicked the "Scan" button. A list of drivers and system files populated the window. But a "Select Drives" form didn't open as described in the instructions. I saved a log and attached it to my thread, but I don't know how helpful it will be.

    MGtools
    I seemed to have the most luck running MGtools as is right up until I got error message type 4: "Process DLL.EXE - Application Error The application failed to initialize properly (0xc0000135) Click on any key to terminate." I attached the logs.

    Other thoughts and observations
    • I considered reformatting and reinstalling Windows XP until I discovered that I'm unable to boot from my Windows XP installation disc for some odd reason. I double checked my PC's BIOS and my CD-ROM drive definitely has priority over the hard disk drive in the boot order. What makes this even stranger is that the PC won't recognize the Windows XP installation disc when I'm in Windows, but it will recognize other discs such as my Microsoft Office installation disc. I know that my Windows XP installation disc is good because I've tested it in several other disc drives. One thing I haven't tried yet is booting to a different disc, like Knoppix.
    • Doing anything on this PC after booting normally is just excruciatingly slow. But it's actually manageable after booting to Safe Mode.
    • The PC won't recognize USB flash drives at all. There's no prompt. It doesn't show up in explorer. Just nothing at all. I don't know if this is part of the infection or a product of malfunctioning hardware.

    If I think of anything else, I'll edit my post.

    I appreciate any help or insight you could offer, and I apologize if I left anything out of my thread that might otherwise be of service to you up front.

    Thank you for investigating and helping me solve this problem.
     

    Attached Files:

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Rename ComboFix to 123.exe and see if it will run. Do you have a log from Avast showing the infections?
     
  3. Tyranoid

    Tyranoid Private E-2

    Hi TimW. Thank you for replying.

    I renamed ComboFix.exe to 123.exe as you suggested, and I was able to run it this time.

    After some time, it prompted me to download and install Windows Recovery Console. I agreed. A few moments later, it warned that it didn't appear my PC was behind an active Internet connection. I know for a fact that isn't the case. In spite of how infected my PC is, I'm still able to browse web sites. In fact, if I wasn't behind an active Internet connection, I wouldn't have been able to email myself logs produced on the infected PC. Regardless, the download failed, but the scan continued. I attached a log.

    Unfortunately, I was unable to locate an avast log assuming that one was even created. It could be that it was removed unintentionally after I uninstalled avast. The only reason why I did that is because I couldn't interact with the software. With the exception of the boot time scan that it offered to perform during the installation process, I couldn't open the user interface and I couldn't bring up a menu from the system tray. Since I was unable to figure out how to disable its active protection feature, I just thought it best to uninstall it for now so that I could run this other software without interference.
     

    Attached Files:

  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's see if we can handle those files:

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    ClearJavaCache::
    KILLALL::
    
    FCopy::
    c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe
    c:\windows\ServicePackFiles\i386\explorer.exe | c:\windows\explorer.exe
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Note: If after running Combofix you discover none of your programs will open up, and you receive the following error: "Illegal operation attempted on a registry key that has been marked for deletion". Then the answer is to REBOOT the machine, and all will be corrected.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below log:

    • C:\MGlogs.zip
    • c:\combofix.txt
     
  5. Tyranoid

    Tyranoid Private E-2

    I'm having some difficulty completing these steps.

    After dragging and dropping CFScript.txt on top of ComboFix.exe (mine is still named 123.exe), it proceeded to load a series of files before launching the blue command prompt. Then it prompted me about downloading and installing Windows Recovery Console, but it still failed just as described in my original post. But now it's stalling at the window which says:

    "Scanning for infected files . . ."
    "This typically doesn't take more than 10 minutes"
    "However, scan times for badly infected machines may easily double"

    After sitting there for more than an hour doing absolutely nothing, I thought I'd try it again. I carefully executed each step exactly as you described in your instructions until I returned to this window. Then I left it overnight in hopes that it would proceed scanning sooner or later.

    When I woke up this morning, I discovered that it still hadn't scanned anything. It's just perpetually stalled at this window.

    As I reported earlier, ComboFix has completed its scan successfully before, after I renamed it to 123.exe. Why it's not completing now I can only guess has something to do with the script I'm launching in combination with it.

    Is there something else I can try? Would there be any benefit to launching the script in combination with ComboFix in Safe Mode?
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Try downloading a fresh copy of ComboFix to your desktop. Let it overwrite your present copy.
     
  7. Tyranoid

    Tyranoid Private E-2

    I updated ComboFix and ran through all the steps again, but I'm once again stalled at that same window I described earlier.
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      winlogon.exe
      explorer.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The main reason for this is that you do not have enough memory to properly run Windows XP SP3 and other applications. Your logs show the below
    Code:
    Total Physical Memory 256.00 MB 
    Available Physical Memory 69.40 MB 
    The minimum I recommend these days for Windows XP is 8 times the memory you have. And that equals 2 GB.

    By the way, do not rename combofix.exe to 123.exe
     
  10. Tyranoid

    Tyranoid Private E-2

    I have attached the SystemLook log.
     

    Attached Files:

  11. Tyranoid

    Tyranoid Private E-2

    Thanks for replying chaslang.

    I agree this PC could definitely use a lot more physical memory.

    I renamed combofix.exe to 123.exe in accordance with TimW's instructions. "ComboFix.exe" doesn't launch at all, but "123.exe" does. Should I have approached this step differently?
     
  12. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Will ComboFix run in safe mode?
     
  13. Tyranoid

    Tyranoid Private E-2

    Even in Safe Mode, if it's called "ComboFix.exe", it will not launch. But if I rename it to "123.exe", it will.

    Would you like me to try running it in combination with CFScript.txt in Safe Mode?
     
  14. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes.
     
  15. Tyranoid

    Tyranoid Private E-2

    Well, I have to admit I'm very confused now.

    As I mentioned before, ComboFix launches in Safe Mode, but it's stalling at that AutoScan window I described before. In fact, it stalls there whether I use CFScript or not.

    That's when I realized I haven't been able to complete a ComboFix scan since I completed it the first time and posted the log.

    Out of curiosity, I booted normally and attempted a ComboFix scan without CFScript. Sure enough, it's stalling at the AutoScan window. It would seem that ComboFix simply won't scan at all now.

    I'm not really sure what's changed to cause this behavior. All I remember doing since completing that first scan is updating ComboFix to the latest versions.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay since you are having problems getting ComboFix to run, let's use a different tool. Once we get a scan log from OTL, we can attempt to make a fix.



    Please download OTL by OldTimer.
    • Save it to your desktop.
    • Double click on the OTL icon on your desktop. (If running Vista or Win7 right-click and select Run as Administrator)
    • Check the "Scan All Users" checkbox.
    • Check the "Standard Output".
    • Change the setting of "Drivers" and "Services" to "All"
    • Copy the text in the code box below and paste it into the Custom Scans/Fixes text-field.
      Code:
      netsvcs
      /md5start
      afd.sys
      atapi.sys
      csrss.exe
      dhcpcsvc.dll
      explorer.exe
      lsass.exe
      nsiproxy.sys
      regedit.exe
      services.exe
      svchost.exe
      tcpip.sys
      tdx.sys
      userinit.exe
      winlogon.exe
      /md5stop
      %systemdrive%\*.*
      %systemdrive%\MGtools\*.*
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.sys /90
      %systemroot%\system32\*.exe /lockedfiles
      %systemroot%\system32\drivers\*.sys /lockedfiles
      %windir%\assembly\GAC\*.ini
      %windir%\assembly\GAC_MSIL\*.ini
      %windir%\assembly\gac_32\*.ini
      %windir%\assembly\gac_64\*.ini
      %windir%\assembly\temp\*.ini
      %windir%\assembly\tmp\u /s
      %allusersprofile%\application data\*.exe
      hklm\system\currentcontrolset\services\dhcp
      hklm\system\currentcontrolset\services\afd
      hklm\system\currentcontrolset\services\tdx
      hklm\system\currentcontrolset\services\tcpip
      hklm\system\currentcontrolset\services\nsiproxy
      hklm\software\microsoft\windows\currentversion\run
      hklm\software\microsoft\windows\currentversion\runonce
      
    • Now click the Run Scan button.
    • Two reports will be created:
      • OTL.txt <-- Will be opened
      • Extras.txt <-- Will be minimized
    • Attach both OTL.txt and Extras.txt to your next message. (See how to attach)
     
  17. Tyranoid

    Tyranoid Private E-2

    Thank you chaslang,

    I have attached the logs you requested.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Do you know what all the below MountPoints are? That is, do these file/process names look familiar? They appear to load from an external drive.
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.
    Code:
    :OTL
    IE - HKU\S-1-5-21-448539723-963894560-839522115-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [URL]http://www.ask.com?o=10148&l=dis[/URL]
    IE - HKU\S-1-5-21-448539723-963894560-839522115-1003\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
    FF - prefs.js..browser.search.defaultengine: "Ask.com"
    FF - prefs.js..browser.search.defaultenginename: "Ask.com"
    FF - prefs.js..browser.search.order.1: "Ask.com"
    FF - prefs.js..browser.search.selectedEngine: "Ask.com"
    [2012/02/19 22:07:11 | 000,002,573 | ---- | M] () -- C:\Documents and Settings\Yanet\Application Data\Mozilla\Firefox\Profiles\rr0ork15.default\searchplugins\askcom.xml
    [2010/08/22 22:50:25 | 000,001,734 | ---- | M] () -- C:\Documents and Settings\Yanet\Application Data\Mozilla\Firefox\Profiles\rr0ork15.default\searchplugins\search-the-web.xml
    [2009/11/06 09:37:20 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found.
    O3 - HKU\S-1-5-21-448539723-963894560-839522115-1003\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O33 - MountPoints2\{592357f5-b3b6-11df-aea7-00110973ed5d}\Shell\AutoRun\command - "" = I:\I55151L51626174\I55151L51626174\I55151L51626174xhg1.exe
    O33 - MountPoints2\{592357f5-b3b6-11df-aea7-00110973ed5d}\Shell\open\command - "" = I:\I55151L51626174\I55151L51626174\I55151L51626174xhg1.exe
    [2012/02/26 19:44:16 | 000,000,000 | --SD | C] -- C:\123
    [2012/02/26 19:41:43 | 004,420,481 | R--- | C] (Swearware) -- C:\Documents and Settings\Yanet\Desktop\123.exe
    [2012/02/18 17:11:17 | 000,000,000 | ---D | C] -- C:\Qoobox
    [2012/02/20 14:53:05 | 000,472,064 | ---- | C] ( ) -- C:\Documents and Settings\Yanet\Desktop\RR something_or_other.exe
    :Files
    c:\windows\explorer.exe | C:\MGtools\temp\explorer.exemg /replace
    c:\windows\system32\winlogon.exe | C:\MGtools\temp\winlogon.exemg /replace
    :Reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe]
    [-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{171DEBEB-C3D4-40b7-AC73-056A5EBA4A7E}]
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"=-
    "SUPERAntiSpyware"=-
    [HKEY_USERS\S-1-5-21-448539723-963894560-839522115-1003\Software\Microsoft\Windows\CurrentVersion\run]
    "MSMSGS"=-
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    [REBOOT]
    • Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  20. Tyranoid

    Tyranoid Private E-2

    I really, really wanted to return this morning with good news, but I'm afraid it's just more of the same from my end. :(

    I followed your instructions right down to the letter. After I clicked the "Run Fix" button, I watched as the desktop icons and Windows task bar disappeared, and OTL's status changed to "Killing processes. DO NOT INTERRUPT . . ." I waited patiently for something else to happen since your instructions mentioned a possible reboot and the creation of a log file. After an hour passed with no update to OTL's status, I gave up and went to bed leaving OTL to continue overnight. When I checked on it this morning about eight hours later, nothing had changed. OTL's status remains "Killing processes. DO NOT INTERRUPT . . ."

    Is it possible that these processes are being stalled due to a lack of available physical memory? If so, I think I might have a spare 512 MB stick I can salvage from an obsolete PC. That would bump up the infected PC's physical memory from 256 MB to 768 MB.

    By the way, I don't recognize any of those MountPoints you inquired about before. To be honest with you, this isn't actually my PC. It belongs to a friend. I'm just trying to get it back in working order for them. But if I had to guess, I doubt they'd recognize those items either.

    I don't know if this is related or not, but since you mentioned those MountPoints, I noticed that there are a series of Removable Drives in Windows Explorer (drives E, F, G, and H) that are hanging around but don't appear to point to anything physical. When I click on one and try to access it, I receive an error message about needing to insert a disc. I don't think those drives are supposed to be there, but at the same time I'm not sure if they're actually doing any harm.
     
  21. Tyranoid

    Tyranoid Private E-2

    I upgraded the infected PC's RAM from 256 MB to 768 MB. The expected performance boost from tripling the physical memory was immediately noticeable.

    With that, I attempted the OTL Fix again, but it's still stalling at the Killing Processes phase I described before.

    Would there be any benefit to attempting the OTL Fix in Safe Mode?
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is worth a try! Let us know what happens.
     
  23. Tyranoid

    Tyranoid Private E-2

    Hah! Running the OTL Fix in Safe Mode did the trick! I attached the requested logs.

    Unfortunately, I haven't had much time to inspect the infected PC after OTL completed. And I realize now that any performance enhancement I observe from this point on may just as easily be attributed to the additional RAM I recently installed. However, I have noticed that I can open SUPERAntiSpyware now, which is something I couldn't do before (even after renaming it). But some peculiarities remain. For example, while I can open SUPERAntiSpyware now, any attempt to update its definitions fails instantaneously. In addition, I'm still unable to open Malwarebytes Anti-Malware without renaming it first.

    But I definitely think we're on the right track and I'm very optimistic about the progress we've made so far. Thank you so much for your assistance. :)
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay so let's remove these with OTL too. If you cannot run OTL in normal boot mode, run it in safe mode again but do try normal mode first.


    Now shut down your protection software (antivirus, antispyware...etc) to avoid possible conflicts.
    Code:
    :OTL
    O33 - MountPoints2\{0fb92d58-e234-11df-af59-00110973ed5d}\Shell\AutoRun\command - "" = I:\YANET-ACC701A8C\YANET-ACC701A8CDCM.exe
    O33 - MountPoints2\{0fb92d58-e234-11df-af59-00110973ed5d}\Shell\open\command - "" = I:\YANET-ACC701A8C\YANET-ACC701A8CDCM.exe
    O33 - MountPoints2\{111acc40-a334-11df-ae2e-00110973ed5d}\Shell\AutoRun\command - "" = I:\DRIVE\BIN\april2x2.exe
    O33 - MountPoints2\{111acc40-a334-11df-ae2e-00110973ed5d}\Shell\open\command - "" = I:\DRIVE\BIN\april2x2.exe
    O33 - MountPoints2\{475d1314-dfd2-11df-af4e-00110973ed5d}\Shell\AutoRun\command - "" = I:\DRIVE\BIN\april2x2.exe
    O33 - MountPoints2\{475d1314-dfd2-11df-af4e-00110973ed5d}\Shell\open\command - "" = I:\DRIVE\BIN\april2x2.exe
    O33 - MountPoints2\{59af69e2-0d70-11e0-b002-00110973ed5d}\Shell\AutoRun\command - "" = I:\DPFMate.exe
    O33 - MountPoints2\{6f253960-03fb-11e0-afe2-00110973ed5d}\Shell\AutoRun\command - "" = J:\YANET-ACC701A8C\YANET-ACC701A8C\YANET-ACC701A8Cswo2.exe
    O33 - MountPoints2\{6f253960-03fb-11e0-afe2-00110973ed5d}\Shell\open\command - "" = J:\YANET-ACC701A8C\YANET-ACC701A8C\YANET-ACC701A8Cswo2.exe
    O33 - MountPoints2\{6fd72711-95d8-11df-9630-00110973ed5d}\Shell\AutoRun\command - "" = I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sic32.exe
    O33 - MountPoints2\{6fd72711-95d8-11df-9630-00110973ed5d}\Shell\open\command - "" = I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sic32.exe
    O33 - MountPoints2\{7354eec0-e2dd-11df-af5e-00110973ed5d}\Shell\AutoRun\command - "" = I:\YANET-ACC701A8C\YANET-ACC701A8CDCM.exe
    O33 - MountPoints2\{7354eec0-e2dd-11df-af5e-00110973ed5d}\Shell\open\command - "" = I:\YANET-ACC701A8C\YANET-ACC701A8CDCM.exe
    O33 - MountPoints2\{8b98e388-dcc5-11df-af41-00110973ed5d}\Shell\AutoRun\command - "" = I:\DRIVE\BIN\april2x2.exe
    O33 - MountPoints2\{8b98e388-dcc5-11df-af41-00110973ed5d}\Shell\open\command - "" = I:\DRIVE\BIN\april2x2.exe
    O33 - MountPoints2\{b70b02a3-df9b-11df-af4d-00110973ed5d}\Shell\AutoRun\command - "" = I:\YANET-ACC701A8C\YANET-ACC701A8C\YANET-ACC701A8Cg34.exe
    O33 - MountPoints2\{b70b02a3-df9b-11df-af4d-00110973ed5d}\Shell\open\command - "" = I:\YANET-ACC701A8C\YANET-ACC701A8C\YANET-ACC701A8Cg34.exe
    O33 - MountPoints2\{f6db38c0-2ee7-11e0-b07e-00110973ed5d}\Shell\AutoRun\command - "" = I:\PcOptions.exe
    :Files
    C:\Documents and Settings\Yanet\Desktop\CFScript.txt
    C:\Documents and Settings\Yanet\Desktop\ComboFix Log 2012-02-22.txt
     
    :Commands
    [PURITY]
    [EMPTYTEMP] 
    [EMPTYFLASH]
    [REBOOT]
    
    • Now click the http://img3.imageshack.us/img3/407/otlrunfix.png button.
    • If the fix needed a reboot please do it.
    • Click the OK button (upon reboot).
    • When OTL is finished, Notepad will open. Close Notepad.
    • A log file will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.
    • Attach this log to your next message. (See: How to attach)
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).


    Then attach the below logs:
    • the log from OTL
    • C:\MGlogs.zip
    Make sure you tell me how things are working now! I think your winlogon.exe file may still be infected. It does not look like it was replaced with the OTL fix.
    Do you have your Windows XP boot CD?
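One way to triage the O33 MountPoints2 entries chaslang asked about (an added example for this thread, not code from OTL, MajorGeeks or either poster): it parses OTL-format O33 lines, using the entries quoted above as constructed sample input, and flags autorun handlers that show the USB-worm pattern (an .exe launched from a removable drive, a RECYCLER\<SID> hiding place, repeated nested folder names). The registry base path for the per-user MountPoints2 keys is stated from general knowledge, not from this thread.

```python
"""Triage helper for OTL 'O33 - MountPoints2' lines.

Constructed example: it is not OTL's own code and not part of the thread.
A MountPoints2\{guid}\Shell\AutoRun\command handler tells Explorer what to run
when a volume with that GUID is double-clicked, which is exactly the hook
USB-spreading worms leave behind. The heuristics below only flag entries
for review; removal is still a decision for the analyst.
"""
import re
from dataclasses import dataclass, field

# Sample input constructed from the O33 lines quoted in this thread.
SAMPLE_OTL = r"""O33 - MountPoints2\{592357f5-b3b6-11df-aea7-00110973ed5d}\Shell\AutoRun\command - "" = I:\I55151L51626174\I55151L51626174\I55151L51626174xhg1.exe
O33 - MountPoints2\{6fd72711-95d8-11df-9630-00110973ed5d}\Shell\open\command - "" = I:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\sic32.exe
O33 - MountPoints2\{59af69e2-0d70-11e0-b002-00110973ed5d}\Shell\AutoRun\command - "" = I:\DPFMate.exe
O33 - MountPoints2\{111acc40-a334-11df-ae2e-00110973ed5d}\Shell\open\command - "" = I:\DRIVE\BIN\april2x2.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - No CLSID value found."""

# OTL prints: O33 - MountPoints2\{GUID}\Shell\<verb>\command - "" = <command>
O33_RE = re.compile(
    r'^O33 - MountPoints2\\\{(?P<guid>[0-9a-f-]{36})\}'
    r'\\Shell\\(?P<verb>AutoRun|open)\\command - "" = (?P<cmd>.+)$',
    re.IGNORECASE,
)
# Worms commonly hide under a fake RECYCLER\<SID> folder on the stick.
SID_DIR_RE = re.compile(r'\\RECYCLER\\S-1-5-21-[\d-]+\\', re.IGNORECASE)
DRIVE_RE = re.compile(r'^[A-Za-z]:\\')


@dataclass
class MountPointEntry:
    guid: str
    verb: str      # "AutoRun" or "open"
    command: str   # what Explorer would execute
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_o33(line: str):
    """Return a MountPointEntry for an O33 line, or None for any other line."""
    m = O33_RE.match(line.strip())
    if not m:
        return None
    return MountPointEntry(m['guid'].lower(), m['verb'], m['cmd'])


def assess(entry: MountPointEntry) -> MountPointEntry:
    """Attach human-readable reasons for flagging the handler, if any."""
    cmd = entry.command
    drive = cmd[:2].upper() if DRIVE_RE.match(cmd) else ''
    if drive and drive != 'C:' and cmd.lower().endswith('.exe'):
        entry.reasons.append(f'{entry.verb} handler runs an .exe from drive {drive}')
    if SID_DIR_RE.search(cmd):
        entry.reasons.append('executable hidden in a RECYCLER\\<SID> folder')
    # Folder chains such as X\X\Xname.exe are a generated-name pattern.
    folders = [p.lower() for p in cmd.split('\\')[1:-1]]
    if len(folders) >= 2 and len(set(folders)) < len(folders):
        entry.reasons.append('repeated nested folder name in the path')
    return entry


def triage(otl_text: str) -> dict:
    """Group O33 lines by volume GUID and keep only the flagged volumes."""
    by_guid: dict = {}
    for line in otl_text.splitlines():
        entry = parse_o33(line)
        if entry is None:
            continue
        assess(entry)
        by_guid.setdefault(entry.guid, []).append(entry)
    return {g: es for g, es in by_guid.items() if any(e.suspicious for e in es)}


def removal_keys(flagged: dict) -> list:
    """Per-user registry keys that hold the flagged handlers (standard hive path)."""
    base = r'HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    return sorted(f'{base}\\{{{g}}}' for g in flagged)


if __name__ == '__main__':
    flagged = triage(SAMPLE_OTL)
    for guid, entries in flagged.items():
        for e in entries:
            print(f'{guid}  {e.verb:8} {e.command}')
            for r in e.reasons:
                print(f'    - {r}')
    print('\nKeys to review:')
    for key in removal_keys(flagged):
        print(' ', key)
```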
     
  25. Tyranoid

    Tyranoid Private E-2

    Unfortunately, I couldn't run OTL normally. It's still stalling indefinitely at "Killing Processes." But it once again worked immediately in Safe Mode. I posted the requested logs.

    The good news is I have my Windows XP Professional installation disc. The bad news is I think the infected PC's CD/DVD-ROM drive is malfunctioning.

    It has power. I can open and close the drive bay normally. It's recognized by BIOS. And it's recognized by Device Manager in Windows. The problem is it's not reading any of the discs I've tested. I've tried booting the infected PC with my Windows XP Professional installation disc, Windows Recovery Console disc, Knoppix disc, and Ultimate Boot CD, but nothing works. It boots straight to Windows each and every time.

    And I've triple checked my boot order in BIOS and the CD/DVD-ROM drive definitely has the highest priority.

    I just think the drive is malfunctioning because it won't read discs in Windows either.

    I might have a spare CD/DVD-ROM drive lying around that I can replace the suspected malfunctioning one with. If not, or if it turns out that it's not the drive but something else at play, is there an alternative solution to not having the ability to boot to disc?
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Put the hard disk into another PC as a slave drive and then we would fix the infected winlogon.exe file.

    Can you do this or can you get the CD drive to work?
     
  27. Tyranoid

    Tyranoid Private E-2

    I have some good news.

    I replaced the infected PC's CD/DVD-ROM drive with a spare one I found. I can now boot from discs and read discs in Windows. So I'm ready for the next step. :)
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay then rerun the C:\XPsp3bu.exe file that you appear to have downloaded on your own at some point.

    Then copy the below file:

    C:\MGtools\temp\winlogon.exemg

    into the C:\Windows\System32 folder

    Then reboot this PC from the Windows Boot CD and get into the Command Prompt of the Recovery Console. Once at the command prompt, type in the below commands and take note of what response you receive for the first one. Take note of the space before each C:\

    copy c:\windows\system32\winlogon.exemg c:\windows\system32\winlogon.exe
    exit


    Hopefully you received a response to the 1st command that 1 File Copied.
    The second command will cause the PC to reboot. Reboot normally into Windows and run the below steps.


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )

    Now attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  29. Tyranoid

    Tyranoid Private E-2

    Thanks as always, chaslang.

    I was able to run through your latest set of instructions without much trouble. I have attached the requested logs.
     

    Attached Files:

  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that looks like the correct winlogon.exe file was copied now.

    How are things working?
     
  31. Tyranoid

    Tyranoid Private E-2

    The PC seemed to be running pretty well, although some peculiarities remained. For example, Windows recognized what appeared to be four removable drives--E, F, G, and H--in Explorer, but not a single one of them pointed to anything physically connected to the PC. I also noticed that a Generic Win32 process would inevitably crash shortly after booting to Windows. I'm not really sure what the consequences were of that since I didn't observe anything unusual in the wake of the crash. But the fact that it was crashing is obviously out of the ordinary. Finally, and this was the most concerning thing to me, some applications still were not functioning properly. Specifically, SUPERAntiSpyware's attempts at updating its definitions would fail instantaneously, and Malwarebytes Anti-Malware still would not open unless the executable file was renamed first.

    I didn't want to assume anything about the state of the infection at this point. It seemed to me that explorer.exe and winlogon.exe had been restored at the very least, and I was very happy with our progress. So with that I decided to reinstall Avast. After all, it was Avast's boot time scan that alerted me that explorer.exe and winlogon.exe were infected in the first place, and it was also Avast that kept crashing prior to asking your forum for assistance with this infection. What better time than now to see if Avast would start functioning properly, I thought.

    So I reinstalled Avast and once again agreed to have it perform a boot time scan next time I restarted. Prior to restarting, I was a bit disheartened to see that AvastGUI was still crashing just like it was before. Nevertheless, I forged ahead and restarted. What happened next was not the boot time scan I scheduled, but a seemingly infinite cycle of reboots that would occur when the Windows loading screen would normally appear in the boot sequence. I attempted to boot using the Last Known Good Configuration, but that resulted in an automatic reboot as well. I also attempted to boot to Safe Mode with and without Networking, but that process would freeze right after loading all of its drivers (with MUP.SYS being the last one, if I recall).

    To be clear, the computer was booting fine before. What seemed to serve as the catalyst to this latest problem was my scheduling of Avast's boot time scan.

    At this point, I decided to talk to the PC's owner and I described the latest round of problems I was having. Since they weren't interested in recovering or backing up any software or personal files in the first place, they agreed with my recommendation that we simply start fresh by reformatting the hard drive and reinstalling Windows. In retrospect, I suppose this option was always available to us ever since I replaced the PC's malfunctioning CD-ROM drive.

    Last night, I successfully reformatted and reinstalled Windows XP Professional. I'm currently in the process of downloading and installing all of its subsequent Service Packs and updates. I'm planning on converting this rig into a fortress based on your advice in this post. I'm also planning on talking to the owner about investing in some new physical memory, since 256 MB is clearly not enough to run adequately by today's standards.

    I wanted to once again thank you and TimW for your assistance. I really appreciate all the time you spent helping me out with this problem. Does your site accept donations?

    I guess at this point you can consider my case closed. Thanks again. :)
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry to hear about what happened after the Avast scan. It looked like we were getting close to being finished.

    You're welcome. No we have no formal method of accepting donations. You can just send people to the forums for help and to our main website page for file downloads. Also you can try to get people to follow us on Facebook. :)
     
  33. Tyranoid

    Tyranoid Private E-2

    Absolutely! It would be my pleasure. :)
     
  34. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thank you! Surf safely!
     
