Winlogon.exe trojan Spy-Agent.bv!inf HELP!

Discussion in 'Malware Help (A Specialist Will Reply)' started by oneptbuk, Feb 28, 2007.

  1. oneptbuk

    oneptbuk Private E-2

    OK, so I've tried to follow the instructions from the READ AND RUN ME FIRST post; and I'm still unable to remove this trojan. After running some of the advised programs, I can now at least stay logged on, but McAfee continues to see the trojan but is unable to do anything about it.

    I can't log off without getting a 'fatal system error' message, and something is still messing with the winlogon.exe file.....

    I was able to run the scans up through CounterSpy in Safe Mode, then the rest I could only do in normal. However, when I re-booted, now many of the log files are gone.....I have only the bdscan and the HJT left. This has taken about 8hrs and is now starting to freak me out.

    I'll attach these two scans, please someone let me know where I may have screwed up and if I need to start over....

    Dave
     

    Attached Files:

  2. oneptbuk

    oneptbuk Private E-2

    Cont'd from original:

    I've added the runkey and newfile text files.....
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Start by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O20 - AppInit_DLLs: C:\WINDOWS\system32\msie.dll
    O20 - Winlogon Notify: instcat - instcat.dll (file missing)
    NOTE: HJT will popup an error about the AppInit_DLLs line. Ignore it and click OK to continue.
    After clicking Fix, exit HJT.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\809552510
    C:\as.txt
    C:\bfgmqrf.exe
    C:\cagwaahq.exe
    C:\mfoiqj.exe
    C:\pfqq.exe
    C:\ulfnwey.exe
    C:\win32ad.exe
    C:\xgvhvnul.exe
    C:\WINDOWS\LRUN32.EXE
    C:\WINDOWS\ORUN32.EXE
    C:\WINDOWS\SYSTEM32\CMMGR32.EXE
    C:\WINDOWS\SYSTEM32\wsys.dll
    C:\WINDOWS\SYSTEM32\main.sys
    C:\WINDOWS\SYSTEM32\runtime.sys
    C:\WINDOWS\SYSTEM32\ms.dat
    C:\WINDOWS\Temp\mcuE.tmp
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    I see you are running Ad-aware 6 Personal. This version has not been used in over two years. You need to get updated.

    Okay now uninstall the Sunbelt CounterSpy trial since we are finished with it now! Then delete the below two folders left behind by the uninstall:
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    Also uninstall Viewpoint Manager (Remove Only) which should have been uninstalled in step 0 of the READ ME.

    Now complete step 8 of the READ & RUN ME!

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. ShowNew
    2. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
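The three HijackThis lines fixed in the post above touch three different autostart mechanisms: an HKLM Run value (O4), the AppInit_DLLs value (O20), which loads the named DLL into every process that loads user32.dll, and a Winlogon Notify subkey (O20), a DLL loaded by winlogon.exe itself, which is why a bogus or missing entry there shows up as logon/logoff trouble. The following is an added PowerShell example, not part of the thread and not a MajorGeeks tool, that enumerates those three locations and flags entries whose target file does not exist (as with the "instcat.dll (file missing)" line). The registry paths are the standard Windows ones; the output layout is mine.

```powershell
# Added example (not from the thread or any MajorGeeks tool): enumerate the
# autostart locations that HijackThis labels O4 (Run keys), O20 AppInit_DLLs
# and O20 Winlogon Notify, and flag entries whose target file is missing.
# Run from an elevated PowerShell prompt; registry paths are the standard ones.

function Resolve-TargetPath {
    param([string]$Value)
    # Strip quotes and arguments, expand %SystemRoot%-style variables.
    $exe = [Environment]::ExpandEnvironmentVariables($Value.Trim())
    if ($exe.StartsWith('"')) { $exe = $exe.Substring(1).Split('"')[0] }
    else { $exe = $exe.Split(' ')[0] }
    # A bare DLL name (as in Winlogon\Notify) is loaded from System32.
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $exe = Join-Path $env:SystemRoot ("System32\" + $exe)
    }
    return $exe
}

function New-AutostartEntry {
    param([string]$Type, [string]$Name, [string]$Value)
    $target = if ($Value) { Resolve-TargetPath $Value } else { $null }
    [pscustomobject]@{
        Type        = $Type
        Name        = $Name
        Value       = $Value
        Target      = $target
        FileMissing = -not ($target -and (Test-Path -LiteralPath $target))
    }
}

function Get-AutostartEntries {
    # O4: Run keys for the machine and the current user.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not a Run value
            New-AutostartEntry -Type 'O4 Run' -Name $p.Name -Value $p.Value
        }
    }

    # O20: AppInit_DLLs, injected into every process that loads user32.dll.
    $winKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    $appInit = (Get-ItemProperty -Path $winKey -ErrorAction SilentlyContinue).AppInit_DLLs
    foreach ($dll in ($appInit -split '[ ,]' | Where-Object { $_ })) {
        New-AutostartEntry -Type 'O20 AppInit_DLLs' -Name 'AppInit_DLLs' -Value $dll
    }

    # O20: Winlogon Notify subkeys, DLLs loaded by winlogon.exe itself (XP/2003).
    $notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    foreach ($sub in (Get-ChildItem -Path $notifyKey -ErrorAction SilentlyContinue)) {
        $dll = (Get-ItemProperty -Path $sub.PSPath).DLLName
        New-AutostartEntry -Type 'O20 Winlogon Notify' -Name $sub.PSChildName -Value $dll
    }
}

Get-AutostartEntries | Format-Table -AutoSize Type, Name, Value, FileMissing
```

An entry with FileMissing set to True is either leftover from an incomplete cleanup (harmless but worth removing, since Winlogon will keep trying to load it) or a sign that a file was deleted while its loader entry survived. An AppInit_DLLs entry pointing at an unsigned DLL in System32 with a generic name, like the msie.dll above, is the one to treat as hostile until proven otherwise. Winlogon Notify packages exist only on XP/2003; on later Windows the subkey is normally absent.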
     
  4. oneptbuk

    oneptbuk Private E-2

    Chaslang -

    Thanks for the help. I made it through the instructions up until the step 8 part. McAfee is still telling me that the trojan exists and the 'trojan found' window continues to pop up.

    Should I go ahead with step 8?

    Dave
     
  5. oneptbuk

    oneptbuk Private E-2

    I went ahead and ran the system restore; the 'Trojan found' alert was not appearing after re-booting. However, when I re-booted after disabling the system restore, the 'trojan found' warning appeared again.

    At this point, I'm not sure if it's cleared or not. The system is acting better; I am able to log off and re-boot and reach the web sites I've tried.

    I removed Ad-Aware; I'll be looking for an updated program.

    Please let me know what you think.

    Dave
     

    Attached Files:

  6. oneptbuk

    oneptbuk Private E-2

    McAfee still throws the Trojan Found alert up when I boot up and I can't get rid of the pop up. The system seems OK, no probs shutting down or logging on like before.

    Is there something still left to do or is it something with McAfee I should address??

    Here's the last 2 logs as per Chaslang's request...

    Thanks for your help!

    db
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Empty any quarantine folders from scanning programs (like SuperAntispyware or similar) then continue.

    Now run Pocket Killbox by doubleclicking on killbox.exe
    • select File, Cleanup, Delete All Backups ( DO NOT SKIP THIS STEP )
    • Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    • Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\msie.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. ShowNew
    Make sure you tell me how things are working now!
     
  8. oneptbuk

    oneptbuk Private E-2

    Thanks Chaslang -

    I ran Killbox again, and I did not receive a PendingFileRenameOperation prompt.

    The prompt seems to be resolved, but I still cannot get rid of the McAfee Trojan Found alert, as well as the multiple alerts to scan system because of a virus when it boots up.

    However, when I ran CCleaner I did receive a box indicating that it could not read the cookies and something about the browser window/session? I clicked OK (the only option) and the process went as usual....

    Please let me know if there is more I can do to get rid of this alert.

    Dave
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are going to have to tell me exactly what and where McAfee is finding whatever it is reporting. Give me the filenames, the filepaths (i.e., where it is located) and what the name of the infection is according to McAfee. You should have a log where you can find this. McAfee often defaults to writing things to:

    C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt


    By the way, I forgot to mention earlier you can get the current version of the free Ad-aware here: Ad-Aware SE Personal
     
  10. oneptbuk

    oneptbuk Private E-2

    Attached is the log from McAfee found at the location below:

    C:\Documents and Settings\All Users\Application Data\McAfee.com\VSO\ODSLog

    I also attached screen shots of the Trojan alert and the scan complete screen, not sure if either of those are of any help. The alert screen cannot be resolved; it won't allow quarantine, clean or deletion of the Trojan.

    Thanks again for your help.

    Dave
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Click Start and select Search
    Now Select "All files and folders"
    Enter winlogon.e* in the "All or part of the file name:" box

    (yes the asterisk is supposed to be there right after the e )
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    • Search system folders
    • Search hidden files and folders
    • Search subfolders
    Then click the Search button.

    Tell me what matches you get and also tell me the file sizes.


     
  12. oneptbuk

    oneptbuk Private E-2

    There were a few matches, so I am attaching print screen.

    Thanks again...
     

    Attached Files:

  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm going to have you run a procedure below which will attempt to delete the infected winlogon.exe file and replace it with a good copy from your DLLCACHE folder.
    • Print or save the below instructions locally because you need to close all browsers later.
    • Download the attached FixWinlogon.zip file to your Desktop.
    • Now double click on FixWinlogon.zip and extract the contents to your Desktop.
    • This should create a folder named FixWinlogon on your Desktop.
    • In this folder there should be two files. FixWL.bat and process.exe
    • Note some antivirus programs may falsely detect process.exe as malware. It is not malware. Don't worry about it if you see a message about process.exe. Allow it to run later when we run the procedure.
    • Now shutdown ALL unnecessary applications including browsers (this one too).
    • Now double click on the FixWinlogon folder to open a window showing its contents.
    • Now double click on the FixWL.bat file to run this procedure.
    • It will create a log file named: c:\FixWL.txt
    • After running this you will not be able to shutdown or restart your PC in the normal fashion. You will have to hold in the power button on your PC until it powers down.
    • Close ALL open windows now!!!!!
    • Power down your PC now. Wait about 15 seconds and then power back up.
    • Come back here and attach the c:\FixWL.txt file and a new log from ShowNew.
    • How are things working now? Is McAfee still seeing a problem?
     

    Attached Files:
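The search in post 11 and the replacement in post 13 rest on the same idea: Windows XP's Windows File Protection keeps a pristine copy of winlogon.exe in %SystemRoot%\system32\dllcache, so an infected winlogon.exe in System32, or a stray winlogon.e* file elsewhere, can be spotted by comparing sizes and hashes against that copy. The following is an added PowerShell example, not the thread's FixWL.bat (whose contents the thread does not show), that performs only the comparison: it does not kill processes or replace files. It assumes the XP dllcache location and that Get-FileHash (PowerShell 4 and later) is available.

```powershell
# Added example (not the thread's FixWL.bat): locate every winlogon.e* file on
# the system drive, record size and SHA-256, and compare each against the
# Windows File Protection copy in %SystemRoot%\system32\dllcache.
# Read-only: it reports, it does not repair.
# Assumptions: XP-style dllcache path; Get-FileHash (PowerShell 4+) available.

function Get-WinlogonCandidates {
    param([string]$Root = "$env:SystemDrive\")

    # -Force includes hidden and system folders, as the thread's Search settings did.
    $files = Get-ChildItem -Path $Root -Filter 'winlogon.e*' -File -Recurse -Force `
                           -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        [pscustomobject]@{
            Path   = $f.FullName
            Size   = $f.Length
            SHA256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        }
    }
}

function Compare-WinlogonToDllcache {
    param([pscustomobject[]]$Candidates)

    $reference = Join-Path $env:SystemRoot 'system32\dllcache\winlogon.exe'
    $live      = Join-Path $env:SystemRoot 'system32\winlogon.exe'
    if (-not (Test-Path -LiteralPath $reference)) {
        Write-Warning "No dllcache copy at $reference; no reference hash available."
        return $Candidates
    }
    $refHash = (Get-FileHash -LiteralPath $reference -Algorithm SHA256).Hash

    foreach ($c in $Candidates) {
        $status = if ($c.Path -ieq $reference)    { 'reference copy' }
                  elseif ($c.SHA256 -eq $refHash) { 'matches dllcache' }
                  else                            { 'DIFFERS from dllcache' }
        # Only two winlogon.exe locations are expected; anything else is suspect.
        if (@($live, $reference) -notcontains $c.Path) {
            $status += ' (unexpected location)'
        }
        [pscustomobject]@{
            Path   = $c.Path
            Size   = $c.Size
            SHA256 = $c.SHA256
            Status = $status
        }
    }
}

$candidates = Get-WinlogonCandidates
Compare-WinlogonToDllcache -Candidates $candidates | Format-Table -AutoSize Path, Size, Status
```

Two caveats a practitioner would keep in mind. First, the dllcache copy is itself just a file on the compromised disk, so "matches dllcache" proves only that the two copies agree; confirm the reference hash against a copy from a clean machine or the installation media before trusting it. Second, a winlogon.exe that is in use cannot be overwritten from within a normal session, which is why the thread's procedure kills it first and, failing that, falls back to Safe Mode or the Recovery Console.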

  14. oneptbuk

    oneptbuk Private E-2

    This time I did not get the multiple McAfee pop ups telling me to scan system for suspected viruses, but I still get the Trojan Found alert as before.

    Here are the logs.

    Is this a normal cleaning process, or is this thing peskier than usual?.....

    db
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It does not appear to have run properly. Are you sure that you extracted BOTH files from the ZIP file? Check the FixWinlogon folder on your Desktop. Tell me the names of the files that you see in that folder. Also you must make sure that you do not try to run the FixWL.bat file from inside the ZIP file as it will not work.

    Also did any error messages appear? Based on your FixWL.txt log, the commands using process.exe to kill a couple processes did not work. In fact process.exe was not even run based on the logs. Since it did not run, the procedure could not successfully replace the infected winlogon.exe file with a good one.

    It is not a problem that I have seen before but I would not classify it as pesky. ;) We have had many malware problems that have taken a lot more work than this to clean. Once we figure out why process.exe did not run, we should be able to fix your problem.
     
  16. oneptbuk

    oneptbuk Private E-2

    Within the FixWinLogon folder (on My Desktop) both files are there, FixWL.bat and Process.exe. I ran the FixWL batch file from within this folder. But, per your instructions, I only ran the FixWL.bat. Did I also need to run Process.exe separately??

    I did not get any error messages when I ran FixWL.bat

    Dave
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! It should run directly from the FixWL.bat file.

    Hang on a few minutes!!! I'll write something up to try......;)
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    • Click Start, Run, and enter cmd and click OK.
    • This should open a command prompt window.
    • In the command prompt window enter the below command
    cd C:\Documents and Settings\Dave\Desktop\FixWinlogon
    Make sure the prompt in the window now changes to show that you are in the above folder. If it does not show this, stop!!! And tell me what it shows. If it does show that you are in the FixWinLogon folder, continue on by entering the below commands ( the ones in bold black text are the commands ) into the command prompt window.

    process -k smss.exe <--- this should display a message indicating that the smss.exe process was killed. If it does not, stop right here because something is wrong.
    process -k winlogon.exe <--- this should display a message indicating that the winlogon.exe process was killed. If it does not, stop right here because something is wrong.
    FixWL.bat
    Now if the above all worked properly, immediately attach the c:\FixWL.txt file to a message here. Don't try to reboot yet.
    If the above did not work, like you did not see the messages from the process commands, tell me if you got an error message or if nothing happened. It is possible that your antivirus or similar is blocking process.exe from running.
     
    Last edited: Mar 5, 2007
  19. oneptbuk

    oneptbuk Private E-2

    Maybe I entered something wrong, but I think I entered it just like you instructed. I received an access denied message after entering the first command. Attached is a print screen.

    Dave
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Enter the below in that command prompt window.

    process > plist.txt

    This will create a list of processes in a file named plist.txt in the FixWinLogon folder. Attach the plist.txt file here.

    Also try downloading SeDebug-Restore and save it to the FixWinlogon folder on your Desktop. Then run the SeDebug-Restore.exe program. Then reboot as it requests. Now try to run what I gave you in message number 18 again. If this does not work, boot into safe mode and try message # 18 again.



    Do you have a Windows XP bootable CD?
     
    Last edited: Mar 5, 2007
  21. oneptbuk

    oneptbuk Private E-2

    Do I need to be in the FixWinlogon folder? I ran this from within that folder and again received 'access denied' response.

    I don't have a bootable CD, I guess I can make one?
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes.

    But now I also gave you other things to do. Please try them. Get me that plist.txt log too.


    I'm referring to a Windows XP SP2 boot CD for your OS. If we cannot get the steps with FixWL.bat to work (and they should work unless something else in your OS is messed up or another component of malware is hiding) then we will need to boot to the recovery console to fix this. I avoided using the recovery console method as a first step because most people are in situations like you in that they do not have a Windows Boot CD.
     
  23. oneptbuk

    oneptbuk Private E-2

    My fault, I thought I needed to resolve the plist.txt before I moved onto the SeDebug step. I did run process > plist.txt from the FixWinlogon folder but again received 'access denied' message.

    I downloaded the SeDebug-Restore file and ran it, then did step 18 in safe mode. Attached is the FixWL.txt file.

    I don't have a bootable WinXP SP2 CD, but I can make one correct? If I follow the slipstream directions for a bootable disc, I assume that will work?
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Slipstreaming is not performed on an already installed Windows folder as far as I remember.

    Based on the log you attached, you should not need one. My fix appears to have worked in safe mode. The good file was copied into the system32 folder as we wanted.

    Are you still getting detections? If so, then I would expect that after a reboot to normal mode you were reinfected.

    Attach a new log from ShowNew.
     
  25. oneptbuk

    oneptbuk Private E-2

    Chaslang, many thanks. It looks like things are all clear, no more detections or alerts. I know you guys live this stuff every day, but this was a lot of work and time. Do you take/accept payola somehow?

    Anyway, big time thanks....

    Attached is the last (hopefully) ShowNew log.

    db
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your log is clean now!

    Yes I accept via PayPal but it's purely optional. If you want you can PM me with an email address and I will send you info.
     
