Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Explorer.exe and Winlogon.exe Virus - AVG


  • This topic is locked This topic is locked
2 replies to this topic

#1 cakeman181

cakeman181

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:12:10 AM

Posted 11 November 2010 - 04:16 AM

Hi, i have the above virus coming up on my AVG Free scanner. It is unable to fix them. I have run ComboFix and have attached the report. Any help would be greatly appreciated.

ComboFix 10-11-10.01 - Andrew 11/11/2010 13:53:12.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.895.505 [GMT 11:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
..

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
..

c:\windows\system32\winlogon.exe . . . is infected!!

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

..
((((((((((((((((((((((((( Files Created from 2010-10-11 to 2010-11-11 )))))))))))))))))))))))))))))))
..

2010-11-10 03:02 . 2010-11-10 03:02 5460 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-11-10 00:43 . 2010-11-10 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-11-03 23:59 . 2010-11-11 01:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-02 02:11 . 2010-11-02 02:11 -------- d-----w- c:\documents and settings\Andrew\Application Data\AVG10
2010-11-02 02:07 . 2010-11-02 02:07 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-11-02 02:05 . 2010-11-11 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-11-02 02:04 . 2010-11-02 02:04 -------- d-----w- c:\program files\AVG
2010-11-02 01:56 . 2010-11-11 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

..
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
..
2009-01-10 04:30 . 2008-03-14 00:45 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-01-10 04:30 . 2008-03-14 00:45 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-10 04:30 . 2008-03-14 00:45 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-01-10 04:30 . 2008-03-14 00:45 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-01-10 04:30 . 2008-03-14 00:45 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
..

------- Sigcheck -------

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download.bak\cf8ec753e88561d2ddb53e183dc05c3e\winlogon.exe
[-] 2004-08-04 . 6E5AC6AEBDC9B080E8C1DCC2141F5539 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download.bak\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe
[-] 2007-06-13 . 04D9D3792735FE66B9A12D878F6EC355 . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
..
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
..
..
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-10 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-03-28 454656]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 925696]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-01-19 159744]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-10 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-10 86960]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-24 210472]
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="c:\program files\Mediafour\MacDrive 7\MacDrive.exe" [2007-07-12 179288]
"MDGetStarted.exe"="c:\program files\Mediafour\MacDrive 7\MDGetStarted.exe" [2007-06-13 139264]
"WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2007-05-07 589824]
"EPSON Stylus CX4700 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADP.EXE" [2005-02-02 98304]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-12 47392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

c:\documents and settings\Andrew\Start Menu\Programs\Startup\
Shortcut to netlogin.lnk - c:\documents and settings\Andrew\My Documents\netlogin.bat [2008-7-14 73]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Soulseek-Test\\slsk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\KAV\\KAV70\\English\\setup.exe"=
"c:\\Program Files\\Webcam\\NetCamCtr1\\WSRV.exe"=
"c:\\Program Files\\TightVNC\\WinVNC.exe"=
"c:\\Program Files\\IncredibleCharts\\IncredibleCharts.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:DHCP Discovery Service
"5400:TCP"= 5400:TCP:Cameras
"5400:UDP"= 5400:UDP:Cameras UDP

R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [5/09/2007 4:01 PM 277888]
R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.sys [28/02/2007 12:15 PM 19072]
R2 MacDriveService;MacDriveService;c:\program files\Mediafour\MacDrive 7\MacDriveService.exe [1/05/2007 3:55 PM 143360]
R3 keybmon;keybmon;c:\windows\system32\drivers\keybmon.sys [25/10/2008 12:07 PM 4934]
R3 mousmon;mousmon;c:\windows\system32\drivers\mousmon.sys [25/10/2008 12:07 PM 3491]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S3 hwcdcmdm0;HUAWEI Mobile Connect - 3G Modem;c:\windows\system32\drivers\ewusbmdm.sys [27/07/2008 3:21 PM 100992]
S3 hwusbapp;HUAWEI Mobile Connect - 3G PC UI Interface;c:\windows\system32\drivers\ewusbapp.sys [27/02/2008 12:21 PM 65152]
S3 hwusbser;HUAWEI Mobile Connect - 3G Application Interface;c:\windows\system32\drivers\ewusbser.sys [27/02/2008 12:21 PM 65152]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [19/01/2008 1:29 PM 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [19/01/2008 1:29 PM 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [19/01/2008 1:29 PM 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [19/01/2008 1:29 PM 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [19/01/2008 1:30 PM 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [19/01/2008 1:29 PM 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [19/01/2008 1:29 PM 97704]
S3 Webcam Corp. Service Starter;Webcam Corp. Service Starter;c:\program files\Webcam\NetCamCtr1\dogsvc.exe --> c:\program files\Webcam\NetCamCtr1\dogsvc.exe [?]
..
Contents of the 'Scheduled Tasks' folder

2010-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 02:34]
..
..
------- Supplementary Scan -------
..
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {D3D7646F-90DD-477D-8C07-F9A2D7F7B70B} = 10.1.1.1,10.1.150.1
DPF: {15A02B79-60BB-42B8-814E-BF8364106B9E} - hxxp://images.commsec.com.au/downloads/pco3/Pco3X_Commsec.cab
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\f0ve9pzv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
..
..
------- File Associations -------
..
JSEFile=NOTEPAD.EXE %1
..

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-11 14:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
..
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3168)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\progra~1\WINZIP\WZSHLSTB.DLL
c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
c:\windows\system32\browselc.dll
c:\program files\Common Files\Mediafour\MACFPROP.DLL
c:\program files\Common Files\Mediafour\MACDRAPI.DLL
c:\program files\Common Files\Mediafour\1033\MACFPROP.DL_
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\shdoclc.dll
..
------------------------ Other Running Processes ------------------------
..
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\hpq\Shared\HPQTOA~1.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
c:\windows\system32\SearchProtocolHost.exe
..
**************************************************************************
..
Completion time: 2010-11-11 14:05:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-11 03:05
ComboFix2.txt 2010-11-10 02:40
ComboFix3.txt 2010-11-10 00:23

Pre-Run: 2,640,130,048 bytes free
Post-Run: 2,657,452,032 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - C0FF8178DBFF66115980E92BD858613C

Edited by elise025, 11 November 2010 - 07:42 AM.
Since a log is posted, I am moving this to the malware removal forum ~ Elise


BC AdBot (Login to Remove)

 


#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:10 AM

Posted 11 November 2010 - 04:36 PM

Hello cakeman181 ,

Posted Image

Looks like ComboFix was able to take care of part of it, but not all. You're running Service Pack 2. I'd like for you to update to Service Pack 3, please. That should take care of both infected files. Please then run ComboFix and post the report in your reply. :)

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:12:10 AM

Posted 17 November 2010 - 10:24 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users