TR/Patched.Gen virus and loss of Windows Explorer on Windows XP Pro SP3


  • This topic is locked
57 replies to this topic

#1 maryba

  • Members
  • 120 posts

Posted 29 June 2012 - 09:06 AM

Summary
Two problems:
1) After an Avira detection of TR/Patched.Gen and reporting that Explorer.exe and winlogon.exe were infected and quarantined (by me),
2) Windows Explorer no longer functions.

Sequence of events
Within a minute of opening a website, Avira (free edition) did a popup alert to say "TR/Patched.Gen" detected. I took the "Deny" option and within seconds, another popup occurred, this time saying 2 detects of the same item. Did a Deny again and again another popup saying the same thing except 4 detects. Repeated several more times with varying counts of the same item. I did the deny option every time. In meantime, Avira's system scan had started and eventually stopped with a summary showing Explorer.exe and winlogon.exe as being "infected" (my terminology). I took the option to quarantine them.

Before the Avira system scan had ended, I had started a Malwarebytes QuickScan. But since it was going so slowly and because it dawned on me that I shouldn't be running both Avira's and MB's scans at the same time, I cancelled MB. And I then did as described above with the Avira scan.

Avira recommended a restart so I took that option. When Windows restarted, it wouldn't display the Task Bar or Start button. No keyboard or mouse function seemed available so couldn't start Windows Explorer. When I restarted in Safe Mode, I got past the login screen but still could not start Explorer. I couldn't find explorer.exe in the Windows folder (had restarted in Safe Mode with DOS prompt) so pasted a copy from another computer's XP Pro installation. On restart, the TaskBar and a session of Explorer showed up and both were usable. I ran a MB scan and found no detections.

On next OS restart, after Desktop showed, I only got a "Windows Explorer has encountered a problem and needs to close..." popup. Same results after several retries. I finally tried TaskManager and found that I can start and run a wide variety of programs with no problems, so far. Also have full network and internet function. Can do any file management functions but only in DOS (cmd/CLI). But, at least, no further Avira detections.

Since events in the previous paragraph, I am now encountering a "Generic Host Process for Win32 Services has encountered a problem and needs to close..." popup - followed by a popup stating "DCOM Server Process Launcher Service... system will shutdown in xx seconds". Which it will do unless I DOS-prompt enter "@shutdown -a".

Additionally, I have reloaded copies of explorer.exe and winlogon.exe from both
1) the other computer's XP Pro installation and
2) the OEM-supplied OS Reinstallation CD - XP Pro SP3.
I had varying results: one time, got BSOD; another time, got Windows Explorer and Taskbar showing but with Avira detecting the TR/Patched.Gen again in the same way as described in the first paragraph. If I let "Explorer.exe" get quarantined, the Avira detection stops. But one thing I've noticed is the source files (explorer.exe and winlogon.exe) are immediately increased in byte size when copied onto the target operating system HD. Does this mean Patched.Gen is running in background and sees the arrival of the new explorer and winlogon exe files and modifies them - that quickly? Scary, if so.

So, presently, I'm still able to run programs from Task Manager's File/Run tab and from the DOS prompt. Wanted to underscore that because I'm not sure how I would be able to run ComboFix, if needed, without use of the mouse on the Desktop - i.e., dragging and dropping the "fix.txt" file onto the ComboFix icon.

Re attached Gmer.log: Gmer ran for several hours so I was surprised that there was so little content in its log. Can that be expected?
DDS.txt enclosed and Attach.txt is attached.

Any help would be appreciated.


Mike
===========



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512
Run by ADMIN at 11:50:17 on 2012-06-26
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.521 [GMT -6:00]
.
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [Dexpot] c:\program files\dexpot\dexpot.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_2_202_235_ActiveX.exe -update activex
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.15.1
TCP: Interfaces\{74344527-37CC-4E06-AE03-95A902FE9028} : DhcpNameServer = 192.168.15.1
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\admin\application data\mozilla\firefox\profiles\qj4idqyr.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com
FF - plugin: c:\documents and settings\admin\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\admin\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\admin\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-5-11 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-5-11 86224]
R2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-5-11 110032]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-5-11 83392]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-1-26 50704]
S0 cerc6;cerc6; [x]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-3-30 136176]
S3 A193_ADS;VideoXpress V2 Analog Capture;c:\windows\system32\drivers\A193_ADS.sys [2010-12-22 277888]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-6-16 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-3-30 136176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-06-26 17:50:23 600 ----a-w- c:\documents and settings\all users\application data\auwmaaa.tmp
2012-06-26 17:33:58 600 ----a-w- c:\documents and settings\all users\application data\uuzmaaa.tmp
2012-06-25 18:22:49 56 ----a-w- c:\documents and settings\admin\T.BAT
2012-06-25 12:10:23 606 ----a-w- c:\documents and settings\all users\application data\eibnaaa.tmp
2012-06-24 22:13:49 8 ----a-w- c:\documents and settings\admin\IE.bat
2012-06-23 16:48:31 1058304 ----a-r- c:\windows\explorer.exe
2012-06-23 16:40:38 594 ----a-w- c:\documents and settings\all users\application data\maxlaaa.tmp
2012-06-16 14:57:51 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M ====================
.
2012-06-24 16:45:09 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-25 06:32:27 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-04-17 03:18:01 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-04-04 21:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-27 05:11:08 444283 ----a-w- c:\program files\common files\WinPcapNmap.exe
.
============= FINISH: 11:51:07.34 ===============


#2 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 30 June 2012 - 12:24 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 maryba (Topic Starter)

  • Members
  • 120 posts

Posted 30 June 2012 - 11:38 AM

Hi Gringo,

Thanks for your fast response.

Couple of things regarding running ComboFix:
1) I can't access the Avira icon in the system tray to disable Avira - my entire taskbar, including the system tray is no longer visible. I've tried End Process-ing all the apparent "av..." processes showing in TaskManager, Processes tab and could not close avguard.exe or avshadow.exe - got a popup saying "Access Denied" - I had also gone to msconfig, Startup tab to disable "avgnt" but no luck: next OS restart, Avira had started and msconfig, Startup tab still showed "avgnt" checkmarked "on" in the Startup Item column.

2) And for the likely "fix.txt" file you might provide to drag and drop onto the Desktop Combofix icon, I have no display of icons or use of mouse or keyboard on the Desktop. Something to do with having no explorer.exe running, I suppose.

I have "apparent" full use of DOS Prompt to manage files and run programs and TaskManager's File, Run to run programs. Just no Desktop, Taskbar, or Windows Explorer.

Any guidance? Will wait until I hear from you before running ComboFix.


Mike

#4 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 30 June 2012 - 11:55 AM

Go ahead and run ComboFix and give me an update on what you have after it finishes.


gringo

#5 maryba (Topic Starter)

  • Members
  • 120 posts

Posted 30 June 2012 - 01:00 PM

Hola Gringo,

Ran SecurityCheck and then ComboFix. I had lost where SC's log file was stored (by default of last store use of Notepad) so I reran another SC after CF and that version is what's included below.

As you expected, CF commented and warned about Avira still running but proceeded gracefully - I'm guessing. It also installed a copy of Recovery Console. Glad to have that in case of this or any future need.

Looking forward to your response.


Mike
====


Results of screen317's Security Check version 0.99.42
Windows XP Service Pack 3 x86
Internet Explorer 6 Out of date!
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Enabled!
Avira Desktop
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Malwarebytes Anti-Malware version 1.61.0.1400
Java™ 6 Update 20
Java™ 6 Update 23
Java version out of Date!
Adobe Flash Player 11.3.300.262
Adobe Reader X (10.1.1)
Mozilla Firefox (6.0.2)
````````Process Check: objlist.exe by Laurent````````
Avira Antivir avguard.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C::
````````````````````End of Log``````````````````````

ComboFix 12-06-28.03 - ADMIN 06/30/2012 12:13:17.1.2 - x86
Running from: C:\ComboFix.exe
AV: Avira Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\ADMIN\Application Data\1&1
c:\documents and settings\ADMIN\Application Data\1&1\1&1 EasyLogin\ErrorLogs\StackTrace.txt
c:\documents and settings\ADMIN\Desktop\System Check.lnk
c:\documents and settings\ADMIN\mail.dat
c:\documents and settings\ADMIN\mess.dat
c:\documents and settings\ADMIN\Recent\Thumbs.db
c:\documents and settings\ADMIN\Start Menu\Programs\System Check
c:\documents and settings\ADMIN\Start Menu\Programs\System Check\System Check.lnk
c:\documents and settings\ADMIN\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\documents and settings\All Users\Application Data\auwmaaa.tmp
c:\documents and settings\All Users\Application Data\eibnaaa.tmp
c:\documents and settings\All Users\Application Data\khymaaa.tmp
c:\documents and settings\All Users\Application Data\maxlaaa.tmp
c:\documents and settings\All Users\Application Data\qgvmaaa.tmp
c:\documents and settings\All Users\Application Data\uuzmaaa.tmp
c:\windows\d.bat
c:\windows\expl.dat
c:\windows\system32\dllc.dat
c:\windows\system32\PowerToyReadme.htm
c:\windows\system32\svch.dat
c:\windows\system32\winl.dat
c:\windows\T.BAT
.
c:\windows\system32\svchost.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-30 )))))))))))))))))))))))))))))))
.
.
2012-06-30 16:29 . 2012-06-18 04:16 881475 ----a-w- C:\SecurityCheck.exe
2012-06-29 16:44 . 2012-06-29 16:44 8 ----a-w- C:\IE.bat
2012-06-29 00:38 . 2012-06-29 00:40 -------- d-----w- C:\nocomment062212
2012-06-28 20:07 . 2012-06-28 20:07 -------- d-----w- c:\documents and settings\ADMIN\temptest
2012-06-27 21:58 . 2008-04-14 12:00 1033728 ----a-w- c:\windows\explorer.exe
2012-06-27 21:23 . 2008-04-14 13:42 507904 ----a-w- c:\windows\system32\winlogon1.exe
2012-06-26 17:57 . 2012-06-26 17:57 302592 ----a-w- C:\hwsyc3gx.exe
2012-06-25 18:22 . 2012-06-25 19:43 56 ----a-w- c:\documents and settings\ADMIN\T.BAT
2012-06-24 22:13 . 2012-06-24 22:06 8 ----a-w- c:\documents and settings\ADMIN\IE.bat
2012-06-24 22:06 . 2012-06-24 22:06 8 ----a-w- c:\documents and settings\IE.bat
2012-06-23 15:49 . 2012-06-23 15:49 -------- d-----w- c:\documents and settings\Administrator
2012-06-16 14:57 . 2012-06-24 16:45 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-24 16:45 . 2011-06-20 02:01 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-27 16:20 . 2012-05-12 04:14 137928 ----a-w- c:\windows\system32\drivers\avipbb.sys
2012-04-25 06:32 . 2012-05-12 04:14 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-04-17 03:18 . 2012-05-12 04:14 36000 ----a-w- c:\windows\system32\drivers\avkmgr.sys
2012-04-04 21:56 . 2010-12-23 08:16 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-27 05:11 . 2011-03-29 05:09 444283 ----a-w- c:\program files\Common Files\WinPcapNmap.exe
2011-09-03 06:01 . 2011-09-22 17:12 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2004-08-04 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe
.
[-] 2008-04-14 . BAAB1A93E8177BB362AD27924DB62ADB . 39424 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
.
[-] 2008-04-14 12:00 . FF4ED3983B3B2845DBD08C272533BD4F . 1033728 . . [------] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dexpot"="c:\program files\Dexpot\dexpot.exe" [2009-06-04 1286144]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-05-02 348624]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes Anti-Malware (cleanup)"="c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\cleanup.dll" [2012-04-04 1082440]
.
[HKLM\~\startupfolder\C:^Documents and Settings^ADMIN^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
path=c:\documents and settings\ADMIN\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
backup=c:\windows\pss\OpenOffice.org 3.2.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^McAfee Security Scan Plus.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\McAfee Security Scan Plus.lnk
backup=c:\windows\pss\McAfee Security Scan Plus.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MediaTV Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MediaTV Monitor.lnk
backup=c:\windows\pss\MediaTV Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-03 07:37 843712 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-09-05 17:04 35736 ----a-w- c:\program files\Adobe\Reader 10.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2011-11-02 05:25 59240 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
2012-05-02 06:31 348624 ----a-w- c:\program files\Avira\AntiVir Desktop\avgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-06-06 10:01 136176 ----atw- c:\documents and settings\ADMIN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2006-03-23 22:17 94208 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2012-04-04 21:56 981680 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-08-26 17:19 17361032 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 17:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\programs - no installation needed\\ws_ftp\\ws_ftp95.exe"=
"c:\\xampp\\xampp\\apache\\bin\\httpd.exe"=
"c:\\xampp\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\xampp\\mysql\\bin\\mysqld.exe"=
"c:\\xampp\\apache\\bin\\httpd.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\ADMIN\\Application Data\\hlololol.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Documents and Settings\\ADMIN\\Desktop\\MedArc\\openmrs-standalone-1.8.3\\openmrs-standalone-1.8.3\\database\\bin\\mysqld.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Documents and Settings\\ADMIN\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
.
R0 cerc6;cerc6; [x]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [x]
R3 A193_ADS;VideoXpress V2 Analog Capture;c:\windows\system32\DRIVERS\A193_ADS.sys [x]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [x]
S1 avkmgr;avkmgr;c:\windows\system32\DRIVERS\avkmgr.sys [x]
S2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [x]
S2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-30 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-16 16:45]
.
2012-06-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 23:57]
.
2012-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-30 22:51]
.
2012-06-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-03-30 22:51]
.
2012-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-382435906-1983232911-3557363581-1003Core.job
- c:\documents and settings\ADMIN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 10:01]
.
2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-382435906-1983232911-3557363581-1003UA.job
- c:\documents and settings\ADMIN\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 10:01]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://yahoo.com/
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.15.1
FF - ProfilePath - c:\documents and settings\ADMIN\Application Data\Mozilla\Firefox\Profiles\qj4idqyr.default\
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Aptunionyf - c:\documents and settings\ADMIN\Application Data\Roetq\fauv.exe
MSConfigStartUp-CmPCIaudio - CMICNFG3.cpl
MSConfigStartUp-qwQyYjawWfCqhWQ - c:\documents and settings\All Users\Application Data\qwQyYjawWfCqhWQ.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-30 12:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-06-30 12:34:06
ComboFix-quarantined-files.txt 2012-06-30 18:33
.
Pre-Run: 31,850,000,384 bytes free
Post-Run: 33,322,045,440 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 3E77FFDDF03404225E0C1F63A98EAFC5


--- end of Mike to Gringo ---

#6 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 30 June 2012 - 03:10 PM

SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
explorer.exe
svchost.exe
winlogon.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 maryba

Posted 30 June 2012 - 03:26 PM

Gringo,

SystemLook 30.07.11 by jpshortstuff
Log created at 15:14 on 30/06/2012 by ADMIN
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [21:58 27/06/2012] [12:00 14/04/2008] FF4ED3983B3B2845DBD08C272533BD4F

Searching for "svchost.exe"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 199240 bytes [22:40 10/03/2012] [21:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\system32\svchost.exe --a---- 39424 bytes [12:00 14/04/2008] [12:00 14/04/2008] BAAB1A93E8177BB362AD27924DB62ADB

Searching for "winlogon.exe"
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 199240 bytes [22:40 10/03/2012] [21:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\system32\winlogon.exe --a---- 502272 bytes [12:00 14/04/2008] [10:00 04/08/2004] 01C3346C241652F43AED8E2149881BFE

-= EOF =-


Mike
====

#8 gringo_pr

Posted 30 June 2012 - 03:52 PM

Greetings Mike


do you have access to another windows XP computer?


gringo

#9 maryba

Posted 30 June 2012 - 03:57 PM

Yes And 1 OEM-provided ReInstallation CD. And 1 new installation CD. All are XP Pro

#10 gringo_pr

Posted 30 June 2012 - 04:23 PM

Greetings


That is good news!!

I want you to copy these files to a jump drive from the clean computer

c:\windows\system32\winlogon.exe

c:\windows\system32\svchost.exe

c:\windows\explorer.exe



Now I want you to move them to the infected computer, but you will not be able to move them to the correct folders yet.

I want you to put them on the C:\ drive:


c:\winlogon.exe

c:\svchost.exe

c:\explorer.exe



then when that is complete run this again for me

SystemLook:


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
explorer.exe
svchost.exe
winlogon.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#11 maryba

Posted 30 June 2012 - 04:41 PM

Gringo,

Here ya go.

SystemLook 30.07.11 by jpshortstuff
Log created at 16:31 on 30/06/2012 by ADMIN
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"
C:\explorer.exe --a---- 1033728 bytes [22:30 30/06/2012] [13:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [21:58 27/06/2012] [12:00 14/04/2008] FF4ED3983B3B2845DBD08C272533BD4F

Searching for "svchost.exe"
C:\svchost.exe --a---- 14336 bytes [22:30 30/06/2012] [13:42 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 199240 bytes [22:40 10/03/2012] [21:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\system32\svchost.exe --a---- 39424 bytes [12:00 14/04/2008] [12:00 14/04/2008] BAAB1A93E8177BB362AD27924DB62ADB

Searching for "winlogon.exe"
C:\winlogon.exe --a---- 507904 bytes [22:30 30/06/2012] [13:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 199240 bytes [22:40 10/03/2012] [21:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\system32\winlogon.exe --a---- 502272 bytes [12:00 14/04/2008] [10:00 04/08/2004] 01C3346C241652F43AED8E2149881BFE

-= EOF =-


Mike
====
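
An added check for the two SystemLook listings above (post #7 and post #11). This is example code, not something from the thread or from the SystemLook tool itself: it parses the `:filefind` line format and, for each binary, compares the clean copy dropped at the root of C:\ with the copy Windows actually loads. The sample log is the one posted above; the assumption that each result line is path, attributes, size, two bracketed timestamps and an MD5, in that order, is mine, read off that log, and the table of load paths and the function names are mine as well.

```python
"""Compare SystemLook ':filefind' results for one file name across locations.

Added example, not code from the thread or from SystemLook. Assumption (mine,
read off the posted log): each result line looks like
    <path> <attrs> <size> bytes [<stamp1>] [<stamp2>] <MD5>
"""
import re
from collections import defaultdict

# Constructed sample: the SystemLook output posted earlier in this thread.
SAMPLE_LOG = r"""
SystemLook 30.07.11 by jpshortstuff
Log created at 16:31 on 30/06/2012 by ADMIN
Administrator - Elevation successful

========== filefind ==========

Searching for "explorer.exe"
C:\explorer.exe --a---- 1033728 bytes [22:30 30/06/2012] [13:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [21:58 27/06/2012] [12:00 14/04/2008] FF4ED3983B3B2845DBD08C272533BD4F

Searching for "svchost.exe"
C:\svchost.exe --a---- 14336 bytes [22:30 30/06/2012] [13:42 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\svchost.exe --a---- 199240 bytes [22:40 10/03/2012] [21:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\system32\svchost.exe --a---- 39424 bytes [12:00 14/04/2008] [12:00 14/04/2008] BAAB1A93E8177BB362AD27924DB62ADB

Searching for "winlogon.exe"
C:\winlogon.exe --a---- 507904 bytes [22:30 30/06/2012] [13:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 199240 bytes [22:40 10/03/2012] [21:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
C:\WINDOWS\system32\winlogon.exe --a---- 502272 bytes [12:00 14/04/2008] [10:00 04/08/2004] 01C3346C241652F43AED8E2149881BFE

-= EOF =-
"""

LINE_RE = re.compile(
    r'^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes '
    r'\[(?P<stamp1>[^\]]+)\] \[(?P<stamp2>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$'
)
HEADER_RE = re.compile(r'^Searching for "(?P<name>.+)"$')

# Where Windows XP loads each binary from (table assumed for this example).
EXPECTED_PATH = {
    'explorer.exe': r'C:\WINDOWS\explorer.exe',
    'svchost.exe': r'C:\WINDOWS\system32\svchost.exe',
    'winlogon.exe': r'C:\WINDOWS\system32\winlogon.exe',
}
REFERENCE_DIR = 'C:\\'  # where the clean copies were placed in the thread


def parse_filefind(text):
    """Return {file name (lower case): [record, ...]} from a filefind log."""
    results = defaultdict(list)
    current = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = h.group('name').lower()
            continue
        m = LINE_RE.match(line)
        if m and current is not None:
            rec = m.groupdict()
            rec['size'] = int(rec['size'])
            rec['md5'] = rec['md5'].upper()
            results[current].append(rec)
    return dict(results)


def _find(records, path):
    """First record whose path equals `path`, ignoring case, else None."""
    return next((r for r in records if r['path'].lower() == path.lower()), None)


def compare(parsed):
    """Return {name: verdict} for every entry in EXPECTED_PATH.

    'match'         reference and live copy have the same MD5
    'hash-mismatch' same size, different MD5: what an in-place patch looks like
    'size-mismatch' different size: usually a different build, not tampering
    'missing'       reference or live copy absent from the log
    """
    verdicts = {}
    for name, live_path in EXPECTED_PATH.items():
        records = parsed.get(name, [])
        ref = _find(records, REFERENCE_DIR + name)
        live = _find(records, live_path)
        if ref is None or live is None:
            verdicts[name] = 'missing'
        elif ref['md5'] == live['md5']:
            verdicts[name] = 'match'
        elif ref['size'] == live['size']:
            verdicts[name] = 'hash-mismatch'
        else:
            verdicts[name] = 'size-mismatch'
    return verdicts


def report(text):
    """One line per binary with the verdict and both hashes, for the record."""
    parsed = parse_filefind(text)
    lines = []
    for name, verdict in compare(parsed).items():
        recs = parsed.get(name, [])
        ref = _find(recs, REFERENCE_DIR + name)
        live = _find(recs, EXPECTED_PATH[name])
        lines.append('%-13s %-14s ref=%s live=%s' % (
            name, verdict, ref['md5'] if ref else '-', live['md5'] if live else '-'))
    return lines


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_LOG)))
```

On the posted log this reports explorer.exe as a same-size hash mismatch, which is the signature of a file patched in place, and svchost.exe and winlogon.exe as size mismatches, which only says the reference copies are a different build (the live winlogon.exe carries a 2004 stamp, the reference a 2008 one). A size difference is not evidence of tampering until the reference is known to be the same service pack and language as the target. The timestamps are deliberately not used as a signal: the legitimately copied C:\explorer.exe shows the same recent-plus-old stamp pair as the suspect C:\WINDOWS\explorer.exe.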

#12 gringo_pr

Posted 30 June 2012 - 08:55 PM

Greetings

Very good job!!

Let's run this now.

Blitzblank.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:
CopyFile:
C:\explorer.exe C:\WINDOWS\explorer.exe
C:\svchost.exe C:\WINDOWS\system32\svchost.exe
C:\winlogon.exe C:\WINDOWS\system32\winlogon.exe
C:\explorer.exe C:\WINDOWS\system32\dllcache\explorer.exe
C:\winlogon.exe C:\WINDOWS\system32\dllcache\winlogon.exe
C:\svchost.exe C:\WINDOWS\system32\dllcache\svchost.exe
  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post me the report created by Blitzblank. You can find it at the root of the drive, normally C:\


#13 maryba

Posted 30 June 2012 - 09:26 PM

Whew! I was sweating bullets.

But looks good. Very pleased to have Windows Explorer and Taskbar back.

A few observations/questions:
1) I assume the blue screen (not BSOD) during startup was BlitzBlank doing its job - thanks for the warning!
2) System Tray icons took a verrrrry long time to display. Is that likely only a one-time thing? I've only rebooted once.
3) Same with my email client and browser. Guess I could've closed and reopened them to see if any faster.
4) How did TR/Patched.Gen pull this off? Was it embedding code in explorer.exe, winlogon.exe, and the svchost.exe we "repaired"? Bastards!
5) Am I out of the woods?
6) Is Avira good enough? It would seem maybe not.

BB log here:

BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
CopyFileOnReboot: sourceFile = "\??\c:\explorer.exe", destinationFile = "\??\c:\windows\explorer.exe"
CopyFileOnReboot: sourceFile = "\??\c:\svchost.exe", destinationFile = "\??\c:\windows\system32\svchost.exe"
CopyFileOnReboot: sourceFile = "\??\c:\winlogon.exe", destinationFile = "\??\c:\windows\system32\winlogon.exe"
CopyFileOnReboot: sourceFile = "\??\c:\explorer.exe", destinationFile = "\??\c:\windows\system32\dllcache\explorer.exe"
CopyFileOnReboot: sourceFile = "\??\c:\winlogon.exe", destinationFile = "\??\c:\windows\system32\dllcache\winlogon.exe"
CopyFileOnReboot: sourceFile = "\??\c:\svchost.exe", destinationFile = "\??\c:\windows\system32\dllcache\svchost.exe"


====
Mike
====

#14 maryba

Posted 30 June 2012 - 09:41 PM

Whoops! Too soon.

Forgot to include in previous reply that I couldn't start Control Panel. Got message saying "This file does not have a program associated with it for performing this action. Create an association in Folder Options Control panel." Unhappy to see this but couldn't quite figure out the corrective action.

But, more important, I've just now experienced another "Windows Explorer has encountered a problem and needs to close...". Its error signature shows "shlwapi.dll". And within another minute, "Dr Watson has encountered...." happened also.

Any ideas?


Mike
====

#15 maryba

Posted 30 June 2012 - 09:45 PM

Should note that running any other already-opened programs doesn't happen or is very slow to respond. Just clicked on TaskBar icons for Outlook Express, Windows Explorer, and a Notebook session and no response. At least browser is still working for the moment.

Mike



