Replace an infected system32/winlogon.ece (688)

I have been searching with google for a solution to replace instead of
deleting winlogon.exe via AVG Anti-virus scan (Trojan horse
Generic12.KAO) but do not seem to locate any instructions -
 
I understand this is a required win XP file, but the required file is
about a third of the size of the current file...

I have the following Trojans listed in the scan:

Trojan horse Generic12.KOA
Windows\system32\winlogon.exe (688)  
Windows\system32\fccaBSmN.dll

Trojan horse Dropper.Bravix.O
Windows\brastk.exe
Windows\system32\brastk.exe

Trojan horse Agent.ALLS
Recyclers\S-1-5-21-2616091594-1302815556-3866106918-1009\Dc124.exe

Trojan horse Agent.AHRN
Windows\Karna.dat

I cannot update AVG, nor can I update Windows... Last updates were
performed OCT-11-2008.

I cannot install:
Malwarebytes, Spybot Search & Destroy, nor can I install Superantispyware.

I did manage to scan with ewido.com/en/onlinescan, and I have managed to
install A squared and it found a good number of infections...

I am getting redirects of Firefox now that were not happening 30 minutes
ago...

JR the postman


Re: Replace an infected system32/winlogon.ece (688)

On Wed, 28 Jan 2009 01:36:37 +0000, Postman Delivers wrote:

<snip>

Infected system32/winlogon.exe, not ece

JR the postman

Re: Replace an infected system32/winlogon.ece (688)

On Wed, 28 Jan 2009 01:36:37 GMT, Postman Delivers wrote:


"The only way to clean a compromised system is to flatten and rebuild.
That's right. If you have a system that has been completely compromised,
the only thing you can do is to flatten the system (reformat the system
disk) and rebuild it from scratch (re-install Windows and your
applications)..."
http://www.microsoft.com/technet/community/columns/secmgmt/sm0504.mspx

Re: Replace an infected system32/winlogon.ece (688)




Have you tried scannow to repair system files ?
http://www.updatexp.com/scannow-sfc.html
You may need your XP cd handy.

Alternatively, boot with a BartPE-type disk and manually replace the file.




 

Re: Replace an infected system32/winlogon.exe (688)


| I have been searching with google for a solution to replace instead of
| deleting winlogon.exe via AVG Anti-virus scan (Trojan horse
| Generic12.KAO) but do not seem to locate any instructions -

| I understand this is a required win XP file, but the required file is
| about a third of the size of the current file...

| I have the following Trojans listed in the scan:

| Trojan horse Generic12.KOA
| Windows\system32\winlogon.exe (688)
| Windows\system32\fccaBSmN.dll

| Trojan horse Dropper.Bravix.O
| Windows\brastk.exe
| Windows\system32\brastk.exe

| Trojan horse Agent.ALLS
| Recyclers\S-1-5-21-2616091594-1302815556-3866106918-1009\Dc124.exe

| Trojan horse Agent.AHRN
| Windows\Karna.dat

| I cannot update AVG, nor can I update Windows... Last updates were
| performed OCT-11-2008.

| I cannot install:
| Malwarebytes, Spybot Search & Destroy, nor can I install Superantispyware.

| I did manage to scan with ewido.com/en/onlinescan, and I have managed to
| install A squared and it found a good number of infections...

| I am getting redirects of Firefox now that were not happening 30 minutes
| ago...

| JR the postman


Place the drive in a surrogate PC and scan the system.

Let's say that the surrogate PC is drive "C:" and the affected drive is
drive "F:" in the surrogate PC.

When completed, if the AV software such as AVG deletes
F:\windows\system32\winlogon.exe, you can either extract it from the
i386 folder or copy it from the surrogate PC.

1.    Copy from surrogate PC.
Again assuming that the surrogate PC is drive "C:" and the affected drive
is drive "F:":

copy  %windir%\ServicePackFiles\i386\winlogon.exe   F:\windows\system32

2.    Extract from i386 folder.
Again assuming that the surrogate PC is drive "C:" and the affected drive
is drive "F:":

expand  C:\i386\winlogon.ex_   F:\windows\system32\winlogon.exe

If the i386 installation files are not on the hard disk but on a CD-ROM,
and the CD-ROM drive is "D:":

expand  D:\i386\winlogon.ex_   F:\windows\system32\winlogon.exe


I hope this gives you some ideas of an approach to take.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
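Before copying a replacement winlogon.exe into F:\windows\system32 (or after doing so), it helps to confirm that what is on the affected disk really differs from the known-good copy, and that the copy you are about to install is a well-formed PE image. The following is an added example, not code from the thread or from any of the tools named in it; it assumes the affected disk is mounted on a surrogate PC or a Linux live CD as in Dave's post, that a known-good copy has been taken from ServicePackFiles\i386 or expanded from i386\winlogon.ex_, and the paths in main() are the hypothetical ones from that post. The sample bytes in the test section are constructed stub images, not real Windows binaries.

```python
"""Offline triage of a suspect winlogon.exe against a known-good copy (added example)."""
import hashlib
import struct
from pathlib import Path


def sha256_of(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes, used to decide whether two copies are identical."""
    return hashlib.sha256(data).hexdigest()


def is_pe_image(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(suspect: bytes, reference: bytes) -> dict:
    """Compare the file currently on the disk with the known-good copy."""
    return {
        "suspect_is_pe": is_pe_image(suspect),
        "reference_is_pe": is_pe_image(reference),
        "hash_match": sha256_of(suspect) == sha256_of(reference),
        "suspect_size": len(suspect),
        "reference_size": len(reference),
        # How much bigger the on-disk file is than the genuine one (the original
        # poster saw a file roughly three times the expected size).
        "size_ratio": round(len(suspect) / len(reference), 2) if reference else None,
    }


def verdict(report: dict) -> str:
    """Turn the comparison into the action a responder would take next."""
    if not report["reference_is_pe"]:
        return "reference copy is not a valid PE image: obtain it again before using it"
    if report["hash_match"]:
        return "identical to known-good copy: no replacement needed, rescan the rest of the disk"
    return "differs from known-good copy: replace from i386 and rescan"


def triage_paths(suspect_path: str, reference_path: str) -> dict:
    """Read both files from a mounted disk and run the comparison."""
    return triage(Path(suspect_path).read_bytes(), Path(reference_path).read_bytes())


def build_stub_pe(payload: bytes) -> bytes:
    """Construct a minimal MZ/PE stub for offline tests (NOT a runnable executable)."""
    header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return header + b"PE\x00\x00" + payload


if __name__ == "__main__":
    # Hypothetical paths, taken from the surrogate-PC layout in Dave's post.
    suspect = r"F:\windows\system32\winlogon.exe"
    reference = r"C:\WINDOWS\ServicePackFiles\i386\winlogon.exe"
    if Path(suspect).exists() and Path(reference).exists():
        report = triage_paths(suspect, reference)
        print(report)
        print(verdict(report))
    else:
        print("mount the affected disk and adjust the two paths above")
```

Run it from the surrogate PC (or from the live CD with the NTFS volume mounted) after the AV has finished; a hash mismatch together with a size ratio far from 1.0 is the signal to overwrite the file with the i386 copy, and a hash match means the file on disk was already replaced and the remaining detections are elsewhere.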



Re: Replace an infected system32/winlogon.exe (688)

On Wed, 28 Jan 2009 06:26:15 -0500, David H. Lipman wrote:


* * *
Thanks to everyone for the suggestions...  

Update: Using the Avira AntiVirus Rescue System (Bootable Linux scanner)
it found and renamed 104 files.
 
Seems windows replaced the file, as I was able to remove the winlogon.xxx
file... and the correct winlogon.exe slipped into the right place...
 
I was able to perform a check disk and delete 400 corrupt files on the
disk. I can now add the programs I use for a proper cleaning.  
 
I am a bit sad the Avira AntiVirus Rescue System did not include a mouse
enabled write text file to disk procedure.  In addition the program
locked up the computer after the renaming process, when I tried to drop
into the CLI to try and save the file...  
 
But this off-line scanner took the first step and has allowed the
anti-virus to update, and I am able to do a better scan, as I can begin to
clean this Windows XP system and save the documents...  I may do a new
installation, since I presume this compromised Windows XP install may
have contaminants of the bad guys awaiting a wakeup call when it is
used to surf the web...
 
Again thanks to everyone, and I want you to know I was delighted to find
Avira AntiVirus Rescue System used a Linux distro to make this virus scan
possible.  Nothing against Bart PE, but I find using a Live CD Linux
operating system is a good step forward.   Using a KDE Linux operating
system running in memory as a vehicle for scanning and fixing a Windows
installation is something I asked about within the last year in this
newsgroup.
 
Puppy is a small Linux operating system that will run in 64 megs of
memory and as a Live CD it does not touch the hard drive, but mounting
the hard drive you can access the hard drive and its structure as if you
were using windows explorer...  

I use Mepis 7, a KDE Debian-based Live CD (needs 256 megs of memory) with
excellent hardware recognition, to recover all files from the hard drive
in a crashed, non-operational Windows system.  KDE's Konqueror, a web
browser/file manager, is easy to use, and if you did not know any better
it is Windows XP Explorer and Internet Explorer 6.0 in a single program.
 
I also use the free Clonezilla, a specialty Linux for making backups of
hard drives when you have your operating system set up as you want.  This
I find is the best way to protect your software, and the invested time
spent in customization. One-terabyte hard drives cost less than a hundred
US dollars with free shipping, so making a backup and setting it on a
shelf for several months before you again format and make another current
backup is not out of the realm of possibility for the home user who does
not set up a RAID...

JR the postman
