Sysinternals Forum > Windows Discussions > Malware

Trojan.Pandex!inf and Winlogon.exe

chimpmagnet (Newbie, joined 25 February 2007) - Posted: 25 February 2007 at 6:39am

Guys

Please please please help!  My Symantec AV detects the above virus but cannot delete or quarantine it because it's in Winlogon.exe.  The Winlogon.exe file cannot be deleted manually or accessed in any way because it is constantly locked by something (can't even copy it!). I can't even submit it for online virus scan, due to it being locked.

The Winlogon.exe file is in C:\windows\system32 and has been updated very recently. There is also wsys.dll, main.sys and runtime.sys.

I have run HijackThis, Dr.Web CureIt, ATF Cleaner, SUPERAntiSpyware and MWAV.  They got rid of some malware, but unfortunately none of these worked on winlogon.exe -- in fact MWAV even said that winlogon.exe was locked and so couldn't even scan it!

I tried System Restore (several different days) but the virus still pops up in Symantec.

I'm afraid that my information might be getting stolen!

I'm on XP SP2.

Please help!



Edited by chimpmagnet - 25 February 2007 at 6:57am

Karlchen (Senior Member, Germany) - Posted: 25 February 2007 at 9:00am
Hello, chimpmagnet.

Looking for "Trojan.Pandex" gives various results, some of them indicating it may be known as "W32.agent.ady" by some AV products.
Interestingly enough looking for "pandex" on the Symantec webpages yields absolutely no results.

So far I found no thread about removing "Trojan.Pandex" which ended successfully. At best, after trying a lot of things, people gave up, formatted and installed Windows from scratch (which very likely is the only way of making absolutely sure Pandex is gone).

You may check out some threads over at CastleCops, e.g.: (1) / (2) / (3) / (4)

You may find some information about Pandex even in this forum, cf. thread: Hey EP/MP ....new creatures ???
It will not help too much, because it is mainly focussed on analyzing the trojan components, not on how to get rid of it.

Some things are sure, though:
  • You should not connect the infected machine to the internet at any rate. It will very likely send out (confidential) information.(cf here)

  • You will need to replace the modified winlogon.exe with a clean winlogon.exe from your installation CD (this can only be done inside the Recovery Console), and maybe some more system files, not sure.

  • You will need to remove the dropper files, which at minimum are:
    + %temp%\[random number].exe, e.g. 1623906.exe
    + %windir%\system\reg.sys
    + %windir%\system\main.sys
    + %windir%\system\wsys.dll
    + (maybe some more)


If you wish to re-install your machine from scratch, this is OK. Back up any important data beforehand.

In case you wish to go through the cleaning procedure manually and step by step, I think the first things to do are:

  • Create an Autoruns logfile and post it here.
    As it may be quite long, it may be a good idea to zip it up and attach it to your reply using the "packer" symbol inside the forum editor.

  • Create a RootkitRevealer logfile and post it here.
    As it may be quite long, it may be a good idea to zip it up and attach it to your reply using the "packer" symbol inside the forum editor.

  • Inspect your infected machine using a specialized programme such as IceSword and maybe use it to kill some of the malicious processes and files, too.
    But keep in mind you will have to replace any infected Windows system file by a clean copy. So make a list of infected system files you delete.

Whatever you decide to do, good luck!

Karl
--
P.S.:
Should you opt for the manual process and should you be successful, do not forget to turn off System Restore once and turn it back on so as to remove any copy of the malware which may have made its way into a System Restore Point.


Edited by Karlchen - 25 February 2007 at 9:08am
chimpmagnet - Posted: 25 February 2007 at 12:20pm

Karl

Many thanks for the reply. I will do a full re-install ... I have spent way too much time on this now and have exhausted a lot of options.

It's just very disappointing that the big AV companies can't stop these viruses - Symantec didn't even help me when I contacted their analysts via online chat.

Thanks again - it's good to know that there are good people out there.

fcukdat (Senior Member, United Kingdom) - Posted: 25 February 2007 at 12:59pm

Sorry fellas if I'm unfashionably late, but here's some additional advice should anyone else come across this thread requiring help etc.

My apologies chimpmagnet for not posting earlier, I have been busy trying to capture this type of stuff.

Congrats, you are the unfortunate victim of CWS ****

The free Kaspersky AV6 personal trial will disinfect the patched Winlogon.exe

http://www.kaspersky.com/

IceSword force delete will nuke wsys.dll (located in the Windows/system32 folder) and svchost.exe (located in the Windows/temp folder).

Each time I'm getting this infection on my PC it is dropping 3 differently named .sys files in the system32 folder. If you go to the View tab and arrange icons by date modified, it will probably be the last 3 .sys files.

Upload these to the VirusTotal service for malware checking and if you get any positive identifications, delete them in Safe Mode.

http://www.virustotal.com/en/indexf.html

HTH :)

___________
Ade Gill
Malwarebytes Researcher
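The file-level checks from Karlchen's list (the dropper paths, a clean winlogon.exe from the installation CD) and fcukdat's "sort system32 by date modified and look at the last three .sys files" heuristic, as an added Python example; it is not code from the forum, from Sysinternals or from either poster. It assumes the infected drive is mounted from a rescue environment so the Windows directory is readable and nothing is locked, and the known-good SHA-256 and the sample tree it builds are constructed stand-ins, not real malware.

```python
"""Offline triage for the indicators named in this thread.

Added example, not a tool from the forum or from Sysinternals. Point it at a
Windows directory, ideally on a drive mounted read-only from a rescue CD so no
file is locked, and it reports (1) the dropper paths Karlchen listed, (2) the
most recently modified .sys files in system32 (fcukdat's heuristic) with their
SHA-256, and (3) whether system32\\winlogon.exe matches a known-good SHA-256 you
supply from a clean installation source. The hashes can be looked up on
VirusTotal without uploading anything from the infected box.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Dropper paths from the thread, relative to the Windows directory.
DROPPER_PATHS = ["system/reg.sys", "system/main.sys", "system/wsys.dll"]
# %temp%\<random number>.exe, e.g. 1623906.exe
TEMP_DROPPER_RE = re.compile(r"^\d+\.exe$", re.IGNORECASE)


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_dropper_files(windir: Path, temp_dir: Path) -> list:
    """Paths of the known dropper names that exist on this tree."""
    hits = [windir / p for p in DROPPER_PATHS if (windir / p).is_file()]
    if temp_dir.is_dir():
        hits += [p for p in sorted(temp_dir.iterdir())
                 if p.is_file() and TEMP_DROPPER_RE.match(p.name)]
    return hits


def newest_sys_files(windir: Path, count: int = 3) -> list:
    """The `count` most recently modified .sys files in system32, newest first."""
    sys_files = [p for p in (windir / "system32").glob("*.sys") if p.is_file()]
    sys_files.sort(key=lambda p: p.stat().st_mtime, reverse=True)
    return sys_files[:count]


def winlogon_matches(windir: Path, known_good_sha256: str):
    """True if winlogon.exe hashes to the known-good value, None if it is missing."""
    exe = windir / "system32" / "winlogon.exe"
    if not exe.is_file():
        return None
    return sha256_of(exe).lower() == known_good_sha256.lower()


def triage(windir, temp_dir, known_good_sha256: str) -> dict:
    windir, temp_dir = Path(windir), Path(temp_dir)
    return {
        "droppers": [str(p) for p in find_dropper_files(windir, temp_dir)],
        "newest_sys": [(p.name, sha256_of(p)) for p in newest_sys_files(windir)],
        "winlogon_ok": winlogon_matches(windir, known_good_sha256),
    }


def build_sample_tree(root) -> Path:
    """Constructed sample tree with placeholder files (no real malware), for the demo."""
    windir = Path(root) / "Windows"
    sys32, system, temp = windir / "system32", windir / "system", windir / "temp"
    for d in (sys32, system, temp):
        d.mkdir(parents=True)
    (sys32 / "winlogon.exe").write_bytes(b"patched winlogon placeholder")
    for rel in ("system/reg.sys", "system/main.sys", "system/wsys.dll", "temp/1623906.exe"):
        (windir / rel).write_bytes(b"dropper placeholder")
    # Each driver gets a later mtime than the previous one, so the last three are "newest".
    for i, name in enumerate(["ntfs.sys", "disk.sys", "main.sys", "runtime.sys", "abc.sys"]):
        p = sys32 / name
        p.write_bytes(name.encode())
        os.utime(p, (1_000_000 + i * 3600, 1_000_000 + i * 3600))
    return windir


def demo() -> dict:
    """Run the triage on the constructed tree; the known-good hash is a stand-in value."""
    known_good = hashlib.sha256(b"clean winlogon placeholder").hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        windir = build_sample_tree(tmp)
        return triage(windir, windir / "temp", known_good)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against a real drive you would call `triage(r"E:\Windows", r"E:\Windows\Temp", known_good)`, with `known_good` computed by `sha256_of` over a winlogon.exe taken from the installation CD (the XP CD ships it compressed as `i386\winlogon.ex_`, which `expand` unpacks). A mismatch does not by itself prove tampering (service packs and hotfixes also change the file), but it tells you the copy on disk is not the one you are comparing against.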

chimpmagnet - Posted: 25 February 2007 at 1:11pm

Fcuk, I was just about to re-install XP -- good timing!!

I am going to try out your suggestion now.  Thanks for the post, I will update soon.

techno_rulez (Groupie, Czech Republic) - Posted: 25 February 2007 at 1:24pm
Originally posted by chimpmagnet:
    Fcuk, I was just about to re-install XP -- good timing!!
    I am going to try out your suggestion now. Thanks for the post, I will update soon.


chimpmagnet,
You can also use the Windows XP Recovery Console to delete the file that is reported by Symantec AV. You can also use some rescue CD based on BartPE or Windows PE. This will ensure the file is not held by some process.

Usually it is not even possible to remove the files held by Winlogon.exe in Safe Mode, as Winlogon.exe is started there as well.

Note: infected files held by Winlogon.exe (Winlogon\Notify registry branch) can sometimes be renamed, and after a restart the file can be deleted (this removal technique can be used to remove parts of I-Worm/Stration (E-mail-Worm.Warezov)).

Edited by techno_rulez - 25 February 2007 at 1:34pm
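Karlchen asked for an Autoruns log and techno_rulez points at the Winlogon\Notify branch, where a registered DLL is loaded by winlogon.exe and therefore stays locked even in Safe Mode. The following is an added Python example, not a Sysinternals tool and not code from either poster: it reads the CSV that Autoruns can save and picks out Notify entries whose signer is not verified or whose image lives outside system32. The column names ("Entry Location", "Entry", "Signer", "Image Path"), the "(Verified) ..." signer text and the UTF-16 file encoding are assumptions about the Autoruns export format, and the sample rows are constructed.

```python
"""Pick out Winlogon\\Notify entries worth a second look from an Autoruns CSV export.

Added example, not a Sysinternals tool. A DLL registered under Winlogon\\Notify
is loaded by winlogon.exe, which is why it cannot be deleted while Windows is
running, even in Safe Mode. This reads the CSV that Autoruns saves and flags
Notify entries whose signer is not verified or whose image is outside system32.
Column names, the "(Verified) ..." signer text and the UTF-16 encoding are
assumptions about the export format; the sample rows below are constructed.
"""
import csv
import io
import ntpath

SYSTEM32 = r"c:\windows\system32"

# Constructed sample in the assumed Autoruns layout: two legitimate XP entries and
# two that mirror the thread (wsys.dll in system32, a DLL dropped under temp).
SAMPLE_CSV = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify,crypt32chain,enabled,Winlogon,Crypto API32,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\crypt32.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify,wsys,enabled,Winlogon,,(Not verified),,c:\windows\system32\wsys.dll
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify,usbpda,enabled,Winlogon,,(Not verified),,c:\windows\temp\usbpda.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,ctfmon.exe,enabled,Logon,CTF Loader,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\ctfmon.exe
"""


def is_verified(signer: str) -> bool:
    """Autoruns prefixes a signer that passed signature verification with '(Verified)'."""
    return signer.strip().lower().startswith("(verified)")


def under_system32(image_path: str) -> bool:
    """Case-insensitive check that the image's directory is exactly system32."""
    return ntpath.normcase(ntpath.dirname(image_path.strip())) == ntpath.normcase(SYSTEM32)


def suspicious_notify_entries(csv_text: str) -> list:
    """(entry, image path, reasons) for every Winlogon\\Notify row that fails a check."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "winlogon\\notify" not in row.get("Entry Location", "").lower():
            continue
        reasons = []
        if not is_verified(row.get("Signer", "")):
            reasons.append("signer not verified")
        if not under_system32(row.get("Image Path", "")):
            reasons.append("image outside system32")
        if reasons:
            findings.append((row["Entry"], row["Image Path"], reasons))
    return findings


def load_autoruns_csv(path: str) -> str:
    """Autoruns writes its CSV as UTF-16 with a BOM (assumption); accept plain UTF-8 too."""
    with open(path, "rb") as f:
        raw = f.read()
    enc = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8-sig"
    return raw.decode(enc)


if __name__ == "__main__":
    for entry, image, reasons in suspicious_notify_entries(SAMPLE_CSV):
        print(f"{entry:12s} {image:40s} {', '.join(reasons)}")
```

For a real log, pass `load_autoruns_csv("autoruns.csv")` to `suspicious_notify_entries`. An unsigned Notify DLL is not proof of infection on its own (some third-party software registers one), but in this thread's situation it is exactly the entry to take the hash of, check on VirusTotal and then handle from the Recovery Console or a rescue CD.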
chimpmagnet - Posted: 25 February 2007 at 2:57pm

So far so good, Kaspersky seems to be holding up well!

Silly question -- how do I use IceSword to force delete wsys.dll and other files?!

Edited by chimpmagnet - 25 February 2007 at 3:01pm
fcukdat (Senior Member, United Kingdom) - Posted: 25 February 2007 at 3:11pm

How I use IceSword is by clicking the File tab and opening up the folder explorer tree.

If, when you arranged the system32 folder by date modified, there are any suspect DLLs such as Xsfer, wsys and usbpda at the bottom, find them using the IceSword file tree; it will list files in order (abc).

Go to the malware file entry and use the right-click / Force Delete option on each if present.

Reboot to see if they have been nuked.

HTH



Edited by fcukdat - 25 February 2007 at 3:14pm
___________
Ade Gill
Malwarebytes Researcher

Xiotek (Newbie, United States) - Posted: 26 February 2007 at 2:34am
Nice!

chimpmagnet - Posted: 26 February 2007 at 5:10am

Guys, I think everything is OK now. Thanks a lot for your help. This seems to be quite a new trojan, as there was very little help out there and my Symantec AV couldn't sort it out either. I'll be dumping my Symantec now for sure!!!

By the way, do you think the command below would have picked up the problem with winlogon.exe and fixed it?

sfc /scannow
