Help please! Win32 Dropper and Win32 Malware gen in explorer and winlogon

Hi guys, hope you enjoyed your holidays,

Just today I realized my browser would randomly get redirected to other sites. So I ran avast and discovered two items win32 dropper and win32 malware that had infected both explorer.exe and winlogon.exe.

I am attaching the logs from malware bytes and from OTL.
Any help is greatly appreciated. I really can’t afford to get a new laptop.

Thank you!

Oddly enough I have the same problem. When you try to move the file to the chest it won't let you, right? I keep on getting a warning every once in a while that avast has stopped the file from executing.

Yeah, it won’t let me repair the file or move it to the chest. Don’t know what to do.

Do all of you have a boot CD (to help fix)?

If you love God STOP TELLING OTHERS ABOUT GDATA AND BOOT CDS I HAVE HEADACHE FROM YOUR POSTS

:frowning: >:( >:( >:( >:(

I agree. GData is absolutely useless and will not help us, especially the “boot CD” (normal term: LiveCD), since we can boot Windows.
May I suggest ComboFix?

Yeah, it won't let me repair the file or move it to the chest. Don't know what to do.
What to do is relax and wait for Essexboy... he will be here in 3 - 4 hours.

Avast won’t let you move it to the chest or delete it as these are essential system files, so their removal could trash your system. Even though they are infected your system still works, but this is trying to get out to drag in more malware; the network/web shields (or firewall) should hopefully be blocking these attempts.

So for now do nothing until essexboy can get on the case.

Basically you have to get rid of the underlying infection (the one that is infecting these files) before replacing them with clean copies. If you don’t the replacements will just be infected. Whatever you do don’t simply delete these.

Thanks Pondus and DavidR, I’ll just leave the laptop off for now.

Would it be ok to back up photos or documents onto a CD from the infected computer, or would I have a good chance of infecting my other computer when I put the CD in? Also, can I hook up my iPod to my other computer, or is there a possibility of that being infected also?

Sorry for all the questions.

You’re welcome, hopefully it won’t be long before essexboy is on the forums.

In this case it doesn’t appear to be a file infector, so that shouldn’t be necessary, but of course you routinely back up your important files anyway, don’t you ;D

When essexboy does get to this topic, I suggest that you create your own new topic and post the link to that topic. Trying to help two people with something like this is likely to cause confusion, as even though it may appear to be the same, the systems and condition may not be identical.

I would keep this computer isolated from others for now until we know exactly what the circumstances are.

Hi, your explorer and winlogon files are infected, and currently I cannot see a spare. So let’s use Combofix to see if it can find one; if not, we will look in system restore.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

A mediafire link for XP SP3 winlogon.exe and explorer.exe that I uploaded before.

http://www.mediafire.com/?3s5sr8r4o75nah9

Ta David ;D

Thanks essexboy!

I ran Combofix and I left it for over an hour while I ran errands. It seems it went through the whole process but froze when writing the log, because it’s been on this screen that says “producing log, do not run any other programs”… I think I might have to manually shut down the laptop. Should I do that and run an avast scan again to see if it worked?

Shut it down manually and see if it produces a log; it should be at C:\combofix.txt

No problem, hopefully it will shorten the process.

There was nothing in the log text file except that Avast had been disabled. Should I just run it again?

I’m in exactly the same situation. Background: while surfing in Chrome I got a Google site warning, too late I guess, as I received a random popup with a fake AV application; in the background a proxy setting had been entered. I can get out, however I recall there were some non-requested sites appearing. I dropped off the network and ran a full scan with the same results as the original poster. During my analysis I did note that there was a copy(?) of the two files (explorer and winlogon) in the TEMP folder. Unfortunately, after taking a few actions, once restarted I had no explorer (as it had been locked by Avast). I ran SFC /SCANNOW to replace the corrupt files and I disabled Avast so I could access my PC again. After another restart I replaced explorer.exe and winlogon.exe from my i386 folder and ran another scan, but Avast still tells me they are infected. I have run Malwarebytes and Spybot and they detect nothing. I have uninstalled Avast as ComboFix was erroring/blue screening, so no joy on that front. I just reinstalled Avast with the latest updates and a full scan tells me the same issue exists. If you rename either of the infected files Avast will go nuts, as apparently various threats are being blocked.

At the end I’m not sure if this is a false positive or a legitimate worm, I’d love to get this resolved though.
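The last post asks whether the detections on explorer.exe and winlogon.exe are a false positive or a real infection. One check a practitioner would run before replacing anything is to confirm whether the copies on disk are still Microsoft-signed and to record their hashes, so a replacement from i386 or a clean machine can be compared against them. The script below is an added example written for this thread, not code from any poster or from Avast; it assumes PowerShell 2.0 (available on XP SP3) and uses only the built-in Get-AuthenticodeSignature cmdlet plus the .NET SHA256 class, since Get-FileHash does not exist on that version. The extra paths under %TEMP% are included only because the post above mentions copies of the two files there; if none exist they are simply skipped.

```powershell
# Added example: report signature status and SHA-256 for the two system
# binaries named in this thread, plus any stray copies in the TEMP folder.
# Assumption: PowerShell 2.0 or later; no third-party modules required.

function Get-Sha256Hex {
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Get-SystemFileReport {
    param([string[]]$Names = @('explorer.exe', 'winlogon.exe'))

    $candidates = @()
    foreach ($name in $Names) {
        # The live copies Windows actually loads.
        $candidates += (Join-Path $env:SystemRoot $name)
        $candidates += (Join-Path (Join-Path $env:SystemRoot 'system32') $name)
        # Stray copies in TEMP, as described in the post above (may not exist).
        $candidates += (Join-Path $env:TEMP $name)
    }

    foreach ($path in $candidates) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $item = Get-Item -LiteralPath $path
        New-Object PSObject -Property @{
            Path       = $path
            SizeBytes  = $item.Length
            Modified   = $item.LastWriteTime
            SigStatus  = $sig.Status          # 'Valid' expected for Microsoft binaries
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            Sha256     = Get-Sha256Hex -Path $path
        }
    }
}

# Usage: run from an elevated PowerShell prompt and keep the output with the
# other logs you post, so a helper can compare it against a known-good copy.
Get-SystemFileReport | Format-List Path, SizeBytes, Modified, SigStatus, Signer, Sha256
```

A status other than Valid on the live copy, a signer that is not Microsoft, or a hash that differs from the same file version on a clean machine all point toward a modified binary rather than a false positive. Note that on XP many Microsoft binaries are catalog-signed rather than embedded-signed, so Get-AuthenticodeSignature can report NotSigned on a clean file; in that case the hash comparison against a known-good copy is the more reliable of the two checks.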