W32.malware-gen found in explorer.exe on XP SP3

My wife’s computer seems to have a problem. She let her Avast registration expire, and her machine seems to have gotten some malware and search redirection software. The first hint was that she had a “Check Disk” program that kept giving bogus warnings and suggested upgrading to a paid version. It placed an icon on her desktop and ran on startup. The executable was “C:\Documents and Settings\steph\Local Settings\Temp\1241594968.exe”

After booting into safe mode and removing this file, I installed Avast 5 and updated it. Now Avast 5.0.677 finds that c:\windows\explorer.exe has Win32:Malware-gen. It is unable to repair or move it to the chest. I tried running MBAM, but it finds nothing.

I’ve attached the MBAM and OTL logs. Any ideas?

I would just boot a Linux CD and replace explorer.exe with the one from the Windows XP with SP3 CD, but I’m not sure if this is the best solution.

< MD5 for: EXPLORER.EXE >
[2008/04/14 07:00:00 | 001,033,728 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\explorer.exe

< MD5 for: WINLOGON.EXE >
[2008/04/14 07:00:00 | 000,507,904 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\winlogon.exe

Hi, both winlogon and explorer are infected and there are no apparent backups on your system. Do you have access to another XP computer or the XP CD?

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Here is the combofix log.

I’ve got the XP Pro with SP3 CD available (and can get pretty much any other version needed from MSDN).

Could you copy both files to the following location please C:\windows\system32\dllcache

Once done then re-run combofix - it should pick them up - if not I will do it manually.
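The OTL entries above report that no MD5 could be obtained for explorer.exe and winlogon.exe, and the advice just given is to drop clean copies into C:\windows\system32\dllcache so Windows File Protection has something to restore from. As an added example (not code from this thread, from OTL, or from ComboFix), the Python script below shows the check a helper would want before and after that step: hash each live system file, compare it against a known-good reference copy of the same service-pack level, and report whether dllcache already holds a matching backup. All paths and file contents are constructed inside a temporary directory so the script runs offline; on a real machine the reference directory would be a trusted i386 folder (note that the XP CD stores these files cab-compressed as explorer.ex_ and winlogon.ex_, so they must be expanded with expand.exe before hashing) and the target map would point at C:\WINDOWS\explorer.exe and C:\WINDOWS\system32\winlogon.exe.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def file_hash(path, algo="md5"):
    """Hash a file in 64 KiB chunks. MD5 is used to line up with OTL's MD5 column;
    pass algo="sha256" for a stronger digest when comparing against vendor hashes."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_system_files(targets, reference_dir, dllcache_dir):
    """targets maps a file name to the live path on the suspect system.
    For each one, compare the live copy with the known-good copy in reference_dir,
    and check whether dllcache holds a backup identical to the reference (the copy
    Windows File Protection would restore from). Returns a per-file report dict."""
    report = {}
    for name, live in targets.items():
        live = Path(live)
        ref = Path(reference_dir) / name
        cache = Path(dllcache_dir) / name
        entry = {"live_exists": live.exists(), "reference_exists": ref.exists()}
        if live.exists() and ref.exists():
            entry["live_md5"] = file_hash(live)
            entry["reference_md5"] = file_hash(ref)
            entry["matches_reference"] = entry["live_md5"] == entry["reference_md5"]
            # A size match with a hash mismatch suggests in-place patching rather than replacement.
            entry["size_delta"] = live.stat().st_size - ref.stat().st_size
        entry["dllcache_backup_ok"] = (
            cache.exists() and ref.exists() and file_hash(cache) == file_hash(ref)
        )
        report[name] = entry
    return report


def build_demo_tree():
    """Constructed sample layout (hypothetical, not a real XP install):
    a fake WINDOWS tree, a fake expanded i386 reference folder, and a dllcache with
    only one of the two backups present. Returns (root, targets, reference_dir, dllcache_dir)."""
    root = Path(tempfile.mkdtemp(prefix="wfp_demo_"))
    windows = root / "WINDOWS"
    system32 = windows / "system32"
    dllcache = system32 / "dllcache"
    i386 = root / "CD" / "i386"
    for d in (system32, dllcache, i386):
        d.mkdir(parents=True)

    clean_explorer = b"MZ" + b"clean explorer " * 100
    clean_winlogon = b"MZ" + b"clean winlogon " * 100
    (i386 / "explorer.exe").write_bytes(clean_explorer)
    (i386 / "winlogon.exe").write_bytes(clean_winlogon)

    # Live explorer.exe: same size as the reference but with bytes altered in place.
    patched_explorer = bytearray(clean_explorer)
    patched_explorer[200:210] = b"XXXXXXXXXX"
    (windows / "explorer.exe").write_bytes(bytes(patched_explorer))
    # Live winlogon.exe: reference plus appended bytes, so the size also differs.
    (system32 / "winlogon.exe").write_bytes(clean_winlogon + b"\x00" * 512)
    # dllcache has a good backup for winlogon only.
    (dllcache / "winlogon.exe").write_bytes(clean_winlogon)

    targets = {
        "explorer.exe": windows / "explorer.exe",
        "winlogon.exe": system32 / "winlogon.exe",
    }
    return root, targets, i386, dllcache


if __name__ == "__main__":
    root, targets, ref_dir, cache_dir = build_demo_tree()
    try:
        for name, entry in compare_system_files(targets, ref_dir, cache_dir).items():
            print(name, entry)
    finally:
        shutil.rmtree(root)
```

In the constructed tree both live files fail the comparison, explorer.exe with a zero size delta (altered in place) and winlogon.exe with a positive one (bytes appended), and only winlogon.exe has a usable dllcache backup; after copying clean files into dllcache, re-running the check should show dllcache_backup_ok as True for both before ComboFix or WFP is expected to pick them up.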

Ran

Copied both files, re-ran combofix, got a BSOD + instant reboot while building log. Ran combofix for third time, got attached log.

Can you confirm that the files were copied to the dllcache folder, as they do not appear in your log and CF did not see them?