win32 winpatch virus

Hi

Avast has found win32 winpatch virus on my WinXP laptop. It had infected the explorer.exe and winlogon.exe files, which couldn't be moved to chest.

I went looking online and found reference to someone using the tool combofix to fix this; it was on the Bleeping Computer website. This didn't work entirely, and explorer.exe no longer works. Have tried to restore this but no luck so far. Have tried using the Kaspersky v10 boot disc but that won't work either.

Any advice would be greatly appreciated. Getting explorer.exe working would be great before then looking at removing the virus.

Regards

Joe

Please attach your logs. (AdwCleaner, MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

Are you able to access Windows?

Yes I am. Sorry for the late reply. Only issue is that Windows Explorer crashes on start up, but this is a result of using a tool called combofix, which I have removed now. Will be sending the log files you need shortly.

thanks again for the help

If you have run combofix, attach that log also.

I have run AdwCleaner but on reboot no log file was produced. I think it might be because explorer.exe is not working. Am running programs from the run prompt in Task Manager.

Combofix never produced a log file either.

Will be attaching the Malwarebytes log, have that one at least.

Here is the Mbam log

This is the OTL log

Sorry, did this wrong, didn't include the script:

netsvcs
BASESERVICES
%SYSTEMDRIVE%\*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
dir "%systemdrive%\*" /S /A:L /C
CREATERESTOREPOINT

Will try again

Yes please as that will show me any spare explorers that I can use
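The custom scan above lists explorer.exe and other system files between /md5start and /md5stop, and the reply says the result will show spare copies of explorer.exe. The same comparison can be done by hand, shown here as an added example that is not part of the thread and is not OTL's own logic: find every copy of a named file under a root, hash each one, and see which spares match the live copy. It uses SHA-256 rather than MD5, and the sample tree (including the dllcache path and all file contents) is constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

def sha256_of(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):  # read in chunks
            h.update(block)
    return h.hexdigest()

def find_copies(root, filename):
    """Map digest -> paths for every file named `filename` (case-insensitive) under root."""
    groups = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == filename.lower():
                full = os.path.join(dirpath, name)
                try:
                    groups[sha256_of(full)].append(full)
                except OSError:
                    continue  # locked or unreadable file: skip it, keep scanning
    return dict(groups)

def matching_spares(groups, live_path):
    """Return the other copies whose digest equals the live file's digest.
    An empty result while spares exist is a lead for review, not proof of infection."""
    return [p for p in groups.get(sha256_of(live_path), []) if not os.path.samefile(p, live_path)]

def build_sample_tree(root):
    """Constructed sample: one altered live copy and two identical spare copies."""
    clean, altered = b"MZ-constructed-clean", b"MZ-constructed-altered"
    layout = {
        os.path.join("WINDOWS", "explorer.exe"): altered,
        os.path.join("WINDOWS", "ServicePackFiles", "i386", "explorer.exe"): clean,
        os.path.join("WINDOWS", "system32", "dllcache", "explorer.exe"): clean,  # assumed path
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return os.path.join(root, "WINDOWS", "explorer.exe")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        live = build_sample_tree(tmp)
        print("spares matching live copy:", matching_spares(find_copies(tmp, "explorer.exe"), live))
```

A live file that matches none of its spares can also be the result of a legitimate update, so the digests that agree with each other are the candidates to check against a known-good source before any replacement.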

Only got one log file from using OTL.

Do you get any errors at all at start? This may be Bamital… Could you attach the combofix log please?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
DRV - File not found [Kernel | Boot | Stopped] -- System32\drivers\qxvphl.sys -- (axekhn)

:Files
C:\WINDOWS\explorer.exe|C:\WINDOWS\ServicePackFiles\i386\explorer.exe /replace

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

Then click the Run Fix button at the top.

Let the program run unhindered, and reboot the PC when it is done.

Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

This is the aswMBR.exe log file

The only error I got running OTL is that at one point it looked for the D: drive (CD drive) but there is nothing in that, so I just pressed cancel and it continued. Will carry out your instructions now.

Fantastic. Laptop boots up OK and everything seems OK.

Here are the log files

New OTL log file

So all is back to normal now, is that correct?

Yes, I believe so. Will do an Avast boot scan now but am very hopeful all good.

Thanks very much for the help.

Let me know the result of the Avast scan and if you are happy I will tidy up.

Have run an Avast Boot Scan which did some items which were moved to chest. Then ran a full scan from within Windows, was clean, then ran another boot scan, again was clean.

Only issue is that with the boot scan it would find some zip files which it said were corrupted. However I think these files are part of a legit application. Do you think this is a concern?

Am happy to say all is good now unless above is an issue.