Avast keeps warning me about winlogon and explorer.exe errors. Ran MBAM to no avail. Please advise. Here are my logs. Thanks in advance for your help.
Hello Broncofan1 and welcome to the forum.
I reviewed your logs and you did the correct thing in posting them; however, let me ask you: what kinds of problems are you having with your machine?
Do you have files in your Avast Virus Chest? If so, can you give us a screen shot of what is in your Chest?
Because I do see problems in your logs, I am going to refer you to our Certified Malware expert, named Essexboy. He will also review your logs and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily. I will continue to provide assistance in the meantime, then remain in the background while he works with you.
IMPORTANT: If you are on a home network, disconnect the affected machine from the network. Do not share a USB/flash drive with this affected machine. Do not use this machine unless Essexboy instructs you to do so as part of the malware removal instructions; use a different machine if possible to check email, sync your phone, etc.
Please do not make any further changes to your machine now that you have provided the logs.
Let me know if you have any questions. Thank you.
Yes, I have 4 files in the chest. The main issue I have is links from google searches are being redirected to incorrect sites - usually advertisements. The computer also does not shut down properly on occasion and needs to be manually powered off.
I am having trouble pasting a screen shot so I will just type out what is in my chest.
Name//Original Location//Transfer time
A0002423.exe//c:\system volume information_restore{D53440EE0-EEC6-4D7F-B32C-94685FEE7185}\RP3//11/21/2010 6:52:57 PM
A0002531.exe//c:\system volume information_restore{D53440EE0-EEC6-4D7F-B32C-94685FEE7185}\RP3//11/22/2010 7:13:17 PM
explorer.exe//c:\windows\system32\dllcache//11/21/2010 4:27:46 PM
winlogon.exe//c:\windows\system32\dllcache//11/22/2010 6:54:14 PM
All were last changed on 4/14/2008 and labeled as Win32:Malware-gen.
Can you post the Malwarebytes scan log? Sorry, I see it above ;D
Essexboy has been notified; he usually enters the forum late UK time.
I also have 2 instances of a c:\windows\explorer.exe and c:\windows\system32\winlogon.exe errors that cannot be moved to my chest because the files are read only. All are listed as Threat:Win32:Bamital-AO with a high severity.
Even though these files are infected, you can't simply move them or delete them, or your system could be toast.
The only way to deal with this is to replace them with clean copies. This can't be done until the underlying malware is dealt with, or the clean replacements would also be infected. This is going to take specialist tools and someone experienced in their use, and that is essexboy. So unfortunately we are going to have to wait for him to join the forums later, as he is at work.
at this time you may choose to hibernate
or leave it open
winlogon is infected ???
Regards!!!
Hi there. Delete your current copy of ComboFix please, and download then run a fresh copy. Both explorer and winlogon are infected and there are no apparent spares on your system. Do you have access to another XP system or an XP CD?
Download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop
- Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
- Double click on ComboFix.exe & follow the prompts.
- As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
- Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
http://img.photobucket.com/albums/v706/ried7/whatnext.png
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Here is a mediafire link for copies of XP SP3 winlogon.exe and explorer.exe http://www.mediafire.com/?3s5sr8r4o75nah9 the file is a 7zip archive and the name is Winlog-Explorer.7z
Here is the new report you requested.
I do not have access to another XP system but it looks I can use the links provided by David. I have not downloaded them and will not until I receive instructions from you.
Thank you.
Well essexboy will be tucked up in bed right now and I’m just about to do the same, almost 3am here.
Sounds good. I appreciate all the help and support. Chat with you tomorrow.
Hi
This is probably Bamital
@essexboy will replace those files
To speed things up, please do the following:
Need to send the file to analyze.
Go to virustotal website http://www.virustotal.com/
Click the browse button. Copy and paste the lines in bold in the open box, then click Send File after pasting one line. You will only be able to have one file scanned at a time.
c:\windows\system32\winlogon.exe
c:\windows\explorer.exe
If the file has been analyzed before, click the Reanalyse File Now button.
Please copy and paste the results of the scan in your next post.
Could you download the files please and copy them to c:\windows\system32\dllcache, and then re-run ComboFix? It should find the files there and then run a replace for you.
Once done, please post the ComboFix log so that I can see if it worked - or whether we have something deeper.
One small problem. I am trying to save the file at that location but I cannot find the dllcache folder. I tried to add a new folder to the system32 folder but I get an error message stating the file name already exists. Is there a trick to find the hidden folder?
I found the dllcache folder. Here is my new log. I don’t think the fix took.
It is a hidden folder (don’t try creating it):
- Ensure that you have "Show hidden files and folders" enabled and disable "Hide system files" in Windows Explorer > Tools > Folder Options > Hidden files and folders; also uncheck "Hide extensions for known file types", etc. See image.
It looks like the files I put in the dllcache folder are infected. I attached a copy of my virus chest for your review.
Do the transfer times to the chest roughly match when you copied them to the dllcache?
If so, you should have got an alert at the time you copied them?
If you did get an alert when copying the files, then essentially the underlying infection is still present and it is infecting the new files. Unfortunately we will have to wait for essexboy to get back from work and use some more tools.
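The reasoning in the post above (clean replacement copies that trip an alert shortly after being written mean the infector is still active on the box) can be checked more precisely than by comparing chest transfer times. The following is an added example, not code from this thread or from any of the tools mentioned in it: it records the SHA-256 of each clean copy at the moment it is placed and flags any copy whose hash later differs. The file names and paths are hypothetical and the "clean" file contents and the tampering step are constructed in a temporary directory so the script runs offline.

```python
"""Added example: detect whether replacement system files were modified after
being copied into place. File infectors such as the Bamital family patch
winlogon.exe/explorer.exe on disk, so a freshly copied clean file whose hash
changes afterwards is evidence that the underlying infection is still active.
All paths are hypothetical; the sample file contents are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Return the hex SHA-256 digest of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_replacements(reference, targets):
    """Compare each placed copy against its known-good hash.

    reference: {name: sha256 hex digest of the known-clean copy}
    targets:   {name: path where that copy was placed}
    returns    {name: "ok" | "modified" | "missing"}
    """
    result = {}
    for name, expected in reference.items():
        placed = Path(targets[name])
        if not placed.exists():
            result[name] = "missing"
        elif sha256_of(placed) != expected:
            result[name] = "modified"
        else:
            result[name] = "ok"
    return result


def demo():
    """Constructed scenario: two 'clean' copies are placed, then one of them
    is tampered with, and the check is run before and after."""
    with tempfile.TemporaryDirectory() as d:
        clean = {
            "winlogon.exe": b"CLEAN-WINLOGON-SAMPLE",  # constructed content
            "explorer.exe": b"CLEAN-EXPLORER-SAMPLE",  # constructed content
        }
        targets, reference = {}, {}
        for name, data in clean.items():
            path = Path(d) / name
            path.write_bytes(data)               # "copy" into the hypothetical dllcache
            targets[name] = str(path)
            reference[name] = hashlib.sha256(data).hexdigest()

        before = check_replacements(reference, targets)

        # Simulate on-disk tampering of one placed copy (constructed, not a real sample).
        with open(targets["explorer.exe"], "ab") as f:
            f.write(b"TAMPERED")

        after = check_replacements(reference, targets)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("right after copy:", before)
    print("later:          ", after)
```

In practice the reference hashes would come from the archive of clean copies before they are placed, and the check would be re-run a few minutes after copying (and again after a reboot); a "modified" result on a file that the AV also flagged is the same conclusion the post draws from the chest timestamps, with the hash as the evidence.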
Yes. I got an alert just after copying them to the dllcache folder.
I really appreciate you guys helping me through this issue.