You’re welcome, sorry I can’t do more before essexboy gets back.
The files that you copied into the DLLCache are infected by malware named Bamital.
Please download and extract the files to the root of C:. Delete…
c:\winlogon.exe
c:\explorer.exe
Then do the following:
Download BlitzBlank and save it to your desktop.
http://download1.emsisoft.com/BlitzBlank.exe
icons look like this:
http://www.emsisoft.nl/blitzblank/icon48_blitzblank.png
Click OK at the warning (and take note of it, this is a VERY powerful tool!).
Click the Script tab and copy/paste the following text there:
DeleteFile:
c:\windows\system32\dllcache\winlogon.exe
c:\windows\system32\dllcache\explorer.exe
MoveFile:
c:\winlogon.exe c:\windows\system32\winlogon.exe
c:\explorer.exe c:\windows\explorer.exe
Click Execute Now.
Your computer will need to reboot in order to replace the files.
When done, post me the report created by BlitzBlank.
Thank you for the information argus. I don’t mean to be disrespectful, but I will wait until getting direction from DavidR or essexboy before moving forward. The information you provided seems good and I hope it works but I see you only have 2 posts so I want to make sure I am getting direction from the correct people on the forum. DavidR or essexboy, can you please confirm what I should do next? Thank you.
I know nothing of BlitzBlank, so I don't know how it works, e.g. what it is looking for, as if it doesn't detect and deal with the underlying infection, replacing the current infected files will result in their being infected too.
OK, no problem.
I'm also an AM fighter.
These files cannot be replaced by ComboFix.
If you put them in the root of C: or on the desktop, ComboFix will delete them.
They can be replaced in some other way too, but this is the simplest.
Wait for further instructions; I just wanted to help.
Sorry, you will need to show hidden folders:
- Click Start.
- Open My Computer.
- Select the Tools menu and click Folder Options.
- Select the View tab.
- Under the Hidden files and folders heading, select Show hidden files and folders.
- Click Yes to confirm.
- Click OK.
You should now see the dllcache.
Oops, missed two posts :-[
Now I see the name of the miscreant.
Download Dr.Web from here http://www.freedrweb.com/?lng=en (link on the top right of the page), tick the EULA and then download.
It will download as an 8-digit file; save it to your desktop.
Restart in Safe Mode and run it.
Accept the enhanced version.
Then run the quick scan.
About halfway through you will be prompted to buy - just X the box closed.
Once finished it will generate a log; please attach that.
I've downloaded the file to my desktop and restarted in Safe Mode, but the file will not run. I get the security box asking to run the file, but nothing happens when I click Run. I deleted the file and tried it a second time, but still no luck.
OK, let's try AVP before we look at a live CD.
Save these instructions so you can have access to them while in Safe Mode.
Please click here to download AVP Tool by Kaspersky.
- Save it to your desktop.
- Reboot your computer into Safe Mode.
  You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
  Use your up arrow key to highlight Safe Mode, then hit Enter.
- Double-click the setup file to run it.
- Click Next to continue.
- Accept the licence agreement and click Next.
- It will by default install it to your desktop folder. Click Next.
- It will then open a box. There will be a tab that says Automatic scan.
- Under Automatic scan make sure these are checked:
  - Hidden Startup Objects
  - System Memory
  - Disk Boot Sectors
  - My Computer
  - Also any other drives (removable) that you may have.
  Leave the rest of the settings at their defaults.
- Then click on Scan at the top right-hand corner.
- It will automatically Neutralize any objects found.
- If some objects are left un-neutralized, click the button that says Neutralize all.
- If it says it cannot be neutralized, choose the Delete option when prompted.
- After that is done, click on the Reports button at the bottom and save it to a file named Kas.
- Save it somewhere convenient like your desktop, and post only the detected virus/malware from the report: it will be at the very top under Detected. Post those results in your next reply.
Note: This tool will self-uninstall when you close it, so please save the log before closing it.
I think we hit the motherlode. The report does not show this, but I kept seeing trojan.win32.patched.kl when items were detected. I am not sure if that is helpful or not.
Autoscan: completed 1 minute ago (events: 21, objects: 252340, time: 00:57:19)
Result: Detected (events: 19)
12/4/2010 7:48:35 AM C:\System Volume Information\_restore{D53440E0-EEC6-4D7F-B32C-94685FEE7185}\RP20\A0010392.exe
12/4/2010 7:48:35 AM C:\System Volume Information\_restore{D53440E0-EEC6-4D7F-B32C-94685FEE7185}\RP20\A0010391.exe
12/4/2010 7:51:18 AM C:\WINDOWS\explorer.exe
12/4/2010 7:52:22 AM C:\WINDOWS\explorer.exe
12/4/2010 8:02:03 AM C:\WINDOWS\system32\winlogon.exe
12/4/2010 8:02:41 AM C:\WINDOWS\system32\dllcache\explorer.exe
12/4/2010 8:03:21 AM C:\WINDOWS\system32\dllcache\winlogon.exe
12/4/2010 8:03:47 AM C:\WINDOWS\system32\winlogon.exe
12/4/2010 8:04:35 AM C:\WINDOWS\explorer.exe
12/4/2010 8:04:44 AM C:\WINDOWS\explorer.exe
12/4/2010 8:06:26 AM C:\WINDOWS\system32\winlogon.exe
12/4/2010 8:06:29 AM C:\WINDOWS\explorer.exe
12/4/2010 8:08:23 AM C:\WINDOWS\explorer.exe
12/4/2010 8:08:25 AM C:\WINDOWS\explorer.exe
12/4/2010 8:08:33 AM C:\WINDOWS\explorer.exe
12/4/2010 8:18:34 AM C:\System Volume Information\_restore{D53440E0-EEC6-4D7F-B32C-94685FEE7185}\RP20\A0011599.exe
12/4/2010 8:18:35 AM C:\System Volume Information\_restore{D53440E0-EEC6-4D7F-B32C-94685FEE7185}\RP20\A0011600.exe
12/4/2010 8:19:54 AM C:\WINDOWS\explorer.exe
12/4/2010 8:28:35 AM C:\WINDOWS\system32\winlogon.exe
Result: Task started (events: 1)
12/4/2010 7:32:41 AM
Result: Task completed (events: 1)
12/4/2010 8:30:00 AM
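The report above shows C:\WINDOWS\explorer.exe and winlogon.exe being detected over and over within a single scan, which is exactly what DavidR's caveat predicts when the live infection is not removed at its root: the tool cleans the file, the resident component patches it again. As an added example (not part of the thread, and not a feature of AVP Tool), here is a small parser for that report format that groups detections per path and flags anything hit more than once, separating live files from dllcache and restore-point copies. The report text in it is constructed to mirror the format, not copied from the user's log.

```python
"""Flag files that one AV scan keeps re-detecting (a sign of an uncleaned
root cause). Added example; the report lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Detection lines look like "12/4/2010 7:51:18 AM <path>"; header lines such as
# "Result: Detected (events: 19)" do not match the pattern and are skipped.
LINE_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+(\S.*?)\s*$")
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"

# Constructed sample modelled on the AVP Tool report format (not the real log).
SAMPLE_REPORT = r"""
Result: Detected (events: 7)
12/4/2010 7:48:35 AM C:\System Volume Information\_restore{D53440E0-EEC6-4D7F-B32C-94685FEE7185}\RP20\A0010392.exe
12/4/2010 7:51:18 AM C:\WINDOWS\explorer.exe
12/4/2010 7:52:22 AM C:\WINDOWS\explorer.exe
12/4/2010 8:02:03 AM C:\WINDOWS\system32\winlogon.exe
12/4/2010 8:02:41 AM C:\WINDOWS\system32\dllcache\explorer.exe
12/4/2010 8:03:47 AM C:\WINDOWS\system32\winlogon.exe
12/4/2010 8:04:35 AM C:\WINDOWS\explorer.exe
Result: Task completed (events: 1)
"""


def parse_report(text):
    """Return (timestamp, path) pairs for every detection line in the report."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.strptime(m.group(1), TIME_FMT), m.group(2)))
    return events


def classify(path):
    """Where the detected copy lives: a restore point, the dllcache, or the live file."""
    p = path.lower()
    if "\\system volume information\\" in p:
        return "restore_point"
    if "\\dllcache\\" in p:
        return "dllcache"
    return "live"


def repeat_detections(text, min_hits=2):
    """Paths detected at least min_hits times, with how long the repeats spanned.
    A live system file that keeps coming back inside one scan was re-patched
    between detections, i.e. the infector is still running."""
    by_path = defaultdict(list)
    for ts, path in parse_report(text):
        by_path[path.lower()].append(ts)
    summary = {}
    for path, stamps in by_path.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        span = (stamps[-1] - stamps[0]).total_seconds() / 60
        summary[path] = {"hits": len(stamps), "kind": classify(path),
                         "span_minutes": round(span, 1)}
    return summary


def report_lines(summary):
    """Human-readable one-liners, worst offender first."""
    return [f"{s['hits']}x {p} ({s['kind']}, over {s['span_minutes']} min)"
            for p, s in sorted(summary.items(), key=lambda kv: -kv[1]["hits"])]


if __name__ == "__main__":
    for line in report_lines(repeat_detections(SAMPLE_REPORT)):
        print(line)
```

Run against the real report, the same logic would list explorer.exe and winlogon.exe with double-digit hit counts spread over most of the hour-long scan; a single hit on a restore-point copy is just an old snapshot of an already infected file and does not carry the same meaning.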
OK, could you now get a fresh copy of ComboFix and run it, please?
Here is the ComboFix log.
CF is still reporting them infected. Any improvement in the system?
Please open Notepad:
- Click Start, then Run.
- Type notepad.exe in the Run box.
Now copy/paste the entire content of the codebox below into the Notepad window:
NetSvc::
WINRM
SRPeek::
c:\windows\system32\winlogon.exe
c:\windows\explorer.exe
File::
c:\windows\system32\drivers\48675732.sys
c:\windows\system32\drivers\4867573.sys
c:\windows\system32\drivers\48675731.sys
Folder::
Driver::
48675732
48675731
WinRM
Then in the text file go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Save the above as CFScript.txt.
Then drag the CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
Attached is the log. I was asked to submit the malware to Bleeping Computer which I did. That file was too large to attach to this post.
OK, let's see if we can swap them out. Once done, let me know how your computer is.
Please open Notepad:
- Click Start, then Run.
- Type notepad.exe in the Run box.
Now copy/paste the entire content of the codebox below into the Notepad window:
SCOPY::
RP3\A0002531.exe|c:\windows\system32\winlogon.exe
RP3\A0002423.exe|c:\windows\explorer.exe
Then in the text file go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Save the above as CFScript.txt.
Then drag the CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
- Combofix.txt
- A new OTListIt log.
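Both the BlitzBlank swap from the dllcache copies earlier in the thread and the SCOPY:: swap from a restore point above rest on one assumption: that the replacement source is actually different from, and cleaner than, the live file. DavidR's reinfection caveat and the AVP log (dllcache and restore-point copies flagged too) put that in doubt. The following is an added example, not code from the thread or from BlitzBlank, ComboFix or AVP Tool: given candidate copies pulled off the machine (the labels live, dllcache and restore_point are chosen here), it hashes them to see which are byte-identical to the live file and checks each one's PE header CheckSum as a coarse tamper hint. The sample image is a constructed minimal PE, not a real winlogon.exe.

```python
"""Triage candidate replacement copies of a suspected patched system file.

Added example, not a tool from the thread. It assumes the live file, the
dllcache copy and a restore-point copy were already copied out of the machine
(e.g. from a live CD); "live", "dllcache", "restore_point" are labels chosen here.
"""
from __future__ import annotations

import hashlib
import struct

# Offset of the CheckSum field relative to the PE signature: 4 (signature)
# + 20 (COFF header) + 64 (into the optional header, same for PE32 and PE32+).
_CHECKSUM_REL = 4 + 20 + 64


def pe_checksum(data: bytes) -> tuple[int, int]:
    """Return (stored, computed) PE header CheckSum for an image.

    Standard image checksum: 16-bit ones-complement sum over the whole file
    with the 4-byte CheckSum field treated as zero, plus the file length.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    cs_off = e_lfanew + _CHECKSUM_REL
    if len(data) < cs_off + 4:
        raise ValueError("truncated optional header")
    stored = struct.unpack_from("<I", data, cs_off)[0]
    buf = bytearray(data)
    buf[cs_off:cs_off + 4] = b"\0\0\0\0"  # the field itself is excluded
    total = 0
    for i in range(0, len(buf) - 1, 2):
        total += buf[i] | (buf[i + 1] << 8)
        total = (total & 0xFFFF) + (total >> 16)  # end-around carry
    if len(buf) & 1:
        total += buf[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return stored, (total + len(data)) & 0xFFFFFFFF


def triage(copies: dict[str, bytes]) -> dict[str, dict]:
    """Per copy: SHA-256, whether it is byte-identical to the live file, and
    whether its header CheckSum matches the file contents."""
    live_hash = hashlib.sha256(copies["live"]).hexdigest()
    report = {}
    for name, data in copies.items():
        digest = hashlib.sha256(data).hexdigest()
        try:
            stored, computed = pe_checksum(data)
            checksum_ok = stored == computed
        except ValueError:
            checksum_ok = False  # not even a PE: useless as a replacement
        report[name] = {"sha256": digest, "same_as_live": digest == live_hash,
                        "checksum_ok": checksum_ok}
    return report


def clean_sources(report: dict[str, dict]) -> list[str]:
    """Copies that differ from the live file and pass the CheckSum test: the
    only ones worth even considering as a replacement source."""
    return sorted(n for n, r in report.items()
                  if n != "live" and not r["same_as_live"] and r["checksum_ok"])


def build_sample_pe(payload: bytes) -> bytes:
    """Constructed minimal PE32 image for the demo (DOS header, PE signature,
    COFF header, 224-byte optional header, then payload) with a correct CheckSum."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    img = bytearray(bytes(dos) + b"PE\0\0" + coff + bytes(opt) + payload)
    _, computed = pe_checksum(bytes(img))
    struct.pack_into("<I", img, 0x40 + _CHECKSUM_REL, computed)
    return bytes(img)


def build_scenario() -> dict[str, bytes]:
    """Constructed scenario: live and dllcache copies both patched, restore point clean."""
    clean = build_sample_pe(b"original code" * 10)
    patched = bytearray(clean)
    patched[-20:-10] = b"\xcc" * 10                    # simulated infector overwrite
    return {"live": bytes(patched), "dllcache": bytes(patched), "restore_point": clean}


def demo() -> list[str]:
    return clean_sources(triage(build_scenario()))


if __name__ == "__main__":
    print(demo())
```

A CheckSum mismatch only says the file changed after its header was written; a patcher can recompute the field, and some unsigned binaries ship with it zeroed, so treat it as a triage hint, never as proof that a copy is clean. In the constructed scenario the restore-point copy is the only candidate left standing; in the thread's own log every copy was flagged, and on that input this returns an empty list, which is the practical answer to "swap them out".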
Here are the 2 new logs. Avast is still picking the files up as bad…
I am also still getting redirected on Google search links.
This looks like a reformat job, I am afraid; the virus is too deeply entrenched now.
I do have a reformat tutorial:
http://www.geekstogo.com/forum/topic/173729-reformat-and-install-of-windows/
On the previous page, I wrote a solution to your problem.
Now I've deleted files to which I don't have permission. If that's OK with you, OK; if not … sorry.
There is a way to replace these files via the Recovery Console, but you must have the Windows CD.
Probably will not work, as ComboFix uses the Recovery Console to replace system files as part of its routine.