I am running Windows XP Pro SP2 (build 2600) (ver 5.1). My anti-virus is avast 5 (newly updated) and Malwarebytes' Anti-Malware. I keep on getting an avast warning that it is blocking (1) win32:malware-gen[Trj], found in my c:\windows\system32\winlogon.exe; and (2) win32:Patched-UE[Trj] found in c:\windows\explorer.exe. I cannot quarantine, delete or repair these files either after a boot scan or a normal scan after the computer boots up.
When I run malwarebytes on the files, it does not identify any infections. But when I run avast on the files, it detects the viruses.
I have an external drive with an earlier installation (but same build, etc.) of Win XP SP2. Is there some way to cut and paste these non-infected files over the ones infected on my internal hard drive?
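Before copying anything between installations, the check a practitioner would make first is whether the copies actually differ: hash the two files in the suspect locations (system32 and the dllcache backup) and compare them against the copies on the known-clean external install. The script below is an added example, not code from the thread or from any of the tools mentioned in it; the three directories and the file bytes are constructed stand-ins for C:\windows\system32, C:\windows\system32\dllcache and the external drive, and in real use you would point `compare_copies` at the real paths instead of calling `demo`.

```python
"""Compare winlogon.exe / explorer.exe copies across locations by SHA-256.

Added example, not from the forum thread. The directory tree and file
contents are constructed for the demo; real use points compare_copies()
at the real system32, dllcache and external-drive directories.
"""
import hashlib
import os
import tempfile

WATCHED = ("winlogon.exe", "explorer.exe")


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_copies(reference_dir, candidate_dirs, names=WATCHED):
    """Return {name: {label: 'match' | 'MISMATCH' | 'missing' | 'no reference'}}.

    reference_dir holds the known-clean copies; candidate_dirs maps a label
    (e.g. 'system32', 'dllcache') to the directory holding a copy to check.
    """
    report = {}
    for name in names:
        ref = os.path.join(reference_dir, name)
        ref_hash = sha256_of(ref) if os.path.isfile(ref) else None
        report[name] = {}
        for label, directory in candidate_dirs.items():
            candidate = os.path.join(directory, name)
            if not os.path.isfile(candidate):
                report[name][label] = "missing"
            elif ref_hash is None:
                report[name][label] = "no reference"
            else:
                same = sha256_of(candidate) == ref_hash
                report[name][label] = "match" if same else "MISMATCH"
    return report


def build_demo_tree(root):
    """Constructed sample tree: explorer.exe is clean in system32 and absent
    from dllcache; winlogon.exe has been altered in system32 but the
    dllcache backup still matches the clean reference."""
    dirs = {
        "reference": os.path.join(root, "external", "system32"),
        "system32": os.path.join(root, "windows", "system32"),
        "dllcache": os.path.join(root, "windows", "system32", "dllcache"),
    }
    for d in dirs.values():
        os.makedirs(d, exist_ok=True)
    clean_winlogon = b"MZ-constructed-clean-winlogon"
    clean_explorer = b"MZ-constructed-clean-explorer"
    files = {
        ("reference", "winlogon.exe"): clean_winlogon,
        ("reference", "explorer.exe"): clean_explorer,
        ("system32", "winlogon.exe"): clean_winlogon + b"-altered",
        ("system32", "explorer.exe"): clean_explorer,
        ("dllcache", "winlogon.exe"): clean_winlogon,
    }
    for (label, name), data in files.items():
        with open(os.path.join(dirs[label], name), "wb") as f:
            f.write(data)
    return dirs


def demo():
    """Build the constructed tree in a temp dir and return the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        dirs = build_demo_tree(root)
        reference = dirs.pop("reference")
        return compare_copies(reference, dirs)


if __name__ == "__main__":
    for name, results in demo().items():
        print(name, results)
```

A matching hash only tells you the two copies are byte-identical; it says nothing about whether the reference itself is the right build for the installation (the thread's point about SP2 versus SP3 copies still applies), and a clean copy will not stay clean while the underlying infection is still present.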
This is not a false detection, and whatever you do, don't try to delete these files or your system will be toast. That is one reason why avast isn't taking any action on these important system files. Even though they are infected, they still function.
These infected files need to be replaced by clean ones, but before that the underlying infection needs to be sorted or any clean replacements will be infected.
I take it that this XP Pro SP2 version isn’t the 64bit version ?
If not: having XP SP2 no doubt leaves your system more vulnerable to attack, and SP3 has been out for over 18 months. Microsoft stopped issuing security updates for XP SP2 in July last year, so SP3 is an imperative security update (but you can't do this whilst infected).
This normally requires special tools to resolve and specialist help to deal with it; unfortunately essexboy, who has the tools and knowledge, is likely to be in bed now (11.30 p.m. in the UK) and won't be back until tomorrow.
You could try a System Restore to a point in time when this infection wasn't present. This may work; if it does you are in luck, if not you will need specialist help.
David, thank you for responding. I am running the 32-bit version of xp sp2. The system restore was turned off, so that is not an option. Reading from another post in this forum, it appears that combofix was run and was able to get rid of a similar infection. Should I download and run that or wait for essexboy to wake up and get online?
I would say wait; it is the safer option, as if there are no clean copies of those two files, I don't know if combofix can do anything.
It isn't a case of his getting up and getting online; he doesn't work for avast, but is a volunteer like the majority of the Evangelists, and he has a day job, so it could be some time before he is online. He took some time off work recently and I don't know how long that might be for, but I think he was back at work today.
So there is always the option to try combofix, but you need copies of the two files on your system. Normally copies can be saved into the root drive, C:, but your problem is further complicated by having SP2. I have copies of those two files that I have uploaded to mediafire (a file sharing site), but those are for XP Pro SP3 and may not be compatible with your system.
When you're done with this, System Restore, as imperfect as it is, is better than nothing, unless you have something to replace it, like hard disk imaging software; this can make an exact copy of your hard disk, partitions, etc.
This is what I have done so far. I ran DDS and Gmer and ComboFix, and as the character limit precludes me from pasting the logs and reports into the post, the DDS reports and the Gmer report are attached. The ComboFix report will be attached to the next post. When I ran ComboFix, it detected some problems, but it does not appear to have solved them, as I am still getting the avast malware warning re: winlogon.exe, that it is infected with win32:malware-gen, and win32:Patched-UE[Trj] found in c:\windows\explorer.exe. Both Mbam and Superantispyware, which were run after ComboFix, detected nothing.
I also have noticed in the last day or so that my wireless keyboard and trackball (both Logitech devices) now need to be about a foot from the wireless receivers in order to run properly, and I am getting redirected to ad and spam sites from Google. I do not know if these are all symptoms of the same infections or if there is something more insidious going on, but help is definitely needed.
Hi, it seems as though combofix found a spare copy, but it is reporting a lot of files failing the sig check... So could you re-run combofix please and allow it to update if it asks, attaching the log on completion. We may need to do a system file scan - do you have an XP CD?
After the computer rebooted and while combofix was generating its log, the avast malware warning re: winlogon.exe came up again and all of the icons on my desktop, and the start menu, disappeared. The start menu buttons on my keyboard also do not work.
Could you reboot to see if they are restored? I have uploaded fresh copies of the files (winlogon and explorer) to my site: http://cid-32d8666f4048075b.office.live.com/self.aspx/Malware%20files/winlogon.exe - download and save to your c:\windows\system32\dllcache folder. Then re-run combofix. If they fail it may mean you have a newer variant.