Virus: winlogon.exe & explore.exe

[lchg]

Here are the new reports/logs.  Thanks.  Not sure it matters, but my virus protection is now itentify ComboFix as a virus and deleting it off my desktop.

[essexboy]

Are you still getting alerts on explorer ?

If so I will have to use the big AV - This is a new version so I have not yet formulated proper instructions for it 

Download the latest Dr Web form here http://www.freedrweb.com/?lng=en

It will download as an 8 digit file

Run the file and agree to the enhanced mode
Run a quick scan initially - it will lock your desktop for the duration
About half way through it will ask to either buy or download the demo.  Close the box using the X
Allow it to cure
At the end a log will be generated please post that

[lchg]

Yes, it is still showing as infected.  I will give the new version a try.

[lchg]

The CureIt.log is too large to attach and has too many characters to post directly.  I can break the log down into 3 or 4 smaller text files and post separately.  Is that okay with you?

[DavidR]

Or you could upload it to Mediafire:

- Mediafire.com - Upload to http://www.mediafire.com/ and post the sharing link.

[lchg]

Thanks for the tip.  Here is the link: http://www.mediafire.com/file/xegq4h866bttkvc/CureIt.log

[DavidR]

You're welcome, I mentioned it as essexboy does use it, so it should be easier for him to access it than on multiple smaller files. Hopefully he will be back on-line soon.

[lchg]

Not sure if this is useful information, but McAfee came up with the following message after running the CureIt scan:
File deleted - winlogon.exe 
Generic.dxl.ucd 
C:\Windows\system32\dllcode\winlogon

[essexboy]

Intriguing Dr Web cleared explorer and winlogon in memory

Have you rebooted since the file was deleted ?

[lchg]

It did not reboot automaticallt abd I did not reboot.  Should I reboot now or run CureIt again and then reboot?

[essexboy]

Reboot now please and let me know if you are still getting the explorer alert

[lchg]

Rebooted and ran a scan with Hitman Pro.  The two files are still showing as infected.  This is a resilient virus!

[essexboy]

One further area to check

Please download MBRCheck.exe to your desktop.

• Be sure to disable your security programs
  
• Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
• A window similar to this should open on your desktop:

• If you are prompted with options, enter N at the prompt and press Enter[/i]
  
• Press Enter[/i] again
  
• A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your deskop.  Please post the contents of that file.

[lchg]

The file is attached

[essexboy]

OK before we proceed does your computer have a recovery partition ? If so what is the make of your computer

Run MBRCheck.exe once again.
 
You will be presented with the following dialog:
 

Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

 
Enter Y and press Enter.
 
The following dialog will be presented:

Options:
[1] Dump the MBR of a physical disk to file.
[2] Restore the MBR of a physical disk with a standard boot code.
[3] Exit.
 
Enter your choice:

 
Enter 1 and press Enter
 
The following dialog will be presented:
 

Enter the physical disk number to fix (0-99, -1 to cancel):

 
Enter 0 and press Enter
 
The program will ask for the file name to dump to, type dump.txt and Press Enter. You should see a Dumped successfully message. Type -1 and press Enter twice to exit the program. Save the dump.txt file to your desktop then attach it on your next reply.