Help please! Win32 Dropper and Win32 Malware gen in explorer and winlogon

[bkjsun]

Hi guys, hope you enjoyed your holidays,

Just today I realized my browser would randomly get redirected to other sites. So I ran avast and discovered two items win32 dropper and win32 malware that had infected both explorer.exe and winlogon.exe.

I am attaching the logs from malware bytes and from OTL.
Any help is greatly appreciated. I really can't afford to get a new laptop.

Thank you!

[Fawkes]

Oddly enough I have the same problem.When your try to move the file to the chest it wont let you right? .I keep on getting warning every once and awhile that avast has stopped the file from executing.

[bkjsun]

Yeah, it won't let me repair the file or move it to the chest. Don't know what to do.

[nsm0220]

have all you have a boot cd (to help fix)

[superhacker]

have all you have a boot cd (to help fix)

If you love God STOP TELLING OTHERS ABOUT GDATA AND BOOT CDS I HAVE HEADACHE FROM YOUR POSTS
 

[13thSlayer]

have all you have a boot cd (to help fix)

If you love God STOP TELLING OTHERS ABOUT GDATA AND BOOT CDS I HAVE HEADACHE FROM YOUR POSTS
 

I agree. GData is absolutely useless and will not help us, especially the "boot CD" (normal term: LiveCD), since we can boot Windows.
May I suggest ComboFix?

[Pondus]

Yeah, it won't let me repair the file or move it to the chest. Don't know what to do.

What to do is relax and wait for Essexboy....... he will be here in 3 - 4 hours

[DavidR]

Hi guys, hope you enjoyed your holidays,

Just today I realized my browser would randomly get redirected to other sites. So I ran avast and discovered two items win32 dropper and win32 malware that had infected both explorer.exe and winlogon.exe.
<snip>

Avast won't let you move it to the chest or delete it as these are essential system files so there removal could trash your system. Even though they are infected your system still works but this is trying to get out to drag in more malware, the network/web shields (or firewall) should hopefully be blocking these attempts.

So for now do nothing until essexboy can get on the case.

Basically you have to get rid of the underlying infection (the one that is infecting these files) before replacing them with clean copies. If you don't the replacements will just be infected. Whatever you do don't simply delete these.

[bkjsun]

Thanks Pondus and DavidR, I'll just leave the laptop off for now.

[Fawkes]

Would it be ok to back up photos or documents onto a cd from the infected computer or would I have a good chance from infecting my other computer when I put the cd in? .Also can I hook up my ipod to my other computer or is their a possibility of that being infected also?

Sorry for all the questions.

[DavidR]

Thanks Pondus and DavidR, I'll just leave the laptop off for now.

You're welcome, hopefully it won't be long before essexboy is on the forums.

[DavidR]

Would it be ok to back up photos or documents onto a cd from the infected computer or would I have a good chance from infecting my other computer when I put the cd in? .Also can I hook up my ipod to my other computer or is their a possibility of that being infected also?

Sorry for all the questions.

In this case it doesn't appear a file infecter, so that shouldn't be necessary, but of course you routinely backup your important files anyway don't you

When essexboy does get to this topic, I suggest that you create your own new topic and post the link to that topic. Trying to help two people with something like this is likely to cause confusion as even though it may appear top be the same, the systems and condition may not be identical.

I would keep this computer isolated from others for now until we know exactly what the circumstances are.

[essexboy]

Hi your explorer and winlogon files are infected - and currently I cannot see a spare.  So lets use Combofix to see if it can find one - if not we will look in system restore


Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on ComboFix.exe & follow the prompts.
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

[DavidR]

A mediafire link for XP SP3 winlogon.exe and explorer.exe that I uploaded before.

http://www.mediafire.com/?3s5sr8r4o75nah9

[essexboy]

Ta David