
Increasing Alert Popups. Winlogon.exe and Explorer.exe deleted


  • This topic is locked
2 replies to this topic

#1 CollieAnn

  • Members

Posted 01 January 2011 - 04:06 PM

Hello

I've started getting unexpected popup alerts that appear to be from AVG due to the logo being the same as AVG in the top left corner of the window, but I understand they are not from AVG.

When it originally happened, I thought the alerts were real (even though I hadn't been doing a scan or opening a referenced file), so I clicked on "delete infections" or "remove unhealed infections." Then each popup had progressively more entries. The entries, though, were the same ones, just repeated. These were the three entries that were repeated:

"c:\\windows\system32\winlogon.exe TrojanhorsePatched_c.KAI
c:\\windows\system32\winlogon.exe(684) TrojanhorsePatched_c.KAI
c:\\windows\Explorer.exe virus identifiedwin32/patched.GB
c:\\windows\explorer.exe(3688) virus identifiedWin32/Patched.GB"

Each entry said it could not be resolved because:

"Object is white-listed (critical/system file that should not be removed)"

After a time, I ran Spybot, which found one trojan horse problem.
Then I ran the real AVG scan, and when it completed, a window popped up saying it needed to restart the computer to complete the cleanup.
I said OK
Then I couldn't boot my system. Got a blue screen with something like this:

"Windows login process terminated unexpectedly. with a status of 0xC0000034 system has been shut down
c0000034 Fatal System Error"

SO - a friend came over who was able to boot off a disk. It appeared the computer had deleted the winlogon.exe and explorer.exe. After we put those files back on the machine, it booted and is running again.

Last night, I did another Spybot scan, which found two problems - one had to do with a Trojan. These were resolved.
Then I ran MS Malware, which also found a problem or two. Trojan again. Resolved.

HOWEVER, this morning the popups have begun again. As long as I "ignore" or "close" the windows, they haven't been as many, but in the last hour, they are picking up again. Here are the latest ones I'm "ignoring:"

"Resident Shield alert
Accessed file is infected
Threat detected!
File name: C:\System Volume Information\_restore{D46DE8921-1D39-44D2-A9E9-64119261F211}RP4\A00000160.exe
Trojan horse Patched_c.KAI
Detected on open"

Now it's starting to present the "Multiple threat detection" windows with file names, Infection, and Results columns. Same pattern as before, only not as many entries because I'm selecting "ignore" or "close."

I've attached a copy of the most recent screens I am getting this morning.

I run Windows XP Professional Version 2002 on a DELL Inspiron 710M.

Can you help?
Thanks


#2 teacup61


  • Malware Response Team

Posted 01 January 2011 - 08:00 PM

Hello CollieAnn,


You have a Bamital infection.....so let's fix it. :)


This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. YOU MUST UNINSTALL AVG FOR THIS TO RUN.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to CollieAnn.exe and try again.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!


Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61


  • Malware Response Team

Posted 10 January 2011 - 12:33 PM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic