To avoid using multiple posts with copy and paste you have to attach the logs
Lower left corner: Additional Options > Attach (OTL.Txt and Extras.Txt, and Malwarebytes scan log)
Essexboy usually arrives in the forum late UK time
I downloaded ComboFix again today and ran it but now it just freezes at the point where it says “however, scan times for badly infected machines may easily double.”
I ran avast boot scan and it still finds the same malware/viruses.
It will download as an 8 digit file; save it to your desktop.
Restart in safe mode and run it.
Accept the enhanced version.
Then run the quick scan.
About halfway through you will be prompted to buy - just X the box closed.
Once finished it will generate a log; please attach that.
Hey,
I ran Dr Web and it found a virus under “ms.dll” which it said had a “Trojan.Generator” or something to that effect. I clicked “fix it” which I think was a bad idea. It finished the scan and found nothing else. It then restarted but now it’s stuck in an endless cycle of rebooting. I can’t even get into safe mode anymore.
Which also means I’m unable to get the log from Dr Web’s scan.
Is it still salvageable?
EDIT: I disabled automatic restart and it gave me this message:
“STOP: c000021a {Fatal System Error}
The Windows Logon Process system process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000).
The system has been shut down”
* Download OTLPEStd.exe to your desktop
* Download the attached scan.txt
* Ensure that you have a blank CD in the drive
* Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD
* Reboot your system using the boot CD you just created. Note: If you do not know how to set your computer to boot from CD follow the steps here
* As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads
* Your system should now display a Reatogo desktop. Note: as you are running from CD it is not exactly speedy
* Double-click on the OTLPE icon.
* Select the Windows folder of the infected drive if it asks for a location
* When asked “Do you wish to load the remote registry”, select Yes
* When asked “Do you wish to load remote user profile(s) for scanning”, select Yes
* Ensure the box “Automatically Load All Remaining Users” is checked and press OK
* OTL should now start.
* Double click the Custom scans and fixes box
* In the dialogue locate the scan.txt you have on the USB
* Press Run Scan to start the scan.
* When finished, the file will be saved in drive C:\OTL.txt
* Copy this file to your USB drive if you do not have internet connection on this system.
* Right click the file and select Send to: select the USB drive.
* Confirm that it has copied to the USB drive by selecting it
* You can backup any files that you wish from this OS
* Please post the contents of the C:\OTL.txt file in your reply.
Yesterday, I started having this exact same problem: Browser redirecting to ads; found “Dropper-EPI” and “Malware-gen” in explorer.exe and winlogon.exe, respectively. I will be watching this thread very closely until an attempted fix is successful.
I would try ComboFix and/or Dr Web right away, but I’m betting my computer will react the same as Bkjsun’s did. If anyone insists I take my chances and try them anyway, I’ll make sure to have OTLPEStd.exe on disc as a precaution.
SEP, MBAM, and Spybot are all unaware of this thing. Avast can detect it but can’t fix it. I’m just gonna sit on the problem until I read a post that says something like, “That fixed it. Thanks for your help.”
Just so I’m clear on this: No one has resolved their Dropper-EPI/Malware-gen problem, yet. Correct?
Start OTLPE as you did previously from CD
Copy the attached Fix.txt to a USB
* Insert your USB drive with fix.txt on it
* Start OTLPE
* Drag and drop fix.txt into the Custom scans and fixes box
* If you cannot drag and drop for some reason, then press the Run Fix button and a dialogue box will pop up asking for the location - select the file on your USB drive
* Then click the Run Fix button at the top
* Let the program run unhindered, reboot when it is done to normal mode if possible
* Then post a new OTL log (don’t check the boxes beside LOP Check or Purity this time)
It doesn’t look like I have any restore points. I’m not sure but under the directory of restore here are the files:
there are 4 files from august 2008 which is when I got the laptop.
then there are two files created 12/27/10 named “.” and “…” but each has 0 bytes.
then there’s machineguid.txt created 12/27/10 with 78 bytes.
finally there’s rstrlog.dat created 12/29/10 with 941,692 bytes.
Not sure what those are but it doesn’t look like I can use any of those to restore from.
Do you have a USB drive? As I have a programme that is specifically designed to find restore points
We will use a mobile operating system called xPUD, and a script called rst.sh to restore your computer.
On the clean computer.
Creating a bootable USB using xPUD
* Please download the following files and save them to the desktop
    - Unetbootin.exe
    - xPUD (latest version is xpud-0.9.2.iso)
* Insert the USB device to make bootable to the computer. (Make sure that no other USBs are inserted)
* Double-click on unetbootin.exe to run. Select Disk Image, ISO and in the space provided, enter the path location of xpud-0.9.2.iso (ex. C:\Documents and Settings\yourusername\Desktop\xpud-0.9.2.iso)
* Select USB Drive type and the drive letter assigned to your USB stick.
* Click “OK” and wait until the program finishes. You now have a bootable xPUD.
* Download the following tool and save it inside the bootable USB
Please note: if you prefer to create a bootable CD using xPUD, you may download the ISO image found here and burn it to a CD.
On the infected computer.
* Reboot your system using the xPUD bootable USB you just created. Note: If you do not know how to set your computer to boot from USB follow the steps here
* Your system should now display a xPUD desktop.
* Select the File icon; on the right pane click on the “mnt” folder and highlight “sdb1” - this is your USB device.
    sda1,2…usually corresponds to your HDD
    sdb1 is likely your USB
* Click on the “Tool” menu and select Open Terminal
* In the open terminal window, type in the following:
    bash rst.sh
* Press “Enter” and let it run uninterrupted.
  (The program lists available Restore Points and will save a report enum.log located in the USB drive.)
* The program is finished when it says “Done”.
* Type “Exit” to close the terminal window.
* Please attach the enum.log file in your reply. (You may remove your USB drive when transferring log to a clean computer).
Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download, the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too so you can send the logs that way.
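
An added example, not part of the original post and not the rst.sh script it refers to: a shell sketch of how restore points can be enumerated on an offline Windows volume from a live Linux environment such as xPUD. It assumes the Windows XP on-disk layout (`System Volume Information/_restore{GUID}/RPnn/snapshot/` holding the registry hive copies) and a volume mounted at a path such as /mnt/sda1; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: enumerate Windows XP System Restore points on an offline volume.
# Assumed layout: <root>/System Volume Information/_restore{GUID}/RPnn/snapshot/
# The five registry hive copies a complete XP restore point snapshot contains:
HIVES="_REGISTRY_MACHINE_SYSTEM _REGISTRY_MACHINE_SOFTWARE _REGISTRY_MACHINE_SAM _REGISTRY_MACHINE_SECURITY _REGISTRY_USER_.DEFAULT"

# Print one line per restore point: "<number> <hives present>/5 <path>", oldest first.
list_restore_points() {
    root=$1
    for rp in "$root"/"System Volume Information"/_restore*/RP*; do
        [ -d "$rp" ] || continue                     # glob did not match, or stray file
        num=${rp##*/RP}
        case $num in ''|*[!0-9]*) continue ;; esac   # skip names that are not RP<digits>
        found=0
        for h in $HIVES; do
            # -s: present and non-empty; a 0-byte hive copy is useless for recovery
            [ -s "$rp/snapshot/$h" ] && found=$((found + 1))
        done
        printf '%s %s/5 %s\n' "$num" "$found" "$rp"
    done | sort -n
}

# Print the number of the newest restore point that holds all five hives.
# Returns non-zero when the volume has no complete restore point.
newest_complete_rp() {
    best=$(list_restore_points "$1" |
           awk '$2 == "5/5" { n = $1 } END { if (n != "") print n }')
    [ -n "$best" ] && printf '%s\n' "$best"
}

# Stand-alone use: pass the mount point of the Windows volume, e.g. /mnt/sda1
[ $# -eq 0 ] || list_restore_points "$1"
```

An empty listing here corresponds to the "no restore points" situation described earlier in the thread; a restore point with fewer than five hives is listed but not offered as a recovery candidate.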