I am showing virus infection for the following files: winlogon.exe & explore.exe. I ran ComboFix, but cannot reboot my computer. Upon manual shutdown, the virus reappears. The ComboFix log and an OTL file log are attached. Any help is appreciated. Thanks.
You got Bamital/Drooptroop.
Please download and run Hitman Pro - Second Opinion Malware Scanner.
http://hitmanpro.wordpress.com/2010/08/22/bamital-drooptroop-remediation/
I tried Hitman Pro 3.5.6 earlier today. It identifies the 2 files as infected; however, I get the following message from Hitman for both infected files: “To maintain system stability, Windows must restore original version of this file. Insert your Windows installation CD-ROM”. I found my operating system recovery CD and did as instructed, but the files in the HitMan screen change to Do Not Delete after hitting the Next button. The infected files still remain.
Do you have access to another computer to copy those files?
Also could you look in your recycle bin to see if the copies were placed there
If you can get other copies then place them on your root c drive and let me know - I will then swap them
I have a copy of both files (XP SP2) at these locations
http://cid-32d8666f4048075b.office.live.com/self.aspx/Malware%20files/EXPLORER.EXE
Okay, I got a copy of the files from another computer and have them on my root C drive (I see you have made a copy too, thanks). Should I rerun Hitman and try to redirect it to my C drive? It did not have a browse option before?
Nope, what we will do now is use ComboFix to move them, to make sure it is done safely.
-
Please open Notepad
* Click Start, then Run
* Type notepad.exe in the Run box
-
Now copy/paste the entire content of the codebox below into the Notepad window:
Fcopy::
C:\explorer.exe|c:\windows\explorer.exe
C:\winlogon.exe|c:\windows\system32\winlogon.exe
-
Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
-
Save the above as CFScript.txt
-
Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
- After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
* Combofix.txt
* A new OTListit log.
The reports you requested are attached.
Numpty CF did not work quite right, so let's try again - I will look at the logs whilst you do this.
-
Please open Notepad
* Click Start, then Run
* Type notepad.exe in the Run box
-
Now copy/paste the entire content of the codebox below into the Notepad window:
Fcopy::
c:\windows\system32\dllcache\winlogon.exe|c:\windows\system32\winlogon.exe
-
Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
-
Save the above as CFScript.txt
-
Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
- After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
* Combofix.txt
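As an added illustration (not part of this thread, and not a ComboFix or OTL feature): before using a copy from another PC, the dllcache, or a restore point as the replacement for explorer.exe or winlogon.exe, a practitioner would confirm that the candidate copies agree with each other and differ from the file in place. The Python script below does that by SHA-256. The file paths and the sample file contents are constructed assumptions; on a real XP box the paths would be the ones named in the thread.

```python
"""Compare a suspect Windows system file against reference copies by SHA-256.

Added example, not part of the forum thread and not ComboFix/OTL code.
All paths and sample bytes are constructed for the demo.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 of a file, read in chunks so large binaries fit."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_copies(suspect, references):
    """Hash the suspect file and each reference copy that exists.

    Returns a dict with:
      suspect_hash     - hash of the file currently in place
      reference_hashes - {path: hash} for every reference that exists
      agreeing         - references whose hash matches the suspect
      differing        - references whose hash differs (suspect modified, or
                         the reference comes from another build/service pack)
      consistent       - True when all references agree with each other,
                         which is what you want before using one of them
    """
    suspect_hash = sha256_file(suspect)
    reference_hashes = {p: sha256_file(p) for p in references if os.path.isfile(p)}
    agreeing = sorted(p for p, h in reference_hashes.items() if h == suspect_hash)
    differing = sorted(p for p, h in reference_hashes.items() if h != suspect_hash)
    consistent = len(set(reference_hashes.values())) <= 1
    return {
        "suspect_hash": suspect_hash,
        "reference_hashes": reference_hashes,
        "agreeing": agreeing,
        "differing": differing,
        "consistent": consistent,
    }


def demo():
    """Build constructed sample files in a temp dir and run the comparison.

    The 'clean' bytes stand in for the genuine binary; the 'suspect' copy has
    extra bytes appended, the way a file infector changes a host executable.
    The restore-point path is deliberately absent to show missing references
    are skipped rather than treated as an error.
    """
    clean = b"MZ" + b"\x00" * 62 + b"clean-explorer-body"
    infected = clean + b"appended-payload-bytes"
    tmp = tempfile.mkdtemp(prefix="sysfilecheck_")
    suspect = os.path.join(tmp, "explorer.exe")            # assumed: c:\windows\explorer.exe
    dllcache = os.path.join(tmp, "dllcache_explorer.exe")  # assumed: dllcache copy
    other_pc = os.path.join(tmp, "other_pc_explorer.exe")  # assumed: copy from another PC
    missing = os.path.join(tmp, "restore_point_copy.exe")  # deliberately absent
    for path, data in ((suspect, infected), (dllcache, clean), (other_pc, clean)):
        with open(path, "wb") as fh:
            fh.write(data)
    return compare_copies(suspect, [dllcache, other_pc, missing])


if __name__ == "__main__":
    result = demo()
    print("suspect:", result["suspect_hash"])
    for path, h in result["reference_hashes"].items():
        print("reference:", path, h)
    print("references consistent:", result["consistent"])
    print("differing from suspect:", result["differing"])
```

Two references that agree with each other but differ from the file in place is the pattern that justifies the swap; if the references disagree among themselves, one of them is from a different service pack or is itself modified, and the swap should wait until that is sorted out.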
Here is the next ComboFix report. Just so you know, the computer rebooted while running the ComboFix this time. Thanks.
What problems are you experiencing now?
Combofix is making me work today
-
Please open Notepad
* Click Start, then Run
* Type notepad.exe in the Run box
-
Now copy/paste the entire content of the codebox below into the Notepad window:
SRPeek::
c:\windows\explorer.exe
-
Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
-
Save the above as CFScript.txt
-
Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
- After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
* Combofix.txt
Sorry for the difficulties. Looks like the explorer.exe file is still a problem. The updated Combofix.txt is attached.
No problem - I get to use commands that are rarely used ;D
-
Please open Notepad
* Click Start, then Run
* Type notepad.exe in the Run box
-
Now copy/paste the entire content of the codebox below into the Notepad window:
SCOPY::
RP5\A0007046.exe|c:\windows\explorer.exe
-
Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
-
Save the above as CFScript.txt
-
Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
- After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
* Combofix.txt
Here is the latest. Sorry, but I have to run and may not get back to this until tomorrow. I really appreciate your time and effort.
No problem - I have been going over the logs to try and find the trigger, as the file gets re-infected as soon as CF fixes it. I have noticed an anomaly which I would like to clear now. Follow this immediately with the CF script.
Run OTL
* Under the Custom Scans/Fixes box at the bottom, paste in the following
:OTL
O15 - HKLM\..Trusted Domains: //about.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Exclude.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //LanguageSelection.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Message.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryCmd.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyAgttryNag.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //MyNotification.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //NOCLessUpdate.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //quarantine.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //ScanNow.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //strings.vbs/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Template.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //Update.htm/ ([]myui in Trusted sites)
O15 - HKLM\..Trusted Domains: //VirFound.htm/ ([]myui in Trusted sites)
:Commands
[purity]
[resethosts]
[EMPTYFLASH]
[CREATERESTOREPOINT]
* Then click the Run Fix button at the top
* Let the program run unhindered, reboot the PC when it is done
* Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
CFScript
-
Please open Notepad
* Click Start, then Run
* Type notepad.exe in the Run box
-
Now copy/paste the entire content of the codebox below into the Notepad window:
KillAll::
SCOPY::
RP5\A0007046.exe|c:\windows\explorer.exe
-
Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
-
Save the above as CFScript.txt
-
Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
- After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
* Combofix.txt
* A new OTListit log.
Here are the new reports/logs. Thanks. Not sure it matters, but my virus protection is now identifying ComboFix as a virus and deleting it off my desktop.
Are you still getting alerts on explorer ?
If so I will have to use the big AV - This is a new version so I have not yet formulated proper instructions for it
Download the latest Dr Web from here http://www.freedrweb.com/?lng=en
It will download as an 8 digit file
Run the file and agree to the enhanced mode
Run a quick scan initially - it will lock your desktop for the duration
About half way through it will ask to either buy or download the demo. Close the box using the X
Allow it to cure
At the end a log will be generated; please post that.
Yes, it is still showing as infected. I will give the new version a try.
The CureIt.log is too large to attach and has too many characters to post directly. I can break the log down into 3 or 4 smaller text files and post separately. Is that okay with you?
Or you could upload it to Mediafire:
- Mediafire.com - Upload to http://www.mediafire.com/ and post the sharing link.