win32Dropper

Hi there, I have the same problem as I’ve noticed a few other posters (Eyes70 and Dominoboy) have had. Hopefully Essexboy or someone else can help me out.

I have the virus in both the explorer.exe and winlogon.exe and Avast cannot remove since it’s a read-only file.

I have attached what came up after I did the OTL quick scan. Let me know if I need to give you any more information!

Thanks.

OK yet another explorer/winlogon infection

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O4 - HKU\S-1-5-21-2693613500-1025516215-2630329190-1006..\Run: [cibop] C:\Documents and Settings\CorinneB\cibop.exe File not found
O20 - HKU\S-1-5-21-2693613500-1025516215-2630329190-1006 Winlogon: Shell - (C:\Documents and Settings\CorinneB\vpyu.exe) - C:\Documents and Settings\CorinneB\vpyu.exe File not found
O33 - MountPoints2\{b8a3fc64-c624-11df-9775-0025d3485981}\Shell\AutoRun\command - "" = E:\DIJAMANTE\veciti.exe -- File not found
O33 - MountPoints2\{b8a3fc64-c624-11df-9775-0025d3485981}\Shell\explore\command - "" = E:\DIJAMANTE\\veciti.exe -- File not found
O33 - MountPoints2\{b8a3fc64-c624-11df-9775-0025d3485981}\Shell\open\command - "" = E:\DIJAMANTE\\veciti.exe -- File not found

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

[*]Double click on ComboFix.exe & follow the prompts.

[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
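As an added illustration (not part of this thread, and not code from the OTL tool), here is a small Python triage script that reads OTL-style autostart lines like the ones in the fix above and flags the traits the helper is reacting to: a Winlogon Shell value that is not explorer.exe, AutoRun commands registered for a mounted volume, and Run entries that point into a user profile or at files that no longer exist. The sample input is the three entries from this thread plus one constructed benign placeholder line; the heuristics are my own, not OTL's.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample log: the three autostart entries quoted in the OTL fix above,
# plus one benign placeholder entry (not from the thread) so a clean line is seen too.
SAMPLE_OTL = r"""
O4 - HKU\S-1-5-21-2693613500-1025516215-2630329190-1006..\Run: [cibop] C:\Documents and Settings\CorinneB\cibop.exe File not found
O20 - HKU\S-1-5-21-2693613500-1025516215-2630329190-1006 Winlogon: Shell - (C:\Documents and Settings\CorinneB\vpyu.exe) - C:\Documents and Settings\CorinneB\vpyu.exe File not found
O33 - MountPoints2\{b8a3fc64-c624-11df-9775-0025d3485981}\Shell\AutoRun\command - "" = E:\DIJAMANTE\veciti.exe -- File not found
O4 - HKLM..\Run: [ExampleAV] C:\Program Files\ExampleAV\tray.exe (Example Vendor)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")                 # "O4 - ..." style lines
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.exe', re.IGNORECASE)  # first .exe path(s) in the entry
USER_PROFILE_ROOTS = ("c:\\documents and settings\\", "c:\\users\\")


def assess_entry(section, body):
    """Return the reasons (possibly none) an OTL autostart entry deserves a closer look."""
    reasons = []
    paths = PATH_RE.findall(body)
    if body.endswith("File not found"):
        reasons.append("orphaned autostart: target file is missing")
    if section == "O20" and "Winlogon: Shell" in body and paths:
        # The only legitimate Winlogon shell on a stock XP box is explorer.exe.
        if PureWindowsPath(paths[0]).name.lower() != "explorer.exe":
            reasons.append("Winlogon Shell value replaced (should be explorer.exe)")
    if section == "O33":
        reasons.append("AutoRun command registered for a removable/mounted volume")
    if any(p.lower().startswith(USER_PROFILE_ROOTS) for p in paths):
        reasons.append("autostart target lives inside a user profile directory")
    return reasons


def triage(log_text):
    """Parse 'Oxx - ...' lines and return only the entries that raised at least one reason."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        reasons = assess_entry(section, body)
        if reasons:
            findings.append({"section": section, "paths": PATH_RE.findall(body), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_OTL):
        print(f["section"], f["paths"][0] if f["paths"] else "?", "->", "; ".join(f["reasons"]))
```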

I’ve attached both logs from the ComboFix and the OTL.

Thanks for your help!

Could you download a copy of winlogon.exe and explorer.exe from my site to your c:\windows\system32\dllcache folder please http://cid-32d8666f4048075b.office.live.com/self.aspx/Malware%20files/winlogon.exe

Once done rerun combofix and then let's see if it can find the replacement

I hope I did that right. I downloaded winlogon and explorer from your folder and saved them in the folder you specified. I have now attached the new Combofix log.

Thanks!

OK CF is not finding it so I will give it a nudge, if it doesn’t work we will leave windows and work outside

  1. Please open Notepad
    [*] Click Start, then Run
    [*] Type notepad.exe in the Run Box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

FCopy::
c:\windows\system32\dllcache\explorer.exe|c:\windows\explorer.exe
c:\windows\system32\dllcache\winlogon.exe|c:\windows\system32\winlogon.exe

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    [*]Combofix.txt

I’ve posted the new log.

OK we need to work outside of windows now

Download fresh copies of the two files and place them on your c drive i.e. C:\explorer.exe

Please print these instruction out so that you know what you are doing

OTLPEStd.exe
MD5=107440596207871822220183734CF7C4
98,217,771 bytes / 93.6MB

[*]Download OTLPEStd.exe to your desktop
[*]Download the attached scan.txt to a USB
[*]Ensure that you have a blank CD in the drive
[*]Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD

[*]Reboot your system using the boot CD you just created.
Note : If you do not know how to set your computer to boot from CD follow the steps here
[*]As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :)

[*]Your system should now display a Reatogo desktop.
Note : as you are running from CD it is not exactly speedy
[*]Double-click on the OTLPE icon.
[*]Select the Windows folder of the infected drive if it asks for a location
[*]When asked “Do you wish to load the remote registry”, select Yes
[*]When asked “Do you wish to load remote user profile(s) for scanning”, select Yes
[*]Ensure the box “Automatically Load All Remaining Users” is checked and press OK
[*]OTL should now start.
[*]Double click the Custom scans and fixes box
[*]In the dialogue locate the scan.txt you have on the USB
[*]Press Run Scan to start the scan.
[*]When finished, the file will be saved in drive C:\OTL.txt
[*]Copy this file to your USB drive if you do not have internet connection on this system.
[*]Right click the file and select send to : select the USB drive.
[*]Confirm that it has copied to the USB drive by selecting it
[*]You can backup any files that you wish from this OS
[*]Please post the contents of the C:\OTL.txt file in your reply.

thanks for your reply. Problem - I have a netbook so no CD drive. :( Can I get around this somehow or do we have to try something else?

I don’t know how to go about it, that is something I am going to have to do at some point as I also have a netbook.

By all accounts it is possible to make a boot USB stick, on which you can place the disk image and it is meant to run like a Boot CD. So you could try a google search for create USB boot disk, see this search http://www.google.co.uk/search?q=create+usb+boot+disk+from+iso.
Now you would need to search for how to boot from USB, http://www.google.co.uk/search?q=how+to+boot+from+usb+windows+7.
You would also need to check how you can set your netbook to boot from USB as no doubt you would have to change the boot order if it is supported in your netbook’s BIOS.

Unfortunately that is about as helpful as I can be as I have never done this before.

Edit: just noticed you're using XP, just change the windows 7 bit at the end of the search to windows XP to get more specific results, though you will also find results for XP in the above searches.

Thanks! Will try and hopefully post results soon!

You’re welcome, good luck with that.

It just so happens that we have a tool for netbooks with no CD

IMPORTANT:
You will need a flash drive with a size of 512 MB or bigger. Make sure that you do not leave anything important on the flash drive, as all data on it will be deleted during the following steps.

[*]Download OTLPEStd.exe from the following link and save it to your Desktop: mirror1.

[*]Download eeepcfr.zip from the following link and save it to your Desktop: the mirror

[*]Finally, if you do not have a file archiver like 7-zip or Winrar installed, please download 7-zip from the following link and install it: the mirror

[*]Once you have 7-zip installed, decompress OTLPEStd.exe by right-clicking on the folder and choosing the options shown in the picture below. Please use a dedicated folder, for example OTLPE, on your Desktop

http://i643.photobucket.com/albums/uu158/_temp_/otlpestdsmaller.jpg

[*]Open the folder OTLPEStd which will be created in the same location as OTLPEStd.exe and right-click OTLPE_New_Std.iso. Select 7-Zip and from the submenu select Extract files… and extract the content onto your Desktop in a OTLPE folder:

http://i643.photobucket.com/albums/uu158/_temp_/otlpestdsmall2.jpg

[*]Please also decompress eeepcfr to your systemroot (usually C:\).

[*] Empty the flash drive you want to install OTLPE on.

[*]Go to C:\eeepcfr and double-click usb_prep8.cmd to launch it.

[*] Press any key when asked to in the black window that opens.

[*]As indicated in the image, make sure you have selected the correct flash drive, before proceeding.
For Drive Label: type in OTLPE.
Under Source Path to built BartPE/WinPE Files click and select the folder OTLPE that you created on your Desktop.
Finally check Enable File Copy.

http://i643.photobucket.com/albums/uu158/_temp_/otlpe-2.jpg

[*]Click on Start, accept the disclaimers and wait for the program to finish.

Your bootable flash drive should now be ready!

thank you, i will try that!

Alright, so I hate to post this, but I have a new problem. I went away for a few weeks and turned my computer off. When I just tried rebooting my computer, it keeps trying to restart again and again with no luck. It starts doing the Windows load up, then flashes a black screen, then tries again. I know this has something to do with the virus, but I’m not sure what I can do at this point. I tried starting in Safe Mode, but no luck. Any suggestions?

Were you able to create a bootable USB ? As OTLPE works outside of windows and will still run, thereby enabling me to see what is wrong

No, I hadn’t done that yet. Uh-oh…

Is there anything you can suggest on your end at this point or will I need to take it to someone in-person? Thank you!

If you run the OTLPE it will produce a log for me to analyse and create a fix ;D

OK, so I’m just a bit confused. I thought that since I didn’t create the OTLPE before my computer crashed, I was hooped. But are you saying that I can create the OTLPE from another computer, and use it on my netbook to fix it? If so, I will do that right now!