Author Topic: Virus: winlogon.exe & explore.exe  (Read 19123 times)


lchg

  • Guest
Virus: winlogon.exe & explore.exe
« on: October 11, 2010, 07:45:48 PM »
I am showing virus infection for the following files: winlogon.exe & explore.exe.   I ran ComboFix, but cannot reboot my computer.  Upon manual shutdown, the virus reappears.  The ComboFix log and an OTL file log are attached.  Any help is appreciated.  Thanks.

Jtaylor83

  • Guest
Re: Virus: winlogon.exe & explore.exe
« Reply #1 on: October 11, 2010, 07:55:11 PM »

lchg

  • Guest
Re: Virus: winlogon.exe & explore.exe
« Reply #2 on: October 11, 2010, 08:41:31 PM »
I tried Hitman Pro 3.5.6 earlier today.  It identifies the 2 files as infected; however, I get the following message from Hitman for both infected files:  "To maintain system stability, Windows must restore original version of this file.  Insert your Windows installation CD-ROM".  I found my operating system recovery CD and did as instructed, but the files in the HitMan screen change to Do Not Delete after hitting the next button.  The infected files still remain.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Virus: winlogon.exe & explore.exe
« Reply #3 on: October 11, 2010, 08:57:52 PM »
Do you have access to another computer to copy those files?

Also, could you look in your recycle bin to see if the copies were placed there?

If you can get other copies then place them on your root C drive and let me know - I will then swap them.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes

lchg

  • Guest
Re: Virus: winlogon.exe & explore.exe
« Reply #5 on: October 11, 2010, 09:36:31 PM »
Okay, I got a copy of the files from another computer and have them on my root C drive (I see you have made a copy too, thanks).  Should I rerun Hitman and try to redirect it to my C drive?  It did not have a browse option before?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Virus: winlogon.exe & explore.exe
« Reply #6 on: October 11, 2010, 09:49:37 PM »
Nope, what we will do now is use Combofix to move them to make sure it is done safely.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
Fcopy::
C:\explorer.exe|c:\windows\explorer.exe
C:\winlogon.exe|c:\windows\system32\winlogon.exe

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new OTListit log.

lchg

  • Guest
Re: Virus: winlogon.exe & explore.exe
« Reply #7 on: October 11, 2010, 10:19:29 PM »
The reports you requested are attached.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Virus: winlogon.exe & explore.exe
« Reply #8 on: October 11, 2010, 10:43:19 PM »
Numpty CF did not work quite right, so let's try again - I will look at the logs whilst you do this.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
Fcopy::
c:\windows\system32\dllcache\winlogon.exe|c:\windows\system32\winlogon.exe

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt

lchg

  • Guest
Re: Virus: winlogon.exe & explore.exe
« Reply #9 on: October 11, 2010, 10:59:00 PM »
Here is the next ComboFix report.  Just so you know, the computer rebooted while running the ComboFix this time.  Thanks.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Virus: winlogon.exe & explore.exe
« Reply #10 on: October 11, 2010, 11:08:48 PM »
What problems are you experiencing now?

Combofix is making me work today

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
SRPeek::
c:\windows\explorer.exe

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt

lchg

  • Guest
Re: Virus: winlogon.exe & explore.exe
« Reply #11 on: October 11, 2010, 11:32:15 PM »
Sorry for the difficulties.  Looks like the explorer.exe file is still a problem.  The updated Combofix.txt is attached.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Virus: winlogon.exe & explore.exe
« Reply #12 on: October 11, 2010, 11:43:01 PM »
No problem - I get to use commands that are rarely used  ;D

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
SCOPY::
RP5\A0007046.exe|c:\windows\explorer.exe

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt

lchg

  • Guest
Re: Virus: winlogon.exe & explore.exe
« Reply #13 on: October 12, 2010, 12:18:57 AM »
Here is the latest.  Sorry, but I have to run and may not get back to this until tomorrow.  I really appreciate your time and effort.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Virus: winlogon.exe & explore.exe
« Reply #14 on: October 12, 2010, 09:38:45 PM »
No problem - I have been going over the logs to try and find the trigger, as the file gets re-infected as soon as CF fixes it.  I have noticed an anomaly which I would like to clear now.  Follow this immediately with the CF script.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    O15 - HKLM\..Trusted Domains: //about.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //Exclude.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //LanguageSelection.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //Message.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //MyAgttryCmd.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //MyAgttryNag.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //MyNotification.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //NOCLessUpdate.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //quarantine.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //ScanNow.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //strings.vbs/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //Template.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //Update.htm/ ([]myui in Trusted sites)
    O15 - HKLM\..Trusted Domains: //VirFound.htm/ ([]myui in Trusted sites)

    :Commands
    [purity]
    [resethosts]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
CFScript

1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
KillAll::

SCOPY::
RP5\A0007046.exe|c:\windows\explorer.exe


3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below.  This will start ComboFix again.

6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new OTListit log.
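
As an added example (not from this thread and not ComboFix's own code), here is a small Python check for the CFScript shape used in the replies above: it parses the Fcopy::/SCOPY::/SRPeek:: directives, pulls out the source|destination pairs, and hashes each known-good copy against the live file, so a helper can see before and after a fix whether the two actually differ (the re-infection essexboy is chasing shows up as the live file differing again). The directive layout is inferred from the scripts posted here; the hash comparison, the sample script and the files it checks are constructed for illustration.

```python
import hashlib
import os
import tempfile
# Constructed CFScript in the same shape as the ones posted in this thread.
SAMPLE_SCRIPT = """Fcopy::
C:\\explorer.exe|c:\\windows\\explorer.exe
C:\\winlogon.exe|c:\\windows\\system32\\winlogon.exe
SRPeek::
c:\\windows\\explorer.exe
"""

def parse_cfscript(text):
    """Split a CFScript into {directive: [entries]}; a directive header is a line ending in '::'."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections

def copy_pairs(sections):
    """(known_good, live) tuples from Fcopy::/SCOPY:: entries; malformed lines are rejected."""
    pairs = []
    for entry in sections.get("Fcopy", []) + sections.get("SCOPY", []):
        if entry.count("|") != 1:
            raise ValueError("expected source|destination, got %r" % entry)
        pairs.append(tuple(entry.split("|")))
    return pairs

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def compare_pairs(pairs):
    """Per live file: 'match' (identical to its known-good copy), 'differs' or 'missing'."""
    def status(good, live):
        if not (os.path.isfile(good) and os.path.isfile(live)):
            return "missing"
        return "match" if sha256_of(good) == sha256_of(live) else "differs"
    return {live: status(good, live) for good, live in pairs}

def demo():
    d = tempfile.mkdtemp()  # constructed sample files: one intact live copy, one tampered, one absent
    good, ok, bad = (os.path.join(d, n) for n in ("dllcache_winlogon.exe", "ok.exe", "bad.exe"))
    for path, data in ((good, b"MZ clean"), (ok, b"MZ clean"), (bad, b"MZ tampered")):
        with open(path, "wb") as f:
            f.write(data)
    return compare_pairs([(good, ok), (good, bad), (good, os.path.join(d, "gone.exe"))])
```

Run the same comparison against the real paths from a posted script after ComboFix reports success; a live file that reads "differs" again a minute later is the re-infection trigger still at work.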