win32:Bamita!-X again!

hello…
same as before…
my computer is infected by this malware… :cry:
and here is some log from the scan…
can anyone help me?
thanks beforehand…

I see you have already run ComboFix; could I see the log, please?

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done

THEN

Run OTL again

- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in

netsvcs
/md5start
explorer.exe
winlogon.exe
/md5stop

- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

yes I do use it…
here is the log…

hmm… do I wait for your reply or…
do what you said before?? (running the OTL)

Run the OTL scan now please - ComboFix could not find a spare copy of winlogon or explorer. If OTL cannot find one, do you have access to a Windows CD or another computer where we can copy them from?

here is the log…
huh, Windows CD?? --a I don't have one…
another computer?? well yes, I have… but how can I copy it??

btw, while I was running OTL… “tread has detected!!” it was from avast… is that ok?

OK what I need you to do now is copy both explorer.exe and winlogon.exe from the other computer to a USB stick and place the files on your c: drive so that they are like this
C:\explorer.exe
C:\winlogon.exe

Then

  1. Please open Notepad
    - Click Start, then Run
    - Type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

Fcopy::
c:\winlogon.exe|c:\windows\system32\winlogon.exe
c:\explorer.exe|c:\windows\explorer.exe

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
    - Combofix.txt
    - A new OTListit log.

OMG…
I used a different version of Windows to replace “explorer.exe” and “winlogon.exe” --a
mine is Windows XP SP3 and the other is Windows 7
now my laptop keeps rebooting…
so?? is there another way to fix it?
or must I reinstall Windows??

http://cid-32d8666f4048075b.office.live.com/self.aspx/Malware%20files/winlogon.exe
http://cid-32d8666f4048075b.office.live.com/self.aspx/Malware%20files/EXPLORER.EXE

Download the above two files to your C drive then run the CFScript as previously posted

the problem is…
I can't log on to my computer…
it always reboots…
…how can I fix the problem??
sorry… I'm not an expert at this… --a

and it has a blue screen with it…
here's the notice…
“Stop:c000021a {Fatal Error}
The windows logon process system process terminated unexpectedly with a status of 0xc0000139 (0x00000000 0x00000000).
the system has been shut down”

so can anyone help me??
or must I reinstall it?? --a

Can you get to safe mode? If so let me know as we will need to work from there. By using the wrong version of winlogon it will not work properly

Also if you have a disc we can do a repair install
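
The boot failure above followed from copying Windows 7 system files onto Windows XP SP3. As an added example (not part of the original thread and not code from OTL or ComboFix), this sketch reads the PE header of a candidate replacement file and lists why it does not fit the target system; the function names and the constructed sample headers are assumptions for illustration, with NT 5.1 standing for Windows XP and NT 6.1 for Windows 7.

```python
import struct

X86, X64 = 0x014C, 0x8664          # IMAGE_FILE_MACHINE_I386 / AMD64

def pe_target(data: bytes):
    """Return (machine, (os_major, os_minor), (subsys_major, subsys_minor))."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    opt = coff + 20                 # optional header follows the 20-byte COFF header
    if len(data) < opt + 52:
        raise ValueError("truncated optional header")
    (machine,) = struct.unpack_from("<H", data, coff)
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B): # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # Version fields sit at the same offsets (40..51) in PE32 and PE32+.
    v = struct.unpack_from("<6H", data, opt + 40)
    return machine, (v[0], v[1]), (v[4], v[5])

def replacement_problems(data, machine=X86, os_ver=(5, 1)):
    """Reasons the file should not replace a system binary on the target."""
    got_machine, got_os, got_ss = pe_target(data)
    problems = []
    if got_machine != machine:
        problems.append(f"machine 0x{got_machine:04x}, target 0x{machine:04x}")
    if got_os != os_ver:
        problems.append(f"built for NT {got_os[0]}.{got_os[1]}, target NT {os_ver[0]}.{os_ver[1]}")
    if got_ss > os_ver:
        problems.append(f"requires subsystem {got_ss[0]}.{got_ss[1]}")
    return problems

def sample_header(machine, ver, magic=0x10B):
    """Constructed sample: PE headers only, no real code or data."""
    buf = bytearray(0x200)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)      # e_lfanew -> PE header at 0x80
    buf[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x84, machine)
    struct.pack_into("<H", buf, 0x98, magic)     # optional header at 0x84 + 20
    struct.pack_into("<6H", buf, 0x98 + 40, ver[0], ver[1], 0, 0, ver[0], ver[1])
    return bytes(buf)

if __name__ == "__main__":
    for name, hdr in [("XP copy", sample_header(X86, (5, 1))),
                      ("Windows 7 copy", sample_header(X86, (6, 1)))]:
        print(name, "->", replacement_problems(hdr) or "header matches target")
```

Matching header fields are necessary, not sufficient: they say nothing about the service pack level or whether the file itself is clean.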

no… I can't…
it's always stuck with that blue screen and fatal error thing…
what disc? Windows disc? no, I don't have it… --a

Please print these instructions out so that you know what you are doing

File details OTLPEStd.exe
Bytes=97,702,766
MB=93.1
MD5=FC1A07D156DE710955032B1CF7891671

- Download OTLPEStd.exe to your desktop
- Ensure that you have a blank CD in the drive
- Double click OTLPEStd.exe and this will then open imgburn to burn the file to CD

- Reboot your system using the boot CD you just created.
  Note: If you do not know how to set your computer to boot from CD follow the steps here
- As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads :slight_smile:

- Your system should now display a Reatogo desktop.
  Note: as you are running from CD it is not exactly speedy
- Double-click on the OTLPE icon.
- Select the Windows folder of the infected drive if it asks for a location
- When asked “Do you wish to load the remote registry”, select Yes
- When asked “Do you wish to load remote user profile(s) for scanning”, select Yes
- Ensure the box “Automatically Load All Remaining Users” is checked and press OK
- OTL should now start.
- Drag and drop this attached scan.txt into the Custom scans and fixes box
- Press Run Scan to start the scan.
- When finished, the file will be saved in drive C:\OTL.txt
- Copy this file to your USB drive if you do not have internet connection on this system.
- Right click the file and select send to : select the USB drive.
- Confirm that it has copied to the USB drive by selecting it
- You can backup any files that you wish from this OS
- Please post the contents of the C:\OTL.txt file in your reply.