Heyy again…Find the attached report created by BlitzBlank after the execution and reboot…thanks
I scanned my full system with Avast and guess what…the infection on explorer.exe and winlogon.exe is CURED!!!..phew…thanks a ton man…BUT…the Bamital-AQ is still existing and now it has moved to 2 other files in C:\System Volume Information_restore… Please see the attached scanned results.
The C:\System Volume Information_restore folder is the System Restore one.
Delete old restore points or disable/enable system restore to delete the infected restore points.
Heyy…I deleted system restore points…and verified that it was 0 MB…updated my Avast virus definitions then ran a full system scan again…and the Bamital-AQ malware still exists and it is moving…now affected 3 files and also the avast update had some problems which the scan isolated them…Please see the attached scan results.
NB: I fear the malware might attack explorer.exe and winlogon.exe again, which are clean now.
I’m sorry I had a problem with the internet yesterday >:(
Excellent, Bamital has been removed. System Restore we will fix later.
Download gmer.zip from here to your Desktop
Run gmer.exe
- Click on the Rootkit/Malware tab.
- Click on Scan.
- When the scan is done, click on Copy.
Then open Notepad, right-click and choose Paste. Save this Notepad file as file1.
- Repeat this with the Autostart tab.
Save this Notepad file as file2.txt.
Attach file1 and file2 here.
Find the attached reports generated from GMER as you requested.
NB: Unknowingly, another problem which made me scratch my head is solved: my Notepad icon is back!!..Thanks
Open notepad and copy/paste the text present inside the code box below:
File::
c:\windows\system32\fopbjgzcoxnjtg.dll
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"phijwzrecye"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]
Rootkit::
c:\docume~1\ADMINI~1\LOCALS~1\Temp\mc21.tmp
Driver::
mchInjDrv
Save this as CFScript.txt to the desktop.
http://img213.imageshack.us/img213/1218/cfscript1.gif
Drag CFScript.txt into Combofix.exe. ComboFix will re-run.
When finished, it will produce a log for you.
Copy/paste the contents of the log in your next reply. (typical location: C:\ComboFix.txt)
sniper619
Do you wish to delete the hidden rude folder in root C ;D
Better cut that folder to a different partition
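After the CFScript above has run, a defender typically wants to confirm that none of the listed artifacts came back. The following PowerShell snippet is an added example, not part of the thread or of ComboFix; it checks the exact file, Run value, service key and temp file named in the script and assumes the user's temp folder is what c:\docume~1\ADMINI~1\LOCALS~1\Temp resolved to.

```powershell
# Added example: re-check the items targeted by the CFScript above.
# Paths and names are taken from the script; $env:TEMP is assumed to be the
# same folder as c:\docume~1\ADMINI~1\LOCALS~1\Temp on this machine.
$dll      = 'C:\Windows\System32\fopbjgzcoxnjtg.dll'
$tempFile = Join-Path $env:TEMP 'mc21.tmp'
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'phijwzrecye'
$svcKey   = 'HKLM:\SYSTEM\ControlSet001\Services\mchInjDrv'

$findings = @()

# Dropped DLL that the File:: section removes
if (Test-Path -LiteralPath $dll)      { $findings += "File still present: $dll" }

# Temp file that the Rootkit:: section removes
if (Test-Path -LiteralPath $tempFile) { $findings += "File still present: $tempFile" }

# Run entry that the Registry:: section deletes ("phijwzrecye"=-)
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $runValue)) {
    $findings += "Run value still present: $runKey\$runValue"
}

# Service key for the injected driver that the Registry:: and Driver:: sections remove
if (Test-Path -LiteralPath $svcKey)   { $findings += "Service key still present: $svcKey" }

if ($findings.Count -eq 0) {
    Write-Output 'Clean: none of the CFScript items were found.'
} else {
    $findings | ForEach-Object { Write-Output "REMAINS: $_" }
}
```

Run it from an elevated PowerShell prompt; any "REMAINS" line means the item survived the reboot and the ComboFix log should be re-read for that entry.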
Heyy argus…Find the attached report of ComboFix.
PS: I will move it to my HDD…lol
Are there any problems?
I think it’s ok
No man…no problems at all…just those infections detected by Avast in the last scan, they won’t move up to explorer and winlogon, will they?..
Any precautions to take for preventing future attacks, as I really don’t know how it got into the PC since the PC does not have a net connection!
Thanks a lot for your help and time man…
It is necessary to uninstall ComboFix.
Start >> Run
Combofix /Uninstall
Enter
This will reset the System Restore points, and I think that Avast will no longer detect the infection.
I suggest that you remove the GMER logs from the topic.
It tells me ‘Windows cannot find Combofix/. Make sure you typed the name correctly, then try again. To search for a file, click the Start button and then Search.’
Oops, sorry, my bad…I had typed ComboFix/ Uninstall instead of ComboFix /Uninstall (the slash mistake)…so now it’s gone…
How about GMER?
Thanks…
Yep
Remove the GMER logs from the topic.
Heyy argus…after some time I ran a full system scan and the results were unbelievable: explorer.exe and winlogon.exe are cured from that malware, thanks to you and your tools, but from the scan ONE threat was detected named Win32:Malware-gen affecting D:\System Volume Information-… …please see the scan results attached.
Any Danger?
D:\System Volume Information\ is System Restore.
See the first image
Reboot
then other image
argus, please, consider http://forum.avast.com/index.php?topic=19387.msg607589#msg607589
Sorry Tech
Don’t worry. Just a suggestion