win32:bamital-af


This topic is locked

#1 den01 (Member, 201 posts)
Hi,
Would you please help me with this:
I have my daughter's laptop (Packard Bell) which is corrupted with win32:bamital-af (as Avast says).
I am able to boot the laptop and (when XP is up) it shows that trayapp.msi wants to install, and I am able to shut this through Ctrl-Alt-Del.
Also, no program wants to open (browsers, Word...) and Windows Installer is corrupted as well, along with winlog.
The laptop itself has the XP OEM version.

Would you please advise me what to do to sort this out. Thank you.

On an additional note: I do not have the Packard Bell CD; however, I have my retail XP Pro, and one other OEM XP SP3. I was thinking even to repair XP, but I am not sure I can do that with these CDs, as I am not sure I will be able to activate XP with the Packard Bell OEM XP sticker, as the CDs are obviously not the same version as the preinstalled XP version. (And in addition: XP Updates shows SP3 as an update, but it's not possible to install it as the installer is corrupted.)

I am on my other laptop, and i will be able to act immediately on your advice.

Thank you very much
D

#2 den01 (Topic Starter, Member, 201 posts)
I was just checking some bits (as well as previous posts related to this issue) and realised that it seems I am not able to run any file as administrator. I presume this will also help you to assist me on what to do.
Thanks

#3 den01 (Topic Starter, Member, 201 posts)
Also, I have just realised that when you want to shut down the laptop, kservice.exe is shown as an error...
Is there any way to repair this by cleaning...
or is it safe to do an XP repair with the CDs I've got?

#4 den01 (Topic Starter, Member, 201 posts)
Anyone please...

#5 den01 (Topic Starter, Member, 201 posts)
I understand you guys are busy before Xmas, but would you just quickly advise me where I should start here...
Thank you

#6 azarl (GeekU Admin, Community Leader, 25,310 posts)
Hi

Welcome to Geekstogo. I'll be helping you with this problem.

  • Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. If there's anything you don't understand or isn't totally clear, please come back to me for clarification.

  • Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.

If it is a Bamital infection that you have, it may require a reinstall, but let's look first.

ComboFix
Download ComboFix from one of these locations:

Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Antivirus and Antispyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#7 den01 (Topic Starter, Member, 201 posts)
Thank you very much for your reply.
I will be home in about 1 hour, and will immediately do as you are advising me to do.
Thank you once more. I will be here in 1h.
Rgds.
Den

#8 den01 (Topic Starter, Member, 201 posts)
Hi Azarl,
I am in front of the Packard Bell and have already started working on your instructions.
ComboFix is running right now, although I had to download it through my laptop (the one I'm on now) as all browsers are unusable on the Packard Bell.
Will post the log file shortly.
Thank you for having the time for me in this festive season.
Rgds.
Den

#9 den01 (Topic Starter, Member, 201 posts)
Hi Azarl,
ComboFix was working...
It didn't ask anything about the Recovery Console (it only updated the ComboFix definitions)...
The scan started, went all the way to "something 50", and tried to fix the corrupted winlog, and it seems it didn't clean it...
For Internet Explorer it said it's fixed...
Then it deleted some "oem-inf or ini" and rebooted the laptop...
Now the reboot started and it's a BSOD with the message:
"STOP: c000021a {fatal system error}
The Windows logon process system process terminated unexpectedly with a status of 0xc0000005 (0x00000000 0x00000000).
The system has been shut down."

I will wait for further instructions...

#10 azarl (GeekU Admin, Community Leader, 25,310 posts)
Have you the ComboFix log please?

#11 den01 (Topic Starter, Member, 201 posts)
Unfortunately, there is no ComboFix.txt here: C:\ComboFix.txt

#12 den01 (Topic Starter, Member, 201 posts)
This is the only combofix.txt and it was in c:combofix/combofix.txt

ComboFix 10-12-26.01 - Louise J 27/12/2010 14:36:46.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.895.530 [GMT 0:00]
Running from: C:\Documents and Settings\Louise J\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

#13 azarl (GeekU Admin, Community Leader, 25,310 posts)
Try c:\qoobox\

#14 den01 (Topic Starter, Member, 201 posts)
Azarl, there are 2 ComboFix txt files, one ComboFix2.txt and the other ComboFix3.txt.
As I was about to copy them, I realised that the date is like 2 months old, and I have just called the girl, and she said that "she did some scans, as someone told her" ?!?!
In the next 2 posts I will paste both txt files.

#15 den01 (Topic Starter, Member, 201 posts)
From ComboFix2.txt:


ComboFix 10-10-31.04 - Louise J 01/11/2010 14:35:09.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.895.368 [GMT 0:00]
Running from: c:\documents and settings\Louise J\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

.
((((((((((((((((((((((((( Files Created from 2010-10-01 to 2010-11-01 )))))))))))))))))))))))))))))))
.

2010-11-01 14:31 . 2010-11-01 14:31 -------- d-sh--w- c:\documents and settings\Louise J\PrivacIE
2010-11-01 13:24 . 2010-11-01 13:24 -------- d-sh--w- c:\documents and settings\Louise J\IETldCache
2010-11-01 13:18 . 2010-11-01 13:20 -------- dc-h--w- c:\windows\ie8
2010-10-31 08:19 . 2010-10-31 08:19 -------- d-----w- c:\documents and settings\Administrator
2010-10-26 16:40 . 2010-10-26 16:40 -------- d-----w- c:\documents and settings\Louise J\Application Data\Ibikib
2010-10-26 10:38 . 2010-09-07 14:52 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-10-26 10:38 . 2010-09-07 14:47 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-10-26 10:38 . 2010-09-07 14:47 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-10-26 10:38 . 2010-09-07 14:52 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-10-26 10:38 . 2010-09-07 14:47 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-10-26 10:38 . 2010-09-07 14:47 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-10-26 10:38 . 2010-09-07 14:46 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-10-26 10:38 . 2010-09-07 15:12 38848 ----a-w- c:\windows\avastSS.scr
2010-10-26 10:38 . 2010-09-07 15:11 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-10-26 10:37 . 2010-10-26 10:37 -------- d-----w- c:\program files\Alwil Software
2010-10-26 10:37 . 2010-10-26 10:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-10-25 13:55 . 2010-10-26 11:33 -------- d-----w- c:\documents and settings\Louise J\Application Data\Wiigi
2010-10-24 21:53 . 2010-10-24 21:53 -------- d-----w- c:\documents and settings\Louise J\Application Data\Etuxut
2010-10-24 10:56 . 2010-10-26 17:49 -------- d-----w- c:\documents and settings\Louise J\Application Data\Roobu
2010-10-24 10:56 . 2010-10-24 10:56 -------- d-----w- c:\documents and settings\Louise J\Application Data\Lobeyc
2010-10-23 09:23 . 2010-10-23 09:23 -------- d-----w- c:\documents and settings\Louise J\Application Data\Sano
2010-10-22 22:40 . 2010-10-22 22:40 -------- d-----w- c:\documents and settings\Louise J\Application Data\Cutiy
2010-10-20 20:49 . 2010-10-20 20:49 93184 ----a-w- c:\windows\system32\unthfs.dll
2010-10-15 09:59 . 2010-10-15 09:59 -------- d-----w- c:\program files\intel
2010-10-14 13:20 . 2010-10-22 13:02 -------- d-----w- c:\program files\win
2010-10-13 14:19 . 2010-10-21 10:11 -------- d-----w- c:\program files\temp
2010-10-12 18:00 . 2010-10-12 18:00 -------- d-----w- c:\program files\system
2010-10-12 08:43 . 2010-10-26 23:30 -------- d-----w- c:\program files\tmp
2010-10-12 08:43 . 2010-10-26 18:29 -------- d-----w- c:\program files\Microsoft
2010-10-05 12:41 . 2010-10-05 12:41 5061 ----a-w- c:\windows\atipujilil.dll
2010-10-05 11:16 . 2010-10-05 11:16 5021 ----a-w- c:\windows\igahohil.dll
2010-10-04 20:34 . 2010-10-04 20:34 5065 ----a-w- c:\windows\uzulukel.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

------- Sigcheck -------

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
[-] 2004-08-04 13:00 . !HASH: COULD NOT OPEN FILE !!!!! . 502272 . . [------] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\explorer.exe
[-] 2007-06-13 11:26 . 308E5CC1348A74D1A5E19E44AC371AC1 . 1033216 . . [------] . . c:\windows\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmpcSys"="c:\apps\SMP\SmpSys.exe" [2005-11-17 975360]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-03-10 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-03-10 688218]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-04-27 7561216]
"nwiz"="nwiz.exe" [2006-04-27 1519616]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-01 16208384]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-05 136600]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2008-04-02 136512]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 147514]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"avast5"="c:\program files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 2838912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\APPS\\skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [26/10/2010 10:38 165584]
R1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [14/10/2006 11:41 58464]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [26/10/2010 10:38 17744]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en
uInternet Settings,ProxyServer = hxxp://wwwcache.bris.ac.uk:8080
uInternet Settings,ProxyOverride = ;*.local;<local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: unthfs.dll
FF - ProfilePath - c:\documents and settings\Louise J\Application Data\Mozilla\Firefox\Profiles\2w0v2hf2.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/ig?hl=en&source=iglk
FF - prefs.js: network.proxy.type - 2
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-01 14:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(856)
c:\windows\system32\unthfs.dll
c:\windows\system32\EntApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\apps\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\Network Associates\VirusScan\mcshield.exe
c:\program files\Network Associates\VirusScan\vstskmgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\RTHDCPL.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2010-11-01 14:55:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-01 14:55
ComboFix2.txt 2010-11-01 12:48

Pre-Run: 21,630,472,192 bytes free
Post-Run: 21,607,137,280 bytes free

- - End Of File - - 2EBB9441ECA69BCE4D2EB7ABC59AA543
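The Sigcheck, LSP and per-process DLL sections of the log above are where this infection shows itself: ComboFix could not hash the live winlogon.exe, c:\windows\explorer.exe is the same size as the $hf_mig$ copy but has a different MD5 and no version information, and unthfs.dll is both a Winsock LSP and loaded inside lsass.exe. The Python script below is an added example, not ComboFix's code or anything posted in this thread; it parses a constructed excerpt copied from the posted log and flags those patterns. The section markers and field layout it expects are taken from the log as posted, while the heuristics (unreadable hash, same-size sibling with a different hash and an empty version field, an LSP DLL present in a running process, user.js turning security warnings off) are my own assumptions about what deserves a second look, not ComboFix's internal rules.

```python
import re
from collections import defaultdict

# Constructed excerpt modelled on the ComboFix2.txt posted in this thread:
# paths, hashes, sizes and version strings are copied from the post, the
# sections in between are trimmed so the sample stays short.
SAMPLE_LOG = r"""
------- Sigcheck -------

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
[-] 2004-08-04 13:00 . !HASH: COULD NOT OPEN FILE !!!!! . 502272 . . [------] . . c:\windows\system32\winlogon.exe

[-] 2007-06-13 11:26 . 308E5CC1348A74D1A5E19E44AC371AC1 . 1033216 . . [------] . . c:\windows\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en
LSP: unthfs.dll
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_viewing_mixed - false
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(856)
c:\windows\system32\unthfs.dll
c:\windows\system32\EntApi.dll
"""

# One Sigcheck row: [flag] date . md5-or-error . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}(?: \d{2}:\d{2})?)\s+\.\s+"
    r"(?P<hash>.+?)\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*)$"
)
PROCESS_RE = re.compile(r"^(?:- )+> '(?P<proc>[^']+)'\((?P<pid>\d+)\)")
LSP_RE = re.compile(r"^LSP:\s+(?P<dll>\S+)")
USERJS_RE = re.compile(r"^FF - user\.js:\s+(?P<pref>\S+)\s+-\s+(?P<value>\S+)")


def basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_combofix(text):
    """Pull the Sigcheck, LSP, user.js and per-process DLL entries out of a log."""
    out = {"sigcheck": [], "lsp": [], "userjs": {}, "process_dlls": defaultdict(list)}
    section, process = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("---") and "Sigcheck" in line:
            section = "sigcheck"
        elif "Supplementary Scan" in line:
            section = "supplementary"
        elif "DLLs Loaded Under Running Processes" in line:
            section = "dlls"
        elif section == "sigcheck":
            if m := SIGCHECK_RE.match(line):
                entry = m.groupdict()
                entry["size"] = int(entry["size"])
                out["sigcheck"].append(entry)
        elif section == "supplementary":
            if m := LSP_RE.match(line):
                out["lsp"].append(m.group("dll").lower())
            elif m := USERJS_RE.match(line):
                out["userjs"][m.group("pref")] = m.group("value")
        elif section == "dlls":
            if m := PROCESS_RE.match(line):
                process = f"{m.group('proc')}({m.group('pid')})"
            elif process and line.lower().endswith(".dll"):
                out["process_dlls"][process].append(line)
    return out


def analyse(text):
    """Return a list of (category, detail) findings worth a second look."""
    parsed = parse_combofix(text)
    findings = []
    # Group Sigcheck rows by file name so the live system file can be compared
    # with the cached copies ($hf_mig$, SoftwareDistribution) ComboFix also hashed.
    by_name = defaultdict(list)
    for entry in parsed["sigcheck"]:
        by_name[basename(entry["path"])].append(entry)
    for copies in by_name.values():
        for entry in copies:
            if entry["hash"].startswith("!HASH"):
                findings.append(("unreadable", f"{entry['path']}: ComboFix could not open or hash the file"))
            elif not entry["version"].strip("-"):
                # No version resource, yet a same-size sibling with a different MD5:
                # consistent with a file that was patched in place.
                twins = [c for c in copies if c is not entry
                         and c["size"] == entry["size"] and c["hash"] != entry["hash"]]
                if twins:
                    findings.append(("patched", f"{entry['path']}: no version info, same size as "
                                                f"{twins[0]['path']} but different MD5"))
    # A Winsock LSP is loaded into every process that uses Winsock, which is why
    # it also turns up under lsass.exe; report the LSP and each process carrying it.
    for dll in parsed["lsp"]:
        findings.append(("lsp", f"{dll} is registered as a Winsock Layered Service Provider"))
        for proc, dlls in parsed["process_dlls"].items():
            if any(basename(p) == dll for p in dlls):
                findings.append(("lsp_loaded", f"{dll} is loaded inside {proc}"))
    # user.js overrides that silence the browser's own insecure-content warnings.
    for pref, value in parsed["userjs"].items():
        if pref.startswith("security.warn_") and value == "false":
            findings.append(("browser_policy", f"user.js sets {pref} to false"))
    return findings


if __name__ == "__main__":
    for category, detail in analyse(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Run it as-is to see the six findings for the excerpt, or pass the text of a real ComboFix log to analyse(). The size-and-hash comparison only works because ComboFix lists the hotfix cache and Windows Update download copies next to the live file; when no sibling copy exists the script stays silent rather than guessing.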