how to remove win32: Bamital A O in winlogon.

November 28, 2010 at 06:40:45
Specs: Windows XP, Core Duo 3 GHz / 4 GB
Hi, I somehow got this annoying virus. I've tried everything to remove it: ComboFix doesn't work, and neither does Avast. It seems to have infected both winlogon and explorer. I've run multiple scans and it comes out the same; the boot scan tells me that the file is read-only and cannot be repaired, deleted or moved to the chest. I'm at my wits' end with this, as there seems to be no way to remove it. I would appreciate any help I can get to remove this. The virus name I get is win32 Bamital A O, identified by Avast Internet Security.

My last ComboFix log:
ComboFix 10-11-27.01 - metalman 11/28/2010 7:27:08.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1126 [GMT -5:00]
Running from: C:\Documents and Settings\metalman.HOME-590B3A0478\My Documents\Downloads\ComboFix.exe
Command switches used :: remove
AV: avast! Internet Security *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *disabled* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Metalman\.COMMgr
C:\Install.exe
C:\Program Files\filesubmit
C:\WINDOWS.0\erularej.dll
C:\WINDOWS.0\Tasks\At10.job
C:\WINDOWS.0\Tasks\At11.job
C:\WINDOWS.0\Tasks\At12.job
C:\WINDOWS.0\Tasks\At13.job
C:\WINDOWS.0\Tasks\At14.job
C:\WINDOWS.0\Tasks\At15.job
C:\WINDOWS.0\Tasks\At16.job
C:\WINDOWS.0\Tasks\At17.job
C:\WINDOWS.0\Tasks\At18.job
C:\WINDOWS.0\Tasks\At19.job
C:\WINDOWS.0\Tasks\At2.job
C:\WINDOWS.0\Tasks\At20.job
C:\WINDOWS.0\Tasks\At21.job
C:\WINDOWS.0\Tasks\At22.job
C:\WINDOWS.0\Tasks\At23.job
C:\WINDOWS.0\Tasks\At24.job
C:\WINDOWS.0\Tasks\At25.job
C:\WINDOWS.0\Tasks\At26.job
C:\WINDOWS.0\Tasks\At27.job
C:\WINDOWS.0\Tasks\At28.job
C:\WINDOWS.0\Tasks\At29.job
C:\WINDOWS.0\Tasks\At3.job
C:\WINDOWS.0\Tasks\At30.job
C:\WINDOWS.0\Tasks\At31.job
C:\WINDOWS.0\Tasks\At32.job
C:\WINDOWS.0\Tasks\At33.job
C:\WINDOWS.0\Tasks\At34.job
C:\WINDOWS.0\Tasks\At35.job
C:\WINDOWS.0\Tasks\At36.job
C:\WINDOWS.0\Tasks\At37.job
C:\WINDOWS.0\Tasks\At4.job
C:\WINDOWS.0\Tasks\At5.job
C:\WINDOWS.0\Tasks\At6.job
C:\WINDOWS.0\Tasks\At7.job
C:\WINDOWS.0\Tasks\At8.job
C:\WINDOWS.0\Tasks\At9.job

C:\WINDOWS.0\system32\winlogon.exe . . . is infected!!

C:\WINDOWS.0\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-10-28 to 2010-11-28 )))))))))))))))))))))))))))))))
.

2010-11-28 02:22:15 . 2010-11-28 02:22:15 -------- d-----w- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Codemasters
2010-11-28 02:18:08 . 2008-04-28 21:53:40 805400 ----a-r- C:\WINDOWS.0\system32\tmp84.tmp
2010-11-28 02:18:08 . 2008-04-28 21:53:40 805400 ----a-r- C:\WINDOWS.0\system32\tmp83.tmp
2010-11-28 01:21:20 . 2010-11-28 02:18:14 -------- d-----w- C:\Grid
2010-11-27 21:36:35 . 2010-11-27 21:37:56 -------- d-----w- C:\Documents and Settings\Administrator.HOME-590B3A0478.000
2010-11-26 22:25:46 . 2010-11-28 06:29:02 0 ----a-w- C:\WINDOWS.0\Sqevi.bin
2010-11-26 22:25:44 . 2010-11-26 22:25:44 -------- d-----w- C:\Documents and Settings\metalman.HOME-590B3A0478\Local Settings\Application Data\{75EE2750-4A04-41D8-8D26-229AF030BCFA}
2010-11-26 22:06:16 . 2010-11-26 22:06:16 -------- d-----w- C:\Documents and Settings\metalman.HOME-590B3A0478\Application Data\Ewva
2010-11-26 22:06:15 . 2010-11-27 13:53:13 -------- d-----w- C:\Documents and Settings\metalman.HOME-590B3A0478\Application Data\Xaepwy
2010-11-26 22:05:39 . 2010-11-26 22:05:39 470528 --sh--w- C:\WINDOWS.0\system32\regcap.dll
2010-11-26 22:05:34 . 2010-11-26 22:05:33 54272 --sh--w- C:\WINDOWS.0\system32\mapiprov32.dll
2010-11-26 05:48:28 . 2010-11-26 05:48:28 -------- d-----w- C:\Program Files\Pro Pinball
2010-11-25 23:58:08 . 2010-11-25 23:58:08 -------- d-----w- C:\Program Files\TopWare
2010-11-25 23:55:41 . 2010-11-25 23:55:41 -------- d--h--w- C:\WINDOWS.0\PIF
2010-11-20 04:02:24 . 2010-11-20 04:02:24 -------- d-----w- C:\Program Files\EA Games
2010-11-20 03:21:21 . 2010-11-20 03:21:21 -------- d-----w- C:\Documents and Settings\METALM~1~HOM
2010-11-20 03:19:14 . 1998-10-29 21:45:06 306688 ----a-w- C:\WINDOWS.0\IsUninst.exe
2010-11-20 01:04:04 . 2010-11-20 01:13:26 -------- d-----w- C:\WINDOWS.0.0
2010-11-20 01:04:03 . 2010-11-20 01:04:03 -------- d-----w- C:\Documents and Settings\metalman.HOME-590B3A0478\WINDOWS
2010-11-18 06:31:30 . 2010-11-18 06:50:12 -------- d-----w- C:\Fraps
2010-11-17 19:17:33 . 2010-11-17 19:17:33 -------- d-----w- C:\Program Files\Common Files\Futuremark Shared
2010-11-17 19:16:50 . 2010-11-17 19:16:50 -------- d-----w- C:\Program Files\Futuremark
2010-11-17 19:08:55 . 2010-10-16 18:55:00 888424 ----a-w- C:\WINDOWS.0\system32\nvdispco32.dll
2010-11-17 19:08:55 . 2010-10-16 18:55:00 813672 ----a-w- C:\WINDOWS.0\system32\nvgenco32.dll
2010-11-17 19:08:55 . 2010-10-16 18:55:00 4882432 ----a-w- C:\WINDOWS.0\system32\nvcuda.dll
2010-11-17 19:08:55 . 2010-10-16 18:55:00 14532608 ----a-w- C:\WINDOWS.0\system32\nvoglnt.dll
2010-11-17 19:08:53 . 2010-10-16 18:55:00 1462272 ----a-w- C:\WINDOWS.0\system32\nvapi.dll
2010-11-17 19:06:01 . 2010-10-16 18:55:00 6359552 -c--a-w- C:\WINDOWS.0\system32\dllcache\nv4_disp.dll
2010-11-17 19:06:01 . 2010-10-16 18:55:00 6359552 ----a-w- C:\WINDOWS.0\system32\nv4_disp.dll
2010-11-17 18:49:14 . 2010-10-16 18:55:00 9623680 -c--a-w- C:\WINDOWS.0\system32\dllcache\nv4_mini.sys
2010-11-17 18:49:14 . 2010-10-16 18:55:00 9623680 ----a-w- C:\WINDOWS.0\system32\drivers\nv4_mini.sys
2010-11-17 18:21:55 . 2010-11-17 18:21:55 -------- d-----w- C:\Program Files\Phyxion.net
2010-11-17 17:38:19 . 2010-11-17 17:38:19 -------- d-----w- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Electronic Arts
2010-11-17 17:38:19 . 2010-11-17 17:38:19 -------- d-----w- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\EA Core
2010-11-17 05:20:04 . 2010-11-17 07:29:14 -------- d-----w- C:\Crysis
2010-11-15 07:57:11 . 2010-11-15 07:57:11 -------- d-----w- C:\Documents and Settings\metalman.HOME-590B3A0478\Local Settings\Application Data\Aston2
2010-11-15 07:57:10 . 2010-11-15 08:01:10 -------- d-----w- C:\Documents and Settings\metalman.HOME-590B3A0478\Application Data\Aston2
2010-11-15 07:57:04 . 2010-11-15 07:59:06 -------- d-----r- C:\Program Files\Aston2
2010-11-14 05:47:14 . 2010-11-14 05:47:14 -------- d-----w- C:\Program Files\SystemRequirementsLab
2010-11-14 05:47:02 . 2010-11-14 05:47:02 -------- d-----w- C:\Documents and Settings\metalman.HOME-590B3A0478\Application Data\SystemRequirementsLab
2010-11-14 04:36:08 . 2010-11-14 04:36:08 -------- d-----w- C:\Documents and Settings\metalman.HOME-590B3A0478\Local Settings\Application Data\Activision
2010-11-13 19:43:36 . 2010-11-14 09:14:04 -------- d-----w- C:\Program Files\Fantastic Flame Screensaver
2010-11-13 19:43:20 . 2010-11-13 19:43:20 -------- d-----w- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Laconic Software
2010-11-13 03:57:36 . 2010-11-13 04:37:25 -------- d-----w- C:\feeding frenzy 2 deluxe
2010-11-12 22:23:51 . 2010-11-13 19:56:05 -------- d-----w- C:\Program Files\Free Fire Screensaver
2010-11-12 07:48:18 . 2010-09-07 14:52:03 165584 ----a-w- C:\WINDOWS.0\system32\drivers\aswSP.sys
2010-11-12 07:48:18 . 2010-09-07 14:47:07 17744 ----a-w- C:\WINDOWS.0\system32\drivers\aswFsBlk.sys
2010-11-12 07:48:17 . 2010-09-07 14:53:58 340048 ----a-w- C:\WINDOWS.0\system32\drivers\aswSnx.sys
2010-11-12 07:48:16 . 2010-09-07 14:54:16 99792 ----a-w- C:\WINDOWS.0\system32\drivers\aswFW.sys
2010-11-12 07:47:28 . 2010-09-07 14:53:35 190416 ----a-w- C:\WINDOWS.0\system32\drivers\aswNdis2.sys
2010-11-12 07:47:28 . 2010-09-07 14:47:46 23376 ----a-w- C:\WINDOWS.0\system32\drivers\aswRdr.sys
2010-11-12 07:47:27 . 2010-09-07 14:52:25 46672 ----a-w- C:\WINDOWS.0\system32\drivers\aswTdi.sys
2010-11-12 07:47:26 . 2010-09-07 14:47:19 100176 ----a-w- C:\WINDOWS.0\system32\drivers\aswmon2.sys
2010-11-12 07:47:26 . 2010-09-07 14:47:16 94544 ----a-w- C:\WINDOWS.0\system32\drivers\aswmon.sys
2010-11-12 07:47:26 . 2010-09-07 14:46:51 28880 ----a-w- C:\WINDOWS.0\system32\drivers\aavmker4.sys
2010-11-12 07:47:08 . 2010-09-07 15:12:17 38848 ----a-w- C:\WINDOWS.0\avastSS.scr
2010-11-12 07:47:08 . 2010-09-07 15:11:54 167592 ----a-w- C:\WINDOWS.0\system32\aswBoot.exe
2010-11-12 07:47:08 . 2010-09-07 14:24:46 12112 ----a-w- C:\WINDOWS.0\system32\drivers\aswNdis.sys
2010-11-12 07:46:57 . 2010-11-12 07:46:57 -------- d-----w- C:\Program Files\Alwil Software
2010-11-12 07:46:57 . 2010-11-12 07:46:57 -------- d-----w- C:\Documents and Settings\All Users.WINDOWS.0\Application Data\Alwil Software
2010-11-12 07:11:36 . 2010-11-12 07:11:36 4526 ----a-w- C:\WINDOWS.0\system32\PerfStringBackup.TMP
2010-11-12 07:00:51 . 2010-11-12 07:00:51 -------- d-----w- C:\WINDOWS.0\system32\wbem\Repository
2010-11-03 22:34:10 . 2010-11-04 02:26:00 -------- d-----w- C:\Documents and Settings\metalman.HOME-590B3A0478\Application Data\FrostWire
2010-11-03 22:33:22 . 2010-11-12 06:46:30 -------- d-----w- C:\Program Files\FrostWire
2010-10-29 23:24:10 . 2010-10-29 23:24:12 -------- d-----w- C:\Documents and Settings\metalman.HOME-590B3A0478\Local Settings\Application Data\Ares
2010-10-29 23:24:03 . 2010-11-12 06:49:34 -------- d-----w- C:\Program Files\Ares
2010-10-29 17:05:45 . 2010-11-19 21:58:42 241572 ----a-w- C:\WINDOWS.0\system32\nvdrsdb0.bin
2010-10-29 17:05:41 . 2010-11-19 21:58:42 241572 ----a-w- C:\WINDOWS.0\system32\nvdrsdb1.bin
2010-10-29 17:05:41 . 2010-11-19 21:58:42 1 ----a-w- C:\WINDOWS.0\system32\nvdrssel.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-28 02:18:08 . 2003-11-07 12:28:56 444952 ----a-w- C:\WINDOWS.0\system32\wrap_oal.dll
2010-11-28 02:18:08 . 2003-11-07 12:28:56 109080 ----a-w- C:\WINDOWS.0\system32\OpenAL32.dll
2010-11-20 00:45:21 . 2004-07-17 11:36:38 12464 ----a-w- C:\WINDOWS.0\system32\drivers\secdrv.sys
2010-10-16 18:55:00 . 2010-10-19 06:50:29 61440 ----a-w- C:\WINDOWS.0\system32\OpenCL.dll
2010-10-16 18:55:00 . 2010-10-19 06:50:22 13012992 ----a-w- C:\WINDOWS.0\system32\nvcompiler.dll
2010-10-16 18:55:00 . 2009-09-27 20:12:22 2932840 ----a-w- C:\WINDOWS.0\system32\nvcuvid.dll
2010-10-16 18:55:00 . 2009-09-27 20:12:22 2666600 ----a-w- C:\WINDOWS.0\system32\nvcuvenc.dll
2010-10-16 17:04:22 . 2010-10-16 17:04:22 81920 ----a-w- C:\WINDOWS.0\system32\nvwddi.dll
2010-10-16 17:04:16 . 2010-10-16 17:04:16 277608 ----a-w- C:\WINDOWS.0\system32\nvmccs.dll
2010-10-16 17:04:16 . 2010-10-16 17:04:16 13851752 ----a-w- C:\WINDOWS.0\system32\nvcpl.dll
2010-10-16 17:04:16 . 2010-10-16 17:04:16 110696 ----a-w- C:\WINDOWS.0\system32\nvmctray.dll
2010-10-16 17:04:14 . 2010-10-16 17:04:14 156776 ----a-w- C:\WINDOWS.0\system32\nvsvc32.exe
2010-10-16 17:04:14 . 2010-10-16 17:04:14 145000 ----a-w- C:\WINDOWS.0\system32\nvcolor.exe
2010-10-05 22:11:48 . 2010-10-19 06:44:01 359016 ----a-w- C:\WINDOWS.0\vncutil.exe
2010-10-05 22:11:48 . 2009-10-27 02:02:42 891496 ----a-w- C:\WINDOWS.0\system32\RTSndMgr.CPL
2010-10-05 22:11:48 . 2009-10-27 02:02:42 84584 ----a-w- C:\WINDOWS.0\SOUNDMAN.EXE
2010-10-05 22:11:48 . 2009-10-27 02:02:42 1833576 ----a-w- C:\WINDOWS.0\SkyTel.exe
2010-10-05 22:11:36 . 2009-10-27 02:02:42 9721960 ----a-w- C:\WINDOWS.0\RTLCPL.EXE
2010-10-05 22:11:36 . 2009-10-27 02:02:42 1489512 ----a-w- C:\WINDOWS.0\RtlUpd.exe
2010-10-05 22:11:24 . 2009-10-27 02:02:42 6164584 ----a-w- C:\WINDOWS.0\system32\drivers\RtkHDAud.sys
2010-10-05 22:11:12 . 2010-10-19 06:43:58 54888 ----a-w- C:\WINDOWS.0\system32\RtkCoInstXP.dll
2010-10-05 22:11:12 . 2010-10-19 06:43:58 129640 ----a-w- C:\WINDOWS.0\RtkAudioService.exe
2010-10-05 22:11:12 . 2009-10-27 02:02:41 19580520 ----a-w- C:\WINDOWS.0\RTHDCPL.EXE
2010-10-05 22:10:50 . 2009-10-27 02:02:41 2180712 ----a-w- C:\WINDOWS.0\MicCal.exe
2010-10-05 22:10:38 . 2009-10-27 02:02:41 64104 ----a-w- C:\WINDOWS.0\ALCMTR.EXE
2010-10-05 22:10:38 . 2009-10-27 02:02:41 285288 ----a-w- C:\WINDOWS.0\system32\ALSNDMGR.CPL
2010-10-05 22:10:38 . 2009-10-27 02:02:41 2815592 ----a-w- C:\WINDOWS.0\ALCWZRD.EXE
2010-09-29 17:11:02 . 2010-04-11 03:06:48 1251944 ----a-w- C:\WINDOWS.0\RtlExUpd.dll
2010-09-24 03:08:29 . 2010-09-24 03:08:56 286720 ----a-w- C:\WINDOWS.0\iun503.exe
2010-09-24 02:52:40 . 2010-09-24 02:52:40 380928 ----a-w- C:\WINDOWS.0\system32\srkey.exe
2010-09-15 16:10:20 . 2010-10-27 22:58:26 1700352 ----a-w- C:\WINDOWS.0\system32\GdiPlus.dll
2010-09-15 16:10:18 . 2010-10-27 22:58:26 24576 ----a-w- C:\WINDOWS.0\system32\msxml3a.dll
2010-09-11 05:06:38 . 2010-09-05 18:02:55 107888 ----a-w- C:\WINDOWS.0\system32\CmdLineExt.dll
2008-03-09 12:25:10 . 2010-03-25 00:10:01 236 ----a-w- C:\Program Files\Common Files\dx.reg
.

------- Sigcheck -------

[-] 2010-04-11 02:25:34 . 27A5959C94EE173A063CA06BD14F021A . 359040 . . [5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] . . C:\WINDOWS.0\system32\drivers\TCPIP.SYS
[-] 2010-04-11 02:25:34 . 27A5959C94EE173A063CA06BD14F021A . 359040 . . [5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] . . C:\WINDOWS.0\system32\dllcache\TCPIP.SYS

[-] 2004-08-04 00:56:58 . 0FCCAC218230DC82295C7D9E303FAEBE . 502272 . . [5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] . . C:\WINDOWS.0\system32\winlogon.exe

[-] 2004-08-04 00:56:50 . 3ACA5E699B60D6E000E484479789AAD9 . 1032192 . . [6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)] . . C:\WINDOWS.0\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\snxPluginsShell]
@="{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}"
[HKEY_CLASSES_ROOT\CLSID\{F4B3B0AA-13D1-4a36-BDA2-2055B0F3D5DE}]
2010-09-07 15:14:19 152160 ----a-w- C:\Program Files\Alwil Software\Avast5\snxPlugins.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cFosSpeed"="C:\Program Files\Topos\cFosSpeed\cFosSpeed.exe" [2009-02-11 10:33:12 876760]
"SmartDefrag"="C:\Program Files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" [2010-07-09 22:08:04 2712920]
"RTHDCPL"="RTHDCPL.EXE" [2010-10-05 22:11:12 19580520]
"avast5"="C:\Program Files\Alwil Software\Avast5\avastUI.exe" [2010-09-07 15:12:02 2838912]
"NvMediaCenter"="C:\WINDOWS.0\system32\NvMcTray.dll" [2010-10-16 17:04:16 110696]
"NvCplDaemon"="C:\WINDOWS.0\system32\NvCpl.dll" [2010-10-16 17:04:16 13851752]

C:\Documents and Settings\Metalman\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2010-9-30 503808]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Start Menu^Programs^Startup^Fantastic Flame Agent.lnk]
path=C:\Documents and Settings\All Users.WINDOWS.0\Start Menu\Programs\Startup\Fantastic Flame Agent.lnk
backup=C:\WINDOWS.0\pss\Fantastic Flame Agent.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS.0^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
backup=C:\WINDOWS.0\pss\Run Google Web Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^metalman.HOME-590B3A0478^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\metalman.HOME-590B3A0478\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS.0\pss\LimeWire On Startup.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^metalman.HOME-590B3A0478^Start Menu^Programs^Startup^Need for Speed™ Undercover Registration.lnk]
path=C:\Documents and Settings\metalman.HOME-590B3A0478\Start Menu\Programs\Startup\Need for Speed™ Undercover Registration.lnk
backup=C:\WINDOWS.0\pss\Need for Speed™ Undercover Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS.0\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 03:07:44 932288 ----a-r- C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 08:47:04 35760 ----a-w- C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 3]
2010-03-29 18:54:52 2343120 ----a-w- C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aston2]
2010-11-08 17:56:08 217088 ----a-w- C:\Program Files\Aston2\Aston2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 00:56:50 15360 ----a-w- C:\WINDOWS.0\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22:02 3739648 ----a-w- C:\Program Files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-03 22:32:00 208952 ----a-w- C:\WINDOWS.0\ime\IMJP8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-08-04 06:06:34 1667584 -c----w- C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 20:44:34 3883856 ----a-w- C:\Program Files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2010-10-16 17:04:16 13851752 ----a-w- C:\WINDOWS.0\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2010-10-16 17:04:16 110696 ----a-w- C:\WINDOWS.0\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2004-08-03 22:32:16 455168 ----a-w- C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2004-08-03 22:32:16 455168 ----a-w- C:\WINDOWS.0\system32\IME\TINTLGNT\TINTSETP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
2009-11-09 03:17:50 180224 -c--a-w- C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2010-09-02 19:15:04 13351304 ----a-r- C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2010-10-05 22:11:48 1833576 ----a-w- C:\WINDOWS.0\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 15:43:18 248040 ----a-w- C:\Program Files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-04-22 04:35:36 202256 ----a-w- C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
2010-07-06 14:01:16 2634048 ----a-w- C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherEye]
2010-09-21 22:22:20 309104 ----a-w- C:\Documents and Settings\metalman.HOME-590B3A0478\Local Settings\Application Data\TheWeatherNetwork\WeatherEye\WeatherEye.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"C:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"C:\\Program Files\\Unreal Tournament 3\\Binaries\\UT3.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R0 aswNdis;avast! Firewall NDIS Filter Service;C:\WINDOWS.0\system32\drivers\aswNdis.sys [11/12/2010 2:47:08 AM 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;C:\WINDOWS.0\system32\drivers\aswNdis2.sys [11/12/2010 2:47:28 AM 190416]
R1 aswFW;avast! TDI Firewall driver;C:\WINDOWS.0\system32\drivers\aswFW.sys [11/12/2010 2:48:16 AM 99792]
R1 aswSnx;aswSnx;C:\WINDOWS.0\system32\drivers\aswSnx.sys [11/12/2010 2:48:17 AM 340048]
R1 aswSP;aswSP;C:\WINDOWS.0\system32\drivers\aswSP.sys [11/12/2010 2:48:18 AM 165584]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS.0\system32\drivers\aswFsBlk.sys [11/12/2010 2:48:18 AM 17744]
S2 avast! Firewall;avast! Firewall;C:\Program Files\Alwil Software\Avast5\afwServ.exe [11/12/2010 2:47:08 AM 119200]
S3 Ambfilt;Ambfilt;C:\WINDOWS.0\system32\drivers\Ambfilt.sys [10/19/2010 1:43:48 AM 1691480]
S3 cpuz130;cpuz130;\??\C:\DOCUME~1\METALM~1.HOM\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> C:\DOCUME~1\METALM~1.HOM\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;C:\Program Files\Common Files\Futuremark Shared\Futuremark SystemInfo\FMSISvc.exe [11/18/2010 12:19:53 AM 128928]
S3 MobileAdapter;Mobile Adapter USB Modem and USB Serial;C:\WINDOWS.0\system32\drivers\qscnusb.sys [5/13/2010 11:45:04 PM 103552]
.
Contents of the 'Scheduled Tasks' folder

2010-11-28 C:\WINDOWS.0\Tasks\Game_Booster_Startup.job
- C:\Program Files\IObit\Game Booster 2\GameBox.exe [2010-10-26 04:06:48 . 2010-11-05 15:55:28]

2010-11-28 C:\WINDOWS.0\Tasks\RealUpgradeLogonTaskS-1-5-21-1004336348-1957994488-725345543-1003.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09:42 . 2010-02-25 02:09:42]

2010-11-28 C:\WINDOWS.0\Tasks\RealUpgradeScheduledTaskS-1-5-21-1004336348-1957994488-725345543-1003.job
- C:\Program Files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09:42 . 2010-02-25 02:09:42]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = local
IE: {{09E90109-A9AA-4980-BCEF-76F8D924E902}
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - (no file)
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-Stuvuke - C:\WINDOWS.0\erularej.dll
MSConfigStartUp-bywifi - C:\Program Files\Bywifi\bywifi.exe
MSConfigStartUp-NVIDIA nTune - C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe
MSConfigStartUp-nwiz - nwiz.exe
MSConfigStartUp-OutpostFeedBack - C:\Program Files\Agnitum\Outpost Security Suite Pro\feedback.exe
MSConfigStartUp-SpeedBitVideoAccelerator - C:\Program Files\SpeedBit Video Accelerator\VideoAccelerator.exe
MSConfigStartUp-Stuvuke - C:\WINDOWS.0\erularej.dll
MSConfigStartUp-{45704DF0-A24D-4567-A4E9-DDC5817DA92C} - C:\DOCUME~1\METALM~1.HOM\LOCALS~1\Temp\{45704DF0-A24D-4567-A4E9-DDC5817DA92C}\694.dll
AddRemove-{5A0B7BA5-4682-4273-81C2-69B17E649103} - C:\Program Files\InstallShield Installation Information\{5A0B7BA5-4682-4273-81C2-69B17E649103}\setup.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-28 07:48:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-11-28 07:52:00
ComboFix-quarantined-files.txt 2010-11-28 12:51:57

Pre-Run: 52,060,315,648 bytes free
Post-Run: 52,621,303,808 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=1 Sets=1,2,3,4
- - End Of File - - 41B778325BDB121FA1B148653CCACE78



#1
November 28, 2010 at 08:14:29
Looking in your logs, I would suggest that you look at

MSConfigStartUp-Stuvuke - C:\WINDOWS.0\erularej.dll

Usually WINDOWS.0 is a non-standard install,

unless of course there are two operating systems on your computer,
or there was a reinstall.

mike



#2
November 28, 2010 at 08:47:00
Also, the series of tasks listed as At...job is a symptom of a virus that spreads through file sharing. I would suggest researching the Conficker virus. I would also look to see how many rundll32.exe processes are running. This may have been removed through ComboFix, but that's probably the original infection.

Then look here:
http://www.symantec.com/security_re...
for Bamital.

mike


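As an added example (not from the original posts and not ComboFix's own code), the following Python script pulls the indicators raised in replies #1 and #2 out of a ComboFix log: the run of AtN.job scheduled tasks, the "is infected!!" lines, the Sigcheck rows, and autostart entries such as Stuvuke that load a DLL from the Windows root. The sample log is a constructed excerpt of the one posted above; the AtN.job threshold and the reading of the Sigcheck `[-]` marker are assumptions.

```python
# Added triage example for the ComboFix log quoted in this thread; not ComboFix's code.
# Heuristics only: every finding needs confirming against the real files and tasks.
import re

# Constructed excerpt of the log posted above; a full log parses the same way.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS.0\erularej.dll
C:\WINDOWS.0\Tasks\At10.job
C:\WINDOWS.0\Tasks\At11.job
C:\WINDOWS.0\Tasks\At2.job
C:\WINDOWS.0\Tasks\At3.job
C:\WINDOWS.0\system32\winlogon.exe . . . is infected!!
C:\WINDOWS.0\explorer.exe . . . is infected!!
------- Sigcheck -------
[-] 2004-08-04 00:56:58 . 0FCCAC218230DC82295C7D9E303FAEBE . 502272 . . [5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)] . . C:\WINDOWS.0\system32\winlogon.exe
[-] 2004-08-04 00:56:50 . 3ACA5E699B60D6E000E484479789AAD9 . 1032192 . . [6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)] . . C:\WINDOWS.0\explorer.exe
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Stuvuke - C:\WINDOWS.0\erularej.dll
MSConfigStartUp-Stuvuke - C:\WINDOWS.0\erularej.dll
MSConfigStartUp-nwiz - nwiz.exe
"""

# Conficker-style scheduled tasks created with at.exe: ...\Tasks\At<N>.job
AT_JOB_RE = re.compile(r"\\Tasks\\At(\d+)\.job$", re.IGNORECASE)
# ComboFix's marker for a file it could not simply delete
INFECTED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \. \. \. is infected!!$")
# Sigcheck rows: [flag] date time . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\] .* \. (?P<md5>[0-9A-Fa-f]{32}) \. (?P<size>\d+) \. \. "
    r"\[(?P<ver>[^\]]*)\] \. \. (?P<path>[A-Za-z]:\\.+)$")
# Autostart entries in the ORPHANS section: HKLM-Run-<name> - <target>
AUTOSTART_RE = re.compile(r"^(?:HKLM-Run|MSConfigStartUp)-(?P<name>\S+) - (?P<target>.+)$")
# A DLL sitting directly in the Windows root (WINDOWS or WINDOWS.<n>), not in system32
WINROOT_DLL_RE = re.compile(r"^[A-Za-z]:\\WINDOWS(?:\.\d+)?\\[^\\]+\.dll$", re.IGNORECASE)


def parse_combofix(text):
    """Collect the four indicator types from a ComboFix log into one dict."""
    found = {"at_jobs": [], "infected": [], "sigcheck": [], "autostart": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = AT_JOB_RE.search(line)
        if m:
            found["at_jobs"].append(int(m.group(1)))
            continue
        m = INFECTED_RE.match(line)
        if m:
            found["infected"].append(m.group("path"))
            continue
        m = SIGCHECK_RE.match(line)
        if m:
            found["sigcheck"].append(m.groupdict())
            continue
        m = AUTOSTART_RE.match(line)
        if m:
            found["autostart"].append((m.group("name"), m.group("target")))
    return found


def triage(text, min_at_jobs=3):
    """Turn parsed indicators into findings; min_at_jobs is an assumed threshold."""
    p = parse_combofix(text)
    findings = []
    jobs = sorted(set(p["at_jobs"]))
    if len(jobs) >= min_at_jobs:  # one or two At jobs can be ordinary at.exe use
        findings.append("%d scheduled tasks named AtN.job (At%d..At%d): consistent with a "
                        "worm that reschedules itself via at.exe, e.g. Conficker; inspect "
                        "the .job contents before acting" % (len(jobs), jobs[0], jobs[-1]))
    for path in p["infected"]:
        findings.append("ComboFix reports %s as infected in place; a patched core Windows "
                        "binary needs a clean copy, not just quarantine" % path)
    for e in p["sigcheck"]:
        # Assumption: [-] means the file did not match a known-good version
        findings.append("Sigcheck [%s] on %s (MD5 %s, %s bytes, version %s)"
                        % (e["flag"], e["path"], e["md5"], e["size"], e["ver"]))
    for name, target in p["autostart"]:
        if WINROOT_DLL_RE.match(target):  # e.g. Stuvuke -> C:\WINDOWS.0\erularej.dll
            findings.append("autostart '%s' loads %s from the Windows root, where "
                            "legitimate DLLs almost never live" % (name, target))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```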

#3
November 28, 2010 at 09:55:42
Yes, the WINDOWS.0 was from a reinstall. Did the Conficker test; it came up with everything normal. Checked my Task Manager; I don't even have one rundll32.exe running, whereas before I had tons. The link you provided me was for Symantec software, of which I have none. I really want to get rid of this crap on my computer. Any other ideas??


#4
November 28, 2010 at 10:53:18
I would suggest running Malwarebytes as well. I know that you have Avast and a couple of other things too; these need to be stopped temporarily before running Malwarebytes. However, I would run this in Safe Mode, maybe even from the Command Prompt option.

I also recommend running VundoFix.

It looks like your system was partially cleaned, which is why I am having a hard time finding the actual infection.

If that doesn't work, I am still looking for manual removal options for you.

mike



#5
November 28, 2010 at 13:01:15
Right now I'm running the online ESET scanner, then I'll try running Malwarebytes. As for VundoFix, I haven't tried that yet but will. I'll post the ESET log here when it's done. I'm hoping something will work.


#6
November 28, 2010 at 13:07:06
Here's the log from ESET. Now I'm going to try VundoFix and then Malwarebytes. I hope this helps you figure out how to remove it.

C:\Documents and Settings\All Users.WINDOWS.0\Application Data\SafeReturner\Quarantine\explorer.exe.vir Win32/Bamital.EV trojan deleted - quarantined
C:\Documents and Settings\All Users.WINDOWS.0\Application Data\SafeReturner\Quarantine\winlogon.exe.vir Win32/Bamital.EV trojan deleted - quarantined
C:\Documents and Settings\metalman.HOME-590B3A0478\My Documents\Downloads\registrybooster.exe a variant of Win32/RegistryBooster application deleted - quarantined
C:\Documents and Settings\metalman.HOME-590B3A0478\My Documents\Downloads\appz\MsgPlusLive-483.exe a variant of Win32/Adware.CiDHelp application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS.0\erularej.dll.vir a variant of Win32/Cimag.EE trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_acbdk probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_asdqz probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_cyifw probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_ehbcv probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_fnpmo probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_hkftb probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_hvnex probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_jguof probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_jxlvt probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_lavnv probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_llotk probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_lmjrs probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_lwhvl probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_manjw probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_okguz probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_qpthx probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_swigz probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_uyngn probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_wckac probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_zjrne probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_zlkph probably a variant of BAT/TrojanDownloader.Agent.MWNWNCW trojan cleaned by deleting - quarantined
C:\WINDOWS.0\explorer.exe Win32/Bamital.EV trojan unable to clean
C:\WINDOWS.0\system32\winlogon.exe Win32/Bamital.EV trojan unable to clean
Operating memory Win32/Bamital.EV trojan



#7
November 28, 2010 at 13:45:05
Having trouble running Malwarebytes from the command box in Safe Mode. What do I type in to run it? I've tried a few different lines and nothing worked! What's the command line to run it?


#8
November 29, 2010 at 03:54:50
I'm away from my computer until Tues. It looks like the last scan found a few though. I'd say run Malwarebytes from regular Safe Mode.

mike



#9
January 26, 2011 at 16:51:36
You can't!!!! Even my NOD32 can't fix it!!!!!!!!
You need to download Hitman Pro 3.5 Anti-malware
and scan again.
There is an option you will see to replace these 2 files,
and you need the Windows CD.
