Thank you for all of the responses. I’ll reply to this one as it asks the most questions.
I’m running XP Pro SP3
Until the trojan struck I have been running McAfee Suite, which includes a firewall as I understand it.
I have not removed McAfee.
Yes, I have MS updates enabled
- What other tools did you use?
When the trojan struck, McAfee reported that the trojan “Backdoor-DKI!env.b” had been quarantined, however it was either too late or too little because it got through. I figure that McAfee noticed just a small part of this hydra-headed thing. Initial visible symptoms were a pop-up saying “Java Update in progress” (or words to that effect) and then a blank YouTube video screen was shown. After that, the usual symptoms of these things: invented spyware alerts, all attempts to run applications were hijacked, I was routed to porn sites, and attempts to run IE or Firefox displayed a phony warning about infection and a prompt to purchase alleged spyware removal software.
I have never had this happen to me before, but I’ve seen it happen to other people. The trojan host was a car club forum that Google subsequently marked as unsafe.
McAfee support emailed me Stinger.exe which made no difference whatsoever. I noted that the build date for Stinger was March 18, 2010 – five months ago.
So, I went to the internet cafe up the street and did some research on the symptoms. In the end I used the following …
Avira
Avast!
Hitman Pro 3.5
Gmer
Malwarebytes
Windows Security Scan
Windows Defender
… each of which took a slightly different and/or informed view of the problem and reported and/or took various actions. Hitman Pro was the tool that zapped the trojan hardest and let me get back control of my PC to the point where I could run the other stuff.
After doing full system scans with all tools numerous times, I involved the McAfee Virus Team and, by remote access to my PC, they ran various tools as well. They found evidence of where the trojan had been, such as a left-over but now empty directory, however I got the impression that I now knew more about this thing than they did. I’m not at all happy with McAfee – but that’s another story.
Trojan:Win32/Bamital.A patches and redirects the following functions of the Windows Socket module, which are used by the browser, to its malicious routine so it can monitor and modify Web search queries and offer its own online advertisements.
I think you intended to list some Winsock functions?
Avast reported that a proxy server was being used with the IP address of 127.0.0.1:6522 and suggested it be repaired, which I okayed. I don’t know if Avast was successful in that so I used various DOS level net and msconfig commands to restore default network software settings. The trojan also enabled proxy server in IE and Firefox, which I manually removed.
Avast also reported that EXPLORER.EXE and WINLOGON.EXE were trojans and the suggested action was delete. I don’t know how they could be infected because I gather they are Windows protected files, and Avast was unable to delete them.
Have you run any Avast scans (Full or Boot-time scans)?
Is anything sitting in your Virus Chest? If so, please give the exact name and spelling of the name of the item (or a clear screen shot). If you have not run these scans, please do so and report back along with the above answers. Thank you.
Yes, I have Avast now running and have done both boot and full scans.
Where do I find the Virus Chest?
I can’t be sure that I have every trace of this trojan removed. I’m wondering why Avast is showing the pop-up described in my initial post only sometimes. I’m wondering if it is now a false positive?
Thanks again for all advice on this.
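The localhost proxy mentioned in the post (127.0.0.1:6522, enabled in both IE and Firefox) is the kind of setting worth checking programmatically rather than by eye, because a hijacker that rewrites search traffic only needs the browser to hand it the connection. The following is an added example, not code from the original post or from any of the tools named in it. It parses two constructed artifacts, a `.reg` export of the IE "Internet Settings" key and a Firefox `prefs.js`, and flags any proxy that points at a loopback address. The port 6522 and the file contents below are sample data built for the example; the `reg add` / `netsh winsock reset` lines returned by `remediation_commands()` are the standard XP-era commands for clearing the IE proxy and rebuilding the Winsock catalog, and are assumed here to be what one would type after cleaning, not a recorded step from the thread.

```python
"""Detect a loopback proxy planted in IE and Firefox settings.

Added example (not code from the original post).  Search hijackers of
the kind described above point the browser at 127.0.0.1:<port> so a
local component can intercept and rewrite web traffic.
"""
import ipaddress
import re

# Constructed sample of:  reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"ProxyServer"="127.0.0.1:6522"
"ProxyOverride"="<local>"
'''

# Constructed sample Firefox prefs.js (type 1 = manual proxy configuration)
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 6522);
user_pref("network.proxy.share_proxy_settings", true);
'''

REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9a-fA-F]{8})|"(?P<str>.*)")$')
PREF = re.compile(r'^user_pref\("(?P<name>[^"]+)",\s*(?P<val>.+)\);$')


def parse_reg(text):
    """Return {value_name: int|str} for the dword and string values in a .reg export."""
    values = {}
    for line in text.splitlines():
        m = REG_VALUE.match(line.strip())
        if not m:
            continue
        if m.group("dword") is not None:
            values[m.group("name")] = int(m.group("dword"), 16)
        else:
            values[m.group("name")] = m.group("str")
    return values


def parse_prefs(text):
    """Return {pref_name: int|bool|str} for user_pref(...) lines in prefs.js."""
    prefs = {}
    for line in text.splitlines():
        m = PREF.match(line.strip())
        if not m:
            continue
        raw = m.group("val").strip()
        if raw.startswith('"'):
            prefs[m.group("name")] = raw.strip('"')
        elif raw in ("true", "false"):
            prefs[m.group("name")] = raw == "true"
        else:
            prefs[m.group("name")] = int(raw)
    return prefs


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or the name 'localhost'."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def ie_proxy_findings(values):
    """IE honours ProxyServer only when ProxyEnable == 1.  The value is either
    'host:port' (all protocols) or 'http=host:port;https=host:port;...'."""
    findings = []
    if values.get("ProxyEnable", 0) != 1:
        return findings
    for entry in values.get("ProxyServer", "").split(";"):
        entry = entry.strip()
        if not entry:
            continue
        scheme, _, hostport = entry.rpartition("=")
        host, _, port = hostport.partition(":")
        if is_loopback(host):
            findings.append(("ie", scheme or "all", host, int(port) if port else None))
    return findings


def firefox_proxy_findings(prefs):
    """Firefox keeps one host/port pair per scheme under network.proxy.*."""
    findings = []
    if prefs.get("network.proxy.type") != 1:
        return findings
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        port = prefs.get(f"network.proxy.{scheme}_port")
        if host and is_loopback(host):
            findings.append(("firefox", scheme, host, port))
    return findings


def remediation_commands(findings):
    """Commands to clear the IE proxy and rebuild the Winsock catalog (assumed
    post-cleanup steps; Firefox prefs are edited in about:config or prefs.js)."""
    key = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    cmds = []
    if any(f[0] == "ie" for f in findings):
        cmds.append(f'reg add "{key}" /v ProxyEnable /t REG_DWORD /d 0 /f')
        cmds.append(f'reg delete "{key}" /v ProxyServer /f')
    if findings:
        cmds.append("netsh winsock reset")
    return cmds


if __name__ == "__main__":
    found = ie_proxy_findings(parse_reg(SAMPLE_REG)) + firefox_proxy_findings(parse_prefs(SAMPLE_PREFS))
    for f in found:
        print("loopback proxy:", f)
    for c in remediation_commands(found):
        print("run:", c)
```

A corporate proxy on a real address is deliberately not flagged; the point is that nothing legitimate on a home XP box should be listening for the browser on 127.0.0.1, so any loopback entry deserves a look at what owns that port before it is cleared.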