Explorer.exe infected, Win32:Bamital-X

Windows 7 64b. Another case of Bamital. I had even run a scheduled full scan the previous night with 0 threats only to somehow get the system infected with Bamital and Malware.gen the next morning.

I got a popup saying something about msnmgr and explorer.exe and that Windows Defender etc wants to download some update for a threat it supposedly detected. I don’t think I even had Defender running though because I usually run Avast. So, I immediately rebooted and found that even though the login screen still loads, I’m faced with a black screen because explorer.exe is not starting at all. I tried to start explorer.exe manually, but it refused saying that the file is infected. I can still run scans through task manager though, and all the other processes seem to load, including Avast services. I stopped 2 processes I didn’t recognize before running the scans though.

Then I got here, read the other threads about fixing this and downloaded a few more tools on another computer. I think I have everything else removed except I don’t know how to fix explorer.exe as Avast seems to be the only one even detecting a threat in there at the moment, but it can’t repair it nor move it…

mbam: Fixed a few issues after Avast.
Hitman Pro x64: Uploaded several files into some “cloud” without asking, dunno why. Fixed wininit though.
Norman Malware Cleaner: Fixed a few more issues
Dr.Web. didn’t find anything
Spybot S&D: Still managed to find something minor
CCleaner: I probably should have run this first to clean all the temporary files, cookies, etc.

I don’t think winlogon.exe was ever infected, but maybe I need to run all the scans in safe mode? However, this leads to another annoyance. In safe mode, I get explorer.exe process running with desktop and start menu, but there is also some safe mode help support window popping up in a loop every 5 seconds messing up with focus just so that I can’t run much of anything through the start menu. I’m avoiding running browsers on that system, so I’m using another computer to type this…

I was under the impression that Hitman Pro is supposed to replace the explorer.exe with a working one but as it’s not even detecting any threats, it’s not doing that. It was happy to ask me to activate the free trial to fix wininit though…

Afaik, in short, Avast still detects a threat in explorer.exe but I can’t do anything about it. That’s all though, no other threats detected.

So, is there something else I can do, or should I just call it a paper weight after all this work and start reinstalling windows 7? I hope the OEM disc still allows that, but it used to work with older Windows versions. I can attach the OTL log or other logs if still required.

I recommend you follow this guide from Essexboy and post the logs: http://forum.avast.com/index.php?topic=53253.0

To avoid using 20 posts with copy and paste, you have to attach the logs

Lower left corner: Additional Options > Attach (OTL.Txt, Extras.Txt and the MBAM scan log)

I suggest Hitman Pro - Second Opinion Malware Scanner

Bamital/Drooptroop Remediation

@jtaylor…read his post again

Mbam finished and the log is attached, but OTL seems to stall and go “not responding” while scanning WwanSvc. I checked that it’s some WWAN AutoConfig service and it is stopped. OTL is still taking hefty amounts of CPU processing though after a few minutes. It shouldn’t take this long, should it?

Edit: I had to disable service scanning to get it to finish scanning. Otherwise, I went with the instructions, that is, checked “scan all users” and clicked run scan.

Then you can expect a reply from Essexboy here late tomorrow

Hi there run this and let me know the outcome please

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:OTL
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.

:Files
ipconfig /flushdns /c
C:\Windows\explorer.exe|C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.20563_none_ae46d6aeac7ca7c7\explorer.exe /replace

:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Looks like it didn’t find the explorer.exe and I’m still faced with a black screen after reboot. But, I did get a log from OTL and attached it.

Syntax is correct - I will try a replace from another location

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following

:Files
C:\Windows\explorer.exe|C:\Windows\SysWow64\explorer.exe /replace

:Commands
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I don’t seem to have any instance of explorer.exe directly under c:\windows. The SysWow64 one does exist though.

I’m not sure did OTL really move anything. I’m assuming it was supposed to do that on reboot, but I’m still greeted with this ominous black screen… and no explorer.exe seems to be running.

Let's try Windows SFC and see if that will replace it

Go to start > Run and type in the following

sfc /SCANFILE=c:\windows\explorer.exe

Well, I don’t have a start menu either, but I get your point and already had command prompt open. “Windows Resource Protection” actually found the file to be corrupt and claims to have repaired it “from store”. And, yes, there is an explorer.exe at the correct location now. I’ll reboot and hope for the best.

Wow, it works. I finally got my desktop, start menu and everything back. Thank you for the help, and I’ve learned too. Everything looks intact but I’ll scan the computer once again trying to make sure that everything is clean again before working on it.

Edit: Avast free full scan found no threats. Malwarebytes’ Anti-Malware full scan also comes up clean too. Hitman Pro appears to have run a quick scan on start up automatically. It didn’t find anything either. Looks safe to me.

A 64bit windows 7 is new territory at the moment, the only one I can practice on is my own system. It does not help that there are 32 and 64 bit versions of most system files. We are now looking for ways to combat the first 64bit rootkit, we have had limited success so far

I wonder why windows stopped me replacing the dodgy file yet allowed the malware to… another area for investigation ;D

Btw, looking at the quarantine tab on Malwarebytes Anti-Malware… It found quite a few different things all at the same time and moved them:
Adware.Adrotator
Rogue.AntimalwareDoctor
Trojan.FakeAlert
Malware.Trace
Malware.Packer.Gen

All of those practically appeared at once or at most overnight. Maybe from a single click. Teaches me to keep the scans on. I must have either clicked just the wrong link on Google or they came through MSN, some IRC link or however these things spread. :p It was my first infection too…

Recommended: Malwarebytes PRO with IP block and auto update, a one-time fee for a lifetime license

Thank you for the idea to try SFC. Unfortunately for me (Win7 in case it might matter), using the “/scanfile” option was apparently a mistake. It only lets you fix one file at a time that way, and I had two corrupt files. When I restarted after it said it had successfully fixed the first one, I got a blue screen that Startup Repair couldn’t fix. It failed twice, first with “Unknown Bugcheck (F4 I believe)”, then just “unable to repair” “a patch is preventing the system from starting”. Third time I let it use System Restore and it brought back Windows, but also my corrupt file.

Using the full “sfc /scannow” form found and said it fixed both corrupt files at once, and allowed a successful restart with both corrupt files actually fixed. It produced a huge log file that required admin privileges to access, and help to interpret:
http://support.microsoft.com/kb/928228/en-us

A good instruction page for SFC is here:
http://support.microsoft.com/kb/929833

I can’t be sure it was fixing C:\Windows\explorer.exe but not C:\Windows\System32\wininit.exe that caused the bluescreen, but fixing both together seems to have rid me of Bamital.

Hope this helps someone…
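The SFC step from Essexboy's post and the /scanfile versus /scannow lesson in the post above, put together as one check-then-repair script. This is an added example, not code from the thread or from any of the tools named in it; it assumes an elevated PowerShell prompt on Windows 7 x64, the standard file locations, and that the WinSxS component store (which SFC restores from) is itself intact.

```powershell
# Added example (not from the thread): compare the system binaries Bamital patches with
# the copies in the WinSxS component store that SFC restores from, then run the full
# /scannow pass and pull the readable [SR] entries out of CBS.log (the filter from KB928228).
# Run from an elevated prompt on Windows 7 x64; paths are the standard locations.
$live = @(
    "$env:windir\explorer.exe",
    "$env:windir\SysWOW64\explorer.exe",
    "$env:windir\System32\wininit.exe",
    "$env:windir\SysWOW64\wininit.exe"
)

function Get-Sha256([string]$path) {
    # .NET hashing rather than Get-FileHash so it also works on Windows 7's PowerShell 2.0
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($path)
    try     { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}

# 1. Hash every copy of each file that the component store holds (possibly several versions).
$store = @{}
foreach ($f in Get-ChildItem "$env:windir\winsxs" -Recurse -Include explorer.exe, wininit.exe -ErrorAction SilentlyContinue) {
    $store[(Get-Sha256 $f.FullName)] = $f.FullName
}

# 2. A live file whose hash matches no store copy is either a modified binary (the Bamital case)
#    or a version the store does not hold; either way it is the file to hand to SFC.
foreach ($path in $live) {
    if (-not (Test-Path $path)) { "MISSING   $path"; continue }
    $h = Get-Sha256 $path
    if ($store.ContainsKey($h)) { "OK        $path  (matches $($store[$h]))" }
    else                        { "MISMATCH  $path" }
}

# 3. Repair every protected file in one pass instead of one /scanfile at a time,
#    so a second corrupt file (wininit.exe in the post above) is not left for the next boot.
sfc.exe /scannow

# 4. CBS.log is large; the [SR] lines are the ones that describe what SFC found and repaired.
$out = Join-Path ([Environment]::GetFolderPath('Desktop')) 'sfcdetails.txt'
Select-String -Path "$env:windir\Logs\CBS\CBS.log" -SimpleMatch '[SR]' |
    ForEach-Object { $_.Line } | Set-Content $out
Select-String -Path $out -Pattern 'Repairing|Cannot repair' | ForEach-Object { $_.Line }
```

A MISMATCH on both explorer.exe and wininit.exe before the run, and "Repairing" entries for both in sfcdetails.txt after it, is the pattern the post above describes; a file that still reads "Cannot repair" needs a different source, such as the OTL replace from the component store used earlier in the thread.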

I was trying to be cheeky and only scan the infected files - windows should have replaced them with no problem

Although I should have replaced both explorers not just the one