Win32:Bamital-AQ affected explorer.exe and winlogon.exe

Heyy again… Find the attached report created by BlitzBlank after the execution and reboot… thanks.

I scanned my full system with Avast and guess what… the infection on explorer.exe and winlogon.exe is CURED!!! Phew… thanks a ton, man… BUT… the Bamital-AQ still exists, and now it has moved to 2 other files in C:\System Volume Information\_restore… Please see the attached scan results.

The C:\System Volume Information\_restore folder is the System Restore one.
Delete the old restore points, or disable and re-enable System Restore, to delete the infected restore points.

Heyy… I deleted the System Restore points… and verified that it was 0 MB… updated my Avast virus definitions, then ran a full system scan again… and the Bamital-AQ malware still exists and it is moving… it has now affected 3 files, and also the Avast update had some problems, which the scan isolated… Please see the attached scan results.

NB: I fear the malware might attack explorer.exe and winlogon.exe again, which are clean now.

I’m sorry, I had a problem with the internet yesterday >:(

Excellent, Bamital has been removed. We will fix System Restore later.

Download gmer.zip from here to your Desktop

Run gmer.exe

[*] Click on the Rootkit/Malware tab.
[*] Click on Scan.
[*] When the scan is done, click on Copy.
Then open Notepad, right-click and choose Paste. Save this Notepad file as file1.txt.

[*] Repeat this with the Autostart tab.
Save this Notepad file as file2.txt.

Attach file1.txt and file2.txt here.

Find the attached reports generated from GMER as you requested.

NB: Without my knowing, another problem which made me scratch my head is solved: my Notepad icon is back!! Thanks.

Open notepad and copy/paste the text present inside the code box below:

File::
c:\windows\system32\fopbjgzcoxnjtg.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"phijwzrecye"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\mchInjDrv]

Rootkit::
c:\docume~1\ADMINI~1\LOCALS~1\Temp\mc21.tmp

Driver::
mchInjDrv

Save this as CFScript.txt to your Desktop.

http://img213.imageshack.us/img213/1218/cfscript1.gif

Drag CFScript.txt onto ComboFix.exe. ComboFix will re-run.

When finished, it will produce a log for you.
Copy/paste the contents of the log in your next reply (typical location: C:\ComboFix.txt).
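As an added example (not part of the thread or of ComboFix), the following read-only PowerShell check confirms, after ComboFix has finished, that the items the CFScript above asked it to remove are actually gone: the dropped DLL, the Run value, the mchInjDrv service key and driver, and the temporary driver file. It changes nothing; removal is left to ComboFix. Two assumptions are made: the Temp path is resolved from $env:TEMP instead of the 8.3 short name shown in the script, and the CurrentControlSet key is checked alongside the ControlSet001 key the script deletes.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell.
# Read-only: reports what remains from the CFScript items, removes nothing.
$dll      = Join-Path $env:SystemRoot 'System32\fopbjgzcoxnjtg.dll'
$tmpDrv   = Join-Path $env:TEMP 'mc21.tmp'          # assumption: $env:TEMP == docume~1\...\Temp
$runKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'phijwzrecye'
$svcKeys  = @('HKLM:\SYSTEM\ControlSet001\Services\mchInjDrv',     # key named in the CFScript
              'HKLM:\SYSTEM\CurrentControlSet\Services\mchInjDrv') # assumption: also check the live set

$findings = @()

if (Test-Path -LiteralPath $dll)    { $findings += "file still present: $dll" }
if (Test-Path -LiteralPath $tmpDrv) { $findings += "file still present: $tmpDrv" }

# Get-ItemProperty -Name returns $null (with the error suppressed) when the value is absent.
$run = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value still present: $runValue = $($run.$runValue)" }

foreach ($k in $svcKeys) {
    if (Test-Path -LiteralPath $k) { $findings += "service key still present: $k" }
}

# Kernel drivers are not returned by Get-Service; Win32_SystemDriver covers them.
$drv = Get-WmiObject -Class Win32_SystemDriver -Filter "Name='mchInjDrv'"
if ($drv) { $findings += "driver still registered: $($drv.Name) (state: $($drv.State))" }

if ($findings.Count -eq 0) {
    'All CFScript items are gone.'
} else {
    'Remaining items:'
    $findings | ForEach-Object { "  $_" }
}

# For the worry about re-infection: list every remaining Run entry so an
# unfamiliar random-looking name can be spotted on the next check.
'Current HKLM Run entries:'
Get-ItemProperty -Path $runKey |
    Select-Object -Property * -ExcludeProperty PS* |
    Format-List
```

Run it once right after the ComboFix reboot and again after the next Avast scan; if the Run value or the service key reappears between the two runs, the dropper is still active somewhere and the log should go back to the helper.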

sniper619

Do you wish to delete the hidden rude folder in the root of C:? ;D

Better to cut that folder to a different partition.

Heyy argus… Find the attached report of ComboFix.

PS: I will move it to my HDD…lol :wink:

Are there any problems?

I think it’s ok

No man… no problems at all… just those infections detected by Avast in the last scan, they won’t move up to explorer and winlogon, will they?

Any precautions to take for preventing future attacks, as I really don’t know how it got into the PC, since the PC does not have a net connection!

Thanks a lot for your help and time man…

It is necessary to uninstall ComboFix.

Start >> Run

Combofix /Uninstall

Enter

This will reset the System Restore points, and I think that Avast will no longer detect the infection.

I suggest that you remove the GMER logs from the topic.

It tells me ‘Windows cannot find Combofix/. Make sure you typed the name correctly, then try again. To search for a file, click the Start button and then Search.’

Oops, sorry, my bad… I had typed ComboFix/ Uninstall instead of ComboFix /Uninstall (the stroke mistake)… so now it’s gone…

How about GMER?

Thanks…

Yep :slight_smile:

Remove the GMER logs from the topic.

Heyy argus… after some time I ran a full system scan, and the results were unbelievable: explorer.exe and winlogon.exe are cured of that malware, thanks to you and your tools, but in the scan ONE threat was detected, named Win32:Malware-gen, affecting D:\System Volume Information-… … please see the scan results attached.

Any Danger?

D:\System Volume Information\ is System Restore.

See the first image,
reboot,
then the other image.

argus, please, consider http://forum.avast.com/index.php?topic=19387.msg607589#msg607589

Sorry Tech :slight_smile:

Don’t worry. Just a suggestion :slight_smile: