win32:Bamital-BD [Trj]

Windows Vista

C:\windows\explorer.exe is infected with win32:Bamital-BD

When I start windows and login I end up with just a blank (black) screen with a pointer.

It does this in safe mode also.

Malwarebytes detects nothing (ran through task manager-new task)

Avast will not do anything with it.

Hi,

Please download zoek.exe and save it to your desktop.

[*] Close any open browsers.

[*] Temporarily disable your AntiVirus program. (If necessary)
If you are unsure how to do this please read this or this Instruction.

[*] Double click on zoek.exe to run the tool.
Please wait until the tool starts…

[*] Copy the text present inside the code box below and paste it into the large window in the zoek tool:



process;
srinfo;
systemscpecs;
installedprogs;
DIR /S /A:L "%systemdrive%\*">>"%temp%\log.txt";b
C:\Windows\system32\services.exe;i
C:\Windows\SysNative\services.exe;i
explorer.exe;z
winlogon.exe;z
filesrcm;
startupall;
skipfix-iedefaults;
firefoxlook;
chromelook;


[*] Click on the Run Script button (see
http://www.mcshield.net/personal/magna86/Images/Run%20Script%20by%20zoek.png
).
Please wait until the log report opens (this can be after a reboot).

[*] Save the Notepad file to your Desktop and attach zoek-results.log here.

Note: It will also create a log in the C:\ directory named “zoek-results.log”.

=========== Next ===========

Please download aswMBR and save it to your desktop.

Double click aswMBR.exe to start the tool.

[*] Select Yes if prompted to download the Avast database.
[*] Click Scan.
[*] Upon completion of the scan (Scan finished successfully) click Save log and save it to your desktop, and attach that log in your next reply for review.
Note: do NOT attempt any Fix yet.

How do I do this without being able to get online? I am using my cell for internet access right now.

[*]Download FRST to a USB flash drive.

Download link is for 32bit(x86) or x64bit based system:
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

[*]Plug the USB drive into the infected machine.

Boot your computer into Recovery Environment

[*]Restart the computer and press F8 repeatedly until the Advanced Options Menu appears.
[*]Select Repair your computer.
[*]Select Language and click Next
[*]Enter password (if necessary) and click OK, you should now see the screen below …

http://i1090.photobucket.com/albums/i366/garyr56/W7InstallDisk2.png

[*]Select the Command Prompt option.
[*]A command window will open.

[*]Type notepad then hit Enter.
[*]Notepad will open.
[list]
[*]Click File > Open then select Computer.
[*]Note down the drive letter for your USB Drive.
[*]Close Notepad.[/list]
[*]Back in the command window …

[*]Type e:/frst.exe
(or type e:/frst64.exe if you downloaded the FRST for 64-bit Windows) and hit Enter
(where e: is replaced by the drive letter for your USB drive)

[*]FRST will start to run.
[list]
[*]When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]When finished scanning it will make a log FRST.txt on the flash drive.[/list]
[*]Next

[*]Type explorer.exe;winlogon.exe into the Search: field in FRST then click the Search File(s) button.
[*]FRST will search your computer for files and when finished it will produce a log Search.txt on the flash drive.
[*]Exit FRST.
[*]Close the command window.
[*]Boot back into normal mode and post me the FRST.txt and Search.txt logs please.

Was able to get online, worked through task manager… continuing with first set of directions, reply with results shortly… thx

Great. If you are able to log in normally in Windows, follow the zoek and aswMBR instructions and attach the logs here.
If for some reason you again cannot access Windows, FRST.exe (FRST64.exe) is a tool that runs outside of Windows from a USB drive, so you can use it.

Here they are, let me know if I did it right

  1. Download ComboFix from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your AntiVirus program.
    If you are unsure how to do this please read this or this Instruction.

How to disable avast:

[*]Right-click on the avast! icon in the lower right corner of the screen and choose Open Avast! User Interface.
[*]In the window that opens on the top right corner, click Settings.
[*]In a new window that opens, choose the option Troubleshooting, Uncheck Enable avast! self-defense, and click OK.

[*]Right-click on the avast! icon in the lower right corner of the screen and select avast! shield controls .
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn on this option after the cleaning.

  1. Run ComboFix. Click on I Agree!
    ComboFix will check if there is a newer version of ComboFix available.
    Click Yes if prompted to download.
    ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
    Click Yes to allow ComboFix to continue.
    If Recovery Console is not installed, ComboFix will offer download & installation.
    Click Yes to allow ComboFix to install Recovery Console.
    Note: Do not mouse-click ComboFix’s window while it is running.
    If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart the computer once more.

  2. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
    Attach the log report (ComboFix.txt) back to the topic.

Also, tell me: do you have a Windows Vista installation CD?

I don't believe I have the Vista CD but I may have the recovery disk that came with my PC.

ComboFix finished and I guess rebooted while I was taking the dog out, well it is trying to reboot, it seems to be stuck at the ‘Logging Off’ screen.

Give it time to reboot the machine. If after some time it doesn’t restart, then restart the machine manually. CF will continue to work when you boot up again.
Attach the CF log here. I will be online later tonight (in my time).

ok here we go

BTW after a couple reboots, I was able to login as normal and so far so good.

Now how about the cleanup? (logs, programs from this etc)

Hi,

Please download AdwCleaner and Junkware Removal Tool and save tools to your desktop.

[*] Launch AdwCleaner by double-clicking it.
[*] Click on [Delete]. Wait for the program to complete its work.
The program will close all active programs. Click OK to confirm that.
On the next two windows that open (Informations and Restart required) click OK.

[*] The computer will restart and open a Notepad window (C:\AdwCleaner[S1].txt) with the report.
[*] Save the Notepad report on the Desktop.
THEN…
[*] Run Junkware Removal Tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-mouse click JRT.exe and select “Run as Administrator”.
[*] Shut down your protection software now to avoid potential conflicts.
[*] The tool will open and start scanning your system.
[*] Please be patient as this can take a while to complete depending on your system’s specifications.
[*] On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

[*] Attach the contents of JRT.txt into your next message.
[*] Attach here C:\AdwCleaner[S1].txt

============ NEXT ============

Open notepad and copy/paste the text present inside the code box below:



ClearJavaCache::
FileLook::
c:\windows\System32\wininit.exe
c:\windows\explorer.exe
C:\Windows\system32\w.dll


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

ok here we go

Here's the combo txt

Open notepad and copy/paste the text present inside the code box below:



File::
c:\windows\system32\w.dll


Save this as CFScript.txt

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Close all browser windows and refer to the picture above.

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Attach the contents of the log in your next reply. (typical location: C:\ComboFix.txt)


How’s your computer running now?
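The FRST search for explorer.exe;winlogon.exe earlier in the thread and the FileLook:: entries in the CFScripts (wininit.exe, explorer.exe, w.dll) all target the same handful of files, because this family patches legitimate system binaries in place. As an added example, not from the thread or from any of the tools it uses, the following PowerShell script (Vista's PowerShell 2.0 is enough) reports, for each of those files, whether it exists, its SHA-256 and its Authenticode status, and compares the hash against a reference value if you supply one. It assumes the standard %SystemRoot% layout; the $knownGood table holds placeholders that you would replace with hashes taken from a clean machine at the same Service Pack level.

```powershell
# Added example (not from the thread): inventory the system binaries that the
# FRST search and the CFScript FileLook entries single out, and report for each
# whether it exists, its SHA-256 and its Authenticode status.
# Assumption: standard %SystemRoot% layout. w.dll is the file named in the
# CFScript and is not part of a clean Windows install.
$targets = @(
    "$env:SystemRoot\explorer.exe",
    "$env:SystemRoot\System32\winlogon.exe",
    "$env:SystemRoot\System32\wininit.exe",
    "$env:SystemRoot\System32\w.dll"
)

# Optional reference hashes from a known-clean machine with the same Windows
# version and Service Pack. The values below are placeholders, not real hashes;
# entries still starting with "<" are ignored by the comparison.
$knownGood = @{
    "explorer.exe" = "<SHA256-FROM-CLEAN-MACHINE>"
    "winlogon.exe" = "<SHA256-FROM-CLEAN-MACHINE>"
    "wininit.exe"  = "<SHA256-FROM-CLEAN-MACHINE>"
}

function Get-FileSha256 {
    param([string]$Path)
    # .NET SHA256 is used because Get-FileHash only arrived in PowerShell 4.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace("-", "")
}

foreach ($path in $targets) {
    $name = [System.IO.Path]::GetFileName($path)
    if (-not (Test-Path -LiteralPath $path)) {
        # Absent is the expected state for w.dll; a missing explorer.exe or
        # winlogon.exe would by itself explain a black screen after logon.
        Write-Output ("{0,-45} MISSING" -f $path)
        continue
    }

    $hash = Get-FileSha256 -Path $path
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $signer = "(none)"
    if ($sig.SignerCertificate -ne $null) { $signer = $sig.SignerCertificate.Subject }

    $verdict = "no reference hash"
    if ($knownGood.ContainsKey($name) -and -not $knownGood[$name].StartsWith("<")) {
        if ($knownGood[$name] -eq $hash) { $verdict = "matches reference" }
        else { $verdict = "DIFFERS from reference" }
    }

    Write-Output ("{0,-45} {1,-12} {2}" -f $path, $sig.Status, $verdict)
    Write-Output ("    SHA-256: {0}" -f $hash)
    Write-Output ("    Signer : {0}" -f $signer)
}
```

Run it from an elevated PowerShell prompt. One caveat matters when reading the output: most Windows system binaries are catalog-signed rather than carrying an embedded signature, and PowerShell versions before 5.1 report those as NotSigned, so NotSigned on its own is not proof of tampering. A hash that differs from a clean copy at the same Service Pack level, or a Valid signature whose subject is not Microsoft, is the real signal; sfc /verifyonly gives an independent second opinion on the same files.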

Seems to be running fine, I did some Windows updates and it slowed it down… I updated to SP1 and then SP2, I wasn't able to for quite a while but no scans ever found anything, AVG, AVAST, online scanners and MWB didn't find anything previously so that's one good thing, now I have close to 150 updates to do.

It is necessary to uninstall ComboFix :

[*] Click Start (or the Vista Start button:
http://amf.mycity.rs/pg/images/VistaStartButton.png
) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process to complete.


Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on the “Run” button. Wait for the program to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored at C:\DelFix.txt

I don’t need DelFix log report.


I recommend you keep Malwarebytes and use MCShield if you wish.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
Not only will it prevent infection, but it will also immediately clean the flash drive, memory card or external HDD.

Thank you very much for all your help, you saved my butt.