Win32:Bamital

Hi, looking for some help removing this trojan from my system.

I actually have several different issues, I’m not even sure if they’re all related to the bamital trojan!

The situation at the moment is as follows: Windows will hang on startup. However, I am able to access avast through the Task Manager - once I’ve disabled the real-time scanning I can start explorer and windows then finishes bootup. Not sure if this is due to bamital infecting the winlogon file or to a conflict between avast and another antivirus program that is still clinging on to life in my system somewhere! Advice on this would be much appreciated!

I still get notifications from avast when opening firefox, and the infected files are identified but avast can’t move/delete/repair because the files are in use/read only.

I’ve completely stretched my (meagre!) understanding of computers to tackle this problem, am now completely stuck and would appreciate some guidance as to what I should do next.

Thanks in advance.

Mat.

Try to remove SOME viruses with MBAM
www.malwarebytes.org: download, install, update, scan
and wait for essexboy

> I still get notifications from avast when opening firefox, and the infected files are identified but avast can't move/delete/repair because the files are in use/read only.

Try this one first: TFC - Temp File Cleaner by OldTimer: http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/ TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

Have you tried the avast boot scan?
http://sites.google.com/site/spg20scottsweb/home/avast-5-boot-time-scan

Malwarebytes Anti-Malware 1.46 http://filehippo.com/download_malwarebytes_anti_malware/
Always update so you have the latest database before you scan.
Click the Remove Selected button to quarantine anything found.
You may post the scan log here if anything is found.

Thanks for the suggestions, I’ve given them all a go.

The boot scan encountered the same problem: unable to move/quarantine/delete the infected file (explorer.exe).

I ran a TFC scan which, while successful, hasn’t removed the problem.

Malwarebytes’ Antimalware Scan results are below, the program was able to quarantine and delete all of the items found.

Any suggestions of next steps would be helpful. I’m still getting virus warnings for ‘bamital’ and having to disable active scanning in avast to allow windows to boot fully.

> Any suggestions of next steps would be helpful. I'm still getting virus warnings for 'bamital' and having to disable active scanning in avast to allow windows to boot fully.

Follow this guide from Essexboy and post the logs
http://forum.avast.com/index.php?topic=53253.0

To avoid multiple posts with copy and paste, you have to attach the logs.
Lower left corner: Additional Options > Attach (OTL.Txt, Extras.Txt and the MBAM scan log)

Ok here are the scan logs for OTL and MBAM.

Now wait for essexboy ;D It is just midnight here now, so I guess you won't see him here before late tomorrow.

OBS: there have been updates to Malwarebytes; the latest database is now 4705, so you can update, do a quick scan and see if that changes anything.

I see that you have run ComboFix - could I see the log please? It is at C:\combofix.txt

Yep no problem. Here it is.

OK, I can now see where the problem is.

  1. Please open Notepad
     - Click Start, then Run
     - Type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\wbem\Performance\WmiApRpl_new.ini

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
     - Combofix.txt

THEN

Rerun OTL, copy/paste the following into the custom scan/fixes box and then press Run Scan

/md5start
explorer.exe
winlogon.exe
/md5stop

Post the resultant log please

Ok here are both of the scans.

OK, no spare copies on your system - do you have access to a Windows CD of the same flavour?
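As an added example that is not part of this thread or of the OTL/ComboFix tools: a PowerShell script that does by hand the comparison the /md5start block and the Windows CD question above lead towards. It hashes the live explorer.exe and winlogon.exe and any spare copies in dllcache, ServicePackFiles or a CD's i386 folder; the $CdRoot drive letter and the use of %TEMP% for expanded CD files are assumptions.

```powershell
# Added example (not from the thread). Hashes the live explorer.exe and
# winlogon.exe, then looks for spare copies in dllcache, ServicePackFiles
# and the i386 folder of a Windows CD, and reports whether their MD5s match.
# Written for XP-era PowerShell: no Get-FileHash, so MD5 comes from .NET.
# $CdRoot is an assumption; set it to the drive letter of the CD.
param([string]$CdRoot = 'D:\')

$targets   = 'explorer.exe', 'winlogon.exe'
$system32  = Join-Path $env:windir 'system32'
$spareDirs = (Join-Path $system32 'dllcache'),
             (Join-Path $env:windir 'ServicePackFiles\i386'),
             ($CdRoot.TrimEnd('\') + '\i386')   # plain concat: CD drive may be absent

function Get-Md5Hex([string]$Path) {
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $md5.ComputeHash($stream) } finally { $stream.Close() }
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

# CD copies are cabinet-compressed (explorer.ex_); expand one into %TEMP%
# (assumed scratch location) so it can be hashed like an ordinary file.
function Get-SpareCopy([string]$Dir, [string]$Name) {
    $plain = [System.IO.Path]::Combine($Dir, $Name)
    if (Test-Path $plain) { return $plain }
    $packed = [System.IO.Path]::Combine($Dir, ($Name -replace 'e$', '_'))
    if (-not (Test-Path $packed)) { return $null }
    $out = Join-Path $env:TEMP $Name
    & expand.exe $packed $out | Out-Null
    if (Test-Path $out) { return $out }
    return $null
}

foreach ($name in $targets) {
    # explorer.exe lives in %windir% on XP, winlogon.exe in system32
    $live = @((Join-Path $env:windir $name), (Join-Path $system32 $name)) |
            Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $live) { Write-Host "$name : not found"; continue }
    $liveHash = Get-Md5Hex $live
    Write-Host "$live  $liveHash"
    foreach ($dir in $spareDirs) {
        $spare = Get-SpareCopy $dir $name
        if (-not $spare) { continue }
        $verdict = if ((Get-Md5Hex $spare) -eq $liveHash) { 'MATCH' } else { 'DIFFERS' }
        Write-Host ("  {0,-8} {1}" -f $verdict, $spare)
    }
}
```

A DIFFERS verdict alone does not prove infection, since dllcache or a CD may hold a different service-pack build of the file; a MATCH against a genuine CD copy is the useful signal. Replacing a file is left to the helper's instructions in the thread.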

I don’t have one here at the moment, but I can get hold of one easily enough - what do I need to do with it?