Bamital-AF removal; explorer.exe & winlogon.exe both infected; using taskmanager

Inactive
By jomon324
Oct 22, 2010
Topic Status:
Not open for further replies.
  1. Hello, I'm a first timer here, so I'm gonna try my hardest to do the right things. ***note: I am a fairly inexperienced user in regards to virus destruction, so please bear with me if I sound stupid.***

    Alright, so what I started with was Avast! antivirus scanning my computer after around eight different types of windows came up, each saying that they were antivirus software that I had never used, and an error box entitled "ThinkPoint" which cascaded infinitely while Avast blocked it. I didn't know what to do, so I reset my computer after scheduling a boot scan. (I had been doing homework late, around 1:10 AM when this happened, but I was able to back it up on my external HDD.) I ended up cancelling the boot scan because it was so late. The next day, I started up my computer and was greeted with a stupid-looking window that said "Think Point, the world's leading innovator in blahblahblah," and two buttons: a greyed-out "Normal Startup" and a green "Safe Startup" which I did NOT click. Instead, I had my dad come in and look at it, and he almost clicked "safe startup," but I was wary and didn't let him. That's when I decided to do research on ThinkPoint, and after a few clicks on my iPod touch, I found this site and the tutorial on how to remove malware, as well as several threads about a "Bamital-AC" and ThinkPoint itself.

    So here I am, and I'm gonna start with the Malwarebytes log because I tried using TFC twice yesterday, and during the start of each scan it made my computer restart, so I'm skipping that step for now.

    Malwarebytes' Log: (First scan: yesterday)

    That scan was done yesterday, and today I did a new scan (and "My Computer" still has the windows-doesn't-know-what-this-is icon, aka the paper with three shapes on it) and these are the more recent results:

    Malwarebytes Log: (Second scan: today)

  2. jomon324

    ***Sidenote: GMER has to be run while I'm disconnected from the internet, correct? If yes, then I'm going to need to know how to connect/disconnect from the internet via Task Manager, or should I just run the program while still connected to the internet?***

    Sorry for the double-post.
  3. Bobbye

    Welcome to TechSpot! I'll help with the malware.

    ThinkPoint is a rogue anti-spyware program that comes bundled with the fake Microsoft Security Essentials Alert. It will block Task Manager, Registry Editor and other tools too, claiming that these tools were blocked due to security reasons and might be infected with malicious code.

    Good for you overruling your dad about clicking on one of those choices. A good rule of thumb is not to click on anything if you don't know what it is. This is especially true when it comes to security. The malware authors try to mimic legitimate programs in looks and in what the action will be; that's why so many users get drawn into these programs. The main entry we see is hotfix.exe so we will stop it:
    1. Boot into Safe Mode
      • Restart your computer and start pressing the F8 key on your keyboard.
      • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.
    2. End Task
      Click on Start> Run> type in taskmgr> OK.
      Double click on the frame at the top of the Processes column to sort
      Find hotfix.exe and click to Highlight
      Click on End Task
    3. Unhide
      Click on Start> Search> All Files and Folders
      Go up to Tools> Folder Options
      Click on the View tab
      Check 'Show hidden files and folders'
      Uncheck 'Hide protected operating system files (Recommended)'
      Click on OK> Apply> OK
    4. Search
      Go to Search> 'all or part of the name'
      Type in hotfix.exe
      (It should be found in this folder: C:\Documents and Settings\User\Application Data\hotfix.exe)
      Do a right click> Delete on the file
    5. Rehide the files and folders.
    Close
    ===============================================
    Reboot the computer back into Normal Mode
    ==============================================
    Please download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with ComboFix.

    Let me know how this goes. After I see the Combofix log, I'll decide what comes next. If you have any problem along the way, stop and ask me about it.
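The End Task, Unhide and Search steps in the reply above, done from PowerShell instead of the Task Manager and Search windows. This is an added example and not part of the original reply or of any tool the thread mentions. It assumes PowerShell 2.0 or later (the XP era version, hence Get-WmiObject rather than Get-CimInstance), an administrator session, and the file location the reply gives; the function names are illustrative. Nothing is deleted unless -Force is passed.

```powershell
# Added example, not from the original thread: find a process running from
# a profile folder, list the hidden file behind it, check the Winlogon Shell
# value, and only then stop and delete it. PowerShell 2.0+, run as admin.

function Find-SuspiciousProcess {
    # Report every process whose executable lives under the current user's
    # Application Data, Temp or (Vista and later) AppData\Local folder, plus
    # anything with the given image name. Legitimate services rarely run
    # from a profile folder; the reply's hotfix.exe does.
    param([string]$Name = 'hotfix.exe')

    # $env:LOCALAPPDATA does not exist on XP; Where-Object drops the null.
    $userRoots = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }
    Get-WmiObject Win32_Process | ForEach-Object {
        $path = $_.ExecutablePath          # null for System/Idle, so guard it
        $inUserDir = $false
        foreach ($root in $userRoots) {
            if ($path -and $path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                $inUserDir = $true
            }
        }
        if ($inUserDir -or ($_.Name -ieq $Name)) {
            New-Object PSObject -Property @{
                PID         = $_.ProcessId
                Name        = $_.Name
                Path        = $path
                CommandLine = $_.CommandLine
            }
        }
    }
}

function Get-HiddenFile {
    # Same as ticking 'Show hidden files and folders' and unticking 'Hide
    # protected operating system files': -Force makes Get-ChildItem return
    # the hidden and system entries that Explorer and Search skip.
    param([string]$Folder = $env:APPDATA, [string]$Filter = 'hotfix.exe')
    Get-ChildItem -Path $Folder -Filter $Filter -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime, Attributes
}

function Get-WinlogonShell {
    # A rogue that replaces the desktop at logon usually got there through
    # the Shell or Userinit value. On a clean XP machine Shell is
    # 'Explorer.exe' and Userinit is 'C:\WINDOWS\system32\userinit.exe,'.
    # The HKCU copy of the key overrides HKLM for that user, so show both.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Select-Object @{n = 'Hive'; e = { $hive }}, Shell, Userinit
    }
}

function Remove-RogueFile {
    # End Task on anything running the file, then delete it. Dry run by default.
    param([Parameter(Mandatory = $true)][string]$Path, [switch]$Force)
    Get-WmiObject Win32_Process |
        Where-Object { $_.ExecutablePath -ieq $Path } |
        ForEach-Object { Stop-Process -Id $_.ProcessId -Force }
    if ($Force) {
        Remove-Item -LiteralPath $Path -Force
    } else {
        Write-Output "Would delete $Path (re-run with -Force to delete)"
    }
}

# Usage. On XP $env:APPDATA is C:\Documents and Settings\<user>\Application Data,
# which is where the reply says the malicious hotfix.exe lives.
Find-SuspiciousProcess | Format-Table PID, Name, Path -AutoSize
Get-HiddenFile
Get-WinlogonShell
# Remove-RogueFile -Path (Join-Path $env:APPDATA 'hotfix.exe') -Force
```

Checking the path, not just the name, is the point: a file called hotfix.exe under C:\WINDOWS\Microsoft.NET\Framework\...\Updates is a different thing from one under Application Data, and in Safe Mode the profile-folder copy may simply not be running, so an empty result from Find-SuspiciousProcess is not proof that the file is gone; Get-HiddenFile still has to be run.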
  4. jomon324

    Hotfix.exe wasn't running when I opened taskmanager, and the location of it is also different from what you said it was: mine are in C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\Updates and " "\v.1.1.4332\Updates. Should I still delete them? (typing from my iPod as I am currently running in safe mode, so sorry for any text errors)
  5. jomon324

    Just tried to run combofix.exe, and my browser was already closed, but I had taskmanager open, and it made a blue command prompt box for 1/16 of a second, as well as an error with no text and an "i" in a word bubble with "Ok", which I clicked. My computer then restarted, and the blue command prompt appeared again with a message that said there is a parasite file that tried to attach itself to combofix, and it asked me to write down the file location and name, which I did and will now reiterate. C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll and it said it is going to disable the file for now. After I clicked ok, my desktop came back for the first time in two days. Now it is trying to create a system restore point apparently.
  6. jomon324

    Um, slight problem. After scanning and deleting unnecessary files from my PC and fixing winlogon.exe and explorer.exe (thanks a million by the way), ComboFix came up and said it was creating a log, and told me not to open any programs until it was finished. That's fine, but Trillian Astra started up automatically, and an error appeared saying "Error loading C:\WINDOWS\icayitegigusobo.dll The specified module could not be found" and ComboFix is now running indefinitely, it seems, on creating a log report. The label in the taskbar (start menu blue bar area) says "ComboFix - Find3M" ...and it's just kind of stuck there. Should I close and reopen it?
  7. jomon324

    Log from ComboFix:

    (Actually, the first time it tried to create a log, it hung, and I couldn't get it to move. So, this is the second log from it. My apologies.)

  8. Bobbye

    Okay, a couple of things: You don't need to put the logs in Quotes. This actually cuts down on the screen space available.

    Run the script below, save the logs as instructed and include them in the next reply. When you have finished, please go on to my next reply with online AV scan instructions. I followed that with some comments and suggestions.

    Please run this Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    e:\fxdrv.sys
    c:\windows\system32\drivers\usb6xxxkl.sys
    c:\windows\dacfddfcadbca.exe /s
    c:\windows\system32\GameMon.des -service
    
    Extra::
    File::
    c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    Firefox::
    Firefox-: - Profile- c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\64rcuxax.default\
    Firefox-: prefs.js - SEARCH.DEFAULTURL 
    
    RegNull::
    [HKEY_USERS\S-1-5-21-1390067357-1767777339-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5AFADB1B-327F-CFDA-C903-91EC12F1671A}*]
    [HKEY_USERS\S-1-5-21-1390067357-1767777339-839522115-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    
    Driver::
    FXDRV
    usb6xxxk
    dacfddfcadbca
    npggsvc
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    (image of the drag-and-drop step not available)

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.

    Please go on to the next reply.
  9. Bobbye

    Following the run of the script in Combofix:
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ============================================
    Freez Online TV Toolbar
    You have several Registry processes loading the Freez Online TV Toolbar as a BHO (Browser Helper Object), a Toolbar and a 'Shell Execute Hook' (SH). This type of toolbar, the Conduit toolbars, is reputed to have a certain trackware functionality. The name of the program and site, Free-Downloads.net, is all for freeware and shareware. While the program itself is legitimate, most of these programs are bundled with a generous amount of adware and some with spyware. I recommend that this be removed. I can do most of it using a script again in ComboFix.

    National Instruments Driver Software
    It looks like you installed a large number of drivers for National Instruments Driver Software in July of 2007. It has been known to cause Blue Screen or Continuous Reboots. This is legitimate software but requires a great number of drivers to run. You can read more about that on their Knowledge Base HERE. Consider removing these entries unless you are still actively using them. I can also do that with script.

    hotfix.exe
    No, these are legitimate processes. This is not the same process; that one would have been located in C:\Documents and Settings\User\Application Data\hotfix.exe. It is possible that the malware hotfix.exe didn't start in Safe Mode.

    Scheduled Tasks
    Most of these are usually auto-updates scheduled for programs that do not need them. They will make numerous internet connections every day, looking for updates that you can find manually. You want to keep these connection attempts as few as possible and then only if needed for the system. The only auto-update I get is for the AV program.
    Opening scheduled tasks to modify or delete them:
    Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.
    To change the settings for a task: right-click the Task> click Properties> do any of the following:
    1. To change the schedule for the task, click the Schedule tab.
    2. To customize the settings for the task, such as the maximum run time, idle time requirements, and power management options, click the Settings tab.
    3. To delete a task> right-click the task> click Delete.
    4. To prevent a task from running until you want to let it run again> right-click the task> Properties> On the General tab> clear the Enabled check box. Select the check box again to enable the task when you are ready to let the task scheduler run it again.

    Suggest deleting these tasks:
    RealUpgradeScheduledTask
    RealUpgradeLogonTask
    VersionCheck.job
    c:\documents and settings\All Users\Application Data\WSTB\drv8.0.3.exe> radio station
    These last 2 are part of the NCH Software for "Video Converter, Capture Streaming Video, Video Broadcast Software and more..."
    videopadSevenDaysInit.
    videopadShakeIcon


    Maintenance scheduled tasks are a separate category.
    ====================================
    One more scan after this and you should be okay.
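The Scheduled Tasks review in the reply above, done from the command line so that every task and what it actually runs is on one screen. This is an added example and not part of the original reply. It assumes schtasks.exe (present on XP Professional and later) and PowerShell 2.0 or later; the folder markers used to flag a task and the function names are my own choices, not anything from the thread, and the delete and disable functions do nothing unless -Force is passed.

```powershell
# Added example, not from the original thread: inventory scheduled tasks,
# flag the ones whose command points into a profile or data folder, and
# delete or disable a task by name only when asked.

function Get-TaskInventory {
    # schtasks /query /fo CSV /v prints one row per task with the command
    # in the 'Task To Run' column. Vista and later repeat the header row
    # once per task folder, so rows whose TaskName is literally 'TaskName'
    # are dropped. Column names below exist on XP and on Vista/7.
    schtasks /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |
        Select-Object TaskName, 'Task To Run', 'Schedule', 'Next Run Time',
                      'Scheduled Task State', 'Run As User'
}

function Find-SuspiciousTask {
    # Flag tasks that launch something from a user or data folder rather
    # than Program Files or Windows. An entry like the thread's
    # c:\documents and settings\All Users\Application Data\WSTB\drv8.0.3.exe
    # is what this catches; the marker list is an assumption, extend it.
    param([string[]]$Markers = @('\Application Data\', '\AppData\',
                                 '\Local Settings\', '\Temp\'))
    Get-TaskInventory | Where-Object {
        $cmd = $_.'Task To Run'
        $hit = $false
        foreach ($m in $Markers) {
            if ($cmd -and $cmd.IndexOf($m, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $hit = $true
            }
        }
        $hit
    }
}

function Remove-TaskByName {
    # Equivalent of right-click > Delete in the Scheduled Tasks folder.
    param([Parameter(Mandatory = $true)][string]$TaskName, [switch]$Force)
    if ($Force) {
        schtasks /delete /tn $TaskName /f
    } else {
        Write-Output "Would delete task '$TaskName' (re-run with -Force)"
    }
}

function Disable-TaskByName {
    # Equivalent of clearing the Enabled box on the General tab. The
    # /disable switch exists on Vista and later; on XP use the Properties
    # dialog as the reply describes.
    param([Parameter(Mandatory = $true)][string]$TaskName, [switch]$Force)
    if ($Force) {
        schtasks /change /tn $TaskName /disable
    } else {
        Write-Output "Would disable task '$TaskName' (re-run with -Force)"
    }
}

# Usage: review everything first, then act on the names you decide on.
Get-TaskInventory | Format-Table TaskName, 'Task To Run', Schedule -AutoSize
Find-SuspiciousTask | Format-Table TaskName, 'Task To Run' -AutoSize
# Remove-TaskByName -TaskName 'RealUpgradeScheduledTask' -Force
# Disable-TaskByName -TaskName 'VersionCheck' -Force
```

The inventory is worth saving to a file before deleting anything (pipe Get-TaskInventory to Export-Csv), since a task that was removed by mistake is easier to recreate from its recorded command and schedule than from memory. Maintenance tasks created by Windows itself show up in the same list and, as the reply notes, are a separate category to leave alone.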