TechSpot

Bamital virus infected explorer.exe and wininit

By Coremack
Feb 18, 2011
  1. Hello there! I've recently been cleansing my HP laptop (running Vista, 32-bit) after noticing that weird things were going on. I ran avast! and instantly a BSOD popped up, and I haven't been able to boot my computer normally ever since (even Safe Mode with Networking has issues). I was finally able to run HouseCall and it discovered the Bamital that had infected explorer.exe and wininit. I tried to also install HijackThis, but I believe the virus is preventing this, along with any changes to the registry. I've been trying to browse the internet in Safe Mode, which has been working decently, though I get redirected to a lot of random "anti-virus" sites and I also get a pop-up quite often saying something along the lines that Windows is running into errors and will reboot in 1 minute (which it does).

    I haven't followed other people's threads for step by step guides on how to fix this. Wouldn't want unpredictable results. Help with this issue would be greatly appreciated, as my computer is basically useless till this is fixed.

    Thanks in advance.

    LOGS


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5774

    Windows 6.0.6002 Service Pack 2 (Safe Mode)
    Internet Explorer 8.0.6001.19019

    16/02/2011 8:41:46 PM
    mbam-log-2011-02-16 (20-41-46).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 747729
    Time elapsed: 2 hour(s), 48 minute(s), 9 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 22
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 23

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\CE8SIIFGSU (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lvifiejlq+ (Malware.Packer.Gen) -> Value: Lvifiejlq+ -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lvifiejlq+ (Malware.Packer.Gen) -> Value: Lvifiejlq+ -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lvifiejlqe (Malware.Packer.Gen) -> Value: Lvifiejlqe -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lvifiejlqe (Malware.Packer.Gen) -> Value: Lvifiejlqe -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lvifiejlotc (Malware.Packer.Gen) -> Value: Lvifiejlotc -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lvifiejlotc (Malware.Packer.Gen) -> Value: Lvifiejlotc -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lvifiejlqse (Malware.Packer.Gen) -> Value: Lvifiejlqse -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lvifiejlqse (Malware.Packer.Gen) -> Value: Lvifiejlqse -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lvifiejloc (Malware.Packer.Gen) -> Value: Lvifiejloc -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lvifiejloc (Malware.Packer.Gen) -> Value: Lvifiejloc -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mquvc (Malware.Packer.Gen) -> Value: Mquvc -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mquvc (Malware.Packer.Gen) -> Value: Mquvc -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lvifiejlna (Malware.Packer.Gen) -> Value: Lvifiejlna -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Lvifiejlna (Malware.Packer.Gen) -> Value: Lvifiejlna -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqsZ (Malware.Packer.Gen) -> Value: MqsZ -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MqsZ (Malware.Packer.Gen) -> Value: MqsZ -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mqva (Malware.Packer.Gen) -> Value: Mqva -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mqva (Malware.Packer.Gen) -> Value: Mqva -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CE8SIIFGSU (Trojan.Agent) -> Value: CE8SIIFGSU -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\eKoPcHa15400 (Rogue.Palladium) -> Value: eKoPcHa15400 -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Value: idstrf -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Value: NoFolderOptions -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (PUM.Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\Users\User\AppData\Local\Temp\win32.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Local\Temp\setup.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Local\Temp\hexdump.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Local\Temp\winlogon.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Local\Temp\avp.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    c:\Windows\setup.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Local\Temp\login.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    c:\Windows\mdm.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    c:\Windows\win.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Local\Temp\Jv3.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\programdata\ekopcha15400\ekopcha15400.exe (Rogue.Palladium) -> Quarantined and deleted successfully.
    c:\Users\Guest\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\gepyx.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Local\Temp\1492202684.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Local\Temp\Jv1.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Local\Temp\Jv2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Local\Temp\Jv4.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Local\Temp\Jv5.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Local\Temp\Jv6.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Local\Temp\Jvz.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Roaming\Akcyi\wiba.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
    c:\Users\User\AppData\Roaming\microsoft\Windows\start menu\Programs\Startup\gywob.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.
    c:\Users\User\documents\downloads\nightly.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    c:\Windows\Jnujaa.exe (Trojan.Agent) -> Quarantined and deleted successfully.



    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-02-18 16:52:51
    Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.BBFO
    Running: 7oie0lhx.exe; Driver: C:\Users\User\AppData\Local\Temp\ufldqpow.sys


    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 86B6CB80

    AttachedDevice \Driver\tdx \Device\Tcp aswRdr.SYS (avast! TDI RDR Driver/ALWIL Software)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 kbdcap.SYS
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

    ---- Services - GMER 1.0.15 ----

    Service (*** hidden *** ) [BOOT] basia <-- ROOTKIT !!!

    ---- EOF - GMER 1.0.15 ----
     
  2. Bobbye

    Welcome to TechSpot! Stop browsing the internet in Safe Mode! When you use Safe Mode with Networking, the security programs don't run, so you have an unprotected system. And the system is already badly infected.

    How did you download and run Malwarebytes and GMER? You are going to need a flash drive (a clean flash drive) to download the following and then install them on the problem system:

    While I don't want you to follow instructions given to others for removing malware, I would like for you to do as much of these steps as you can: Preliminary Virus and Malware Removal thread HERE.

    Go ahead and update, then rescan with Malwarebytes. You can skip GMER, but the 2 logs from DDS will help me see what's running.
    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     