I believe that it's Win32:Bamital-X

SystemLook 04.09.10 by jpshortstuff
Log created at 13:06 on 20/09/2010 by Administrator
Administrator - Elevation successful

========== filefind ==========

Searching for "winlogon.exe"
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [16:16 25/04/2008] [12:00 14/04/2008] 6BA2B344AD063BB35ADA1D33EFF8FA2B

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [16:16 25/04/2008] [12:00 14/04/2008] 9AB873E5C3DE27BCDEA5343EA6EA95CB

-= EOF =-
 
Winlog:

Antivirus Version Last Update Result
AhnLab-V3 2010.09.22.00 2010.09.22 Win-Trojan/Patched.BT
AntiVir 8.2.4.60 2010.09.22 -
Antiy-AVL 2.0.3.7 2010.09.22 Trojan/Win32.Patched.gen
Authentium 5.2.0.5 2010.09.22 W32/Patched.B
Avast 4.8.1351.0 2010.09.22 -
Avast5 5.0.594.0 2010.09.22 Win32:Bamital-X
AVG 9.0.0.851 2010.09.23 Win32/Patched.FM
BitDefender 7.2 2010.09.23 Win32.Loader.O
CAT-QuickHeal 11.00 2010.09.21 Trojan.Patched.JW
ClamAV 0.96.2.0-git 2010.09.22 Trojan.Patched-148
Comodo 6166 2010.09.22 TrojWare.Win32.Patched.kl
DrWeb 5.0.2.03300 2010.09.23 Win32.Dat.3
eSafe 7.0.17.0 2010.09.21 Win32.Loader.O
eTrust-Vet 36.1.7871 2010.09.22 Win32/Patcher.F
F-Prot 4.6.2.117 2010.09.22 W32/Patched.B
F-Secure 9.0.15370.0 2010.09.22 Win32.Loader.O
Fortinet 4.1.143.0 2010.09.22 -
GData 21 2010.09.23 Win32.Loader.O
Ikarus T3.1.1.88.0 2010.09.22 Trojan.Win32.Patched
Jiangmin 13.0.900 2010.09.21 TrojanDownloader.Small.asus
K7AntiVirus 9.63.2582 2010.09.22 Virus
Kaspersky 7.0.0.125 2010.09.23 Trojan.Win32.Patched.kl
McAfee 5.400.0.1158 2010.09.22 -
McAfee-GW-Edition 2010.1C 2010.09.22 -
Microsoft 1.6201 2010.09.22 Virus:Win32/Bamital.C
NOD32 5471 2010.09.22 Win32/Bamital.DX
Norman 6.06.06 2010.09.22 W32/Patched.Q
nProtect 2010-09-22.02 2010.09.22 Trojan/W32.Bamital
Panda 10.0.2.7 2010.09.22 W32/Patched.AC
PCTools 7.0.3.5 2010.09.22 Trojan.Bamital
Prevx 3.0 2010.09.23 -
Rising 22.66.00.07 2010.09.21 Trojan.Win32.Generic.5222CCBB
Sophos 4.57.0 2010.09.22 Troj/Patched-O
Sunbelt 6912 2010.09.22 Trojan.Win32.Generic!BT
SUPERAntiSpyware 4.40.0.1006 2010.09.23 -
Symantec 20101.1.1.7 2010.09.22 Trojan.Bamital!inf
TheHacker 6.7.0.0.027 2010.09.21 -
TrendMicro 9.120.0.1004 2010.09.22 PE_PATCHED.AM
TrendMicro-HouseCall 9.120.0.1004 2010.09.23 PE_PATCHED.AM
VBA32 3.12.14.1 2010.09.22 Trojan.Patched.kl
ViRobot 2010.8.31.4017 2010.09.22 Win32.Patched.AF
VirusBuster 12.65.20.1 2010.09.22 -
Additional information
MD5 : 6ba2b344ad063bb35ada1d33eff8fa2b
SHA1 : cbebd2dfef87a87274c2d2dce7075e8d01d8198b
SHA256: 09dca849d31d55648f1694fdc0dac327027b4b109f93e99ff837368a48112aab
 
Explorer.exe

Antivirus Version Last Update Result
AhnLab-V3 2010.09.22.00 2010.09.22 Win-Trojan/Patched.BT
AntiVir 8.2.4.60 2010.09.22 -
Antiy-AVL 2.0.3.7 2010.09.22 Trojan/Win32.Patched.gen
Authentium 5.2.0.5 2010.09.22 W32/Patched.B
Avast 4.8.1351.0 2010.09.22 -
Avast5 5.0.594.0 2010.09.22 Win32:Bamital-X
AVG 9.0.0.851 2010.09.23 Win32/Patched.FL
BitDefender 7.2 2010.09.23 Win32.Loader.O
CAT-QuickHeal 11.00 2010.09.21 Trojan.Patched.JW
ClamAV 0.96.2.0-git 2010.09.22 Trojan.Patched-149
Comodo 6166 2010.09.22 TrojWare.Win32.Patched.kl
DrWeb 5.0.2.03300 2010.09.23 Win32.Dat.3
Emsisoft 5.0.0.37 2010.09.22 Virus.Win32.Bamital!IK
eSafe 7.0.17.0 2010.09.21 Win32.Loader.O
eTrust-Vet 36.1.7871 2010.09.22 Win32/Patcher.F
F-Prot 4.6.2.117 2010.09.22 W32/Patched.B
F-Secure 9.0.15370.0 2010.09.22 Win32.Loader.O
Fortinet 4.1.143.0 2010.09.22 -
GData 21 2010.09.23 Win32.Loader.O
Ikarus T3.1.1.88.0 2010.09.22 Virus.Win32.Bamital
Jiangmin 13.0.900 2010.09.21 -
K7AntiVirus 9.63.2582 2010.09.22 Virus
Kaspersky 7.0.0.125 2010.09.23 Trojan.Win32.Patched.kl
McAfee 5.400.0.1158 2010.09.22 -
McAfee-GW-Edition 2010.1C 2010.09.22 -
Microsoft 1.6201 2010.09.22 Virus:Win32/Bamital.C
NOD32 5471 2010.09.22 Win32/Bamital.DX
Norman 6.06.06 2010.09.22 W32/Patched.Q
nProtect 2010-09-22.02 2010.09.22 Trojan/W32.Bamital
Panda 10.0.2.7 2010.09.22 W32/Patched.AC
PCTools 7.0.3.5 2010.09.22 Trojan.Bamital
Prevx 3.0 2010.09.23 -
Rising 22.66.00.07 2010.09.21 Trojan.Win32.Generic.522811B8
Sophos 4.57.0 2010.09.22 Troj/Patched-O
Sunbelt 6912 2010.09.22 Virus.Win32.Bamital.c (v)
SUPERAntiSpyware 4.40.0.1006 2010.09.23 -
Symantec 20101.1.1.7 2010.09.22 Trojan.Bamital!inf
TheHacker 6.7.0.0.027 2010.09.21 -
TrendMicro 9.120.0.1004 2010.09.22 PE_PATCHED.AM
TrendMicro-HouseCall 9.120.0.1004 2010.09.23 PE_PATCHED.AM
VBA32 3.12.14.1 2010.09.22 Trojan.Patched.kl
ViRobot 2010.8.31.4017 2010.09.22 Win32.Patched.AF
VirusBuster 12.65.20.1 2010.09.22 -
Additional information
MD5 : 9ab873e5c3de27bcdea5343ea6ea95cb
SHA1 : 67d39b2553ca272f277d95239c68c56e1b07d5f0
SHA256: 16f37a7c2146c6789dbceddd7cd0af36d331fd726073125b3979369460c938c9
 
OK, apparently the infection will not allow us to replace those two files in the normal way.

Please go back to my reply #17 and repeat the following process:
Download zipped explorer.exe and winlogon.exe files from HERE

Unzip both files and copy both of them to your C:\ folder.

Now...

Restart computer
When you reboot you will see an option to boot into the Recovery Console or the normal Windows installation.
You have to use the up/down arrows to choose the Recovery Console. Then press Enter but you only have 2 seconds by default.

(If you find this hard to do then you can go into Control Panel, System, Advanced, Startup and Recovery, Settings. Where it says Time to Display List of Operating Systems, change it to 10 or more seconds. OK Then reboot.)

You must enter which Windows installation to log onto. Type 1 and press enter.

It will then prompt you for the Administrator's password. If there is no password, simply press Enter.

You should get a black screen with a C:\>Windows prompt.

xp_src_console.gif



Type the bolded text below, pressing Enter after each line:

copy C:\winlogon.exe C:\WINDOWS\system32\winlogon.exe (<---- watch for "spaces")

(If it asks you if you are sure then say "Y".)

copy C:\explorer.exe C:\WINDOWS\explorer.exe

Reboot computer.

Post new SystemLook log.
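As an added example (not code from this thread, from SystemLook, or from VirusTotal), the Python script below automates the check the helper made above: it parses the SystemLook filefind lines, ties each on-disk MD5 to its multi-engine report, counts detections and the family keywords in the verdicts, and builds the Recovery Console copy lines needed to restore each flagged file from a clean copy unzipped into C:\. The filefind lines are copied from the log posted above; the AV rows are a constructed subset (six engines per file) of the tables posted above; the 50% detection threshold and the C:\ staging directory are assumptions.

```python
import re
from dataclasses import dataclass

# Copied from the thread's SystemLook "filefind" section.
SYSTEMLOOK_LOG = r"""
========== filefind ==========

Searching for "winlogon.exe"
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [16:16 25/04/2008] [12:00 14/04/2008] 6BA2B344AD063BB35ADA1D33EFF8FA2B

Searching for "explorer.exe"
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [16:16 25/04/2008] [12:00 14/04/2008] 9AB873E5C3DE27BCDEA5343EA6EA95CB

-= EOF =-
"""

# Multi-engine results keyed by sample MD5: a constructed subset of the rows
# posted in the thread (six engines per file, not the full table).
AV_REPORTS = {
    "6ba2b344ad063bb35ada1d33eff8fa2b": """
Antivirus Version Last Update Result
AhnLab-V3 2010.09.22.00 2010.09.22 Win-Trojan/Patched.BT
AntiVir 8.2.4.60 2010.09.22 -
Avast5 5.0.594.0 2010.09.22 Win32:Bamital-X
Kaspersky 7.0.0.125 2010.09.23 Trojan.Win32.Patched.kl
McAfee 5.400.0.1158 2010.09.22 -
Microsoft 1.6201 2010.09.22 Virus:Win32/Bamital.C
""",
    "9ab873e5c3de27bcdea5343ea6ea95cb": """
Antivirus Version Last Update Result
AhnLab-V3 2010.09.22.00 2010.09.22 Win-Trojan/Patched.BT
AntiVir 8.2.4.60 2010.09.22 -
Avast5 5.0.594.0 2010.09.22 Win32:Bamital-X
Microsoft 1.6201 2010.09.22 Virus:Win32/Bamital.C
Sunbelt 6912 2010.09.22 Virus.Win32.Bamital.c (v)
VirusBuster 12.65.20.1 2010.09.22 -
""",
}

# path, 7-char attribute field, size, [modified] [created], MD5
FILEFIND_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-zA-Z]{7})\s+(?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class FileHit:
    path: str
    size: int
    modified: str
    created: str
    md5: str  # lower-case hex, so it can be used as a lookup key


def parse_filefind(log: str) -> list[FileHit]:
    """Extract every file line from a SystemLook filefind section."""
    hits = []
    for line in log.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            hits.append(FileHit(m["path"], int(m["size"]), m["modified"],
                                m["created"], m["md5"].lower()))
    return hits


def parse_av_table(text: str) -> dict[str, str]:
    """Map engine name -> verdict; '-' means the engine reported nothing."""
    results = {}
    for line in text.splitlines():
        parts = line.split(None, 3)  # verdict may itself contain spaces
        if len(parts) < 4 or parts[0] == "Antivirus":
            continue  # blank line or the column header row
        engine, _version, _updated, verdict = parts
        results[engine] = verdict.strip()
    return results


def detection_summary(results: dict[str, str]) -> tuple[int, int, set[str]]:
    """Return (detections, engines, family keywords seen in the verdicts)."""
    verdicts = [v for v in results.values() if v != "-"]
    families = {kw for v in verdicts for kw in ("bamital", "patched", "patcher")
                if kw in v.lower()}
    return len(verdicts), len(results), families


def files_to_restore(log: str, reports: dict[str, str],
                     min_ratio: float = 0.5) -> list[FileHit]:
    """Files whose on-disk MD5 has a report with enough engines detecting it.

    Keying on the MD5 ties the verdict to the exact bytes SystemLook saw, so a
    file that has already been replaced (new hash) is not flagged again.
    """
    flagged = []
    for hit in parse_filefind(log):
        table = reports.get(hit.md5)
        if table is None:
            continue
        detected, total, _ = detection_summary(parse_av_table(table))
        if total and detected / total >= min_ratio:
            flagged.append(hit)
    return flagged


def recovery_console_commands(hits: list[FileHit], staging_dir: str = "C:\\") -> list[str]:
    """Build 'copy <clean copy> <infected path>' lines for the XP Recovery Console.

    Assumes the clean copies were unzipped into staging_dir under their
    original file names, as the thread's instructions direct.
    """
    return [f"copy {staging_dir}{hit.path.rsplit(chr(92), 1)[-1]} {hit.path}" for hit in hits]


if __name__ == "__main__":
    flagged = files_to_restore(SYSTEMLOOK_LOG, AV_REPORTS)
    for hit in flagged:
        d, t, fam = detection_summary(parse_av_table(AV_REPORTS[hit.md5]))
        print(f"{hit.path}: {d}/{t} engines, families={sorted(fam)}")
    print("\n".join(recovery_console_commands(flagged)))
```

Keying the verdict on the hash rather than on the file name is the point of the cross-check: a system file with a healthy hash is not scheduled for replacement just because its name appears in an earlier report, and a copy that failed silently (same old hash after reboot) shows up again in the next SystemLook log.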
 