Solved 8-Steps done, logs attached

[hellokitty[hk]]

Hello, I've got an infected computer here.
Avira and malwarebyte's have come up clean, but I'm still getting redirects.
consistently finds:
C:\WINDOWS\explorer.exe | Thread: Win32:Bamital-X | ERROR: The specific file is read only (6009)
C:\Windows\system32\winlogon.exe | Threat: Win32:Bamital-X | ERROR: The specific file is read only (6009)
C:\WINDOWS\explorer.exe | Thread: Win32:Bamital-X | ERROR: The specific file is read only (6009)
C:\Windows\system32\winlogon.exe | Threat: Win32:Bamital-X | ERROR: The specific file is read only (6009)

It errors like so with both delete and move to chest. Under repair, they all get an Error: The process cannot access the file because it is being used by another process (32)

 

[Broni]

Yep, we have a rootkit here (so far)....

Download TDSSKiller and save it to your desktop.

• Extract (unzip) its contents to your desktop.
• Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
• If an infected file is detected, the default action will be Cure, click on Continue.
• If a suspicious file is detected, the default action will be Skip, click on Continue.
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
• If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

 

[hellokitty[hk]]

Alright, thanks a lot.

 

[Broni]

I need to see, if it worked.
Re-run TDSSKiller and post new log.

 

[hellokitty[hk]]

Nothing, heres the log if you would like to see.

 

[Broni]

Good

I'm sure, we still have issues. Bamital trojan is a nasty one.

1. Delete your GMER, download fresh file, run it and post new log.

2. Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE. If Combofix asks you to install Recovery Console, please allow it.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[hellokitty[hk]]

Ok, done with logs.
Haven't noticed any redirects so far, but I haven't really tried much.

 

[Broni]

GMER log looks good


1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Folder::
c:\documents and settings\Anson\Local Settings\Application Data\uvtaqwxba

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>

3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt

 

[hellokitty[hk]]

Combofix done, logs attached.

 

[Broni]

I'm still little bit concerned about two crucial Windows files, so we'll scan them.

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload following files to http://www.virustotal.com/ for security check:
- c:\windows\system32\winlogon.exe
- c:\windows\explorer.exe
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.

 

[hellokitty[hk]]

http://www.virustotal.com/file-scan...56038a0d09c6e5a3e6862c5e26885ef455-1283649696
http://www.virustotal.com/file-scan...7dbf7199117afb3652ebf100d5f0429b1e-1283649879
If those links don't work, its coming up clean.

 

[Broni]

Good. I'm happy

How is computer doing?

Download OTL to your Desktop.

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Under the Custom Scan box paste this in:

netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[hellokitty[hk]]

Computer seems fine, its been fine for about a week, aside from redirects.

 

[Broni]

Are you saying, you're still getting redirected?
If so, which browser?

 

[hellokitty[hk]]

No, not since TDSSKiller.

 

[Broni]

Ahhh....you scared me

You're running two AV programs, Avast and Avira.
One of them has to go.

=====================================================================

Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.

=========================================================================

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
  O4 - HKCU..\RunOnce: [Shockwave Updater] C:\WINDOWS\System32\Adobe\SHOCKW~1\SWHELP~1.EXE -Update -1100465 -Mozilla\5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit\530.1 (KHTML, like Gecko) Chrome\2.0.169.1 Safari\530.1 - File not found
  O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
  O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
  O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
  [6 C:\Documents and Settings\All Users\*.tmp files -> C:\Documents and Settings\All Users\*.tmp -> ]
  [2008/11/27 00:07:54 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
  @Alternate Data Stream - 487 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:05EE1EEF
  @Alternate Data Stream - 146 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:6DFF1A8A
  
  
  :Services
  
  :Reg
  
  :Files
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

 

[hellokitty[hk]]

Avira's gone, kept AVAST. So is JQS.exe, didn't know you could turn it off.

 

[Broni]

Good

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

2. Download Temp File Cleaner (TFC)

• Double click on TFC.exe to run the program.
• Click on Start button to begin cleaning process.
• TFC will close all running programs, and it may ask you to restart computer.

3. Go to Kaspersky website and perform an online antivirus scan.

• Disable your active antivirus program.
• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  
  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

 

[hellokitty[hk]]

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, September 6, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, September 06, 2010 01:44:32
Records in database: 4193067
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
I:\

Scan statistics:
Objects scanned: 339897
Threats found: 9
Infected objects found: 42
Suspicious objects found: 0
Scan duration: 08:11:17


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir Infected: Trojan.Win32.Patched.kl 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir Infected: Trojan.Win32.Patched.kl 1
C:\System Volume Information\_restore{9B9B2D1D-E46D-4DA8-BF21-A0DC8436EF7F}\RP13\A0003957.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 1
C:\System Volume Information\_restore{9B9B2D1D-E46D-4DA8-BF21-A0DC8436EF7F}\RP13\A0003958.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 1
C:\System Volume Information\_restore{9B9B2D1D-E46D-4DA8-BF21-A0DC8436EF7F}\RP13\A0004126.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ac 1
C:\System Volume Information\_restore{9B9B2D1D-E46D-4DA8-BF21-A0DC8436EF7F}\RP13\A0004366.exe Infected: not-a-virus:RiskTool.Win32.MBRFix.a 1
C:\System Volume Information\_restore{9B9B2D1D-E46D-4DA8-BF21-A0DC8436EF7F}\RP13\A0004810.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\System Volume Information\_restore{9B9B2D1D-E46D-4DA8-BF21-A0DC8436EF7F}\RP13\A0004812.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
C:\System Volume Information\_restore{9B9B2D1D-E46D-4DA8-BF21-A0DC8436EF7F}\RP40\A0018765.exe Infected: Trojan.Win32.Patched.kl 1
C:\System Volume Information\_restore{9B9B2D1D-E46D-4DA8-BF21-A0DC8436EF7F}\RP40\A0019830.exe Infected: Trojan.Win32.Patched.kl 1
C:\System Volume Information\_restore{9B9B2D1D-E46D-4DA8-BF21-A0DC8436EF7F}\RP40\A0019832.exe Infected: Trojan.Win32.Patched.kl 1
I:\Documents and Settings\Anson\My Documents\WTF\PROGRAM\chaos.zip Infected: Trojan-Downloader.Win32.Adload.rsc 1
I:\Documents and Settings\Anson\My Documents\WTF\PROGRAM\Chaoslauncher.zip Infected: Trojan-Downloader.Win32.Adload.rsc 1
I:\Documents and Settings\Anson\My Documents\WTF\PROGRAM\Starcraft\APMAlert.bwl Infected: Trojan-Downloader.Win32.Adload.rsc 1
I:\Documents and Settings\Anson\My Documents\WTF\PROGRAM\Starcraft\Logos' StarCraft CD KEY-NUMBER Grabber for 1.16.0.exe Infected: P2P-Worm.Win32.Darby.v 1
I:\Documents and Settings\Anson\My Documents\WTF\Programs\Crossloop\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
I:\Documents and Settings\Anson\My Documents\WTF\Programs\Crossloop\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
I:\Documents and Settings\Anson\My Documents\WTF\Programs\mbrfix\MbrFix.exe Infected: not-a-virus:RiskTool.Win32.MBRFix.a 1
I:\Documents and Settings\Anson\My Documents\WTF\Programs\ultravnc\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ac 1
I:\Documents and Settings\Anson\My Documents\WTF\Programs\vncserver\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 1
I:\Documents and Settings\Anson\My Documents\WTF\Programs\vncserver\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 1
I:\Downloads\Logos_StarCraft_CD_KEY_NUMBER_Grabber_for_1_16_0.zip Infected: P2P-Worm.Win32.Darby.v 1
I:\Downloads\setupWin32_BigSol3D_1.4\setup.exe Infected: Hoax.Win32.Agent.of 1
I:\Downloads\setupWin32_BigSol3D_1.4.zip Infected: Hoax.Win32.Agent.of 1
I:\Downloads\UBCD4WinV350.exe Infected: not-a-virus:RiskTool.Win32.MBRFix.a 1
I:\Downloads\UBCD4WinV350.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
I:\Downloads\UBCD4WinV350.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
I:\Program Files\Starcraft\APMAlert.bwl Infected: Trojan-Downloader.Win32.Adload.rsc 1
I:\Program Files\Starcraft\Logos' StarCraft CD KEY-NUMBER Grabber for 1.16.0.exe Infected: P2P-Worm.Win32.Darby.v 1
I:\UBCD4Win\BartPE\PROGRAMS\Crossloop\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
I:\UBCD4Win\BartPE\PROGRAMS\Crossloop\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
I:\UBCD4Win\BartPE\PROGRAMS\mbrfix\MbrFix.exe Infected: not-a-virus:RiskTool.Win32.MBRFix.a 1
I:\UBCD4Win\BartPE\PROGRAMS\ultravnc\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ac 1
I:\UBCD4Win\BartPE\PROGRAMS\vncserver\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 1
I:\UBCD4Win\BartPE\PROGRAMS\vncserver\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 1
I:\UBCD4Win\plugin\Disk\Partition\MbrFix\MbrFix.exe Infected: not-a-virus:RiskTool.Win32.MBRFix.a 1
I:\UBCD4Win\plugin\Network\CrossLoop\files\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
I:\UBCD4Win\plugin\Network\CrossLoop\files\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h 1
I:\UBCD4Win\plugin\Network\ultravnc\files\sfx\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ac 1
I:\UBCD4Win\plugin\Network\ultravnc\files\winvnc.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ac 1
I:\UBCD4Win\plugin\Network\VNCServer\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 1
I:\UBCD4Win\plugin\Network\VNCServer\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 1

Selected area has been scanned.


Eh...I believe everything listed on the I:\ drive is a false positive...

 

[Broni]

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  
  :Services
  
  :Reg
  
  :Files
  I:\Documents and Settings\Anson\My Documents\WTF\PROGRAM\chaos.zip 
  I:\Documents and Settings\Anson\My Documents\WTF\PROGRAM\Chaoslauncher.zip 
  I:\Documents and Settings\Anson\My Documents\WTF\PROGRAM\Starcraft\APMAlert.bwl 
  I:\Documents and Settings\Anson\My Documents\WTF\PROGRAM\Starcraft\Logos' StarCraft CD KEY-NUMBER Grabber for 1.16.0.exe
  I:\Downloads\Logos_StarCraft_CD_KEY_NUMBER_Grabber_for_1_16_0.zip 
  I:\Downloads\setupWin32_BigSol3D_1.4\setup.exe 
  I:\Downloads\setupWin32_BigSol3D_1.4.zip
  I:\Program Files\Starcraft\APMAlert.bwl 
  I:\Program Files\Starcraft\Logos' StarCraft CD KEY-NUMBER Grabber for 1.16.0.exe
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.

======================================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• Post resulting log.

2. Now, we'll remove all tools, we used during our cleaning process

Clean up with OTL:

• Double-click OTL.exe to start the program.
• Close all other programs apart from OTL as this step will require a reboot
• On the OTL main screen, press the CLEANUP button
• Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure, Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. Run defrag at your convenience.

11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

12. Please, let me know, how is your computer doing.

 

[hellokitty[hk]]

But really...my friend helped programmed chaos loader along with ICCUP anti-hack...

 

[hellokitty[hk]]

Computer is running great, installing updates now.
Thanks very much!

 

[Broni]

Way to go!!

Good luck and stay safe