Solved Infected with Bamital-w or something similar (Google redirect again... I guess)

Status
Not open for further replies.
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Vista users:: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code:
    :filefind
    hlp.dat
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 21:33 on 16/08/2010 by KJI (Administrator - Elevation successful)

========== filefind ==========

Searching for "hlp.dat"
C:\Windows\System32\hlp.dat --a--- 33797 bytes [23:24 13/07/2009] [01:16 14/07/2009] FFBEC1D0200755D3750BAF897930806A

-=End Of File=-

Also, I reran malwarebytes' and had 1 infected registry entry again:

Registry Keys Infected:
HKEY_CURRENT_USER\Software\WinServers (Malware.Trace) -> Quarantined and deleted successfully.
 
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    
    :Services
    
    :Reg
    
    :Files
    C:\Windows\System32\hlp.dat
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
 
Okay. Hopefully it doesn't cause a BSoD, which I've read happened to other people when removing it.
 
All processes killed
========== OTL ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File move failed. C:\Windows\System32\hlp.dat scheduled to be moved on reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: KJI
->Temp folder emptied: 1966688 bytes
->Temporary Internet Files folder emptied: 2529886 bytes
->Java cache emptied: 29626 bytes
->FireFox cache emptied: 0 bytes
->Google Chrome cache emptied: 31311654 bytes
->Apple Safari cache emptied: 0 bytes
->Opera cache emptied: 1312703 bytes
->Flash cache emptied: 3682 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2048 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 1295490 bytes

Total Files Cleaned = 37.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: KJI
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.9.1 log created on 08162010_215718

Files\Folders moved on Reboot...
File move failed. C:\Windows\System32\hlp.dat scheduled to be moved on reboot.

Registry entries deleted on Reboot...
 
SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 22:19 on 16/08/2010 by KJI (Administrator - Elevation successful)

========== filefind ==========

Searching for "hlp.dat"
C:\Windows\System32\hlp.dat --a--- 33797 bytes [23:24 13/07/2009] [01:16 14/07/2009] FFBEC1D0200755D3750BAF897930806A

-=End Of File=-
 
Stubborn sucker....

Update Malwarebytes and run FULL scan.
It may take a while and my bed time is coming, so we'll go back to it tomorrow.
 
It's still only finding that one thing:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4439

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

8/17/2010 2:02:40 PM
mbam-log-2010-08-17 (14-02-40).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 259455
Time elapsed: 1 hour(s), 6 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\WinServers (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Make sure, your Avast is up to date and run full scan.
Report on any findings.

This is very strange situation, because Bamital should be removable either by your AV, or MBAM.
 
Just made sure it was updated and did a full scan... no results found.

And yes, this is a strange situation. This has to be the most evasive malware of the few I've ever gotten. This particular strand is probably new too, as the only other results I could find on google that have only the same files as I do were posted in August, and didn't include a solution.
 
Well, we'll have to try to find it by hand...

The scan listed below may take a while. Be patient...

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Vista users:: Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box into the main textfield:
    Code:
    :filefind
    user32.dll
    ws2_32.dll
    ws2help.dll
    hlp.dat
    memory.tmp 
    explorer.dat 
    winlogon.dat 
    
    
    folderfind:
    Windows Server
    
    
    :reg
    HKCU\Software /s
    HKLM\SYSTEM\CurrentControlSet\Services\sr\Parameters /s
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /s
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
-link removed

I edited out a few usernames and other info...

Also, when I just tried to open Opera, avast detected it was Bamital-X and moved it to the virus chest. An update for avast just came out 6 hours ago, so I might try scanning the system again to see if it finds anything.
 
Well, I think the scan fixed the problem... in a roundabout way.

It found 3 files infected by Bamital-X: iexplorer.exe, wininit.exe, and firefox.exe. It tried to delete all of them, but couldn't delete any (permission denied/error). It caught wininit.exe again while I was checking to see if I could change permissions on it, and tried to delete it which caused a BSoD.

After a restart with another BSoD (from the start) Windows asked to do a "Startup Repair." It asked if I wanted to do a system restore, and I chose no thinking it might restore to a point with the virus. Eventually it restarted.

wininit.exe and iexplorer.exe seem to be replaced with non infected versions, hlp.dat is gone, and firefox.exe was caught and deleted after I manually deleted it.

Right now I'm doing a second scan with avast to make sure nothing else comes up.

Google links are also now working on IE, the only of the three browsers I can check on right now.
 
Wow! That's quite a journey, but with a positive ending :)

Let me know, when you're done, so we can run final steps.
Probably tomorrow...
 
Cool :)

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Go to Kaspersky website and perform an online antivirus scan.

  • Disable your active antivirus program.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
Here are the logs:

Results of screen317's Security Check version 0.99.5
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Free Antivirus
ESET Online Scanner v3
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
CCleaner
Java(TM) 6 Update 21
Adobe Flash Player 10.1.82.76
Adobe Reader 9.3.3
Japanese Fonts Support For Adobe Reader 9
````````````````````````````````
Process Check:
objlist.exe by Laurent

Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 AvastUI.exe
````````````````````````````````
DNS Vulnerability Check:

Request Timed Out (Wireless Internet connection/Disconnected Internet/Proxy?)

``````````End of Log````````````



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, August 19, 2010
Operating system: Microsoft Professional (build 7600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, August 19, 2010 02:51:31
Records in database: 4135588
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 139409
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 04:18:52


File name / Threat / Threats count
winampa.exe\winampa.exe/winampa.exe\winampa.exe Infected: Worm.Win32.Qvod.anx 1

Selected area has been scanned.
 
OK, we scanned that file already, so no worries :)

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

=======================================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure, Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure, you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

8. Run Temporary File Cleaner (TFC) weekly.

9. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

11. Run defrag at your convenience.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please, let me know, how your computer is doing.
 
Cool
dancing_dude.gif

Good luck and stay safe :)
 
Status
Not open for further replies.
Back