Solved Win32:Bamital-X in computer. Can't make it go away.

[eraserboy]

Alright. Somehow I got a nasty bug on my computer. After scanning with AVG (found nothing) and Avast, I found that I had two viruses. They seem to be the same thing, and located at explorer.exe. This virus then tried to do something to my computer, which Avast alerted me to. It said the threat was blocked and that it was named Win32:Bamital-X.

I have no idea what to do in order to get rid of this problem and I'm not sure whether these are my only viruses. I have tried AVG, Avast, and Malwarebytes to no avail. Can somebody please help guide me through getting rid of this problem? I followed the 8 step removal process and attached my logs to this thread.

*First post, I'm still trying to understand the forums.
**I am running Windows 7 64bit (Not sure if this matters or not)

Thank you to whomever can help me.

 

[Broni]

Welcome aboard

You can't run two AV programs. One of them has to go.
If AVG (preferably), use AVG Remover: http://www.avg.com/us-en/download-tools

=======================================================================

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

========================================================================

Download TDSSKiller and save it to your desktop.

• Extract (unzip) its contents to your desktop.
• Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
• If an infected file is detected, the default action will be Cure, click on Continue.
• If a suspicious file is detected, the default action will be Skip, click on Continue.
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
• If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

=====================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:



netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
/md5start
/md5stop
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs



* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[eraserboy]

I did everything you said and I am posting it like you wanted.

By the way, the AVG remover didn't seem to work. I would run it and it would get to a certain point and nothing would happen after that.

 

[Broni]

AVG remover didn't seem to work

We'll whack it manually.

TDSSKiller and MBRCheck logs look good

========================================================================

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
• Vista users:: Right click on SystemLook.exe, click Run As Administrator
• Copy the content of the following box into the main textfield:
  

  :filefind
  explorer.exe

• Click the Look button to start the scan.
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

========================================================================

Update your Java version here: http://www.java.com/en/download/installed.jsp

Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

Now, we need to remove old Java version and its remnants...

Download JavaRa to your desktop and unzip it to its own folder

• Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.

==========================================================================

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  PRC - [2010/07/23 08:52:19 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgemc.exe
  PRC - [2010/06/23 14:59:44 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe
  PRC - [2010/06/23 14:59:42 | 000,723,296 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgcsrvx.exe
  PRC - [2010/06/23 14:59:40 | 000,842,592 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files (x86)\AVG\AVG9\avgam.exe
  SRV - [2010/07/23 08:52:19 | 000,921,952 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG9\avgemc.exe -- (avg9emc)
  SRV - [2010/06/23 14:59:44 | 000,308,136 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files (x86)\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
  DRV:[b]64bit:[/b] - [2010/06/23 14:59:42 | 000,269,904 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Stop_Pending] -- C:\Windows\SysNative\drivers\avgldx64.sys -- (AvgLdx64)
  DRV:[b]64bit:[/b] - [2010/03/05 19:15:15 | 000,056,008 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\SysNative\drivers\avgrkx64.sys -- (AvgRkx64)
  IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>
  IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
  IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.ask.com/?o=13920&l=dis
  IE - HKCU\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll ()
  FF - prefs.js..extensions.enabledItems: avg@igeared:4.504.019.002
  FF - HKLM\software\mozilla\Firefox\Extensions\\avg@igeared: C:\Program Files (x86)\AVG\AVG9\Toolbar\Firefox\avg@igeared [2010/05/26 18:32:23 | 000,000,000 | ---D | M]
  FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files (x86)\AVG\AVG9\Firefox [2010/07/23 08:53:12 | 000,000,000 | ---D | M]
  O2:[b]64bit:[/b] - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssiea.dll (AVG Technologies CZ, s.r.o.)
  O2 - BHO: (AskBar BHO) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll File not found
  O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
  O2 - BHO: (AVG Security Toolbar BHO) - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll ()
  O3 - HKLM\..\Toolbar: (Ask Toolbar) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll File not found
  O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll ()
  O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {3041D03E-FD4B-44E0-B742-2D9B88305F98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll File not found
  O3 - HKCU\..\Toolbar\WebBrowser: (AVG Security Toolbar) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files (x86)\AVG\AVG9\Toolbar\IEToolbar.dll ()
  O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files (x86)\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
  O4 - HKLM..\Run: [UpdateLBPShortCut] c:\Program Files (x86)\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe File not found
  O4 - HKLM..\Run: [UpdateP2GoShortCut] c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe File not found
  O4 - HKLM..\Run: [UpdatePDIRShortCut] c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe File not found
  O4 - HKLM..\Run: [UpdatePSTShortCut] c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe File not found
  O4 - HKCU..\Run: [DAEMON Tools Lite] C:\Program Files (x86)\DAEMON Tools Lite\DTLite.exe File not found
  O4 - HKCU..\Run: [Google Update] C:\Users\home\AppData\Local\Google\Update\GoogleUpdate.exe File not found
  O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
  O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found
  O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found
  O18:[b]64bit:[/b] - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgppa.dll (AVG Technologies CZ, s.r.o.)
  O18:[b]64bit:[/b] - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
  O18:[b]64bit:[/b] - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
  O18:[b]64bit:[/b] - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
  O18:[b]64bit:[/b] - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - Reg Error: Key error. File not found
  O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
  O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll File not found
  O20:[b]64bit:[/b] - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
  O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
  O21:[b]64bit:[/b] - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
  O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
  O33 - MountPoints2\{73cf48db-b39a-11df-822e-aaa1f2f4ac95}\Shell - "" = AutoRun
  O33 - MountPoints2\{73cf48db-b39a-11df-822e-aaa1f2f4ac95}\Shell\AutoRun\command - "" = K:\AutoRun.exe -- File not found
  O33 - MountPoints2\{9d7671ee-554f-11de-b9aa-806e6f6e6963}\Shell - "" = AutoRun
  O33 - MountPoints2\{9d7671ee-554f-11de-b9aa-806e6f6e6963}\Shell\AutoRun\command - "" = E:\_AUTORUN\AUTORUN.EXE -- [1997/01/13 12:41:56 | 000,026,624 | R--- | M] (New World Computing)
  [2010/08/31 00:24:07 | 000,000,000 | ---D | C] -- C:\Users\home\AppData\Local\AVG Security Toolbar
  [2010/06/23 14:59:47 | 000,013,048 | ---- | C] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\avgrssta.dll
  [2010/08/31 08:57:46 | 064,052,916 | ---- | M] () -- C:\Windows\SysNative\drivers\Avg\incavi.avm
  [2010/06/23 14:59:48 | 000,317,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgtdia.sys
  [2010/06/23 14:59:47 | 000,013,048 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\avgrssta.dll
  [2010/06/23 14:59:42 | 000,269,904 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Windows\SysNative\drivers\avgldx64.sys
  
  
  :Services
  
  :Reg
  
  :Files
  C:\Program Files (x86)\AVG
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

 

[eraserboy]

I did as you said once again.

I was having problems with Java though. I could not update it and I could not reinstall it after using JavaRa. I keep getting the message "The Installer cannot proceed with the current internet connection settings." Not exactly sure what is meant by that.

Everything else you asked for should be attached.

By the way, I had a malware stopped by Avast saying that it came from not explorer.exe this time, but firefox.exe. So I'm assuming I have a fight on multiple fronts now?

 

[Broni]

I need you to post exact Avast message, you're getting, especially infected file location.


Please run a free online scan with the ESET Online Scanner

• Disable your antivirus program
• Tick the box next to YES, I accept the Terms of Use
• IMPORTANT! UN-check Remove found threats
• Click Start
• Accept any security warnings from your browser.
• Check Scan archives
• Click Start
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push List of found threats
• Push Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

 

[eraserboy]

I ran Eset and got the results. They are attached at the bottom.

The firefox.exe hasn't popped back up again so I'm not sure what to say to you about that message.

Is there any way you could be able to give me some sort of estimate about how badly my computer is doing? Scale of 1-10? Please?

 

[Broni]

Is there any way you could be able to give me some sort of estimate about how badly my computer is doing? Scale of 1-10? Please?

I have no idea, how I'd do this.
So far, MBAM found couple of trojans and one adware.
Eset found couple more trojans, which we're about to remove.

=====================================================================

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  
  :Services
  
  :Reg
  
  :Files
  C:\ProgramData\WildTangent\528821fe-58e4-439c-81de-49f36a16aa12-extr.exe	
  C:\Users\All Users\WildTangent\528821fe-58e4-439c-81de-49f36a16aa12-extr.exe
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.

===================================================================

Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.
Upload following files to http://www.virustotal.com/ for security check:
- C:\Windows\explorer.exe
- C:\Windows\System32\explorer.exe
- C:\Windows\SysWOW64\explorer.exe
IMPORTANT! If the file is listed as already analyzed, click on Reanalyse file now button.
Post scan results.

======================================================================

Update Avast, run full scan and report on any findings.

 

[eraserboy]

C:\Windows\explorer.exe Results

Antivirus Version Last update Result
AhnLab-V3 2010.08.29.00 2010.08.28 -
AntiVir 8.2.4.46 2010.08.29 -
Antiy-AVL 2.0.3.7 2010.08.26 -
Authentium 5.2.0.5 2010.08.29 -
Avast 4.8.1351.0 2010.08.29 -
Avast5 5.0.594.0 2010.08.29 Win32:Bamital-X
AVG 9.0.0.851 2010.08.29 -
BitDefender 7.2 2010.08.30 -
CAT-QuickHeal 11.00 2010.08.28 -
ClamAV 0.96.2.0-git 2010.08.30 -
Comodo 5903 2010.08.29 -
DrWeb 5.0.2.03300 2010.08.30 -
Emsisoft 5.0.0.37 2010.08.30 -
eSafe 7.0.17.0 2010.08.29 -
eTrust-Vet 36.1.7823 2010.08.27 -
F-Prot 4.6.1.107 2010.08.29 -
Fortinet 4.1.143.0 2010.08.29 -
GData 21 2010.08.30 -
Ikarus T3.1.1.88.0 2010.08.30 -
Jiangmin 13.0.900 2010.08.29 -
Kaspersky 7.0.0.125 2010.08.30 -
McAfee 5.400.0.1158 2010.08.30 -
McAfee-GW-Edition 2010.1B 2010.08.29 -
Microsoft 1.6103 2010.08.29 -
NOD32 5407 2010.08.29 -
Norman 6.05.11 2010.08.29 -
nProtect 2010-08-29.01 2010.08.29 -
Panda 10.0.2.7 2010.08.29 -
PCTools 7.0.3.5 2010.08.30 -
Prevx 3.0 2010.08.30 -
Rising 22.62.05.03 2010.08.28 -
Sophos 4.56.0 2010.08.29 -
Sunbelt 6811 2010.08.30 -
SUPERAntiSpyware 4.40.0.1006 2010.08.29 -
Symantec 20101.1.1.7 2010.08.30 -
TheHacker 6.5.2.1.358 2010.08.29 -
TrendMicro 9.120.0.1004 2010.08.29 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.30 -
VBA32 3.12.14.0 2010.08.27 -
ViRobot 2010.8.28.4013 2010.08.29 Win32.Patched.AF
VirusBuster 5.0.27.0 2010.08.29 -

C:\Windows\System32\explorer.exe Results

Antivirus Version Last Update Result
AhnLab-V3 2010.08.29.00 2010.08.28 -
AntiVir 8.2.4.46 2010.08.29 -
Antiy-AVL 2.0.3.7 2010.08.26 -
Authentium 5.2.0.5 2010.08.29 -
Avast 4.8.1351.0 2010.08.29 -
Avast5 5.0.594.0 2010.08.29 -
AVG 9.0.0.851 2010.08.29 -
BitDefender 7.2 2010.08.30 -
CAT-QuickHeal 11.00 2010.08.28 -
ClamAV 0.96.2.0-git 2010.08.30 -
Comodo 5903 2010.08.29 -
DrWeb 5.0.2.03300 2010.08.30 -
Emsisoft 5.0.0.37 2010.08.30 -
eSafe 7.0.17.0 2010.08.29 -
eTrust-Vet 36.1.7823 2010.08.27 -
F-Prot 4.6.1.107 2010.08.29 -
F-Secure 9.0.15370.0 2010.08.30 -
Fortinet 4.1.143.0 2010.08.29 -
GData 21 2010.08.30 -
Ikarus T3.1.1.88.0 2010.08.30 -
Jiangmin 13.0.900 2010.08.29 -
Kaspersky 7.0.0.125 2010.08.30 -
McAfee 5.400.0.1158 2010.08.30 -
Microsoft 1.6103 2010.08.29 -
NOD32 5407 2010.08.29 -
Norman 6.05.11 2010.08.29 -
nProtect 2010-08-29.01 2010.08.29 -
Panda 10.0.2.7 2010.08.29 -
PCTools 7.0.3.5 2010.08.30 -
Prevx 3.0 2010.08.30 -
Rising 22.62.05.03 2010.08.28 -
Sophos 4.56.0 2010.08.29 -
Sunbelt 6809 2010.08.29 -
SUPERAntiSpyware 4.40.0.1006 2010.08.29 -
Symantec 20101.1.1.7 2010.08.30 -
TheHacker 6.5.2.1.358 2010.08.29 -
TrendMicro 9.120.0.1004 2010.08.29 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.30 -
VBA32 3.12.14.0 2010.08.27 -
ViRobot 2010.8.28.4013 2010.08.29 -
VirusBuster 5.0.27.0 2010.08.29 -

C:\Windows\SysWOW64\explorer.exe Results

Antivirus Version Last update Result
AhnLab-V3 2010.08.29.00 2010.08.28 -
AntiVir 8.2.4.46 2010.08.29 -
Antiy-AVL 2.0.3.7 2010.08.26 -
Authentium 5.2.0.5 2010.08.29 -
Avast 4.8.1351.0 2010.08.29 -
Avast5 5.0.594.0 2010.08.29 -
AVG 9.0.0.851 2010.08.29 -
BitDefender 7.2 2010.08.30 -
CAT-QuickHeal 11.00 2010.08.28 -
ClamAV 0.96.2.0-git 2010.08.30 -
Comodo 5903 2010.08.29 -
DrWeb 5.0.2.03300 2010.08.30 -
Emsisoft 5.0.0.37 2010.08.30 -
eSafe 7.0.17.0 2010.08.29 -
eTrust-Vet 36.1.7823 2010.08.27 -
F-Prot 4.6.1.107 2010.08.29 -
F-Secure 9.0.15370.0 2010.08.30 -
Fortinet 4.1.143.0 2010.08.29 -
GData 21 2010.08.30 -
Ikarus T3.1.1.88.0 2010.08.30 -
Jiangmin 13.0.900 2010.08.29 -
Kaspersky 7.0.0.125 2010.08.30 -
McAfee 5.400.0.1158 2010.08.30 -
McAfee-GW-Edition 2010.1B 2010.08.29 -
Microsoft 1.6103 2010.08.29 -
NOD32 5407 2010.08.29 -
Norman 6.05.11 2010.08.29 -
nProtect 2010-08-29.01 2010.08.29 -
Panda 10.0.2.7 2010.08.29 -
PCTools 7.0.3.5 2010.08.30 -
Prevx 3.0 2010.08.30 -
Rising 22.62.05.03 2010.08.28 -
Sophos 4.56.0 2010.08.29 -
Sunbelt 6811 2010.08.30 -
SUPERAntiSpyware 4.40.0.1006 2010.08.29 -
Symantec 20101.1.1.7 2010.08.30 -
TheHacker 6.5.2.1.358 2010.08.29 -
TrendMicro 9.120.0.1004 2010.08.29 -
TrendMicro-HouseCall 9.120.0.1004 2010.08.30 -
VBA32 3.12.14.0 2010.08.27 -
ViRobot 2010.8.28.4013 2010.08.29 -
VirusBuster 5.0.27.0 2010.08.29 -

 

[eraserboy]

I am in the process of doing the Avast full run scan now. I wasn't sure where to find the hidden files and folders. I didn't see anything like that where you told me to look so I did the scans without that. I posted the 3 results. However they don't seem to have showed up. It said I needed an administrator to approve the post. Just in case the scans do not show up, the C:\Windows\explorer.exe was said to have a virus by Avast5 and ViRobot. The other two you asked me to scan had nothing pop up and were called "Goodware". I will repost scans if they do not show if you would like me to.

 

[Broni]

I got them.

 

[Broni]

Only two engines found explorer.exe as a bad file, but just in case, we'll replace it with a healthy file as soon, as you're done with Avast.

 

[eraserboy]

Alright, my Avast scan has finished. It is saying the same thing that it has been. That I have two bad files C:\Windows\explorer.exe and it is infected with Win32:Bamital-X. The second file is the same exact thing in the Avast window.

 

[Broni]

The second file is the same exact thing in the Avast window.

I'm not sure, if I understand the above....

 

[eraserboy]

Alright. The infected file pops up twice in the Avast window. It literally says the EXACT same thing. There are two "C:\Windows\explorer.exe"s and they are both infected with Wind32:Bamital-X. I'm not sure why this appears twice.

 

[Broni]

OK. Let's fix it...

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  
  :Services
  
  :Reg
  
  :Files
  C:\Windows\explorer.exe|C:\Windows\winsxs\amd64_microsoft-windows-explorer_31bf3856ad364e35_6.1.7600.16450_none_adc508f19359a007\explorer.exe /replace
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.

 

[eraserboy]

Alright, I followed your steps. I have attached the file you wanted.

 

[eraserboy]

Sorry, I wasn't sure if I posted the attachment or not. I'm doing it again just in case.

 

[Broni]

Did you reboot?
If not, do so now and....

Re-run SystemLook with very same script like in my reply #4.

 

[eraserboy]

Yes Broni, I did restart. I am attaching the system look log.
If this problem is solved, how can I make sure there is nothing else hiding in my system that will come back to get me?

 

[Broni]

This looks good
We're not totally done, so you'll have time to let me know, in case Avast complains again.

As for the prevention, I'll give you some hints in my last post of this topic.

Now, last scans....

1. Download Security Check from HERE, and save it to your Desktop.

• Double-click SecurityCheck.exe
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

2. Download Temp File Cleaner (TFC)

• Double click on TFC.exe to run the program.
• Click on Start button to begin cleaning process.
• TFC will close all running programs, and it may ask you to restart computer.

3. Go to Kaspersky website and perform an online antivirus scan.

• Disable your active antivirus program.
• Read through the requirements and privacy statement and click on Accept button.
• It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
• When the downloads have finished, click on Settings.
• Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  
  • Spyware, Adware, Dialers, and other potentially dangerous programs
  • Archives
  • Mail databases
• Click on My Computer under Scan.
• Once the scan is complete, it will display the results. Click on View Scan Report.
• You will see a list of infected items there. Click on Save Report As....
• Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.

 

[eraserboy]

Hey. I've uploaded the SecurityCheck log and ran the TFC.
However, I can not run the Kaspersky Virus Check.
It says I do not have Java support on my browser. This is strange because I do have Java enabled and Javascript enabled. I also have the newest version of Java.
I am running Mozilla Firefox. Any ideas on why it won't let me use Kaspersky?

 

[Broni]

Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader(3.5MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or other garbage.

=================================================================

Instead of Kaspersky...

Please run a free online scan with the ESET Online Scanner

• Disable your antivirus program
• Tick the box next to YES, I accept the Terms of Use
• IMOPRTANT! UN-check Remove found threats
• Click Start
• Accept any security warnings from your browser.
• Check Scan archives
• Click Start
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push List of found threats
• Push Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.

 

[eraserboy]

Alright, I'm running the ESET scanner as I type this. I uninstalled my old Adobe and installed the newest version too. Anything else that needs to be done as I'm running the scan (only 30% and 15 minutes in)?

 

[Broni]

I can only tell you, when I see Eset results. That will be our very last step.