Bamital infection

Hi,
Two days ago I picked up a virus which AVG 9 detected as patched.fm or bamital.
I decided to run a scan using hitman pro online and it detected winlogon and explorer.exe had been infected and the only way to fix it was reinstalling both files from the original xp disk which I was fortunate to have. After the removal I restarted the computer as instructed but again avg kept throwing up infection notices of explorer.exe and winlogon.exe. This time I ran MBam which detected 160 infections and i removed them and restarted, AVG still threw up infection notifications so I decided to run a scan with avg. As you could have probably guessed, AVG could not remove the files as they are whitelisted xp services. I analyzed with hijack this and sent the log for further analysis on hijackthis.de. Unfortunately there were no files in the log which users had flagged as potentially harmful and now I was back to square one.
Frustrated, I decided to "upgrade" windows xp pro SP2 as I thought this might solve the problem. Unfortunately it did not. All it did was change the way users logged on and didn't boot straight into xp without prompting a password which was how I had previously configured it. To me it looked like I was on a network, which I thought was the result of the virus and a hacker now had control over my pc, (paranoid) so I decided to follow steps in removing netware for clients to change how users logged on. This had no effect and I was still recieving a notification that netware for clients had to be disabled even though it was.
I was also unable to scan using AVG, I decided to uninstall/reinstall which went fine during uninstall but now when I went to install I got a cannot write to the registry type error ( can't remember exactly what it said).

Then I decided to install a fresh copy of xp pro sp2 on a partition and see if I could attack the virus on the C drive from the new installation. Again avg could not install so I was kind of stuck. I decided to boot into safe mode which seemed to do the trick, avg installed fine and I ran a scan. Rebooted but still having trouble.

I read somewhere that there was a fix for netware for client which I tried to install but I got an access denied message. I also got this message when trying to execute some other programs but again , I can't remember what exactly.
Another issue I noted is that when I go to particular forums like geek police firefox crashes. I tried this on a couple of different sites, Google, major geeks, and most other sites seem to be working fine but as soon as I go to a particular info page on a forum about my issue firefox crashes.

Anyway. Eventually I came here. I had no where else to turn and I was at my wits end. I read the READ and RUN thread and followed everything to the letter, So now I humbly ask for your help whoever you may be to rid my pc of this pest.

Please find attatched all relavent logs. I also added an mbam error.txt file that I found when looking for the mbam log which seems to coincide with the scan. I don't know what's going on.

:confused

 

Here are the remaining logs
Thanks in advance!

 

Thanks very much.
Just to note I'm currently running a boot time scan with avast. If you need anything else please let me know. Thanks again.

 

Ok, Decided to stay awake. Armed with a redbull and the will to destroy, I vow not to sleep till this pest has been eradicated.

One problem though, I cannot unstall the old version of Java as it's not showing up in the add and remove programs list.
Shall I proceed with the rest of the removal process?

 

Ok, I just figured out a way round. Oddly enough Revo Uninstaller found both outdated Java installations so I removed them, Not sure if I should have removed registry Items and leftovers but I thought it made sense to do so. Slap me on the wrist If I'm wrong.
Proceeding with attack plan.

 

Quick update,
Running combo fix was a real problem under my username (this is the ACC where I picked up the virus from in the first place), When restarting I kept getting windows messages saying basically that windows doesnt recognise filename "can't remember" (But it was definitely a CF file) do you want to browse for compatible programs or from the web. I browsed, located CF, clicked ok, CF began to run, Updated (Twice, as I have ran combo fix a dozen times at this stage, the other times I didn't even make it to the update stage as it kept crashing or cancelling) and then got a message saying CFscript.txt has been incorrectly spelled and that's where it's crashing at.
I decided to login using Admin acc, Ran combo fix with CFscript, everything went well, I decided to turn off my firewall at this point just before the restart. Comp restarted, (don't think CF updated but not too sure) then completed the scan. I have a log from the Admin account so I thought that maybe it was the firewall that was causing my problems on my own acc.

I decided to switch users, go through the whole process again on my own acc but kept failing in the same places. I'm not sure how consistent the log is going to be now or if switching the accs have upset the scanning process but for now I'm gonna skip the CF scan on my own acc, Run ESET, Run AVG, then Run MG tools on both accounts.

Will report back soon. Redbull wearing off, coffee wearing off, feeling kind of tired! :zzz Just putting the kettle on now!!!

 

Well I hope you had a nice sleep. Im heading into my 28th hour now:tired
Life looks different after 24 hours. Also please excuse any typos or ramblings that might find its way in to the text box. This is a side affect and is only temporary. If you get this little b***tard I'll owe you a beer/vodka/mountain dew or crab juice!

So heres the story so far. ESET has been running for 6 hours and 43 minutes, I probably shouldn't have selected scan archived files but it's too late now. I'm pleased to say that during this scan it has detected bamital.dz trojan which I suspect was the cause of my heartache in the beginning,along with 50 other various nasty pieces of code.

So back to Combo Fix, Will I still have to run it successfully under my username aswell as Admin? Also, will I need to rescan my pc with ESET again after?

 

No problem, whatever needs to be done to get this fixed. Will I scan again with the same preference settings or can I turn off archived files?


I'm also running ESET on the affected account at the moment anyway, I only switched to Admin to run combo fix. Everything else outlined in your removal process have all been run on the affected account.

Thanks again comrade.
Coffee on the way, served in an udder!!!:yum

 

Cool,
Will post logs when they become available.

 

Ran Three scans with ESET, First turned up 53 infections, second and third ame up clean, but I'm not getting my hopes up just yet.
I've attached the logs, Not sure whether I should run CF just yet or wait for your recommendation.

 

Good afternoon to you too.
Understand the deletion of the posts, plus I realised that "Bumping Hurts"

I just wanted to clarify, Do I need to first run CF normally and then with CFScript or do I need to run MGTools straight after the first run of CF.

I've attached the log for CF's first run anyway.

 

Was having problems initially, had to click "Run As" > Admin to get it to scan.
Not sure if that makes any difference.

 

Registry Item added successfully, Continuing with the remaining steps.

 

Ok, I'm running into a problem with kapersky online scanner

Using chrome, was asked to install java plugin, clicked install but got a message saying that java was already installed on my computer, do I want to reinstall? I clicked no and opened up firefox, went through the whole install process but still didn't work. I double checked settings in both Chrome and FF and java options were activated for both. I'm a bit apprehensive using IE as my default browser had changed from chrome to IE and I was getting notifications from SuperAntiSpyware that the homepage change requests were detected which sounds like the work of spyware to me.
Should I just run IE and see if I can get kapersky's online scanner to work through that or is there another alternative, What about another browser download?

 

IE is also asking for java installations for kapersky online to work.
Safe mode with networking?

 

Ok, here's the logs

 

Just thought I'd post to let you know that my email account was accessed from a site called kolo.net

I'm off all day today (Monday) so I can finally get rid of this pain in the ***. Hopefully.

 

Hey Kestrel, No worries. It was the weekend anyway so I wasn't expecting too much support anyways:-D

Haven't run any additional scans, just wanted to see if you picked anything up in the logs. the pc seems to be the same it's a little sluggish for a quad core with 3gb of ram.
Plus I haven't tried to change how users log on yet so I'm not too sure. I'm going to run a scan with avast, decided to get rid of avg as it didn't get great feedback in the "protecting yourself against malware" post plus I'll run an eset scan and see if anything comes up. I'll let you know how I get on anyway.

 

Ok ran a quick scan with avast, no threats found. Also Eset has found no threats but when I started up the pc this morning SuperAntiSpyware pro had warned of home page changes.
Not sure if this is still something to worry about.

 

No I don't remember renaming anything like that, Scan it or delete it or both?

Didn't set any proxies up by myself apart from open dns which, if I can remember correctly, isn't that address.

Absolutely nothing from what I can see, (show hidden files is enabled)

Completed the rest of the steps below, Virus total didn't detect anything suspicious in either explorer.exe or winlogon.exe.
What's next? (this is looking positive )

 

Sorry, Just checked that file. It's GMER, Never ran it though, I think

 

Yeah I fixed it but I think outlook express was dependant on it as I was getting connection errors. but That's easily fixable.

Some other behaviour I've noted but never mentioned until now. I've got two OS's on my pc, Usually at startup I can select which O.S to boot but after I ran CF the first time, I need to bring up the boot options for safemode, start windows normally and then select the O.S. If I was to let it boot automatically it would boot into xp64.
I still can't change the way users login from the UAC settings. Still, even after I have uninstalled netware for clients I get a notification saying that netware for clients needs to be disabled before I can proceed. Complete head scratcher if you ask me.
Anyway, that's besides the point. What's the next step in the exorcism Major?

 

Sounds good, Thanks very much for all your help. Regarding "disabling System Restore and re-enabling it", Does it matter that I have already shut the pc down? Should I do another scan and then disable and re-enable?

 

Thanks very much for all your help again.
I appreciate it. :clap

 

Thanks, One can a day is all I have, Don't want to become addicted!:-D

Can you point me in the right direction for fixing the last couple of issues I was having with boot-up and UAC settings please.

Thanks a Million