Bamital-X infection on XP

Discussion in 'Malware Help (A Specialist Will Reply)' started by sleeplessinsale, Sep 19, 2010.

  1. sleeplessinsale

    sleeplessinsale Private E-2

    Hi

I know others have had this infection in their explorer.exe and winlogon.exe files. I am posting also because of the way, after a reboot, it sticks at my desktop wallpaper but doesn't load up the icons or taskbar. It just shows the wallpaper and that's it. I get around that by running CMD from the task manager, going to C:\WINDOWS, renaming the existing explorer.exe to something else and then copying an XP version of explorer.exe I know to be clean from my external HDD to C:\WINDOWS. Then restart and it does load everything as normal, but after a few minutes I can reboot and it'll have infected explorer.exe again somehow, even though my Avast, Prev-X and Zonealarm have all been running.

    This happened during my doing the clean up process and steps in the README, and I got around it using my method above, but it was all temporary because of what I wrote above.

    I've run deep scans with Avast today and cleaned and quarantined everything, but it couldn't repair or move to the chest 4 entries:
    C:\windows\explorer.exe
    C:\windows\system32\explorer.exe
    C:\windows\winlogon.exe
    C:\windows\system32\winlogon.exe

    in all 4 cases, it reports Win32:Bamital-X

    I am running XP SP2.

    I know I'm supposed to say what I think I was doing at the time to get it infected, but I don't know. It could have been a torrent, using BitTorrent client. I can't think of anything else.

    Please help!

    these are attached.
    # SASlog.txt log from SuperAntiSpyware.
    # Malwarebytes Anti-Malware log
    # ComboFix.txt (normally C:\ComboFix.txt)
    # RRlog.txt (from RootRepeal)
     


  2. sleeplessinsale

    sleeplessinsale Private E-2

    Attached is the MGlogs.zip
     


  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Let's start with this:

    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    After clicking Fix, exit HJT.

    Now copy just the bold text below to notepad (Do not include any space above the word REGEDIT). Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    Driver::
    92CF7CE6
    ntcdrdrv
    erbnseh
    
    File::
    c:\windows\system32\drivers\erbnseh.sys
    c:\windows\system32\DRIVERS\ntcdrdrv.sys
    c:\windows\System32\92CF7CE6.EXE
    c:\windows\Mnujericoxepo.bin
    c:\windows\Jmoyuci.dat
    C:\WINDOWS\system32\dbmsviqn.dat
    C:\WINDOWS\system32\hotplng.dat
    C:\WINDOWS\system32\inetmie1.dat
    C:\WINDOWS\system32\pncrufml.dat
    
    Folder::
    c:\documents and settings\Admin\Local Settings\Application Data\fyihiaaar
    c:\documents and settings\Admin\Local Settings\Application Data\kyrhiqaqp
    c:\documents and settings\Admin\Local Settings\Application Data\mxyiinxnh
    c:\documents and settings\Admin\Application Data\mxyiinxnh
    C:\Documents and Settings\Admin\Application Data\1FE59226161679892519F9D17EF0717C
    C:\Documents and Settings\Admin\Application Data\mxyiinxnh
    
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip

    Make sure you tell me how things are working now!
     
  4. sleeplessinsale

    sleeplessinsale Private E-2

    Hi!

    Things seemed to go pretty good I think. I want to say I have Prev X and I go in and disable it. Even though I know I have disabled and it shows a disabled status, Combofix says it is 'Active' and gives me a warning message. Well being Active and Enabled may be 2 different things. But I know it's disabled so I carry on with all the cleaning.

    The registry merged fine. Yes it gave a successful message that it merged so that's good.

    ComboFix detected I had a corrupt winlogon.exe and explorer.exe and said it attempted to repair them both. I was quite skeptical it would succeed after everything I've been through, but then it said it had succeeded!!! After it rebooted my machine a couple of times, my desktop came up as expected and all my anti-virus and protection software started up. Then Avast reported 4 processes were trying to run that caused Bamital-X to be detected again, all 4 in winlogon.exe.

    So it seems like explorer.exe has been truly cleaned (I hope) but Avast has caused me to think winlogon.exe is not yet clean.

    By the way, after I had disabled all my anti-virus and anti-malware right at the beginning of your instructions, I then pulled out my internet connection cable from the back of my PC because I didn't think it needed to be on the internet for this, and leaving it in exposed it to potential harm.

    Hope I did the right thing.

    I plugged it back in after every single thing in your instructions was done.

    Logs are attached.

    The ComboFix log file was not in the C: root folder. It was in the C:\ComboFix folder.
    The MGLogs.zip file was in the root folder of the C: drive.
     


  5. sleeplessinsale

    sleeplessinsale Private E-2

    I should clarify that on reflection, I realise Combofix never claimed to have repaired winlogon.exe

    It did say it had successfully replaced/restored explorer.exe. This all seems consistent with what Avast has reported since. I did get back to the desktop OK, but I think it's only a matter of time before my system becomes unstable again because winlogon.exe has not been able to be cleaned.

    Thanks for your help so far and hope we can finish the job off from here :)
     
  6. sleeplessinsale

    sleeplessinsale Private E-2

    Sorry to leave yet another reply, but I just came home after being out for a few hours. I rebooted my PC to see if the explorer.exe was remaining immune to the infection. Well, when I logged into XP as normal, it went to the desktop wallpaper and stayed there. It didn't load any desktop icons or the taskbar :(

    I ran task manager and winlogon.exe shows as running along with Avast, PrevX and just about everything else I'd expect. explorer.exe isn't in the processes list.

    I have left it like that for now.

    :confused
     
  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Open task manager and in processes, type in explorer to start that process. That should give you your desktop back. Did you rename it to C:\WINDOWS\oldexplorer.exe?

    Do you have your xp cd? If so, I want you to go to start / run / and type:
    sfc /scannow.

    Run it twice.

    You are running 2 AV programs. Please uninstall PrevX.

    * Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
    If it is not on your Desktop, the below will not work.
    * Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    * If ComboFix tells you it needs to update to a new version, make sure you allow it to update.
    * Open Notepad and copy/paste the text in the below code box into it (make sure you scroll all the way down in the code box to get all lines selected ):
    Code:
    KILLALL::
    
    FCopy::
    C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe | C:\WINDOWS\explorer.exe
    
    * Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    * At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    * You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    If it asks you to override the previous file with the same name, click YES.
    * Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
    * Follow the prompts.
    * When it finishes, a log will be produced named c:\combofix.txt
    * I will ask for this log below

    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      winlogon,exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:

    * C:\ComboFix.txt
    * C:\MGlogs.zip
    * SystemLook.txt
     
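The :filefind step above lists every copy of winlogon.exe on the disk but leaves the comparison to the reader, and the FCopy:: line in the same post restores explorer.exe from the hotfix cache without first checking which copies differ from it. The script below is an added illustration, not part of this thread and not code from SystemLook or ComboFix: it does the SystemLook-style search over a directory tree, hashes each copy it finds, and compares every hash against a copy known to be clean (in the thread, the $hf_mig$ cache file, or the copy on the poster's external drive). The Windows tree, its file contents and the reference hashes are constructed inside the script with placeholder bytes rather than real PE files; only the expected XP locations (explorer.exe in %WINDIR%, winlogon.exe in %WINDIR%\system32) and the cache directory names are real.

```python
"""Find every copy of a Windows system binary under a tree, hash it, and
compare it against a reference copy known to be clean.

Added example, not part of the forum thread or of any tool it names. The
fake Windows directory built by build_demo_tree() is constructed for the
demo (placeholder bytes, not real executables).
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Directory (relative to the Windows dir) that holds the live, executed copy on XP.
EXPECTED_LOCATION = {
    "explorer.exe": "",          # C:\WINDOWS\explorer.exe
    "winlogon.exe": "system32",  # C:\WINDOWS\system32\winlogon.exe
}
# Caches whose copies are legitimate but are never the one that runs at logon.
CACHE_DIRS = ("system32/dllcache", "$hf_mig$", "ServicePackFiles")


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


@dataclass
class Finding:
    path: str      # relative to the Windows dir, forward slashes
    name: str
    sha256: str
    verdict: str   # "ok", "mismatch", "cache" or "unexpected-location"


def filefind(windir, names):
    """Like SystemLook's :filefind: yield every file under windir whose
    file name matches one of `names` (case-insensitive)."""
    wanted = {n.lower() for n in names}
    for root, _dirs, files in os.walk(windir):
        for fn in files:
            if fn.lower() in wanted:
                yield os.path.join(root, fn)


def audit(windir, reference_hashes):
    """reference_hashes maps file name -> SHA-256 of a copy trusted to be clean.
    A hash mismatch wins over location: a patched file in the right place is
    still 'mismatch' (the situation in the thread)."""
    findings = []
    for full in filefind(windir, reference_hashes):
        rel = os.path.relpath(full, windir).replace(os.sep, "/")
        name = os.path.basename(full).lower()
        parent = os.path.dirname(rel).lower()
        digest = sha256_of(full)
        if digest != reference_hashes[name]:
            verdict = "mismatch"
        elif parent == EXPECTED_LOCATION[name].lower():
            verdict = "ok"
        elif any(parent.startswith(c.lower()) for c in CACHE_DIRS):
            verdict = "cache"
        else:
            verdict = "unexpected-location"
        findings.append(Finding(rel, name, digest, verdict))
    return sorted(findings, key=lambda f: f.path)


def build_demo_tree():
    """Constructed fake Windows dir mirroring the paths named in the thread."""
    windir = tempfile.mkdtemp(prefix="fake_windows_")
    clean_explorer = b"CLEAN-EXPLORER"
    clean_winlogon = b"CLEAN-WINLOGON"
    layout = {
        "$hf_mig$/KB938828/SP2QFE/explorer.exe": clean_explorer,  # the FCopy:: source
        "explorer.exe": clean_explorer + b"<patched>",            # live copy, patched
        "system32/explorer.exe": clean_explorer + b"<patched>",   # not an XP location
        "system32/winlogon.exe": clean_winlogon + b"<patched>",   # live copy, patched
        "system32/dllcache/winlogon.exe": clean_winlogon,         # WFP cache
        "winlogon.exe": clean_winlogon,                           # clean bytes, wrong place
    }
    for rel, data in layout.items():
        p = os.path.join(windir, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    reference = {
        "explorer.exe": hashlib.sha256(clean_explorer).hexdigest(),
        "winlogon.exe": hashlib.sha256(clean_winlogon).hexdigest(),
    }
    return windir, reference


def demo():
    """Run the audit over the constructed tree; returns {path: verdict}."""
    windir, reference = build_demo_tree()
    return {f.path: f.verdict for f in audit(windir, reference)}


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict:20s} {path}")
```

Two verdicts carry the weight: "mismatch" at the live location means the executed file has been altered, and running the audit once right after replacing the file and again after a reboot (as the poster did by hand with explorer.exe) shows whether something is re-patching it. A copy that hashes equal to the reference is only as clean as the reference itself: a file infector running with administrator rights can patch the cache copies as easily as the live ones, so take the reference hash from a copy that never sat on the infected disk, such as the one on the poster's external drive, rather than from the same machine.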
  8. sleeplessinsale

    sleeplessinsale Private E-2

    It wouldn't run explorer.exe when I typed it into task manager. It said it couldn't find it at the path or I do not have sufficient rights to run it.

    I don't have an XP CD so couldn't do that scanner thing.

    After this I rebooted into Safe Mode and logged in as Administrator and that brought the desktop up.

    Then I did all your instructions other than the stuff involving the XP CD. I uninstalled PrevX as well.

    In the SystemLook step, I changed winlogon,exe to winlogon.exe

    I think you put a comma by mistake in the filename. So I did that and then ran it.

    All logs attached.
     


  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    We are going to have a problem replacing that infected file without the XP CD. If you can, try to borrow one from someone that has the same version as you do, as in Home or Pro.
     
