Win32:Bamital-X explorer.exe & winlogin.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by adarob, Sep 3, 2010.

  1. adarob

    adarob Private E-2

    Hi there, this is my first experience with a support forum so hope I get it right!

    I am running XP Pro SP3 32bit and have acquired the Win32:Bamital-X trojan affecting explorer.exe and winlogin.exe. When running an Avast scan these files were detected as high threats although can't be deleted as they are read-only system files.

    I have looked at similar threads posted and in particular followed the steps suggested in 'steveyell's post (08-25-10 23:28) but I had no luck in removing and replacing these files.

    I have attached the log files after completing your 7 steps and XP cleaning procedure. The only trouble I had was with the ComboFix.exe which after producing a log file I lost Windows Explorer and I had to manually shutdown the PC.

    I conducted all the malware removal tools whilst the PC was in 'Safe Mode'.

    Any help/direction with this would be most appreciated.

    Thanks....
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Note: You should never run fixes written for someone else like you were doing. You could break your PC. Fixes can contain specific details tailored to the individual. You can see some CFScript.txt patches for ComboFix that have nothing to do with your PC or your problem.

    I want to try a new fix so please do the below in preparation for the fix.

    Now download and save this XPsp3bu.exe to your C:\ root folder ( or to your Desktop if you have a problem saving to the root). You must do this properly. Now run the XPsp3bu.exe program by double clicking on it. You may or may not notice a quick flash of a black window. This is normal. The program runs quickly and just extracts some files we need.


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista or Win7, make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    Now attach the below log:
    • C:\MGlogs.zip


    NOTE: The above will not fix anything. These are necessary steps so that I can prepare the next fix.
     
  3. adarob

    adarob Private E-2

    Thanks chaslang, I have attached the MGlog file.

    Realised my mistake after running the other fix and receiving 'blue screen' - however luckily all ok now!
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay now click Start, Run, and enter cmd into the Run box and click OK. This will open a command prompt window. You should see the below prompt in the black window.

    C:\Documents and Settings\Administrator>

    At this prompt type the below command. There is a space after the cd and notice the \ before mgtools

    cd \mgtools

    The prompt should change to

    C:\MGtools>


    Now write this down or print if necessary because when you run the next steps your Internet Explorer browsers will be closed and your Desktop will disappear for awhile during the execution of the command. Then your Desktop should hopefully reappear and an Internet Explorer session should reopen and connect to the main page of the Malware Removal forum. You will need to locate your thread to post the log.

    Now at the C:\MGtools> prompt, enter the below command

    BamFix.bat

    After this runs, attach the C:\BamFix.txt log and DO NOT REBOOT your PC until you hear back from me. I will be gone for a while since I have to run out. But do note that the above fix will currently make it necessary for you to use the POWER DOWN button to shutdown your PC when we are ready. The normal logout/shutdown methods from the Start button will not work right now due to the above fix. It will work normally after the next reboot.
     
  5. adarob

    adarob Private E-2

    Hi, I have attached the BamFix.txt log. I accessed the web (this thread) via Firefox and have left it running until I hear back from you. Working at this PC for another 5 hours...:(

    Thanks.
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay I'm back for a few minutes and have to run out again so this will be a brief next step. Still do not reboot until I request it.

    That looks like it ran okay but I'm not sure whether we had 100 % success in replacing the infected files. When the BamFix.bat program was running, did you notice any error messages at all about trying to copy files?

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1

    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      Code:
      :filefind
      winlogon.*
      explorer.*
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. You can just close this notepad window since the log is already saved on your Desktop. Be patient! It may look like it is not doing anything, but it takes awhile for this to scan thru your whole system looking for matches.
    • Please attach the SystemLook.txt log found on your Desktop to your next reply.
     
  7. adarob

    adarob Private E-2

    When I was running the BamFix.bat program I did not notice any error messages although the cmd window did not close (still open - attached screen grab of text in cmd). Suggesting it could not replace Windows Explorer as it was still being used by another process?

    Also attached is the SystemLook.txt

    Thanks for helping with this!
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No that is Internet Explorer not Windows Explorer and not sure why it was in use since it should have been closed by BamFix.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay based on your SystemLook log the infection intercepted the changes and infected the files we were trying to use to repair the infection. Something must have still been loaded in memory that contained the infection. Did you have FireFox open when you ran BamFix.bat? If so, close EVERYTHING down except the command prompt window where you ran BamFix.bat. Then in the command prompt window enter the below commands ( this assumes that you saved XPsp3bu.exe to the root folder as requested) Note: Do not use FireFox if possible! Just use Internet Explorer if it works okay.

    C:\XPsp3bu.exe
    BamFix.bat


    Then attach the new c:\BamFix.txt log
    And also rerun the same SystemLook scan again and attach this new log.
     
  10. adarob

    adarob Private E-2

    I tried to run the BamFix.bat with everything closed but received error messages in the cmd window 'the process cannot access the file because it is being used by a different process'. (screen grab attached) - No log file was generated and Windows IE popped up at the end of the cycle.

    The XPsp3bu.exe is in the C: folder.

    I have another formatted drive (E:) installed on the PC, not sure if this would prevent the file deletion?
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay if your Desktop is still showing and if Internet Explorer is still open then:
    • close the command prompt window we opened to run BamFix.bat in.
    • then run the below ESET scan
    • Attach the log from ESET when it is finished. If it tells you that your PC must be rebooted, then reboot your PC immediately and then attach the log after reboot.
    • Then once you have booted up, run the ESET scan a second time and then attach the second log.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is another user account named utec with administrator privileges which may be the root cause of the infection. I see the below file in a temp folder for the utec user.

    C:\Documents and Settings\utec\Local Settings\temp\explorer.exe 1033728 bytes [20:39 03/09/2010] [04:42 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923


    This is not a location that should have explorer.exe

    EDIT: OK on MD5 code. Just in wrong location.
     
    Last edited: Sep 4, 2010
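A defender's check that mirrors what the SystemLook :filefind scan (post 6) and the MD5-plus-location reasoning in post 12 do, as added example code, not SystemLook, BamFix or MGtools: it lists every winlogon.* / explorer.* under a tree (so renamed .bad backups and quarantined copies show up too), hashes each copy, and flags a copy that sits in an unexpected directory or whose MD5 differs from a known-good copy. The known-good hashes and the sample directory tree are constructed here, laid out to match the locations named in this thread.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Stems the SystemLook ":filefind" scan in this thread looked for; matching on the stem also
# lists renamed backups such as explorer.exe.bad and quarantined .vir copies.
STEMS = ("winlogon", "explorer")
# Where each binary legitimately lives, relative to the drive root (lower-case, forward slashes).
EXPECTED = {"winlogon": "windows/system32", "explorer": "windows"}

def filefind(root):
    """One record per winlogon.* / explorer.* file under root: path, stem, directory and MD5."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            stem = name.split(".", 1)[0].lower()
            if stem in STEMS:
                path = Path(dirpath, name)
                rel = path.parent.relative_to(root).as_posix().lower()
                digest = hashlib.md5(path.read_bytes()).hexdigest()
                hits.append({"path": path, "stem": stem, "dir": rel, "md5": digest})
    return hits

def assess(hits, known_good):
    """Map each path to its problems: wrong directory and/or MD5 differing from the clean copy."""
    report = {}
    for h in hits:
        problems = []
        if h["dir"] != EXPECTED[h["stem"]]:
            problems.append("unexpected location")
        if h["md5"] != known_good[h["stem"]]:
            problems.append("md5 differs from clean copy")
        report[h["path"]] = problems
    return report

def demo():
    # Constructed tree (contents are stand-ins, not real binaries): clean files in place,
    # BamFix's renamed infected backup, and a stray copy in a user's temp folder.
    clean = {"winlogon": b"CLEAN-WINLOGON", "explorer": b"CLEAN-EXPLORER"}
    layout = {"windows/system32/winlogon.exe": clean["winlogon"],
              "windows/explorer.exe": clean["explorer"],
              "windows/explorer.exe.bad": b"INFECTED-EXPLORER",
              "documents and settings/utec/local settings/temp/explorer.exe": clean["explorer"]}
    root = Path(tempfile.mkdtemp())
    for rel, data in layout.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    known_good = {k: hashlib.md5(v).hexdigest() for k, v in clean.items()}
    return {p.relative_to(root).as_posix(): v for p, v in assess(filefind(root), known_good).items()}
```

Run against a real drive, `root` would be the drive root and `known_good` the MD5s of the clean files extracted by the service-pack backup, which is exactly the comparison that cleared the temp-folder copy above.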
  13. adarob

    adarob Private E-2

    Ok I'm replying to this on a different PC and running the ESET scanner as you asked in the previous thread. Shall I continue to scan the drive and attach the logs?
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes. Just don't do anything else on the problem PC except what is requested. By limiting what is run, we can contain the infection more.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You know..... in my haste to get a fix posted while running in and out, I think I misread some info in your MGlogs.zip and SystemLook.txt logs after the initial run of BamFix.bat. It looks like the files may have been replaced properly and the only infected files that remained were the backup copies I renamed to have .bad and also the ones from your ComboFix QooBox folder that have the .vir extension.

    However it does not hurt to run ESET since it will also check to see if other files besides winlogon.exe and explorer.exe have been infected.
     
  16. adarob

    adarob Private E-2

    OK, sounds promising:) just ran the first scan and Bamital files were found and deleted - no sign of winlogin or explorer files being flagged. I'm running the scan again and will post the logs. Internet connection is pretty sloooow at best of times.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay can you attach the first log and did it ask you to reboot?

    It should have found the infected versions of the files. The below should have been flagged:

    C:\WINDOWS\system32\winlogon.exe.bad
    C:\WINDOWS\explorer.exe.bad
    C:\Qoobox\Quarantine\C\WINDOWS\system32\winlogon.exe.vir
    C:\Qoobox\Quarantine\C\WINDOWS\explorer.exe.vir


    The key will still be to see if it remains clean after a reboot.
     
  18. adarob

    adarob Private E-2

    Here's the first scan log showing the flagged files.

    I was not asked to reboot and had to power off the PC to restart it. Currently running the second scan...
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay it found the ones in Qoobox. The ones in System Restore are to be expected since we have not disabled System Restore yet. We will do that later.

    Stop the current scan with ESET.

    Then run a new scan with ComboFix while in Normal Boot Mode.

    After ComboFix is run, now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista or Win7, don't double click, use right click and select Run As Administrator).



    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  20. adarob

    adarob Private E-2

    In normal boot mode ComboFix is warning that Avast real-time scanner is active. Avast is not in the System tray and I disabled it prior to running all malware scans however it does show up in the task manager processes as AvastSvc.exe SYSTEM. Shall I run ComboFix and accept the warnings?
     
  21. adarob

    adarob Private E-2

    I have attached the 2 log files. I still experienced the warning messages in ComboFix telling me Avast was running although I checked in the Computer Management>Services and disabled Avast whilst running as an Admin.

    Thanks for help today, off shift now, will be back in 10 hours. I'll leave PC as is.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's okay! Sometimes it just gets confused and you have to run it anyway.

    You're welcome. It is looking good now and I suggest that if you have no more apparent malware problems to do the below as soon as you can.


    Delete the below two files:
    C:\WINDOWS\explorer.exe.bad
    C:\WINDOWS\system32\winlogon.exe.bad

    Then empty your Recycle Bin.


    Then if you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME
        for your Window version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  23. adarob

    adarob Private E-2

    Chaslang, thank you for your invaluable help over last 2 days - Windows looking fine now with no obvious Malware! :) Much appreciated.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
