Author Topic: Got a virus need help (Read 193 times)

Sedit · « **on:** December 13, 2010, 05:54:22 AM »

I have been infected with a virus known as the Win 32:Bamital Virus and it is seriously fouling up my system with no normal means of cleaning it from the computer.

See what sets this apart from most is its infected my Explorer.exe and Winlogon.exe which are critical processes for running windows and there is no way to clean the infected file. I must delete these files then as a catch 22 I can't run windows. The only option im left with is to run a boot scan on my computer and delete the infected files and replace them with uninfected ones thru DOS mode.

That is where I need help, I do not have any uninfected copys of these files and was woundering if anyone running Windows XP would be a dear and send me a copy of theres. They are not really large files and it would be a snap to upload them.

Im pretty much at the end of my rope because if I let any antivirus handle it they don't know what they are doing and just block access to the programs meaning I cant use windows or even load it if they detect the virus. I can only use windows by shutting down my Antivirus and letting it do its thing.

Can anyone help. Once I get these files clean I can start tackling the registry issues it has caused. All it all due to the nature of the files its infected Im getting my ass kicked over hear.

wellbie · « **Reply #1 on:** December 13, 2010, 06:13:03 AM »

sent ya pm with link to some tool 's ."geek squad" best i can do on a xp is xp media center 2005 rollback
i think it is
welcome to it , it a gateway disk

Muso · « **Reply #2 on:** December 13, 2010, 03:23:08 PM »

I don't know if this is of any use but I'm pretty sure you can't send executable files with my email providers, and I couldn't see a link to upload via pm. These are the two .exe files from a clean XP machine.

lugh · « **Reply #3 on:** December 13, 2010, 04:40:58 PM »

A removal tool is attached:

h**p://hands-oncorp.com/2010/08/23/win32bamital-x-removal-instructions/

Instructions on using the Recovery Console in XP:

h**p://support.microsoft.com/kb/307654

If you can burn a CD/DVD or get a USB stick there are Linux tools that will allow you to boot from them if your computer isn't so old that's impossible:

h**p://forum.kaspersky.com/index.php?showforum=159

h**p://forum.bitdefender.com/index.php?&showtopic=16602

Sedit · « **Reply #4 on:** December 13, 2010, 09:50:25 PM »

Right away when attempting to DL Spyware doctor you uploaded Lugh the winlogon.exe attempted to infect it luckly I have advast running at the moment. I tryed to use the files Muso provided(thanks BTW)but unless I do them all at once the explorer.exe will just be reinfected by winlogon.exe. So I have to go into DOS mode which is a pain in the ass because the virus turned off all safeboot methods in the system registry and continues to do so when I attempt to reset them. Its possible but just a pain in the ass.

I have a feeling that there is a DLL somewhere involved that myself or the antivirus programs don't know about.

Lugh Im attempting to use the links and methods you'v provided but it won't be till later that I can do it properly.

Im having little faith in any antispyware application at the moment due to the fact that winlogon.exe is a readonly file and a critical application meaning repairing it and delating it while windows is running is out of the question.

BTW Lugh I can not run the spyware doctor without a registration key.

embezzler · « **Reply #5 on:** December 13, 2010, 10:23:49 PM »

Watch out for windows file protection too or else your work will be undone

Sedit · « **Reply #6 on:** December 13, 2010, 11:00:26 PM »

No worrys, spyware doctor notified me that the registry value for windows file protection has been set to SFPDisable IE: the virus turned off all protection that I have, I also checked my log file for windows update and the 22 of last month the icon for windows updater showing me that I needed updates was turned off and so was automatic protection telling me this is when I got the virus.

I got a bootvirus that loaded up when windows started telling me I had a virus. This screen even though professional looking was indeed a virus in itself known as the Thinkpoint virus. I started to get suspicious of the Thinkpoint program when it started to lock up my computer not allowing me to do a damn thing so I changed the hottfix.exe file associated with it and installed avast which is what informed me about the other issues on my system.

lugh · « **Reply #7 on:** December 14, 2010, 02:43:01 AM »

You should install something that can't be infected so easily, or change your browsing habits

There is a Linux edition that's been made more secure for the bees

Wizard X · « **Reply #8 on:** December 14, 2010, 02:57:02 AM »

Hi Sedit! If you continue to be infected PM me here or at The-Collective.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FBamital&ThreatID=-2147329844

http://forums.malwarebytes.org/index.php?showtopic=69201

Process: System32\winlogon.exe
Infection: Win32:Bamital-x
Object: C:\windows\system32\winlogon.exe

http://www.seasonsecurity.com/a/how-do-i-remove-win32-bamital-x-21808.html

Knoppix (Linux) that run completely from CD/DVD disk. http://knopper.net/knoppix-mirrors/index-en.html

Sedit · « **Reply #9 on:** December 14, 2010, 04:16:37 AM »

Got it,

I had to dos mode the g'damn thing like I said but its cleaned it. It also brought up the root of the problem when a crazy humanoid robot from another forum insisted I get Microsoft securitys essential it was kind enough to block the trojan downloader that my advast would have missed or so it seems.

C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\49\1aaeb971-613b4b26->cpak/Crimepack.class

Attempted to run itself along with two other files at that time. It also reminded me that around the 22 of last month was the first time ever I have attempted to update Java on this computer. Im possitive that this virus came thru with java updates so everyone be very cautious about using such a service because its gonna get you. I have not had this computer that long so I could not figure out how I got infected because I rarely download from this comp since my other is better for that.

Well now its time for some registry cleaning.... wish me luck...

Wizard X · « **Reply #10 on:** December 14, 2010, 04:25:13 AM »

The Undeletable SafeBoot Key. http://blog.didierstevens.com/2010/01/01/the-undeletable-safeboot-key/

Restoring Safe Mode with a .REG file. http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/

Save SafeBoot. http://blog.didierstevens.com/2006/06/22/save-safeboot/

The Emsisoft Emergency Kit (http://download11.emsisoft.com/EmsisoftEmergencyKit.zip 107Mb) contains a collection of programs that can be used without a software installation to scan and clean infected computers for malware. http://www.emsisoft.com/en/software/eek/

Wizard X · « **Reply #11 on:** December 14, 2010, 04:30:41 AM »

Quote from: Sedit on December 14, 2010, 04:16:37 AM

Got it,

I had to dos mode the g'damn thing like I said but its cleaned it. It also brought up the root of the problem when a crazy humanoid robot from another forum insisted I get Microsoft securitys essential it was kind enough to block the trojan downloader that my advast would have missed or so it seems.

C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\6.0\49\1aaeb971-613b4b26->cpak/Crimepack.class

Attempted to run itself along with two other files at that time. It also reminded me that around the 22 of last month was the first time ever I have attempted to update Java on this computer. Im possitive that this virus came thru with java updates so everyone be very cautious about using such a service because its gonna get you. I have not had this computer that long so I could not figure out how I got infected because I rarely download from this comp since my other is better for that.

Well now its time for some registry cleaning.... wish me luck...

I've been seeing some Java infections lately. REF: http://forums.malwarebytes.org/index.php?showtopic=69201

Go here and follow the instructions to clear your Java Cache. http://www.java.com/en/download/help/plugin_cache.xml

Wizard X · « **Reply #12 on:** December 14, 2010, 04:59:07 AM »

Making a bootable USB pen drive http://www.bootdisk.com/pendrive.htm and http://www.youtube.com/watch?v=98xlSjTyCaQ

How To Make Bootable USB with Windows 7 or Vista. http://www.intowindows.com/bootable-usb/

Install Windows 7/Vista using bootable USB guide. http://www.intowindows.com/how-to-install-windows-7vista-from-usb-drive-detailed-100-working-guide/

Wizard X · « **Reply #13 on:** December 14, 2010, 05:26:31 AM »

How To Create Bootable Windows 7, Vista, or XP USB Flash/Pen Drive Quickly using WinToFlash tool (free). http://www.intowindows.com/how-to-create-bootable-windows-7-vista-or-xp-usb-flashpen-drive-with-a-single-click-must-try/

WinToFlash Homepage http://wintoflash.com/home/en/

What is WinToFlash. There may come a day that optical drives are as hard to find as 5.25 floppy drives are today.

WinToFlash starts a wizard that will help pull over the contents of a windows installation CD or DVD and prep the USB drive to become a bootable replacement for the optical drive. It can also do this with your LiveCD.

You don't have to worry about scratches on the disc or misplacing your original media discs once you transfer their contents to the flash drive. The optical drive is quickly becoming a thing of the past, especially in office environments, as media is shifted to the cloud.

Wizard X · « **Reply #14 on:** December 14, 2010, 05:40:57 AM »

Finally to minimize virus infections while surfing.

(1) NEVER SURF THE INTERNET IN ADMINISTRATOR ACCOUNT.
(2) Activate GUEST ACCOUNT IN CONTROL PANEL > ACCOUNTS.
(3) Log Off as ADMINISTRATOR and into GUEST ACCOUNT.
(4) For Internet Explorer (IE) disable ALL java scripting, active X, and IFrames, OR set all security setting to high (max). Disable AutoComplete as some viruses harvest this stored info.
(5) For Firefox use NoScript http://noscript.net/

Wizard X · « **Reply #15 on:** December 14, 2010, 10:39:23 PM »

Excellent tool for killing and deleting malware. KillBox is a tool to delete in-use files, if the file is running, KillBox will attempt to end the process (close the running file) and delete it.

http://www.killbox.net/
http://www.killbox.net/help.html

KillBox requires the component MSCOMCTL.OCX to function.

Sometime certain Microsoft Libraries can become unregistered when installing and uninstalling a lot of software. One very common problem is the MSCOMCTL.OCX.

To correct the error, first search your drive for MSCOMCTL.OCX to see if you have it. If not you can download it from HERE: http://www.majorgeeks.com/files/mscomctl.zip

The file should be placed in your C:\WINDOWS\SYSTEM directory. Or, if you are C:\WINDOWS\SYSTEM32 if you are using WinXP.

Once it is there click START--> RUN and type "REGSVR32 MSCOMCTL.OCX" (No quotes) in the box.

That should fix the problem.

Sedit · « **Reply #16 on:** December 14, 2010, 10:50:14 PM »

Wouldn't this in the case of explorer.exe and winlogon.exe just kill the entire windows process though?

I did get rid of the main virus however its not the one causing me issues and I still get pop-ups. Neither Microsoft security or Avast is detecting anything at all yet im sure something is still there.

Wizard X · « **Reply #17 on:** December 14, 2010, 11:40:33 PM »

Quote from: Sedit on December 14, 2010, 10:50:14 PM

Wouldn't this in the case of explorer.exe and winlogon.exe just kill the entire windows process though?

I did get rid of the main virus however its not the one causing me issues and I still get pop-ups. Neither Microsoft security or Avast is detecting anything at all yet im sure something is still there.

In such case the user can set Pocket KillBox to delete or replace specified files on system reboot. This usually works, as the tool runs before malicious files get chance to start any processes. Ref: http://www.2-spyware.com/review-pocket-killbox.html

Sedit · « **Reply #18 on:** December 15, 2010, 06:01:45 PM »

Im getting mixed signals about the legitness of this Registry value some examples stating I should be wary of the x- header because its used to run various MIME applications I should be wary of.

Whats the status of the application/x-msdownload

HKEY_CLASSES_ROOT\.exe = application/x-msdownload

akcom · « **Reply #19 on:** December 15, 2010, 07:55:08 PM »

First of all do not delete explorer or winlogon. Second "application/x-msdownload" for .exe is normal (at least for Windows XP). Use Process Explorer to determine what DLL's are loaded in explorer and winlogon. Figure out which one is the virus, reboot into recovery mode and delete the DLL, reboot and your done

edit: Also, try running HijackThis

Author Topic: Got a virus need help (Read 193 times)

Sedit

Got a virus need help

wellbie

Re: Got a virus need help

Muso

Re: Got a virus need help

lugh

Re: Got a virus need help

Sedit

Re: Got a virus need help

embezzler

Re: Got a virus need help

Sedit

Re: Got a virus need help

lugh

Re: Got a virus need help

Wizard X

Re: Got a virus need help

Sedit

Re: Got a virus need help

Wizard X

Re: Got a virus need help

Wizard X

Re: Got a virus need help

Wizard X

Re: Got a virus need help

Wizard X

Re: Got a virus need help

Wizard X

Re: Got a virus need help

Wizard X

Re: Got a virus need help

Sedit

Re: Got a virus need help

Wizard X

Re: Got a virus need help

Sedit

Re: Got a virus need help

akcom

Re: Got a virus need help