
[Split] Lothar



Yesterday, I managed to pick up a combo of Antimalware Doctor and the fake Microsoft Security Essentials virus. After a couple of go-rounds with MBAM and Spybot S&D, the above two seem to have been mostly nuked; however, I'm still experiencing some issues.

- To run MBAM at all, I had to rename the .exe, so something is blocking it from running.

- Running rkill.exe didn't turn up any malicious processes.

- Avast is preventing explorer.exe from launching, saying that it contains a virus; a scan with Avast reports that explorer.exe and C:\Windows\SysWOW64\wininit.exe are infected with the Win32/Bamital-AC trojan. (I can still run other processes via the task manager and cmd.exe, seemingly without issue.)

- However, running MBAM again turns up 0 infections detected.

Searching for "Bamital-AC" on the forums doesn't yield anything; a search for "Bamital" returns several threads, but none (so far as I can tell) for this incarnation of the virus, and all the instructions provided seemed pretty case-specific.

Any help you guys could provide would be much appreciated.

Thanks!

I am having the identical problem. Hope this gets updated soon - computer is virtually unusable with explorer.exe taken out.


Actually - not exactly the same.

- Also picked up a number of the trojans you outlined above, but malwarebytes removed most

- Explorer.exe stopped running, and performing a bootup scan with Avast turned up infections in winlogon.exe and explorer.exe. Defined as Win32: Bamital-AC. However, no removal possible

- Malwarebytes is now coming up with all clear (when run through task-manager, with explorer not working)

Hope anyone has any hints on this - as searching the internet doesn't come up with much - what it does come up with is all fresh, so this must be a new item.

Of course, these things can hide out and activate - but the whole thing went off when I launched software downloaded from cnet.downloads.com


Hello lothar

Welcome to Malwarebytes.

=====================

  • Download OTL to your desktop.
  • Double click on OTL to run it.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Under the Custom Scans and Fixes section paste in the below in bold

    netsvcs
    %SYSTEMDRIVE%\*.*
    /md5start
    explorer.exe
    winlogon.exe
    /md5stop
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll


  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

====================

Please download Rootkit Unhooker and save it to your desktop.

  • Double-click RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it, typically your desktop. Click Close
  • Copy the entire contents of the report and paste it in your next reply.

Note - You may get this warning; it is ok, just ignore it: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

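The /md5start ... /md5stop block in the OTL scan above asks OTL to hash explorer.exe and winlogon.exe, the two files Avast flagged, so the helper can compare them with known-good copies. As an added example (not OTL's code and not from this thread), the Python script below interprets that block the same way and reports each file as match, MISMATCH or missing against a baseline of known-good hashes; the baseline and the "system" directory are constructed here because the thread contains no hash values.

```python
import hashlib
import tempfile
from pathlib import Path

# OTL custom-scan text from the thread; only /md5start ... /md5stop is interpreted.
OTL_SCRIPT = """netsvcs
%SYSTEMDRIVE%\\*.*
/md5start
explorer.exe
winlogon.exe
/md5stop"""

def parse_md5_targets(script: str) -> list:
    """Return the file names listed between /md5start and /md5stop."""
    targets, inside = [], False
    for line in (l.strip() for l in script.splitlines()):
        if line.lower() == "/md5start":
            inside = True
        elif line.lower() == "/md5stop":
            inside = False
        elif inside and line:
            targets.append(line)
    return targets
def md5_of(path: Path) -> str:
    # Stream the file through MD5 so large binaries are not read in one go.
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()
def check_files(root: str, script: str, baseline: dict) -> dict:
    """Compare each listed file under root against its known-good hash:
    'match', 'MISMATCH' (changed on disk, as a file infector does) or 'missing'."""
    report = {}
    for name in parse_md5_targets(script):
        path = Path(root, name)
        if not path.is_file():
            report[name] = "missing"
        else:
            report[name] = "match" if baseline.get(name) == md5_of(path) else "MISMATCH"
    return report
def demo() -> dict:
    """Constructed scenario: a temporary 'system' directory in which winlogon.exe was altered."""
    with tempfile.TemporaryDirectory() as root:
        clean = {"explorer.exe": b"clean explorer", "winlogon.exe": b"clean winlogon"}
        for name, data in clean.items():
            Path(root, name).write_bytes(data)
        baseline = {n: hashlib.md5(d).hexdigest() for n, d in clean.items()}
        # simulate a file infector patching winlogon.exe in place
        Path(root, "winlogon.exe").write_bytes(clean["winlogon.exe"] + b"<patched>")
        return check_files(root, OTL_SCRIPT, baseline)
```

On a real machine the baseline would come from a clean installation of the same Windows build and patch level, since a legitimate update also changes these hashes.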

  • 2 weeks later...

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
