
Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Norton is not able to remove these threats and I have been constantly notified that my computer is under attack. I've run Malwarebytes and Spybot Search and Destroy. Neither worked. I also ran Norton Power Eraser and received a message that said the processes explorer.exe, svchost.exe and winlogon.exe are Bad. I think that this is where the Trojans have attached themselves.

I was unable to run Norton for a few days and downloaded AVG.  Total Crap.  It allowed these to infect my computer after years of Norton keeping it clean.  I have upgraded Norton today and am running Norton Internet Security 2012.

My son used IE last night instead of Firefox to browse the internet (FB, YouTube and Pandora). I believe this is when it happened and I've spent all day trying to get this off of my computer.

AND this "Adobe Flash Player Installer" keeps trying to load over and over but I think it's associated with the whole Trojan outbreak on my computer.

PLEASE!!!! Any help will be appreciated!!!

Replies


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2


mel032901 wrote:

Norton is not able to remove these threats and I have been constantly notified that my computer is under attack. I've run Malwarebytes and Spybot Search and Destroy. Neither worked. I also ran Norton Power Eraser and received a message that said the processes explorer.exe, svchost.exe and winlogon.exe are Bad. I think that this is where the Trojans have attached themselves.

I was unable to run Norton for a few days and downloaded AVG.  Total Crap.  It allowed these to infect my computer after years of Norton keeping it clean.  I have upgraded Norton today and am running Norton Internet Security 2012.

My son used IE last night instead of Firefox to browse the internet (FB, YouTube and Pandora). I believe this is when it happened and I've spent all day trying to get this off of my computer.

AND this "Adobe Flash Player Installer" keeps trying to load over and over but I think it's associated with the whole Trojan outbreak on my computer.

PLEASE!!!! Any help will be appreciated!!!


Welcome,

I cannot help you. We do have an expert who specializes in this type of problem. A couple of cautions. First, do not attempt to run any more 'fixers'. At best they do nothing; at worst they may make it impossible to clean up. Second, when Quads starts helping, please follow his instructions exactly. He is a volunteer. He may be in a different time zone, so be patient and wait for his instructions.

Stay well and surf safe

Dick
Win7x64 SP1 current NIS V21

Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Thanks!  Will do.


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

ANY other user other than the thread starter is not to use any instructions, scripts or procedures. The work through in cleaning a system is individual and only for that system, due to a number of factors.


Please do not run any tools unless instructed to do so. 

  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability. Do as the instructions ask: nothing extra, and don't run things twice.
  • If I ask a question, just answer it; don't run anything unless the post says to.
  • Major steps used:

1. Find

2. Break

3. Destroy

4. Cleanup  (including system as a whole)

Please read every post completely before doing anything. 

  • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums (sometimes).

  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.

You have made a bigger hole for yourself: Norton, AVG, Spybot S&D... Uninstall Spybot and AVG, then use AVG's removal tool.

What is your operating system, and is it 32-bit or 64-bit?

Quads


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Thank you for your help.  I realize that loading AVG was a bad idea.  I still had Norton on my computer but just could not update it at the time.

I'm running Windows XP 32 bit.  I've removed Spybot and AVG (earlier) but whatever is going on with this computer, I'm unable to get to the AVG removal tool.  I'm being redirected like crazy on my browser (Firefox).


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

hxxp://www.avg.com/us-en/utilities

change the 'xx' to 'tt'

Dick
Win7x64 SP1 current NIS V21

Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Awesome.  Thank you!  Downloading now.


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

AVG removal tool has finished running.


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

What is detected as Trojan.Gen.2 and Trojan.Gen, etc.?

Quads


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Trojan.Gen
c:\windows\installer\{5fff96ff-f4b8-7d87-ec73-42df1fdf4954}\u\00000008.@

there are about 3 pages on my Quarantine/Blocked list of different instances of this using different ending variables:
00000004.@
000000cb.@
etc.

It is a long list and I didn't see any .Gen2 at this time, but I did see them earlier.

And a constant barrage of the System Infected: Bamital Trojan Activity 3 from differing Attacker URLs all stemming from my computer trying to access the internet (as Norton is detecting, thank goodness)


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Are you using Norton 2011, 2012 or newer?

I have to separate what is ZeroAccess and what is being reported as Bamital.

Quads


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

I downloaded the free version of Norton Internet Security 2012 for the 30 day trial.  I am unable to renew my subscription until next month.  Things are a bit tight financially right now.  Hence, why I was stupid and downloaded AVG.


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Also, it might help to know that every time the "Adobe Installer" tries to load, Norton tells me the threat has been blocked. That's the Trojan.Gen threat.


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

I will be out for a couple of hours, but:

Open Notepad, then open Norton and go into each detection listed and its details, and click "Copy to Clipboard".

You can then paste the details into Notepad, one under the next; it may end up long.

Then save the .txt document.

Then you can attach all the threat details .txt to a post.

Quads


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Ok...will do.  No problem on timing.  I'll just log off and get back on in the a.m. (I'll post the .txt file tonight).

Thanks for your help.  Very much appreciated.


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Here is the .txt file.  There are just a ton of the System Infected: Bamital Trojan Activity 3.  It's constant.  I copied a lot of them into the .txt file...hoping it's enough to give you the info you need.

I also "halved" the text file and at the bottom put the Trojan.Gen and .Gen2 info. 

Again, thank you.  I will be on again in the a.m. (Central time).  Have a great night.

File Attachment: 

Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Seeing as malware is auto-loading as well, I have an idea, but XP makes this longer and harder.

Can you burn CDs? And do you have a flash drive?

Quads


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Good morning.  Yes, I can burn CDs and I also have a Flash Drive.


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

I will split this step

a)  Please download http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/   You need to download the 32-bit version.

Transfer it onto the flash drive so it is ready.

b)  Download  hxxp://oldtimer.geekstogo.com/OTLPENet.exe    to your desktop  (change the xx to tt)

Ensure that you have a blank CD in the drive

Double-click OTLPENet.exe and this will then open ImgBurn to burn the file to CD for you.

Quads


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Ok.  I've done both.  I apologize for the delay...I'm running Saturday errands in between being online.


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

a) Reboot your system using the boot CD you just created.


Note : If you do not know how to set your computer to boot from CD follow the steps here

As the CD needs to detect your hardware and load the operating system, I would recommend a nice cup of tea whilst it loads; it's all to do with system speed and hardware.

b) Your system should now display a Reatogo desktop. It looks sort of like you have loaded Windows, but you are actually using the boot CD.

Note : as you are running from CD it is not exactly speedy 

c) Insert the flash drive with FRST.exe on it .

d) Locate the flash drive and run FRST, like you would in XP, using My Computer (Computer) to find the flash drive or any connected drive.

e) The tool will start to run. When the tool opens click Yes to disclaimer. 

f) Press the Scan button. It will make a log (FRST.txt) on the flash drive. Once done, restart the system, take out the CD, load Windows from the hard drive instead, and attach the log in a message reply.

Quads


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Quads,

Here's the .txt file from FRST.

Again, you are much appreciated.  Thank you.

File Attachment: 

Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Well that is a bit of a mess.

Uninstall Malwarebytes, as you have it running in real time.

Quads


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Oh...I knew that!  But I don't allow Malwarebytes to run.  I exit it every time.  It wasn't real-time before yesterday.  When I tried to use it to scan (before coming to this forum) it downloaded the "trial" version of the protection module.  I should have just removed it then.

I uninstalled it.


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

This could take a bit of fun to pull apart.

Download the script attached; it needs to keep the same file name as well (fixlist.txt). Copy it across to the flash drive.

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Use the CD to load again and start FRST.exe (like before).

But this time press the Fix button just once and wait.

The tool will make a log on the flash drive (Fixlog.txt); please post it in your reply.

Quads

File Attachment: 

Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Quads,

The log is attached.

I'm sorry to say I'm exhausted tonight and won't be able to stay online.  The heat where I live has been ridiculous and it took it out of me today running errands. 

I will be back online tomorrow afternoon.  Thank you so much for everything.  I will do the next step as soon as I log on tomorrow.

Have a great night.  Thanks again!

Mel

File Attachment: 

Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Hopefully that has done enough to break ZeroAccess, except maybe services.exe, and of course we still have Bamital.

Step 3.

Please read carefully. Read all of this message first.

Download Combofix http://www.bleepingcomputer.com/download/anti-virus/combofix


  • Ensure that Combofix is saved directly to the Desktop <--- Very important  (not in the download or temp folders)

  • Disable all security programs, as they will have a negative effect on Combofix. Disable them for, say, 1 hour or more.
  • Close any open browsers and any other programs you might have running

If required, right-click the combofix.exe on the desktop and select "Run as Administrator" from the menu.

  • If you are using windows XP It might display a pop up saying that "Recovery console is not installed, do you want to install?" Please select yes & let it download the files it needs to do this. Once the recovery console is installed Combofix will then offer to scan for malware. Select continue or yes.
  • When finished, it will produce a report for you. Please post the "C:\ComboFix.txt" for further review


****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

*EXTRA NOTES*

  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot; you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot; this is normal.
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (those items will not be deleted).

Quads


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Good afternoon Quads!

I have done the next step and the ComboFix.txt file is attached.

File Attachment: 

Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

That is still a fair bit taken; who knows how long the system has been infected.

I noticed that Combofix may have struggled or may have failed with Bamital, so I will do an MD5 check of files and locations.

First, Norton may still detect the files you had detected when you came to the forum. That is OK, because if all is going well the location will have changed for the detections, as Combofix and FRST have their own quarantine folders which I clean up at the end as part of step 4 (see my first post).

Now 

Please download SystemLook from one of the links below and save it to your Desktop.

hxxp://jpshortstuff.247fixes.com/SystemLook.exe   change the xx to tt

Disable Norton for say 30 mins

Double-click SystemLook.exe to run it.

Copy the content of the following codebox into the main text field (don't forget the : in front of :filefind):

:filefind
\n
\@
*.@
services.exe
svchost.exe
explorer.exe
winlogon.exe
svchost.exe.vir
explorer.exe.vir
winlogon.exe.vir

Click the Look button to start the scan.

When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Quads

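The MD5 check Quads mentions, as an added triage example that is not part of the thread or of any of the tools used in it: a Python script that lists the *.@, @ and n files under Windows\Installer\{GUID}\ that the SystemLook :filefind list hunts for, hashes the core binaries Power Eraser flagged, and reports which differ from known-good hashes. The sample directory tree and the known-good values are constructed placeholders; a real check would take the known-good hashes from a clean copy of the same Windows build.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# ZeroAccess drop folder seen in this thread: C:\Windows\Installer\{GUID}\U\00000008.@
GUID_DIR = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
SUSPECT_NAMES = {"@", "n"}  # bare names from the SystemLook :filefind list above
# Norton Power Eraser flagged the first three; services.exe is the ZeroAccess target.
CORE_BINARIES = ("explorer.exe", "svchost.exe", "winlogon.exe", "services.exe")


def md5_hex(data):
    """MD5 of an in-memory byte string (used for the constructed known-good values)."""
    return hashlib.md5(data).hexdigest()


def md5_of(path):
    """MD5 of a file, hashed in chunks so a large binary need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_zeroaccess_artifacts(windows_dir):
    """Paths of *.@ files and files named @ or n under <windows>\\Installer\\{GUID}\\."""
    installer = Path(windows_dir) / "Installer"
    if not installer.is_dir():
        return []
    guid_dirs = [d for d in installer.iterdir() if d.is_dir() and GUID_DIR.match(d.name)]
    return sorted(str(p) for d in guid_dirs for p in d.rglob("*")
                  if p.is_file() and (p.suffix == ".@" or p.name in SUSPECT_NAMES))


def hash_core_binaries(windows_dir):
    """MD5 per core binary: explorer.exe lives in <windows>, the rest in system32.
    A binary found in neither place is reported as None."""
    root = Path(windows_dir)
    result = {}
    for name in CORE_BINARIES:
        found = [c for c in (root / name, root / "system32" / name) if c.is_file()]
        result[name] = md5_of(found[0]) if found else None
    return result


def mismatches(actual, known_good):
    """Binaries whose MD5 is missing or differs from the known-good value: investigate."""
    return sorted(name for name, good in known_good.items()
                  if actual.get(name) is None or actual[name].lower() != good.lower())


def build_sample_tree():
    """Constructed sample (not the infected machine): a fake Windows folder with one
    ZeroAccess-style drop folder and two placeholder binaries, one of them 'patched'."""
    root = Path(tempfile.mkdtemp())
    guid_dir = root / "Installer" / "{5fff96ff-f4b8-7d87-ec73-42df1fdf4954}"
    (guid_dir / "U").mkdir(parents=True)
    (guid_dir / "U" / "00000008.@").write_bytes(b"constructed payload placeholder")
    (guid_dir / "@").write_bytes(b"constructed config placeholder")
    (root / "system32").mkdir()
    (root / "system32" / "winlogon.exe").write_bytes(b"clean winlogon placeholder")
    (root / "explorer.exe").write_bytes(b"patched explorer placeholder")
    return root

if __name__ == "__main__":  # demo on the constructed tree; known-good values are placeholders
    win = build_sample_tree()
    print("artifacts:", find_zeroaccess_artifacts(win))
    good = {"winlogon.exe": md5_hex(b"clean winlogon placeholder"),
            "explorer.exe": md5_hex(b"clean explorer placeholder")}
    print("investigate:", mismatches(hash_core_binaries(win), good))
```

On a real XP box, point the functions at C:\Windows and compare against hashes from a known-clean install of the same service pack; a binary that hashes differently from its clean twin is what the thread's MD5 check is looking for.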

Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Wow!  Scary thinking this thing has been in my computer for a while.  Truly appreciate you taking your time to help me.

Here's the SystemLook.txt file.

File Attachment: 

Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

That's Ok.

On with step 4. (a)

Please read carefully and slowly.

Please scan with ESET next.


I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the  button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on  to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the  icon on your desktop.
  • Check 
  • Click the  button.
  • Accept any security warnings from your browser.
  • Under scan settings, check  and DON'T (NO) check Remove found threats (reason for this is we don't want something deleted and then Windows won't load).
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • Attach the resulting log in your next reply


If you think a log should have been generated then go to C:\Program Files\ESET\ESET Online Scanner\log.txt to find it. 

Quads


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Quads,

Is there a possibility of the scanner getting stuck on a particular file?  It's been running for over an hour and has been on a file entitled (for at least the past 30 minutes):

C:\Documents and Settings/Mel/My Documents/Downloads/ADBEFWKSCS4_LS1.7z

Right now the scan has stopped at 20% on the bar but the Total Scan time is running at 1:07:30 and going up.

Please let me know what, if anything, I should do.

Thank you!

Mel


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Sometimes it looks like the scan is stuck but it isn't, and it will jump from 20% to 25% or more. It is an archive file, so inside there may be a lot of objects to scan. Although one other malware removal forum had ESET take 22 hours, yes that is right.

Quads

Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

I have looked up the file name and it looks like it could be a large compressed archive, anywhere from 420MB to 32GB (32GB if it's the megapack), but it is highly possible it's a torrent download.

Quads


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Ok!  No problem.  I just wanted to make sure.  It is still on that same file and the total scan time is now 1:41:31.

:)

No worries.  I'll leave it running and post the log as soon as it's done (hopefully less than 22 hours LOL).

Thanks again.  It looks like it may be tomorrow at this rate.  If so, have a good night.

Mel


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

I hope it has moved past 20% by now.

Quads

Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Good afternoon!

Nope. Still chugging away.  However, we had a mishap last night.  A family member stopped the scan thinking something was wrong with it.  I know...I wasn't happy about it either.

Anyway, scan restarted this morning (brand new).  Still at 20% today at over 8 hours.  But it is working.  I'm sorry this is taking so long. 

I will post as soon as it's done.  But the way it looks, it may be more than 22 hours! LOL


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Quads,

If there is something you want me to do differently, please advise.

Thank you!

Mel


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

I thought I might give you a picture of the size of my disk (somewhat of a pic)....

My Documents and Settings folder shows 153,771 files

My Program Files folder shows 80,516

I didn't look at any of the other folders but....ESET is at 9:13 on the timer, is still in the Documents and Settings folder and is only at 43,231 files scanned overall.

Hope that helps.


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

That's OK. You also have to remember that an archive can have lots of objects inside. So, for instance, if I grabbed every malware file I have or had in the past and zip-compressed it (so malware.zip), the number inside would run into the thousands.

I would say whoever is downloading torrents, or by other means, is also not cleaning out the download(s) folder.

Quads


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Thanks Quads!

I'll just let it continue.  Hoping it gets done at some point.

Have a nice day/night!

Mel


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

One more question....should I disable Norton while the scan runs?

And if this is a "duh"....well, I'll have to slap my head in frustration and have a "I should have known that" moment.


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

No. For users in the past, here and on other forums, it appears to make no difference, although as ESET is about to scan a file Norton may detect it also.

Quads


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Quads,

Just an update.  This scanner is still on 20%.  This time it's been in the Adobe CS3 folder that I have (online download of the Adobe Creative Suite....which is very large, I know).  Last night it was on file 43819 and this morning it's on 43932.

The scanner timer reset itself after 24 hours. 

At this rate, it could be scanning all week.


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

One more question....is the computer safe to use until the scan is complete?  I.e., are my passwords safe, etc.?

Mel


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

You may as well stop the scan, and delete everything in the download(s) folder under every working account.

Quads


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Done!  Cleaned up and restarted the scan.

Hopefully it won't be as long!

Thank you!


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

I hope you have then also deleted those files from the Recycle Bin.

Quads


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Yes, I did.

It's scanning quicker now but has slowed down considerably in the Application Data folder.  Hopefully it can finish overnight tonight.  I really would like to have my computer back!

Thanks again (I know I keep saying that but you have been awesome in your help).

Mel


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Quads,

Just thought I'd update you today on the progress.  It came to a SLOW crawl at around 43000 files again last night (it's at 17% since before I went to bed at around midnight and is still there this morning).  This time it's in the Application Data files (Sun\Java).

We had a power outage last night so I had to restart the scan but it's been running overnight...12 hours right now.

Anyway, I won't be on again today as it is Independence Day here and we have plans with family. 

Can the computer be used safely during the scan (i.e., can I pay my bills, etc)....or is the malware still present and it wouldn't be a good idea to do anything until you're done cleaning?  Just wondering...I can make other arrangements if needed.

Thanks so much!  Have a good day/night.

Mel


Re: Cannot remove Bamital Trojan and Trojan.Gen & .Gen2

Is it still going??

Quads
