Avast WEBforum

Other => Viruses and worms => Topic started by: gtc on August 19, 2010, 09:22:59 AM

Title: Avast keeps reporting a Bamital-X infection of winlogon.exe [RESOLVED]
Post by: gtc on August 19, 2010, 09:22:59 AM
I'm running Avast v5.0.594 with definition version 100818-1

Thanks to McAfee not catching it, my PC was recently infected with the trojan that Microsoft calls Win32/Bamital.A and Kaspersky calls Win32.agent.bmkl

I have used various malware removal tools to get rid of the trojan, and McAfee Virus Removal staff have remotely accessed my PC and double-checked my work, but Avast occasionally pops up this warning:

MALWARE BLOCKED
Avast file system shield has blocked a threat.
No further action is required.

Object: C:\WINDOWS\system32\winlogon.exe
Infection: win32:Bamital-X
Action:
Process: C\program Files\Mozilla Firefox\firefox.exe

The threat was detected and blocked just before the file was executed.


My question is: if the trojan has been supposedly removed, why does Avast target my winlogon.exe program when I start a new firefox session?
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: Yanto.Chiang on August 19, 2010, 11:26:47 AM
Hi GTC,

Welcome to the avast forum,

By the way, you have the same problem as my friend, who used McAfee previously, and the trojan could smoothly infect his machine.
After that the machine couldn't be accessed, and each time after rebooting the machine always showed a blank display and didn't display the login page. According to the forum information winlogon.exe is probably detected as spyware, please see the link: hxxp://filehippo.com/download_malwarebytes_anti_malware/

From the information I got, this trojan will change your registry, especially the winlogon value. You may try to download and install avast! antivirus in safe mode and then do the boot-time scan. But if you still can't do that, you may try to download Dr.Web Scanner (http://www.freedrweb.com/cureit/?lng=en) and try to scan your system.

To complete the scans, you may download MalwareBytes (http://filehippo.com/download_malwarebytes_anti_malware/) and do re-scans with MBAM.

I hope you can solve your issues.

cheers,
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: SafeSurf on August 19, 2010, 11:36:45 AM
I need some more information from you:

- What is your OS (32 or 64-bit)?
- What other security software do you have on your system?  Do you have a Firewall?
- How did you remove McAfee?  Their uninstaller tool or some other way?
- Are you up to date with your MS Updates and software updates?

Quote
I have used various malware removal tools to get rid of the trojan
- What other tools did you use?

Quote
Object: C:\WINDOWS\system32\winlogon.exe
Infection: win32:Bamital-X
Action:
Process: C\program Files\Mozilla Firefox\firefox.exe
The threat was detected and blocked just before the file was executed.
This means that Avast is doing its job...this is a good thing.

Trojan:Win32/Bamital.A patches and redirects the following functions of the Windows Socket module, which are used by the browser, to its malicious routine so it can monitor and modify Web search queries and offer its own online advertisements.

Have you run any Avast scans (Full or Boot-time scans)?
Is anything sitting in your Virus Chest?  If so, please give the exact name and spelling of the name of the item (or a clear screen shot).  If you have not run these scans, please do so and report back along with the above answers.  Thank you.




Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: SafeSurf on August 19, 2010, 11:40:42 AM
gtc,

MBAM is a good tool.  If anything comes up that is infected, put it into quarantine.  Please copy and paste your log results here in the forum for us to analyze and we can help you better.  Thank you.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 19, 2010, 01:10:38 PM
Thank you for all of the responses. I'll reply to this one as it asks the most questions.

Quote
I need some more information from you:

- What is your OS (32 or 64-bit)?
- What other security software do you have on your system?  Do you have a Firewall?
- How did you remove McAfee?  Their uninstaller tool or some other way?
- Are you up to date with your MS Updates and software updates?

I'm running XP Pro SP3
Until the trojan struck I have been running McAfee Suite, which includes a firewall as I understand it.
I have not removed McAfee.
Yes, I have MS updates enabled

Quote
- What other tools did you use?

When the trojan struck, McAfee reported that the trojan "Backdoor-DKI!env.b quarantined", however it was either too late or too little because it got through. I figure that McAfee noticed just a small part of this hydra-headed thing. Initial visible symptoms were a pop-up saying "Java Update in progress" (or words to that effect) and then a blank YouTube video screen was shown. After that the usual symptoms of these things: invented spyware alerts, all attempts to run applications were hijacked, I was routed to porn sites, and attempts to run IE or Firefox displayed a phony warning sign about infection and wanting me to purchase alleged spyware removal software.

I have never had this happen to me before, but I've seen it happen to other people. The trojan host was a car club forum that Google subsequently marked as unsafe.

McAfee support emailed me Stinger.exe which made no difference whatsoever. I noted that the build date for Stinger was March 18, 2010 -- five months ago.

So, I went to the internet cafe up the street and did some research on the symptoms. In the end I used the following ...

Avira
Avast!
Hitman Pro 3.5
Gmer
Malware Bytes
Window Security Scan
Windows Defender

... each of which took a slightly different and/or informed view of the problem and reported and/or took various actions. Hitman Pro was the tool that zapped the trojan hardest and let me get control back of my PC to the point when I could run the other stuff.

After doing full system scans by all tools numerous times, I involved McAfee Virus Team and by remote access to my PC they ran various tools as well. They found evidence of where the trojan had been, such as a left over but now empty directory, however I got the impression that I now knew more about this thing than they did. I'm not at all happy with McAfee -- but that's another story.

Quote
Trojan:Win32/Bamital.A patches and redirects the following functions of the Windows Socket module, which are used by the browser, to its malicious routine so it can monitor and modify Web search queries and offer its own online advertisements.

I think you intended to list some Winsock functions?

Avast reported that a proxy server was being used with the IP address of 127.0.0.1:6522 and suggested it be repaired, which I okayed. I don't know if Avast was successful in that so I used various DOS level net and msconfig commands to restore default network software settings. The trojan also enabled proxy server in IE and Firefox, which I manually removed.

Avast also reported that EXPLORER.EXE and WINLOGON.EXE were trojans and suggested action was delete. I don't know how they could be infected because I gather they are Windows protected files and Avast was unable to delete them.

Quote
Have you run any Avast scans (Full or Boot-time scans)?
Is anything sitting in your Virus Chest?  If so, please give the exact name and spelling of the name of the item (or a clear screen shot).  If you have not run these scans, please do so and report back along with the above answers.  Thank you.

Yes, I have Avast now running and have done both boot and full scans.

Where do I find the Virus Chest?

I can't be sure that I have every trace of this trojan removed. I'm wondering why Avast is showing the pop-up described in my initial post only sometimes. I'm wondering if it is now a false positive?

Thanks again for all advice on this.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 19, 2010, 01:21:33 PM
By the way, I just got another Avast pop-up:

MALWARE BLOCKED
Avast file system shield has blocked a threat.
No further action is required.

Object: C:\WINDOWS\system32\winlogon.exe
Infection: win32:Bamital-X
Action:
Process: C\program Files\Google\Update\GoogleUpdate.exe

The threat was detected and blocked just before the file was executed.


I didn't even know I had a Google update app. I now read where it has something to do with Google Chrome -- which I don't use. Nonetheless, it appears to be a benign program which is triggering Avast to report Bamital-X again.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 19, 2010, 02:56:46 PM
Attached is a full scan report.

Again, I don't know how Avast is associating EXPLORER.EXE and WINLOGON.EXE with the Bamital-X trojan as these are supposedly Windows-protected files -- so how can a virus replace them without Windows trapping it as a security violation?

Also, the suggested action of "Move" results in the error: "The specified file is read only"
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: raman on August 19, 2010, 03:12:22 PM
Please test one of the mentioned files at virustotal.com and post the Link to the Virustotal result. You may need to disable Avast while uploading the file.....
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: mkis on August 19, 2010, 03:30:52 PM
The threat was blocked by the system shield, so the files in the chest are the source of the threat, as called by avast.

I'm not sure if this is a genuine detection, but the ID does point to the system being infected and this is where the threat is sourced.
Eset calls Win32/Bamital.X a trojan that redirects results of online search engines to web sites that contain adware.
This has already been said; the hack is like Bamital.A.
The execution would likely have generated a rootkit-type attack on the system. This is what avast alerts to have blocked.

If this is the case, it does appear that the google update app is compromised.
I'm a bit surprised. You might find that the updates are failing.

Also, not a convincing enough message popup, so let's see what virustotal has to say.
Do you know how to retrieve from the chest and send to virustotal?

Quote
- avast5 - Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\* That will stop the File System Shield scanning any file you put in that folder. Now enter the chest again and Extract the file to the Suspect folder and upload it to VT.
http://forum.avast.com/index.php?topic=62072.msg524498#msg524498


Quote
Avast also reported that EXPLORER.EXE and WINLOGON.EXE were trojans and suggested action was delete.
This seems unlikely and avast does not suggest to delete at any time.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 19, 2010, 05:39:30 PM
Quote
If this is the case, it does appear that the google update app is compromised.
I'm a bit surprised. You might find that the updates are failing.

As I said, I wasn't previously aware of this program, so I have no idea if Google updates are failing and, as I don't use Google Chrome, it doesn't really matter to me.

Quote
Also, not a convincing enough message popup, so lets see what virustotal has to say.
Do you know how to retrieve from chest and send to virustotal?

- avast5 - Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\* That will stop the File System Shield scanning any file you put in that folder. Now enter the chest again and Extract the file to the Suspect folder and upload it to VT.
http://forum.avast.com/index.php?topic=62072.msg524498#msg524498

I'm aware of the Virustotal site. Note again that Avast cannot action Explorer.exe or Winlogon.exe as they are read-only system files, so they are not in the "chest". I'll try to upload them to Virustotal by other means, having regard for File System Shield.

Quote from: gtc
Avast also reported that EXPLORER.EXE and WINLOGON.EXE were trojans and suggested action was delete.
Quote
This seems unlikely and avast does not suggest to delete at any time.

Yes, I confused Avast with Hitman Pro there (have run so many tools in the last 2 days!). Hitman wants to delete them, but cannot as they are read-only.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 19, 2010, 06:15:44 PM
Okay, I sent c:\windows\explorer.exe to Virustotal and it had 15 red hits out of 42 tests (see attachment, which I had to convert to text format in order to upload it to this site).

I then sent C:\Windows\ServicePackFiles\i386\explorer.exe and it had zero hits.

I tried to send c:\windows\system32\winlogon.exe but Virustotal didn't respond. It showed the 'Sending File' box, then returned to the main screen with no messages at all. Perhaps the file was locked as busy by Windows.

I then sent C:\Windows\ServicePackFiles\i386\winlogon.exe and it had zero hits.
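The comparison gtc did by hand through VirusTotal (live explorer.exe and winlogon.exe against the copies under ServicePackFiles\i386) can be done locally by hashing the files. The script below is an added example, not code from the thread or from any of the tools mentioned in it; it uses the thread's XP paths plus the system32\dllcache copy that a later post mentions, and it assumes PowerShell 4 or later for Get-FileHash, which a stock XP machine does not have.

```powershell
# Added example, not code from the thread: compare the live explorer.exe and
# winlogon.exe with the copies Windows XP keeps under ServicePackFiles\i386 and
# system32\dllcache. Paths are the thread's; Get-FileHash needs PowerShell 4+,
# so this assumes a newer PowerShell than a stock XP box has.
$files = @(
    @{ Live = "$env:SystemRoot\explorer.exe";          Name = 'explorer.exe' },
    @{ Live = "$env:SystemRoot\system32\winlogon.exe"; Name = 'winlogon.exe' }
)
$referenceDirs = @(
    "$env:SystemRoot\ServicePackFiles\i386",
    "$env:SystemRoot\system32\dllcache"
)

function Get-Sha256 {
    param([string]$Path)
    # -LiteralPath so nothing in the path is treated as a wildcard
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
}

foreach ($f in $files) {
    $liveHash = Get-Sha256 $f.Live
    $liveSize = (Get-Item -LiteralPath $f.Live -ErrorAction SilentlyContinue).Length
    Write-Host ("`n{0}  ({1} bytes)  SHA256={2}" -f $f.Live, $liveSize, $liveHash)

    $refHashes = @{}
    foreach ($dir in $referenceDirs) {
        $refPath = Join-Path $dir $f.Name
        $refHash = Get-Sha256 $refPath
        if ($null -eq $refHash) { Write-Host "  no reference copy at $refPath"; continue }
        $refHashes[$refPath] = $refHash
        $verdict = if ($refHash -eq $liveHash) { 'MATCH' } else { 'DIFFERS' }
        Write-Host ("  {0}  SHA256={1}  [{2}]" -f $refPath, $refHash, $verdict)
    }

    # If the two reference copies disagree with each other, one of them was
    # updated or tampered with; a MATCH against a patched dllcache proves
    # nothing, which is why the ServicePackFiles copy is the better baseline.
    if ($refHashes.Count -eq 2 -and ($refHashes.Values | Select-Object -Unique).Count -ne 1) {
        Write-Host '  WARNING: the reference copies differ from each other'
    }

    # Second opinion: DIFFERS can be a legitimate hotfix rather than an infection.
    # XP-era system files are catalog-signed, so on older Windows/PowerShell a
    # clean file may still report NotSigned here; treat Valid as reassuring and
    # anything else as a reason to look closer, not as a verdict.
    $sig = Get-AuthenticodeSignature -LiteralPath $f.Live
    Write-Host ("  Authenticode: {0}" -f $sig.Status)
}
```

Run it from an elevated PowerShell prompt. A hash mismatch on its own is not proof of infection; the point of keeping two reference copies is that a replaced file and a replaced cache copy have to agree with each other before a MATCH means anything.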
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: essexboy on August 19, 2010, 06:21:40 PM
It may well be an ADS attached to those files or running as a netsvc

Hi there let me see what you have

GMER Rootkit Scanner - Download (http://www.gmer.net/gmer.zip) - Homepage (http://www.gmer.net/)
**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
Please copy and paste the report into your Post.

THEN

Download OTL (http://oldtimer.geekstogo.com/OTL.exe)  to your Desktop

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: mkis on August 20, 2010, 04:37:46 AM
Sorry, should have said that there is a record of google update in Windows Event Viewer
- right-click Computer and select Manage, in the list on the left you can see Event Viewer, click this and choose Applications
- if the updates are failing, you see them there in red lettering

the updater always has been a bit annoying
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 20, 2010, 05:27:04 AM
Quote
Sorry, should have said that there is a record of google update in Windows Event Viewer
- right-click Computer and select Manage, in the list on the left you can see Event Viewer, click this and choose Applications
- if the updates are failing, you see them there in red lettering

the updater always has been a bit annoying

Thanks for the clarification.

I used that event viewer (new to me) and although there are no Google update fails logged, there are plenty of warnings and errors, including many from Avira about explorer.exe and winlogon.exe mentioning TR/Spy.507904.8 and TR/Spy.1033728.1. Interestingly, one of those mentions dllcache, so my cache is also suspect.

I'd love to be able to use sfc to reinstall explorer.exe and winlogon.exe but, try as I might through following instructions on another site about modifying the Registry, I cannot get it to recognize the ServicePacks folder -- it keeps prompting me to insert the XP Pro distribution disk which is no use to me because it's dated 2002 and is probably SP1.

I'm slowly going nuts here.

Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 20, 2010, 05:32:33 AM
Quote
It may well be an ADS attached to those files or running as a netsvc

What is an "ADS"?

Quote
  • Download GMER
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"  
    • Save the log where you can easily find it, such as your desktop.
    **Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries
    Please copy and paste the report into your Post.
I tried running gmer twice, but after about 30 minutes each time it hung the system. I think I may have too many AV tools running at once.

I'll go ahead and try OTL.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 20, 2010, 06:09:34 AM
Okay, I have run OTL. Forum won't allow me to attach both logs -- even though the total is 184KB vs the 200KB limit (???), so I'll try attaching each in separate posts.

Here's extras.txt ...
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 20, 2010, 06:10:20 AM
... And here's OTL.txt ...
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 20, 2010, 07:19:46 AM
Hitman Pro still reports that a proxy server is in use with address 127.0.0.1:6522 yet it can't seem to repair that.

I should also note that at boot time when I log in to my XP account, I get a blank screen -- presumably because the c:\Windows\Explorer.exe is compromised as per numerous AV tool reports. The only way I can get a valid Windows explorer running is via Task Manager > Run using the explorer.exe image stored in Windows\ServicePacks folder.

So, I really need to replace explorer.exe and winlogon.exe. I'm desperately trying to avoid having to re-install XP Pro from scratch. Seems I'll have to try to buy a SP3 CD of some sort that sfc /scannow can use?
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: SafeSurf on August 20, 2010, 07:56:28 AM
Quote
I think I may have too many AV tools running at once.

I'll go ahead and try OTL.
Can you clarify what you currently are running as resident AVs: Avast, McAfee Suite, Avira, Windows Defender (WD)...any others or did you uninstall any of these per the vendor's uninstall utility tools or another way?  On-demand items are fine to keep as is.

Your OTL logs did not come through on the postings.  You should have 2 separate logs since they are large.  You will need to attach the OTL logs to the post.  To attach the logs: go to the post screen > "Additional Options" > "Attach" > click in the box next to attach where you stored your OTL log and click browse to find it > post.  Do this for BOTH of your OTL logs (which hopefully you saved to your desktop to find easily).  Thank you.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 20, 2010, 08:26:44 AM
Quote
Your OTL logs did not come through on the postings.  You should have 2 separate logs since they are large.  You will need to attach the OTL logs to the post.  To attach the logs: go to the post screen > "Additional Options" > "Attach" > click in the box next to attach where you stored your OTL log and click browse to find it > post.  Do this for BOTH of your OTL logs (which hopefully you saved to your desktop to find easily).  Thank you.

I don't understand that as I can see them as attachments to each of my above posts referring to OTL. They show as click-able links below the signature line next to the paperclip icon.

The only tool I have uninstalled (using its own uninstaller) is Hitman Pro because it was slowing down my logins and at the moment I have to reboot and login frequently.

In the logs you'll see what AV tools I have running.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: SafeSurf on August 20, 2010, 08:40:04 AM
Your attachments are showing up now.  The server was slow and they were not showing up before. 

Tomorrow morning Essexboy will pick up with your malware removal process.  Thank you.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: essexboy on August 20, 2010, 10:44:45 AM
Hi, both winlogon and explorer are infected - so I will try to cure those first.  Also you have three AVs; you need to decide which one to keep

Download ComboFix from one of these locations:


Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 20, 2010, 11:45:21 AM
Essexboy:

I have followed your instructions and I was so very happy to read these words from ComboFix:

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe


Whoever wrote ComboFix deserves a medal. I'm happy to make a financial donation to the author if you can message me the details.

I have attached the log as requested.

Thank you very much.  :)
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: demofax on August 20, 2010, 01:35:57 PM
Greetings, I am so sorry to bother you all but I have had exactly the same issue with Avast stating that Bamital-X has infected both explorer.exe and winlogon.exe. I've spent three days trying to find a solution and put off using ComboFix until now for I understand that it's not a tool to be used by someone who is not an expert at these things (which I am not, haha). I ran ComboFix following these instructions and it recognised that winlogon and explorer were infected but when it finishes it says "Deleting files", immediately restarts my system (is this normal?) and does not leave me a log.

When I log on I have to start explorer manually from a version that I put on here from my other computer, else I'm left without a taskbar and icons and it won't allow me to start the process from the task manager.

When scanning the WINDOWS folder with Avast it is still telling me that explorer.exe and winlogon.exe are infected even after running ComboFix.

I hope you don't mind that I've posted in this thread and not in a new one. I'll be extremely grateful for any help you can offer. This has been driving me nuts for days!
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: DavidR on August 20, 2010, 02:27:30 PM
Quote
It may well be an ADS attached to those files or running as a netsvc

Quote
What is an "ADS"?

ADS = Alternative Data Stream, I know you are none the wiser for that ;D

On NTFS formatted drives you have a file and that file also has an alternative data stream associated/linked to it that you can't see in windows explorer, but it can be used for legitimate purposes and unfortunately for malicious purposes. The Alternative Data Stream element of the file doesn't appear in the total file size for the file, the file could be 10KB with a virtually unlimited Alternative Data Stream size that is invisible to all intents and purposes without special tools.

See http://en.wikipedia.org/wiki/Fork_(filesystem) and http://www.windowsecurity.com/articles/Alternate_Data_Streams.html.
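The hidden streams DavidR describes do not need special tools to find: PowerShell can enumerate every NTFS stream on a file. The script below is an added example, not code from DavidR or the forum; it assumes PowerShell 3 or later (for the -Stream parameter) and uses the two file paths from the thread.

```powershell
# Added example (not from the thread): list alternate data streams (ADS) on the
# two files the thread is about, then on every .exe directly under the Windows
# and system32 directories. Needs PowerShell 3+ for -Stream; paths are assumed.
function Get-AlternateStreams {
    param([string[]]$Path)
    foreach ($p in $Path) {
        # Every NTFS file has the unnamed ':$DATA' stream; anything else is an ADS.
        Get-Item -LiteralPath $p -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object FileName, Stream, Length
    }
}

# The two files from the thread
Get-AlternateStreams "$env:SystemRoot\explorer.exe", "$env:SystemRoot\system32\winlogon.exe" |
    Format-Table -AutoSize

# Wider sweep (not recursive; add -Recurse to Get-ChildItem for a full sweep)
$exes = Get-ChildItem -LiteralPath $env:SystemRoot, "$env:SystemRoot\system32" -Filter *.exe -File |
        Select-Object -ExpandProperty FullName
$found = Get-AlternateStreams $exes
if ($found) {
    $found | Format-Table -AutoSize
} else {
    Write-Host 'No alternate data streams found on the scanned executables.'
}

# Caveat: 'Zone.Identifier' is a benign ADS that Windows adds to downloaded files
# (the "mark of the web") and is expected on anything saved from a browser. An
# unexplained stream on a system binary is worth a closer look, not proof by itself.
# To read a stream's content without executing anything:
#   Get-Content -LiteralPath 'C:\path\file.exe' -Stream 'streamname' -Raw
```

Because the stream length is reported separately from the file's visible size, this also shows the point DavidR makes about a small file carrying a large hidden payload: the Length column is per stream, not the size Explorer displays.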
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: essexboy on August 20, 2010, 02:56:16 PM
@gtc no fair Combofix was deleting the ones that I was going to  :)

Combofix is an exceptionally good tool, however, because of that it does get targeted by malware and can sometimes mess the system.  But, there are safety tools built in which allow us to recover the situation. Obviously they are not publicised otherwise that would negate the effect

sUBs has a paypal link for donations at BC http://www.bleepingcomputer.com/combofix/how-to-use-combofix

How is your computer running now ?

@demofax is there a log at C:\combofix.txt ?
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 20, 2010, 03:16:05 PM

Quote
ADS = Alternative Data Stream, I know you are none the wiser for that ;D

On NTFS formatted drives you have a file and that file also has an alternative data stream associated/linked to it that you can't see in windows explorer, but it can be used for legitimate purposes and unfortunately for malicious purposes. The Alternative Data Stream element of the file doesn't appear in the total file size for the file, the file could be 10KB with a virtually unlimited Alternative Data Stream size that is invisible to all intents and purposes without special tools.

Thank you for those links. I understand the concept of extended file attributes from other operating systems, but I had no idea how pathetically slack it is on NTFS. The flimsy compatibility rationale for its existence is unsustainable when compared to the free kick it gives hackers. Why on earth Microsoft persists with it is beyond me ... but then I have never considered Microsoft a clever company. I think it was Steve Jobs who described Windows as a bug-ridden GUI for DOS.  Plus ça change!
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 20, 2010, 03:31:36 PM
Quote
@gtc no fair Combofix was deleting the ones that I was going to  :)

Combofix is an exceptionally good tool, however, because of that it does get targeted by malware and can sometimes mess the system.  But, there are safety tools built in which allow us to recover the situation. Obviously they are not publicised otherwise that would negate the effect

sUBs has a paypal link for donations at BC http://www.bleepingcomputer.com/combofix/how-to-use-combofix

How is your computer running now ?

Thanks to ComboFix, and your advice, my PC is running like normal again. For the first time in days I'm able to get some work done. As I said earlier I was slowly going mad trying to get explorer and winlogon replaced.

I'll now visit bleepingcomputer and pay my dues.

I realise that running multiple AV tools simultaneously is not recommended but at the moment for me it's a case of "once bitten twice shy", so I'll run both Avast and McAfee for the time being as they don't seem to be fighting each other and my system response is fine. Ironically I had just renewed my annual subscription to McAfee before I was bitten by the trojan and the new version I just downloaded contains quite a bit more functionality. However, in my direct experience McAfee's Virus Removal Team (based in Bangalore, India from what I gathered over the phone) were out of their depth with this particular trojan.

Thank you to all who have offered information and advice. You guys are like Red Cross medics to the battle wounded.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: YoKenny on August 20, 2010, 03:45:16 PM
Read what AskLeo has to say about running 2 anti-virus applications
Quote
"Running two or more real-time anti-virus monitors at the same time is very likely to cause a conflict."
http://ask-leo.com/can_i_run_more_than_one_antivirus_program_antispyware_program_firewall_should_i.html

Quote
will using two anti virus program at the same time give better protection?

NO! Having more than one Anti-Virus program installed on your computer can cause major program conflict such as freezing up your computer, greatly slowing it down, cause false positive when scanning for Viruses or just causing all kinds of strange behavior.
http://answers.yahoo.com/question/index?qid=20080827094612AAMa1VT
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: demofax on August 20, 2010, 03:47:40 PM
Quote
@demofax is there a log at C:\combofix.txt ?

No, I cannot see one in the folder and I can't find it in a search either.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 20, 2010, 04:04:47 PM
Quote
@demofax is there a log at C:\combofix.txt ?

Quote
No, I cannot see one in the folder and I can't find it in a search either.

I'll leave it to Essexboy to follow up with you, but in my case after ComboFix ran through some 40 stages, it rebooted my PC and after the reboot it said "Creating log file. Do not run any other programs", or words to that effect.  It then began deleting a lot of files and eventually opened Notepad and displayed the contents of the log file, which it saved to C:\ and my PC was immediately ready for use.

As I didn't already have System Restore installed, I allowed it to do that before it began the stages.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: essexboy on August 20, 2010, 05:04:12 PM
@ gtc

Looking at that I am a happy bunny  :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

 Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself so..The following will implement some cleanup procedures as well as reset  System Restore points:

Run OTL


Click Start > Run  and copy/paste the following bolded text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button.  It will remove all the programmes we have used plus itself.  MBAM can be uninstalled via control panel add/remove

We will now confirm that your hidden files are set to that, as some of the tools I use will change that

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems

Upgrading Java:
SPRING CLEAN
 
Download and run Puran Disc Defragmenter (http://www.puransoftware.com/Puran-Defrag-Download.html)

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)
Keep safe  :wave:

@ demofax

OTL - Download (http://oldtimer.geekstogo.com/OTL.exe) or alternative link here (http://www.itxassociates.com/OT-Tools/OTL.exe) and here (http://www.itxassociates.com/OT-Tools/OTL.com) to your desktop

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: demofax on August 20, 2010, 07:24:41 PM
I'll leave it to Essexboy to follow up with you, but in my case after ComboFix ran through some 40 stages, it rebooted my PC and after the reboot it said "Creating log file. Do not run any other programs", or words to that effect. It then began deleting a lot of files and eventually opened Notepad and displayed the contents of the log file, which it saved to C:\, and my PC was immediately ready for use.

As I didn't already have System Restore installed, I allowed it to do that before it began the stages.

Mine ran through 50 stages then after it restarted I would log in and wait for something to happen but nothing ever did. I tried about three times with the same result :(. I didn't have System Restore installed before either so it did pretty much the same as yours by the sounds but with less luck.

I have attached the files Essexboy. Thanks so much for your assistance!
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: essexboy on August 20, 2010, 08:44:19 PM
Not sure why CF did not fix it - so let's go the manual way

Run OTL
THEN

Re-run OTL to locate good copies of the infected file
 
/md5start
winlogon.exe
explorer.exe
/md5stop


Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: demofax on August 20, 2010, 09:40:59 PM
Here is the log as you instructed.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: essexboy on August 20, 2010, 10:03:25 PM
I can also now see what files the infected ones are running.  On completion of this delete your current copy of combofix and download and run a fresh one

Run OTL
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: demofax on August 20, 2010, 10:24:37 PM
Ok just to make sure I've got this right: I run a scan of a freshly downloaded ComboFix AFTER I've run a Quick Scan in OTL and posted a new log, yes?

I'm really sorry I get a little confused and I want to get this right :D. Thanks so very much for your patience and help!
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: essexboy on August 20, 2010, 10:26:40 PM
No problem - it is easy for me because I know what I want  ;D

Yes, run the OTL fix, then download and run a fresh copy of Combofix. No need to run a fresh OTL scan unless Combofix fails.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: demofax on August 20, 2010, 10:27:29 PM
Awesome, thanks so much, I'll do that now! :)
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: demofax on August 20, 2010, 10:36:30 PM
Ok here is the latest log. I'm just about to run ComboFix.

EDIT: Just ran CF and I still can't find a log after reboot. :(
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 21, 2010, 03:28:01 AM
@ gtc

Looking at that I am a happy bunny  :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Okay, I have updated Java and done all of those cleanups, except this ...

Quote from: essexboy
MBAM can be uninstalled via control panel add/remove

... because it seems to be at odds with this suggestion ...

Quote from: essexboy
Malwarebytes (http://www.malwarebytes.org/mbam-download.php).  Run weekly to keep your system clean

Another question: When the Avast! icon in the tray stops revolving -- as it does periodically -- what does that imply?

Thanks again for all of your help.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: demofax on August 23, 2010, 12:44:33 AM
Hey guys, Avast just blocked another Bamital-X, except this time it's a little different to what I've seen before:

(http://www.fileden.com/files/2008/5/3/1894307//strange explorer.PNG)

As you can see this appeared as I was running a scan in MBAM. Forgive me if I've got this completely wrong, but is it saying that it blocked an item already in quarantine? I thought things were safe once they were in there? Or is this something different?

I'm just a tad worried since I don't understand these things too well and this seems strange to me. :(
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 23, 2010, 05:56:45 AM
As you can see this appeared as I was running a scan in MBAM. Forgive me if I've got this completely wrong, but is it saying that it blocked an item already in quarantine? I thought things were safe once they were in there? Or is this something different?

I ended up with explorer.vir on my PC after one of the AV tools (I forget which) detected that explorer.exe was infected. I would term it a form of flagging rather than quarantining because the infected explorer.exe was still there until ComboFix fixed that situation for me. I have since deleted explorer.vir.

Edit: fixed typo
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: demofax on August 23, 2010, 02:09:58 PM
Ah, I think I understand. Thanks for that. I'm gonna try and get ComboFix to work again since it seems to have worked wonders for you. I'm pretty envious :P Heheh.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 23, 2010, 05:59:09 PM
Ah, I think I understand. Thanks for that. I'm gonna try and get ComboFix to work again since it seems to have worked wonders for you. I'm pretty envious :P Heheh.

Bear in mind (see my early posts) that I had already attacked the problem with a lot of heavy artillery before coming onto this forum seeking help, and then Essexboy put me onto ComboFix to finish off the job, which was to get rid of the infected winlogon.exe and explorer.exe.

OTL then cleaned up a bunch of stuff, too, I gather.

I hope that you eventually get a similar result.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: essexboy on August 23, 2010, 08:34:58 PM
@gtc the apparent conflict with MBAM is where you are offered the opportunity to remove it if you wish - but the recommendation is to keep it

@demofax sorry for the delay I appear to have lost notification

Run OTL
On completion of this run, delete your current copy of Combofix, download a fresh copy and then run it.


If again it fails to run then run the following OTL scan

/md5start
explorer.exe
winlogon.exe
/md5stop


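The /md5start ... /md5stop directive above, like the one essexboy gave earlier for the same two files, asks OTL to list the MD5 of every copy of explorer.exe and winlogon.exe it can find so that a clean copy can be identified. As an added illustration that is not part of this thread and not OTL's or ComboFix's own code, the PowerShell script below does that comparison by hand on an XP-era system: it hashes the live copies and the copies Windows keeps in its File Protection cache (dllcache) and the service-pack install folder (the folder gtc's later post says ComboFix sourced its replacements from). Both backup locations are assumptions; adjust them for your system.

```powershell
# Added example, not from the thread: compare live system binaries the thread
# discusses with the backup copies Windows keeps, and report which ones match.
# MD5 is used only so the output lines up with OTL's own md5 listing.

$Names = @('winlogon.exe', 'explorer.exe')

# Live locations: winlogon.exe sits in system32, explorer.exe in %SystemRoot%.
$Live = @{
    'winlogon.exe' = Join-Path $env:SystemRoot 'system32\winlogon.exe'
    'explorer.exe' = Join-Path $env:SystemRoot 'explorer.exe'
}

# Assumed known-good sources (adjust for your system): the Windows File
# Protection cache and the XP service-pack install folder.
$BackupDirs = @(
    (Join-Path $env:SystemRoot 'system32\dllcache'),
    (Join-Path $env:SystemRoot 'ServicePackFiles\i386')
)

# .NET hashing rather than Get-FileHash, which does not exist on the
# PowerShell 2.0 that XP machines of this era would have.
function Get-FileMd5 {
    param([string]$Path)
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        return ([System.BitConverter]::ToString($md5.ComputeHash($stream))).Replace('-', '')
    } finally {
        $stream.Close()
    }
}

foreach ($name in $Names) {
    $livePath = $Live[$name]
    if (-not (Test-Path $livePath)) {
        Write-Output "$name : live copy missing at $livePath"
        continue
    }
    $liveHash = Get-FileMd5 $livePath
    $liveSize = (Get-Item $livePath).Length
    Write-Output "$name  LIVE     $liveHash  $liveSize bytes  $livePath"

    # Each backup copy is reported as MATCH or DIFFERS against the live file.
    foreach ($dir in $BackupDirs) {
        $bak = Join-Path $dir $name
        if (-not (Test-Path $bak)) { continue }
        $bakHash = Get-FileMd5 $bak
        $verdict = if ($bakHash -eq $liveHash) { 'MATCH  ' } else { 'DIFFERS' }
        Write-Output "$name  $verdict  $bakHash  $((Get-Item $bak).Length) bytes  $bak"
    }
}
```

A DIFFERS verdict on its own is not proof of infection, since a hotfix can legitimately leave the live copy newer than the cached one; a live file that matches none of the backups and is also the one the antivirus flags is the case the thread is about.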
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: YoKenny on August 23, 2010, 09:41:44 PM
@ gtc

I see that you now have more than 20 posts which will permit you to update your profile to include signature information.

Go to PROFILE then Modify Profile then Forum Profile Information then Signature: and put information about your system, just like my signature, so that the helpers can offer pertinent advice.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: PORTS on August 24, 2010, 02:47:34 AM
Hi Guys, I also had problems with this virus. Apparently I tried almost everything I saw to correct it, but it keeps coming back, reported by Avast as still active (both Explorer.exe and winlogon.exe).

Please help guys, it's been annoying as I only get a blank screen after Windows logon.
Thanks and more power...

Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: PORTS on August 24, 2010, 03:04:26 AM
here's the extras.txt

thanks again...
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: Jtaylor83 on August 24, 2010, 03:15:09 AM
There's a new version of Hitman Pro (3.5.6 Build 110) (http://www.surfright.nl/en/hitmanpro) that can remove the Bamital/Drooptroop trojan (http://hitmanpro.wordpress.com/2010/08/22/bamital-drooptroop-remediation/).
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: PORTS on August 24, 2010, 03:34:16 AM
Thanks mate, I will give it a try....

I ran Combofix; I did not see it repair/replace the WINLOGON.EXE, only the EXPLORER.EXE was successfully repaired, and it deleted a number of files...
When it rebooted, the desktop is now back, but Avast is still reporting a threat with winlogon.
Maybe I missed something...

thanks...
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: PORTS on August 24, 2010, 05:08:34 AM
Okay, I downloaded the HITMAN and ran it... It showed a lot of ads etc. infecting my PC, one of which showed the WINLOGON.EXE being infected...
At the end of the scan, it asked for a reboot to disinfect.... After reboot, my desktop appeared, and I did a re-scan, at which the WINLOGON.EXE appeared infected, again...

Re-ran HITMAN and rebooted... Desktop now is gone. Using Task Manager, I ran HITMAN once more and WINLOGON.EXE appeared infected.. Reboot.... Re-scan and the WINLOGON.EXE is not showing anymore... however, my desktop is still not appearing.

Using task manager, I ran COMBOFIX, and the WINLOGON.EXE "did not" appear, however, the EXPLORER.EXE appeared as infected, CF successfully repaired and reboot.

After reboot, the desktop appeared and waited for the log.txt to come up.  Did a re-scan with HITMAN and nothing appeared anymore being infected...

Re-ran AVAST and nothing appeared infected...

Wow, so it was a combination of both...  So, thanks to all your posts guys, hopefully my problem is solved and will install additional anti-malware as you suggested. 

I got infected when visiting a site, and my Avast protection was disabled..

More power to you guys....
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 24, 2010, 06:49:48 AM
Wow, so it was a combination of both...  So, thanks to all your posts guys, hopefully my problem is solved and will install additional anti-malware as you suggested.  

The desktop, the start button and the task bar are managed by explorer.exe, so when that is not running or is compromised, you get a black screen instead of your desktop.

I had to boot in safe mode (with or without networking) and run the various fixes in that mode.

For me, Hitman Pro was the tool that stopped the major symptoms of this Bamital thing and allowed me to regain some control of my PC again, but it didn't/couldn't remove the infected versions of explorer.exe and winlogon.exe.

ComboFix announced that it had installed new (valid) versions of those programs, sourcing them from the SP install folders on my C drive.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 24, 2010, 06:52:24 AM
@gtc the apparent conflict with MBAM is where you are offered the opportunity to remove it if you wish - but the recommendation is to keep it

Thanks, I will.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: essexboy on August 24, 2010, 06:37:46 PM
Evening gents - it gets very confusing when you all post in the same thread, and is virtually impossible to keep track of who is who.  So if you have this problem could you start a new thread so that I know who I am talking to  ;D
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: gtc on August 24, 2010, 06:55:07 PM
So if you have this problem could you start a new thread so that I know who I am talking to  ;D

As the original poster whose problems have been solved, and to eliminate confusion about other posters' issues, I ask the moderators to please close this thread. Thanks. :)
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: DavidR on August 24, 2010, 07:47:27 PM
Go back and click the Modify button in your original post, adding [Resolved] to the end of the title.
Title: Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
Post by: YoKenny on August 24, 2010, 08:46:52 PM
It would also help if gtc updated the signature:
http://forum.avast.com/index.php?topic=62962.msg533088#msg533088