I have used various malware removal tools to get rid of the trojan.
What other tools did you use?
Object: C:\WINDOWS\system32\winlogon.exe
Infection: win32:Bamital-X
Action:
Process: C:\Program Files\Mozilla Firefox\firefox.exe
The threat was detected and blocked just before the file was executed.
This means that Avast is doing its job...this is a good thing.
I need some more information from you:
- What is your OS (32 or 64-bit)?
- What other security software do you have on your system? Do you have a Firewall?
- How did you remove McAfee? Their uninstaller tool or some other way?
- Are you up to date with your MS Updates and software updates?
- What other tools did you use?
Trojan:Win32/Bamital.A patches and redirects the following functions of the Windows Socket module, which are used by the browser, to its malicious routine so it can monitor and modify Web search queries and offer its own online advertisements.
Have you run any Avast scans (Full or Boot-time scans)?
Is anything sitting in your Virus Chest? If so, please give the exact name and spelling of the name of the item (or a clear screen shot). If you have not run these scans, please do so and report back along with the above answers. Thank you.
- avast5 - Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\* That will stop the File System Shield scanning any file you put in that folder. Now enter the chest again and Extract the file to the Suspect folder and upload it to VT.
http://forum.avast.com/index.php?topic=62072.msg524498#msg524498
Avast also reported that EXPLORER.EXE and WINLOGON.EXE were trojans and suggested action was delete.
This seems unlikely and avast does not suggest to delete at any time.
If this is the case, it does appear that google update app is compromised.
I'm a bit surprised. You might find that the updates are failing
Also, not a convincing enough message popup, so lets see what virustotal has to say.
Do you know how to retrieve from chest and send to virustotal?
Sorry, should have said that there is a record of google update in Windows Event viewer
- right-click Computer and select Manage, in the list on the left you can see Event Viewer, click this and choose Applications
- if the updates are failing, you see them there in red lettering
the updater always has been a bit annoying
It may well be an ADS attached to those files or running as a netsvc
I tried running gmer twice, but after about 30 minutes each time it hung the system. I think I may have too many AV tools running at once.
- Download GMER
- Extract the contents of the zipped file to desktop.
- Double click GMER.exe.
- If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
- In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
- Save the log where you can easily find it, such as your desktop.
Please copy and paste the report into your Post.
I think I may have too many AV tools running at once.
Can you clarify what you currently are running as resident AV's: Avast, McAfee Suite, Avira, Windows Defender (WD)...any others or did you uninstall any of these per the vendor's uninstall utility tools or another way? On-demand items are fine to keep as is.
I'll go ahead and try OTL.
Your OTL logs did not come through on the postings. You should have 2 separate logs since they are large. You will need to attach the OTL logs to the post. To attach the logs: go to the post screen > "Additional Options" > "Attach" > click in the box next to attach where you stored your OTL log and click browse to find it > post. Do this for BOTH of your OTL logs (which hopefully you saved to your desktop to find easily). Thank you.
It may well be an ADS attached to those files or running as a netsvc
What is an "ADS"?
ADS = Alternative Data Stream, I know you are none the wiser for that ;D
On NTFS formatted drives you have a file and that file also has an alternative data stream associated/linked to it that you can't see in windows explorer, but it can be used for legitimate purposes and unfortunately for malicious purposes. The Alternative Data Stream element of the file doesn't appear in the total file size for the file, the file could be 10KB with a virtually unlimited Alternative Data Stream size that is invisible to all intents and purposes without special tools.
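As an added example (not from the thread), a PowerShell script that makes those invisible streams visible: it lists every alternate data stream under a folder, reports its size, and notes whether the stream starts with a PE header. It assumes Windows PowerShell 3.0 to 5.1 on an NTFS volume; the folder C:\Suspect is an assumed path (the thread's own exclusion folder).

```powershell
# Added example, not from the thread: list alternate data streams (ADS) under a
# folder so the hidden bytes the post describes become visible.
# Assumes Windows PowerShell 3.0-5.1 on an NTFS volume; $Root is an assumed path.
param([string]$Root = 'C:\Suspect')

function Get-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Every file has the unnamed ':$DATA' stream; any other name is an ADS.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            # Peek at the first two bytes: 'MZ' (0x4D 0x5A) means an executable
            # image is parked in the stream, which deserves a closer look.
            $head = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                        -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                File    = $file.FullName
                Stream  = $_.Stream
                Bytes   = $_.Length          # not included in Explorer's size column
                LooksPE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            }
        }
    }
}

# 'Zone.Identifier' is the benign mark-of-the-web on downloaded files; anything
# else, especially a stream that looks like a PE image, is worth investigating.
Get-AlternateStreams -Path $Root | Format-Table -AutoSize
```

On PowerShell 7 replace `-Encoding Byte` with `-AsByteStream`; the rest is unchanged.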
@gtc no fair Combofix was deleting the ones that I was going to :)
Combofix is an exceptionally good tool, however, because of that it does get targeted by malware and can sometimes mess the system. But, there are safety tools built in which allow us to recover the situation. Obviously they are not publicised otherwise that would negate the effect
sUBs has a paypal link for donations at BC http://www.bleepingcomputer.com/combofix/how-to-use-combofix
How is your computer running now ?
"Running two or more real-time anti-virus monitors at the same time is very likely to cause a conflict."
http://ask-leo.com/can_i_run_more_than_one_antivirus_program_antispyware_program_firewall_should_i.html
Will using two anti virus programs at the same time give better protection?
http://answers.yahoo.com/question/index?qid=20080827094612AAMa1VT
NO! Having more than one Anti-Virus program installed on your computer can cause major program conflicts such as freezing up your computer, greatly slowing it down, causing false positives when scanning for Viruses or just causing all kinds of strange behavior.
@demofax is there a log at C:\combofix.txt ?
No, I cannot see one in the folder and I can't find it in a search either.
:Commands
[resethosts]
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]
I'll leave it to Essexboy to follow up with you, but in my case after ComboFix ran through some 40 stages, it rebooted my PC and after the reboot it said "Creating log file. Do not run any other programs", or words to that effect. It then began deleting a lot of files and eventually opened Notepad and displayed the contents of the log file, which it saved to C:\ and my PC was immediately ready for use.
As I didn't already have System Restore installed, I allowed it to do that before it began the stages.
:OTL
IE - HKU\S-1-5-21-73586283-1757981266-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
O2 - BHO: (no name) - {36AFEEAB-DCD9-4A9A-8CEB-EC6632A8D7E2} - No CLSID value found.
O2 - BHO: (no name) - {4C98FE11-C0C6-4DA2-90C0-97D4B217AC10} - No CLSID value found.
O2 - BHO: (no name) - {BF04C4E2-F769-4345-8C5B-867A35EF0298} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKU\S-1-5-21-73586283-1757981266-839522115-1003\..\Toolbar\ShellBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-73586283-1757981266-839522115-1003\..\Toolbar\ShellBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O4 - HKLM..\Run: [Lrowiweyifegizut] C:\WINDOWS\afekaqib.DLL ()
O20 - Winlogon\Notify\ddcASiih: DllName - ddcASiih.dll - File not found
[2010/08/16 17:33:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TARA\Local Settings\Application Data\doffqsstj
[2010/08/16 17:33:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TARA\Application Data\doffqsstj
[2010/08/20 17:44:51 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Tjoxalafunanerul.dat
[2010/08/16 17:35:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Opiweyuz.bin
[2010/08/16 17:33:53 | 000,000,005 | ---- | C] () -- C:\zrpt.xml
[2009/01/10 12:25:11 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\duerokxm.ini
[2009/01/09 00:03:55 | 001,254,442 | -HS- | C] () -- C:\WINDOWS\System32\swjwavgp.ini
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
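As an added example (not the thread's own script), a PowerShell check that reads back the three kinds of entries the OTL fix above removes: a loopback IE proxy, a Run value that is nothing but a DLL path, and a Winlogon Notify package whose DLL no longer exists. It assumes Windows PowerShell 3.0 or later run as an administrator; the function names are mine.

```powershell
# Added example, not from the thread: read back the three kinds of entries the
# OTL fix above removes (loopback IE proxy, a Run value that is a bare DLL,
# a Winlogon Notify package whose DLL is missing) so the result can be reviewed.
# Assumes Windows PowerShell 3.0 or later run as an administrator.
function Test-LoopbackProxy {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $ie = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # A proxy on 127.0.0.1 is how the thread's search hijack relayed the browser.
    if ($ie -and $ie.ProxyServer -match '127\.0\.0\.1|localhost') {
        [pscustomobject]@{ Check = 'IE proxy'; Where = $key
                           Value = $ie.ProxyServer; Enabled = $ie.ProxyEnable }
    }
}

function Get-RunValuesThatAreBareDlls {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        # Legitimate entries launch an .exe (or rundll32.exe with a DLL argument);
        # a value that is nothing but a DLL path, like the O4 line above, is odd.
        $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and $_.Value -match '^\s*"?[^"]+\.dll"?\s*$' } |
        ForEach-Object { [pscustomobject]@{ Check = 'Run value'; Where = $k
                                            Value = "$($_.Name) = $($_.Value)" } }
    }
}

function Get-WinlogonNotifyWithMissingDll {
    $base = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).DllName
        if (-not $dll) { return }
        # Unqualified names are loaded from System32; a registered package whose
        # file no longer exists (the O20 'File not found' line) is a leftover hook.
        $full = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path $env:SystemRoot "System32\$dll" }
        if (-not (Test-Path -LiteralPath $full)) {
            [pscustomobject]@{ Check = 'Winlogon Notify'; Where = $_.PSChildName; Value = $dll }
        }
    }
}

Test-LoopbackProxy
Get-RunValuesThatAreBareDlls
Get-WinlogonNotifyWithMissingDll
```

Anything it prints is a lead to review, not something to delete on sight: on a clean machine all three functions return nothing.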
:OTL
IE - HKU\S-1-5-21-73586283-1757981266-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
O4 - HKLM..\Run: [Lrowiweyifegizut] C:\WINDOWS\afekaqib.DLL ()
O20 - Winlogon\Notify\ddcASiih: DllName - ddcASiih.dll - File not found
[2010/08/20 20:02:05 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Tjoxalafunanerul.dat
[2010/08/16 17:35:23 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Tjoxalafunanerul.dat
[2010/08/16 17:35:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Opiweyuz.bin
[2010/08/16 17:33:53 | 000,000,005 | ---- | C] () -- C:\zrpt.xml
[2009/01/10 12:25:11 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\duerokxm.ini
[2009/01/09 00:03:55 | 001,254,442 | -HS- | C] () -- C:\WINDOWS\System32\swjwavgp.ini
[2001/08/23 13:00:00 | 000,190,976 | ---- | C] () -- C:\WINDOWS\afekaqib.dll
[2010/08/18 14:40:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TARA\Application Data\doffqsstj
:Files
C:\WINDOWS\system32\winlogon.exe|C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe /replace
C:\WINDOWS\explorer.exe|C:\Documents and Settings\All Users\Documents\explorer.exe /replace
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
@gtc
Looking at that I am a happy bunny :)
I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems
MBAM can be uninstalled via control panel add/remove
Malwarebytes (http://www.malwarebytes.org/mbam-download.php). Run weekly to keep your system clean
As you can see this appeared as I was running a scan in MBAM. Forgive me if I've got this completely wrong, but is it saying that it blocked an item already in quarantine? I thought things were safe once they were in there? Or is this something different?
Ah, I think I understand. Thanks for that. I'm gonna try and get ComboFix to work again since it seems to have worked wonders for you. I'm pretty envious :P Heheh.
:OTL
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
O2 - BHO: (no name) - {36AFEEAB-DCD9-4A9A-8CEB-EC6632A8D7E2} - No CLSID value found.
O2 - BHO: (no name) - {4C98FE11-C0C6-4DA2-90C0-97D4B217AC10} - No CLSID value found.
O2 - BHO: (no name) - {BF04C4E2-F769-4345-8C5B-867A35EF0298} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
[2010/08/20 10:14:36 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Opiweyuz.bin
[2010/08/16 17:55:07 | 000,002,960 | ---- | M] () -- C:\WINDOWS\lsrslt.ini
[2010/08/16 17:33:53 | 000,000,005 | ---- | M] () -- C:\zrpt.xml
[2010/08/16 17:35:23 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Tjoxalafunanerul.dat
[2010/08/16 17:35:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Opiweyuz.bin
[2009/01/10 12:25:11 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\duerokxm.ini
[2009/01/09 00:03:55 | 001,254,442 | -HS- | C] () -- C:\WINDOWS\System32\swjwavgp.ini
[2001/08/23 13:00:00 | 000,190,976 | ---- | C] () -- C:\WINDOWS\afekaqib.dll
[2010/08/18 14:40:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TARA\Application Data\doffqsstj
:Files
ipconfig /flushdns /c
:Commands
[purity]
[resethosts]
[emptytemp]
[EMPTYFLASH]
[CREATERESTOREPOINT]
[Reboot]
Wow, so it was a combination of both... So, thanks to all your posts guys, hopefully my problem is solved and will install additional anti-malware as you suggested.
@gtc the apparent conflict with MBAM is where you are offered the opportunity to remove it if you wish - but the recommendation is to keep it
So if you have this problem could you start a new thread so that I know who I am talking to ;D