Author Topic: win32:Bamital-AE in winlogon Help Please

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: win32:Bamital-AE in winlogon Help Please
« Reply #15 on: October 21, 2010, 11:53:23 AM »
When you download Dr.Web, save it to the desktop and run it from there. You should see a green icon.

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: win32:Bamital-AE in winlogon Help Please
« Reply #16 on: October 21, 2010, 11:55:18 AM »
Umsami, you are running too much antivirus at the same time: Symantec, avast, to say the least.

There will be problems, as different brands of antivirus are likely to compete when running at the same time; it has been explained as two dogs fighting over the one bone.

You need, at the very least, to decide between running avast or Symantec.
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

umsami

  • Guest
Re: win32:Bamital-AE in winlogon Help Please
« Reply #17 on: October 21, 2010, 03:47:16 PM »
Thanks. I had only Avast on, but my husband has added all of the ones he likes in hopes of fixing it.  He doesn't believe in Avast; whereas I'm quite happy with it. 

I think I'm just going to reformat everything.  It's easier. :)

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: win32:Bamital-AE in winlogon Help Please
« Reply #18 on: October 21, 2010, 07:23:42 PM »
I was reading your opening post, but now I've looked at some of the logs and I know what you mean.
The system is very cluttered; it would be quite a job to tidy up anyway.

You could try to upload the file c:\windows\system32\winlogon.exe to Virustotal and see what the results are:

http://www.virustotal.com/

Click Choose File, browse to the winlogon.exe file on your computer, upload it to Virustotal and click Send File.
If you are able to do this, post the results here.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: win32:Bamital-AE in winlogon Help Please
« Reply #19 on: October 21, 2010, 08:51:18 PM »
Winlogon and Explorer have data attached to them by the malware - if you run the version of Dr Web that I posted from safe mode that should cure it.  On completion we will then check for any remaining malware and look at giving your system a little TLC  ;D

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: win32:Bamital-AE in winlogon Help Please
« Reply #20 on: October 21, 2010, 09:56:17 PM »
essexboy's is the best advice on this infection, umsami,

so it is well worth following his guidance rather than reformatting, which is a last resort.

umsami

  • Guest
Re: win32:Bamital-AE in winlogon Help Please
« Reply #21 on: October 21, 2010, 10:26:55 PM »
Thanks. Dr. Web didn't find anything. I downloaded the full version, removed/disabled everything else, and it took over 4 hours to run, and didn't find a thing. I'm a bit confused. Now I'm rescanning just the System32 folder to see if it's in there hiding or something.

I may reboot and see what happens.  Dr. Web didn't find anything with either the express or complete scans--which has me baffled.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: win32:Bamital-AE in winlogon Help Please
« Reply #22 on: October 21, 2010, 10:36:28 PM »
Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Click on Minimal Output at the top
  • Select All Users
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them in your topic.

pepe2

  • Guest
Re: win32:Bamital-AE in winlogon Help Please
« Reply #23 on: October 24, 2010, 02:44:03 AM »
I can shed some light on this. One of my old desktops (XP SP3 with no patch, IE7, Comodo firewall + avast free) got infected by this the other day. The infection came through from a link from Google, I think (my mother was using it; I don't know what she searched). In the Avast warning it said "Avast BLOCKED... blah blah", but the virus still came through.

Anyway, the virus infects Winlogon.exe in the System32 folder, and explorer.exe + explorer.scf (the explorer file with no extension) in the System folder. When infected, there are no symptoms at first. Upon reboot the logon process will be VERY SLOW. And once you finally get into Windows, the desktop does not show anything. No taskbar, nothing. Even if you don't reboot, it will still infect the explorer.exe file when you close/reopen an IE window. The taskbar and all open windows immediately disappear and you're left with the empty desktop. Avast is NOT ABLE to block this infection attempt. The only way to navigate through Windows is the Task Manager.

The virus will drop its payload files in the following folder:
C:\Documents and Settings\All Users\Documents\Server
The Server folder is hidden by default. The payload codes are in the file hlp.dat, so search for this file if it's not in the above mentioned folder. The virus also disables System Restore by modifying Windows Registry.

Here are some links for similar viruses:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FBamital.C

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3aWin32%2fBamital.G

According to the link, the Bamital series viruses are supposed to redirect online searches to show ads. But for some reason this -AE variant, at least in my case, disabled file browsing in Windows. How am I supposed to see your awesome ads if I can't even find and open my internet browser? LOL :P

I'm just going to reformat my PC since I've been putting it off for months now and this finally gave me a reason.

Some links that might help the OP:
http://hitmanpro.wordpress.com/2010/08/19/bamital-trojan-infects-winlogon-exe-and-explorer-exe/

http://www.techspot.com/vb/topic154311.html

http://www.techspot.com/vb/topic151593.html
« Last Edit: October 24, 2010, 03:15:49 AM by pepe2 »

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: win32:Bamital-AE in winlogon Help Please
« Reply #24 on: October 24, 2010, 03:55:57 AM »
The Bamital-AE detection that avast is calling is particular in this case, and likely parallels a few closely similar detections that have been posted recently to the virus and worms topics. But the general Bamital indicators will also be common across a range of infection cases, notably rootkit-like character, with backdoor trojans, attempts to control key system files, the boot process and network connections, compromise of winlogon and explorer, growing worse over time but able to be thwarted by intervention at an early stage. That said, we haven't really had a decisive rule on this Bamital-AE call just yet. Essexboy can write specific fixes for particular cases, but so far, from what I can gather, there is nothing in the logs generated in this case that points to an obvious fix. Another OTL scan as requested by essexboy would be helpful.

In Bamital-AE detections, the following entry has popped up under services:
SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found

But in XP, which is the case here, Hidserv can be disabled,
and yet the dll should ordinarily be found, so this needs resolving.

In this case, and as yet I have found it only in this case, the following entry:
SRV - (AppMgmt) -- C:\WINDOWS\System32\appmgmts.dll File not found

With the amount of apps running and others seemingly no longer installed but still carrying records, I would think some kind of app management in installation services would be pressing. The OP would be advised to follow up on the missing dll file; perhaps the file is corrupted, or the service is now manipulated by malware.

From the user's point of view, some of these systems posted to the forum need to be tidied up through uninstalling old or surplus programs and running a single antivirus as resident. Using ccleaner, mbam and virustotal to provide different calls on suspect files can be useful, HijackThis is easy to use and can be helpful for tidying up and removing surface rubbish, and really some housework on the client desktops would make the log files generated by OTL a lot less time-consuming to work through. And importantly, it would allow Essexboy to get to the root of any infection a lot quicker and be more comfortable writing fixes.
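One way to triage the OTL service entries quoted above, as an added example that is not from this thread or from the OTL tool itself: it parses "SRV - (name) -- path" lines and lists the services whose binary OTL reported as "File not found". The sample log is constructed, and the layout assumed for found files (a trailing parenthesised vendor string) is an assumption, which the parser tolerates being absent.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# OTL service lines as quoted in the thread, e.g.
#   SRV - (HidServ) -- C:\WINDOWS\System32\hidserv.dll File not found
# For files that exist, a parenthesised vendor string is assumed to follow
# the path; the parser also accepts a bare path.
SRV_LINE = re.compile(r"^SRV\s+-\s+\((?P<name>[^)]+)\)\s+--\s+(?P<rest>.+?)\s*$")
MISSING = "File not found"


@dataclass
class ServiceEntry:
    name: str         # service short name, e.g. HidServ
    path: str         # binary path OTL recorded for the service
    file_found: bool  # False when OTL reports "File not found"
    vendor: Optional[str] = None


def parse_srv_line(line: str) -> Optional[ServiceEntry]:
    """Parse one OTL SRV line; return None for any other line."""
    m = SRV_LINE.match(line.strip())
    if not m:
        return None
    name, rest = m.group("name"), m.group("rest")
    if rest.endswith(MISSING):
        return ServiceEntry(name, rest[: -len(MISSING)].strip(), False)
    vendor = None
    vm = re.match(r"^(?P<path>.+?)\s+\((?P<vendor>[^()]*)\)$", rest)
    if vm:
        rest, vendor = vm.group("path"), vm.group("vendor")
    return ServiceEntry(name, rest, True, vendor)


def missing_service_files(log_text: str) -> List[ServiceEntry]:
    """Services whose binary OTL could not find: the entries worth following
    up on (file corrupted or removed, or the service tampered with)."""
    entries = (parse_srv_line(ln) for ln in log_text.splitlines())
    return [e for e in entries if e is not None and not e.file_found]


# Constructed sample log: the two lines discussed in the thread plus a
# made-up healthy Microsoft service and a section header for contrast.
SAMPLE_OTL = """\
========== Services ==========
SRV - (HidServ) -- C:\\WINDOWS\\System32\\hidserv.dll File not found
SRV - (Schedule) -- C:\\WINDOWS\\system32\\svchost.exe (Microsoft Corporation)
SRV - (AppMgmt) -- C:\\WINDOWS\\System32\\appmgmts.dll File not found
"""

if __name__ == "__main__":
    for e in missing_service_files(SAMPLE_OTL):
        print(f"{e.name}: {e.path} missing; verify the service before trusting it")
```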

AntiLock

  • Guest
Re: win32:Bamital-AE in winlogon Help Please
« Reply #25 on: October 24, 2010, 10:26:15 PM »
Hey guys, I've come here with what I think is the same problem as the OP's. It's showing as Bamital-AE, infecting Windows. I can still use my computer if I just run everything through Task Manager, and explorer.exe will only run if I turn off my real-time shields in avast. I figure it's already in, it's not gonna do much worse, eh? Maybe not the best idea, but either way, I'm starting with Dr.Web to see what happens. Are there any other tests you guys would like me to run so you can see what's going on and maybe give you some insight into this infection and how it can be cured?

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: win32:Bamital-AE in winlogon Help Please
« Reply #26 on: October 24, 2010, 11:59:50 PM »
As you are already limited to using Task Manager on your system, it would be best to start on this immediately:

http://forum.avast.com/index.php?topic=53253.0

Run an mbam scan to see what comes up
- update mbam before the scan, and take action (that is, quarantine and remove) as mbam advises once the scan is complete.

OTL log and extras are helpful to analyze what exactly is happening inside your system