Author Topic: Avast keeps reporting a Bamital-X infection of winlogon.exe [RESOLVED]  (Read 30817 times)

gtc

  • Guest
I'm running Avast v5.0.594 with definition version 100818-1

Thanks to McAfee not catching it, my PC was recently infected with the trojan that Microsoft calls Win32/Bamital.A and Kaspersky calls Win32.agent.bmkl

I have used various malware removal tools to get rid of the trojan, and McAfee Virus Removal staff have remotely accessed my PC and double-checked my work, but Avast occasionally pops up this warning:

MALWARE BLOCKED
Avast file system shield has blocked a threat.
No further action is required.

Object: C:\WINDOWS\system32\winlogon.exe
Infection: win32:Bamital-X
Action:
Process: C\program Files\Mozilla Firefox\firefox.exe

The threat was detected and blocked just before the file was executed.


My question is: if the trojan has been supposedly removed, why does Avast target my winlogon.exe program when I start a new firefox session?
« Last Edit: August 25, 2010, 07:09:29 AM by gtc »

Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1371
  • Soli Deo Gloria
    • PT Garuda Sinatriya Globalindo
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #1 on: August 19, 2010, 11:26:47 AM »
Hi GTC,

Welcome to the avast forum,

By the way, you have the same problem as my friend, who previously used McAfee, and the trojan easily infected his machine.
After that the machine couldn't be accessed, and after each reboot the machine always showed a blank display and didn't display the login page. According to the forum information, winlogon.exe is probably detected as spyware; please see the link: hxxp://filehippo.com/download_malwarebytes_anti_malware/

From the information I have, this trojan changes your registry, especially the winlogon value. You may try to download and install avast! antivirus in safe mode and then do the boot-time scan. But if you still can't do that, you may try to download Dr.Web Scanner and scan your system with it.

To complete the scans, you may download MalwareBytes and re-scan with MBAM.

I hope you can solve your issue.

cheers,
Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya

SafeSurf

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #2 on: August 19, 2010, 11:36:45 AM »
I need some more information from you:

- What is your OS (32 or 64-bit)?
- What other security software do you have on your system?  Do you have a Firewall?
- How did you remove McAfee?  Their uninstaller tool or some other way?
- Are you up to date with your MS Updates and software updates?

Quote
I have used various malware removal tools to get rid of the trojan
- What other tools did you use?

Quote
Object: C:\WINDOWS\system32\winlogon.exe
Infection: win32:Bamital-X
Action:
Process: C\program Files\Mozilla Firefox\firefox.exe
The threat was detected and blocked just before the file was executed.

This means that Avast is doing its job...this is a good thing.

Trojan:Win32/Bamital.A patches and redirects the following functions of the Windows Socket module, which are used by the browser, to its malicious routine so it can monitor and modify Web search queries and offer its own online advertisements.

Have you run any Avast scans (Full or Boot-time scans)?
Is anything sitting in your Virus Chest?  If so, please give the exact name and spelling of the name of the item (or a clear screen shot).  If you have not run these scans, please do so and report back along with the above answers.  Thank you.





SafeSurf

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #3 on: August 19, 2010, 11:40:42 AM »
gtc,

MBAM is a good tool.  If anything comes up that is infected, put it into quarantine.  Please copy and paste your log results here in the forum for us to analyze and we can help you better.  Thank you.

gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #4 on: August 19, 2010, 01:10:38 PM »
Thank you for all of the responses. I'll reply to this one as it asks the most questions.

Quote
I need some more information from you:

- What is your OS (32 or 64-bit)?
- What other security software do you have on your system?  Do you have a Firewall?
- How did you remove McAfee?  Their uninstaller tool or some other way?
- Are you up to date with your MS Updates and software updates?

I'm running XP Pro SP3
Until the trojan struck I have been running McAfee Suite, which includes a firewall as I understand it.
I have not removed McAfee.
Yes, I have MS updates enabled

Quote
- What other tools did you use?

When the trojan struck, McAfee reported that the trojan "Backdoor-DKI!env.b quarantined", however it was either too late or too little because it got through. I figure that McAfee noticed just a small part of this hydra-headed thing. Initial visible symptoms were a pop-up saying "Java Update in progress" (or words to that effect) and then a blank YouTube video screen was shown. After that the usual symptoms of these things: invented spyware alerts, all attempts to run applications were hijacked, I was routed to porn sites, and attempts to run IE or Firefox displayed a phony warning sign about infection and wanting me to purchase alleged spyware removal software.

I have never had this happen to me before, but I've seen it happen to other people. The trojan host was a car club forum that Google subsequently marked as unsafe.

McAfee support emailed me Stinger.exe which made no difference whatsoever. I noted that the build date for Stinger was March 18, 2010 -- five months ago.

So, I went to the internet cafe up the street and did some research on the symptoms. In the end I used the following ...

Avira
Avast!
Hitman Pro 3.5
Gmer
Malware Bytes
Window Security Scan
Windows Defender

... each of which took a slightly different and/or informed view of the problem and reported and/or took various actions. Hitman Pro was the tool that zapped the trojan hardest and let me get control back of my PC to the point when I could run the other stuff.

After doing full system scans by all tools numerous times, I involved McAfee Virus Team and by remote access to my PC they ran various tools as well. They found evidence of where the trojan had been, such as a left over but now empty directory, however I got the impression that I now knew more about this thing than they did. I'm not at all happy with McAfee -- but that's another story.

Quote
Trojan:Win32/Bamital.A patches and redirects the following functions of the Windows Socket module, which are used by the browser, to its malicious routine so it can monitor and modify Web search queries and offer its own online advertisements.

I think you intended to list some Winsock functions?

Avast reported that a proxy server was being used with the IP address of 127.0.0.1:6522 and suggested it be repaired, which I okayed. I don't know if Avast was successful in that so I used various DOS level net and msconfig commands to restore default network software settings. The trojan also enabled proxy server in IE and Firefox, which I manually removed.

Avast also reported that EXPLORER.EXE and WINLOGON.EXE were trojans and suggested action was delete. I don't know how they could be infected because I gather they are Windows protected files and Avast was unable to delete them.

Quote
Have you run any Avast scans (Full or Boot-time scans)?
Is anything sitting in your Virus Chest?  If so, please give the exact name and spelling of the name of the item (or a clear screen shot).  If you have not run these scans, please do so and report back along with the above answers.  Thank you.

Yes, I have Avast now running and have done both boot and full scans.

Where do I find the Virus Chest?

I can't be sure that I have every trace of this trojan removed. I'm wondering why Avast is showing the pop-up described in my initial post only sometimes. I'm wondering if it is now a false positive?

Thanks again for all advice on this.

gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #5 on: August 19, 2010, 01:21:33 PM »
By the way, I just got another Avast pop-up:

MALWARE BLOCKED
Avast file system shield has blocked a threat.
No further action is required.

Object: C:\WINDOWS\system32\winlogon.exe
Infection: win32:Bamital-X
Action:
Process: C\program Files\Google\Update\GoogleUpdate.exe

The threat was detected and blocked just before the file was executed.


I didn't even know I had a Google update app. I now read where it has something to do with Google Chrome -- which I don't use. Nonetheless, it appears to be a benign program which is triggering Avast to report Bamital-X again.

gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #6 on: August 19, 2010, 02:56:46 PM »
Attached is a full scan report.

Again, I don't know how Avast is associating EXPLORER.EXE and WINLOGON.EXE with the Bamital-X trojan as these are supposedly Windows-protected files -- so how can a virus replace them without Windows trapping it as a security violation?

Also, the suggested action of "Move" results in the error: "The specified file is read only"
« Last Edit: August 19, 2010, 02:58:42 PM by gtc »

Offline raman

  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1062
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #7 on: August 19, 2010, 03:12:22 PM »
Please test one of the mentioned files at virustotal.com and post the Link to the Virustotal result. You may need to disable Avast while uploading the file.....
MfG Ralf

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #8 on: August 19, 2010, 03:30:52 PM »
The threat was blocked by system shield so the files in the chest are the source of the threat. As called by avast.

I'm not sure if this is a genuine detection, but the ID does point to the system being infected and this is where the threat is sourced.
Eset call Win32/Bamital.X a trojan that redirects results of online search engines to web sites that contain adware.
This has already been said, the hack is like Bamital.A.
The execute would likely have generated a rootkit-type attack on the system. This is what avast alerts to have blocked.

If this is the case, it does appear that google update app is compromised.
I'm a bit surprised. You might find that the updates are failing.

Also, not a convincing enough message popup, so let's see what virustotal has to say.
Do you know how to retrieve from chest and send to virustotal?

Quote
- avast5 - Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\* That will stop the File System Shield scanning any file you put in that folder. Now enter the chest again and Extract the file to the Suspect folder and upload it to VT.
http://forum.avast.com/index.php?topic=62072.msg524498#msg524498


Quote
Avast also reported that EXPLORER.EXE and WINLOGON.EXE were trojans and suggested action was delete.
This seems unlikely and avast does not suggest to delete at any time.
« Last Edit: August 19, 2010, 03:33:39 PM by mkis »
Avast7 Free, MBAM (on demand), MVPS Hosts

Intel DG41TY, Windows 7 Ultimate, IE9, Google Chrome, 4 GB ram, Secunia PSI, ccleaner, Foxit Reader, Faststone Image viewer, MWSnap.

gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #9 on: August 19, 2010, 05:39:30 PM »
Quote
if this is the case, it does appear that google update app is compromised.
I'm a bit surprised. You might find that the updates are failing

As I said, I wasn't previously aware of this program, so I have no idea if Google updates are failing and, as I don't use Google Chrome, it doesn't really matter to me.

Quote
Also, not a convincing enough message popup, so lets see what virustotal has to say.
Do you know how to retrieve from chest and send to virustotal?

- avast5 - Create a folder called Suspect in the C:\ drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect\* That will stop the File System Shield scanning any file you put in that folder. Now enter the chest again and Extract the file to the Suspect folder and upload it to VT.
http://forum.avast.com/index.php?topic=62072.msg524498#msg524498

I'm aware of the Virustotal site. Note again that Avast cannot action Explorer.exe or Winlogon.exe as they are read-only system files, so they are not in the "chest". I'll try to upload them to Virustotal by other means, having regard for File System Shield.

Quote from: gtc
Avast also reported that EXPLORER.EXE and WINLOGON.EXE were trojans and suggested action was delete.
Quote
This seems unlikely and avast does not suggest to delete at any time.

Yes, I confused Avast with Hitman Pro there (have run so many tools in the last 2 days!). Hitman wants to delete them, but cannot as they are read-only.

gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #10 on: August 19, 2010, 06:15:44 PM »
Okay, I sent c:\windows\explorer.exe to Virustotal and it had 15 red hits out of 42 tests (see attachment, which I had to convert to text format in order to upload it to this site).

I then sent C:\Windows\ServicePackFiles\i386\explorer.exe and it had zero hits.

I tried to send c:\windows\system32\winlogon.exe but Virustotal didn't respond. It showed the 'Sending File' box, then returned to the main screen with no messages at all. Perhaps the file was locked as busy by Windows.

I then sent C:\Windows\ServicePackFiles\i386\winlogon.exe and it had zero hits.
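
The comparison described in the reply above (live system file versus its ServicePackFiles\i386 copy), as an added example that is not part of the original thread: a Python script that hashes each pair named in the post and reports whether they match. The function names and the bytes written by demo() are constructed for illustration; a difference alone is not proof of infection, because a later Windows update can legitimately replace the live file.

```python
import hashlib
import os
import tempfile

# Live system files and their reference copies, using the paths named in the thread.
PAIRS = [
    (r"C:\WINDOWS\explorer.exe", r"C:\WINDOWS\ServicePackFiles\i386\explorer.exe"),
    (r"C:\WINDOWS\system32\winlogon.exe", r"C:\WINDOWS\ServicePackFiles\i386\winlogon.exe"),
]

def fingerprint(path):
    """Return (size, sha256 hex) for a file, or (None, reason) if it cannot be read."""
    digest = hashlib.sha256()
    size = 0
    try:
        with open(path, "rb") as handle:
            for chunk in iter(lambda: handle.read(65536), b""):
                digest.update(chunk)
                size += len(chunk)
    except OSError as exc:
        # Missing file, or one that Windows keeps locked while it is in use.
        return None, "unreadable: " + (exc.strerror or type(exc).__name__)
    return size, digest.hexdigest()

def compare(live, reference):
    """Classify one live/reference pair as MATCH, DIFFERENT or UNKNOWN."""
    live_size, live_hash = fingerprint(live)
    ref_size, ref_hash = fingerprint(reference)
    if live_size is None or ref_size is None:
        status = "UNKNOWN"      # the *_sha256 field then holds the read error instead
    elif live_hash == ref_hash:
        status = "MATCH"
    else:
        status = "DIFFERENT"
    return {"live": live, "reference": reference, "status": status,
            "live_size": live_size, "ref_size": ref_size,
            "live_sha256": live_hash, "ref_sha256": ref_hash}

def demo():
    """Run the comparison on constructed sample files so it works on any machine."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "reference.exe")
        same = os.path.join(tmp, "same.exe")
        patched = os.path.join(tmp, "patched.exe")
        body = b"MZ" + b"\x00" * 510            # constructed bytes, not a real PE file
        for path, data in ((clean, body), (same, body), (patched, body + b"\x90" * 16)):
            with open(path, "wb") as handle:
                handle.write(data)
        missing = os.path.join(tmp, "absent.exe")
        return [compare(same, clean)["status"],
                compare(patched, clean)["status"],
                compare(missing, clean)["status"]]

if __name__ == "__main__":
    for live, reference in PAIRS:
        result = compare(live, reference)
        print(result["status"], result["live"], result["live_size"], result["ref_size"])
    print("self-check on constructed files:", demo())
```

An UNKNOWN result for winlogon.exe on a running system usually means the file is locked, which matches the failed upload described in the post; reading it from a boot CD or another OS instance avoids that.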

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #11 on: August 19, 2010, 06:21:40 PM »
It may well be an ADS attached to those files or running as a netsvc

Hi there let me see what you have

GMER Rootkit Scanner - Download - Homepage
  • Download GMER
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.

  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" 
  • Save the log where you can easily find it, such as your desktop.
**Caution**Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Please copy and paste the report into your Post.

THEN

Download OTL  to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select Scan all users
  • Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Post both logs

Offline mkis

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1618
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #12 on: August 20, 2010, 04:37:46 AM »
sorry should have said that there is a record of google update in Windows Event viewer
- right-click Computer and select Manage, in the list on the left you can see Event Viewer, click this and choose Applications
- if the updates are failing, you see them there in red lettering

the updater always has been a bit annoying

gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #13 on: August 20, 2010, 05:27:04 AM »
Quote
sorry should have said that there is a record of google update in Windows Event viewer
- right-click Computer and select Manage, in the list on the left you can see Event Viewer, click this and choose Applications
- if the updates are failing, you see them there in red lettering

the updater always has been a bit annoying

Thanks for the clarification.

I used that event viewer (new to me) and although there are no Google update fails logged, there are plenty of warnings and errors, including many from Avira about explorer.exe and winlogon.exe mentioning TR/Spy.507904.8 and TR/Spy.1033728.1. Interestingly, one of those mentions dllcache, so my cache is also suspect.

I'd love to be able to use sfc to reinstall explorer.exe and winlogon.exe but, try as I might through following instructions on another site about modifying the Registry, I cannot get it to recognize the ServicePacks folder -- it keeps prompting me to insert the XP Pro distribution disk which is no use to me because it's dated 2002 and is probably SP1.

I'm slowly going nuts here.

« Last Edit: August 20, 2010, 05:29:01 AM by gtc »

gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #14 on: August 20, 2010, 05:32:33 AM »
Quote
It may well be an ADS attached to those files or running as a netsvc

What is an "ADS"?

Quote
  • Download GMER
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"  
    • Save the log where you can easily find it, such as your desktop.
    **Caution**Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
    Please copy and paste the report into your Post.

I tried running gmer twice, but after about 30 minutes each time it hung the system. I think I may have too many AV tools running at once.

I'll go ahead and try OTL.