Topic: Avast keeps reporting a Bamital-X infection of winlogon.exe [RESOLVED]


gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #30 on: August 20, 2010, 04:04:47 PM »
@demofax is there a log at C:\combofix.txt ?

No, I cannot see one in the folder and I can't find it in a search either.

I'll leave it to Essexboy to follow up with you, but in my case after ComboFix ran through some 40 stages, it rebooted my PC and after the reboot it said "Creating log file. Do not run any other programs", or words to that effect.  It then began deleting a lot of files and eventually opened Notepad and displayed the contents of the log file, which it saved to C:\ and my PC was immediately ready for use.

As I didn't already have System Restore installed, I allowed it to do that before it began the stages.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
« Reply #31 on: August 20, 2010, 05:04:12 PM »
@ gtc

Looking at that I am a happy bunny  :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so the following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :Commands
    [resethosts]
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done


Click Start > Run and copy/paste the following text into the Run box and click OK:

ComboFix /Uninstall

Run OTL and hit the cleanup button.  It will remove all the programmes we have used plus itself.  MBAM can be uninstalled via control panel add/remove

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE) 6 Update 21.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u21-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u21-windows-i586-p.exe and select "Run as an Administrator.")
SPRING CLEAN
 
Download and run Puran Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read our little guide  How did I get infected in the first place ?
Keep safe  :wave:

@ demofax

OTL - Download or alternative link here and here to your desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please attach both logs

demofax

  • Guest
« Reply #32 on: August 20, 2010, 07:24:41 PM »
Quote from: gtc
I'll leave it to Essexboy to follow up with you, but in my case after ComboFix ran through some 40 stages, it rebooted my PC and after the reboot it said "Creating log file. Do not run any other programs", or words to that effect.  It then began deleting a lot of files and eventually opened Notepad and displayed the contents of the log file, which it saved to C:\ and my PC was immediately ready for use.

As I didn't already have System Restore installed, I allowed it to do that before it began the stages.

Mine ran through 50 stages then after it restarted I would log in and wait for something to happen but nothing ever did. I tried about three times with the same result :(. I didn't have System Restore installed before either so it did pretty much the same as yours by the sounds but with less luck.

I have attached the files Essexboy. Thanks so much for your assistance!

Offline essexboy

« Reply #33 on: August 20, 2010, 08:44:19 PM »
Not sure why CF did not fix it - so let's go the manual way

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    IE - HKU\S-1-5-21-73586283-1757981266-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
    O2 - BHO: (no name) - {36AFEEAB-DCD9-4A9A-8CEB-EC6632A8D7E2} - No CLSID value found.
    O2 - BHO: (no name) - {4C98FE11-C0C6-4DA2-90C0-97D4B217AC10} - No CLSID value found.
    O2 - BHO: (no name) - {BF04C4E2-F769-4345-8C5B-867A35EF0298} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKU\S-1-5-21-73586283-1757981266-839522115-1003\..\Toolbar\ShellBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKU\S-1-5-21-73586283-1757981266-839522115-1003\..\Toolbar\ShellBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
    O4 - HKLM..\Run: [Lrowiweyifegizut] C:\WINDOWS\afekaqib.DLL ()
    O20 - Winlogon\Notify\ddcASiih: DllName - ddcASiih.dll - File not found
    [2010/08/16 17:33:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TARA\Local Settings\Application Data\doffqsstj
    [2010/08/16 17:33:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\TARA\Application Data\doffqsstj
    [2010/08/20 17:44:51 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Tjoxalafunanerul.dat
    [2010/08/16 17:35:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Opiweyuz.bin
    [2010/08/16 17:33:53 | 000,000,005 | ---- | C] () -- C:\zrpt.xml
    [2009/01/10 12:25:11 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\duerokxm.ini
    [2009/01/09 00:03:55 | 001,254,442 | -HS- | C] () -- C:\WINDOWS\System32\swjwavgp.ini

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
THEN

Re-run OTL to locate good copies of the infected file
 
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
/md5start
winlogon.exe
explorer.exe
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
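The fix script above is a hand-picked set of OTL log lines; the indicators it targets (a browser proxy pointing back at 127.0.0.1, BHO/toolbar CLSIDs with no backing key, a Winlogon\Notify DLL that no longer exists, hidden+system .ini files in System32, freshly created files in the Windows root, and a Run entry loading a DLL with no publisher) are exactly the things a reader can learn to spot in their own OTL output. The following is an added example, not code from this post or from OTL: it runs those heuristics over lines copied from the script above. The regexes, the seven-day "infection window" and the severity labels are the editor's assumptions, not anything OTL itself does.

```python
"""Triage an OTL-style log excerpt for the indicators that appear in this thread.

Added example; this is not code from the forum post or from OTL itself.
The sample lines are copied from the fix script above, and the heuristics
(loopback proxy, orphaned CLSIDs, missing Winlogon Notify DLL, hidden+system
files in System32, recently touched files in the Windows root, files that back
an autostart entry) are the editor's assumptions about what deserves a second
look, not OTL's own logic.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: lines lifted from the OTL fix in Reply #33.
SAMPLE_LOG = r"""
IE - HKU\S-1-5-21-73586283-1757981266-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
O2 - BHO: (no name) - {36AFEEAB-DCD9-4A9A-8CEB-EC6632A8D7E2} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [Lrowiweyifegizut] C:\WINDOWS\afekaqib.DLL ()
O20 - Winlogon\Notify\ddcASiih: DllName - ddcASiih.dll - File not found
[2010/08/20 17:44:51 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Tjoxalafunanerul.dat
[2010/08/16 17:35:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Opiweyuz.bin
[2009/01/10 12:25:11 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\duerokxm.ini
[2001/08/23 13:00:00 | 000,190,976 | ---- | C] () -- C:\WINDOWS\afekaqib.dll
"""

PROXY_RE = re.compile(r'"ProxyServer"\s*=\s*(?P<value>\S+)')
ORPHAN_RE = re.compile(r"^O[23] - .*No CLSID value found", re.I)
RUN_RE = re.compile(r"^O4 - .*\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+?) \((?P<company>[^)]*)\)\s*$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon\\Notify\\(?P<key>\S+): DllName - (?P<dll>\S+) - File not found")
FILE_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$")
WINDIR = "c:\\windows\\"  # assumption: XP layout as in the thread


def parse_proxy_hosts(value):
    """'http=127.0.0.1:6522;https=proxy:8080' -> ['127.0.0.1:6522', 'proxy:8080']."""
    hosts = []
    for part in value.split(";"):
        part = part.strip()
        if part:
            hosts.append(part.split("=", 1)[1] if "=" in part else part)
    return hosts


def is_loopback(hostport):
    """True when the proxy host is the machine itself (127.x, localhost, ::1)."""
    host = hostport.rsplit(":", 1)[0].strip("[]").lower()
    return host.startswith(("127.", "localhost", "::1"))


def triage(log_text, log_date=datetime(2010, 8, 20), recent_days=7):
    """Return (severity, note, line) triples for lines worth a second look."""
    findings, autostart_targets, file_entries = [], set(), []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PROXY_RE.search(line):
            for hp in parse_proxy_hosts(m.group("value")):
                if is_loopback(hp):  # something on this PC is in the browser's path
                    findings.append(("high", f"browser traffic routed through local proxy {hp}", line))
        elif ORPHAN_RE.match(line):
            findings.append(("low", "orphaned BHO/toolbar CLSID, leftover to remove", line))
        elif m := RUN_RE.match(line):
            path, company = m.group("path"), m.group("company")
            autostart_targets.add(path.lower())
            if not company or path.lower().endswith(".dll"):
                findings.append(("high", f"autostart '{m.group('name')}' loads {path} with no publisher", line))
        elif m := NOTIFY_RE.match(line):
            findings.append(("medium", f"Winlogon Notify '{m.group('key')}' points at missing {m.group('dll')}", line))
        elif m := FILE_RE.match(line):
            file_entries.append((m, line))
    # File lines are judged last so autostart targets seen anywhere in the log count.
    cutoff = log_date - timedelta(days=recent_days)
    for m, line in file_entries:
        path = m.group("path")
        low = path.lower()
        stamp = datetime.strptime(m.group("stamp"), "%Y/%m/%d %H:%M:%S")
        attrs = m.group("attrs").upper()
        if low in autostart_targets:
            findings.append(("high", f"{path} backs a suspicious autostart entry", line))
        elif "H" in attrs and "S" in attrs and "\\system32\\" in low:
            findings.append(("medium", f"hidden+system data file in System32: {path}", line))
        elif stamp >= cutoff and low.startswith(WINDIR) and "\\" not in low[len(WINDIR):]:
            findings.append(("medium", f"{path} touched {stamp:%Y-%m-%d}, inside the infection window", line))
    return findings


def severity_counts(findings):
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    order = ("high", "medium", "low")
    for sev, note, line in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f[0])):
        print(f"[{sev:6}] {note}\n         {line}")
```

Note how the 2001-dated afekaqib.dll only becomes interesting once the O4 Run entry that loads it is seen: a timestamp alone proves nothing, since malware routinely copies old timestamps, so the file list is judged after the rest of the log has been read.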

demofax

  • Guest
« Reply #34 on: August 20, 2010, 09:40:59 PM »
Here is the log as you instructed.

Offline essexboy

« Reply #35 on: August 20, 2010, 10:03:25 PM »
I can also now see what files the infected ones are running.  On completion of this delete your current copy of combofix and download and run a fresh one

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    IE - HKU\S-1-5-21-73586283-1757981266-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
    O4 - HKLM..\Run: [Lrowiweyifegizut] C:\WINDOWS\afekaqib.DLL ()
    O20 - Winlogon\Notify\ddcASiih: DllName - ddcASiih.dll - File not found
    [2010/08/20 20:02:05 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Tjoxalafunanerul.dat
    [2010/08/16 17:35:23 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Tjoxalafunanerul.dat
    [2010/08/16 17:35:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Opiweyuz.bin
    [2010/08/16 17:33:53 | 000,000,005 | ---- | C] () -- C:\zrpt.xml
    [2009/01/10 12:25:11 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\duerokxm.ini
    [2009/01/09 00:03:55 | 001,254,442 | -HS- | C] () -- C:\WINDOWS\System32\swjwavgp.ini
    [2001/08/23 13:00:00 | 000,190,976 | ---- | C] () -- C:\WINDOWS\afekaqib.dll
    [2010/08/18 14:40:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TARA\Application Data\doffqsstj

    :Files
    C:\WINDOWS\system32\winlogon.exe|C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe /replace
    C:\WINDOWS\explorer.exe|C:\Documents and Settings\All Users\Documents\explorer.exe /replace

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
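The /md5start ... /md5stop scan two posts up lists every copy of winlogon.exe and explorer.exe on the disk with its hash, and the :Files ... /replace lines above copy a clean one over the infected one. The following is an added example, not code from this thread, from OTL or from ComboFix: it shows the selection logic behind that step on plain files, hashing each candidate, treating the active copy as tampered only when the other copies agree on a different digest, and moving it aside with a .vir suffix (like the explorer.vir mentioned later in the thread) before copying a clean one into place. The directory layout, file contents and "known-good" digest are constructed in a temp folder; on a live machine the in-use winlogon.exe cannot simply be overwritten, which is why OTL stages the replacement for the reboot.

```python
"""Pick a clean copy of a system binary by comparing hashes of every copy on disk.

Added example, not code from the thread, from OTL or from ComboFix. It mirrors
the /md5start ... /md5stop scan and the :Files ... /replace step above: hash
each candidate, treat the active copy as tampered only when the other copies
disagree with it, move it aside with a .vir suffix and copy a clean one over
it. The directory layout and file contents are constructed in a temp folder
and the known-good digest is computed from that constructed data, not taken
from any vendor reference.
"""
import hashlib
import os
import shutil
import tempfile
from collections import defaultdict


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def group_by_digest(paths):
    """digest -> [paths sharing it], so identical copies collapse to one entry."""
    groups = defaultdict(list)
    for p in paths:
        groups[sha256_file(p)].append(p)
    return dict(groups)


def pick_replacement(active_path, candidates, known_good=None):
    """Return a path to copy over active_path, or None when nothing should change.

    With known_good (a set of trusted digests) only a candidate matching one of
    them qualifies, and a trusted active copy is left alone. Without it, fall
    back to the thread's reasoning: if every other copy agrees on one digest
    that differs from the active copy, the active copy is the odd one out. If
    the other copies disagree among themselves, refuse rather than guess.
    """
    active = sha256_file(active_path)
    others = [c for c in candidates if os.path.abspath(c) != os.path.abspath(active_path)]
    groups = group_by_digest(others)
    if known_good is not None:
        if active in known_good:
            return None
        for digest, paths in groups.items():
            if digest in known_good:
                return paths[0]
        return None
    disagreeing = {d: p for d, p in groups.items() if d != active}
    if len(disagreeing) != 1:
        return None
    return next(iter(disagreeing.values()))[0]


def replace_with_backup(active_path, good_path, backup_suffix=".vir"):
    """Move the tampered copy aside (the .vir files mentioned in this thread) and
    copy the clean one into place. Returns the backup path."""
    backup = active_path + backup_suffix
    shutil.move(active_path, backup)
    shutil.copy2(good_path, active_path)
    return backup


def demo():
    """Constructed layout: a tampered System32 copy, a pristine copy in the update
    download cache (where OTL found one in this thread) and a second pristine copy
    in a made-up ServicePackFiles folder."""
    root = tempfile.mkdtemp()
    clean = b"MZ" + b"\x90" * 64 + b"winlogon pristine"        # constructed bytes
    tampered = b"MZ" + b"\x90" * 64 + b"winlogon + injected code"  # constructed bytes
    active = os.path.join(root, "WINDOWS", "system32", "winlogon.exe")
    layout = {
        active: tampered,
        os.path.join(root, "WINDOWS", "SoftwareDistribution", "Download", "cache", "winlogon.exe"): clean,
        os.path.join(root, "WINDOWS", "ServicePackFiles", "i386", "winlogon.exe"): clean,
    }
    for path, data in layout.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    try:
        with_reference = pick_replacement(active, list(layout), known_good={hashlib.sha256(clean).hexdigest()})
        good = pick_replacement(active, list(layout))
        backup = replace_with_backup(active, good)
        return {
            "good_source": os.path.relpath(good, root),
            "reference_pick_agrees": with_reference == good,
            "backup_suffix": os.path.splitext(backup)[1],
            "active_now_clean": sha256_file(active) == hashlib.sha256(clean).hexdigest(),
            "backup_is_tampered": sha256_file(backup) == hashlib.sha256(tampered).hexdigest(),
            "no_action_after_fix": pick_replacement(active, list(layout)) is None,
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The majority-vote fallback is only as good as the copies on the disk: if the infection had also patched the cached copies, every candidate would agree and the function would report nothing to do. That is why the known_good path exists, and why a reference hash from the vendor or a trusted clean install is the better check whenever one is available.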

demofax

  • Guest
« Reply #36 on: August 20, 2010, 10:24:37 PM »
Ok just to make sure I've got this right: I run a scan of a freshly downloaded ComboFix AFTER I've run a Quick Scan in OTL and posted a new log, yes?

I'm really sorry, I get a little confused and I want to get this right :D. Thanks so very much for your patience and help!

Offline essexboy

« Reply #37 on: August 20, 2010, 10:26:40 PM »
No problem - it is easy for me because I know what I want  ;D

Yes, run the OTL fix, then download and run a fresh copy of Combofix.  No need to run a fresh OTL scan unless Combofix fails.

demofax

  • Guest
« Reply #38 on: August 20, 2010, 10:27:29 PM »
Awesome, thanks so much, I'll do that now! :)

demofax

  • Guest
« Reply #39 on: August 20, 2010, 10:36:30 PM »
Ok here is the latest log. I'm just about to run ComboFix.

EDIT: Just ran CF and I still can't find a log after reboot. :(

gtc

  • Guest
« Reply #40 on: August 21, 2010, 03:28:01 AM »
Quote from: essexboy
@ gtc

Looking at that I am a happy bunny  :)

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Okay, I have updated Java and done all of those cleanups, except this ...

Quote from: essexboy
MBAM can be uninstalled via control panel add/remove

... because it seems to be at odds with this suggestion ...

Quote from: essexboy
Malwarebytes.  Run weekly to keep your system clean

Another question: When the Avast! icon in the tray stops revolving -- as it does periodically -- what does that imply?

Thanks again for all of your help.

demofax

  • Guest
« Reply #41 on: August 23, 2010, 12:44:33 AM »
Hey guys, Avast just blocked another Bamital-X, except this time it's a little different to what I've seen before:

As you can see this appeared as I was running a scan in MBAM. Forgive me if I've got this completely wrong, but is it saying that it blocked an item already in quarantine? I thought things were safe once they were in there? Or is this something different?

I'm just a tad worried since I don't understand these things too well and this seems strange to me. :(

gtc

  • Guest
« Reply #42 on: August 23, 2010, 05:56:45 AM »
Quote from: demofax
As you can see this appeared as I was running a scan in MBAM. Forgive me if I've got this completely wrong, but is it saying that it blocked an item already in quarantine? I thought things were safe once they were in there? Or is this something different?

I ended up with explorer.vir on my PC after one of the AV tools (I forget which) detected that explorer.exe was infected. I would term it a form of flagging rather than quarantining, because the infected explorer.exe was still there until ComboFix fixed that situation for me. I have since deleted explorer.vir.

demofax

  • Guest
« Reply #43 on: August 23, 2010, 02:09:58 PM »
Ah, I think I understand. Thanks for that. I'm gonna try and get ComboFix to work again since it seems to have worked wonders for you. I'm pretty envious :P Heheh.

gtc

  • Guest
« Reply #44 on: August 23, 2010, 05:59:09 PM »
Quote from: demofax
Ah, I think I understand. Thanks for that. I'm gonna try and get ComboFix to work again since it seems to have worked wonders for you. I'm pretty envious :P Heheh.

Bear in mind (see my early posts) that I had already attacked the problem with a lot of heavy artillery before coming onto this forum seeking help, and Essexboy then put me onto ComboFix to finish off the job, which was to get rid of the infected winlogon.exe and explorer.exe.

OTL then cleaned up a bunch of stuff, too, I gather.

I hope that you eventually get a similar result.