Author Topic: Avast keeps reporting a Bamital-X infection of winlogon.exe [RESOLVED]  (Read 30750 times)

0 Members and 1 Guest are viewing this topic.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #45 on: August 23, 2010, 08:34:58 PM »
@gtc the apparent conflict with MBAM is where you are offered the opportunity to remove it if you wish - but the recommendation is to keep it

@demofax sorry for the delay I appear to have lost notification

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
    O2 - BHO: (no name) - {36AFEEAB-DCD9-4A9A-8CEB-EC6632A8D7E2} - No CLSID value found.
    O2 - BHO: (no name) - {4C98FE11-C0C6-4DA2-90C0-97D4B217AC10} - No CLSID value found.
    O2 - BHO: (no name) - {BF04C4E2-F769-4345-8C5B-867A35EF0298} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
    [2010/08/20 10:14:36 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Opiweyuz.bin
    [2010/08/16 17:55:07 | 000,002,960 | ---- | M] () -- C:\WINDOWS\lsrslt.ini
    [2010/08/16 17:33:53 | 000,000,005 | ---- | M] () -- C:\zrpt.xml
    [2010/08/16 17:35:23 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Tjoxalafunanerul.dat
    [2010/08/16 17:35:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Opiweyuz.bin
    [2009/01/10 12:25:11 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\duerokxm.ini
    [2009/01/09 00:03:55 | 001,254,442 | -HS- | C] () -- C:\WINDOWS\System32\swjwavgp.ini
    [2001/08/23 13:00:00 | 000,190,976 | ---- | C] () -- C:\WINDOWS\afekaqib.dll
    [2010/08/18 14:40:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TARA\Application Data\doffqsstj

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
On completion of this run then delete your current copy of Combofix and download a fresh copy then run .


If again it fails to run then run the following OTL scan

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
/md5start
explorer.exe
winlogon.exe
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

YoKenny

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #46 on: August 23, 2010, 09:41:44 PM »
@ gtc

I see that you now have more than 20 posts which will permit you to update your profile to include signature information.

Go to PROFILE then Modify Profile then Forum Profile Information then Signature: and put information about your system just like my signature about your system just like my signature so that the helpers can offer pertinent advice.

PORTS

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #47 on: August 24, 2010, 02:47:34 AM »
Hi Guys, I also had problems with this virus, apparently tried almost everything i saw to correct it, but keeps coming back reported by Avast as still active (both Explorer.exe and winlogon.exe)

Please help guys, been annoying as i only get a blank screen after windows log on.
Thanks and more power...

« Last Edit: August 24, 2010, 03:03:21 AM by PORTS »

PORTS

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #48 on: August 24, 2010, 03:04:26 AM »
here's the extras.txt

thanks again...

Jtaylor83

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #49 on: August 24, 2010, 03:15:09 AM »
There's a new version of Hitman Pro (3.5.6 Build 110) that can remove the Bamital/Drooptroop trojan.

PORTS

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #50 on: August 24, 2010, 03:34:16 AM »
Thanks mate, i will give it a try....

I ran Combofix, i did not saw it repair/replace the WINLOGON.EXE, only the EXPLORER.EXE was successfully repaired, and deleted a few number of files...
When it rebooted, the desktop is now back, but Avast is still reporting threat with winlogon.
Maybe i missed something...

thanks...

PORTS

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #51 on: August 24, 2010, 05:08:34 AM »
Okay, I downloaded the HITMAN and ran it...  It appears a lot of many ads etc.. infecting my pc, one of which showed the WINLOGON.EXE being infected... 
At the end of the scan, it asked for reboot to disinfect....  After reboot, my desktop appeared, and did a re-scan, at which the WINLOGON.EXE appeared infected, again...

Re-ran HITMAN and reboot...  Desktop now is gone, using task manager, i ran HITMAN once more and WINLOGON.EXE appeared infected.. Reboot....Re-scan and the WINLOGON.EXE is not anymore showing... however, my desktop is still not appearing.

Using task manager, I ran COMBOFIX, and the WINLOGON.EXE "did not" appear, however, the EXPLORER.EXE appeared as infected, CF successfully repaired and reboot.

After reboot, the desktop appeared and waited for the log.txt to come up.  Did a re-scan with HITMAN and nothing appeared anymore being infected...

Re-ran AVAST and nothing appeared infected...

Wow, so it was a combination of both...  So, thanks to all your posts guys, hopefully my problem is solved and will install additional anti-malware as you suggested. 

I got infected when visiting a site, and my Avast protection was disabled..

More power to you guys....

gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #52 on: August 24, 2010, 06:49:48 AM »
Wow, so it was a combination of both...  So, thanks to all your posts guys, hopefully my problem is solved and will install additional anti-malware as you suggested.  

The desktop, the start button and the task bar is managed by explorer.exe, so when that is not running or is compromised, you get a black screen instead of your desktop.

I had to boot in safe mode (with or without networking) and run the various fixes in that mode.

For me, Hitman Pro was the tool that stopped the major symptoms of this Bamital thing and allowed me to regain some control of my PC again, but it didn't/couldn't remove the infected versions of explorer.exe and winlogon.exe.

ComboFix announced that it had installed new (valid) versions of those programs, sourcing them from the SP install folders on my C drive.

gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #53 on: August 24, 2010, 06:52:24 AM »
@gtc the apparent conflict with MBAM is where you are offered the opportunity to remove it if you wish - but the recommendation is to keep it

Thanks, I will.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #54 on: August 24, 2010, 06:37:46 PM »
Evening gents - it gets very confusing when you all post in the same thread, and is virtually impossible to keep track of who is who.  So if you have this problem could you start a new thread so that I know who I am talking to  ;D

gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #55 on: August 24, 2010, 06:55:07 PM »
So if you have this problem could you start a new thread so that I know who I am talking to  ;D

As the original poster whose problems have been solved, and to eliminate confusion about other poster's issues, I ask the moderators to please close this thread. Thanks.  :)

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89006
  • No support PMs thanks
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #56 on: August 24, 2010, 07:47:27 PM »
Go back and click the Modify button in your original post, adding [Resolved] to the end of the title.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

YoKenny

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #57 on: August 24, 2010, 08:46:52 PM »
It would also help if gtc updated the signature:
http://forum.avast.com/index.php?topic=62962.msg533088#msg533088