Author Topic: Avast keeps reporting a Bamital-X infection of winlogon.exe [RESOLVED]  (Read 31573 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #45 on: August 23, 2010, 08:34:58 PM »
@gtc the apparent conflict with MBAM is where you are offered the opportunity to remove it if you wish - but the recommendation is to keep it

@demofax sorry for the delay I appear to have lost notification

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:6522
    O2 - BHO: (no name) - {36AFEEAB-DCD9-4A9A-8CEB-EC6632A8D7E2} - No CLSID value found.
    O2 - BHO: (no name) - {4C98FE11-C0C6-4DA2-90C0-97D4B217AC10} - No CLSID value found.
    O2 - BHO: (no name) - {BF04C4E2-F769-4345-8C5B-867A35EF0298} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
    O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No CLSID value found.
    [2010/08/20 10:14:36 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Opiweyuz.bin
    [2010/08/16 17:55:07 | 000,002,960 | ---- | M] () -- C:\WINDOWS\lsrslt.ini
    [2010/08/16 17:33:53 | 000,000,005 | ---- | M] () -- C:\zrpt.xml
    [2010/08/16 17:35:23 | 000,000,120 | ---- | C] () -- C:\WINDOWS\Tjoxalafunanerul.dat
    [2010/08/16 17:35:23 | 000,000,000 | ---- | C] () -- C:\WINDOWS\Opiweyuz.bin
    [2009/01/10 12:25:11 | 000,000,120 | -HS- | C] () -- C:\WINDOWS\System32\duerokxm.ini
    [2009/01/09 00:03:55 | 001,254,442 | -HS- | C] () -- C:\WINDOWS\System32\swjwavgp.ini
    [2001/08/23 13:00:00 | 000,190,976 | ---- | C] () -- C:\WINDOWS\afekaqib.dll
    [2010/08/18 14:40:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\TARA\Application Data\doffqsstj

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
On completion of this run then delete your current copy of Combofix and download a fresh copy then run .


If again it fails to run then run the following OTL scan

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
/md5start
explorer.exe
winlogon.exe
/md5stop


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

YoKenny

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #46 on: August 23, 2010, 09:41:44 PM »
@ gtc

I see that you now have more than 20 posts which will permit you to update your profile to include signature information.

Go to PROFILE then Modify Profile then Forum Profile Information then Signature: and put information about your system just like my signature so that the helpers can offer pertinent advice.

PORTS

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #47 on: August 24, 2010, 02:47:34 AM »
Hi guys, I also had problems with this virus. I apparently tried almost everything I saw to correct it, but it keeps coming back, reported by Avast as still active (both Explorer.exe and winlogon.exe).

Please help, guys; it has been annoying as I only get a blank screen after Windows logon.
Thanks and more power...

« Last Edit: August 24, 2010, 03:03:21 AM by PORTS »

PORTS

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #48 on: August 24, 2010, 03:04:26 AM »
here's the extras.txt

thanks again...

Jtaylor83

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #49 on: August 24, 2010, 03:15:09 AM »
There's a new version of Hitman Pro (3.5.6 Build 110) that can remove the Bamital/Drooptroop trojan.

PORTS

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #50 on: August 24, 2010, 03:34:16 AM »
Thanks mate, I will give it a try....

I ran Combofix; I did not see it repair/replace the WINLOGON.EXE. Only the EXPLORER.EXE was successfully repaired, and it deleted a few files...
When it rebooted, the desktop was back, but Avast is still reporting a threat with winlogon.
Maybe I missed something...

thanks...

PORTS

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #51 on: August 24, 2010, 05:08:34 AM »
Okay, I downloaded HITMAN and ran it... There appear to be a lot of ads etc. infecting my PC, and one of the results showed the WINLOGON.EXE being infected...
At the end of the scan, it asked for a reboot to disinfect... After the reboot, my desktop appeared, and I did a re-scan, at which the WINLOGON.EXE appeared infected again...

I re-ran HITMAN and rebooted... The desktop was now gone. Using Task Manager, I ran HITMAN once more and WINLOGON.EXE appeared infected. Reboot... Re-scan, and the WINLOGON.EXE is no longer showing; however, my desktop is still not appearing.

Using Task Manager, I ran COMBOFIX, and the WINLOGON.EXE "did not" appear; however, the EXPLORER.EXE appeared as infected. CF successfully repaired it and rebooted.

After the reboot, the desktop appeared and I waited for the log.txt to come up. I did a re-scan with HITMAN and nothing appeared infected anymore...

I re-ran AVAST and nothing appeared infected...

Wow, so it was a combination of both... So, thanks to all your posts guys, hopefully my problem is solved and I will install additional anti-malware as you suggested.

I got infected when visiting a site, and my Avast protection was disabled.

More power to you guys....

gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #52 on: August 24, 2010, 06:49:48 AM »
Quote
    Wow, so it was a combination of both...  So, thanks to all your posts guys, hopefully my problem is solved and will install additional anti-malware as you suggested.

The desktop, the start button and the task bar are managed by explorer.exe, so when that is not running or is compromised, you get a black screen instead of your desktop.

I had to boot in safe mode (with or without networking) and run the various fixes in that mode.

For me, Hitman Pro was the tool that stopped the major symptoms of this Bamital thing and allowed me to regain some control of my PC again, but it didn't/couldn't remove the infected versions of explorer.exe and winlogon.exe.

ComboFix announced that it had installed new (valid) versions of those programs, sourcing them from the SP install folders on my C drive.
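
The /md5start scan requested earlier in the thread and the ComboFix repair described above both rest on comparing the active explorer.exe and winlogon.exe with other copies on disk. The following Python script is an added example, not part of any post here and not OTL or ComboFix code; the backup locations ServicePackFiles\i386 and System32\dllcache are assumptions based on a standard Windows XP layout.

```python
import hashlib
import os
from pathlib import Path

# Active copies of the two files named in the /md5start ... /md5stop scan,
# relative to the Windows directory.
ACTIVE = {"explorer.exe": "explorer.exe", "winlogon.exe": "System32/winlogon.exe"}
# Assumed Windows XP backup locations (not listed in the thread).
REFERENCE_DIRS = ("ServicePackFiles/i386", "System32/dllcache")


def md5_of(path):
    """MD5 is used only because it is the digest OTL prints in its log."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_copies(windir):
    """Hash each active file and every backup copy found, then classify it."""
    windir = Path(windir)
    report = {}
    for name, active_rel in ACTIVE.items():
        refs = {}
        for ref_dir in REFERENCE_DIRS:
            candidate = windir / ref_dir / name
            if candidate.is_file():
                refs[f"{ref_dir}/{name}"] = md5_of(candidate)
        active = windir / active_rel
        active_md5 = md5_of(active) if active.is_file() else None
        if active_md5 is None:
            status = "missing"
        elif not refs:
            status = "no-reference"
        elif active_md5 in refs.values():
            status = "match"       # not proof of a clean file: backups can be patched too
        else:
            status = "mismatch"    # patched file, or a legitimate hotfix newer than the backup
        report[name] = {"active": active_md5, "references": refs, "status": status}
    return report


if __name__ == "__main__":
    for name, entry in compare_copies(os.environ.get("SystemRoot", r"C:\WINDOWS")).items():
        print(name, entry["status"], entry["active"], entry["references"])
```

A "mismatch" is a prompt to check the file against a trusted source or a second scanner, not a verdict on its own.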

gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #53 on: August 24, 2010, 06:52:24 AM »
Quote
    @gtc the apparent conflict with MBAM is where you are offered the opportunity to remove it if you wish - but the recommendation is to keep it

Thanks, I will.

Offline essexboy

Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #54 on: August 24, 2010, 06:37:46 PM »
Evening gents - it gets very confusing when you all post in the same thread, and is virtually impossible to keep track of who is who.  So if you have this problem could you start a new thread so that I know who I am talking to  ;D

gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #55 on: August 24, 2010, 06:55:07 PM »
Quote
    So if you have this problem could you start a new thread so that I know who I am talking to  ;D

As the original poster whose problems have been solved, and to eliminate confusion about other posters' issues, I ask the moderators to please close this thread. Thanks.  :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89431
  • No support PMs thanks
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #56 on: August 24, 2010, 07:47:27 PM »
Go back and click the Modify button in your original post, adding [Resolved] to the end of the title.

YoKenny

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #57 on: August 24, 2010, 08:46:52 PM »
It would also help if gtc updated the signature:
http://forum.avast.com/index.php?topic=62962.msg533088#msg533088