Author Topic: Avast keeps reporting a Bamital-X infection of winlogon.exe [RESOLVED]  (Read 30940 times)


gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #15 on: August 20, 2010, 06:09:34 AM »
Okay, I have run OTL. Forum won't allow me to attach both logs -- even though the total is 184KB vs the 200KB limit (???), so I'll try attaching each in separate posts.

Here's extras.txt ...

gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #16 on: August 20, 2010, 06:10:20 AM »
... And here's OTL.txt ...

gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #17 on: August 20, 2010, 07:19:46 AM »
Hitman Pro still reports that a proxy server is in use with address 127.0.0.1:6522 yet it can't seem to repair that.

I should also note that at boot time when I log in to my XP account, I get a blank screen -- presumably because the c:\Windows\Explorer.exe is compromised as per numerous AV tool reports. The only way I can get a valid Windows explorer running is via Task Manager > Run using the explorer.exe image stored in Windows\ServicePacks folder.

So, I really need to replace explorer.exe and winlogon.exe. I'm desperately trying to avoid having to re-install XP Pro from scratch. Seems I'll have to try to buy a SP3 CD of some sort that sfc /scannow can use?
« Last Edit: August 20, 2010, 07:21:49 AM by gtc »
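The proxy Hitman Pro keeps flagging (127.0.0.1:6522) is the per-user WinINet proxy that Internet Explorer and most Windows programs honour; malware sets it so that browser traffic passes through a process it controls on the local machine. The PowerShell script below is an added example, not part of this thread and not how Hitman Pro does its check: it reads that setting from the registry, finds the process listening on the loopback port, and shows how to clear the value. The registry path and value names (ProxyEnable, ProxyServer, AutoConfigURL) are the standard WinINet ones; the port number is taken from the post above.

```powershell
# Added example, not from the thread: inspect the per-user WinINet proxy setting
# that Hitman Pro reported and identify the local process behind it.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$settings = Get-ItemProperty -Path $key

# ProxyEnable is a DWORD (1 = use ProxyServer). ProxyServer is "host:port" or a
# per-protocol list such as "http=host:port;https=host:port". A loopback address on
# an unusual port, as in 127.0.0.1:6522 above, means something local is intercepting traffic.
"ProxyEnable   : {0}" -f $settings.ProxyEnable
"ProxyServer   : {0}" -f $settings.ProxyServer
"AutoConfigURL : {0}" -f $settings.AutoConfigURL   # a PAC script can redirect traffic too

if ($settings.ProxyServer -match '^(?:\w+=)?127\.0\.0\.1:(\d+)') {
    $port = [int]$Matches[1]
    Write-Warning "Loopback proxy on port $port. Listening process:"
    # netstat -ano prints the owning PID in the last column of each LISTENING line.
    netstat -ano | Select-String ":$port\s" | Select-String 'LISTENING' | ForEach-Object {
        $ownerPid = [int](($_.Line.Trim() -split '\s+')[-1])
        Get-Process -Id $ownerPid | Select-Object Id, ProcessName, Path
    }
}

# The machine-wide WinHTTP proxy (used by services and Windows Update) is separate:
netsh winhttp show proxy

# To clear the per-user setting (run as the affected user). If the malware is still
# running it will simply put the value back, so remove the listener first.
# Set-ItemProperty -Path $key -Name ProxyEnable -Value 0
# Remove-ItemProperty -Path $key -Name ProxyServer -ErrorAction SilentlyContinue
# Remove-ItemProperty -Path $key -Name AutoConfigURL -ErrorAction SilentlyContinue
```

The path of the listening process is the useful output: a legitimate local proxy (some AV web shields and ad blockers use one) will point at a known installed program, whereas a loopback proxy owned by explorer.exe, winlogon.exe or a file in a temp directory is the infection itself. That also explains why Hitman Pro "can't repair" the setting: a value that is re-applied by a running process will look fixed for a moment and then reappear.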

SafeSurf

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #18 on: August 20, 2010, 07:56:28 AM »
Quote
I think I may have too many AV tools running at once.

I'll go ahead and try OTL.
Can you clarify what you currently are running as resident AV's: Avast, McAfee Suite, Avira, Windows Defender (WD)...any others or did you uninstall any of these per the vendor's uninstall utility tools or another way?  On-demand items are fine to keep as is.

Your OTL logs did not come through on the postings.  You should have 2 separate logs since they are large.  You will need to attach the OTL logs to the post.  To attach the logs: go to the post screen > "Additional Options" > "Attach" > click in the box next to attach where you stored your OTL log and click browse to find it > post.  Do this for BOTH of your OTL logs (which hopefully you saved to your desktop to find easily).  Thank you.

gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #19 on: August 20, 2010, 08:26:44 AM »
Quote
Your OTL logs did not come through on the postings.  You should have 2 separate logs since they are large.  You will need to attach the OTL logs to the post.  To attach the logs: go to the post screen > "Additional Options" > "Attach" > click in the box next to attach where you stored your OTL log and click browse to find it > post.  Do this for BOTH of your OTL logs (which hopefully you saved to your desktop to find easily).  Thank you.

I don't understand that as I can see them as attachments to each of my above posts referring to OTL. They show as click-able links below the signature line next to the paperclip icon.

The only tool I have uninstalled (using its own uninstaller) is Hitman Pro because it was slowing down my logins and at the moment I have to reboot and login frequently.

In the logs you'll see what AV tools I have running.

SafeSurf

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #20 on: August 20, 2010, 08:40:04 AM »
Your attachments are showing up now.  The server was slow and they were not showing up before. 

Tomorrow morning Essexboy will pick up with your malware removal process.  Thank you.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #21 on: August 20, 2010, 10:44:45 AM »
Hi both winlogon and explorer are infected - so I will try to cure those first.  Also you have three AV's you need to decide which one to keep

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #22 on: August 20, 2010, 11:45:21 AM »
Essexboy:

I have followed your instructions and I was so very happy to read these words from ComboFix:

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe


Whoever wrote ComboFix deserves a medal. I'm happy to make a financial donation to the author if you can message me the details.

I have attached the log as requested.

Thank you very much.  :)
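The ComboFix log above says the live winlogon.exe and explorer.exe were replaced from the copies in C:\Windows\ServicePackFiles\i386. Before trusting the machine again, a practitioner would confirm that the active files now match those reference copies byte for byte and check their Authenticode status. The script below is an added example, not from the thread or from ComboFix; the file paths are the ones printed in the log, and the hashing helper is written against .NET directly so it also runs on the PowerShell 2.0 that XP SP3 supports (Get-FileHash only arrived in PowerShell 4.0).

```powershell
# Added example, not from the thread: verify the files ComboFix restored against the
# ServicePackFiles copies it restored them from, and check their signature status.
$pairs = @(
    @{ Live = "$env:SystemRoot\system32\winlogon.exe"; Ref = "$env:SystemRoot\ServicePackFiles\i386\winlogon.exe" },
    @{ Live = "$env:SystemRoot\explorer.exe";          Ref = "$env:SystemRoot\ServicePackFiles\i386\explorer.exe" }
)

function Get-Sha256Hex([string]$Path) {
    # Helper (name is mine): SHA-256 via .NET so it works on PowerShell 2.0 as well.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($stream) } finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

foreach ($p in $pairs) {
    if (-not (Test-Path $p.Ref)) { Write-Warning "No reference copy for $($p.Live)"; continue }

    $liveHash = Get-Sha256Hex $p.Live
    $refHash  = Get-Sha256Hex $p.Ref
    "{0}`n  live : {1}`n  ref  : {2}`n  match: {3}" -f $p.Live, $liveHash, $refHash, ($liveHash -eq $refHash)

    # Authenticode check. Caveat: most Windows system binaries are signed through a
    # security catalog rather than an embedded signature. PowerShell 5.1 consults the
    # catalogs and reports Valid; PowerShell 2.0/3.0 reports NotSigned for a clean file,
    # so on XP treat NotSigned as "unknown", not as "tampered".
    $sig = Get-AuthenticodeSignature -FilePath $p.Live
    "  signature: {0}" -f $sig.Status
    if ($sig.SignerCertificate) { "  signer   : {0}" -f $sig.SignerCertificate.Subject }
}

# For a definitive answer on XP, Sysinternals sigcheck does the catalog lookup:
#   sigcheck.exe -i C:\Windows\system32\winlogon.exe
# and sfc /scannow compares every protected file against the service pack cache.
```

Two caveats. A hash match only proves the live file equals the ServicePackFiles copy; a file infector that reached the cache would leave both copies identical and both bad, which is why the signature or sfc check matters as a second opinion. And a mismatch straight after a reboot is not necessarily a reinfection, since a Windows Update can legitimately replace either file; compare the version numbers and signer before assuming the worst.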

demofax

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #23 on: August 20, 2010, 01:35:57 PM »
Greetings, I am so sorry to bother you all but I have had exactly the same issue with Avast stating that Bamital-X has infected both explorer.exe and winlogon.exe. I've spent three days trying to find a solution and put off using ComboFix until now for I understand that it's not a tool to be used by someone who is not an expert at these things (which I am not, haha). I ran ComboFix following these instructions and it recognised that winlogon and explorer were infected but when it finishes it says "Deleting files", immediately restarts my system (is this normal?) and does not leave me a log.

When I log on I have to start explorer manually from a version that I put on here from my other computer else I'm left without a taskbar and icons and it won't allow me to start the process from the task manager.

When scanning the WINDOWS folder with Avast it is still telling me that explorer.exe and winlogon.exe are infected even after running ComboFix.

I hope you don't mind that I've posted in this thread and not in a new one. I'll be extremely grateful for any help you can offer. This has been driving me nuts for days!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89217
  • No support PMs thanks
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #24 on: August 20, 2010, 02:27:30 PM »
It may well be an ADS attached to those files or running as a netsvc

Quote
What is an "ADS"?

ADS = Alternative Data Stream, I know you are none the wiser for that ;D

On NTFS formatted drives you have a file and that file also has an alternative data stream associated/linked to it that you can't see in windows explorer, but it can be used for legitimate purposes and unfortunately for malicious purposes. The Alternative Data Stream element of the file doesn't appear in the total file size for the file, the file could be 10KB with a virtually unlimited Alternative Data Stream size that is invisible to all intents and purposes without special tools.

See http://en.wikipedia.org/wiki/Fork_(filesystem) and http://www.windowsecurity.com/articles/Alternate_Data_Streams.html.
« Last Edit: August 20, 2010, 02:30:59 PM by DavidR »
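The description above is easier to believe once you have watched it happen. The following PowerShell session is an added example, not part of DavidR's post: it writes a second data stream onto an ordinary text file, shows that the file's reported size does not include it, enumerates and removes the stream, and finishes with a small helper that audits a directory for files carrying streams other than the main one. It needs an NTFS volume and PowerShell 3.0 or later for the -Stream parameter; the demo file and directory names are mine, and the helper function is not a built-in.

```powershell
# Added example, not from the thread: alternate data streams on NTFS, step by step.
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'innocent.txt'

# 1. A normal file: its content lives in the unnamed main stream, shown as ':$DATA'.
Set-Content -Path $file -Value 'ten bytes!'

# 2. Attach 1 MB of data as a named stream. It is stored under the same file entry,
#    but Explorer, dir, and Get-Item all report only the main stream's size.
Set-Content -Path $file -Stream hidden -Value ('A' * 1MB)
"Size reported by Get-Item : {0} bytes" -f (Get-Item $file).Length

# 3. Enumerate every stream on the file. Output columns: FileName, Stream, Length.
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# 4. The hidden content is fully readable (and, for an executable, loadable) by name.
(Get-Content -Path $file -Stream hidden | Measure-Object -Character).Characters

# 5. Audit helper (not built-in): list files under a directory with streams other than
#    the main one and the Zone.Identifier "mark of the web" that downloads legitimately carry.
function Find-AlternateStreams([string]$Root) {
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' }
        } | Select-Object FileName, Stream, Length
}
Find-AlternateStreams $dir          # reports innocent.txt / hidden / 1048578

# 6. Remove the named stream without touching the main one.
Remove-Item -Path $file -Stream hidden
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# On XP there is no -Stream parameter and no 'dir /r'; Sysinternals streams.exe
# (streams -s C:\Windows) lists and, with -d, deletes alternate streams there.
```

Run Find-AlternateStreams against %SystemRoot% to do the check DavidR is describing; it is slow on a large install, but the output is short, because apart from Zone.Identifier marks almost nothing on a clean system carries a named stream. Note that an ADS cannot be attached to a file on FAT volumes or survive a copy to one, which is one reason copying a suspect file to a USB stick for analysis can silently drop the evidence.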

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #25 on: August 20, 2010, 02:56:16 PM »
@gtc no fair Combofix was deleting the ones that I was going to  :)

Combofix is an exceptionally good tool, however, because of that it does get targeted by malware and can sometimes mess the system.  But, there are safety tools built in which allow us to recover the situation. Obviously they are not publicised otherwise that would negate the effect

sUBs has a paypal link for donations at BC http://www.bleepingcomputer.com/combofix/how-to-use-combofix

How is your computer running now ?

@demofax is there a log at C:\combofix.txt ?

gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #26 on: August 20, 2010, 03:16:05 PM »

Quote
ADS = Alternative Data Stream, I know you are none the wiser for that ;D

On NTFS formatted drives you have a file and that file also has an alternative data stream associated/linked to it that you can't see in windows explorer, but it can be used for legitimate purposes and unfortunately for malicious purposes. The Alternative Data Stream element of the file doesn't appear in the total file size for the file, the file could be 10KB with a virtually unlimited Alternative Data Stream size that is invisible to all intents and purposes without special tools.

Thank you for those links. I understand the concept of extended file attributes from other operating systems, but I had no idea how pathetically slack it is on NTFS. The flimsy compatibility rationale for its existence is unsustainable when compared to the free kick it gives hackers. Why on earth Microsoft persists with it is beyond me ... but then I have never considered Microsoft a clever company. I think it was Steve Jobs who described Windows as a bug-ridden GUI for DOS.  Plus ça change!

gtc

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #27 on: August 20, 2010, 03:31:36 PM »
Quote
@gtc no fair Combofix was deleting the ones that I was going to  :)

Combofix is an exceptionally good tool, however, because of that it does get targeted by malware and can sometimes mess the system.  But, there are safety tools built in which allow us to recover the situation. Obviously they are not publicised otherwise that would negate the effect

sUBs has a paypal link for donations at BC http://www.bleepingcomputer.com/combofix/how-to-use-combofix

How is your computer running now ?

Thanks to ComboFix, and your advice, my PC is running like normal again. For the first time in days I'm able to get some work done. As I said earlier I was slowly going mad trying to get explorer and winlogon replaced.

I'll now visit bleepingcomputer and pay my dues.

I realise that running multiple AV tools simultaneously is not recommended but at the moment for me it's a case of "once bitten twice shy", so I'll run both Avast and McAfee for the time being as they don't seem to be fighting each other and my system response is fine. Ironically I had just renewed my annual subscription to McAfee before I was bitten by the trojan and the new version I just downloaded contains quite a bit more functionality. However, in my direct experience McAfee's Virus Removal Team (based in Bangalore, India from what I gathered over the phone) were out of their depth with this particular trojan.

Thank you to all who have offered information and advice. You guys are like Red Cross medics to the battle wounded.

YoKenny

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #28 on: August 20, 2010, 03:45:16 PM »
Read what AskLeo has to say about running 2 anti-virus applications
Quote
"Running two or more real-time anti-virus monitors at the same time is very likely to cause a conflict."
http://ask-leo.com/can_i_run_more_than_one_antivirus_program_antispyware_program_firewall_should_i.html

Quote
Will using two anti-virus programs at the same time give better protection?

NO! Having more than one Anti-Virus program installed on your computer can cause major program conflicts such as freezing up your computer, greatly slowing it down, causing false positives when scanning for Viruses or just causing all kinds of strange behavior.
http://answers.yahoo.com/question/index?qid=20080827094612AAMa1VT

demofax

  • Guest
Re: Avast keeps reporting a Bamital-X infection of winlogon.exe
« Reply #29 on: August 20, 2010, 03:47:40 PM »
Quote
@demofax is there a log at C:\combofix.txt ?

No, I cannot see one in the folder and I can't find it in a search either.