Author Topic: Winlogon.exe and explorer.exe is infected  (Read 29241 times)


jeith

  • Guest
Winlogon.exe and explorer.exe is infected
« on: October 21, 2010, 04:14:54 AM »
Hi guys,
For about a week I have been getting the message from Avast that winlogon.exe and explorer.exe are infected by bamital-AE. It would not move to the chest as it is a read-only file. Probably because of that, I could not update Windows or even go to Microsoft's Windows Update site. My OS is Windows XP SP3.

This is everything I tried to fix the issue:

1. Malwarebytes scan (after updating the software)
2. Combofix (seemed to have solved the issue but no!)
3. Spybot search and destroy

All the efforts were in vain. I am new to this forum and such malware issues, please help me out guys.

Cheers
Jeith

SafeSurf

  • Guest
Re: Winlogon.exe and explorer.exe is infected
« Reply #1 on: October 21, 2010, 04:25:38 AM »
You can try the following:

Norman Malware Cleaner http://www.norman.com/support/support_tools/58732/en

Hitman Pro 3  http://www.surfright.nl/en/hitmanpro

DrWeb CureIt http://www.freedrweb.com/cureit/?lng=en

How Do I Use Dr.Web CureIt!? http://www.freedrweb.com/cureit/how_it_works/

NOTE:  Do not let it delete winlogon or explorer if you want your computer to run again.
 
Let us know how things work.  Thank you.
« Last Edit: October 21, 2010, 04:28:13 AM by SafeSurf »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89329
  • No support PMs thanks
Re: Winlogon.exe and explorer.exe is infected
« Reply #2 on: October 21, 2010, 04:30:20 AM »
Whatever you do, don't delete or move/remove these files, as it could have a serious impact on your system.

The only effective way to deal with this is to effectively replace the infected files with clean ones, but first you would have to find what infected them or it will do the same with the new files.

This requires specialist tools and someone experienced in their use and our resident malware expert is tucked up in bed, it being 3:30am in the UK.

jeith

  • Guest
Re: Winlogon.exe and explorer.exe is infected
« Reply #3 on: October 21, 2010, 04:34:21 AM »
Alright guys. Now I am running Hitman Pro. I'll let you know the results in a while.

Thanks

jeith

  • Guest
Re: Winlogon.exe and explorer.exe is infected
« Reply #4 on: October 21, 2010, 04:48:03 AM »
I have run Hitman Pro. It identified winlogon.exe and explorer.exe as trojans. It also says to click Next to remove the malicious software. Next to winlogon.exe and explorer.exe, it's marked as "delete" in the drop-down menu. Should I click Next with "delete" as the action (David just said not to delete)? Or should I change it to "do not delete" or "quarantine"?

Wanted to make sure before I go any further.

SafeSurf

  • Guest
Re: Winlogon.exe and explorer.exe is infected
« Reply #5 on: October 21, 2010, 04:51:07 AM »
NOTE:  Do not let it delete winlogon or explorer if you want your computer to run again.
Do NOT delete.

SafeSurf

  • Guest
Re: Winlogon.exe and explorer.exe is infected
« Reply #6 on: October 21, 2010, 04:55:37 AM »
You can attach your HitmanPro log to your post (see below on how to attach a file).

Check the information on the first post of this thread under Virus/Worms for you to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.  

Follow the directions for obtaining the OTL logs.  Post the two (2) OTL logs as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop) > Post).  I am going to contact a Certified Malware expert regarding your case.  His name is Essexboy, and he will contact you in this thread, so make sure to check this thread at least daily for his instructions.

After completing the OTL logs, do not make any further changes to your machine.  Do you have any questions?
« Last Edit: October 21, 2010, 05:01:35 AM by SafeSurf »

jeith

  • Guest
Re: Winlogon.exe and explorer.exe is infected
« Reply #7 on: October 21, 2010, 05:14:29 AM »
I chose the "do not delete" option for winlogon.exe and explorer.exe and proceeded. It removed a few other suspicious entries. After the reboot I got the threat from Avast again, saying that the winlogon.exe file is infected.

Now I can go to the Windows Update website and download updates and stuff. I don't know if my problem is partly fixed?

Also, I don't see a log file for Hitman. Usually it will appear on the desktop; now I can't see it.
« Last Edit: October 21, 2010, 05:37:45 AM by jeith »

jeith

  • Guest
Re: Winlogon.exe and explorer.exe is infected
« Reply #8 on: October 21, 2010, 05:39:42 AM »
After I downloaded and installed the Windows updates, I rebooted. Now Avast says both the winlogon.exe and explorer.exe files are infected by bamital-AE.

jeith

  • Guest
Re: Winlogon.exe and explorer.exe is infected
« Reply #9 on: October 21, 2010, 06:16:46 AM »
I have attached the Hitman log file, OTL file and extras file.

SafeSurf

  • Guest
Re: Winlogon.exe and explorer.exe is infected
« Reply #10 on: October 21, 2010, 09:31:36 AM »
Leave your machine as it is until Essexboy arrives to give you further instructions.  Do not make any additional changes.  Thank you for posting your logs.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Winlogon.exe and explorer.exe is infected
« Reply #11 on: October 21, 2010, 08:31:08 PM »
Hi there, let's start the ball rolling. Never ever let a programme delete or quarantine a vital system file such as winlogon or explorer.

Download Dr Web from here: http://www.freedrweb.com/?lng=en (link on the top right of the page). Tick the EULA and then download.

It will download as an 8-digit file; save it to your desktop.

Restart in safe mode and run it.
Accept the enhanced version.
Then run the quick scan.
About halfway through you will be prompted to buy - just X the box closed.
Once finished, it will generate a log; please attach that.

jeith

  • Guest
Re: Winlogon.exe and explorer.exe is infected
« Reply #12 on: October 22, 2010, 06:53:54 AM »
Hi Essexboy,
I did as you said. At the end of the scan it said "scan complete-no viruses found". I could not find any log file of the scan either. The "save report" option under the File menu was grayed out.

I still get the message from Avast that winlogon.exe and explorer.exe are infected.

jeith

  • Guest
Re: Winlogon.exe and explorer.exe is infected
« Reply #13 on: October 22, 2010, 10:23:03 AM »
Also, one more problem that I have had on and off is that when I do a Google search and click on the search results, I get redirected to some other site.

Offline essexboy

Re: Winlogon.exe and explorer.exe is infected
« Reply #14 on: October 22, 2010, 08:33:06 PM »
OK, in that case it may be a slightly different infection.

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.