Win32:Bamital-AQ affected explorer.exe and winlogon.exe

Hello guys… I am new to this forum… I was looking for a solution online for the Win32:Bamital-AQ infection on explorer.exe and winlogon.exe and came across this forum…

I am using Avast Pro Antivirus 5.0.677 with following virus definitions:
Current Version: 110228-1
Release Date: 2/28/2011
Number of Definitions: 2,603,079

Operating System Info: Windows XP SP 3.

I did a full scan of my PC before posting this thread and it detected the following three infections:

  1. C:\WINDOWS\explorer.exe
  2. C:\WINDOWS\system32\winlogon.exe
  3. C:\WINDOWS\explorer.exe

All the above three are infected by Win32:Bamital-AQ.

NOTE: C:\WINDOWS\explorer.exe shows twice!!

The same infection leads to frequent crashing of explorer.exe… which wipes away all desktop icons and the task manager… for which I need to reboot my PC…

I managed to search for similar threads/topic on this forum and came across a few with solutions, but I want to get an advice from experts before attempting to follow those procedures.

Thanks and looking forward to any help.

Follow the instructions:
http://forum.avast.com/index.php?topic=53253.0

Post your OTS log

Essexboy is notified

@sniper619

Download ComboFix from here and save it to your Desktop.
If you are unsure how ComboFix works please read this guide carefully.
note: ComboFix must be downloaded to your Desktop.

Temporarily disable your AntiVirus program.
If you are unsure how to do this please read this Instruction.

Run ComboFix.
ComboFix will check if there is a newer version of ComboFix available.
Click Yes if prompted to download.
ComboFix will display DISCLAIMER OF WARRANTY ON SOFTWARE.
Click Yes to allow ComboFix to continue.
If the Recovery Console is not installed, ComboFix will offer to download and install it.
Click Yes to allow ComboFix to install Recovery Console.

When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
Post the log report (ComboFix.txt) back to the topic.

Hey guys… thanks for your replies… I have all the tools handy, but would like to know which method I should actually use: MBAM and OTS, or ComboFix?

ComboFix (the expedited procedure) ;D

Please find the ComboFix.txt document attached as you requested.

Open notepad and copy/paste the text present inside the code box below:

File::
c:\windows\system32\fopbjgzcoxnjtg.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"phijwzrecye"="c:\windows\System32\regsvr32.exe"

RegLock::
[HKEY_USERS\S-1-5-21-1993962763-879983540-1177238915-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0d,8a,dc,46,61,60,0f,47,b0,46,4e,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0d,8a,dc,46,61,60,0f,47,b0,46,4e,\




Save this as CFScript.

http://img213.imageshack.us/img213/1218/cfscript1.gif

Close all browser windows and, referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will re-run. When finished, it will produce a log for you.
Copy/paste the contents of the log in your next reply. (typical location: C:\ComboFix.txt)

Hello…please find the attached log file which I obtained after following the previous steps as instructed…Thanks. :slight_smile:

Please do the following:

Download the zip file from this link (http://www.speedyshare.com/files/27524046/winlogon.zip) and extract it to C:\, so that you have:

C:\explorer.exe
C:\winlogon.exe

Restart your computer and press the F8 key.

When the menu appears, choose Microsoft Windows XP.

Then a menu will appear where you should choose Microsoft Windows Recovery Console.

Start the Recovery Console and you will be asked which installation you want to log on to. Type in 1 and confirm with Enter.

You may also be asked for a password; type it in, or just press Enter if you do not have one.

The following will appear on the display:

C:\Windows>_

Next, type the following (confirm each command line with Enter):

cd ..

copy explorer.exe c:\windows\explorer.exe

A prompt will appear: type y

copy winlogon.exe c:\windows\system32\winlogon.exe

A prompt will appear: type y

Then type:

exit

to restart the PC.

All of this will look like the picture below (the yellow boxes show what you type):


http://img209.imageshack.us/img209/118/20110119135814.jpg

Thereafter run ComboFix.
Then post the resulting log.

Write all of this down on paper so you know what to type.


Download gmer.zip from here to your Desktop

Run gmer.exe

  1. Click on the Rootkit/Malware tab.
  2. Click on Scan.
  3. When the scan is done, click on Copy.
  4. Then open Notepad, right-click and choose Paste. Save this Notepad file as file1.

  5. Repeat this with the Autostart tab.
  6. Save this Notepad file as file2.txt.

Attach here file1 and file2 notepads.

After this procedure, download Malwarebytes (http://www.malwarebytes.org/mbam-download.php) to your desktop and run a full scan. Send the log here.

@danny96
The infection is complicated. :wink:
It takes certain work and fix procedures to successfully disinfect and remove this malware.
That is why argus gave him additional diagnostic tools to use, to get some information about the malware.
MBAM cannot do much in this case…

:wink:

Ehm… read my post: AFTER THIS PROCEDURE. So he should just check after the procedure whether the computer is clean now :stuck_out_tongue:

MBAM cannot do much in this case...

I understand you, but you do not understand me :wink:
MBAM can report that it is clean when in fact it is still infected.

:stuck_out_tongue:

Yes, MBAM is not designed to clean that kind of virus. If I am not wrong, Bamital is a patching virus which can't be cleaned by MBAM; correct me if I am wrong, magna86 ;D

Yes, it's a file patcher, plus there is one more thing (malware) in the CF logs…

Malwarebytes is a great solution, but even MBAM cannot always help :smiley:
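The thread above restores explorer.exe and winlogon.exe from clean copies placed in C:\ and describes Bamital as a file patcher. The following Python script is an added example, not code from the thread or from any of the tools named in it. It shows two checks a defender can run on a restored system file: whether it is byte-identical to the known-clean copy (a SHA-256 baseline), and whether the PE section table carries classic file-infector indicators (the entry point lands in a writable section, or in the last section of the image). The PE images, section layout and baseline hash are constructed inline as a test fixture; the heuristics are generic indicators for appending infectors and are an assumption here, not a description of how Bamital itself patches files.

```python
import hashlib
import struct

# Section characteristic flags from the PE specification
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file image, compared against the hash of a known-clean copy."""
    return hashlib.sha256(data).hexdigest()


def pe_sections(data: bytes):
    """Parse a PE image; return (entry_rva, [(name, vaddr, size, characteristics), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # AddressOfEntryPoint sits at offset 16 of the optional header in both PE32 and PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i  # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, _rawptr, _rp, _lp, _nr, _nl, chars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), vaddr, max(vsize, rawsize), chars))
    return entry_rva, sections


def infector_indicators(data: bytes) -> list:
    """Generic file-infector heuristics (assumption: classic indicators, not Bamital-specific)."""
    entry_rva, sections = pe_sections(data)
    findings = []
    home = None
    for idx, (name, vaddr, size, chars) in enumerate(sections):
        if vaddr <= entry_rva < vaddr + size:
            home = idx
            break
    if home is None:
        findings.append("entry point lies outside every section")
        return findings
    name, _, _, chars = sections[home]
    if chars & IMAGE_SCN_MEM_WRITE:
        findings.append(f"entry point in writable section {name}")
    if home == len(sections) - 1 and len(sections) > 1:
        findings.append(f"entry point in last section {name} (appended code?)")
    return findings


def assess(name: str, data: bytes, baseline: dict) -> dict:
    """Compare a file against its known-clean hash and run the structural heuristics."""
    digest = sha256_hex(data)
    return {
        "file": name,
        "hash_matches_clean_copy": baseline.get(name) == digest,
        "indicators": infector_indicators(data),
    }


def build_pe(entry_rva: int, sections) -> bytes:
    """Build a minimal PE32 image (constructed test fixture, not a real executable)."""
    nsec = len(sections)
    headers_len = 64 + 4 + 20 + 224 + 40 * nsec
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIII", 0x10B, 14, 0, 0, 0, 0, entry_rva) + b"\0" * (224 - 20)
    table = b""
    body = b""
    raw_ptr = headers_len
    for name, vaddr, size, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, size, vaddr, size, raw_ptr, 0, 0, 0, 0, chars)
        body += bytes([0x90]) * size                          # filler section content
        raw_ptr += size
    return dos + b"PE\0\0" + coff + opt + table + body


# Constructed samples: a "clean" image and a "patched" one with an appended RWX section
# that the entry point has been redirected into.
CLEAN_SECTIONS = [(b".text", 0x1000, 0x200, 0x60000020), (b".data", 0x2000, 0x200, 0xC0000040)]
CLEAN_IMAGE = build_pe(0x1000, CLEAN_SECTIONS)
PATCHED_IMAGE = build_pe(0x3000, CLEAN_SECTIONS + [(b".patch", 0x3000, 0x200, 0xE0000020)])

# Baseline hash taken from the clean copy (constructed; in practice from known-good media)
BASELINE = {"explorer.exe": sha256_hex(CLEAN_IMAGE)}

if __name__ == "__main__":
    for label, image in (("clean copy", CLEAN_IMAGE), ("patched sample", PATCHED_IMAGE)):
        print(label, assess("explorer.exe", image, BASELINE))
```

The hash comparison is the decisive check after a restore: if the file in C:\WINDOWS no longer matches the clean copy, the replacement did not take or the infector has re-patched it. The section-table heuristics only raise suspicion (packed but legitimate binaries can trip them), so they belong in triage, not as the sole verdict.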

Hey argus, I downloaded the zip file as you instructed and tried to extract it to the C drive, but access was denied; then I shut down Avast and was able to replace them, after which I restarted my PC.

I pressed F8 but did not get any choice about Microsoft Recovery Console; instead, what I got is as follows:

Windows Advanced Options Menu:
Options:
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt

Enable Boot Logging
Enable VGA Mode
Last Known Good Configuration
Directory Services Restore Mode
Debugging Mode
Disable automatic restart on system failure

Start Windows normally
Reboot
Return to OS Choices Menu

Please let me know what to do as I have left the PC in that state without choosing anything.

winlogon.exe and explorer.exe must be in C:\

Download BlitzBlank and save it to your desktop.
http://download1.emsisoft.com/BlitzBlank.exe

The icon looks like this:
http://img6.imageshack.us/img6/9824/icon48blitzblank.png

Click OK at the warning (and take note of it, this is a VERY powerful tool!).
Click the Script tab and copy/paste the following text there:

DeleteFile:
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\winlogon.exe

MoveFile:
c:\winlogon.exe c:\windows\system32\winlogon.exe
c:\explorer.exe c:\windows\explorer.exe

Click Execute Now.
Your computer will need to reboot in order to replace the files.

When done, post the report created by BlitzBlank: C:\blitzblank.txt

Note: If a blue screen appears, do not touch anything.

So what should I select from the Advanced Options Menu which I am stuck on? Reboot or start Windows manually?

Still waiting on the same Advanced Options screen; what option should I opt for? Though I am ready with BlitzBlank (downloaded from my laptop)… and I wanted to be reassured that the 'Blue Screen' is going to be temporary, isn't it?

Choose Start Windows normally and run BlitzBlank.