Winlogon.exe and explorer.exe are infected

Hi guys,
For about a week I have been getting the message from Avast that winlogon.exe and explorer.exe are infected by Bamital-AE. It would not move them to the chest as they are read-only files. Probably because of that I could not update Windows or even go to Microsoft’s Windows Update site. My OS is Windows XP SP3.

This is everything I tried to fix the issue:

  1. Malwarebytes scan (after updating the software)
  2. Combofix (seemed to have solved the issue but no!)
  3. Spybot search and destroy

All the efforts were in vain. I am new to this forum and to such malware issues, please help me out, guys.

Cheers
Jeith

You can try the following:

Norman Malware Cleaner http://www.norman.com/support/support_tools/58732/en

Hitman Pro 3 http://www.surfright.nl/en/hitmanpro

DrWeb CureIt http://www.freedrweb.com/cureit/?lng=en

How Do I Use Dr.Web CureIt!? http://www.freedrweb.com/cureit/how_it_works/

NOTE: Do not let it delete winlogon or explorer if you want your computer to run again.

Let us know how things work. Thank you.

Whatever you do, don’t delete or move/remove these files, as it could have a serious impact on your system.

The only effective way to deal with this is to replace the infected files with clean ones, but first you would have to find what infected them or it will do the same to the new files.

This requires specialist tools and someone experienced in their use and our resident malware expert is tucked up in bed, it being 3:30am in the UK.

Alright guys. Now I am running HitmanPro. I’ll let you know the results in a while.

Thanks

I have run HitmanPro. It identified winlogon.exe and explorer.exe as trojans. It also says to click Next to remove the malicious software. Next to winlogon.exe and explorer.exe it’s marked as “delete” in the drop-down menu. Should I click Next with “delete” as the action (David just said not to delete)? Or should I change it to “do not delete” or “quarantine”?

I wanted to make sure before I go any further.

Do NOT delete.

You can attach your HitmanPro log to your post (see below on how to attach a file).

Check the information in the first post of this thread under Virus/Worms to check your machine for malware: http://forum.avast.com/index.php?topic=53253.0.

Follow the directions for obtaining the OTL logs. Post the two (2) OTL logs as an attachment (Additional Options > Attach > Browse (the logs will be on your desktop) > Post). I am going to contact a Certified Malware expert regarding your case. His name is Essexboy, and he will contact you in this thread, so make sure to check this thread at least daily for his instructions.

After completing the OTL logs, do not make any further changes to your machine. Do you have any questions?

I chose the “do not delete” option for winlogon.exe and explorer.exe and proceeded. It removed a few other suspicious entries. After reboot I got the threat from Avast again saying that winlogon.exe is infected.

Now I can go to the Windows Update website and download updates and such. I don’t know if my problem is partly fixed?

Also I don’t see a log file for HitmanPro. Usually it appears on the desktop, but now I can’t see it.

After I downloaded and installed the Windows updates, I rebooted. Now Avast says both the winlogon.exe and explorer.exe files are infected by Bamital-AE.

I have attached the HitmanPro log file, the OTL file and the Extras file.

Leave your machine as it is until Essexboy arrives to give you further instructions. Do not make any additional changes. Thank you for posting your logs.

Hi there, let’s start the ball rolling. Never ever let a programme delete or quarantine a vital system file such as winlogon or explorer.

Download Dr Web from here http://www.freedrweb.com/?lng=en (link at the top right of the page), tick the EULA and then download.

It will download as an 8-digit file; save it to your desktop.

Restart in safe mode and run it.
Accept the enhanced version.
Then run the quick scan.
About halfway through you will be prompted to buy; just X the box closed.
Once finished it will generate a log; please attach that.

Hi Essexboy,
I did as you said; at the end of the scan it said “scan complete - no viruses found”. I could not find any log file of the scan either. The “save report” option under the File menu was greyed out.

Still I get the message from Avast that winlogon.exe and explorer.exe are infected.

Also, one more problem that I have had on and off is that when I do a Google search and click on the search results I get redirected to some other site.

OK, in that case it may be a slightly different infection.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  2. Double click on ComboFix.exe and follow the prompts.

  3. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  4. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Hi Essexboy,
I tried running ComboFix; as you mentioned, it asked for the Microsoft Recovery Console to be installed. I clicked “yes” to download. After downloading the Recovery Console, a message came up saying “boot partition cannot be enumerated properly”. Then this message came: “What’s next? Click “Yes” to continue scanning for malware, click “No” to exit”.

I did not get the message that “The Recovery Console was successfully installed”. So I did not go ahead with the scan. What do you say, is it alright to scan for malware without installing the Recovery Console?

Yes, run ComboFix. That has given me a possible thought about the malware; it could be a new variant. I’ll see what CF has to say first though.

I have attached the log file of the ComboFix scan.

Also, lately I don’t see a threat with explorer.exe. Avast reports that only winlogon.exe is infected.

Let’s see if we have a copy in your System Restore that is good ;D

  1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:

    SRPeek::
    c:\windows\explorer.exe
    c:\windows\system32\winlogon.exe

  3. Then in the text file go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.

  4. Save the above as CFScript.txt

  5. Then drag the CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

  6. After reboot (in case it asks to reboot), please post the following report/log in your next reply:
     ComboFix.txt
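
The SRPeek step above asks ComboFix to look in System Restore for older copies of the two files, and David’s earlier post makes the point that the real fix is replacing the infected binaries with clean ones. The script below is an added illustration, not part of this thread and not ComboFix’s own logic: once you have a reference copy of winlogon.exe and explorer.exe (from a restore point, the XP SP3 install media, or another clean machine), it compares the live files against the references by SHA-256 and reports which ones differ, how much larger they have become, and which are missing. All paths are hypothetical and the sample files are constructed in a temporary directory; the read-only attribute Avast complained about does not prevent reading, so it is set on one sample to show the check still works.

```python
"""Compare live Windows system binaries against known-good reference copies.

Added example for the thread above (hypothetical paths, constructed samples).
"""
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_to_reference(pairs):
    """pairs maps live_path -> reference_path.

    Returns {live_path: {"status": ..., "size_delta": int or None}} where
    status is 'clean', 'MODIFIED', 'missing-live' or 'missing-reference'.
    A positive size_delta on a MODIFIED file is typical of a file infector
    that appends its own code to the host binary.
    """
    results = {}
    for live, ref in pairs.items():
        live_p, ref_p = Path(live), Path(ref)
        if not live_p.is_file():
            results[live] = {"status": "missing-live", "size_delta": None}
            continue
        if not ref_p.is_file():
            results[live] = {"status": "missing-reference", "size_delta": None}
            continue
        same = sha256_of(live_p) == sha256_of(ref_p)
        results[live] = {
            "status": "clean" if same else "MODIFIED",
            "size_delta": live_p.stat().st_size - ref_p.stat().st_size,
        }
    return results


def demo():
    """Build constructed sample files and return results keyed by file name."""
    tmp = Path(tempfile.mkdtemp(prefix="sysfile-check-"))
    ref_dir, live_dir = tmp / "reference", tmp / "live"
    ref_dir.mkdir()
    live_dir.mkdir()

    # Constructed stand-in for a PE image (not a real binary).
    clean_bytes = b"MZ" + bytes(range(256)) * 8

    # explorer.exe: live copy identical to the reference -> clean
    (ref_dir / "explorer.exe").write_bytes(clean_bytes)
    (live_dir / "explorer.exe").write_bytes(clean_bytes)

    # winlogon.exe: live copy has 512 bytes appended -> MODIFIED, +512
    (ref_dir / "winlogon.exe").write_bytes(clean_bytes)
    infected = live_dir / "winlogon.exe"
    infected.write_bytes(clean_bytes + b"\x90" * 512)
    os.chmod(infected, stat.S_IREAD)  # read-only, as in the Avast message

    # ghost.exe: reference exists but no live file -> missing-live
    (ref_dir / "ghost.exe").write_bytes(clean_bytes)

    names = ("explorer.exe", "winlogon.exe", "ghost.exe")
    pairs = {str(live_dir / n): str(ref_dir / n) for n in names}
    results = compare_to_reference(pairs)

    os.chmod(infected, stat.S_IREAD | stat.S_IWRITE)  # allow cleanup
    shutil.rmtree(tmp, ignore_errors=True)
    return {Path(k).name: v for k, v in results.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict['status']:18} size_delta={verdict['size_delta']}")
```

On a real XP SP3 machine you would point the live side at C:\WINDOWS\explorer.exe and C:\WINDOWS\system32\winlogon.exe and the reference side at the clean copies you obtained; a mismatch tells you the file has been altered, but, as the thread notes, replacing it is only useful after whatever patched it has been removed.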

Hi Essexboy,
I did as you said. It did not ask for a reboot. Here is the log.