I think it's a Win32 bamital-x in the winlogon.exe. Please help!
from avz Log
and HJT
[COLOR="Red"]
Upload result
File saved as 100823_184151_virusinfo_cure_4c7288afa8cc1.zip
File size 13139
MD5 1a594078d0d19b26b32e28fabc968871
File uploaded, thank you![/COLOR]
Hello,
Close/disable all applications except AVZ and Internet Explorer.
- Disconnect your PC from the network (internet/intranet)
- Disable antivirus, firewall and other memory-resident security tools
- Disable System Restore
- [URL="http://virusinfo.info/showthread.php?t=9207"]Execute the following script[/URL]
[CODE]begin
SearchRootkit(true, true);
SetAVZGuardStatus(True);
ClearQuarantine;
QuarantineFile('c:\windows\system32\winlogon.exe','');
QuarantineFile('c:\windows\system32\ec27ser.exe','');
QuarantineFile('c:\program files\common files\devicehelper\devicemanager.exe','');
QuarantineFile('C:\WINDOWS\V0470Mon.exe','');
ExecuteWizard('TSW', 3, 3, true);
ExecuteWizard('SCU', 2, 2, true);
BC_ImportAll;
ExecuteSysClean;
BC_Activate;
SetAVZPMStatus(True);
RebootWindows(true);
end.
[/CODE]
[COLOR="Red"]If the system tries to install any unknown hardware after the reboot, abort the installation and remove the unknown hardware via the hardware manager[/COLOR]
After reboot:
[URL="http://virusinfo.info/showthread.php?t=9207"]execute the following script[/URL]
[code]begin
CreateQurantineArchive('C:\quarantine.zip');
end.
[/code]
- Upload C:\quarantine.zip via the link [COLOR="Red"][B]Upload quarantined files[/B][/COLOR] at the top of this page.
Here is the quarantine.zip file. Thanks!
[COLOR="Red"]Upload result
File saved as 100823_195634_quarantine_4c729a323767f.zip
File size 398527
MD5 4bfc9f71351aa521525a954f2618812c
File uploaded, thank you![/COLOR]
[QUOTE=Rene-gad;693322]Upload C:\quarantine.zip via the link [COLOR="Red"][B]Upload quarantined files[/B][/COLOR] at the top of this page.[/QUOTE]Please make sure that you have [B]really understood[/B] the instruction :)
[B][COLOR="Red"]c:\windows\system32\winlogon.exe ===Trojan.Win32.Patched.kl [/COLOR][/B]
Please replace the file
[CODE]c:\windows\system32\winlogon.exe[/CODE]with the original from your Windows CD using the Recovery Console: [url]http://support.microsoft.com/kb/314058[/url]
Don't [B]remove[/B] the infected file!!! [B]Replace[/B] it :)
After that, please check your PC for other viruses using the Dr.Web Live CD: [url]http://www.freedrweb.com/livecd/?lng=en[/url]
After that, please make new logs according to the rules: [url]http://virusinfo.info/showthread.php?t=9184[/url]
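Added example, not part of the original thread or of AVZ: a detection of Trojan.Win32.Patched means the real winlogon.exe was modified in place, so after replacing it from the CD you want proof that the new copy is genuine. The script below runs two independent checks from an elevated PowerShell prompt once you are back in Windows (the Recovery Console itself has no PowerShell): the Authenticode signature chain and a hash comparison against a known-good copy. The target path is the one from the thread; the reference path (the dllcache copy) and the function names are assumptions for illustration.

```powershell
# Added example (not from the thread): verify a replaced system binary.
# Check 1: Authenticode signature status and signer.
# Check 2: file hash versus a known-good copy (location is an assumption).

$Target    = 'C:\Windows\System32\winlogon.exe'
$Reference = 'C:\Windows\System32\dllcache\winlogon.exe'   # assumed clean copy; point it at your own source

function Get-HashHex {
    # Hash via .NET so this also works on old PowerShell versions without Get-FileHash.
    # $Algorithm is a .NET algorithm name such as 'MD5' or 'SHA256'.
    param([string]$Path, [string]$Algorithm = 'SHA256')
    $algo   = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $algo.ComputeHash($stream)
        return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
    } finally {
        $stream.Close()
        $algo.Clear()
    }
}

function Test-ReplacedSystemFile {
    param([string]$Path, [string]$ReferencePath)

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    $report = [ordered]@{
        Path              = $Path
        SignatureStatus   = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer            = $signer
        SignedByMicrosoft = ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation')
        MD5               = Get-HashHex -Path $Path -Algorithm 'MD5'     # MD5 only because the thread reports MD5s
        SHA256            = Get-HashHex -Path $Path -Algorithm 'SHA256'
        MatchesReference  = $null                # stays $null when no reference copy is available
    }

    if ($ReferencePath -and (Test-Path $ReferencePath)) {
        $refHash = Get-HashHex -Path $ReferencePath -Algorithm 'SHA256'
        $report.MatchesReference = ($report.SHA256 -eq $refHash)
    }

    # A patched binary shows up as SignatureStatus = HashMismatch (embedded signature
    # no longer covers the bytes) or as a hash that differs from the clean copy.
    # The desired outcome is SignedByMicrosoft = True and MatchesReference = True.
    return New-Object PSObject -Property $report
}

Test-ReplacedSystemFile -Path $Target -ReferencePath $Reference | Format-List
```

Caveat: many Windows system files are catalog-signed rather than carrying an embedded signature, and on older Windows/PowerShell builds Get-AuthenticodeSignature does not consult the catalog, so a NotSigned status alone is not evidence of tampering there; the hash comparison against a copy you trust (CD, dllcache, or a clean machine with the same service pack) is the decisive check, and the built-in `sfc /scannow` performs the same kind of verification for all protected files.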
Treatment statistics:
[LIST][*]Quarantines received: [B]2[/B][*]Files processed: [B]13[/B][*]Malicious programs found during treatment:
[LIST=1][*] c:\windows\system32\winlogon.exe - [B]Trojan.Win32.Patched.kl[/B] ( DrWEB: Win32.Dat.3, BitDefender: Win32.Loader.O, NOD32: Win32/Bamital.DX trojan )[/LIST][/LIST]