

explorer.exe and winlogon.exe infection


Re: explorer.exe and winlogon.exe infection

Unread postby biggt1976 » September 24th, 2010, 4:08 pm

here it is:

ComboFix 10-09-23.01 - me 24/09/2010 20:09:05.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.456 [GMT 1:00]
Running from: c:\documents and settings\me\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-08-24 to 2010-09-24 )))))))))))))))))))))))))))))))
.

2010-09-24 19:00 . 2008-04-14 04:42 507904 ----a-w- c:\windows\system32\dllcache\winlogon.exe
2010-09-24 19:00 . 2008-04-14 04:42 1033728 ----a-w- c:\windows\system32\dllcache\explorer.exe
2010-09-24 16:17 . 2010-09-24 16:21 -------- d-----w- C:\MRU
2010-09-24 13:38 . 2010-09-24 13:48 -------- d-----w- C:\sp3
2010-09-23 16:14 . 2010-09-23 16:15 -------- d-----w- c:\program files\QuickTime
2010-09-22 16:38 . 2010-09-22 16:38 109128 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-09-21 17:37 . 2010-09-21 17:37 -------- d-----w- c:\documents and settings\me\Application Data\VDownloader
2010-09-21 17:37 . 2010-09-21 17:37 -------- d-----w- c:\program files\VDownloader
2010-09-20 22:41 . 2010-09-20 22:42 -------- d-----w- c:\documents and settings\me\Application Data\DivX
2010-09-20 22:38 . 2010-09-21 15:15 -------- d-----w- c:\program files\DivX
2010-09-20 22:37 . 2010-09-20 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-09-15 17:37 . 2010-09-15 17:37 -------- d-----w- c:\program files\Trend Micro
2010-09-15 15:31 . 2010-09-15 17:36 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-09-11 16:06 . 2010-09-11 16:06 -------- d-----w- c:\documents and settings\me\Local Settings\Application Data\Sony
2010-09-11 16:03 . 2010-09-11 16:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2010-09-11 16:02 . 2010-09-11 16:03 -------- d-----w- c:\program files\Sony
2010-09-11 16:01 . 2010-09-11 16:06 -------- d-----w- c:\documents and settings\me\Application Data\Sony
2010-09-09 21:46 . 2010-09-09 21:46 -------- d-----w- c:\windows\system32\tempdir
2010-09-09 21:46 . 2009-03-18 13:54 1103360 ----a-w- c:\windows\system32\cidfont.dll
2010-09-09 21:46 . 2005-05-31 02:25 1503232 ----a-w- c:\windows\system32\ptj.exe
2010-09-09 21:46 . 2007-06-27 15:15 4369408 ----a-w- c:\windows\system32\pdftk.exe
2010-09-09 21:46 . 2010-09-09 22:57 -------- d-----w- c:\program files\office Convert Pdf to Jpg Jpeg Tiff Free
2010-09-09 21:24 . 2010-09-09 21:30 -------- d-----w- c:\program files\PDF To Image Converter
2010-09-09 16:29 . 2010-09-09 17:36 -------- d-----w- c:\documents and settings\me\Application Data\Inscriptio
2010-09-09 16:22 . 2010-09-09 16:23 -------- d-----w- c:\program files\Burn CD Now
2010-09-02 17:00 . 2010-09-02 17:00 -------- d-----w- c:\program files\iPod
2010-09-02 17:00 . 2010-09-02 17:01 -------- d-----w- c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-20 23:03 . 2010-09-20 22:42 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-09-20 22:59 . 2010-09-20 22:37 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-09-20 20:53 . 2009-11-02 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-09-17 03:54 . 2009-12-22 21:46 122 ----a-w- c:\documents and settings\me\Application Data\wklnhst.dat
2010-09-17 01:38 . 2010-08-20 23:10 -------- d-----w- c:\documents and settings\me\Application Data\vlc
2010-09-16 02:22 . 2009-11-03 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-15 17:37 . 2010-09-15 17:37 388096 ----a-r- c:\documents and settings\me\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-09 19:24 . 2010-05-24 21:02 -------- d-----w- c:\program files\NCH Swift Sound
2010-09-08 10:50 . 2009-11-03 00:11 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-07 15:12 . 2010-08-15 11:30 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2009-12-22 00:16 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2009-12-22 00:16 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2009-12-22 00:16 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2009-12-22 00:16 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2009-12-22 00:16 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2009-12-22 00:16 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2009-12-22 00:16 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2009-12-22 00:16 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-07 01:20 . 2010-04-10 19:01 -------- d-----w- c:\documents and settings\me\Application Data\dvdcss
2010-09-04 17:52 . 2009-12-10 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-09-02 17:00 . 2010-07-08 21:23 -------- d-----w- c:\program files\Common Files\Apple
2010-09-02 16:24 . 2010-09-02 16:24 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-08-19 23:49 . 2010-05-15 22:59 -------- d-----w- c:\program files\PCFriendly
2010-08-18 19:00 . 2010-08-18 19:00 -------- d-----w- c:\program files\Common Files\Java
2010-08-18 18:57 . 2010-04-07 20:19 -------- d-----w- c:\program files\Java
2010-08-17 18:10 . 2010-09-01 02:37 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
2010-08-17 13:17 . 2008-04-25 20:33 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-11 19:21 . 2009-11-02 23:55 -------- d-----w- c:\program files\Microsoft Works
2010-08-08 18:29 . 2010-08-08 18:29 503808 ----a-w- c:\documents and settings\me\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-794ccc99-n\msvcp71.dll
2010-08-08 18:29 . 2010-08-08 18:29 499712 ----a-w- c:\documents and settings\me\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-794ccc99-n\jmc.dll
2010-08-08 18:29 . 2010-08-08 18:29 61440 ----a-w- c:\documents and settings\me\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-16d4c80e-n\decora-sse.dll
2010-08-08 18:29 . 2010-08-08 18:29 348160 ----a-w- c:\documents and settings\me\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-794ccc99-n\msvcr71.dll
2010-08-08 18:29 . 2010-08-08 18:29 12800 ----a-w- c:\documents and settings\me\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-16d4c80e-n\decora-d3d.dll
2010-07-29 20:23 . 2010-05-24 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-07-29 19:36 . 2010-04-03 12:06 -------- d-----w- c:\documents and settings\me\Application Data\FlashgetSetup
2010-07-29 19:36 . 2010-05-24 19:29 3688936 ----a-w- c:\documents and settings\me\Application Data\FlashgetSetup\fgcn_7.exe
2010-07-22 15:49 . 2008-04-25 20:33 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-11-02 23:44 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 04:00 . 2010-04-26 14:10 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 12:31 . 2008-04-25 20:33 149504 ----a-w- c:\windows\system32\schannel.dll
2009-11-02 23:59 . 2009-11-02 23:59 75 --sh--r- c:\windows\CT4CET.bin
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2008-04-14 . E19C45BCC472139C279C6E0BFE303511 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . 116813FA40809C0181496E0C6964E4B7 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\winlogon.exe

[-] 2008-04-14 . D1697857D70DE75D05082538FE042DFD . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . D2CA345B03BC15942ECE02AFF8717E85 . 1033728 . . [6.00.2900.5512] . . c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-09 39408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]
"OA012Mon"="c:\windows\OA012Mon.exe" [2009-05-11 24576]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
"WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-07-22 623984]
"CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-02-23 320808]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"O2DA"="c:\program files\O2 Assistant\bin\sprtcmd.exe" [2010-04-23 206120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-11-02 23:55 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Documents and Settings\\me\\Application Data\\FlashgetSetup\\fgmini.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [03/11/2009 00:51 14248]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [03/04/2010 17:54 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [22/12/2009 01:16 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [22/12/2009 01:16 17744]
R2 sprtsvc_O2DA;SupportSoft Sprocket Service (O2DA);c:\program files\O2 Assistant\bin\sprtsvc.exe [23/04/2010 15:04 206120]
R2 tgsrvc_O2DA;SupportSoft Repair Service (O2DA);c:\program files\O2 Assistant\bin\tgsrvc.exe [23/04/2010 15:04 185640]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [03/11/2009 00:57 143840]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [03/11/2009 02:18 134144]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [03/11/2009 02:18 133632]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [03/11/2009 02:18 272256]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [03/11/2009 02:18 162816]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 16:52 1352832]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [03/11/2009 02:17 1684736]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [22/01/2010 23:52 102656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-09-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 16:54]

2010-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2010-09-17 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-05-24 21:02]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.yahoo.com/config/login_verify2?&.src=ym
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download all by FlashGet3 - c:\documents and settings\me\Application Data\FlashGetBHO\GetAllUrl.htm
IE: Download by FlashGet3 - c:\documents and settings\me\Application Data\FlashGetBHO\GetUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: kuaiche.com\software
Trusted Zone: o2.co.uk\*.broadband
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-24 20:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\docume~1\me\LOCALS~1\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(868)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\System32\BCMLogon.dll

- - - - - - - > 'explorer.exe'(2740)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-09-24 20:58:53 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-24 19:58

Pre-Run: 40,171,466,752 bytes free
Post-Run: 40,124,633,088 bytes free

- - End Of File - - 0CA8B2428305E28DFAA787A3E9F91C99
biggt1976
Regular Member
 
Posts: 17
Joined: September 16th, 2010, 6:01 pm

Re: explorer.exe and winlogon.exe infection

Unread postby deltalima » September 24th, 2010, 4:26 pm

Hi biggt1976,

We need to replace those two infected files with the clean versions that you downloaded. To make sure we can recover if things go wrong, I need to check a couple of things.

When you first ran Combofix did you install the Recovery Console and when you boot do you have the option to boot into the Recovery Console?

If this computer becomes unbootable, would you have access to another computer that you could use to download an ISO file and burn a bootable CD?
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: explorer.exe and winlogon.exe infection

Unread postby biggt1976 » September 24th, 2010, 5:37 pm

Yeah, I installed the Recovery Console; I remember it saying it was creating a recovery point or something. I'm not sure about getting the option to boot into it though, although there is a black screen that appears briefly upon booting up where it selects the operating system, I think. There are 3 options on that screen and it selects number 3 for Windows XP, I think.

Unfortunately this is the only machine I have at home at the minute. Whether I could borrow someone's is a possibility; if it is a last resort I could probably sort something out, yes.

Thanks
biggt1976
Regular Member
 
Posts: 17
Joined: September 16th, 2010, 6:01 pm

Re: explorer.exe and winlogon.exe infection

Unread postby deltalima » September 24th, 2010, 5:43 pm

Hi biggt1976,

Process Explorer
Please download Process Explorer... by Mark Russinovich.
Save it to your desktop.
  1. Right click on ProcessExplorer.zip and select "Extract All"....
  2. Click Next on the "Welcome to the Compressed (zipped) Folders Extraction Wizard."
  3. Click on the Browse...button, then click on Desktop, then click OK.
  4. Once done, check (tick) the Show extracted files box and click Finish.
  5. Double click procexp.exe to run Process Explorer.
  6. In the top window... find the Process (below) in the list of Processes:
    Winlogon.exe
  7. Right click on the identified process... choose Suspend.

Now open a command prompt window - (start - run - cmd)

Type move c:\windows\system32\winlogon.exe C:\Winlogon.bad and press enter
Type copy c:\mru\winlogon.exe c:\windows\system32\winlogon.exe and press enter

Use Windows Explorer to navigate to the file c:\windows\explorer.exe

Click on explorer.exe then drag it and drop it into the root folder of drive C:

Use Windows Explorer to navigate to the file c:\mru\explorer.exe

Right click on the file and select copy

Paste a copy into the folder c:\windows

Now you will need to reboot by removing power from the computer (remove the battery if a laptop).

Reboot and run a new scan with Combofix and post the log in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
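The Sigcheck block in the first ComboFix log above is the reason both files get swapped out: the live copy and the dllcache copy of winlogon.exe (and of explorer.exe) carry the same size and version string but different MD5s. The script below is an added example written for this page, not a tool from the thread or from ComboFix. It parses the Sigcheck line format as it appears in the posted logs, reports live-versus-dllcache mismatches, checks whether a later log (the one posted after the replacement) still shows them, and offers an on-disk size-plus-MD5 comparison a helper could use to confirm that a downloaded replacement matches the dllcache copy before it is copied into place. The regex and the reading of a mismatch as "worth a look" are the editor's assumptions; the sample lines are copied from the two logs in this thread.

```python
"""Added example (not from the thread or from ComboFix): parse the Sigcheck
block of a ComboFix log, flag Windows system files whose live copy differs
from the dllcache copy, and check whether a later log still shows them."""
import hashlib
import os
import re
from collections import defaultdict

# Constructed sample input: the Sigcheck lines from the first log in the thread
PRE_FIX_SIGCHECK = r"""
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[-] 2008-04-14 . E19C45BCC472139C279C6E0BFE303511 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[-] 2008-04-14 . 116813FA40809C0181496E0C6964E4B7 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\dllcache\winlogon.exe
[-] 2008-04-14 . D1697857D70DE75D05082538FE042DFD . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe
[-] 2008-04-14 . D2CA345B03BC15942ECE02AFF8717E85 . 1033728 . . [6.00.2900.5512] . . c:\windows\system32\dllcache\explorer.exe
"""

# Constructed sample input: the Sigcheck lines from the log posted after the replacement
POST_FIX_SIGCHECK = r"""
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
"""

# Line layout as seen in the posted logs (an assumption, not ComboFix documentation):
# [flag] date . MD5 . size . . [version] . . path
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+(?P<path>\S.*)$"
)


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; lines that do not match the layout are skipped."""
    entries = []
    for raw in text.splitlines():
        m = SIGCHECK_LINE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["md5"] = e["md5"].upper()
        p = e["path"].lower()
        e["name"] = p.rsplit("\\", 1)[-1]
        # Which copy this is: the protected-file cache, a hotfix staging dir, or the live file
        if "\\dllcache\\" in p:
            e["kind"] = "dllcache"
        elif "\\$hf_mig$\\" in p:
            e["kind"] = "hotfix"
        else:
            e["kind"] = "live"
        entries.append(e)
    return entries


def find_mismatches(entries):
    """Map file name -> details for files whose live copy and dllcache copy have different MD5s."""
    by_name = defaultdict(dict)
    for e in entries:
        by_name[e["name"]][e["kind"]] = e
    out = {}
    for name, copies in by_name.items():
        live, cache = copies.get("live"), copies.get("dllcache")
        if live is None or cache is None or live["md5"] == cache["md5"]:
            continue
        out[name] = {
            "live_md5": live["md5"],
            "dllcache_md5": cache["md5"],
            # same size and version with a different hash is the pattern seen for winlogon/explorer
            "same_size": live["size"] == cache["size"],
            "same_version": live["version"] == cache["version"],
        }
    return out


def resolved_between(before_text, after_text):
    """Names that mismatched in the earlier log but no longer mismatch in the later one."""
    before = set(find_mismatches(parse_sigcheck(before_text)))
    after = set(find_mismatches(parse_sigcheck(after_text)))
    return sorted(before - after)


def md5_of_file(path):
    """MD5 only because that is the digest the log reports; this is a match check, not a security proof."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def copies_match(path_a, path_b):
    """True when two on-disk copies have the same size and MD5 (e.g. a downloaded replacement vs dllcache)."""
    if os.path.getsize(path_a) != os.path.getsize(path_b):
        return False
    return md5_of_file(path_a) == md5_of_file(path_b)


if __name__ == "__main__":
    for name, d in sorted(find_mismatches(parse_sigcheck(PRE_FIX_SIGCHECK)).items()):
        print(f"{name}: live {d['live_md5']} vs dllcache {d['dllcache_md5']} "
              f"(same size: {d['same_size']}, same version: {d['same_version']})")
    print("no longer mismatched after replacement:",
          resolved_between(PRE_FIX_SIGCHECK, POST_FIX_SIGCHECK))
```

Run against the first log this reports three mismatches, not two: tcpip.sys also differs between system32\drivers and dllcache (and from the $hf_mig$ copy), which the helper in this thread did not act on. A mismatch is a prompt to look at the file, not a verdict on it, and the comparison against the later log only shows which mismatches went away after the replacement.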

Re: explorer.exe and winlogon.exe infection

Unread postby biggt1976 » September 24th, 2010, 8:08 pm

Hi - a couple of questions from your last message.

You said:

'Use Windows Explorer to navigate to the file c:\windows\explorer.exe

Click on explorer.exe then drag it and drop it into the root folder of drive C:

Use Windows Explorer to navigate to the file c:\mru\explorer.exe'

regarding the second and third line, do you mean drag and drop explorer.exe from c:\windows to c:\mru ?

Also, when you put 'Now you will need to reboot by removing power from the computer (remove the battery if a laptop).'

Do you mean I've got to physically unscrew the back of my notebook and take the battery out?

Thanks
biggt1976
Regular Member
 
Posts: 17
Joined: September 16th, 2010, 6:01 pm

Re: explorer.exe and winlogon.exe infection

Unread postby deltalima » September 25th, 2010, 4:17 am

Hi biggt1976,

No, drag the original explorer from c:\windows to c:\ to keep a copy in c:\

Then copy the new explorer from c:\mru to c:\windows

I hope this is clear, please ask if not.

There should be a sliding latch to allow you to remove the battery. If not, then remove the power and leave the laptop (do not use it) until the battery discharges and the laptop goes off, then put the power back on to reboot.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: explorer.exe and winlogon.exe infection

Unread postby biggt1976 » September 25th, 2010, 10:46 am

Hi

So drag explorer.exe from c:\windows to just c:\, not in any folder or anything, just go to Start > My Computer > OS (C:) and drag it there?


Yes, there is a sliding latch on each side, so just pull it out with those then?
biggt1976
Regular Member
 
Posts: 17
Joined: September 16th, 2010, 6:01 pm

Re: explorer.exe and winlogon.exe infection

Unread postby deltalima » September 25th, 2010, 11:45 am

so drag explorer.exe from c:\windows to just c:\


Yes, that is correct.

sliding latch on each side, so just pull it out with those then?


Yes, that should do it, if you are unsure then just let the battery discharge.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: explorer.exe and winlogon.exe infection

Unread postby biggt1976 » September 27th, 2010, 2:23 pm

Hi

I'm not sure I've done the last bit correctly. Basically I was on my laptop with the power lead plugged in. Going by your directions I then removed the battery completely and nothing happened. I then realised that obviously I still had power from the power lead, so I removed this and the laptop turned off immediately. I then tried to reboot the machine by pressing the On button on the laptop but nothing happened, so I had to plug the power lead back in and then press the On button again and it booted up. The battery was still out. I then ran ComboFix and this is the log I got:

ComboFix 10-09-26.04 - me 27/09/2010 18:50:46.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.420 [GMT 1:00]
Running from: c:\documents and settings\me\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\libem.INI

.
((((((((((((((((((((((((( Files Created from 2010-08-27 to 2010-09-27 )))))))))))))))))))))))))))))))
.

2010-09-27 17:23 . 2008-04-14 04:42 1033728 ----a-w- c:\windows\explorer.exe
2010-09-27 17:20 . 2010-09-27 17:20 -------- d--h--w- c:\windows\PIF
2010-09-27 17:20 . 2008-04-14 04:42 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-09-24 19:00 . 2008-04-14 04:42 507904 ----a-w- c:\windows\system32\dllcache\winlogon.exe
2010-09-24 19:00 . 2008-04-14 04:42 1033728 ----a-w- c:\windows\system32\dllcache\explorer.exe
2010-09-24 16:17 . 2010-09-24 16:21 -------- d-----w- C:\MRU
2010-09-24 13:38 . 2010-09-24 13:48 -------- d-----w- C:\sp3
2010-09-23 16:14 . 2010-09-23 16:15 -------- d-----w- c:\program files\QuickTime
2010-09-22 16:38 . 2010-09-22 16:38 109128 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-09-21 17:37 . 2010-09-21 17:37 -------- d-----w- c:\documents and settings\me\Application Data\VDownloader
2010-09-21 17:37 . 2010-09-21 17:37 -------- d-----w- c:\program files\VDownloader
2010-09-20 22:41 . 2010-09-20 22:42 -------- d-----w- c:\documents and settings\me\Application Data\DivX
2010-09-20 22:38 . 2010-09-21 15:15 -------- d-----w- c:\program files\DivX
2010-09-20 22:37 . 2010-09-20 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2010-09-15 17:37 . 2010-09-15 17:37 -------- d-----w- c:\program files\Trend Micro
2010-09-15 15:31 . 2010-09-15 17:36 -------- d-----w- c:\program files\Eusing Free Registry Cleaner
2010-09-11 16:06 . 2010-09-11 16:06 -------- d-----w- c:\documents and settings\me\Local Settings\Application Data\Sony
2010-09-11 16:03 . 2010-09-11 16:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Sony
2010-09-11 16:02 . 2010-09-11 16:03 -------- d-----w- c:\program files\Sony
2010-09-11 16:01 . 2010-09-11 16:06 -------- d-----w- c:\documents and settings\me\Application Data\Sony
2010-09-09 21:46 . 2010-09-09 21:46 -------- d-----w- c:\windows\system32\tempdir
2010-09-09 21:46 . 2009-03-18 13:54 1103360 ----a-w- c:\windows\system32\cidfont.dll
2010-09-09 21:46 . 2005-05-31 02:25 1503232 ----a-w- c:\windows\system32\ptj.exe
2010-09-09 21:46 . 2007-06-27 15:15 4369408 ----a-w- c:\windows\system32\pdftk.exe
2010-09-09 21:46 . 2010-09-09 22:57 -------- d-----w- c:\program files\office Convert Pdf to Jpg Jpeg Tiff Free
2010-09-09 21:24 . 2010-09-09 21:30 -------- d-----w- c:\program files\PDF To Image Converter
2010-09-09 16:29 . 2010-09-09 17:36 -------- d-----w- c:\documents and settings\me\Application Data\Inscriptio
2010-09-09 16:22 . 2010-09-09 16:23 -------- d-----w- c:\program files\Burn CD Now
2010-09-02 17:00 . 2010-09-02 17:00 -------- d-----w- c:\program files\iPod
2010-09-02 17:00 . 2010-09-02 17:01 -------- d-----w- c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-20 23:03 . 2010-09-20 22:42 57344 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-09-20 22:59 . 2010-09-20 22:37 144696 ----a-w- c:\documents and settings\All Users\Application Data\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-09-20 20:53 . 2009-11-02 23:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-09-17 03:54 . 2009-12-22 21:46 122 ----a-w- c:\documents and settings\me\Application Data\wklnhst.dat
2010-09-17 01:38 . 2010-08-20 23:10 -------- d-----w- c:\documents and settings\me\Application Data\vlc
2010-09-16 02:22 . 2009-11-03 00:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-09-15 17:37 . 2010-09-15 17:37 388096 ----a-r- c:\documents and settings\me\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-09 19:24 . 2010-05-24 21:02 -------- d-----w- c:\program files\NCH Swift Sound
2010-09-08 10:50 . 2009-11-03 00:11 -------- d-----w- c:\program files\Microsoft Silverlight
2010-09-07 15:12 . 2010-08-15 11:30 38848 ----a-w- c:\windows\avastSS.scr
2010-09-07 15:11 . 2009-12-22 00:16 167592 ----a-w- c:\windows\system32\aswBoot.exe
2010-09-07 14:52 . 2009-12-22 00:16 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-09-07 14:52 . 2009-12-22 00:16 165584 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-09-07 14:47 . 2009-12-22 00:16 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-09-07 14:47 . 2009-12-22 00:16 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-09-07 14:47 . 2009-12-22 00:16 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-09-07 14:47 . 2009-12-22 00:16 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-09-07 14:46 . 2009-12-22 00:16 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-09-07 01:20 . 2010-04-10 19:01 -------- d-----w- c:\documents and settings\me\Application Data\dvdcss
2010-09-04 17:52 . 2009-12-10 12:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-09-02 17:00 . 2010-07-08 21:23 -------- d-----w- c:\program files\Common Files\Apple
2010-09-02 16:24 . 2010-09-02 16:24 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe
2010-08-19 23:49 . 2010-05-15 22:59 -------- d-----w- c:\program files\PCFriendly
2010-08-18 19:00 . 2010-08-18 19:00 -------- d-----w- c:\program files\Common Files\Java
2010-08-18 18:57 . 2010-04-07 20:19 -------- d-----w- c:\program files\Java
2010-08-17 18:10 . 2010-09-01 02:37 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
2010-08-17 13:17 . 2008-04-25 20:33 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-11 19:21 . 2009-11-02 23:55 -------- d-----w- c:\program files\Microsoft Works
2010-08-08 18:29 . 2010-08-08 18:29 503808 ----a-w- c:\documents and settings\me\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-794ccc99-n\msvcp71.dll
2010-08-08 18:29 . 2010-08-08 18:29 499712 ----a-w- c:\documents and settings\me\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-794ccc99-n\jmc.dll
2010-08-08 18:29 . 2010-08-08 18:29 61440 ----a-w- c:\documents and settings\me\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-16d4c80e-n\decora-sse.dll
2010-08-08 18:29 . 2010-08-08 18:29 348160 ----a-w- c:\documents and settings\me\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-794ccc99-n\msvcr71.dll
2010-08-08 18:29 . 2010-08-08 18:29 12800 ----a-w- c:\documents and settings\me\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-16d4c80e-n\decora-d3d.dll
2010-07-29 20:23 . 2010-05-24 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-07-29 19:36 . 2010-04-03 12:06 -------- d-----w- c:\documents and settings\me\Application Data\FlashgetSetup
2010-07-29 19:36 . 2010-05-24 19:29 3688936 ----a-w- c:\documents and settings\me\Application Data\FlashgetSetup\fgcn_7.exe
2010-07-22 15:49 . 2008-04-25 20:33 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-11-02 23:44 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-17 04:00 . 2010-04-26 14:10 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-06-30 12:31 . 2008-04-25 20:33 149504 ----a-w- c:\windows\system32\schannel.dll
2009-11-02 23:59 . 2009-11-02 23:59 75 --sh--r- c:\windows\CT4CET.bin
.

------- Sigcheck -------

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-09 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-15 1434920]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-15 17529856]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-02-15 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-02-15 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-02-15 137752]
"OA012Mon"="c:\windows\OA012Mon.exe" [2009-05-11 24576]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2009-01-06 2289664]
"WSED"="c:\program files\WSED\WSED.exe" [2009-05-27 247080]
"BTMeter"="c:\program files\Battery Meter\BTMeter.exe" [2009-07-22 623984]
"CapsLKNotify"="c:\program files\CapsLKNotify\CapsLKNotify.exe" [2009-02-23 320808]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-06-17 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"O2DA"="c:\program files\O2 Assistant\bin\sprtcmd.exe" [2010-04-23 206120]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-01 421160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-27 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-11-02 23:55 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Documents and Settings\\me\\Application Data\\FlashgetSetup\\fgmini.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 EMSC;COMPAL Embedded System Control;c:\windows\system32\drivers\EMSC.sys [03/11/2009 00:51 14248]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [03/04/2010 17:54 64288]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [22/12/2009 01:16 165584]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [22/12/2009 01:16 17744]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [04/02/2010 16:52 1352832]
R2 sprtsvc_O2DA;SupportSoft Sprocket Service (O2DA);c:\program files\O2 Assistant\bin\sprtsvc.exe [23/04/2010 15:04 206120]
R2 tgsrvc_O2DA;SupportSoft Repair Service (O2DA);c:\program files\O2 Assistant\bin\tgsrvc.exe [23/04/2010 15:04 185640]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [03/11/2009 00:57 143840]
R3 OA012Afx;Provides a software interface to control audio effects of OA012 camera.;c:\windows\system32\drivers\OA012Afx.sys [03/11/2009 02:18 134144]
R3 OA012Ufd;Creative Camera OA012 Upper Filter Driver;c:\windows\system32\drivers\OA012Ufd.sys [03/11/2009 02:18 133632]
R3 OA012Vid;Creative Camera OA012 Function Driver;c:\windows\system32\drivers\OA012Vid.sys [03/11/2009 02:18 272256]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [03/11/2009 02:18 162816]
S2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll" /prefetch:1 --> c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [03/11/2009 02:17 1684736]
S3 hwusbfake;Huawei DataCard USB Fake;c:\windows\system32\drivers\ewusbfake.sys [22/01/2010 23:52 102656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2010-09-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 16:54]

2010-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]

2010-09-17 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-05-24 21:02]
.
.
------- Supplementary Scan -------
.
uStart Page = https://login.yahoo.com/config/login_verify2?&.src=ym
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Download all by FlashGet3 - c:\documents and settings\me\Application Data\FlashGetBHO\GetAllUrl.htm
IE: Download by FlashGet3 - c:\documents and settings\me\Application Data\FlashGetBHO\GetUrl.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
Trusted Zone: kuaiche.com\software
Trusted Zone: o2.co.uk\*.broadband
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-27 19:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(864)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\windows\System32\BCMLogon.dll
.
Completion time: 2010-09-27 19:12:37
ComboFix-quarantined-files.txt 2010-09-27 18:12
ComboFix2.txt 2010-09-24 19:58

Pre-Run: 39,278,977,024 bytes free
Post-Run: 39,257,571,328 bytes free

- - End Of File - - AEFDBB6AB8328805D6F8652E4291F25B

I still have the battery removed from my laptop; can you please let me know ASAP when I can put it back in.

I look forward to your latest advice and opinion on the infection!

Cheers
T
biggt1976
Regular Member
Posts: 17
Joined: September 16th, 2010, 6:01 pm
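The Sigcheck section of the ComboFix log above lists three copies of tcpip.sys with the same size and version string but different MD5 hashes, and the live copy in system32\drivers is the odd one out. As an added example (not ComboFix's own code, and not posted by anyone in this thread), the script below parses such Sigcheck lines and flags files whose hash differs from the Windows File Protection copy in dllcache; the $hf_mig$ staging copy is skipped because a QFE hotfix build legitimately differs from the GDR build in dllcache.

```python
# Added example (not ComboFix's own code): parse the Sigcheck section of a
# ComboFix log and flag system files whose MD5 differs from the Windows File
# Protection copy in system32\dllcache. Same size and version string with a
# different hash is consistent with a binary patched in place.
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# One Sigcheck line: [flag] date . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)

class Entry(NamedTuple):
    flag: str      # ComboFix's bracketed marker, copied through as-is
    md5: str
    size: int
    version: str
    path: str

def parse_sigcheck(text: str) -> List[Entry]:
    """Return one Entry per well-formed Sigcheck line; other lines are skipped."""
    out: List[Entry] = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if m:
            out.append(Entry(m["flag"], m["md5"].upper(), int(m["size"]),
                             m["version"], m["path"]))
    return out

def find_mismatches(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map file name -> paths whose MD5 differs from the dllcache copy.

    $hf_mig$ staging copies are skipped: a SP3QFE hotfix build and the SP3GDR
    build kept in dllcache legitimately differ, so comparing them would raise
    a false alarm.
    """
    groups: Dict[str, List[Entry]] = defaultdict(list)
    for e in entries:
        groups[e.path.rsplit("\\", 1)[-1].lower()].append(e)
    flagged: Dict[str, List[str]] = {}
    for name, group in groups.items():
        ref = [e for e in group if "\\dllcache\\" in e.path.lower()]
        if not ref:
            continue  # no protected copy to compare against
        bad = [e.path for e in group
               if e is not ref[0]
               and "$hf_mig$" not in e.path.lower()
               and e.md5 != ref[0].md5]
        if bad:
            flagged[name] = bad
    return flagged

# The three tcpip.sys lines quoted from the ComboFix log in this thread.
SAMPLE = """\
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\\windows\\$hf_mig$\\KB951748\\SP3QFE\\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\\windows\\system32\\dllcache\\tcpip.sys
[-] 2008-06-20 . 4AFB3B0919649F95C1964AA1FAD27D73 . 361600 . . [5.1.2600.5625] . . c:\\windows\\system32\\drivers\\tcpip.sys
"""

if __name__ == "__main__":
    for name, paths in find_mismatches(parse_sigcheck(SAMPLE)).items():
        print(f"{name}: does not match dllcache copy -> {', '.join(paths)}")
```

A hash mismatch against dllcache is a lead, not a verdict; the matching step a helper would take next is to check the live file's Authenticode signature or compare it against a clean copy from installation media.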

Re: explorer.exe and winlogon.exe infection

Unread postby deltalima » September 27th, 2010, 2:58 pm

Hi biggt1976,

I still have the battery removed from my laptop


OK, put the battery back; the job has been completed successfully.

I'm not sure I've done the last bit correct


It looks like you did it correctly. Well done! The infections have been removed.

The next job is to re-install Windows Service Pack 3; this can be done by double-clicking on the file you downloaded, c:\sp3\WindowsXP-KB936929-SP3-x86-ENU.exe, then following the instructions. This may take a while and will require a reboot.

When complete then –

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply and also let me know how your computer is running now.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: explorer.exe and winlogon.exe infection

Unread postby biggt1976 » September 28th, 2010, 6:22 am

Hi

here is the log from Kaspersky or whatever it's called lol:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, September 28, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, September 27, 2010 19:42:30
Records in database: 4244539
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\

Scan statistics:
Objects scanned: 123885
Threats found: 1
Infected objects found: 4
Suspicious objects found: 0
Scan duration: 08:27:05


File name / Threat / Threats count
C:\System Volume Information\_restore{64534B76-601D-4598-8429-4DF73C537AF3}\RP10\A0011116.exe Infected: Trojan.Win32.Patched.kl 1
C:\System Volume Information\_restore{64534B76-601D-4598-8429-4DF73C537AF3}\RP10\A0011117.exe Infected: Trojan.Win32.Patched.kl 1
C:\System Volume Information\_restore{64534B76-601D-4598-8429-4DF73C537AF3}\RP10\A0011118.exe Infected: Trojan.Win32.Patched.kl 1
C:\winlogon.bad Infected: Trojan.Win32.Patched.kl 1

Selected area has been scanned.

I notice it says there are still infections, do we need to do anything about those?

When I asked for your help a few days ago I was getting warnings from Avast every few minutes saying they had blocked a virus etc, but now I am not getting anything from them, so the machine is definitely running better! Thanks for that. I just remembered, what about that setting we changed earlier that was 'show all files' or something like that, and I messaged you because I got a message up saying that it could make the machine inoperable. You said we would put this setting back to normal but I don't think it has been done, has it? Please let me know about this. The browser re-direct from the search results in Google etc also seems to have been solved; I am actually getting to the sites I should do when I click the links, so again, thank you very much.
biggt1976
Regular Member
Posts: 17
Joined: September 16th, 2010, 6:01 pm

Re: explorer.exe and winlogon.exe infection

Unread postby deltalima » September 28th, 2010, 7:24 am

Hi biggt1976,

I notice it says there are still infections, do we need to do anything about those?


One is a copy we made of one of the infected files and we will remove it now; the others are in the System Restore area and will be removed later.

Using Windows Explorer (to get there right-click your Start button and go to Explore), please delete these files (if present):

C:\winlogon.bad

what about that setting we changed earlier that was 'show all files' or something like that


Yes that will be done further down these instructions.

  • Click Start, point to Settings, and then click Control Panel.
  • In Control Panel, double-click Add or Remove Programs.
  • In Add or Remove Programs,
    highlight Advertising Center
    click Remove
    highlight Ask Toolbar
    click Remove
  • Close the Add or Remove Programs and the Control Panel windows.

You should Download and Install the newest version of Adobe Reader for reading pdf files, due to the vulnerabilities in earlier versions.
All versions numbered lower than 9.3 are vulnerable.
  • Go HERE, UNCHECK any Free Add-Ons, and click Download to install the latest version of Adobe Acrobat Reader.
  • After it completes the Installation, close the Download Manager.

Now that you are clean, please follow these steps in order to keep your computer clean and secure


Uninstall ComboFix

  • Click START then RUN
  • Now type Combofix /Uninstall in the runbox and click OK


Remove all used tools

Please download OTC and save it to desktop.
  • Double-click OTC.exe..
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


Update your AntiVirus Software and keep your other programs up-to-date
Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Security Updates for Windows, Internet Explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released. Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety


Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: explorer.exe and winlogon.exe infection

Unread postby biggt1976 » September 28th, 2010, 1:33 pm

Hey

I've done all that. One thing, you said:

In Add or Remove Programs,
highlight Advertising Center
click Remove
highlight Ask Toolbar
click Remove

But neither of these programmes were in the list?

I just want to say thanks again. Do you guys get paid for doing this cos you should do, it must be a full time job judging by the new problems every day on here!

Cheers
T
biggt1976
Regular Member
Posts: 17
Joined: September 16th, 2010, 6:01 pm

Re: explorer.exe and winlogon.exe infection

Unread postby deltalima » September 28th, 2010, 2:10 pm

Hi biggt1976,

But neither of these programmes were in the list?


They often do not appear in Add / Remove Programs; we can manually stop them using HijackThis.

Please re-open HijackThis and select Scan. Check the boxes next to all the entries listed below (if present):

O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll


Now close all other open windows and then click on Fix Checked. Close HijackThis.

I just want to say thanks again. Do you guys get paid for doing this cos you should do


You are very welcome!

The service is provided on a voluntary basis, however if you wish to contribute there is a page here with details.
deltalima
Admin/Teacher
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: explorer.exe and winlogon.exe infection

Unread postby muppy03 » September 30th, 2010, 4:16 am

As your problems appear to have been resolved, this topic is now closed.
We are pleased we could help you resolve your computer's malware issues.

If you are satisfied with our assistance and wish to donate to help with the costs of this volunteer site, please read :
Donations For Malware Removal
muppy03
MRU Emeritus
Posts: 4782
Joined: December 4th, 2007, 5:30 am
Location: Australia