Winlogon.exe and Explorer.Exe Virus with AVG

Hi i am getting constant virus alerts from AVG. I have run COmbofix and attached the report, any help would be great thanks!

ComboFix 10-11-10.01 - Andrew 11/11/2010 13:53:12.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.895.505 [GMT 11:00]
Running from: c:\documents and settings\Andrew\Desktop\ComboFix.exe
..

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
..

c:\windows\system32\winlogon.exe . . . is infected!!

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

..
((((((((((((((((((((((((( Files Created from 2010-10-11 to 2010-11-11 )))))))))))))))))))))))))))))))
..

2010-11-10 03:02 . 2010-11-10 03:02 5460 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2010-11-10 00:43 . 2010-11-10 00:43 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-11-03 23:59 . 2010-11-11 01:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-02 02:11 . 2010-11-02 02:11 -------- d-----w- c:\documents and settings\Andrew\Application Data\AVG10
2010-11-02 02:07 . 2010-11-02 02:07 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2010-11-02 02:05 . 2010-11-11 02:34 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
2010-11-02 02:04 . 2010-11-02 02:04 -------- d-----w- c:\program files\AVG
2010-11-02 01:56 . 2010-11-11 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData

..
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
..
2009-01-10 04:30 . 2008-03-14 00:45 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-01-10 04:30 . 2008-03-14 00:45 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-01-10 04:30 . 2008-03-14 00:45 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-01-10 04:30 . 2008-03-14 00:45 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-01-10 04:30 . 2008-03-14 00:45 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
..

------- Sigcheck -------

[-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download.bak\cf8ec753e88561d2ddb53e183dc05c3e\winlogon.exe
[-] 2004-08-04 . 6E5AC6AEBDC9B080E8C1DCC2141F5539 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download.bak\cf8ec753e88561d2ddb53e183dc05c3e\explorer.exe
[-] 2007-06-13 . 04D9D3792735FE66B9A12D878F6EC355 . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
[7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[7] 2004-08-04 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
..
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
..
..
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-10 218032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-03-28 454656]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 925696]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-01-19 159744]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-10 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-10 86960]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-24 210472]
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="c:\program files\Mediafour\MacDrive 7\MacDrive.exe" [2007-07-12 179288]
"MDGetStarted.exe"="c:\program files\Mediafour\MacDrive 7\MDGetStarted.exe" [2007-06-13 139264]
"WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2007-05-07 589824]
"EPSON Stylus CX4700 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIADP.EXE" [2005-02-02 98304]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-04-12 47392]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-04-28 142120]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2006-11-07 12451]

c:\documents and settings\Andrew\Start Menu\Programs\Startup\
Shortcut to netlogin.lnk - c:\documents and settings\Andrew\My Documents\netlogin.bat [2008-7-14 73]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\Soulseek-Test\\slsk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Azureus\\Azureus.exe"=
"c:\\KAV\\KAV70\\English\\setup.exe"=
"c:\\Program Files\\Webcam\\NetCamCtr1\\WSRV.exe"=
"c:\\Program Files\\TightVNC\\WinVNC.exe"=
"c:\\Program Files\\IncredibleCharts\\IncredibleCharts.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:DHCP Discovery Service
"5400:TCP"= 5400:TCP:Cameras
"5400:UDP"= 5400:UDP:Cameras UDP

R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [5/09/2007 4:01 PM 277888]
R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.sys [28/02/2007 12:15 PM 19072]
R2 MacDriveService;MacDriveService;c:\program files\Mediafour\MacDrive 7\MacDriveService.exe [1/05/2007 3:55 PM 143360]
R3 keybmon;keybmon;c:\windows\system32\drivers\keybmon.sys [25/10/2008 12:07 PM 4934]
R3 mousmon;mousmon;c:\windows\system32\drivers\mousmon.sys [25/10/2008 12:07 PM 3491]
S2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe --> c:\program files\iolo\common\lib\ioloServiceManager.exe [?]
S3 hwcdcmdm0;HUAWEI Mobile Connect - 3G Modem;c:\windows\system32\drivers\ewusbmdm.sys [27/07/2008 3:21 PM 100992]
S3 hwusbapp;HUAWEI Mobile Connect - 3G PC UI Interface;c:\windows\system32\drivers\ewusbapp.sys [27/02/2008 12:21 PM 65152]
S3 hwusbser;HUAWEI Mobile Connect - 3G Application Interface;c:\windows\system32\drivers\ewusbser.sys [27/02/2008 12:21 PM 65152]
S3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\drivers\s816bus.sys [19/01/2008 1:29 PM 81832]
S3 s816mdfl;Sony Ericsson Device 816 USB WMC Modem Filter;c:\windows\system32\drivers\s816mdfl.sys [19/01/2008 1:29 PM 13864]
S3 s816mdm;Sony Ericsson Device 816 USB WMC Modem Driver;c:\windows\system32\drivers\s816mdm.sys [19/01/2008 1:29 PM 107304]
S3 s816mgmt;Sony Ericsson Device 816 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s816mgmt.sys [19/01/2008 1:29 PM 99112]
S3 s816nd5;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (NDIS);c:\windows\system32\drivers\s816nd5.sys [19/01/2008 1:30 PM 21928]
S3 s816obex;Sony Ericsson Device 816 USB WMC OBEX Interface;c:\windows\system32\drivers\s816obex.sys [19/01/2008 1:29 PM 97320]
S3 s816unic;Sony Ericsson Device 816 USB Ethernet Emulation SEMCMR7 (WDM);c:\windows\system32\drivers\s816unic.sys [19/01/2008 1:29 PM 97704]
S3 Webcam Corp. Service Starter;Webcam Corp. Service Starter;c:\program files\Webcam\NetCamCtr1\dogsvc.exe --> c:\program files\Webcam\NetCamCtr1\dogsvc.exe [?]
..
Contents of the 'Scheduled Tasks' folder

2010-11-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 02:34]
..
..
------- Supplementary Scan -------
..
uStart Page = hxxp://www.google.com.au/
uInternet Settings,ProxyOverride = *.local
IE: Add to AMV Convert Tool... - c:\program files\MP3 Player Utilities 4.00\AMVConverter\grab.html
IE: Add to Media Manager... - c:\program files\MP3 Player Utilities 4.00\MediaManager\grab.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {D3D7646F-90DD-477D-8C07-F9A2D7F7B70B} = 10.1.1.1,10.1.150.1
DPF: {15A02B79-60BB-42B8-814E-BF8364106B9E} - hxxp://images.commsec.com.au/downloads/pco3/Pco3X_Commsec.cab
FF - ProfilePath - c:\documents and settings\Andrew\Application Data\Mozilla\Firefox\Profiles\f0ve9pzv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
..
..
------- File Associations -------
..
JSEFile=NOTEPAD.EXE %1
..

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-11 14:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
..
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(908)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3168)
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\progra~1\WINZIP\WZSHLSTB.DLL
c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll
c:\windows\system32\browselc.dll
c:\program files\Common Files\Mediafour\MACFPROP.DLL
c:\program files\Common Files\Mediafour\MACDRAPI.DLL
c:\program files\Common Files\Mediafour\1033\MACFPROP.DL_
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\shdoclc.dll
..
------------------------ Other Running Processes ------------------------
..
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\hpq\Shared\HPQTOA~1.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\windows\system32\SearchProtocolHost.exe
c:\windows\system32\SearchFilterHost.exe
c:\windows\system32\SearchProtocolHost.exe
..
**************************************************************************
..
Completion time: 2010-11-11 14:05:06 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-11 03:05
ComboFix2.txt 2010-11-10 02:40
ComboFix3.txt 2010-11-10 00:23

Pre-Run: 2,640,130,048 bytes free
Post-Run: 2,657,452,032 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer

- - End Of File - - C0FF8178DBFF66115980E92BD858613C

Hello cakeman and welcome to G2G!

My nick is maliprog and I'll will be your technical support on this issue. Before we start cleaning your PC you must print or save to Desktop (in .txt file) this instructions so you can access it in Safe Mode with no internet connection.

NOTE:

Be advised that I am still in training, so there may be a delay between replies. Each reply must be approved by a resident expert before I will be allowed to post them to you.
Malware removal is NOT instantaneous, most infections require several courses of action to completely eradicate.
Absence of symptoms does not always mean the computer is clean
Kindly follow my instructions in the order posted. Order is crucial in cleaning process.
Please DO NOT run any scans or fix on your own without my direction.
Please read all of my response through at least once before attempting to follow the procedures described. I would recommend printing them out, if you can, as you can check off each step as you complete it. If there's anything you don't understand or isn't totally clear, please come back to me for clarification.
Please do not attach any log files to your replies unless I specifically ask you. Instead please copy and paste so as to include the log in your reply. You can do this in separate posts if it's easier for you.

Do you have Windows XP Service pack 2 installation disk? Maybe we will need it to repair your system.

Step 1

Download OTL to your Desktop

Double click on the icon to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator")
. Make sure all other windows are closed and to let it run uninterrupted.
Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%*.*
%systemroot%system32*.wt
%systemroot%system32*.ruy
%systemroot%Fonts*.com
%systemroot%Fonts*.dll
%systemroot%Fonts*.ini
%systemroot%Fonts*.ini2
%systemroot%Fonts*.exe
%systemroot%system32spoolprtprocsw32x86*.*
%systemroot%REPAIR*.bak1
%systemroot%REPAIR*.ini
%systemroot%system32*.jpg 
%systemroot%*.jpg 
%systemroot%*.png 
%systemroot%*.scr
%systemroot%*._sy
%APPDATA%AdobeUpdate*.*
%ALLUSERSPROFILE%Favorites*.*
%APPDATA%Microsoft*.*
%PROGRAMFILES%*.*
%APPDATA%Update*.*
%systemroot%*. /mp /s
CREATERESTOREPOINT
%systemroot%System32config*.sav 
%PROGRAMFILES%|bak;true;false;false /fp
%systemroot%system32|bak;true;false;false /fp
%ALLUSERSPROFILE%Start Menu*.lnk /x 
%systemroot%system32configsystemprofile*.dat /x
%systemroot%*.config
%systemroot%system32*.db
C:\winlogon.exe /s /MD5
C:\explorer.exe /s /MD5
HKEY_LOCAL_MACHINESOFTWAREPoliciesMicrosoftWindowsWindowsUpdateAU
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionWindowsUpdateAuto UpdateResultsInstall|LastSuccessTime /rs

Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them if you need to start a new topic.

Step 2

Download GMER from Here. Note the file's name and save it to your root folder, such as C:.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection so your security program drivers will not conflict with this file.
Click on this link to see a list of programs that should be disabled.
Double-click on the downloaded file to start the program. (If running Vista, right click on it and select "Run as an Administrator")
Allow the driver to load if asked.
You may be prompted to scan immediately if it detects rootkit activity.
If you are prompted to scan your system click "No", save the log and post back the results.
If not prompted, click the "Rootkit/Malware" tab.
On the right-side, all items to be scanned should be checked by default except for "Show All". Leave that box unchecked.
Select all drives that are connected to your system to be scanned.
Click the Scan button to begin. (Please be patient as it can take some time to complete)
When the scan is finished, click Save to save the scan results to your Desktop.
Save the file as Results.log and copy/paste the contents in your next reply.
Exit the program and re-enable all active protection when done.

Step 3

Please read carefully and follow these steps.

Download TDSSKiller and save it to your Desktop.
Extract its contents to your desktop.
Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
If an infected file is detected, the default action will be Cure, click on Continue.
If a suspicious file is detected, the default action will be Skip, click on Continue.
It may ask you to reboot the computer to complete the process. Click on Reboot Now.
If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
If a reboot is required, the report can also be found in your root directory, (usually C: folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Step 4

Please make sure you include the following items:

OTL log
OTL Extras log
GMER log

It would be helpful if you could post each log in separate post

#1
cakeman

Posted 11 November 2010 - 12:11 AM

Advertisements

#2
maliprog

Posted 11 November 2010 - 12:56 AM

#3
maliprog

Posted 18 November 2010 - 01:09 AM

Similar Topics

0 user(s) are reading this topic

As Featured On:

Forums

Downloads

Members

Connect With Us