Computer Juice > Computer Software > Virus, Spyware & Security
  #1  
pete21 (Donor Group), 16th Jul 2008, 08:39 AM
Windows can't find winlogon.exe

Hi everyone, need your help again.

The print screen says it all really:

http://i124.photobucket.com/albums/p...os/problem.jpg

When I log into my account I get that message.

I do a lot of virus/spyware and CCleaner scans and I think it has caused this problem.
__________________
__________________

My System: V*I*K*K*I

CPU(s):
2GhZ AmD
Motherboard:
k75a pro -alite 5.0
RAM:
2 gig ddr
Graphics Card(s):
256mb G-force
Sound Card:
sound Blaster 5.1
Hard Drive(s):
1-80gb 1-120gb western digitals
Optical Drive(s):
pioneer's DVD-RW
Case / PSU:
400w
Cooling:
diy watercooling
Network / Internet:
virgine 20megg
Monitor(s):
2-17inch
Operating System(s):
xp pro sp3 vista theme

  #2  
evilfantasy (Moderator), 16th Jul 2008, 09:19 AM

Originally Posted by pete21:
    I do a lot of virus/spyware and CCleaner scans and I think it has caused this problem.

Some tools are very powerful and shouldn't be used unless instructed.

Have you tried System Restore?
  #3  
pete21 (Donor Group), 16th Jul 2008, 09:26 AM

Thanks evilfantasy.

No, I haven't used System Restore as I try not to use it; I treat it as a sort of last resort.

Also, CCleaner I have used for a while with no problems, but I do know that it can remove files that it shouldn't.
  #4  
evilfantasy (Moderator), 16th Jul 2008, 09:38 AM

Actually, there is a trojan that registers as winlogon.exe, so this could be a malicious file. Can you post a HijackThis log?

Download TrendMicro HijackThis™.exe (HJT)
  #5  
evilfantasy (Moderator), 16th Jul 2008, 09:45 AM

Edit:

C:\WINDOWS\WINLOGON.EXE is indeed a trojan. The legitimate winlogon.exe does not run from the Windows folder.

Please post the HijackThis log so we can get this taken care of.

I am moving this thread to the malware removal forum.
  #6  
pete21 (Donor Group), 17th Jul 2008, 04:17 AM

Thanks again, evilfantasy.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:16:29, on 17/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.20733)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Styler\Styler.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\winlogon.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: Styler.lnk = ?
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: WUSB54GSv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe

--
End of file - 5907 bytes
  #7  
pete21 (Donor Group), 17th Jul 2008, 04:25 AM

Also, this is what's running when Windows loads after logging in:
http://i124.photobucket.com/albums/p...os/startup.jpg
Last edited by pete21 : 17th Jul 2008 at 04:25 AM.
  #8  
evilfantasy (Moderator), 17th Jul 2008, 07:47 AM

Open HijackThis and select Do a system scan only.

Place a check mark next to the following entries (if there):

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Important: Close all windows except for HijackThis and then click Fix checked.

Exit HijackThis.

----------

Download Combofix by sUBs from one of the below links.
Important! Combofix.exe MUST be saved to and run from the Desktop.
  • Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting Combofix.
  • Important! Temporarily disable your antivirus, script blocking and any antispyware real-time protection before performing a scan.
    • Click this link to see a list of security programs that should be disabled and how to disable them.
    • If yours is not listed and you don't know how to disable it, please ask.
  • Warning: Combofix disconnects your computer from the internet. The connection is automatically restored before Combofix completes its run.
  • Double click combofix.exe & follow the prompts.
    • Choose Yes to accept the Disclaimers.

    Combofix should never take more than 20 minutes, including the reboot if malware is detected.
    If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time) and end any processes of findstr, find, sed or swreg; then Combofix should continue.
  • When finished, it will produce a log for you.
  • Post that log in your next reply.
  • Warning: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
  • If Combofix runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your computer.
  • Important: Remember to re-enable your antivirus and antispyware before reconnecting to the Internet.
If needed, see this Combofix tutorial with screenshots that will detail more thoroughly the downloading and running of Combofix and installing the Recovery Console.

Remember to re-enable your antivirus and antispyware protection.

----------

Next post add the combofix log.
  #9  
pete21 (Donor Group), 17th Jul 2008, 09:44 AM

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
has been deleted.

ComboFix 08-07-15.4 - peter's PC 2008-07-17 10:35:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.245 [GMT -7:00]
Running from: C:\Documents and Settings\peter's PC\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\peter's PC\Application Data\.#

.
((((((((((((((((((((((((( Files Created from 2008-06-17 to 2008-07-17 )))))))))))))))))))))))))))))))
.

2008-07-17 05:15 . 2008-07-17 05:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-14 14:26 . 2008-07-14 14:26 0 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-07-14 14:23 . 2008-07-14 14:23 <DIR> d-------- C:\Program Files\NeroInstall.bak
2008-07-14 14:18 . 2008-07-14 14:18 <DIR> d-------- C:\Program Files\Nero
2008-07-14 14:18 . 2008-07-14 14:20 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-07-12 16:36 . 2004-04-10 09:42 2,944 --a------ C:\WINDOWS\system32\mbmiodrvr.sys
2008-07-12 16:35 . 2008-07-12 16:35 <DIR> d-------- C:\Program Files\Motherboard Monitor 5
2008-07-12 06:28 . 2008-07-12 06:34 <DIR> d-------- C:\Program Files\101 AVI MPEG WMV Converter
2008-07-12 06:28 . 2004-06-24 15:37 57,344 --a------ C:\WINDOWS\system32\mpglib.dll
2008-07-09 15:14 . 2008-07-09 15:14 76 --a------ C:\WINDOWS\RegisterRSM.ini
2008-07-09 07:28 . 2008-07-09 08:01 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-07-07 09:42 . 2008-07-07 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-07-07 09:36 . 2008-07-07 09:36 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-07-07 09:28 . 2008-07-07 09:28 <DIR> d-------- C:\Documents and Settings\peter's PC\Application Data\DAEMON Tools
2008-07-06 17:33 . 2008-05-30 14:11 3,850,760 --a------ C:\WINDOWS\system32\D3DX9_38.dll
2008-07-06 17:33 . 2008-05-30 14:11 1,491,992 --a------ C:\WINDOWS\system32\D3DCompiler_38.dll
2008-07-06 17:33 . 2008-05-30 14:19 507,400 --a------ C:\WINDOWS\system32\XAudio2_1.dll
2008-07-06 17:33 . 2008-05-30 14:11 467,984 --a------ C:\WINDOWS\system32\d3dx10_38.dll
2008-07-06 17:33 . 2008-05-30 14:18 238,088 --a------ C:\WINDOWS\system32\xactengine3_1.dll
2008-07-06 17:33 . 2008-05-30 14:17 65,032 --a------ C:\WINDOWS\system32\XAPOFX1_0.dll
2008-07-06 17:33 . 2008-05-30 14:17 25,608 --a------ C:\WINDOWS\system32\X3DAudio1_4.dll
2008-07-06 17:31 . 2008-07-06 17:31 <DIR> d-------- C:\WINDOWS\Logs
2008-07-06 17:26 . 2008-07-07 02:55 <DIR> d-------- C:\WINDOWS\nview
2008-07-06 17:26 . 2006-10-22 12:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-07-06 17:26 . 2008-07-17 10:25 88,566 --a------ C:\WINDOWS\system32\nvapps.xml
2008-07-06 17:26 . 2006-10-22 12:22 17,056 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-07-06 17:21 . 2008-07-06 17:21 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-06 17:13 . 2008-07-06 17:13 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-07-06 17:02 . 2008-07-06 17:20 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-06 16:44 . 2006-10-22 12:22 88,691 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-07-06 16:41 . 2008-07-06 16:41 <DIR> d-------- C:\NVIDIA
2008-07-06 16:15 . 2008-07-06 16:15 <DIR> d-------- C:\Program Files\Lavalys
2008-07-04 16:30 . 2008-07-04 16:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-07-03 18:22 . 2008-07-03 18:22 <DIR> d-------- C:\Documents and Settings\peter's PC\Application Data\PlayFirst
2008-07-03 18:22 . 2008-07-03 18:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2008-07-03 16:36 . 2008-07-04 16:16 <DIR> d-------- C:\Program Files\Bricks Of Camelot
2008-07-03 00:10 . 2008-07-03 00:10 <DIR> d-------- C:\Documents and Settings\peter's PC\Application Data\.BitTornado
2008-07-02 08:35 . 2008-07-02 08:35 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll.prepare
2008-06-30 04:32 . 2008-07-01 13:59 <DIR> d-------- C:\Documents and Settings\peter's PC\Contacts
2008-06-29 14:52 . 2008-06-29 14:52 76 ---hs---- C:\Documents and Settings\Desktop.ini
2008-06-29 13:36 . 2008-06-29 13:36 531 --a------ C:\WINDOWS\SCRABOUT.INI
2008-06-28 14:35 . 2008-06-28 15:29 <DIR> d-------- C:\Program Files\Sniper Elite
2008-06-28 14:23 . 2008-06-28 14:23 49,152 --a------ C:\WINDOWS\system32\Setup_ver1.1336.0.exe
2008-06-28 12:15 . 2008-06-28 12:24 886 --a------ C:\WINDOWS\EntPack.dat
2008-06-28 12:12 . 2008-06-28 12:12 143 --a------ C:\WINDOWS\ytlat22b.dat
2008-06-28 12:10 . 2008-06-29 13:22 867 --a------ C:\WINDOWS\entpack.ini
2008-06-25 08:13 . 2008-06-25 08:13 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-06-25 05:33 . 2008-06-25 05:33 <DIR> d-------- C:\Documents and Settings\peter's PC\Application Data\Malwarebytes
2008-06-25 05:32 . 2008-06-25 05:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-25 05:32 . 2008-06-25 05:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-25 05:32 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-25 05:32 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-24 10:57 . 2008-06-29 14:50 <DIR> d-------- C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor
2008-06-23 08:41 . 2008-06-23 08:41 <DIR> d-------- C:\Documents and Settings\peter's PC\Application Data\DivX
2008-06-21 17:46 . 2008-07-03 00:55 <DIR> d-------- C:\Documents and Settings\peter's PC\Application Data\Winamp
2008-06-21 17:29 . 2008-03-07 01:21 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-06-21 17:29 . 2008-03-07 08:46 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-06-21 17:29 . 2008-03-07 01:14 14,592 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-06-21 11:30 . 2008-06-21 19:35 <DIR> d-------- C:\Program Files\DivX
2008-06-21 11:22 . 2008-07-04 20:14 5,120 --ahs---- C:\WINDOWS\system32\Thumbs.db
2008-06-21 10:21 . 2008-06-21 10:21 <DIR> d-------- C:\Documents and Settings\peter's PC\Application Data\Nero
2008-06-21 10:06 . 2008-06-21 15:59 <DIR> d-------- C:\Documents and Settings\peter's PC\Application Data\LimeWire
2008-06-17 15:21 . 2008-06-21 16:04 <DIR> d-------- C:\Program Files\MagicISO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-13 03:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-09 22:34 --------- d-----w C:\Program Files\MSN Messenger
2008-07-08 15:36 --------- d-----w C:\Program Files\Steam
2008-07-07 16:31 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-07-04 23:20 --------- d-----w C:\Program Files\Windows Live
2008-07-04 23:20 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-07-03 08:01 --------- d-----w C:\Program Files\Winamp
2008-07-02 15:46 76,040 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-07-02 15:34 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-29 21:50 --------- d-----w C:\Program Files\LimeWire
2008-06-25 12:32 --------- d-----w C:\Program Files\Java
2008-06-24 17:57 17,801 ----a-w C:\WINDOWS\system32\drivers\AegisP.sys
2008-06-22 01:15 --------- d-----w C:\Program Files\Folder Lock
2008-06-22 01:14 35,363 ----a-w C:\WINDOWS\system32\windrvNT.sys
2008-06-22 00:39 --------- d-----w C:\Program Files\Trust
2008-06-22 00:31 --------- d-----w C:\Program Files\AVG
2008-06-22 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-22 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-06-22 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\CenerTCPMessenger
2008-06-22 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-22 00:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-06-21 22:05 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-21 22:04 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-06-21 17:11 --------- d-----w C:\Program Files\BitComet
2008-06-21 17:04 --------- d-----w C:\Program Files\TaskSwitchXP
2008-06-21 17:01 --------- d-----w C:\Program Files\LClock
2008-06-21 16:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg8
2008-06-16 22:12 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-08 23:28 --------- d-----w C:\Program Files\XBCD
2008-06-05 13:17 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-05-30 23:22 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-05-30 23:22 815,104 ----a-w C:\WINDOWS\system32\divx_xx0a.dll
2008-05-30 23:22 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-05-30 23:22 683,520 ----a-w C:\WINDOWS\system32\DivX.dll
2008-05-30 23:22 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-05-30 23:22 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-05-30 23:22 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-05-30 23:22 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-05-30 23:22 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-05-30 21:37 1,694,728 ----a-w C:\Documents and Settings\peter's PC\dsetup32.dll
2008-05-30 21:35 97,288 ----a-w C:\Documents and Settings\peter's PC\DSETUP.dll
2008-05-30 21:34 528,392 ----a-w C:\Documents and Settings\peter's PC\DXSETUP.exe
2008-05-27 00:54 --------- d-----w C:\Program Files\Stardock
2008-05-26 00:42 --------- d-----w C:\Program Files\ACE Mega CoDecS Pack
2008-05-24 23:25 --------- d-----w C:\Documents and Settings\peter's PC\Application Data\Styler
2008-05-24 23:16 89 ----a-w C:\WINDOWS\system32\config\systemprofile\Del20DA.bat
2008-05-24 23:16 89 ----a-w C:\Documents and Settings\peter's PC\Del20DA.bat
2008-05-24 23:16 89 ----a-w C:\Documents and Settings\Default User\Del20DA.bat
2008-05-24 02:01 2,560 ------w C:\WINDOWS\system32\bitcometres.dll
2008-05-22 22:58 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-22 22:22 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-05-22 22:22 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-22 22:20 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-05-22 22:20 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-05-22 22:19 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-05-22 22:19 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-05-22 22:19 161,096 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-22 22:18 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2008-05-19 13:33 4,445,184 ------w C:\WINDOWS\system32\dllcache\msi.dll
2008-05-19 13:33 332,800 ------w C:\WINDOWS\system32\dllcache\msihnd.dll
2008-05-19 13:33 18,944 ------w C:\WINDOWS\system32\dllcache\msisip.dll
2008-05-19 08:57 95,744 ------w C:\WINDOWS\system32\dllcache\msiexec.exe
2008-05-17 19:41 --------- d-----w C:\Program Files\Common Files\PAC207
2008-05-13 12:59 10,520 ------w C:\WINDOWS\system32\avgrsstx.dll
2008-05-13 09:54 89 ------w C:\Documents and Settings\Default User\Del20DE.bat
2008-05-13 01:53 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2008-05-13 01:53 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2008-05-13 01:53 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2008-04-17 08:43 2,560 ------w C:\WINDOWS\system32\dllcache\msimsg.dll
2008-03-19 20:55 113,664 -c--a-w C:\WINDOWS\inf\hdaudio.sys
2001-11-23 19:08 712,704 ------w C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
.

------- Sigcheck -------

2008-03-19 13:55 361344 cef393e4697b14d310320a62c3643f77 C:\WINDOWS\system32\drivers\tcpip.sys

2008-03-19 13:59 2227072 0ee1df3c80ee02cf2bd1ef43ae443d80 C:\WINDOWS\system32\ntkrnlpa.exe

2008-03-19 13:54 2350208 6ca4f9e8435530a6791e40a62f0bcc8e C:\WINDOWS\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 13:58 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-07-02 08:49 1232152]
"MBM 5"="C:\Program Files\Motherboard Monitor 5\MBM5.EXE" [2004-06-12 09:40 594944]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"C-Media Mixer"="Mixer.exe" [2002-07-12 16:33 1581056 C:\WINDOWS\mixer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"TaskSwitchXP"="C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-04 14:59 62976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]

C:\Documents and Settings\peter's PC\Start Menu\Programs\Startup\
Styler.lnk - C:\Documents and Settings\peter's PC\Application Data\Microsoft\Installer\{E9ECF354-2422-4FDB-9ABF-D8ADAC0EF941}\_585b207a.exe [5/24/2008 4:25:04 PM 15086]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-10-22 12:22 7700480 C:\WINDOWS\system32\nvcpl.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\Steam\\SteamApps\\andy_birk\\day of defeat source\\hl2.exe"=
"C:\\Program Files\\Common Files\\Nero\\Nero Web\\SetupX.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8054:TCP"= 8054:TCP:BitComet 8054 TCP
"8054:UDP"= 8054:UDP:BitComet 8054 UDP

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-07-02 08:34]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-13 05:59]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-07-02 08:46]
R3 PAC207;Trust WB-1400T Webcam;C:\WINDOWS\system32\DRIVERS\PFC027.SYS [2007-05-14 10:26]
S4 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-07-02 08:42]

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{D58F39FF-953E-4F45-898F-59F243B9A523}]
RUNDLL32 advpack.dll,LaunchINFSection Sidebar.inf,Register
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-17 10:37:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\RocketDock\RocketDock.dll
.
Completion time: 2008-07-17 10:38:30
ComboFix-quarantined-files.txt 2008-07-17 17:38:26

Pre-Run: 49,457,463,296 bytes free
Post-Run: 50,312,286,208 bytes free

222
  #10  
Old 17th Jul 2008, 09:54 AM
evilfantasy (Moderator Group)
windows cant find winlogon.exe

Open Hijackthis and select Do a system scan only.

Place a check mark next to the following entries: (if there)

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\winlogon.exe

Important: Close all windows except for Hijackthis and then click Fix checked.

Exit Hijackthis.

----------
  • Click START then RUN
  • Now type Combofix /u in the runbox
  • Make sure there's a space between Combofix and /u
  • Then hit Enter.

----------

Download OTMoveIt2 by OldTimer
  • Save it to your desktop.
  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines in the codebox below.
Code:
[kill explorer]
C:\WINDOWS\winlogon.exe
C:\WINDOWS\system32\Setup_ver1.1336.0.exe
EmptyTemp
[start explorer]
  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) and paste it in your next reply.
  • Close OTMoveIt2
----------

Use the Kaspersky Online Scanner
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.

When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save


Copy and paste the Kaspersky Online Scanner Report in your next reply.

Also let me know how everything is now.
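The F2 entry the moderator asks to fix is the security-relevant point of this post: Windows normally starts only Explorer.exe as the logon shell, and here a second program, C:\WINDOWS\winlogon.exe, has been appended to the Shell value. The genuine winlogon.exe lives in system32, so a copy in C:\WINDOWS is a look-alike, and once that file is quarantined the Shell entry still points at it, which is exactly the "Windows cannot find winlogon.exe" message the thread started with. The following Python is an added example, not code from this thread or from HijackThis, OTMoveIt2 or ComboFix: it parses an F2 line of the form shown above and flags any extra shell program and any system binary referenced from a directory other than system32. The function names, the allow-list of system32-only binaries and the sample values are constructed for the example; splitting the value on commas and whitespace is a simplification that assumes paths without spaces, which holds for the value on this page.

```python
"""Check a Winlogon Shell value for programs appended after Explorer.exe.

Added example for the F2 entry discussed in this thread; the helper names
and the allow-list below are assumptions, not part of any tool the thread uses.
"""
import ntpath
import re

# The only program Windows itself launches as the logon shell.
EXPECTED_SHELL = "explorer.exe"

# Binaries that legitimately exist only under %SystemRoot%\system32 on XP.
# A file with one of these names elsewhere (e.g. C:\WINDOWS\winlogon.exe)
# is a look-alike. Constructed allow-list for this example.
SYSTEM32_ONLY = {
    "winlogon.exe", "userinit.exe", "csrss.exe",
    "services.exe", "lsass.exe", "smss.exe",
}


def parse_hijackthis_f2(line):
    """Return (value_name, value_data) from a HijackThis F2 line such as
    'F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\winlogon.exe',
    or None if the line is not an F2 entry."""
    m = re.match(r"F2 - REG:system\.ini:\s*(\w+)=(.*)", line)
    if not m:
        return None
    return m.group(1), m.group(2).strip()


def split_shell_value(value):
    """Split the Shell data into individual program entries.
    Simplification: separators are commas or whitespace, so paths
    containing spaces are not handled (the value on this page has none)."""
    return [t for t in re.split(r"[,\s]+", value.strip()) if t]


def analyse_shell_value(value, system_root="C:\\WINDOWS"):
    """Return a list of (entry, [reasons]) for every suspicious program in
    the Shell value. A bare 'Explorer.exe' produces no findings."""
    expected_dir = ntpath.join(system_root, "system32").lower()
    findings = []
    for entry in split_shell_value(value):
        name = ntpath.basename(entry).lower()
        directory = ntpath.dirname(entry)
        reasons = []
        if name == EXPECTED_SHELL:
            # Explorer.exe is normally referenced without a path; a full path
            # outside %SystemRoot% points at a substitute shell.
            if directory and directory.lower() != system_root.lower():
                reasons.append("explorer.exe launched from unexpected directory")
        else:
            reasons.append("extra program launched as logon shell")
        if name in SYSTEM32_ONLY and directory.lower() != expected_dir:
            reasons.append(f"{name} outside {expected_dir}")
        if reasons:
            findings.append((entry, reasons))
    return findings


def analyse_f2_line(line):
    """Convenience wrapper: parse an F2 line and analyse it if it is a Shell entry."""
    parsed = parse_hijackthis_f2(line)
    if parsed is None or parsed[0].lower() != "shell":
        return []
    return analyse_shell_value(parsed[1])


if __name__ == "__main__":
    # Constructed sample: the exact F2 line quoted in this thread.
    sample = "F2 - REG:system.ini: Shell=Explorer.exe C:\\WINDOWS\\winlogon.exe"
    for entry, reasons in analyse_f2_line(sample):
        print(entry)
        for reason in reasons:
            print("   -", reason)
```

On a live XP machine the same Shell data can be read from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and fed to analyse_shell_value; the entry is worth checking again after the fix, because a later restart with a dangling reference reproduces the original error message even with the malicious file already gone.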
  #11  
Old 17th Jul 2008, 10:08 AM
pete21 (Donor Group)
windows cant find winlogon.exe

OTMoveIt2 results

Explorer killed successfully
File/Folder C:\WINDOWS\winlogon.exe not found.
C:\WINDOWS\system32\Setup_ver1.1336.0.exe moved successfully.
< EmptyTemp >
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 07172008_110528