Winlogon.exe infected please help

  • This topic is locked
2 replies to this topic

#1 p1608


  • Members
  • 3 posts
  • Local time:09:36 PM

Posted 27 November 2009 - 04:53 PM

I appreciate any and all help I can receive. Here is my hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:51:39 PM, on 11/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
G:Program FilesCOMODOCOMODO Internet Securitycmdagent.exe
G:Program FilesSymantecSymantec Endpoint ProtectionSmc.exe
G:Program FilesCommon FilesSymantec SharedccSvcHst.exe
G:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
G:Program FilesBonjourmDNSResponder.exe
G:Program FilesGoogleUpdate1.2.183.13GoogleCrashHandler.exe
G:Program FilesSymantecSymantec Endpoint ProtectionRtvscan.exe
G:Program FilesAVGAVG8avgcsrvx.exe
G:Program FilesSymantecSymantec Endpoint ProtectionSmcGui.exe
G:Program FilesCommon FilesSymantec SharedccApp.exe
G:Program FilesCOMODOCOMODO Internet Securitycfp.exe
G:Program FilesSpybot - Search & DestroyTeaTimer.exe
G:Program FilesInternet Exploreriexplore.exe
G:Program FilesInternet Exploreriexplore.exe
G:Program FilesInternet Exploreriexplore.exe
G:Documents and SettingsPain-OneDesktopHiJackThis.exe
G:Program FilesInternet Exploreriexplore.exe

R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyServer =
R1 - HKCUSoftwareMicrosoftWindowsCurrentVersionInternet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - G:Program FilesAdobeAcrobat 7.0ActiveXAcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - G:Program FilesAVGAVG8avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - G:Program FilesSpybot - Search & DestroySDHelper.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - G:Program FilesJavajre6binjp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - G:Program FilesGoogleGoogle GearsInternet Explorer0.5.33.0gears.dll
O4 - HKLM..Run: [AsioReg] "REGSVR32.EXE" /S CTASIO.DLL
O4 - HKLM..Run: [NvCplDaemon] "RUNDLL32.EXE" G:WINDOWSsystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [NvMediaCenter] RUNDLL32.EXE G:WINDOWSsystem32NvMcTray.dll,NvTaskbarInit
O4 - HKLM..Run: [AVG8_TRAY] G:PROGRA~1AVGAVG8avgtray.exe
O4 - HKLM..Run: [ccApp] "G:Program FilesCommon FilesSymantec SharedccApp.exe"
O4 - HKLM..Run: [QuickTime Task] "G:Program FilesQuickTimeqttask.exe" -atboottime
O4 - HKLM..Run: [COMODO Internet Security] "G:Program FilesCOMODOCOMODO Internet Securitycfp.exe" -h
O4 - HKCU..Run: [ctfmon.exe] G:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [NBJ] "G:Program FilesAheadNero BackItUpNBJ.exe"
O4 - HKCU..Run: [SpybotSD TeaTimer] G:Program FilesSpybot - Search & DestroyTeaTimer.exe
O4 - HKCU..Run: [EPSON Stylus Photo RX595 Series] G:WINDOWSSystem32spoolDRIVERSW32X863E_FATICLA.EXE /FU "G:WINDOWSTEMPE_SE8.tmp" /EF "HKCU"
O4 - HKUSS-1-5-18..Run: [DWQueuedReporting] "g:PROGRA~1COMMON~1MICROS~1DWdwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [DWQueuedReporting] "g:PROGRA~1COMMON~1MICROS~1DWdwtrig20.exe" -t (User 'Default user')
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - G:Program FilesGoogleGoogle GearsInternet Explorer0.5.33.0gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - G:Program FilesGoogleGoogle GearsInternet Explorer0.5.33.0gears.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:Program FilesaimCopy (2) of aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:Program FilesSpybot - Search & DestroySDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - G:Program FilesSpybot - Search & DestroySDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:Program FilesMessengermsmsgs.exe
O16 - DPF: bdsripcab - https://media.bdsrealtime.com/components/bdsripcab.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136165060171
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLMSystemCCSServicesTcpip..{BB0117EE-7A62-447F-AC59-3A07B6E7DE1C}: NameServer =,
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - G:Program FilesAVGAVG8avgpp.dll
O20 - AppInit_DLLs: G:WINDOWSsystem32guard32.dll
O20 - Winlogon Notify: !SASWinLogon - G:Program FilesSUPERAntiSpywareSASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - G:WINDOWSSYSTEM32avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - G:Program FilesLavasoftAd-Aware 2007aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - G:Program FilesCommon FilesAppleMobile Device SupportbinAppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - G:PROGRA~1AVGAVG8avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - G:PROGRA~1AVGAVG8avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - G:Program FilesBonjourmDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - G:Program FilesCommon FilesSymantec SharedccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - G:Program FilesCommon FilesSymantec SharedccSvcHst.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - G:Program FilesCOMODOCOMODO Internet Securitycmdagent.exe
O23 - Service: Google Update Service (gupdate1c91c643d560648) (gupdate1c91c643d560648) - Google Inc. - G:Program FilesGoogleUpdateGoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - G:Program FilesCommon FilesInstallShieldDriver11Intel 32IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - G:Program FilesiPodbiniPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - G:PROGRA~1SymantecLIVEUP~1LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - G:WINDOWSsystem32nvsvc32.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - G:Program FilesSymantecSymantec Endpoint ProtectionSmc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - G:Program FilesSymantecSymantec Endpoint ProtectionSNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - G:Program FilesSymantecSymantec Endpoint ProtectionRtvscan.exe

End of file - 8331 bytes

Also, Jotti's online malware scanner detects the virus to be: VirTool.Win32.Ursnif

Merged posts. ~ OB

Edited by Orange Blossom, 27 November 2009 - 10:34 PM.

#2 p1608

  • Topic Starter

  • Members
  • 3 posts
  • Local time:09:36 PM

Posted 28 November 2009 - 01:11 PM

Nevermind-- I followed the instructions in this thread:

I'm making progress-- have already removed the winlogon.exe virus and its traces (via combofix and superantispyware) and am running additional eset, avg and mb scans.


#3 SifuMike


    malware expert

  • Members
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA
  • Local time:06:36 PM

Posted 04 December 2009 - 07:39 PM

Since you are fixing it yourself, this thread is closed.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
