
winlogonhook trojan


Original Message
Name: asaik
Date: May 23, 2006 at 20:47:03 Pacific
Subject: winlogonhook trojan
OS: Windows XP
CPU/Ram: P4 2.6 ghz/1 gig of ram
Model/Manufacturer: Dell Dimension 8300
Comment:

Hello,

I have been recently infected by a number of pesky spyware and an irritating trojan called winlogonhook that just won't go away. I have used quite a few antivirus and spyware programs. They include:

Winantivirus pro 2006
Adaware SE Professional
Spybot Search & Destroy
SpySweeper
Ewido

I've also scanned my computer using Kaspersky and Panda.

I am really at a loss of what to do next. I've downloaded HiJackThis and scanned my system, placed the log into the online text editor and deleted various nasty entries. There is one entry I did not delete as I was unsure if this is a valid component of Windows. The file is called winlogon.exe. Anyways, if anyone can help me with this issue it would be much appreciated.

One more thing. I've also followed the instructions that people in the past were having with this problem but the solutions don't seem to work for me. If you'd like to see my HiJackThis log please let me know.

Thanks in advance.

-Adam




Response Number 1
Name: chineser
Date: May 23, 2006 at 21:11:42 Pacific

try spyware doctor and housecall online antivirus, install zone alarm firewall to prevent acces to your computer



Response Number 2
Name: murr
Date: May 23, 2006 at 22:05:19 Pacific

asaik

I would like to commend you for obviously reading through other posts and trying to solve this yourself before posting.
As far as winlogon.exe goes, it is a legit process as long as it's in the proper directory. I am not qualified enough to ask for your whole log but how about posting the entire path of this process. Also, try purging System Restore.

You can also try running Ewido in Safe Mode.

I would steer clear of the program Winantivirus pro 2006. Haven't seen many solid opinions on it.



Response Number 3
Name: murr
Date: May 23, 2006 at 22:26:52 Pacific

Comments on Winantivirus pro



Response Number 4
Name: asaik
Date: May 25, 2006 at 04:51:56 Pacific

Ok. So I've tried using spyware doctor and it just tells me I have to buy it in order to clean out the infected files. I don't really want to buy it so I just bypassed this. I ran housecall online and for some reason it keeps crashing my browser part way through. I could be doing something wrong but haven't figured out what yet. I also installed zone alarm which actually seems pretty good, especially the firewall.

I'll have to get rid of this Winantivirus pro when my comp is running more efficiently.
I've run Ewido in safe mode with system restore turned off and it says it has cleaned the infections that it found. So I rebooted back into normal mode and when I am back at my desktop I've noticed that winlogon.exe is trying to be accessed when I receive a firewall popup from zone alarm. I deny access to it. I think this is the winlogonhook trojan trying to get through.

Under my running processes as per my HijackThis file the path for the winlogon.exe file is:

C:\WINDOWS\system32\winlogon.exe.

I also found another path in this log at:

O4 - HKCU\..\Run: [Kizvaeqy] C:\Documents and Settings\Adam\My Documents\?asks\winlogon.exe

Any ideas on how I should proceed?

Thanks,

-Adam



Response Number 5
Name: murr
Date: May 25, 2006 at 10:08:16 Pacific

Un-install winantivirus pro first. Then download, install and update a2squared.

Turn off system restore again, reboot your computer and turn it back on and create a new restore point. This should complete the purging process. Turn off system restore again and re-boot into safe mode again and run a2squared and let it delete what it finds. Once completed, boot into normal mode and enable restore again and create a new restore point.

On your desktop, click 'start'/ 'run'/ and type 'msconfig' and look in the startup tab for any 'winlogon.exe' entries and post them here.




Response Number 6
Name: asaik
Date: May 25, 2006 at 17:15:46 Pacific

I uninstalled Winantivirus pro and after restart I receive a Windows security alert that I am missing Virus Protection. What would you recommend as a good virus software to replace winantivirus pro?

I installed a2squared and followed your instructions. After deleting the files it found and starting back up in normal mode I brought up msconfig and under the start up tab I found this path for winlogon.exe

C:\Documents and Settings\Adam\My Documents\Tasks\winlogon.exe

-Adam



Response Number 7
Name: murr
Date: May 25, 2006 at 18:17:28 Pacific

First of all, are you experiencing issues still? Winlogon.exe is supposed to be in the system32 folder so that one is a baddie. Reboot into safe mode and run HJT again, and place a check by any of the winlogon entries that are 'Not in this directory' - C:\WINDOWS\system32\winlogon.exe. Close all open browsers and windows and click 'Fix checked'.

As for AVs, any of these will give you better protection than that one you were using.

Free- Antivir
Avast
AVG

Paid but offer Free Trial.

Kaspersky
F-secure
Nod32



Response Number 8
Name: asaik
Date: May 25, 2006 at 19:23:32 Pacific

Great! That seems to have gotten rid of that nasty winlogonhook trojan as far as I can tell. I downloaded Antivir and am currently scanning my comp with this program. Can you recommend any final security measures to ensure that my system is completely clean?

Thank you very much for your help!

-Adam



Response Number 9
Name: murr
Date: May 25, 2006 at 20:20:17 Pacific

Play around with Antivir and get used to the settings. I think it auto updates its definitions once per day so manually update once or twice a day in between this auto update. It also has 'heuristics' which make sure are set but not on the strongest settings as that will give you probably some false positives. Set it to low or medium.
I know you're probably sick of scanning but I'd go run the Kaspersky online scan once more.
This is good for Spyware prevention - Spyware Blaster



Response Number 10
Name: murr
Date: May 25, 2006 at 20:34:28 Pacific

One other thing I should have mentioned to keep you from using other rogue programs. Check this site first the next time you are thinking of adding another security program. It lists the programs that claim to remove malware but 'actually install it' or 'try to trick you' with false alerts to buy their product.

Spywarewarrior



Response Number 11
Name: asaik
Date: May 26, 2006 at 19:16:59 Pacific

Hey murr,

I did another Kaspersky scan and it seems I still have viruses and infected files on my system. 9 viruses and 34 infected files. Sorry to be a pain but how can I remove the rest of these viruses?

Btw, thanks for the advice on the Antivir settings and Spyware Blaster. I have so many security programs running now I don't think any real threat will show itself now.

-Adam



Response Number 12
Name: asaik
Date: May 26, 2006 at 19:55:59 Pacific

One other thing. I ran HiJackThis in safe mode and plugged my log into the online editor and deleted a nasty and some unnecessary entries. I restarted, went back into HijackThis and did a new scan to see if any of those entries came back. And one did. This is the path from my HJT log:

O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp100.tmp

Apparently this is a nasty trojan, but it keeps reappearing on startup.



Response Number 13
Name: murr
Date: May 26, 2006 at 21:51:56 Pacific

That entry says you have the zlob trojan which in fact recreates and renames itself when re-booting. This is what I want you to do. Download and install CCleaner Basic.

'Do Not' re-boot your computer during this process. Turn off system restore. Update and run Ewido again. Run HJT again and if still present, put a check by this entry - O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp100.tmp - close all open windows and browsers and click 'fix checked'.

Turn system restore back on again and create a new restore point. Once that is done, run CCleaner.

Run HJT again and see if that entry is gone. Hopefully so. Save this log.

Next, run this free online scan which also does removal: BitDefender
Save this log.

Once finished, run the Kaspersky online scan again and hopefully it says clean. If not, save this log also and let us know what remains.


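Two rules in this thread lend themselves to an automated check over a HijackThis log: murr's point in Response 7 that winlogon.exe is only legitimate under system32, and the Zlob BHO entry above that loads from a .tmp file and comes back after every reboot. The Python below is an added example, not code from the thread or from HijackThis; the sample lines are copied from the entries quoted in this thread, and the rule set, the list of system-only process names and the treatment of a '?' in a path (HJT printed '?asks' for the folder msconfig later showed as 'Tasks') are my assumptions.

```python
import re
from typing import Dict, List

# Core Windows processes that legitimately run only from %SystemRoot%\system32.
# The malware in this thread reused the name winlogon.exe from a folder under My Documents.
SYSTEM_ONLY_NAMES = {"winlogon.exe", "csrss.exe", "smss.exe", "services.exe",
                     "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32$")

# HijackThis line shapes handled here (everything else is ignored):
#   O4 - HKCU\..\Run: [Name] C:\path\file.exe [args]
#   O2 - BHO: Name - {CLSID} - C:\path\file.dll
#   a bare path under "Running processes:"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<value>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
EXE_RE = re.compile(r"(.+?\.(?:exe|dll|tmp|scr|com|bat|cmd))(?=\s|$)", re.IGNORECASE)


def exe_path(value: str) -> str:
    """Strip quotes and trailing command-line switches from a Run value."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = EXE_RE.match(value)
    return m.group(1) if m else value


def classify_path(path: str) -> List[str]:
    """Return the reasons a load point looks suspicious (empty list = nothing seen)."""
    lowered = path.lower()
    parent, _, base = lowered.rpartition("\\")
    reasons = []
    if base in SYSTEM_ONLY_NAMES and not SYSTEM32_RE.match(parent):
        reasons.append(f"{base} loaded from outside %SystemRoot%\\system32")
    if base.endswith(".tmp"):
        # The Zlob BHO in the thread lived at C:\WINDOWS\system32\hp100.tmp.
        reasons.append("load point is a .tmp file rather than a normal DLL/EXE")
    if "?" in lowered:
        # Assumption: a character the log could not render hides the real folder name
        # ('?asks' in HJT versus 'Tasks' in msconfig) and deserves a second look.
        reasons.append("path contains a character the log could not render")
    return reasons


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Pull (kind, label, path) out of the O2, O4-Run and running-process lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := O4_RE.match(line)):
            entries.append({"kind": "O4", "label": m.group("name"),
                            "path": exe_path(m.group("value")), "line": line})
        elif (m := O2_RE.match(line)):
            entries.append({"kind": "O2", "label": m.group("name"),
                            "path": m.group("path").strip(), "line": line})
        elif PATH_RE.match(line):
            entries.append({"kind": "process", "label": "", "path": line, "line": line})
    return entries


def triage_hjt(text: str) -> List[Dict[str, object]]:
    """Return only the entries that trip a rule, with the reasons attached."""
    findings = []
    for entry in parse_hjt(text):
        reasons = classify_path(entry["path"])
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


# Sample log: lines copied from the HijackThis output quoted in this thread,
# plus a legitimate winlogon.exe and a quoted Run value for contrast.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [Kizvaeqy] C:\Documents and Settings\Adam\My Documents\?asks\winlogon.exe
"""

if __name__ == "__main__":
    for hit in triage_hjt(SAMPLE_LOG):
        print(f"[{hit['kind']}] {hit['path']}")
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Run against a full log, only the hp100.tmp BHO and the Kizvaeqy Run entry are reported; the system32 copy of winlogon.exe and the quoted AntiVir value pass clean.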

Response Number 14
Name: jabuck
Date: May 27, 2006 at 06:07:34 Pacific

Asaik, murr has asked that I help with this post as he will be out of pocket for a little while. The following scans are needed to find the offending files.

Run this free online scan from Kaspersky http://kaspersky.com/kos/english/kavwebscan.html
Click Accept
When the updates are finished downloading, click Next, Scan Settings
Under Scan using the following antivirus database:, select extended
Make sure the Scan Archives and Scan Mail Bases options are selected as well. Click OK
Click My Computer and wait for the scan to finish
Click Save Report As. Under Save as type:, select Text file. Save this log to your Desktop and post a copy of it here.

Next, run this free online scan from Panda

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to the desktop, then copy/paste into the text editor and post it.

I see that you already have Hijack This but it needs to be in a file of its own so back-ups can be saved and when deleting temp files it does not get damaged. So install it this way even if you have to download it again.

Please post a Hijack This log so that the files associated with the virus/spyware/hijacker can be identified. You can download Hijack This at this link http://www.tomcoyote.org/hjt/ then place it into a folder of its own, such as C:\HJT, so that back up copies can be made and not clutter your desktop or other folders and the backup copies of deleted items can be easily located if needed.

Once saved double click HijackThis.exe, and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents into the text editor at this forum.

Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.



Response Number 15
Name: asaik
Date: May 27, 2006 at 17:48:17 Pacific

Hi jabuck,

I followed murr's last post and did everything he asked, but it still seems I have viruses when I do another Kaspersky scan. (see below for my log)

Next thing I'll do is a Panda scan and another HiJackThis scan as per your instructions and post my results here.

---------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, May 27, 2006 8:37:23 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 27/05/2006
Kaspersky Anti-Virus database records: 196782
---------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 161505
Number of viruses found: 8
Number of infected objects: 34
Number of suspicious objects: 6
Duration of the scan process: 02:11:40

Infected Object Name / Virus Name / Last Action
C:\Olddata\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet2.zip/asmend.exe Suspicious: Password-protected-EXE skipped
C:\Olddata\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet2.zip ZIP: suspicious - 1 skipped
C:\Olddata\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy2.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Olddata\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy2.zip ZIP: suspicious - 1 skipped
C:\Olddata\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy5.zip/trkgif.exe Suspicious: Password-protected-EXE skipped
C:\Olddata\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy5.zip ZIP: suspicious - 1 skipped
C:\Olddata\Documents and Settings\Andrea Saik\Desktop\BSINSTALL.exe/WISE0024.BIN/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.c skipped
C:\Olddata\Documents and Settings\Andrea Saik\Desktop\BSINSTALL.exe/WISE0024.BIN/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
C:\Olddata\Documents and Settings\Andrea Saik\Desktop\BSINSTALL.exe/WISE0024.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
C:\Olddata\Documents and Settings\Andrea Saik\Desktop\BSINSTALL.exe/WISE0024.BIN/data0002.cab/Weather.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ay skipped
C:\Olddata\Documents and Settings\Andrea Saik\Desktop\BSINSTALL.exe/WISE0024.BIN/data0002.cab/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.f skipped
C:\Olddata\Documents and Settings\Andrea Saik\Desktop\BSINSTALL.exe/WISE0024.BIN/data0002.cab Infected: not-a-virus:AdWare.Win32.SaveNow.f skipped
C:\Olddata\Documents and Settings\Andrea Saik\Desktop\BSINSTALL.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.f skipped
C:\Olddata\Documents and Settings\Andrea Saik\Desktop\BSINSTALL.exe WiseSFX: infected - 7 skipped
C:\Olddata\Documents and Settings\Andrea Saik\Desktop\BSINSTALL.exe WiseSFX Dropper: infected - 7 skipped
C:\Olddata\Documents and Settings\Don Saik\Desktop\Hotl.Connect.v1.8.5\Downloads\HotlineConnectClient-1.9.1.exe/0001\F7\setup280.exe/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Olddata\Documents and Settings\Don Saik\Desktop\Hotl.Connect.v1.8.5\Downloads\HotlineConnectClient-1.9.1.exe/0001\F7\setup280.exe/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Olddata\Documents and Settings\Don Saik\Desktop\Hotl.Connect.v1.8.5\Downloads\HotlineConnectClient-1.9.1.exe/0001\F7\setup280.exe Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\Olddata\Documents and Settings\Don Saik\Desktop\Hotl.Connect.v1.8.5\Downloads\HotlineConnectClient-1.9.1.exe Tarma: infected - 3 skipped
C:\Olddata\Documents and Settings\Don Saik\Desktop\Hotl.Connect.v1.8.5\Downloads\HotlineConnectClient-1.9.1.exe UPX: infected - 3 skipped
C:\System Volume Information\_restore{2523149F-7E8C-4C43-AAC4-8D88F2474844}\RP94\A0308775.exe/0001\F7\setup280.exe/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\System Volume Information\_restore{2523149F-7E8C-4C43-AAC4-8D88F2474844}\RP94\A0308775.exe/0001\F7\setup280.exe/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\System Volume Information\_restore{2523149F-7E8C-4C43-AAC4-8D88F2474844}\RP94\A0308775.exe/0001\F7\setup280.exe Infected: not-a-virus:AdWare.Win32.Cydoor skipped
C:\System Volume Information\_restore{2523149F-7E8C-4C43-AAC4-8D88F2474844}\RP94\A0308775.exe Tarma: infected - 3 skipped
C:\System Volume Information\_restore{2523149F-7E8C-4C43-AAC4-8D88F2474844}\RP94\A0308775.exe UPX: infected - 3 skipped
C:\System Volume Information\_restore{2523149F-7E8C-4C43-AAC4-8D88F2474844}\RP94\A0309247.exe/WISE0024.BIN/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.c skipped
C:\System Volume Information\_restore{2523149F-7E8C-4C43-AAC4-8D88F2474844}\RP94\A0309247.exe/WISE0024.BIN/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
C:\System Volume Information\_restore{2523149F-7E8C-4C43-AAC4-8D88F2474844}\RP94\A0309247.exe/WISE0024.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
C:\System Volume Information\_restore{2523149F-7E8C-4C43-AAC4-8D88F2474844}\RP94\A0309247.exe/WISE0024.BIN/data0002.cab/Weather.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ay skipped
C:\System Volume Information\_restore{2523149F-7E8C-4C43-AAC4-8D88F2474844}\RP94\A0309247.exe/WISE0024.BIN/data0002.cab/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.f skipped
C:\System Volume Information\_restore{2523149F-7E8C-4C43-AAC4-8D88F2474844}\RP94\A0309247.exe/WISE0024.BIN/data0002.cab Infected: not-a-virus:AdWare.Win32.SaveNow.f skipped
C:\System Volume Information\_restore{2523149F-7E8C-4C43-AAC4-8D88F2474844}\RP94\A0309247.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.f skipped
C:\System Volume Information\_restore{2523149F-7E8C-4C43-AAC4-8D88F2474844}\RP94\A0309247.exe WiseSFX: infected - 7 skipped
C:\System Volume Information\_restore{2523149F-7E8C-4C43-AAC4-8D88F2474844}\RP94\A0309247.exe WiseSFX Dropper: infected - 7 skipped
C:\System Volume Information\_restore{DA6BF63E-A9ED-4211-BA5F-5CD629197948}\RP2\A0000094.exe Infected: Trojan-Downloader.Win32.Zlob.ps skipped
C:\WINDOWS\system32\1024\ld314.tmp Infected: Trojan-Downloader.Win32.Zlob.obfuscated skipped
C:\WINDOWS\system32\1024\ldD2.tmp Infected: Trojan-Downloader.Win32.Zlob.obfuscated skipped
C:\WINDOWS\system32\1024\ldFBD1.tmp Infected: Trojan-Downloader.Win32.Zlob.obfuscated skipped
C:\WINDOWS\system32\dcomcfg.exe Infected: Trojan-Downloader.Win32.Zlob.obfuscated skipped
C:\WINDOWS\system32\simpole.tlb Infected: Trojan-Downloader.Win32.Zlob.obfuscated skipped

Scan process completed.



Response Number 16
Name: jabuck
Date: May 27, 2006 at 19:13:41 Pacific

You will need to do this first.

Please download SmitRemFix from this link http://siri.geekstogo.com/SmitfraudFix.php Then extract the contents to your desktop.

Next, please reboot your computer in Safe Mode by doing the following :

Restart your computer

After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;

Instead of Windows loading as normal, a menu with options should appear;

Select the first option, to run Windows in Safe Mode, then press "Enter".

Choose your usual account.

Once in Safe Mode, open the "SmitfraudFix" folder again and double-click "smitfraudfix.cmd"
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing " Y " and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if "wininet.dll " is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing "Y" and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt.

Then post the Panda scan results and a HT log.



Response Number 17
Name: asaik
Date: May 27, 2006 at 20:44:37 Pacific

I downloaded SmitFraudFX and followed your instructions by deleting infected files and cleaned the registry. Below are the log results. Panda scan and HJT log to follow.

SmitFraudFix v2.49

Scan done at 23:27:16.51, Sat 05/27/2006
Run from C:\Documents and Settings\Adam\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\1024\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End




Response Number 18
Name: jabuck
Date: May 27, 2006 at 22:52:58 Pacific

Reboot into safe mode:

Navigate to this folder "C:\Olddata\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery" check the boxes in that window>click purge selection.

Go to start>control panel>add/remove programs and uninstall these programs if found:

SaveNow

CashBack

BarginBuddy

BearShare

Altnet2

Run Ewido from safe mode and let it delete all that it finds.

run ccleaner from safe mode.

Post the Hijack This log and the Panda scan results.



Response Number 19
Name: asaik
Date: May 29, 2006 at 16:26:11 Pacific

I did everything you asked and finished the Panda scan and did another HJT scan and completed an online analysis. It seems that the zlob trojan is gone. So that's good. However, I am still left with a few infected files according to the Panda scan results. Below are the results from the Panda scan:


Incident Status Location

Potentially unwanted tool:application/winantivirus2006 Not disinfected c:\program files\common files\WinAntiVirus Pro 2006
Adware:adware/yazzlesudoku Not disinfected Windows Registry
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Adam\Application Data\Mozilla\Firefox\Profiles\mdqbm8ur.default\cookies.txt[.as-us.falkag.net/]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Adam\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Don Saik\Desktop\smitRem.exe[smitRem/Process.exe]
Spyware:Cookie/RealMedia Not disinfected C:\Olddata\Documents and Settings\Adam Saik\Application Data\Mozilla\Firefox\Profiles\vj2yse67.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Atwola Not disinfected C:\Olddata\Documents and Settings\Adam Saik\Application Data\Mozilla\Firefox\Profiles\vj2yse67.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Belnk Not disinfected C:\Olddata\Documents and Settings\Adam Saik\Cookies\adam saik@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Olddata\Documents and Settings\Adam Saik\Cookies\adam saik@dist.belnk[2].txt
Spyware:Cookie/Advnt Not disinfected C:\Olddata\Documents and Settings\Adam Saik\Cookies\adam saik@www.advnt01[1].txt
Spyware:Cookie/TopRebates.com Not disinfected C:\Olddata\Documents and Settings\Adam Saik\Cookies\adam saik@www.toprebates[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Olddata\Documents and Settings\Don Saik\Application Data\Mozilla\Firefox\Profiles\494a7mas.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/360i Not disinfected C:\Olddata\Documents and Settings\Don Saik\Application Data\Mozilla\Firefox\Profiles\494a7mas.default\cookies.txt[.ct.360i.com/]
Spyware:Cookie/Xiti Not disinfected C:\Olddata\Documents and Settings\Don Saik\Application Data\Mozilla\Firefox\Profiles\494a7mas.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Olddata\Documents and Settings\Don Saik\Application Data\Mozilla\Firefox\Profiles\494a7mas.default\cookies.txt[.maxserving.com/]
Spyware:Application/PRScheduler Not disinfected C:\Olddata\Documents and Settings\Don Saik\Start Menu\Programs\Startup\PowerReg Scheduler.exe
Potentially unwanted tool:Application/P2PNetworking Not disinfected C:\Olddata\System Volume Information\_restore{2523149F-7E8C-4C43-AAC4-8D88F2474844}\RP93\A0302140.exe
Potentially unwanted tool:Application/iWon Not disinfected C:\Olddata\WINDOWS\Downloaded Program Files\iwonslot1,0,2,5.inf
Potentially unwanted tool:Application/Winfixer2005 Not disinfected C:\Program Files\Common Files\WinAntiVirus Pro 2006\WAPPChk.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe


Here is my HijackThis log also:

Logfile of HijackThis v1.99.1
Scan saved at 7:18:25 PM, on 5/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
C:\Documents and Settings\Adam\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Program Files\Corel\Corel Graphics 12\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=060406 serial=DR12WRF-4397930-VLV lang=EN
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1147888623030
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




Response Number 20
Name: jabuck
Date: May 29, 2006 at 19:22:55 Pacific

Reboot into safe mode.

Go to start>control panel>add/remove programs>scroll down to and uninstall WinAntiVirus Pro 2006 if found.

Navigate to and delete this folder if found:

C:\program files\common files\WinAntiVirus Pro 2006

Navigate to and delete the contents of this folder:

C:\Olddata\Documents and Settings\Adam Saik\Cookies

Navigate to and delete this folder/file if found:

C:\Olddata\WINDOWS\Downloaded Program Files\iwonslot1,0,2,5.inf (should just be a file but if there is a iwon folder delete it)

Purge system restore again.

Run Ccleaner from safe mode.

Run Ewido again from safe mode. When the scan has completed, Ewido will create a report.txt file. Click the "Save Report" button on the bottom of the screen and save the log to your desktop.

Please reboot into normal mode and post the ewido log.





Response Number 21
Name: asaik
Date: May 30, 2006 at 04:38:54 Pacific

Ok. I've completed the ewido scan. Below is the log. There seems to be only one infected entry that ewido apparently cleaned. Perhaps I should run Kaspersky again one final time to make sure?


ewido anti-malware - Scan report


+ Created on: 7:33:00 AM, 5/30/2006
+ Report-Checksum: 35C96F4C

+ Scan result:

HKU\S-1-5-21-2025429265-1500820517-682003330-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F79FD28E-36EE-4989-AA61-9DD8E30A82FA} -> Trojan.Small : Cleaned with backup


::Report End




Response Number 22
Name: jabuck
Date: May 30, 2006 at 15:20:58 Pacific

Looks a lot better. Run a Kaspersky scan if you want to and post it.

