antimalware doctor- combo fix log

[k9mom007]

Hi,
My dad's computer has the antimalware doctor virus. Was able to run Combofix prog and now will post the log. Running Windows xp pro/service pack 3. Any and all thoughts and suggestions appreciated.
ComboFix 10-09-08.01 - Administrator 09/09/2010 21:01:24.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1615 [GMT -4:00]
Running from: F:\ComboFix.exe
AV: PC Tools AntiVirus 6.1.0.25 *On-access scanning disabled* (Updated) {832E7172-E406-4bb2-8B19-6D29F2C93A98}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Local Settings\Application Data\jvmfraslp\asqnrrpuqiw.exe
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\admin.txt
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\server.dat
c:\documents and settings\Administrator\Local Settings\Application Data\Windows Server\uses32.dat
c:\documents and settings\Administrator\Start Menu\Programs\Antimalware Doctor
c:\documents and settings\Administrator\Start Menu\Programs\Antimalware Doctor\Antimalware Doctor.lnk
c:\documents and settings\Administrator\Start Menu\Programs\Antimalware Doctor\Uninstall.lnk
c:\documents and settings\Administrator\Start Menu\Programs\Startup\auditusr.exe
c:\windows\anomecus.dll
c:\windows\awawojiyerezuq.dll
c:\windows\drvfxs.dll
c:\windows\edugefimifet.dll
c:\windows\edujecux.dll
c:\windows\egoxixibabud.dll
c:\windows\eqalihiwe.dll
c:\windows\esefatufoqi.dll
c:\windows\etiyalog.dll
c:\windows\etutecoqa.dll
c:\windows\eyoseveg.dll
c:\windows\iruriquyiwifa.dll
c:\windows\itibovis.dll
c:\windows\odocecisuwaq.dll
c:\windows\ogedahig.dll
c:\windows\owilugawopik.dll
c:\windows\system32\drivers\hwinterface.sys
c:\windows\system32\zip32.dll
c:\windows\system32\zlibwapi.dll
c:\windows\udadukem.dll
c:\windows\ukomoxobuzogaz.dll

Infected copy of c:\windows\system32\drivers\cdrom.sys was found and disinfected
Restored copy from - Kitty had a snack
c:\windows\system32\winlogon.exe . . . is infected!!

c:\windows\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HWINTERFACE
-------\Service_hwinterface


((((((((((((((((((((((((( Files Created from 2010-08-10 to 2010-09-10 )))))))))))))))))))))))))))))))
.

2010-09-07 20:40 . 2010-09-07 20:40 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-09-07 20:39 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-07 20:39 . 2010-09-07 20:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-07 20:39 . 2010-09-07 20:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-07 20:39 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-06 15:21 . 2010-09-10 01:10 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\jvmfraslp
2010-09-06 15:19 . 2010-09-06 21:57 -------- d-----w- c:\documents and settings\Administrator\Application Data\#66C9C6D07CA95FDE03A21B8837A16E6F
2010-09-01 21:07 . 2010-09-01 21:14 -------- d-----w- c:\program files\AACircuit1_28_6
2010-09-01 21:05 . 2010-09-01 21:05 -------- d-----w- C:\AACircuit1_28_6
2010-08-30 22:43 . 2010-08-30 22:45 -------- d-----w- c:\program files\Pi Filter Calculator
2010-08-30 00:56 . 2010-08-30 01:04 -------- d-----w- c:\program files\lcc
2010-08-15 23:12 . 2010-08-15 23:18 -------- d-----w- c:\program files\WSPR2a
2010-08-14 22:16 . 2010-08-14 22:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Schematica
2010-08-14 22:16 . 2010-08-14 23:55 -------- d-----w- c:\program files\Filter Wiz PRO 5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2010-09-10 01:15 . 2009-04-18 23:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-09-10 01:13 . 2009-04-30 15:33 -------- d-----w- c:\program files\PC Tools AntiVirus
2010-09-07 16:16 . 2009-11-20 23:12 -------- d-----w- c:\program files\WSPR2
2010-09-06 15:20 . 2010-09-06 15:19 1063424 ----a-w- c:\documents and settings\Administrator\Application Data\#66C9C6D07CA95FDE03A21B8837A16E6F\mediafix707 00en02.exe
2010-09-04 14:47 . 2009-04-02 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Dell
2010-09-04 02:18 . 2009-04-05 03:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\Skype
2010-08-29 15:45 . 2009-04-28 15:25 -------- d-----w- c:\program files\Cadrail 7
2010-08-21 20:53 . 2009-12-01 00:51 1 ----a-w- c:\documents and settings\Administrator\Application Data\OpenOffice.org\3\user\uno_packages\cache\stam p.sys
2010-08-21 01:37 . 2009-04-03 17:47 5008 ----a-w- c:\documents and settings\Administrator\Application Data\wklnhst.dat
2010-08-17 18:10 . 2010-09-01 02:37 372736 ------w- c:\documents and settings\All Users\Application Data\Dell\DSL\DSLCheck.exe
2010-08-17 12:12 . 2010-08-04 19:58 -------- d--h--r- c:\documents and settings\Administrator\Application Data\Microchip
2010-08-13 01:47 . 2009-03-26 15:31 -------- d-----w- c:\program files\Microsoft Works
2010-08-10 20:52 . 2010-08-10 20:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\ESBCalc
2010-08-10 20:50 . 2010-08-10 20:50 -------- d-----w- c:\program files\hamcalc
2010-08-10 20:42 . 2010-08-10 20:21 -------- d-----w- c:\program files\Filter
2010-08-05 11:40 . 2009-09-03 20:12 -------- d-----w- c:\program files\Google
2010-08-04 19:59 . 2010-08-04 19:59 -------- d-----w- c:\program files\HI-TECH Software
2010-08-04 19:58 . 2009-03-26 15:24 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-08-04 19:58 . 2010-08-04 19:54 -------- d-----w- c:\program files\MPLAB
2010-08-04 19:55 . 2010-08-04 19:55 -------- d-----w- c:\program files\Microchip
2010-07-18 15:20 . 2010-07-13 02:22 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
2010-07-16 23:56 . 2010-07-16 23:54 -------- d-----w- c:\program files\SKCCloggerK2RFP
2010-07-13 02:21 . 2010-07-13 02:21 -------- d-----w- c:\program files\VLC
2010-07-12 14:17 . 2010-05-15 11:33 -------- d-----w- c:\program files\SpectraVue
2010-07-12 03:10 . 2010-07-12 03:10 -------- d-----w- c:\program files\Recuva
2010-06-30 12:31 . 2008-04-25 16:16 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-30 11:56 . 2009-03-26 15:34 168032 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-06-24 12:22 . 2008-04-25 16:16 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-24 02:14 . 2008-04-25 16:16 1861120 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2008-04-25 16:16 354304 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2008-04-25 16:16 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2008-04-25 21:27 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-06-14 07:41 . 2008-04-25 16:16 1172480 ----a-w- c:\windows\system32\msxml3.dll
2009-08-20 08:15 . 2009-08-20 08:15 135630545 ----a-w- c:\program files\openofficeorg1.cab
2009-08-20 08:13 . 2009-08-20 08:13 9815040 ----a-w- c:\program files\openofficeorg31.msi
2009-08-19 08:31 . 2009-08-19 08:31 336 ----a-w- c:\program files\setup.ini
2002-03-11 09:06 . 2002-03-11 09:06 1822520 ----a-w- c:\program files\instmsiw.exe
2002-03-11 08:45 . 2002-03-11 08:45 1708856 ----a-w- c:\program files\instmsia.exe
.

------- Sigcheck -------

[-] 2008-04-14 . FC0657669ED0CD9443308E6052B8D69C . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe

[-] 2008-04-14 . DFFFBEFF9461E500611A918236EF34CD . 1033728 . . [6.00.2900.5512] . . c:\windows\explorer.exe

[k9mom007]

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"AdesClrPicker.exe"="c:\program files\AdesClrPicker\AdesClrPicker.exe" [2009-04-29 1865216]
"mediafix70700en02.exe"="c:\documents and settings\Administrator\Application Data\BD9893E50E0E7AFA63D18D850C4E03D8710BDDAF40D24 BCF5EFBEE80165A5D887CAC6D657D77EA515FABBE1D5DD938D D5F8BDAD927C928497A2916FC86045D396C9C6D07CA95FDE03 A21B8837A16E6F\mediafix70700en02.exe" [2010-09-06 1063424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-17 16132608]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 90112]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-11-13 1807600]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"PCTAVApp"="c:\program files\PC Tools AntiVirus\PCTAV.exe" [2009-04-16 1505168]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[hkey_local_machine\software\microsoft\windows\curr entversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-03-26 15:32 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\PCTAVSvc]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Peak Systems\\UI-View32\\Uiview32.exe"=
"c:\\Program Files\\DXLab Suite\\DXKeeper\\DXKeeper.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpo licy\standardprofile\GloballyOpenPorts\List]
"85:TCP"= 85:TCP:BroadWave Web Server

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/19/2009 10:41 AM 206256]
R2 DXSOFTIO;DXSOFTIO;c:\windows\system32\drivers\DXSO FTIO.SYS [2/24/2010 1:07 PM 7616]
S2 gupdate1ca2cd2ef1eae00;Google Update Service (gupdate1ca2cd2ef1eae00);c:\program files\Google\Update\GoogleUpdate.exe [9/3/2009 4:12 PM 133104]
S3 F5U103BD;Belkin F5U103 USB-RS232 Bus Driver;c:\windows\system32\drivers\F5U103BD.SYS [8/9/2001 10:39 AM 16528]
S3 F5U103UD;Belkin F5U103 USB-RS232 Port Driver;c:\windows\system32\drivers\F5U103UD.SYS [8/9/2001 10:39 AM 25569]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv
.
Contents of the 'Scheduled Tasks' folder

2010-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-03 20:12]

2010-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-03 20:12]
.
.

[k9mom007]

------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\6ww3kzy7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.d ll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

BHO-{B1BA40A2-75F2-51BD-F413-04B13A2C8953} - (no file)
HKCU-Run-Msomesuzupi - c:\windows\drvfxs.dll
HKCU-Run-MKeta - c:\windows\services.exe
HKCU-Run-lyaahqpf - c:\documents and settings\Administrator\Local Settings\Application Data\jvmfraslp\asqnrrpuqiw.exe
HKLM-Run-MKeta - c:\windows\services.exe
HKLM-Run-lyaahqpf - c:\documents and settings\Administrator\Local Settings\Application Data\jvmfraslp\asqnrrpuqiw.exe
AddRemove-TimeSync - c:\program files\TimeSync\DeIsL1.isu



************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-09 21:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1491366257-3077111548-3362418281-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:0 1,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b3,1e,40 ,06,7f,e1,71,46,bb,c5,27,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:0 1,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b3,1e,40 ,06,7f,e1,71,46,bb,c5,27,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(752)
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
c:\program files\PC Tools AntiVirus\PCTAVHook.dll

- - - - - - - > 'lsass.exe'(812)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
c:\program files\PC Tools AntiVirus\PCTAVHook.dll

- - - - - - - > 'explorer.exe'(2512)
c:\windows\system32\WININET.dll
c:\program files\PC Tools AntiVirus\PCTAVHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\LEXPPS.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\PC Tools AntiVirus\PCTAVSvc.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\RTHDCPL.EXE
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\windows\system32\SearchIndexer.exe
c:\documents and settings\Administrator\Application Data\#66C9C6D07CA95FDE03A21B8837A16E6F\mediafix707 00en02.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
************************************************** ************************
.
Completion time: 2010-09-09 21:21:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-10 01:21

Pre-Run: 288,590,663,680 bytes free
Post-Run: 288,635,228,160 bytes free

- - End Of File - - CBF6F5B505DF36A30E7652742FBB8864

[k9mom007]

I hope I got this all copied and pasted correctly...if not, give me a shout. I appreciate the help.

[touch]

Hello k9mom007


You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

Speech over


Download this small tool, save it on your desktop: SystemLook

Double-click systemlook.exe - a small window pop up where you must copy the bolded text in:


: Filefind
*explorer.exe*
*winlogon.exe*


Click the Look button. The program will now search your computer.
When the scan are done, there will pop notepad window up with a log from the System Look. Please copy it here in the forum in your next reply.

The log can also be found on your desktop with the name: SystemLook.txt.

[k9mom007]

ok....sorry I jumped the gun. I misunderstood. I had posted a reply in another person's thread (they had the exact same problem) and I was told to start a new topic, and I just followed the instructions you had given him. I will know better next time.
My Dad has registered here at the boards, and he's watching this thread, so I will have him follow your directions for the next step.
Thanks for the reply and help.

[touch]

Quote:

sorry I jumped the gun. I misunderstood

No problem

[k9mom007]

thanks. another 2 cents before I walk out the door for work. Dad's computer was rendered virtually useless unless in safe mode. could not run any programs..antimalware doc would shut everything down. I'll let him finish this task. Thanks for not yelling at me too bad! Enjoy your day.

[Jintan]

My apologies Touch, for intruding here. k9mom007, is this system the same one as this one (meaning two new requests for the exact same system)?

[k9mom007]

A bit confusing, I believe.

k9mom007 is my daughter. She was busy yesterday. It is 'MY' computer. She thought I could pick up where she left off. All the log info is from my computer on this thread (the one you started fore me) and the one k9mom007 started. I apologize for any confusing I created.

Still like any support you can offer for my problem.

TU

[k9mom007]

yes, all the reports are from 1 computer, my Dad's. I started the thread, and I created the oonfusion. My Dad was not registered at the boards, so I posted his computer problem for him.
I apologize for the confusion. He was requested to run the SystemLook and he posted the results in this thread, but I believe they were moved by the moderators.
I'm respectfully asking that you help him with this antimalware doctor problem and in the future only one of us will post with a problem in a single thread.
Thanks

[touch]

Post the results from SystemLook in this topic, and we´ll continue here.

[Vern]

Now logged in properly....I think.

Vern
- - - - - - - - - - - - - - - - - -

SystemLook 04.09.10 by jpshortstuff
Log created at 09:05 on 11/09/2010 by Administrator
Administrator - Elevation successful

========== Filefind ==========

Searching for "*explorer.exe*"
C:\WINDOWS\explorer.exe --a---- 1033728 bytes [16:16 25/04/2008] [12:00 14/04/2008] DFFFBEFF9461E500611A918236EF34CD
C:\WINDOWS\explorer.exe# --a---- 1033728 bytes [16:16 25/04/2008] [12:00 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923
C:\WINDOWS\Prefetch\EXPLORER.EXE-02121B1A.pf --a---- 80972 bytes [20:54 07/09/2010] [01:20 10/09/2010] 985C19DA0DF47028FAD8703D4B42F956

Searching for "*winlogon.exe*"
C:\WINDOWS\system32\winlogon.exe --a---- 507904 bytes [16:16 25/04/2008] [12:00 14/04/2008] FC0657669ED0CD9443308E6052B8D69C

-= EOF =-

[touch]

c:\windows\system32\winlogon.exe . . . is infected!!
c:\windows\explorer.exe . . . is infected!!


I´ll therefore suggest you replace them.

To do this simply go to the Run box on the Start Menu and type/copy in:

sfc /scannow

This command will immediately initiate the Windows File Protection service to scan all protected files and verify their integrity, replacing any files with which it finds a problem.

When done, please post new combofix log.

[Vern]

I ran sfc /scannow 3 times. It did not provide a report. It did run through the full progress bar all 3 times. I looked for the report in my C: drive and searched for it with Start/Search. Sorry!

What next?

TU Vern