
Hello,

I have apparently been infected with the New Win32 virus. Like I've seen on other posts, it was found with McAfee but could not be removed, cleaned, or quarantined. According to McAfee, it has infected the winlogon.exe. It had also infected a 0wl.tmp file but that was successfully deleted. Also, according to other threads on other forums, it is not a file called winl0gon.exe, but it is in fact that winlogon.exe file that is so very vital to the Windows system...

It was running very slow and taking a very long time to open explorer at startup but after I deleted the 0wl.tmp file explorer just wouldn't start at all. The 0wl.tmp file was located at C:\Documents and Settings\Owner\Local Settings\Temp\0wl.tmp. I then attempted to run HJT from the command line but it is freezing on "04 - Registry & Start Menu autoruns..."


EDIT - 6/17/07 11:18PM AST-----

After force quitting the ATI drivers and the non-working explorer.exe, HJT was successfully able to give me a log file. Here is the log file from HJT:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:16:32 PM, on 6/17/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\cmd.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\HiJackThis_v2.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {36345442-9475-2563-166A-467739208346} - C:\WINDOWS\System32\ipv6mons.dll
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\System32\ipv6mops.dll (file missing)
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\System32\rpcc.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spooIsv.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IEFilter] C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe
O4 - HKUS\S-1-5-21-1229272821-1343024091-854245398-1003\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1229272821-1343024091-854245398-1003\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-21-1229272821-1343024091-854245398-1003\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized (User '?')
O4 - HKUS\S-1-5-21-1229272821-1343024091-854245398-1003\..\Run: [IEFilter] C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User '?')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170543649846
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170543641784
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7377 bytes

END EDIT-----


If anyone has any ideas or could help me in any way, this one is a real mind-bender.

Thanks much!
--Dan

4 Contributors, 9 Replies, 10 Views, 10 Years Discussion Span, Last Post by msfcool
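The log above already contains the tells an analyst looks for: a file name that only looks like spoolsv.exe (spooIsv.exe, capital i for lowercase L), a Run value under the SYSTEM and .DEFAULT profiles that launches a bare "svchost" with no path, an executable autorunning from the user's Local Settings tree, and unnamed BHOs with no file behind them. The script below is an added example, not part of this thread and not HijackThis, SDFix or McAfee code; the sample lines are copied from the posted log, while the heuristics, thresholds and names (triage, normalize, executable) are the editor's own assumptions.

```python
"""Triage a HijackThis log for the kinds of autorun and BHO entries seen above.

Added example: not part of the thread and not HijackThis code. The sample
lines are copied from the posted log; the heuristics and names are assumptions
and produce a review queue for a human, not a verdict.
"""
import re

# Windows XP system binaries whose names malware likes to imitate.
SYSTEM_NAMES = {
    "winlogon.exe", "svchost.exe", "spoolsv.exe", "lsass.exe", "services.exe",
    "csrss.exe", "smss.exe", "explorer.exe", "ctfmon.exe", "rundll32.exe",
}

# Characters that look alike in the default Explorer/console fonts:
# spooIsv (capital i) vs spoolsv (lowercase L), winl0gon (zero) vs winlogon.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l"})


def normalize(name: str) -> str:
    """Lower-case first so 'I' becomes 'i', then fold confusable characters."""
    return name.lower().translate(CONFUSABLES)


# Both sides of the comparison are folded, so winl0gon.exe collides with winlogon.exe.
SYSTEM_BY_FOLDED = {normalize(n): n for n in SYSTEM_NAMES}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Directories an unprivileged user can write to; an autorun from here deserves a look.
USER_WRITABLE = re.compile(r"\\(local settings|temp|application data)\\", re.I)


def executable(cmd: str) -> str:
    """Return the program part of a Run value, dropping arguments and HJT's (User '...') suffix."""
    cmd = re.sub(r"\s*\(User '[^']*'\)$", "", cmd).strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so cut at the first program extension instead.
    m = re.match(r"(.*?\.(?:exe|com|scr|bat|dll))(?=\s|$)", cmd, re.I)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def _check_line(line: str):
    m = O2_RE.match(line)
    if m:
        path = m["path"].strip()
        if path == "(no file)" or path.endswith("(file missing)"):
            yield "orphaned BHO registration (no file on disk)"
        elif m["name"] == "(no name)" and not re.search(r"\\progra", path, re.I):
            yield "unnamed BHO outside Program Files"
        return
    m = O4_RE.match(line)
    if not m:
        return
    hive = m["hive"].upper()
    exe = executable(m["cmd"])
    base = exe.rsplit("\\", 1)[-1]
    if hive.startswith(("HKUS\\S-1-5-18", "HKUS\\.DEFAULT")):
        yield "Run value under the SYSTEM/.DEFAULT profile"
    if "\\" not in exe:
        yield "bare executable name resolved through PATH"
    if USER_WRITABLE.search(exe):
        yield "autorun from a user-writable directory"
    candidate = base if "." in base else base + ".exe"   # 'svchost' -> 'svchost.exe'
    canonical = SYSTEM_BY_FOLDED.get(normalize(candidate))
    if canonical and candidate.lower() != canonical:
        yield f"lookalike of {canonical} (confusable characters in file name)"


def triage(log_text: str) -> list[dict]:
    """Return one {'reason', 'line'} record per suspicious property found."""
    return [{"reason": r, "line": ln.strip()}
            for ln in log_text.splitlines() for r in _check_line(ln.strip())]


# Lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {36345442-9475-2563-166A-467739208346} - C:\WINDOWS\System32\ipv6mons.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [WindowsHive] C:\WINDOWS\System32\rpcc.exe
O4 - HKLM\..\Run: [Spooler SubSystem App] C:\WINDOWS\System32\spooIsv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [IEFilter] C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']:55} {f['line']}")
```

Note what it does not catch: rpcc.exe produces no finding, because nothing about its name or location is unusual; it was only identified later by SDFix. The unnamed SDHelper.dll entry is Spybot's legitimate helper and is deliberately skipped by the Program Files exception. Treat the output as a list of entries to verify, not as a cleaning list.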

You will need your Windows CD.

There is a command called System File Checker that can replace your Windows files which have been infected with stock ones (your winlogon).

Go to Run and type: sfc /scannow

It may not tell you if it was successful or not. Just let it complete, then reboot.


==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Double-click SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
[If you wish, save ATF Cleaner to your desktop or a cleaning folder somewhere as it is a fairly useful tool for occasional use.]
==Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
===Open the extracted SDFix folder, C:\SDFix, and double-click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Restart the pc in normal mode. Post the contents of the file Report.txt here, along with the log of a fresh hijackthis scan run in normal mode.


J Bennet: Thank you very much for your suggestion; I'm going to attempt to fix the file without outright replacing it, however. I will definitely use your suggestion as a last-minute attempt.

Gerbil: To say the least, it sounded easier than it was. I successfully ran ATF Cleaner. As for SDFix, I ran it once, and then I ran it again. So here are both logs:

First:

SDFix: Version 1.88

Run by Administrator on Mon 06/18/2007 at 06:12 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services: 






Modified Winlogon.exe Found!

Winlogon Files Found:

C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\dllcache\winlogon.exe

Infected Files Listed Below:

C:\WINDOWS\system32\winlogon.exe 
C:\WINDOWS\system32\dllcache\winlogon.exe 


Restoring Windows Registry Values
Restoring Windows Default Hosts File 

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\AX.EXE - Deleted
C:\WINDOWS\system32\drivers\kcp.sys  - Deleted
C:\WINDOWS\system32\i  - Deleted
C:\WINDOWS\system32\ipv6monr.dll  - Deleted
C:\WINDOWS\system32\ipv6mons.dll  - Deleted
C:\WINDOWS\system32\mstscex.dll  - Deleted
C:\WINDOWS\system32\oleauth32.dll  - Deleted
C:\WINDOWS\system32\rpcc.exe  - Deleted
C:\WINDOWS\system32\spooIsv.exe  - Deleted
C:\WINDOWS\update.exe  - Deleted



Removing Temp Files...

ADS Check:

Checking C:\WINDOWS\
C:\WINDOWS
No streams found. 

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found. 

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



                                 Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Listing Files with Hidden Attributes:

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\ak.kayaker@hotmail.com\Sharing Folders\irrevsue@hotmail.com\Thumbs.db
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\ak.kayaker@hotmail.com\Sharing Folders\irrevsue@hotmail.com\New Folder\Thumbs.db
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\ak.kayaker@hotmail.com\Sharing Folders\irrevsue@hotmail.com\New Folder (2)\Thumbs.db
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\ak.kayaker@hotmail.com\Sharing Folders\irrevsue@hotmail.com\New Folder (2)\Live With the Vancouver Symphony\AlbumArtSmall.jpg
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\ak.kayaker@hotmail.com\Sharing Folders\irrevsue@hotmail.com\New Folder (2)\Live With the Vancouver Symphony\AlbumArt_{06BDA5A0-4508-413D-ACA1-6C17D5E8EA91}_Large.jpg
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\ak.kayaker@hotmail.com\Sharing Folders\irrevsue@hotmail.com\New Folder (2)\Live With the Vancouver Symphony\AlbumArt_{06BDA5A0-4508-413D-ACA1-6C17D5E8EA91}_Small.jpg
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\ak.kayaker@hotmail.com\Sharing Folders\irrevsue@hotmail.com\New Folder (2)\Live With the Vancouver Symphony\desktop.ini
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\ak.kayaker@hotmail.com\Sharing Folders\irrevsue@hotmail.com\New Folder (2)\Live With the Vancouver Symphony\Folder.jpg
C:\Documents and Settings\All Users\Application Data\Google Updater\cache\BIT1.tmp
C:\Documents and Settings\Owner\Local Settings\Temp\TCDD1.tmp\~$07 calendar.dot
C:\Documents and Settings\Owner\My Documents\~WRL0002.tmp
C:\Documents and Settings\Owner\My Documents\~WRL0003.tmp
C:\Documents and Settings\Owner\My Documents\~WRL0005.tmp
C:\Documents and Settings\Owner\My Documents\~WRL1833.tmp
C:\Documents and Settings\Owner\My Documents\~WRL3238.tmp
C:\Documents and Settings\Owner\My Documents\~WRL3462.tmp
C:\Documents and Settings\Owner\My Documents\~WRL3835.tmp
C:\Documents and Settings\Owner\My Documents\~WRL3836.tmp
C:\Documents and Settings\Owner\My Documents\~WRL4020.tmp
C:\Documents and Settings\Owner\My Documents\MAT\ED 620 Curriculum Development\~WRL0453.tmp
C:\Documents and Settings\Owner\My Documents\MAT\ED 620 Curriculum Development\~WRL0869.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL0004.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL0204.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL0252.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL0344.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL0622.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL0651.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL0981.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL1402.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL1430.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL1497.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL2042.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL2045.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL2103.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL2155.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL2403.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL2575.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL3117.tmp

Listing User Accounts:

User accounts for \\KAYDELL600M

Administrator            Guest                    HelpAssistant            
Owner                    SUPPORT_388945a0         


                                 Finished 

Second:

SDFix: Version 1.88

Run by Administrator on Mon 06/18/2007 at 06:58 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services: 






Modified Winlogon.exe Found!

Winlogon Files Found:

C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\dllcache\winlogon.exe

Infected Files Listed Below:

C:\WINDOWS\system32\winlogon.exe 
C:\WINDOWS\system32\dllcache\winlogon.exe 


Restoring Windows Registry Values
Restoring Windows Default Hosts File 

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

Checking C:\WINDOWS\
C:\WINDOWS
No streams found. 

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found. 

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



                                 Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------


Listing Files with Hidden Attributes:

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\ak.kayaker@hotmail.com\Sharing Folders\irrevsue@hotmail.com\Thumbs.db
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\ak.kayaker@hotmail.com\Sharing Folders\irrevsue@hotmail.com\New Folder\Thumbs.db
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\ak.kayaker@hotmail.com\Sharing Folders\irrevsue@hotmail.com\New Folder (2)\Thumbs.db
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\ak.kayaker@hotmail.com\Sharing Folders\irrevsue@hotmail.com\New Folder (2)\Live With the Vancouver Symphony\AlbumArtSmall.jpg
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\ak.kayaker@hotmail.com\Sharing Folders\irrevsue@hotmail.com\New Folder (2)\Live With the Vancouver Symphony\AlbumArt_{06BDA5A0-4508-413D-ACA1-6C17D5E8EA91}_Large.jpg
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\ak.kayaker@hotmail.com\Sharing Folders\irrevsue@hotmail.com\New Folder (2)\Live With the Vancouver Symphony\AlbumArt_{06BDA5A0-4508-413D-ACA1-6C17D5E8EA91}_Small.jpg
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\ak.kayaker@hotmail.com\Sharing Folders\irrevsue@hotmail.com\New Folder (2)\Live With the Vancouver Symphony\desktop.ini
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\ak.kayaker@hotmail.com\Sharing Folders\irrevsue@hotmail.com\New Folder (2)\Live With the Vancouver Symphony\Folder.jpg
C:\Documents and Settings\All Users\Application Data\Google Updater\cache\BIT1.tmp
C:\Documents and Settings\Owner\My Documents\~WRL0002.tmp
C:\Documents and Settings\Owner\My Documents\~WRL0003.tmp
C:\Documents and Settings\Owner\My Documents\~WRL0005.tmp
C:\Documents and Settings\Owner\My Documents\~WRL1833.tmp
C:\Documents and Settings\Owner\My Documents\~WRL3238.tmp
C:\Documents and Settings\Owner\My Documents\~WRL3462.tmp
C:\Documents and Settings\Owner\My Documents\~WRL3835.tmp
C:\Documents and Settings\Owner\My Documents\~WRL3836.tmp
C:\Documents and Settings\Owner\My Documents\~WRL4020.tmp
C:\Documents and Settings\Owner\My Documents\MAT\ED 620 Curriculum Development\~WRL0453.tmp
C:\Documents and Settings\Owner\My Documents\MAT\ED 620 Curriculum Development\~WRL0869.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL0004.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL0204.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL0252.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL0344.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL0622.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL0651.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL0981.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL1402.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL1430.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL1497.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL2042.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL2045.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL2103.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL2155.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL2403.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL2575.tmp
C:\Documents and Settings\Owner\My Documents\MAT\Portfolio\Goal 2\~WRL3117.tmp

Listing User Accounts:

User accounts for \\KAYDELL600M

Administrator            Guest                    HelpAssistant            
Owner                    SUPPORT_388945a0         


                                 Finished 

I then tried to run HJT; however, there was a process that was deleting the file before I could get to it. My solution: I had to kill every process I could before I was able to run it again via the command line... It may not have some of the processes that I killed down, but here's what I have.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:28:26 PM, on 6/18/2007
Platform: Windows XP  (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\System32\cmd.exe
C:\SDFix\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {36345442-9475-2563-166A-467739208346} - C:\WINDOWS\System32\ipv6mons.dll (file missing)
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170543649846
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170543641784
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6464 bytes

Hope this helps!
Thanks much,
Dan

Edited by mike_2000_17: Fixed formatting


OK, eventually you will have to do what jb suggested, because your winlogon.exe is infected both in system32 and in the backup cache.
But first there is still some cleaning to do...
Panda Online Scan:

Please do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
AVG - AS:

GET AVG antispyware 7.5 here.. http://free.grisoft.com/doc/5390/lng/us/tpl/v5
or here.. http://free.grisoft.com/freeweb.php/doc/5390/lng/us/tpl/v5#avg-anti-spyware-free

-the link is almost at the bottom of the page , avgas 7.5.0.50. Install it and UPDATE it.
Good. Now restart in Safe Mode, start hijackthis and select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {36345442-9475-2563-166A-467739208346} - C:\WINDOWS\System32\ipv6mons.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')

Start AVG a-s 7.5;
-under Scanner/ Settings please set Recommended actions to Quarantine, and run the scan.
-click Apply all actions and then save the log file.
Restart in Normal mode.
Change the name hijackthis.exe to imabunny.exe and then do another scan with logfile.
Please post the AVG, Panda and HT logs.
(Do you have an OEM or microsoft installation CD, or can you borrow one?)

To restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes, press Yes to bypass System Restore.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using your account if an administrator, otherwise use the Administrator account and password. NOTE: The password is blank by default unless you set a password.

Edited by mike_2000_17: Fixed formatting
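The point made above, that the dllcache backup is also infected, is the one a practitioner needs to check explicitly: Windows File Protection repairs system32 from dllcache, so two identical copies tell you nothing unless at least one of them matches a trusted reference. The following is an added example, not part of this thread and not how SDFix or sfc work internally. It assumes you can obtain a reference SHA-256 of winlogon.exe for exactly the same Windows XP service pack and hotfix level (from a clean machine, or from the file expanded out of WINLOGON.EX_ in the I386 folder of the installation CD); the byte strings and digests used below are constructed for the demo, and the function names are the editor's own.

```python
"""Verify both Windows File Protection copies of winlogon.exe against a trusted reference hash.

Added example, not from the thread and not SDFix/SFC code. It assumes a
reference SHA-256 for this exact service pack and hotfix level; the images
and digests below are constructed stand-ins, not real winlogon.exe bytes.
"""
import hashlib
from pathlib import Path

PROTECTED_COPIES = [
    r"C:\WINDOWS\system32\winlogon.exe",
    r"C:\WINDOWS\system32\dllcache\winlogon.exe",   # WFP's own backup copy
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verdicts(copies: dict[str, bytes], reference_sha256: str) -> dict[str, str]:
    """Per-path 'clean' or 'modified', judged only against the trusted reference.

    Comparing system32 with dllcache is not enough: an infector that patches
    both copies (as the SDFix log in this thread shows) leaves them identical.
    """
    ref = reference_sha256.lower()
    return {p: ("clean" if sha256_hex(b) == ref else "modified") for p, b in copies.items()}


def repair_source(results: dict[str, str]) -> str:
    """Decide where a clean copy can come from."""
    clean = [p for p, v in results.items() if v == "clean"]
    if len(clean) == len(results):
        return "no repair needed"
    if clean:
        return f"copy from {clean[0]}"
    return "no clean copy on disk: restore winlogon.exe from the installation CD"


def check_disk(reference_sha256: str, paths=PROTECTED_COPIES) -> dict[str, str]:
    """Real-world entry point: hash whatever copies exist on this machine."""
    copies = {p: Path(p).read_bytes() for p in paths if Path(p).exists()}
    return verdicts(copies, reference_sha256)


# Constructed stand-ins for the demo (a real winlogon.exe is a PE image, not these bytes).
CLEAN_IMAGE = b"MZ" + b"\x90" * 64 + b"clean winlogon stand-in"
INFECTED_IMAGE = CLEAN_IMAGE + b"appended infector stub"
REFERENCE_SHA256 = sha256_hex(CLEAN_IMAGE)


def demo_both_infected() -> tuple[dict[str, str], str]:
    """The situation in the SDFix log: both copies patched, identical to each other."""
    copies = {p: INFECTED_IMAGE for p in PROTECTED_COPIES}
    r = verdicts(copies, REFERENCE_SHA256)
    return r, repair_source(r)


def demo_dllcache_clean() -> tuple[dict[str, str], str]:
    """The easier case: only system32 patched, so WFP's backup can be used."""
    copies = {PROTECTED_COPIES[0]: INFECTED_IMAGE, PROTECTED_COPIES[1]: CLEAN_IMAGE}
    r = verdicts(copies, REFERENCE_SHA256)
    return r, repair_source(r)


if __name__ == "__main__":
    for name, demo in (("both infected", demo_both_infected), ("dllcache clean", demo_dllcache_clean)):
        results, source = demo()
        print(name, results, "->", source)
```

Run check_disk() with the reference digest on the affected machine to get the same verdict for the real files. If both copies come back modified, no on-disk source remains and the replacement has to come from the installation media, which is exactly why a CD at the right service-pack level is needed here.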


Awww shucks... Well, I'm sure I can find one, but I didn't want to hunt one down. I'll see if I have one with the correct SP... I'm working on all the other stuff right now.

Thanks for all the help!
--Dan


I tried to run the panda scan but I couldn't access the internet through that computer. This also meant that I couldn't update AVG. However, I was able to download version 7.5.1.43 and run that. The HJT scan and repair worked fine in Safe Mode. I wasn't able to get a report from AVG, however, here are the objects that were found:

Downloader.Ftp.ab
Trojan.Agent.If
Downloader.Agent.bnm
Proxy.Dlena.nam
Backdoor.Rbot
Trojan.Agent.alw
Trojan.Tanspy
Rootkit.Agent.eg
Trojan.Zapchast.ca
Adware.RogueSuspect
Not-A-Virus.SpamTool.Win32.Agent.am
Not-A-Virus.SpamTool.Win32.Agent.ah

All of them were successfully quarantined.

Again... something deleted my HJT even when I renamed the file. I again had to kill all the processes and try it again. Here's the log from that:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:58:38 PM, on 6/18/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.5672\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program Files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\McAfee.com\Agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [IEFilter] C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1170543649846
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170543641784
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - Networks Associates Technology. Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6644 bytes

Thanks again!
--Dan


Hmm... another pest has popped up, and I don't see hijackthis renamed, either - it may be important.
This will remove the pest meantime:
Combofix:
==Download this file to your desktop: http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
...or from here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- To run it, double-click combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
If it runs and shows deletions, run it again.
Next, check some settings... In Control Panel select Network and Internet Connections, right-click on your default connection (usually Local Area Connection for cable and DSL) and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select Obtain DNS servers automatically. Press OK twice to get out of the Properties screen, and reboot if it asks.
Now we have to flush the DNS cache: go Start > Run, type cmd and click OK.
In the command screen, type in cd\ and then press Enter. Now type in ipconfig /flushdns and then press Enter [space after ipconfig]. Type Exit.
Good. Now see if you can access the Panda online scan, then also update AVG AS and rerun it.
Change the name of hijackthis.exe as mentioned above and produce another scan, please. And I'd like to see all the other logs too, please.

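The two things Gerbil picks out of the log above (a new O4 autorun, and HijackThis still running under its real name) are exactly the kind of pattern a helper scans for by eye. The script below is an added example for this thread, not HijackThis code and not something anyone in the discussion posted: it parses O2/O4 lines and the "Running processes" section of a HijackThis-style log and flags the patterns seen in this thread. The heuristics (bare file names resolved by PATH search, programs launched from user-profile directories such as Local Settings, system-binary names outside %SystemRoot%, nameless or missing BHOs, the scanner running under its own name) are the editor's own choices, and SAMPLE_LOG is a constructed excerpt modelled on the logs in the thread.

```python
"""Triage a HijackThis-style log for the patterns a helper looks for first.

Added example for this thread: not part of HijackThis and not posted by
anyone in the discussion. The heuristics are the editor's own; SAMPLE_LOG
is a constructed excerpt modelled on the thread's logs.
"""
import re

SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {36645342-9475-2663-166A-466739207346} - C:\WINDOWS\System32\ipv6mops.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKCU\..\Run: [IEFilter] C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Internet Explorer\Filters\IExpl32d.exe
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_REG_RE = re.compile(r"^O4 - (?P<key>HK[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_DIR_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# Unquoted path with spaces: drive letter up to the first extension that ends a token.
EXE_RE = re.compile(r"^(?P<exe>[A-Za-z]:\\.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=\s|$)", re.I)

# Directories an unprivileged user can write to (where 0wl.tmp and IExpl32d.exe lived).
USER_WRITABLE = ("\\local settings\\", "\\application data\\", "\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
# Names malware borrows so a casual reader skips the entry.
SYSTEM_STEMS = {"svchost", "winlogon", "lsass", "services", "csrss", "smss", "explorer"}


def executable_of(cmd):
    """Pull the program path out of a Run value, dropping arguments and
    HijackThis's trailing (User '...') annotation."""
    cmd = re.sub(r"\s*\(User '[^']*'\)\s*$", "", cmd.strip())
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    if m:
        return m.group("exe")
    return cmd.split()[0] if cmd else ""


def check_autorun(cmd):
    """Reasons an O4 autorun command deserves a look (empty list if none)."""
    exe = executable_of(cmd)
    low = exe.lower()
    reasons = []
    if "\\" not in low:
        reasons.append("bare file name: resolved by PATH search, not a fixed location")
        base = low
    else:
        base = low.rsplit("\\", 1)[1]
    if any(d in low for d in USER_WRITABLE):
        reasons.append("runs from a user-writable profile directory")
    stem = base[:-4] if base.endswith(".exe") else base
    if stem in SYSTEM_STEMS and not low.startswith(SYSTEM_DIRS):
        reasons.append("Windows system binary name outside %SystemRoot%")
    return reasons


def triage(log_text):
    """Return (item, reason) pairs for every log line worth a second look."""
    findings = []
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if "hijackthis" in line.lower():
                findings.append((line, "scanner running under its real name; "
                                       "rename it, something on this box deletes it by name"))
            continue
        m = O2_RE.match(line)
        if m:
            item = "O2 {%s}" % m.group("clsid")
            if m.group("name") == "(no name)":
                findings.append((item, "BHO registered without a name"))
            if "(file missing)" in m.group("path"):
                findings.append((item, "BHO DLL missing but still registered"))
            continue
        m = O4_REG_RE.match(line) or O4_DIR_RE.match(line)
        if m:
            item = "O4 [%s]" % m.group("name")
            findings.extend((item, r) for r in check_autorun(m.group("cmd")))
    return findings


if __name__ == "__main__":
    for item, reason in triage(SAMPLE_LOG):
        print("%-60s %s" % (item, reason))
```

Run against the constructed excerpt it flags PCTVOICE (bare name), IEFilter (Local Settings path), WinMedia (bare `svchost` under the SYSTEM hive), the nameless and missing BHO, and the un-renamed HiJackThis.exe, while leaving the Java, ctfmon-style and Startup-folder entries alone. A hit is a prompt to check the file, not a verdict: PCTVOICE in this thread is a legitimate modem utility that simply ships without a full path.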

Hello,

Thank you for the very quick and helpful responses. I'm sorry to inform you, for anyone who was looking for solutions and for the excellent help from Gerbil, that the customer and I found it more appropriate to wipe the hard drive than to continue the cleaning extravaganza. Thank you very much for your time and hope you have a good weekend!

--Dan

Hi! I am from India. I am facing the same problem, New Win32, and as you said, you wiped the hard disk... Well, I also reformatted my hard disk, but this damn virus still keeps coming back.

I wanted to know: when you say you wiped your hard disk, do you mean you reformatted it, or something else, like a physical way to clean it out?

If you reply to me I will be thankful.
