Winlogon Hook, and other infections

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by johnnyp500, Jul 24, 2006.

  1. johnnyp500

    johnnyp500 Private E-2

    Trojan agent winlogon hook, atlas dmt cookie, and more

    Hello,
    I have an IBM T42 Pentium M 1.8 1g RAM, 60GB 7200 RPM HD, running Windows XP Professional.

    I managed to get rid of some of the crap that I was infected with, but these keep coming back:
    trojan agent winlogonhook
    atlas dmt cookie
    imrworldwide.com
    2o7.net
    tribalfusion cookie
    I also had a hijacker found, but it sometimes is found and sometimes isn't. This is what I found using Webroot Spy Sweeper.
    What I've done so far: I ran all possible anti-spyware programs (Spybot Search and Destroy, XoftSpySE, Webroot Spy Sweeper, Lavasoft Ad-Aware, and some others) in safe mode. I am just unable to remove those listed on top.

    This is the HijackThis log file:

    inline log removed

    Please advise
    Thank you very much for your help
    John
     
    Last edited by a moderator: Jul 24, 2006
  2. AbbySue

    AbbySue MajorGeeks Administrator

    Re: Trojan agent winlogon hook, atlas dmt cookie, and more

    Welcome to MajorGeeks John!:)

    - Please run ALL the steps in this Sticky thread: READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky):

    Bitdefender
    Panda Scan
    HijackThis
     
  3. johnnyp500

    johnnyp500 Private E-2

    Hello,
    I have done everything in the READ & RUN ME FIRST Before Asking for Support and I still can't get rid of some of this stuff on my computer, like the winlogon hook and some other cookies that keep coming back. Spybot, CCleaner, and all the other programs you listed didn't find anything, but the 2 online scans did find something but were unable to remove it, and Webroot Spy Sweeper keeps finding the hook and cookies after they are removed by it.

    The following attachments are the Bitdefender and Panda scans, and the HijackThis log file.

    Please help, it's driving me crazy, I haven't seen daylight for 3 days :)

    thank you
    John
    System information: Windows XP Professional, IBM T42 Pentium M1.8, 1g Ram, 60GB HD 7200 RPM
     

    Attached Files:

  4. AbbySue

    AbbySue MajorGeeks Administrator

    Hello again John!:)

    I have merged your threads together. Please, to avoid confusion, keep your replies, logs, etc. all in this, your original thread. If you have a second computer you need assistance with, then for that you would start a new thread.

    Someone will be along to assist you shortly with your logs.

    Good luck!:)
     
  5. johnnyp500

    johnnyp500 Private E-2

    Hello,
    Ok, no problem.

    Thank you very much
    John
     
  6. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  7. johnnyp500

    johnnyp500 Private E-2

    Hello,
    I did what you said. I couldn't find any of the files listed for deletion. I ran the smit and attached the log as well as a new HijackThis log.
    Another thing I noticed is that the Toolbar 888 that I uninstalled came back, and a maxifiles warning, and still the winlogon hook.

    Please advise.

    Thank You
    John
     

    Attached Files:

  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Don't remove anything unless I tell you. Yes, Toolbar 888 is an unwanted app.

    I am working through your log 1 infection at a time, instead of hitting you with a large removal procedure.

    SmitRem appears to have removed the Smitfraud infection.

    Follow the directions for Virtumonde aka Trojan Vundo Removal.

    Vundo is being stubborn lately. So, don't be alarmed if this doesn't work.

    Post a fresh HijackThis log when finished.
     
  9. johnnyp500

    johnnyp500 Private E-2

    Hello,
    I ran the VundoFix but it didn't find any infected files.
    With regards to not removing anything unless you tell me, no problem, but just so you know, before I asked in this forum I already ran the anti-Smitfraud and thought I removed it before, but apparently it came back.

    But from now on I'll wait for your instructions.

    Thanks again
    John
     
  10. johnnyp500

    johnnyp500 Private E-2

    Forgot the HijackThis log
     

    Attached Files:

  11. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox

    In HJT, choose Open the Misc Tools Section, choose Process Manager, and highlight:
    Choose Kill Process.

    Now Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot. Note: many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message, just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP, delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And click OK.

    REBOOT to Normal Mode.

    Post a fresh HijackThis log.
     
  12. johnnyp500

    johnnyp500 Private E-2

    Done.

    HijackThis log attached

    Thanks
    John
     

    Attached Files:

  13. johnnyp500

    johnnyp500 Private E-2

    Hi,
    Just ran the scan again and the winlogon hook still shows up, and so does maxifiles.

    Thanks
     
  14. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  15. johnnyp500

    johnnyp500 Private E-2

    Hello,
    Thank you, thank you, thank you!!!!

    It worked. I couldn't believe it worked, so I rebooted and scanned 5 times, but ending the explorer.exe process did the trick for everything, including the maxifiles, atmdt, and the winlogon hook thing.

    Thanks a bunch
    John
     
  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

