Winlogonhook or a weird Bandwidth-hog

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by amparsi, Aug 18, 2006.

  1. amparsi

    amparsi Private E-2

    Hey Guys,

    I have a feeling That I have some malware but nothing seems to get rid of it. Your guidance is appreciated.

    Thanks
     

    Attached Files:

    Last edited by a moderator: Aug 18, 2006
  2. matt.chugg

    matt.chugg MajorGeek

    Welcome to MajorGeeks

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. amparsi

    amparsi Private E-2

    Hey Matt.Chugg,

    So I followed the instructions........Here are the logs.

    Thanks,

    p.s. Windows defender didn't find anything and neither does ewido.
     

    Attached Files:

  4. amparsi

    amparsi Private E-2

    Hey Matt,

    Here are the other two logs.

    Sincerely,

    amparsi

    p.s. The only way I can explain what's happening is that my computer's networking signal / internet connection looks like it is constantly sending something, and I can't even enable Windows Firewall. When I try to send an e-mail the receive starts to work, but as soon as OExpress tries to send it gets an error that my ISP is blocking it and to call them. When I call they say the reset is at midnight, but that something is sending out spam from my computer.

    Sorry dude but I'm new to this....Thanks for the help.
     

    Attached Files:

  5. matt.chugg

    matt.chugg MajorGeek

    Please post a fresh Hijack This log now you have run the steps in the procedure.
     
  6. amparsi

    amparsi Private E-2

    Here it is.
     

    Attached Files:

  7. matt.chugg

    matt.chugg MajorGeek

    Did you run that HJT scan from normal mode ? It looks like it has come from safe mode to me or that you have edited it.

    Please reboot to Normal Mode and post a full HJT log.
     
  8. amparsi

    amparsi Private E-2

    Hey Matt,

    Here is the HT scan in Normal boot. I disabled Sys. Restore then immediately re-enabled system restore. My internet connection is on but it's not sending info to who knows where anymore so that's been solved for now. I will have to wait until midnight EST to see if my isp is still blocking my outgoing e-mail due to spam.

    Thanks again
     

    Attached Files:

  9. matt.chugg

    matt.chugg MajorGeek

    You shouldn't have done anything to system restore yet.

    Now you have no old restore point and only have the one you have just made, which is infected with whatever you are infected with. DON'T do anything else with system restore now, an infected restore point is better than nothing at the moment.

    The installed version of Java on this computer is out-dated.
    Install Java Runtime Environment (JRE) 5.0 Update 8 available from http://java.sun.com/javase/downloads/index.jsp.
    Uninstall all older versions of Java on your computer, before installing the latest version of Java.

    Your HJT log still looks pretty slim and contains no malware. You seem to have edited your startup entries with MSConfig; rerun it and enable everything you disabled, reboot and post a FULL HJT log.

    I am having trouble understanding why you would disable ZoneAlarm... As a consequence you are running unprotected from the outside world. A properly configured firewall would probably have prevented you having the issues you are having now.
     
    Last edited: Aug 21, 2006
  10. amparsi

    amparsi Private E-2

    Matt,

    Quick question.......I have Norton Systemworks 2006, Norton Internet Security 2005, ZoneAlarm Pro, Trend Micro PC-cillin Int. Sec. 2006 and Webroot Spy Sweeper, but I uninstalled all of them except ewido premium and AVG Free antivirus. Should I just leave things until after midnight to see if my spam problem is solved with my ISP, or install some or all of these programs?

    Thanks in advance for your reply.

    amparsi
     
  11. matt.chugg

    matt.chugg MajorGeek

    READ MY PREVIOUS POST

    Re-enable ZA NOW. Delete all your preset program rules, then only allow programs you know and trust to connect to the internet, such as Internet Explorer and Firefox.

    This will prevent anything on your computer accessing the internet and should stop anything that is sending spam until we can find the source of the problem.

    DO NOT ALLOW OUTLOOK OR OUTLOOK EXPRESS TO ACCESS THE INTERNET as something could be using this to send the spam. To check your mail use your ISPs webmail facility.

    Once we have found the problem we can re-enable it later.
     
    Last edited: Aug 21, 2006
  12. amparsi

    amparsi Private E-2

    Hey Matt,

    How about I start over again.....I installed ZoneAlarm and only gave it permission for the programs that I know of. If you think I should follow the steps again and make sure I don't disable / enable System Restore, then I will start from scratch.

    Thanks,

    p.s. I don't know what to make of this but.....When I gave permission to Firefox and IE to access the net I noticed that the programs running in the ZoneAlarm program control are Firefox, IE, AVG AntiVirus and ewido. What is strange is that there are 2 instances of Generic Host Process for Win32 Services running, but in the program tree of all the names of programs and their trusted or server permission area the Win32 Services is only listed once. Does this explain anything?
     
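    The two symptoms in this thread, a box that "is constantly sending something" until the ISP blocks outbound mail, and an extra svchost.exe instance, can both be checked from the command line before touching any firewall rule. The script below is an added example, not from the original thread or from any tool named in it: it correlates the output of `netstat -ano` (which process owns each connection) with `tasklist /svc` (which services each svchost.exe hosts), lists processes holding TCP connections to mail ports, and flags any svchost.exe that hosts no service at all. Both captures embedded here are constructed sample data, not from amparsi's PC; run it against real captures with `python smtpcheck.py netstat.txt tasklist.txt`.

```python
"""
Correlate `netstat -ano` with `tasklist /svc` to find (a) which process is
opening outbound SMTP connections and (b) svchost.exe instances that host no
service.  Added example; the two samples below are constructed, not real data.
"""
import re
import sys
from collections import defaultdict

# Constructed sample of `netstat -ano` (TCP rows have a State column, UDP rows do not).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1034       203.0.113.7:25         SYN_SENT        1788
  TCP    192.168.1.5:1035       203.0.113.22:25        ESTABLISHED     1788
  TCP    192.168.1.5:1036       198.51.100.9:25        SYN_SENT        1788
  TCP    192.168.1.5:1040       198.51.100.80:80       ESTABLISHED     1204
  TCP    192.168.1.5:1041       198.51.100.80:443      ESTABLISHED     1204
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed sample of `tasklist /svc`; PID 1788 is a hypothetical svchost.exe hosting nothing.
TASKLIST_SAMPLE = """
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
svchost.exe                    944 RpcSs
svchost.exe                   1044 AudioSrv, BITS, Browser, Dhcp, EventSystem
svchost.exe                   1788 N/A
firefox.exe                   1204 N/A
"""

SMTP_PORTS = {25, 465, 587}  # SMTP plus the two submission ports


def _split_host_port(addr):
    """'203.0.113.7:25' -> ('203.0.113.7', 25); '*:*' -> ('*', None)."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn `netstat -ano` rows into dicts keyed by the fields netstat prints."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] == "TCP" and len(parts) == 5:
            proto, local, foreign, state, pid = parts
        elif parts and parts[0] == "UDP" and len(parts) == 4:
            proto, local, foreign, pid = parts
            state = ""
        else:
            continue  # banner, header, or a row shape we do not understand
        rhost, rport = _split_host_port(foreign)
        conns.append({"proto": proto, "local": local, "remote_host": rhost,
                      "remote_port": rport, "state": state, "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Turn `tasklist /svc` into {pid: (image name, [service names])}."""
    procs, last_pid = {}, None
    row = re.compile(r"^(\S.*?)\s+(\d+)\s+(.+)$")
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        m = row.match(line)
        if m:
            image, pid, svcs = m.group(1), int(m.group(2)), m.group(3).strip()
            services = [] if svcs == "N/A" else [s.strip() for s in svcs.split(",") if s.strip()]
            procs[pid] = (image, services)
            last_pid = pid
        elif last_pid is not None and line.startswith(" "):
            # tasklist wraps long service lists onto indented continuation lines
            procs[last_pid][1].extend(s.strip() for s in line.split(",") if s.strip())
    return procs


def find_smtp_senders(conns, procs):
    """Group TCP connections to mail ports by the PID that owns them."""
    senders = defaultdict(lambda: {"image": "?", "services": [], "remotes": []})
    for c in conns:
        if c["proto"] == "TCP" and c["remote_port"] in SMTP_PORTS:
            image, services = procs.get(c["pid"], ("<not in tasklist>", []))
            entry = senders[c["pid"]]
            entry["image"], entry["services"] = image, services
            entry["remotes"].append((c["remote_host"], c["remote_port"], c["state"]))
    return dict(senders)


def svchost_without_services(procs):
    """svchost.exe exists only to host services; an instance hosting none deserves a look."""
    return sorted(pid for pid, (image, services) in procs.items()
                  if image.lower() == "svchost.exe" and not services)


def report(netstat_text, tasklist_text):
    conns, procs = parse_netstat(netstat_text), parse_tasklist(tasklist_text)
    senders = find_smtp_senders(conns, procs)
    for pid, info in senders.items():
        print(f"PID {pid} ({info['image']}, services={info['services'] or 'none'}) "
              f"holds {len(info['remotes'])} connection(s) to mail ports:")
        for host, port, state in info["remotes"]:
            print(f"    -> {host}:{port} {state}")
    for pid in svchost_without_services(procs):
        print(f"svchost.exe PID {pid} hosts no service; check its image path and parent")
    return senders


if __name__ == "__main__":
    if len(sys.argv) == 3:
        report(open(sys.argv[1]).read(), open(sys.argv[2]).read())
    else:
        report(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
```

    A legitimate mail client holds one connection to the ISP's relay; a process fanning out SYN_SENT connections to many unrelated hosts on port 25 is the pattern an ISP's spam filter trips on. A hit on the svchost check only says the name is being used by something that hosts no service; confirm by comparing that PID's image path with the real `%SystemRoot%\system32\svchost.exe` before blocking or deleting anything.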
  13. matt.chugg

    matt.chugg MajorGeek

    Sorry for the delayed response, I have been a little busy

    There is no point changing anything with your System Restore now. Let's just make sure it's enabled, as an infected restore point is better than none at all.

    Not really...

    OK now that you have ZA installed properly we should be blocking anything from outgoing, if you don't know what a program is or are unsure about it then block it and ask me here, we can always unblock it later.

    Can you please give me a list of all programs you have allowed for access to the internet.

    Please run MSConfig and make sure the radio button for 'Normal Startup - load all device drivers and services' is selected and apply and reboot

    Now we have changed msconfig to how it needs to be, please post a fresh HJT log, newfiles and shownew log.
     
  14. amparsi

    amparsi Private E-2

    Hello Matt.chugg,

    Thanks for all the help. I got tired of this trojan reappearing so I formatted my HD......I had to reformat anyways....Someone once said it's a good idea to back up weekly and format once every couple of years. Thanks for your guidance.

    amparsi
     
  15. matt.chugg

    matt.chugg MajorGeek

