winlogonhook - the malware that keeps giving and giving

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by MistressRene, Jul 31, 2006.

  1. MistressRene

    MistressRene Private First Class

    Hi all.
    I am in battle with winlogonhook. I have gone through steps for removal, and nothing is touching it. I will post all of my logs. There are 9 in total, (I just combined them into 3, if you need them all separate I can do that too) as every time I finished with a scan I ran HJT.
    I have some comments that maybe someone can address for me please.
    1 - In msconfig the PCPitstop Optimize Registration Reminder ALWAYS checks itself off to run at startup, even though I do not have this on my machine, and it's been removed a dozen or so times in the registry!

    2 - Right after running spysweeper, as I start to save the log, a doslike window pops up for about 1 second, like it does sometimes when new software is being installed!

    3 - In C:\Windows\Temp I deleted all the .tmp files.
    There are also 11 remaining files.
    I renamed what is left to .OLD
    ASHeuristic.OLD - folder
    CTZAPXX.OLD - folder

    mpasbase.vdm.OLD
    mpasdlta.vdm.OLD
    MpCmdRun.log.OLD
    MpEngine.dll.OLD
    MpSigStub.log.OLD
    Perflib_Perfdata_2c44.dat.OLD
    removalfile.bat.OLD
    WGAErrLog.txt.OLD
    WGANotify.settings.OLD

    If there is any other scan that needs to be run, please let me know. I will do it tomorrow, oops it is tomorrow, well when I wake up!
    Thank you all in advance! 2:10am Night night ... zzzzzzzzz
     

    Attached Files:

  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Rename hijackthis.exe to xyz.exe. Post a fresh HijackThis log.
     
  3. MistressRene

    MistressRene Private First Class

    A simple problem turns into the worst nightmare possible! HELP!

    My problem started out simply, then I accidentally let the oceans open and the flood took me over.
    I did the most stupid thing anyone could do. I started out with that winlogon trojan (I did make a post for help but no answer), then coming out of safe mode, I ran spysweeper, but I had disabled all the virus scans and blocker, then did my HJT and proceeded to go online to repost... GET THIS IMAGE? ACK! and then 'they' came rushing in... that was yesterday. I have gotten the machine back to having a 'silent roar' where I can actually open Firefox, not IE 'cause I still have some nasties to be removed, and a securityscan URL that keeps taking over my IE.
    That is why I am here. I have all the logs starting from this morning, what programs I have used, and I need to know what to do next please. I will post some of the logs combined, as there are only 3 places for attached files.
    I also downloaded from your site the SpyQuake remover, as I DID have it, but it seems that one of the scans already removed it. I did look for the files that were associated, as per web instructions, and I didn't see anything left over. I also used the !SysProtect Remover-WinAntiVirus_WinFixer.exe and it removed files. VirtumundoBeGone.exe and VundoFix.exe. The VirtumundoBeGone found and removed files.
    When you look at the HJT, there is something that I have tried and tried to remove with NO success. That is this entry: O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files2\PCPitstop\Optimize\Reminder.exe

    Thank you all VERY much! For your help!
     

    Attached Files:

  4. MistressRene

    MistressRene Private First Class

    Error on avenger script

    I ran the Avenger script and it only rebooted 1 time and gave an error.
    See attached please.
    So I will wait for further instructions.
    Thank you!
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: Error on avenger script

    You still need to rename HijackThis.exe as SPD requested. This is very important and then you need to attach a new HJT log so that your problems can be addressed.

    Also please remain in one thread. I merged you back to your original thread.
     
  6. MistressRene

    MistressRene Private First Class

    New log for the new problems

    The reason for the separate post was that it is a totally different problem.

    Here it is, newly posted and renamed.
     

    Attached Files:

  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    The BitDefender log you posted is the Scan Summary, I need the scan log. Also post a log from Panda ActiveScan.

    Yes, there are some issues in your HijackThis log that need to be addressed. I will post a fix after I see what is in the other logs I requested.
     
  8. MistressRene

    MistressRene Private First Class

    got it!
    I have been on since 7:30 am. I have a herniated disk in my back and I have to lay down.
    I will be back in the morning 1st thing. Thank you thank you thank you!
     
  9. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    It may take a while before I answer, especially if you post in the morning. I won't be online till the evening.
     
  10. MistressRene

    MistressRene Private First Class

    I will try. I just uninstalled NSW and fixin to install the Panda..
    I guess I will BBL.
    I don't need sleep, I need my machine!!!!!!!!!!! <eg>
    laterzzzz
     
  11. MistressRene

    MistressRene Private First Class

    I just tried to install Panda, I spoke too quickly. I did uninstall my System Works, now it wants me to uninstall my firewall, and I have too much nasty stuff on my machine to be nekkid to the web again. That is how this whole 2nd round got started.
    I am going to do the BD right now.
    Sowwy that I could not comply.
    I think I had that problem last time too, if I remember correctly :(
     
  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Post the logs when you get them. If there are problems with the scans I need to know that.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: New log for the new problems

    Not based on your logs! The same problems still exist as in the first one!

    I'm not sure how you are saving and then attaching your logs, but you need to save them as normal text files. All the excess stuff in them (like \par and {\rtf1\ansi\deff0{\fonttbl{\f0\fnil\fcharset0 Courier New;}}) makes them too hard to read. Do not use any special editors. Only use Notepad. In fact do not edit them or open them in any editor. Just save them and then attach them.
     
    Last edited: Aug 2, 2006
  14. MistressRene

    MistressRene Private First Class

    Re: New log for the new problems

    well guys,
    I am up sh** creek without a paddle. My Norton System Works was partially beaten up during this attack, and as I said, I couldn't install Panda, so I tried to reinstall my Nortons..
    well.. I installed the whole package including go-back. Friggen go-back made my C drive totally disappear!!! :(
    so, any virus is gonzo by the wayside, along with all the stuff I was working on :(
    I called Symantec and they said this happens sometimes. I said if it happens WHY DON'T YOU SAY SO ON YOUR DISK??? damn them!
    Can you tell I am ticked off? So I am off to the computer repair guy. Thanks for the help that you did offer!
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: New log for the new problems

    Sorry to hear that! Sounds like it is time to find a different set of tools other than NSW!
     
  16. MistressRene

    MistressRene Private First Class

    Re: New log for the new problems

    what do you guys recommend? I will NEVER use them again! They didn't even find but 1 of the virus/malwares that I had :(
    Really stinks!
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Re: New log for the new problems

    Our recommendations are in the below, but it mainly focuses on free applications (although a few pay items are there too):


    How to Protect yourself from malware!


    If you don't mind paying, check out the below:

    NOD32 Antivirus System

    Was Symantec also your firewall and antispyware application? If so, make sure you get a firewall re-installed and get a good realtime antispyware blocker too. Spy Sweeper (not free) is one of the best! It is mentioned in the How to protect thread.
     
  18. MistressRene

    MistressRene Private First Class

  19. MistressRene

    MistressRene Private First Class

    I have McAfee firewall pay version, and Spy Sweeper paid version.
    No I don't mind paying for software, if I know it is going to do what it is supposed to do!
    I will check out the NOD32 Antivirus System. My tech guy uses something, also that I have never heard of. When I pick up my machine tomorrow, I will let you know.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Are you sure it is only the firewall? Be careful running things from Symantec and Network Associates (McAfee) on the same PC.
     
  21. MistressRene

    MistressRene Private First Class

    OK I am back on my feet, and everything Nortons/Symantec is gone!
    I ran a new HJT and I think I still have some things hanging around, and would like to know my next best approach.
    I do have a new virus scanner, avast! And I need to reinstall my McAfee Firewall, as my tech uninstalled it.

    Is it advisable to have in the taskbar the spysweeper (pd version) and spysubtract/flytrap enabled, or only 1, and is it ok to use them both as they do different things?
    Thanks again all!
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have signs of other malware! It may or may not be inactive. You really need to run the READ & RUN ME as is always required. In addition, the READ ME has changed. There are new steps, new logs, and also YOU MUST rename HijackThis.exe or certain infections will not even show themselves.
     
  23. MistressRene

    MistressRene Private First Class

    I'm on it!
    Thank you. I will run overnight and post in the AM. :)
    I have a very important question!
    I disabled my system restore last week when this whole thing was in its infancy. Should I restore, and run scans at this point, or just leave it?
    TY!
     
    Last edited: Aug 3, 2006
  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You shouldn't have turned off System Restore at the start. An infected Restore Point is better than no Restore Point. Turn System Restore back on.
     
  25. MistressRene

    MistressRene Private First Class

    There it is!
    Read the other 1st LOL!!!
    btw; I had turned it off because one of the programs that I used suggested that :(
    live and learn. I am off to see a cleaning wizard!
     
  26. MistressRene

    MistressRene Private First Class

    ACK!
    I have now run bitdefender twice, as it again, has stalled out! :(
    The 1st time it sat and sat and sat, I finally said F-it, and restarted it again in safe mode and reran CCleaner, then I reran BitDefender. It now has been running for OVER 10 1/2 hours. I checked it at 6am and it had 21 minutes to go, now it has 25 minutes to go and has not moved as far as scanning anything. BUT, the good news is that it found 26 infected files, and actually removed 26. :)
    I will let it run, until I hear from someone telling me if it is ok to continue without a log, to pandascan.
    Time now is 7:47am
     
  27. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    If BitDefender doesn't finish soon, give me the log of what it found up to that point.
     
  28. MistressRene

    MistressRene Private First Class

    Hi Hi!
    There was no log capability with BitDefender, as it never finished. The save log feature was blacked out. What I did was d/l the desktop version, and I am scanning where I KNOW there are remaining virii. My email client :(
    The ones where Nortons is supposed to remove the traces (ha ha ha). GARBAGE!
    I have a partial scan or should I say, part 1. I scanned my stationary drives where the online scanner missed, and now I am scanning my portable again. I will combine the 2, they are not very long, and I will post a new HJT file. I have renamed the HJT to analyse.
    It is 11:45am, I will prolly be done in about 1 hour or so. Thanks Shadow_Puter_Dude!!! I appreciate your quick response! Back soon. ;)
    Finally smiling!
     
  29. MistressRene

    MistressRene Private First Class

    Ahhh that was a bit faster than I said :)
    Here are the logs. The runkeys.txt, and newfiles.txt were from last night before scanning. The bdscan is from their desktop proggy, after having the online stall twice. The HJT will be in a 2nd post, and again, thank you!
     

    Attached Files:

  30. MistressRene

    MistressRene Private First Class

    part 2 HJT log
     

    Attached Files:

  31. MistressRene

    MistressRene Private First Class

    Since I have had problems with the online pandascan before, and also, since I have thousands of pictures and movies on my machine, I would like to know if I can download the desktop version of pandascan. That way I can tell the proggy NOT to scan the following files:
    .jpg,.jpeg,.gif,.bmp,.png,.htm,.html,.shtml,.wav,.8bf,.mpg,.mpeg,.avi,.wmv,.asf,.chk,.txt,
    .dir0021,.PspFrame,.pfr,.cpi,.pa,.ico,.mrb,.mgr,.tgm

    thanks!
     
  32. MistressRene

    MistressRene Private First Class

    I ran XoftSpy scan while I was waiting and it found the SmitFraud. I had run the fix earlier in this process and it didn't find anything. I also looked for the files and found none of them.
    I have attached the XoftSpy log and a new HJT log.
    TY
     

    Attached Files:

  33. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    No, it will conflict with your installed AV software.

    I'm looking at your logs now. Give me several minutes to analyze them.
     
  34. MistressRene

    MistressRene Private First Class

    OK, I'm here. Thank you!
     
  35. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  36. MistressRene

    MistressRene Private First Class

    OK got it, TY!
    Be back soon again LOL
     
  37. MistressRene

    MistressRene Private First Class

    I have returned. Not 1 file that had to be hand searched for, was found. :)
    My homepage also changed, I guess back to default?
    "IE Search Bar changing to http://search.msn.com/spbasic.htm"

    Attached are the smitfiles.txt, VundoFix.txt, and a new HJT_3 log.

    I have to reset my fonts and display as I can hardly see it. That's what happens when you get old LOL!
     

    Attached Files:

  38. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Reboot

    Post a fresh log from GetRunKeys and HijackThis
     
  39. MistressRene

    MistressRene Private First Class

    Here are the 2 logs.
    SpySubtract is still picking this up:
    Company Spyware_TRAK_PWStealer is in the registry, Path Software\RIT\TheBat! I have emailed the software producer already asking for advice.

    IF everything is clear, I am going to need a REAL virus scanner/blocker and spyware blocker. What do you all recommend? I will purchase it!

    Also, what is a good backup program. I used to use ghost, is it still any good?
     

    Attached Files:

  40. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, we're almost done.

    Download
    - Pocket Killbox
    - ExplorerXP

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop. DO NOT run it at this time, we will do that later in Safe Mode.
    Close Notepad.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files

    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Open ExplorerXP, navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post fresh logs from GetRunKeys and HijackThis.
     
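    The steps above rely on two registry locations: the Run keys behind HJT's O4 lines (the PCPitstop entry that kept coming back earlier in the thread lives in one) and the PendingFileRenameOperations value that Killbox's "Delete on Reboot" queues into. This is an added, read-only PowerShell check written for this thread, not a tool from the post or from MajorGeeks; it lists autostart entries whose target file no longer exists and shows what is queued for deletion at next reboot.

    ```powershell
    # Added example (not from the thread): audit autostart entries and the
    # delete-on-reboot queue. Read-only; nothing is changed in the registry.

    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    function Get-AutostartEntries {
        # One object per Run/RunOnce value: where it is, what it launches,
        # and whether the launched executable is actually present on disk.
        foreach ($key in $runKeys) {
            if (-not (Test-Path $key)) { continue }
            $item = Get-Item $key
            foreach ($name in $item.GetValueNames()) {
                $cmd = [string]$item.GetValue($name)
                # Executable is either the quoted first token or the first
                # space-separated token; REG_EXPAND_SZ is already expanded.
                $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
                # Bare names like rundll32.exe are reported as not found; check those by hand.
                $exists = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
                [pscustomobject]@{
                    Key     = $key
                    Name    = $name
                    Command = $cmd
                    Exists  = $exists
                }
            }
        }
    }

    function Get-PendingFileRenames {
        # Session Manager\PendingFileRenameOperations is a REG_MULTI_SZ of
        # source/destination pairs processed at boot; an empty destination
        # means "delete", which is how delete-on-reboot tools work.
        $smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
        $val = (Get-ItemProperty -Path $smKey -ErrorAction SilentlyContinue).PendingFileRenameOperations
        if (-not $val) { return @() }
        for ($i = 0; $i -lt $val.Count; $i += 2) {
            $dst = if ($i + 1 -lt $val.Count) { $val[$i + 1] } else { '' }
            [pscustomobject]@{
                Source      = $val[$i] -replace '^\\\?\?\\', ''
                Destination = if ($dst) { $dst -replace '^\\\?\?\\', '' } else { '<delete>' }
            }
        }
    }

    "Autostart entries whose target file is missing:"
    Get-AutostartEntries | Where-Object { -not $_.Exists } | Format-Table -AutoSize

    "Files queued for rename/delete at next reboot:"
    Get-PendingFileRenames | Format-Table -AutoSize
    ```

    An autostart entry whose file is gone but whose value keeps returning points at something else re-creating it, which is why the helpers above insist on fresh logs after every reboot.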
  41. MistressRene

    MistressRene Private First Class

    OK. Here are the 2 logs.
    I WAS NOT able to use the ExplorerXP. Every time I clicked on a directory, it crashed, so I deleted whatever I found in safe mode. Here is the crash:
    Event Type: Error
    Event Source: Application Error
    Event Category: None
    Event ID: 1000
    Date: 8/6/2006
    Time: 8:20:40 AM
    User: N/A
    Computer: THEBEAST
    Description:
    Faulting application explorerxp.exe, version 1.0.53.381, faulting module explorerxp.exe, version 1.0.53.381, fault address 0x0001a617.

    =============
    =============
    I have a question about my HJT log, entry O23 next to last from the bottom, is that an OK entry? Other than that question, everything else went well!
    Thanks!
     

    Attached Files:

  42. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your logs are clean.

    When HijackThis says file missing, it's usually not missing. Especially on the O23 lines.

    You still have a couple processes from BitDefender. Did you uninstall everything from BitDefender?
     
  43. MistressRene

    MistressRene Private First Class

    Hi,

    I have a few questions before I break communications.
    In the runkeys log, there is a line that comes from the registry:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/YazzleActiveX.ocx]
    Is Yazzle an OK program?? I thought it was spyware?!

    In a previous post I wrote "SpySubtract is still picking this up:
    Company Spyware_TRAK_PWStealer is in the registry, Path Software\RIT\TheBat! I have emailed the software producer already asking for advice."
    Should I place that on my whitelist?

    BitDefender is still installed. I was thinking of possibly purchasing it, and dumping the free scan I have. I was really impressed with what it found. It was way far superior to almost every other proggy I have run.
    If that is not recommended as the virus scanner of choice, what do you guys recommend?
    Lastly, LOL ...
    What software is recommended for hard drive backups?

    Now that I am clean, I want to tell you how grateful I am to you for really going out on a limb and taking the time to do what you do. It is a wonderful service. I don't know if you all volunteer for this, or get paid, it is really none of our business, but if you don't get paid, I think you should! You get paid in thank-you's BIG time from me!

    thankyouthankyouthankyou!
    Mistress Rene®
     
  44. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Yazzle can be removed, it is considered Spyware by some.

    SpySubtract isn't that good a program. The free ones we have you run are better. Can you post the SpySubtract log so I can see exactly what it is reporting?

    There are better AV packages than BitDefender, but if you're happy keep it. If you want a commercial solution then NOD32, Kaspersky or AVG Professional would be the route to go.

    Firewall, if you are looking for one, Zone Alarm

    For backup software Acronis True Image.

    Flush all your restore points and create a new clean one for your system.

    Disable And Enable System Restore
    How to Protect yourself from malware!

    Safe surfing.
     
  45. MistressRene

    MistressRene Private First Class

    I just remembered something... did you see, in one of my past posts that the
    ExplorerXP setup crashed every time I used it! I don't know if that makes any difference in the process or not....

    OMG this log is way too big... I am cutting it. In between most of the lines in this log are:
    [SSENGINE] [1236] CFileSystem::Enumerate - EXIT
    [SSENGINE] [1236] CFileSystem::Enumerate - ENTRY

    I have deleted them.

    This is what the 'for more info' says about The Bat! error. I was reading on the net that a few a/v and spyware proggies are giving false positives about this, so I need to hear it from the developers for a definitive answer:
    Details
    Name n/a
    Database ID 136440
    Location
    Detected In Windows Registry

    Path Software\RIT\The Bat!
    Description Privacy threats can create entries in your registry, so that they can store such things as configuration and personal information.

    Threat
    Threat Trackware
    Description Trackware is a generic term that describes software that collects a computers demographic and usage information and sends it to some remote server via the Internet, where it can be used by other people in a variety of different ways including marketing.

    Produced By
    Company Spyware_TRAK_PWStealer
    ==
    ==
    I am off to sleep!
    zzzzzzzzzzzzzzz
     

    Attached Files:

  46. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Is The Bat! your email client?
     
  47. MistressRene

    MistressRene Private First Class

    Yes it is!

    I am deleting all of the programs that I am not going to be using, and I think I have decided to go with the AVG Pro for virus scanning. I have used them before and I was very impressed with them. (that was about 4 years ago) I am going to try the Zone Alarm Pro, and I am going to keep my anti-spamware programs.
    That sounds as good as double bagging!!! LOL!
     
    Last edited: Aug 7, 2006
  48. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  49. MistressRene

    MistressRene Private First Class

    Well I am a few days out, and NO MORE BUGZ! :)

    I emailed The Bat!'s developers, and I actually got yelled at for using software that reports false positives :(
    So I emailed him back, and told him that I'd rather have a false positive, and email YOU, and be told it is a false reading. It's a heck of a lot better than having my damn machine taken over by malware or virii just because nobody cares!
    UNREAL!!
    Hey Shadow_Puter_Dude, hehe did I say thank you?
    THANK YOU! thank you!! thankyou!!!
     
  50. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You're welcome. Personally I would do business with a company whose customer support is lacking. False positives are a fact of life, and the developers of The Bat! should be working with the anti-spyware vendor to correct this issue.
     
