Request for help ridding my system of malware (winlogonhook)

Hello, like everyone else here I'd really apprieciate some help in cleaning up my system

The system details are:
Processor: Intell Pentium M 1.86GHz
Ram : 1GHz
Operating System: Windows XP SP2 (Should be bang up to date with MS updates)
Virus/Online Security: Norton Internet Security 2006 (again everything is up to date)
Access to internet is broadband, through a router.

The problems:
When booting up the explorer.exe process consumes nearly 100% of the cpu all the time. I discovered that by booting with the network cable unplugged, and then plugging it in afterwards this doesn't happen. (The processes can also be killed in task manager, network cable unplugged and then explorer.exe restarted to get around the problem.) When I boot up without the cable plugged in I always get a standard Windows error box saying that a service can't start without connecting to the internet: I just kill the message box withough clicking any of the buttons.

I've done a bit of a trawl with many of the recommended malware detection programmes and between them they say I have the following problems.

Spy Sweeper found: Trojan Agent Winlogonhook and trojan_downloader-2pursuit

Spyware Doctor found: Trojan.Downloader.Samll.CQB, Ikitek Key Logger, Trojan.Downloader.Small.CML and Purity Scan.

Both programmes offer to remove the offending items if I pay for a license but I'm loath to do this since I'm already paying quite a lot of money to Norton to protect my system (even though it can't see any of the above nasties) and after looking around the support forums it appears that simply paying up for more anti-malware won't necessarily get rid of the problem and I'll still have to ask for help. If paying up is what I have to do then I will, but I thought it wise to ask first.

I've been through the READ & RUN ME FIRST sticky and believe that I've followed all of its instructions to the letter, even the one about turning off system restore that chaslang says everyone forgets. If I've got a step wrong please advise and I'll be happy to repeat it. Attached are three reports that the sticky asks for.

Thanks in advance for the help. I'm really impressed by the way there are folk out there who are happy to help others. It seems quite rare now-days.

Cheers,

Graeme

 

And I can assure you that your help is really appreciated. When I first realized that my laptop was infected with something I had a look online and was pretty surprised that there were so many forums offering support. When I looked a little further and realized how hard people were working to help each other, well, I was stunned.

As you requested, I've run the GetRunKey and ShowNew batch files. The logs are attached. The attached ones are with Windows running in normal mode. I did do a run under safe mode, but when I compared the files (using fc at the command line) there were no significant differences: a couple of the time indices were different and a couple of those long registry indices were slightly different in the GetRunKey log, but that was it. If you need the safe mode files let me know and I'll post again.

One thought I did have was that, as I described in my initial post, I'm booting up the laptop with the network cable unplugged to stop the malware getting control of my system. Will this affect the logs? I could probably run the scripts with the malware running if I fiddle about in task manager and reduce the explorer.exe priority so I can use the computer with it forced to the background.

Cheers,

Graeme

 

The system seems much, much better now. I tried booting the system up with the network cable in and killing and restarting the explorer.exe process in task manager, both of which had resulted in the 100% cpu usage issue, and everything seems as it should be. Explorer.exe generally has 0% of the cpu, occasionally leaping to 2 or 3% but that's it. I did notice that the install shield icon flashed up in the system tray briefly as Windows finished booting up. I'm not sure if that's important or not.

I found the steps OK to follow. The only thing that differed slightly was that killbox never asked me to confirm deletion, just asked if I wanted to reboot now. This didn't put me off, but I guess if I'd been an anxious, computerphobic parent with my child's A-level project stored on the PC it could have freaked me out a bit.

I've attached the new logs and I'd be grateful if you'd cast your eye over them to check if you can see anything untoward. I do know quite a bit about computers but all my experience is on custom made hardware and embedded software or scientific simulations; the workings of the Windows registry and processes leave me scratching my head. Thinking along those lines, which of the forums do you think would be best for getting advice about the processes Windows starts running during boot up? As we've been looking at the processes I've noticed lots of stuff in there that I don't understand why it's present--sure I use matlab.exe a lot, but I see no reason why it or its server should permanently have a processes running.

Thanx for the help.

 

All steps in the last posting went well. I've repeated the killing and restarting explorer.exe process and turning the laptop on and off and everythjing seems to be working well. As you requested I've attached another HJT log to this message.

I notice the following two lines in the HJT log:

Do you reckon that it's safe to get HJT to delete these too: they look to be related to the BitDefender scanner I used in the RUN & READ ME FIRST steps.

Thanks for the tips on sorting out the boot up stuff. Once I've got the all clear on this malware I'll get onto that .

 

Thanx ever so much chaslang. I can't tell you how greatful I am for your help getting this sorted out.

The good news is that I do almost everything in the How to protect yourself from malware! tutorial already. I was missing the Ccleaner step, although I've got it now, and the stuff about adding passwords to all account (I don't normally bother since I'm the only user).

Thanx again.