Winlogonhook And Respawning

Discussion in 'Malware Help (A Specialist Will Reply)' started by The Nameless One, Feb 25, 2006.

  1. The Nameless One

    The Nameless One Private E-2

    First, your site has helped me to remove part of the malware my computer is infected with. :)
    But it's not over yet...I'll describe it now:

    - If I open IE, after a while a window pops up, disappears after a few fractions of seconds, and after a minute I get a message "Dialer (title of the window) Unable to connect. The program will be closed". The worst part is that once I open IE, this keeps happening about every 30 seconds. Even if I close it.

    - My Temp folder is filled with files all the time. They have names like "win[insert number].tmp", and these run as processes. I needed Procexp to find out though, as Task Manager doesn't detect more than 2-3 of them. They once got up to more than 1200. They are created as I open any window, program or not.

    - After opening IE, new programs with a grey and blue Earth icon pop out of nowhere in my Temp folder. I think they're the dialers. Needless to say, deleting them is useless as they keep respawning.

    - SpySweeper detects a certain "trojan agent winlogonhook", deletes it, but as I reboot Windows and use SpySweeper again, that trojan is still detected. I have also disabled system restore points, so I don't know what's going on.

    Help would be immensely appreciated.
     
  2. The Nameless One

    The Nameless One Private E-2

    Sorry for the double post but I don't know where the Edit button has gone in the above post.
    I have Windows XP Home, Pentium 4 3.2 GHz and 1024MB RAM. One more thing, Zone Alarm lists those dialers as "Universa Applications".
     
  3. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Welcome to MajorGeeks.com, please follow the steps below:

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    - Make sure you check version numbers and get all updates.
    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

    When you return to make your next post make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
     
  4. The Nameless One

    The Nameless One Private E-2

    Just wanted to see if anyone already knew what it could be. I've been working on those steps, so I posted. But I overlooked that the system had to be in safe mode! Oh well, I'll let you know. Thanks.
     
  5. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    That's OK, post the logs and results from the Read Me, when you have finished.
     
  6. The Nameless One

    The Nameless One Private E-2

    I've scanned the system in safe mode with Spybot (that detected "Windows Security Center.FirewallDisableNotify"), SpySweeper (that detected the trojan I mentioned before + "5 traces") and Windows Defender. It has all been useless, as those win1, 2, 3... are still up and running. I'll try HijackThis later.
     
  7. The Nameless One

    The Nameless One Private E-2

    Here's what HijackThis had to say. So, what can it be?

    Btw, why does the edit button go away after some minutes?
     


  8. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please follow the directions I gave; you have skipped several steps. HijackThis is being run from the ZIP file. Both the BitDefender and Panda ActiveScan online scans have not been run.

    Uninstall Messenger Plus! 3, this is an undesirable program.

    Install HijackThis to the proper folder as per the tutorial.

    Do Not skip any steps.
     
  9. The Nameless One

    The Nameless One Private E-2

    Well, for the online scans I have to use IE, which I don't use because I prefer Opera and because those stupid dialers would pop up if I do. Will the scans still be effective even if those things are running?
    Btw, now HJT is in its place.
     
  10. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Run them in Safe Mode with Networking Support.
     
  11. The Nameless One

    The Nameless One Private E-2

    I am now in safe mode, scanning, and they appear the same. :\
     
  12. The Nameless One

    The Nameless One Private E-2

    BitDefender detected a trojan:

    C:\Windows\system32\winhoo32.dll

    It can't be deleted because it's always running and, since it's a DLL, I can't kill it with procexp. How do I delete it?
     
  13. The Nameless One

    The Nameless One Private E-2

    I've tried Panda but after it's done it says I have to be connected to continue, even if I'm already online. I tried to refresh the connection, but it wouldn't work. It detected 6 spyware items and 16 dialers (maybe I've deleted these ones). But nothing changed. What do I do now?

    Here's a HJT log:
     


  14. The Nameless One

    The Nameless One Private E-2

    One more thing: CoolWebSearch keeps coming back. I'm tired of this...
     
  15. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    In HJT Choose Open the Misc Tools Section choose Process Manager, Highlight:
    Choose Kill Process

    Now scan and have HJT Fix the following:
    Download
    - Pocket Killbox
    - ExplorerXP

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click the RED X.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note that many of the files listed below may not exist, but we need to check for them anyway.
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Run about:Buster twice and attach the log later.

    Now run CCleaner. If you have Windows XP delete the contents of C:\WINDOWS\Prefetch.

    Then, as an added precaution, go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Attach the about:Buster log and a fresh HijackThis log.
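    Added example, not from this thread and not part of Killbox, HijackThis or any other tool named here: a PowerShell snippet that lists the Winlogon Notify packages (the registry location from which a logon-hook DLL like the one BitDefender flagged gets loaded into winlogon.exe, which is why it cannot be killed or deleted while Windows is running) and queues a locked file for deletion at the next boot via MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, the same Windows mechanism behind Killbox's "Delete on Reboot". The function name Add-PendingDelete is mine; the path in the commented call is the one reported in this thread, and the snippet must run from an elevated prompt.

```powershell
# Added example (not from the thread). Run as Administrator.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

# 1. Enumerate Winlogon Notify packages. Each subkey's DLLName is loaded into winlogon.exe at
#    logon, so an unsigned or missing DLL here is the first thing to inspect on a box that
#    keeps respawning files after every reboot.
function Get-WinlogonNotifyDll {
    Get-ChildItem $notifyKey -ErrorAction SilentlyContinue | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        if (-not $dll) { return }
        # Bare names are resolved from System32, the same way the loader does it.
        $path = if ([IO.Path]::IsPathRooted($dll)) { $dll } else { Join-Path "$env:SystemRoot\System32" $dll }
        $sig  = if (Test-Path $path) { (Get-AuthenticodeSignature $path).Status } else { 'FileMissing' }
        [pscustomobject]@{ Package = $_.PSChildName; DLL = $path; Signature = $sig }
    }
}

# 2. Schedule a file that is in use for deletion at the next reboot. The session manager
#    processes these pending operations before winlogon.exe loads its Notify DLLs, so the
#    file is gone before anything can lock it again. A NULL destination means "delete".
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Add-PendingDelete {
    param([Parameter(Mandatory)][string]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    if (-not (Test-Path $Path)) { throw "Not found: $Path" }
    $ok = [Win32.Native]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)
    if (-not $ok) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for $Path (Win32 error $err)"
    }
    "Queued for deletion at next reboot: $Path"
}

Get-WinlogonNotifyDll | Format-Table -AutoSize
# Add-PendingDelete 'C:\Windows\system32\winhoo32.dll'   # the DLL BitDefender flagged in this thread
```

    After queuing a file this way, remove the Notify subkey that references it before rebooting, otherwise winlogon will log a failed load but the entry will remain as a re-infection hook.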
     
  16. The Nameless One

    The Nameless One Private E-2

    Oh yessssss!!! It worked! No more temp files or popups with IE! Thanks a lot!
    Here's the A:B log, I'll post a new HJT log later.

    Thanks again!
     


  17. The Nameless One

    The Nameless One Private E-2

    One thing, I still got that Firewall Disable thing and CoolWinRes or something like that in a spybot scan.
     
  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Please post a fresh HijackThis log and the Spybot log.
     
