Mischel Internet Security Forum > Malware > Adware, Browser Hijackers and other Malware
Topic: assistance support request - WINLOGONHOOK
j.d.
Newbie, Posts: 3
assistance support request - WINLOGONHOOK
« on: Nov 23rd, 2007, 4:02pm »

Hello again,
 
The WINLOGONHOOK chump thread initiator (22 nov 07) returns after following the recommended initial steps before requesting assistance.  Sorry for not doing it this way the first time.
My original thread can be deleted.
 
Here is my most recent HijackThis log. Following that are the logs from the TrojanHunter scan, the SUPERAntiSpyware scan, and the BitDefender scan.
 
I remain extremely grateful for your help and your time. --j.d.
 
////////////////////////////////////////////////////////////////////////  
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:20:43, on 23/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\USBDLM\USBDLM.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\vsnp2std.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://c:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.euro.dell.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {5fbc3291-fe8f-7759-9874-3500d9322869} - {9682239d-0053-4789-9577-f8ef1923cbf5} - C:\WINDOWS\system32\hosrfbqb.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [vptray] "C:\Program Files\NavNT\vptray.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.0\THGuard.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [2419ae4c] "rundll32.exe" "C:\WINDOWS\system32\nvmbdoli.dll",b
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
O4 - HKUS\S-1-5-21-4274332873-1382639190-2521720531-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-4274332873-1382639190-2521720531-500\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Shortcut to vptray.exe.lnk = C:\Program Files\NavNT\vptray.exe (User '?')
O4 - .DEFAULT Startup: Shortcut to vptray.exe.lnk = C:\Program Files\NavNT\vptray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Shortcut to vptray.exe.lnk = C:\Program Files\NavNT\vptray.exe (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: FirstClass® - {02011FE3-C22B-451d-9A25-BF4DBB38B8E7} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {003FADA5-8FEE-11D6-AFB7-0004768F6183} (CryptoRSA Control) - https://www.p3.postbank.nl/sesam/CAX.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/install/hpobjinstaller_gmn.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (WficaCtl Object) - https://ebrdremote.ebrd.com/citrix/wfica.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5F8A33E7-6A32-4EE0-887A-134C627CB052} (Easy Upload Tool Combo Control) - http://glasgow53.myphotoalbum.com/EasyUploadTool.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146341001218
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146341340218
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {9C196458-4145-46AF-8A77-1506878DFECA} (FirstClass® Control) - http://campus.iss.nl/ClientDownloads/fcplugin.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (a-squared Scanner) - http://ax.emsisoft.com/asquared.cab
O16 - DPF: {D68E9D4E-B2D0-467C-985E-D0D341E554D6} - http://vidr.net/preg/activex/vidrinst.cab
O16 - DPF: {D83C1BD1-DCBB-11D4-9425-0050BF33FA6E} (CycloScopeLite Control) - https://www4.denhaag.nl/lgn/plugin/CycloScopeLite/V22320/CycloScopeLite.cab
O16 - DPF: {DE591B16-A452-11D6-AED1-0001030A4E46} (PBGNX Control) - https://gto.postbank.nl/GTO/PBGNX.cab
O16 - DPF: {DEB21AD3-FDA4-42F6-B57D-EE696A675EE8} (IPSUploader Control) - http://asp01.photoprintit.de/microsite/2663/defaults/activex/IPSUploader.cab
O16 - DPF: {E7687142-AAC1-11D6-8738-444553540000} (CycloMedia LeadDecompressor Plugin) - https://www4.denhaag.nl/lgn/plugin/CMDecomp/V21000/CMDecomp.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup132.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.hema.nl/site/xupload/XUpload.ocx
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?312
O16 - DPF: {EF58E341-49C3-4156-A3C4-5FFCA7C1EAB7} (EURAS_Portal.Gateway) - http://www.euras.com/euras/activex2/euras.CAB
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - https://www4.denhaag.nl/lgn/plugin/Acgm/V7112/Acgm.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15031/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F2041119-B7AC-413C-9DDD-76B39F513CC8} : NameServer = 194.109.6.66,194.109.9.99
O18 - Protocol: fcp - {B3133379-8789-4D3C-9593-C205D7297501} - C:\WINDOWS\Downloaded Program Files\fcplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c006DA44.dat
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset  - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: USBDLM - Uwe Sieber www.uwe-sieber.de - C:\Program Files\USBDLM\USBDLM.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
--
End of file - 11501 bytes
 
////////////////////////////////////////////////////////////////////////  
 
TrojanHunter Scan Report - Saved 2007-11-23 08:13
 
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (matches Agent.100)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (matches Agent.100)
Removed registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR
 
////////////////////////////////////////////////////////////////////////  
 
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
 
Generated 11/23/2007 at 09:56 AM
 
Application Version : 3.9.1008
 
Core Rules Database Version : 3348
Trace Rules Database Version: 1349
 
Scan type  : Complete Scan
Total Scan Time : 01:40:26
 
Memory items scanned : 211
Memory threats detected   : 1
Registry items scanned    : 7949
Registry threats detected : 13
File items scanned   : 74244
File threats detected     : 48
 
Trojan.Unknown Origin/System
 
C:\WINDOWS\SYSTEM32\WINCQT32.DLL
 
C:\WINDOWS\SYSTEM32\WINCQT32.DLL
 
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\wincqt32
 
Adware.Vundo Variant
 
HKLM\Software\Classes\CLSID\{F5B034A3-4C2F-4108-B156-73A75F2C42A2}
 
HKCR\CLSID\{F5B034A3-4C2F-4108-B156-73A75F2C42A2}
 
HKCR\CLSID\{F5B034A3-4C2F-4108-B156-73A75F2C42A2}\InprocServer32
 
HKCR\CLSID\{F5B034A3-4C2F-4108-B156-73A75F2C42A2}\InprocServer32#ThreadingModel
 
C:\WINDOWS\SYSTEM32\DDABA.DLL
 
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F5B034A3-4C2F-4108-B156-73A75F2C42A2}
 
Trojan.Unknown Origin
 
HKLM\SOFTWARE\Microsoft\MSSMGR
 
HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
 
HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
 
HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
 
HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST
 
HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST
 
HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
 
Unclassified.Unknown Origin
 
C:\DOCUMENTS AND SETTINGS\ISIK\MY DOCUMENTS\IB2004U.EXE
 
Adware.Tracking Cookie
 
C:\Documents and Settings\Jeff\Cookies\jeff@ad.e-kolay[1].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@ad.zanox[1].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@ad1.clickhype[1].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@admarketplace[1].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@ads.cnn[1].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@ads.contactmusic[1].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@ads.foxkidseurope[1].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@ads.habbogroup[1].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@ads.habbohotel[1].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@ads.ims[1].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@ads.nationalenquirer[2].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@ads.paperdollheaven[2].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@ads.spele[2].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@ads.stardoll[2].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@adserver.adremedy[1].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@creativeby.viewpoint[1].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@e-2dj6wfkyugcjsco.stats.esomniture[2].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@e-2dj6wjk4khcpado.stats.esomniture[1].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@e-2dj6wjk4ogdzieo.stats.esomniture[2].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@e-2dj6wjkyeodzcdp.stats.esomniture[2].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@e-2dj6wjkyolcjoaq.stats.esomniture[2].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@e-2dj6wjkyulajibo.stats.esomniture[2].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@e-2dj6wjl4kgc5oco.stats.esomniture[2].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@e-2dj6wjl4oldpgho.stats.esomniture[2].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@e-2dj6wjl4uoczkap.stats.esomniture[2].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@e-2dj6wjlokmc5wco.stats.esomniture[2].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@e-2dj6wjloomczceo.stats.esomniture[2].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@e-2dj6wjloskdzigq.stats.esomniture[2].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@e-2dj6wjmyoicjobp.stats.esomniture[2].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@e-2dj6wjny-1ocjkb.stats.esomniture[1].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@e-2dj6wjnygmazskp.stats.esomniture[2].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@e-2dj6wjnyshdjmep.stats.esomniture[2].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@ehg-dig.hitbox[1].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@hitbox[2].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@vhost.oddcast[2].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@windowsmedia[1].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@www.mystats[1].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@www.searchenginetracking[1].txt
 
C:\Documents and Settings\Yasemin\Cookies\yasemin@www.uclick[2].txt
 
Unclassified.SpywareBot (Not A Threat)
 
C:\DOWNLOAD\ERRORSAFE REMOVE\SETUP.EXE
 
C:\DOWNLOAD\SETUP.EXE
 
Adware.Vundo Variant/Rel
 
C:\WINDOWS\SYSTEM32\ABADD.BAK1
 
C:\WINDOWS\SYSTEM32\ABADD.INI
 
Trojan.RunSrv32/System
 
C:\WINDOWS\SYSTEM32\RUNSRV32.DLL
 
Trojan.Downloader-Gen
 
C:\WINDOWS\SYSTEM32\WINSUB.XML
 
////////////////////////////////////////////////////////////////////////  
 
(original report in html)
 
BitDefender Online Scanner - Real Time Virus Report
Generated at: Fri, Nov 23, 2007 - 22:13:35
 
Scan Info
 
Scanned Files
956123
 
Infected Files
10
 
Virus Detected
 
Trojan.Mezzia.CY
1
 
DeepScan:Generic.Virtob.1.E8AAB7C7
2
 
Trojan.Downloader.VB.RE
1
 
Trojan.Generic.73637
2
 
Adware.Ncase.D
1
 
Win32.Magistr.B@mm
1
 
Win32.Sobig.F@mm
1
 
Trojan.PWS.Sinowal.K
1
 
////////////////////////////////////////////////////////////////////////  
end
siliconman01
Global Moderator, Posts: 5270
Re: assistance support request - WINLOGONHOOK
« Reply #1 on: Nov 24th, 2007, 3:28am »

Welcome back ;)
 
First, please continue posting in this thread instead of creating a new post.  That way everything will be together as we progress here.
 
As you can see, your system has been significantly infected. TrojanHunter, SuperAntispyware, and BitDefender have done much cleaning.  Your system is significantly cleaner now; however, I am not yet convinced you are totally clean.
 
Please do the following:
 
1.  Submit the following files to Mischel Internet Security for analysis.  They could be an infection problem.  The link below describes how to submit.
 
http://www.misec.net/forum/board/FAQ/1139308293
 
Files to submit:

C:\WINDOWS\system32\nvmbdoli.dll
C:\WINDOWS\Downloaded Program Files\fcplugin.dll
C:\WINDOWS\system32\__c006DA44.dat
 
-  Gavin/Magnus will analyze the files and, if necessary, incorporate cleaning rules in TrojanHunter.  
 
2.  Please immediately run the above files through Jotti to see what the various security scanners detect or say about them.  The link below is the Jotti website.
 
http://virusscan.jotti.org/
 
-  Please post back here whether any of these files appear to be infections.
 
3.  Because your system has been very infected, please run an online remote scan with Kaspersky.  It will detect infections but not remove any that it finds.  This will give us a big clue of whether problems still exist.
 
-  Be sure to disable your other security programs (except your firewall) prior to scanning with Kaspersky
 
-  Be sure to scan your entire system.  
 
-  Please post back here the results of the Kaspersky scan.
 
-  Link to Kaspersky:
 
http://www.kaspersky.com/virusscanner
 
4.  Please check your HOSTS file to see if it became infected during all this.
 
-  The HOSTS file is located at C:\Windows\System32\drivers\etc.  It is in folder etc and is displayed as HOSTS with no extension.
 
-  Right click on file HOSTS and open it with NotePad.
 
-  A # at the beginning of a line is a comment line.
 
-  The first executable entry should be:
127.0.0.1 localhost
 
-  All other executable entries should start with 127.0.0.1
 
-  If YOU did not intentionally load this file with entries over and above 127.0.0.1 localhost, then remove everything except the 127.0.0.1 localhost entry.
 
-  Save any changes that you made and reboot your computer.
 
-  Please post back here as to whether you made changes to this file.
« Last Edit: Nov 24th, 2007, 3:38am by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
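One way to automate the HOSTS check in step 4 of the reply above, as an added example that is not part of siliconman01's post, of TrojanHunter, or of any tool named in the thread. It applies the post's rule literally: '#' lines are comments, the first active entry must be 127.0.0.1 localhost, and every other active entry must map to 127.0.0.1; anything else is reported for the owner to judge. The SAMPLE_HOSTS text is constructed for the demonstration (the hostnames in it are made up), the default path in audit_file is the XP location the post gives, and the function names are this example's own. Note that the rule as stated also flags 0.0.0.0 entries, which some ad-blocking HOSTS lists use on purpose, and that newer Windows versions also ship an "::1 localhost" line; both are my observations, not something the post addresses.

```python
"""
Audit a Windows HOSTS file against the rule in the post above:
comment lines begin with '#', the first active entry must be
'127.0.0.1 localhost', and every other active entry must map to 127.0.0.1.
Anything else (a real IP, or a host redirected to 0.0.0.0/another address)
is reported so the owner can decide whether they added it on purpose.

Added example, not part of the original thread. SAMPLE_HOSTS is constructed
for this demonstration; the hostnames are invented.
"""
import re
from pathlib import Path

LOCALHOST = "127.0.0.1"

# Constructed sample: an XP-era HOSTS header followed by the localhost line,
# a harmless blocker entry, and two entries that do not map to 127.0.0.1.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
#      102.54.94.97     rhino.acme.com          # source server

127.0.0.1       localhost
127.0.0.1       ad.doubleclick.example        # added by a hostfile blocker, harmless
10.0.0.5        www.symantec.example          # redirects a vendor to a foreign host
0.0.0.0         update.microsoft.example      # not 127.0.0.1, so flagged by the post's rule
"""


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each active (non-comment) entry."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comment text
        if not line:
            continue
        fields = re.split(r"\s+", line)
        yield no, fields[0], fields[1:]


def audit_hosts(text):
    """
    Return a dict with:
      'first_ok'   - True if the first active entry is '127.0.0.1 localhost'
      'extra'      - active entries other than the localhost line
      'suspicious' - the subset of 'extra' whose address is not 127.0.0.1
    """
    entries = list(parse_hosts(text))
    is_localhost = lambda e: e[1] == LOCALHOST and e[2] == ["localhost"]
    first_ok = bool(entries) and is_localhost(entries[0])
    extra = [e for e in entries if not is_localhost(e)]
    suspicious = [e for e in extra if e[1] != LOCALHOST]
    return {"first_ok": first_ok, "extra": extra, "suspicious": suspicious}


def reset_hosts(text):
    """
    Produce the cleaned file the post asks for: keep the comment header and
    blank lines, drop every active entry, and leave exactly '127.0.0.1 localhost'.
    """
    kept = [raw for raw in text.splitlines()
            if not raw.split("#", 1)[0].strip()]  # comments and blank lines only
    return "\n".join(kept + [f"{LOCALHOST}\tlocalhost"]) + "\n"


def audit_file(path=r"C:\Windows\System32\drivers\etc\hosts"):
    """Run the audit on a real file; the default path is the XP location from the post."""
    return audit_hosts(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    print("first entry is 127.0.0.1 localhost:", report["first_ok"])
    for no, ip, names in report["suspicious"]:
        print(f"line {no}: {ip} -> {' '.join(names)}  (not 127.0.0.1, check it)")
```

Run it as-is to see the audit of the constructed sample; call audit_file() on the real machine (as an administrator, since the file is under System32) to audit the live HOSTS file, and only write reset_hosts() output back after confirming none of the reported entries were added deliberately.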
Gavin_Coe
Trojan Analyst, Posts: 1820
Re: assistance support request - WINLOGONHOOK
« Reply #2 on: Nov 25th, 2007, 5:56am »

Thanks much, got a few things for TH registry scanner