   Mischel Internet Security Forum
   Malware
   Adware, Browser Hijackers and other Malware
(Moderators: Helena, Gavin_Coe, Magnus)
   Winlogonhook
Topic: Winlogonhook (Read 2042 times)
keithie46 (Newbie, Posts: 6)
Winlogonhook
« on: Aug 3rd, 2006, 10:44pm »

I have read what's here on the subject of winlogonhook.  I have run Spysweeper and TrojanHunter both in normal and in safe modes.   Both SS and TH find and delete the MSSMGR folder.   I have also used regedit to delete the MSSMGR folder, and still, no matter how I remove it, the MSSMGR folder shows up again in the registry after a reboot.  I do have Zone Alarm but I shut it down so I can change the registry.  I also have system restore off.  I am going nuts trying to get this thing off my computer.  Any help would be greatly appreciated.
siliconman01 (Global Moderator, Posts: 5576)
Trojans! Chew 'em Up, Spit 'em Out...
Re: Winlogonhook
« Reply #1 on: Aug 3rd, 2006, 11:07pm »

Welcome to the forum keithie46

Please do this and we'll be able to determine where the problem resides.

1.  Go to the website below.  Download and install HijackThis 1.99.1.  Install it in a dedicated folder on your Hard Drive...not on the Desktop.

http://www.majorgeeks.com/download3155.html

2.  Reboot your computer again.  Do NOT run any security program scans because they could block needed info for a HijackThis scan.

3.  Run a HijackThis scan, save the log, and then post it in this thread.
« Last Edit: Aug 4th, 2006, 8:48am by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
keithie46 (Newbie, Posts: 6)
Re: Winlogonhook
« Reply #2 on: Aug 4th, 2006, 11:27am »

Thank you very much for the help.   Here's what it shows:    
 
Logfile of HijackThis v1.99.1
Scan saved at 11:24:50 AM, on 8/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Palm\AlarmApp.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\TrojanHunter 4.5\TrojanHunter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\hijackthis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.christiansciencemonitor.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO:   - {7593EC97-47A7-4907-95F9-B4C32AED3232} - C:\WINDOWS\lbbho.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Alarm Manager.LNK = C:\Program Files\Palm\AlarmApp.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O4 - Global Startup: NkbMonitor.exe.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: NetMarks Manager - {4B3520B0-D518-4443-BA9E-2D4CE7F773C5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: New &NetMark - {4B3520B0-D518-4443-BA9E-2D4CE7F773C5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095519469459
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winawp32 - C:\WINDOWS\SYSTEM32\winawp32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Expertcity\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Xpress Mail Personal Edition Service (SevenConnectionService) - Unknown owner - C:\Program Files\Xpress Mail\Personal Edition\ConnectionService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
siliconman01 (Global Moderator, Posts: 5576)
Re: Winlogonhook
« Reply #3 on: Aug 4th, 2006, 11:53am »

Okay,  here is what needs to be done to get rid of this winlogonhook problem. The problem is the critter shown below:  
 
O20 - Winlogon Notify: winawp32.dll - C:\WINDOWS\SYSTEM32\winawp32.dll  
   
 
Please Do this:
 
1.  Download KillBox from:

http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41
 
You can place Killbox on your desktop.      
Do not run Killbox yet.  
   
2.  Run another HJT scan.      
   
3.  Put a checkmark in the box for (checkmark ONLY this specific entry):    
   
O20 - Winlogon Notify: winawp32.dll - C:\WINDOWS\SYSTEM32\winawp32.dll
 
4.  Close all open Windows except Hijackthis and click on "Fix Checked" at the bottom left of the HJT window.  Confirm the FIX.    
   
5.  Now run Killbox and select Delete on Reboot.  
   
6.  Paste the line below into the box and press the red X button.    
   
C:\WINDOWS\SYSTEM32\winawp32.dll    
   
7.  When it asks you if you want to reboot, say yes to reboot the Computer.    
     
8.  After the Computer reboots,  clean out all your temporary Internet files using Internet Options in the Control Panel.    
 
9.  Run another HJT log.  
 
If the "O20 - Winlogon Notify: winawp32.dll - C:\WINDOWS\SYSTEM32\winawp32.dll  (file missing)" shows up, put a checkmark next to it (check mark ONLY that entry) and click on FIX to let HJT remove the registry entry.  After it fixes it, close HJT and then open it back up and run another HJT scan.  
 
10.  Post a new HJT log back here please for further review.    
   
11.  Run a full scan with Spy Sweeper to ensure that the infection is gone.  
 
Please let us know whether SS scans clean now.
keithie46 (Newbie, Posts: 6)
Re: Winlogonhook
« Reply #4 on: Aug 4th, 2006, 12:38pm »

Latest HJT log after instructions.  
 
C:\WINDOWS\SYSTEM32\winawp32.dll was removed from registry, however, I ran SpySweeper again and it still reports finding "winlogonhook" and deletes it.
 
Logfile of HijackThis v1.99.1
Scan saved at 12:31:51 PM, on 8/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Palm\AlarmApp.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\hijackthis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Messenger\msmsgs.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.christiansciencemonitor.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =  
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO:   - {7593EC97-47A7-4907-95F9-B4C32AED3232} - C:\WINDOWS\lbbho.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Alarm Manager.LNK = C:\Program Files\Palm\AlarmApp.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O4 - Global Startup: NkbMonitor.exe.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: NetMarks Manager - {4B3520B0-D518-4443-BA9E-2D4CE7F773C5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: New &NetMark - {4B3520B0-D518-4443-BA9E-2D4CE7F773C5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095519469459
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Expertcity\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Xpress Mail Personal Edition Service (SevenConnectionService) - Unknown owner - C:\Program Files\Xpress Mail\Personal Edition\ConnectionService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
siliconman01 (Global Moderator, Posts: 5576)
Re: Winlogonhook
« Reply #5 on: Aug 4th, 2006, 1:14pm »

Okay,
 
Reboot your computer into SAFE MODE.
 
1.  Run a HJT scan.
 
2.  Checkmark the following entry and click on Fix Check and let HJT fix it.
 
O2 - BHO:   - {7593EC97-47A7-4907-95F9-B4C32AED3232} - C:\WINDOWS\lbbho.dll
 
3.  Close HJT.
 
4.  Do a Search for the file named   lbbho.dll
 
5.  Delete   lbbho.dll   from your system.
 
6.  Reboot into Normal Mode.
 
7.  Run HJT and post another log.
 
8.  Run another full scan with SS.  Be sure you have the latest definitions from Webroot for SS (spyware definitions version 733).  If SS still finds a problem, please post its scan log so I can see what it is detecting.
 
 
siliconman01 (Global Moderator, Posts: 5576)
Re: Winlogonhook
« Reply #6 on: Aug 4th, 2006, 1:37pm »

Is Spy Sweeper finding this infection in your C:\System Volume Information folder?
 
If so, it's in your System Restore folder.  The only way to get rid of it from the System Restore folder is to turn off System Restore.
 
1.  START-SETTINGS-CONTROL PANEL-SYSTEM-SYSTEM RESTORE tab.
 
2.  Put a checkmark in the turn off system restore box.
 
3.  Click on APPLY- OK.
 
4.  Reboot your Computer.
 
5.  START-SETTINGS-CONTROL PANEL-SYSTEM-SYSTEM RESTORE tab.
 
6.  Remove the checkmark in the turn off system restore box.
 
7.  Click on APPLY- OK.
 
8.  START- HELP and SUPPORT
 
9.  System Restore Section and Manually CREATE a new restore point.
keithie46 (Newbie, Posts: 6)
Re: Winlogonhook
« Reply #7 on: Aug 4th, 2006, 2:16pm »

Deleted lbbho.dll from system as instructed.  Spysweeper scan reports no threats now.  I am going to reboot and scan again to be sure.  I will report results.  Thank you so much for your help.  By the way, Trojan Hunter is really FAST, I am definitely going to purchase.
 
Also, I noticed the system restore post above.  I have system restore OFF.
 
Here is the HJT Log after "fixing" lbbho.dll:
 
Logfile of HijackThis v1.99.1
Scan saved at 2:00:32 PM, on 8/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\StartupMonitor.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\TrojanHunter 4.5\THGuard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Palm\AlarmApp.exe
C:\Program Files\Palm\Hotsync.exe
C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.christiansciencemonitor.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\PCHealth\HelpCtr\System\panels\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =  
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk.disabled
O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
O4 - Global Startup: Alarm Manager.LNK = C:\Program Files\Palm\AlarmApp.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Program Files\Palm\Hotsync.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk.disabled
O4 - Global Startup: NkbMonitor.exe.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: NetMarks Manager - {4B3520B0-D518-4443-BA9E-2D4CE7F773C5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: New &NetMark - {4B3520B0-D518-4443-BA9E-2D4CE7F773C5} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095519469459
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: GoToMyPC - Unknown owner - C:\Program Files\Expertcity\GoToMyPC\g2svc.exe" -service (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Retrospect Express HD Restore Helper (RetroExp Helper) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\rthlpsvc.exe
O23 - Service: Retrospect Express HD Launcher (RetroExpLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect Express HD\retrorun.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Xpress Mail Personal Edition Service (SevenConnectionService) - Unknown owner - C:\Program Files\Xpress Mail\Personal Edition\ConnectionService.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
 
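Pulling the three logs in this thread together, here is an added example (not from the thread, and not HijackThis or TrojanHunter code) of how a responder can triage HJT logs mechanically instead of by eye: parse the entry lines, flag O20 Winlogon Notify DLLs outside an assumed baseline and O2 BHOs with no class name, and diff a before/after pair to confirm that a fix removed exactly the entry it was meant to. The sample log text is condensed from the Reply #2, #4 and #7 logs above; the KNOWN_NOTIFY baseline is an assumption for illustration, not an authoritative list.

```python
"""Triage helper for HijackThis (HJT) logs like the ones in this thread.

Added example, not part of the original thread and not HijackThis or
TrojanHunter code. It parses the "Oxx - ..." entry lines, flags the two
persistence points the thread turned on (an O20 Winlogon Notify DLL and an
unnamed O2 BHO), and diffs two logs to confirm a fix actually removed an entry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    section: str  # HJT section tag, e.g. "O20"
    body: str     # everything after "O20 - "


ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# Assumed baseline of Winlogon\Notify subkeys: the ones Windows XP SP2 ships
# with, plus the two legitimate third-party ones seen in the thread's logs.
# Treat it as a starting point and compare against a known-clean machine.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
    "WgaLogon",    # Windows Genuine Advantage notification
    "WRNotifier",  # Webroot Spy Sweeper
}

# Constructed sample: a condensed copy of the first log (Reply #2).
LOG_BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO:   - {7593EC97-47A7-4907-95F9-B4C32AED3232} - C:\WINDOWS\lbbho.dll
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.5\THGuard.exe"
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winawp32 - C:\WINDOWS\SYSTEM32\winawp32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""
# The same log after the Reply #3 fix (winawp32 gone) and after the Reply #5
# fix (lbbho.dll gone), mirroring the Reply #4 and Reply #7 logs.
LOG_AFTER_FIX1 = "\n".join(l for l in LOG_BEFORE.splitlines() if "winawp32" not in l)
LOG_AFTER_FIX2 = "\n".join(l for l in LOG_AFTER_FIX1.splitlines() if "lbbho.dll" not in l)


def parse_hjt(text):
    """Return the Oxx/Rx entry lines of an HJT log as Entry objects."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def flag_entries(entries):
    """Return (reason, entry) pairs for entries that deserve a second look."""
    findings = []
    for e in entries:
        if e.section == "O20":
            m = NOTIFY_RE.match(e.body)
            if m and m["name"] not in KNOWN_NOTIFY:
                findings.append(("unknown Winlogon Notify DLL", e))
        elif e.section == "O2":
            m = BHO_RE.match(e.body)
            if m and not m["name"].strip():
                findings.append(("BHO with no class name", e))
        if "(file missing)" in e.body:
            findings.append(("registry entry points to a missing file", e))
    return findings


def diff_logs(before, after):
    """Return (removed, added) entries between two logs, in stable order."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))

    def key(e):
        return (e.section, e.body)

    return sorted(b - a, key=key), sorted(a - b, key=key)


if __name__ == "__main__":
    for reason, e in flag_entries(parse_hjt(LOG_BEFORE)):
        print(f"[{reason}] {e.section} - {e.body}")
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER_FIX1)
    print("removed by fix 1:", [e.body for e in removed], "added:", [e.body for e in added])
```

Run as a script it prints the three suspicious lines from the first log and shows winawp32 as the only entry the first fix removed; the unnamed lbbho.dll BHO only drops out after the second fix, which is the same progression the thread went through. The "(file missing)" check catches orphaned entries like the msnim protocol handler, which are harmless on their own but are the kind of leftover the moderator asks to have fixed in step 9 of Reply #3.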
siliconman01 (Global Moderator, Posts: 5576)
Re: Winlogonhook
« Reply #8 on: Aug 4th, 2006, 2:20pm »

Great!
 
Your HJT log looks like you are clean.  Hopefully Spy Sweeper will report the same on the next scan.  
 
TrojanHunter will be a very good addition to your security arsenal.
 
BTW, a new Build of SS is "suppose" to be out today.  Hasn't been released yet, however.
keithie46 (Newbie, Posts: 6)
Re: Winlogonhook
« Reply #9 on: Aug 4th, 2006, 4:02pm »

Yes it's gone.  Gone!    Thanks.
siliconman01 (Global Moderator, Posts: 5576)
Re: Winlogonhook
« Reply #10 on: Aug 4th, 2006, 4:33pm »

Awesome!
 
U B very welcome
siliconman01 (Global Moderator, Posts: 5576)
Re: Winlogonhook
« Reply #11 on: Aug 15th, 2006, 2:07am »

Fixed and thread Locked.  Please create a new post if assistance is needed on this topic.