Mischel Internet Security Forum: Malware / Adware, Browser Hijackers and other Malware
Topic: Help Please!! - infected with Winlogonhook
Sruk79 (Newbie, Posts: 2)
« on: Nov 20th, 2006, 9:27am »

Please can you help me. I have run a Spy Sweeper scan and it reports I am infected with the Winlogonhook Trojan and BraveSentry FakeAlert adware.

How can I get rid of these?

Steve
siliconman01 (Global Moderator, Posts: 5462)
« Reply #1 on: Nov 20th, 2006, 10:34am »

Welcome to the forum, sruk79.

Sorry that you have been zapped by the cyber criminals.  Let's do some preliminary things to get to the point where we can rid you of this.
 
During all this cleaning work, BE SURE you are logged on with an account that has full administrative privileges.    
 
1.  Change your Windows Explorer default settings so that you can view all files and folders.  The link below describes how to do this.
 
http://www.misec.net/forum/board/FAQ/1139610900
 
2.  Install the latest version of HiJackthis.  The link below describes how to do this.  DO NOT run the program at this point.
 
http://www.misec.net/forum/board/FAQ/1163329424
 
3.  Download and install the trial version of TrojanHunter V4.6.930.  The download link is at the top of this forum.
-  Once you get TH installed, open TH scanner.
-  Click on the OPTIONS icon on the left sidebar and checkmark ALL options except for the very last one which is "Log executable files with double extensions".  Leave this specific option unchecked.
-  Run LiveUpdate to obtain the very latest rulesets.  Just click on the Update icon in the top menu bar and obtain the update from either the USA server or the European server.
-  Then close TH scanner.  DO NOT scan at this point.
 
4.  Be sure your Spy Sweeper has the latest definitions and updates.
 
5.  Clean up your system temporary files and folders.  If you do not already have freebie program CCleaner to do this, go to http://www.ccleaner.com  and download/install CCleaner on your system.  
-  Let it install in the default folder as per the install Wizard.
-  Run the Cleaner tool to clean out all the temporary and unnecessary junk on your system.  Do not run the Issues tool because this is a registry cleaner which may or may not be good to use at this time.  
 
6.  Reboot your computer into SAFE MODE.
 
7.  Using TH scanner, run a FULL Scan of your system.  
-  Let it quarantine what it finds.
-  Save a copy of the scan/cleaning log.
 
8.  Reboot your computer, but reboot back into SAFE MODE.
 
9.  Using your Spy Sweeper, run a FULL Scan of your system again.  
-  Let it quarantine and clean what it finds.  
-  Save a copy of the scan/cleaning log.
 
10.  Now reboot back into NORMAL MODE.
 
11.  Using HiJackthis (use the fake name you gave it), run a HiJackThis scan.
-  DO NOT make any changes or fixes.
-  Post the scan log back here for us to review.  
 
12.  Post your Spy Sweeper scan log.
 
13.  Post your TrojanHunter scan log.  
 
You may wish to print out these instructions so that you have them handy.  
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
Sruk79 (Newbie, Posts: 2)
« Reply #2 on: Nov 20th, 2006, 12:37pm »

Thanks for that; next stage all done, scan logs below:
 
Hijack this:
 
Logfile of HijackThis v1.99.1
Scan saved at 18:31:11, on 20/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\F5D7051\WLService.exe
C:\Program Files\Belkin\F5D7051\WLanCfgG.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\Program Files\Common Files\Symantec Shared\DJSNETCN.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe
C:\Program Files\Yahoo!\NAV\navapsvc.exe
C:\Program Files\Yahoo!\NAV\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
 
----------------------------------------------------------
Trojan Hunter:
 
Registry scan
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (matches Agent.100) (Regedit Jump)
Registry value exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CTDrive  (matches Hoax.Renos.201) (Regedit Jump)
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Found NTFS alternate data stream: C:\DeepSightExtractorInstaller.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Steve&Karen\Desktop\cm2007_demo.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Steve&Karen\Desktop\R107671.EXE:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Steve&Karen\Desktop\R126205.EXE:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Steve&Karen\Desktop\rminstall-5.0.0.144-VNU0306.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Steve&Karen\Desktop\rminstall.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Steve&Karen\My Documents\ht\TrojanHunterSetup.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Documents and Settings\Steve&Karen\My Documents\Webshots\wbsamp5.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\drivers\video\APOSRC4.zip:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\drivers\video\dotnetfx.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\drivers\video\infinst_autol.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\drivers\video\Nokia_DKU-5_1_24.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\drivers\video\R114282.EXE:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\KillBox.zip:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\musicmatch\mmsetup_10002058b_CNET.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
C:\pagefile.sys  Not scanned (in use by another application)
Found NTFS alternate data stream: C:\Program Files\EPSON\epson19773eu.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\Program Files\Mario_Forever.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\QuickTimeInstaller.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\steve1\ccsetup134.exe:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found NTFS alternate data stream: C:\steve1\hijackthis.zip:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Found trojan file: C:\WINDOWS\system32\cyqvkpuc.dll (TrojanSpy.VBStat.100)
Found trojan file: C:\WINDOWS\system32\drvhuf.dll (Hoax.Renos.206)
Found adware file: C:\WINDOWS\system32\gebbaab.dll (Adware.Virtumonde.293)
Found trojan file: C:\WINDOWS\system32\oyrvgpfw.dll (TrojanSpy.VBStat.100)
Found trojan file: C:\WINDOWS\system32\xbjcefje.dll (TrojanSpy.VBStat.100)
5 files identified
16976 files scanned in 1629 seconds
 
 
 
Removed registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CTDrive  
 
Quarantined file C:\WINDOWS\system32\cyqvkpuc.dll
 
Quarantined file C:\WINDOWS\system32\drvhuf.dll
 
Quarantined file C:\WINDOWS\system32\gebbaab.dll
 
Quarantined file C:\WINDOWS\system32\oyrvgpfw.dll
 
Quarantined file C:\WINDOWS\system32\xbjcefje.dll
Trojan cleaning finished.
 
 
-----------------------------------------------------------
Spysweeper:
 
18:21: Traces Found: 3
18:21: Custom Sweep has completed.  Elapsed time 00:28:31
18:21: winazs32.dll (ID = 360877)
18:21: Detected running threat: winazs32.dll (ID = 360877)
18:21: File Sweep Complete, Elapsed Time: 00:26:19
18:21:   Warning: Failed to access drive D:
17:55: Starting File Sweep
17:55: Cookie Sweep Complete, Elapsed Time: 00:00:00
17:55: Starting Cookie Sweep
17:55: Registry Sweep Complete, Elapsed Time:00:00:27
17:55:   HKLM\software\microsoft\mssmgr\ (ID = 1776755)
17:55:   Found Trojan Horse: trojan agent winlogonhook
17:54: Starting Registry Sweep
17:54: Memory Sweep Complete, Elapsed Time: 00:00:56
17:53: Starting Memory Sweep
17:53: Warning: Files are not scanned for viruses because AV engine failed to load.
17:53: Sweep initiated using definitions version 805
17:53: Spy Sweeper 5.2.3.2125 started
17:53: |  Start of Session, 20 November 2006  |
********
17:53: |  End of Session, 20 November 2006  |
17:52: Program Version 5.2.3.2125  Using Spyware Definitions 805
17:52: Warning: Virus definitions files are invalid, please update your virus definitions. 220
17:52: Spy Sweeper 5.2.3.2125 started
17:52: |  Start of Session, 20 November 2006  
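Reading a TrojanHunter scan/cleaning log by hand is error-prone: the Zone.Identifier alternate data stream lines are informational (the mark-of-the-web that Windows attaches to downloaded files), while the "Found ... file" and "Registry ... exists" lines are detections that should each be matched by a "Quarantined file" or "Removed registry ..." line further down. In the log above, for instance, the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR key is reported as matching Agent.100, but no removal line for it appears in the cleaning section. The script below is an added example, not TrojanHunter's or Mischel's code; it parses that log format and reports every detection that has no matching cleaning action. The embedded log is a constructed excerpt modelled on the one posted above.

```python
"""Reconcile a TrojanHunter scan/cleaning log: which detections were acted on?

Added example (not TrojanHunter or Mischel code).  Separates informational
lines (Zone.Identifier alternate data streams, "Not scanned" files) from
detections, then matches each detection against the cleaning actions that
follow it in the log.
"""
import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the log posted in this thread.
SAMPLE_LOG = r"""Registry scan
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (matches Agent.100) (Regedit Jump)
Registry value exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CTDrive  (matches Hoax.Renos.201) (Regedit Jump)
Inifile scan
No suspicious entries found
File scan
Found NTFS alternate data stream: C:\KillBox.zip:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
C:\pagefile.sys  Not scanned (in use by another application)
Found trojan file: C:\WINDOWS\system32\cyqvkpuc.dll (TrojanSpy.VBStat.100)
Found adware file: C:\WINDOWS\system32\gebbaab.dll (Adware.Virtumonde.293)
2 files identified
Removed registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CTDrive
Quarantined file C:\WINDOWS\system32\cyqvkpuc.dll
Quarantined file C:\WINDOWS\system32\gebbaab.dll
Trojan cleaning finished.
"""

DETECT_FILE = re.compile(r"^Found (?:trojan|adware) file: (?P<path>.+?) \((?P<sig>[^)]+)\)$")
DETECT_REG = re.compile(r"^Registry (?P<kind>key|value) exists: (?P<path>.+?)\s+\(matches (?P<sig>[^)]+)\)")
ADS_MOTW = re.compile(r"^Found NTFS alternate data stream: (?P<path>.+?):Zone\.Identifier:\$DATA")
NOT_SCANNED = re.compile(r"^(?P<path>.+?)\s+Not scanned \(")
ACTION = re.compile(r"^(?P<action>Quarantined file|Removed registry key|Removed registry value) (?P<path>.+?)\s*$")

# Which cleaning action settles which kind of detection.
ACTION_KIND = {
    "Quarantined file": "file",
    "Removed registry key": "registry key",
    "Removed registry value": "registry value",
}


@dataclass
class Detection:
    kind: str        # "file", "registry key" or "registry value"
    path: str
    signature: str   # ruleset name TrojanHunter matched, e.g. Agent.100
    handled: bool = False


@dataclass
class Report:
    detections: list = field(default_factory=list)
    mark_of_the_web: list = field(default_factory=list)  # downloaded files, informational
    skipped: list = field(default_factory=list)          # files the scanner could not open

    def unhandled(self):
        """Detections with no matching quarantine/removal line in the log."""
        return [d for d in self.detections if not d.handled]


def reconcile(text):
    """Parse a TrojanHunter log and mark each detection handled or not."""
    report = Report()
    actions = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = DETECT_FILE.match(line)
        if m:
            report.detections.append(Detection("file", m.group("path"), m.group("sig")))
            continue
        m = DETECT_REG.match(line)
        if m:
            report.detections.append(
                Detection("registry " + m.group("kind"), m.group("path"), m.group("sig")))
            continue
        m = ADS_MOTW.match(line)
        if m:
            report.mark_of_the_web.append(m.group("path"))
            continue
        m = NOT_SCANNED.match(line)
        if m:
            report.skipped.append(m.group("path"))
            continue
        m = ACTION.match(line)
        if m:
            actions.add((ACTION_KIND[m.group("action")], m.group("path").lower()))
    # Windows paths and registry keys are case-insensitive, so compare lower-cased.
    for d in report.detections:
        d.handled = (d.kind, d.path.lower()) in actions
    return report


if __name__ == "__main__":
    report = reconcile(SAMPLE_LOG)
    print(f"{len(report.mark_of_the_web)} mark-of-the-web stream(s), informational")
    print(f"{len(report.skipped)} file(s) not scanned: {', '.join(report.skipped)}")
    for d in report.detections:
        print(f"{'handled  ' if d.handled else 'UNHANDLED'} {d.kind}: {d.path} ({d.signature})")
```

On the constructed excerpt the script lists one unhandled detection, the MSSMGR registry key, which is exactly the line a helper would want to follow up on before declaring the machine clean; the mark-of-the-web streams and the in-use pagefile are reported separately so they do not inflate the detection count.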
siliconman01 (Global Moderator, Posts: 5462)
« Reply #3 on: Nov 20th, 2006, 2:52pm »

Okay, TrojanHunter found and quarantined some real goodies.  It looks like SS found 3 traces also....hopefully these were removed. 
 
Your HiJackthis log is incomplete for some reason.  Please rescan with HiJackthis and post again.  An example of what a HJT scan log should look like is shown in the first post of the link below.  Be sure you have renamed HiJackthis.exe to something like AnalyzeMe.exe as described in the procedure for installing HiJackthis per my first post.
 
http://www.misec.net/forum/board/Trojans/1160403405
« Last Edit: Nov 20th, 2006, 3:31pm by siliconman01 »

siliconman01 (Global Moderator, Posts: 5462)
« Reply #4 on: Nov 22nd, 2006, 6:18am »

I guess everything is okay now.  Would surely like to see a full HiJackthis scan log just to be sure.
lr1611 (Newbie, Posts: 6)
« Reply #5 on: Jan 18th, 2007, 2:33pm »

Hi, I think I am infected with the Winlogonhook virus too. I have the registry value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR
 
and
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjvd32
 
plus, I keep getting this premium access dialup program trying to access the internet!
 
Can you help me?
 
Thanks!!
lr1611 (Newbie, Posts: 6)
« Reply #6 on: Jan 18th, 2007, 9:14pm »

My TH and HijackThis logs are as follows:
 
Trojan Hunter:
 
Registry scan
Registry key exists: HKEY_LOCAL_MACHINE\Software\AdwareDisableKey3 (matches Agent.100) (Regedit Jump)
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (matches Agent.100) (Regedit Jump)
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Lirong Lim\Desktop\SmitfraudFix\GenericRenosFix.exe (Add to ignore list)
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Lirong Lim\Desktop\SmitfraudFix\SrchSTS.exe (Add to ignore list)
C:\pagefile.sys  Not scanned (in use by another application)
Warning: Unable to unpack UPX-packed file C:\Program Files\Hamachi\hamachi.exe (Add to ignore list)
While scanning C:\WINDOWS\system32\alg.exe: File C:\WINDOWS\system32\ALLFSAF5a.ocx not found
Found trojan file: C:\WINDOWS\Temp\idd17E.tmp.exe/cK97399C.exe (Dialer)
Found trojan file: C:\WINDOWS\Temp\idd17E.tmp.exe (Dialer)
Found trojan file: C:\WINDOWS\Temp\iddF.tmp.exe/JoOsPu.exe (Dialer)
Found trojan file: C:\WINDOWS\Temp\iddF.tmp.exe (Dialer)
Found trojan file: C:\WINDOWS\Temp\win173.tmp.exe (Klone.166)
5 files identified
13997 files scanned in 766 seconds
 
 
 
HijackThis:
 
Logfile of HijackThis v1.99.1
Scan saved at 11:16:17 AM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\WIBUKEY\Server\WkSvW32.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4C1.EXE
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HJT\analyse.exe.exe
 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6828A40C-B243-156D-5373-015323429B97} - C:\WINDOWS\system32\mlhtev.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [DetectorApp] "C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\HPQ\Default Settings\cpqset.exe"
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [DeleteLog] c:\windows\system32\oobe\DeleteLog.exe
O4 - HKLM\..\Run: [dnqxisd.dll] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\dnqxisd.dll,prtunpd
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [EPSON Stylus C63 Series] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4C1.EXE" /P23 "EPSON Stylus C63 Series" /O6 "USB001" /M "Stylus C63"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_SG&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.shockwave.com/content/tumblebugs/sis/axhost.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winjvd32 - C:\WINDOWS\SYSTEM32\winjvd32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WIBU-KEY Server (WkSvW32.exe) - WIBU-SYSTEMS AG - C:\Program Files\WIBUKEY\Server\WkSvW32.exe
 
 
Thanks!
« Last Edit: Jan 18th, 2007, 9:19pm by lr1611 »
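The HijackThis log above shows the two persistence points the moderators look at first in this thread: the O20 Winlogon Notify subkey (winjvd32, loading winjvd32.dll) and the O4 Run value that starts rundll32 with dnqxisd.dll. The script below is an added example, not code from HijackThis, TrojanHunter or this forum; it parses the "O<n> - ..." lines of a HijackThis v1.99.1 log and flags those entries from a defender's point of view: a Notify DLL that is missing or not on the host's baseline, a Run value that still loads a DLL the scanners have already removed (which is what produces an "Error Loading <dll>" dialog at logon), and a BHO registered with no name. The baseline of known Notify DLLs and the set of removed DLLs are constructed inputs an analyst would build per host; the embedded sample log is modelled on the one above and includes a "(file missing)" variant of the kind HijackThis reports once a DLL has been removed.

```python
"""Triage a HijackThis v1.99.1 log for the persistence points discussed in this thread.

Added example (not HijackThis, TrojanHunter or Mischel code).  It parses the
"O<n> - ..." lines and applies three checks:
  * O20 Winlogon Notify entries whose DLL is missing, or not on the host baseline;
  * O4 Run entries that use rundll32 to load a DLL, in particular one that has
    already been removed (the cause of an "Error Loading <dll>" dialog at logon);
  * O2 browser helper objects registered with no name.
"""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the logs posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 11:16:17 AM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {6828A40C-B243-156D-5373-015323429B97} - C:\WINDOWS\system32\mlhtev.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [dnqxisd.dll] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\dnqxisd.dll,prtunpd
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winjvd32 - winjvd32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

ENTRY_RE = re.compile(r"^O(?P<section>\d+) - (?P<detail>.+)$")
O2_RE = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]+)\] (?P<command>.+)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
RUNDLL_RE = re.compile(r'rundll32\.exe"?\s+(?P<dll>[^,]+),(?P<export>\S+)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: int
    reason: str
    detail: str


def parse_hjt(text):
    """Return (section number, detail) for every 'O<n> - ...' line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((int(m.group("section")), m.group("detail")))
    return entries


def basename(path):
    """Lower-cased file name of a Windows path, surrounding quotes stripped."""
    return path.strip().strip('"').rsplit("\\", 1)[-1].lower()


def triage(entries, baseline_notify, removed):
    """Apply the three checks.

    baseline_notify: lower-cased names of Winlogon Notify DLLs known to belong to
                     software installed on this host (built per host by the analyst).
    removed:         lower-cased names of DLLs that scanners already quarantined/deleted.
    """
    findings = []
    for section, detail in entries:
        if section == 2:
            m = O2_RE.match(detail)
            if m and m.group("name") == "(no name)":
                findings.append(Finding(2, "BHO registered without a name; review the DLL", detail))
        elif section == 4:
            m = O4_RE.match(detail)
            r = RUNDLL_RE.search(m.group("command")) if m else None
            if r and basename(r.group("dll")) in removed:
                findings.append(Finding(4, f"Run entry still loads removed DLL {basename(r.group('dll'))} "
                                           "via rundll32: source of the 'Error Loading' dialog at logon; "
                                           "the Run value itself still needs deleting", detail))
            elif r:
                findings.append(Finding(4, "Run entry loads a DLL through rundll32; review the DLL", detail))
        elif section == 20:
            m = O20_RE.match(detail)
            if not m:
                continue
            if m.group("missing"):
                findings.append(Finding(20, "orphaned Winlogon Notify entry: DLL gone, registry subkey remains", detail))
            elif basename(m.group("path")) not in baseline_notify:
                findings.append(Finding(20, "Winlogon Notify DLL not in host baseline; review", detail))
    return findings


if __name__ == "__main__":
    # Constructed per-host inputs: the Intel graphics and Spy Sweeper notify DLLs seen in
    # this thread's logs as the baseline, and the DLL that had already been removed by the
    # time the second poster saw the error dialog.
    for f in triage(parse_hjt(SAMPLE_LOG), {"igfxdev.dll", "wrlogonntf.dll"}, {"dnqxisd.dll"}):
        print(f"O{f.section}: {f.reason}\n    {f.detail}")
```

The baseline is deliberately an input rather than a built-in list: which Notify DLLs are legitimate depends on what is installed on the host, and an empty baseline simply makes the script list every O20 entry for review, which is the conservative default when nothing is known about the machine.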
siliconman01 (Global Moderator, Posts: 5462)
« Reply #7 on: Jan 18th, 2007, 11:09pm »

Welcome to the forum, lr1611.
 
Please do the following:
 
1.  Download/Install freebie CCleaner from http://www.ccleaner.com
 
2.  Go to the link below and follow the procedure to make all your files and folders visible.  
 
http://www.misec.net/forum/board/FAQ/1139610900
 
3.  Open TH scanner and do the following.  Then close TH scanner.
 
-  Run LiveUpdate to obtain the very latest rulesets.  If you are not licensed, please manually update the rulesets via the link below.  
 
http://www.misec.net/trojanhunter/updating/
 
-  Click on the Options icon on the left side of TH scanner.  Checkmark all options to make them active.
 
4.  Reboot your computer into SAFE MODE.  If you do not know how, please follow the instructions in the link below.
 
http://www.misec.net/forum/board/FAQ/1144043085
 
5.  Run the Cleaner component of CCleaner.  This will clean out all your temporary and junk files.  Do NOT run the Issues component as this is a registry cleaner.  
 
6.  Run a FULL SCAN with TrojanHunter and let it clean/quarantine all that it finds.  Save a Log Report (under FILE in the top menu bar).
 
7.  Reboot into Normal Mode.
 
8.  Run a REMOTE Scan with Bit Defender.  The link below will guide you to Bit Defender's remote scan site.  You will need to use IE because downloading an ActiveX component is required.  BE SURE to disable your normal anti-virus program prior to starting the remote scan.  Let Bit Defender clean what it finds.
 
http://www.misec.net/forum/board/FAQ/1141894786
 
9.  Following the Bit Defender scan, immediately reboot.  
 
10.  Post a new HiJackthis log, the TH scan log, and the Bit Defender scan log back here please.  
« Last Edit: Jan 18th, 2007, 11:51pm by siliconman01 »

lr1611 (Newbie, Posts: 6)
« Reply #8 on: Jan 19th, 2007, 2:30am »

Hi, thanks for the quick reply... for some reason, after doing the scans and stuff, I now get this pop-up when I enter Windows:
 
Error Loading C:\Windows\System32\dnqxisd.dll
The specified module could no be found
 
 
Did something that was not supposed to get deleted get deleted?
 
And here are the logs:
 
Hijack This:
 
Logfile of HijackThis v1.99.1
Scan saved at 4:22:28 PM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\WIBUKEY\Server\WkSvW32.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\HJT\analyse.exe.exe
 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6828A40C-B243-156D-5373-015323429B97} - C:\WINDOWS\system32\mlhtev.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [DetectorApp] "C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\HPQ\Default Settings\cpqset.exe"
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [DeleteLog] c:\windows\system32\oobe\DeleteLog.exe
O4 - HKLM\..\Run: [dnqxisd.dll] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\dnqxisd.dll,prtunpd
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_SG&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.shockwave.com/content/tumblebugs/sis/axhost.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winjvd32 - winjvd32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WIBU-KEY Server (WkSvW32.exe) - WIBU-SYSTEMS AG - C:\Program Files\WIBUKEY\Server\WkSvW32.exe
 
 
Trojan Hunter:
 
Registry scan
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (matches Agent.100) (Regedit Jump)
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Lirong Lim\Desktop\SmitfraudFix\GenericRenosFix.exe (Add to ignore list)
Warning: Unable to unpack UPX-packed file C:\Documents and Settings\Lirong Lim\Desktop\SmitfraudFix\SrchSTS.exe (Add to ignore list)
C:\pagefile.sys  Not scanned (in use by another application)
Warning: Unable to unpack UPX-packed file C:\Program Files\Hamachi\hamachi.exe (Add to ignore list)
Warning: Executable file with double extensions found: C:\Program Files\HJT\analyse.exe.exe
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_24f7c7b4\System.Xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
While scanning C:\WINDOWS\system32\alg.exe: File C:\WINDOWS\system32\ALLFSAF5a.ocx not found
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\zlsvc.zip.dll
Warning: Executable file with double extensions found: C:\WINDOWS\system32\ZoneLabs\lib\zpy.zip.dll
No trojan files found
14173 files scanned in 778 seconds
 
 
Bit Defender:
BitDefender Online Scanner

Scan report generated at: Fri, Jan 19, 2007 - 16:11:29
Scan path: C:\;D:\;E:\;

Statistics
Time: 00:50:25
Files: 346253
Folders: 4542
Boot Sectors: 4
Archives: 9796
Packed Files: 35316

Results
Identified Viruses: 2
Infected Files: 2
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 1

Engines Info
Virus Definitions: 383887
Engine build: AVCORE v1.0 (build 2371) (i386) (Dec 13 2006 11:16:42)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File | Status
C:\Documents and Settings\Lirong Lim\Local Settings\Application Data\Mozilla\Firefox\Profiles\889faml3.default\Cache\F3598EBCd01 | Infected with: Trojan.Clicker.AC
C:\Documents and Settings\Lirong Lim\Local Settings\Application Data\Mozilla\Firefox\Profiles\889faml3.default\Cache\F3598EBCd01 | Disinfection failed
C:\Documents and Settings\Lirong Lim\Local Settings\Application Data\Mozilla\Firefox\Profiles\889faml3.default\Cache\F3598EBCd01 | Deleted
C:\I386\DRIVER.CAB=>hp1200bp.icm | Clean
C:\I386\DRIVER.CAB=>hp1200c.gpd | Clean
C:\I386\DRIVER.CAB=>hp1200c1.ppd | Clean
C:\I386\DRIVER.CAB=>hp1200nd.icm | Clean
C:\I386\DRIVER.CAB=>hp1200np.icm | Clean
C:\I386\DRIVER.CAB=>hp1200p.icm | Clean
C:\I386\DRIVER.CAB=>hp1200_7.ppd | Clean
C:\I386\DRIVER.CAB=>hp1220_7.ppd | Clean
C:\I386\DRIVER.CAB=>hp1600bd.icm | Clean
C:\I386\DRIVER.CAB=>hp1600bg.icm | Clean
C:\I386\DRIVER.CAB=>hp1600bp.icm | Clean
C:\I386\DRIVER.CAB=>hp1600c.gpd | Clean
C:\I386\DRIVER.CAB=>hp1600c1.ppd | Clean
C:\WINDOWS\system32\mlhtev.dll | Infected with: Trojan.Busky.2.Gen
C:\WINDOWS\system32\mlhtev.dll | Disinfection failed
C:\WINDOWS\system32\mlhtev.dll | Delete failed

------------------------------------------------------
 
Thanks!
siliconman01
Global Moderator
Posts: 5462
Re: Help Please!! - infected with Winlogonhook
« Reply #9 on: Jan 19th, 2007, 3:21am »

There is still an infection on your system... a dialer named mlhtev.dll.
 
Please submit this file to Mischel Internet Security so Gavin can incorporate it in the rulesets of TrojanHunter.  The link below explains how to submit a file.
 
http://www.misec.net/forum/board/FAQ/1139308293
 
Then, please download VundoFix.exe to your desktop.
 
http://www.atribune.org/ccount/click.php?id=4
 
-  Double-click VundoFix.exe to run it.
-  Click the Scan for Vundo button.
-  Once it's done scanning, click the Remove Vundo button.
-  You will receive a prompt asking if you want to remove the files; click YES.
-  Once you click yes, your desktop will go blank as it starts removing Vundo.
-  When completed, it will prompt that it will reboot your computer, click OK.
-  Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
 
Quote:
Error Loading C:\Windows\System32\dnqxisd.dll  
The specified module could no be found  

 
This file was an infection and was removed by Bit Defender.  Let's see how VundoFix works to remove the other infection and then we will address this issue.
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
lr1611
Newbie
Posts: 6
Re: Help Please!! - infected with Winlogonhook
« Reply #10 on: Jan 19th, 2007, 9:51am »

hello, here are the logs:
 
VundoFix:
 
 
VundoFix V6.3.2
 
Checking Java version...
 
Java version is 1.5.0.6
 
Scan started at 10:39:14 PM 1/19/2007
 
Listing files found while scanning....
 
C:\WINDOWS\system32\mlhtev.dll
 
Beginning removal...
 
 Attempting to delete C:\WINDOWS\system32\mlhtev.dll
C:\WINDOWS\system32\mlhtev.dll Has been deleted!
 
Performing Repairs to the registry.
Done!
 
VundoFix V6.3.2
 
Checking Java version...
 
Java version is 1.5.0.6
 
Scan started at 11:20:57 PM 1/19/2007
 
Listing files found while scanning....
 
No infected files were found.
 
 
Hijack This:
 
Logfile of HijackThis v1.99.1
Scan saved at 11:45:40 PM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\WIBUKEY\Server\WkSvW32.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\HJT\analyse.exe.exe
 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6828A40C-B243-156D-5373-015323429B97} - C:\WINDOWS\system32\mlhtev.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [DetectorApp] "C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [Cpqset] "C:\Program Files\HPQ\Default Settings\cpqset.exe"
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [DeleteLog] c:\windows\system32\oobe\DeleteLog.exe
O4 - HKLM\..\Run: [dnqxisd.dll] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\dnqxisd.dll,prtunpd
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_SG&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.shockwave.com/content/tumblebugs/sis/axhost.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winjvd32 - winjvd32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WIBU-KEY Server (WkSvW32.exe) - WIBU-SYSTEMS AG - C:\Program Files\WIBUKEY\Server\WkSvW32.exe
 
 
Vundo hasn't reappeared after bootup, but I still have this key in my registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjvd32
Is it supposed to be a trojan? Some websites have listed this key as linked to a trojan.
 
Thanks again
siliconman01
Global Moderator
Posts: 5462
Re: Help Please!! - infected with Winlogonhook
« Reply #11 on: Jan 19th, 2007, 11:43am »

GREAT!  VundoFix took care of the main critter.  Now let's do some cleanup.
 
1.  Please run another HJT scan.
 
2.  When the scan is completed, please place a checkmark in the box next to each of the following items.    Be Sure that these are the only items checkmarked.
 

O2 - BHO: (no name) - {6828A40C-B243-156D-5373-015323429B97} - C:\WINDOWS\system32\mlhtev.dll (file missing)  
 
O4 - HKLM\..\Run: [dnqxisd.dll] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\dnqxisd.dll,prtunpd  
 
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
 
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)  
 
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab  
 
O20 - Winlogon Notify: winjvd32 - winjvd32.dll (file missing)  

 
Then click on Fix Checked at the bottom left of the HJT window.  Confirm that you want these items fixed and let HJT fix them.
 
Close the HJT window after the fixes are completed.
 
Reboot your computer.
 
Run another HJT scan and post it back here please.  
 
Quote:
Error Loading C:\Windows\System32\dnqxisd.dll  
The specified module could no be found

 
Did the above error message go away?
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
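The cleanup above is driven by one observation: every item checked for fixing points at a file that is no longer on disk, either because BitDefender or VundoFix deleted the payload and left the loader behind (the mlhtev.dll BHO, the rundll32 entry for dnqxisd.dll that produces the "Error Loading" message, the winjvd32 Winlogon Notify hook) or because an uninstall left a stale reference (the BitDefender Online Scanner button and DPF). As an added example that is not code from this thread, from HijackThis or from TrojanHunter, the Python script below parses a few lines copied from the HijackThis log posted above and flags exactly those orphaned autostart entries: the ones HijackThis itself marks "(file missing)" plus rundll32 targets, which HijackThis does not mark. The PRESENT_FILES set is a constructed stand-in for the disk of the sample machine; on a real system pass real_file_exists instead.

```python
import os
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, mixing orphaned entries with legitimate ones.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6828A40C-B243-156D-5373-015323429B97} - C:\WINDOWS\system32\mlhtev.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [dnqxisd.dll] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\dnqxisd.dll,prtunpd
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winjvd32 - winjvd32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Constructed stand-in for the disk: the files that still exist on the sample
# machine after the scanners ran. Real use: pass real_file_exists below.
PRESENT_FILES = {
    r"C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll",
    r"C:\Program Files\TrojanHunter 4.6\THGuard.exe",
    r"C:\WINDOWS\SYSTEM32\igfxdev.dll",
    r"C:\WINDOWS\SYSTEM32\WRLogonNTF.dll",
}


@dataclass
class Entry:
    section: str            # HijackThis group, e.g. "O20"
    body: str               # text after "Oxx - ", without the "(file missing)" marker
    hjt_missing: bool       # HijackThis itself could not find the file
    target: Optional[str]   # file this entry loads, when it can be extracted


@dataclass
class Finding:
    entry: Entry
    reason: str


LINE_RE = re.compile(r"^(O\d+) - (.*)$")
RUNDLL_RE = re.compile(r'rundll32\.exe"?\s+([^,]+)', re.IGNORECASE)
O20_RE = re.compile(r"^Winlogon Notify: \S+ - (.+)$")
# Last " - <path>" segment of O2/O9-style lines; accepts drive paths and %var% paths.
GENERIC_RE = re.compile(r" - ([A-Za-z]:\\.+|%\w+%\\.+)$")


def extract_target(section: str, body: str) -> Optional[str]:
    """Return the file an entry points at, using the layout of each HJT group."""
    if section == "O4":
        if "] " not in body:
            return None  # Global Startup shortcut lines have no [name] command
        cmd = body.split("] ", 1)[1]
        m = RUNDLL_RE.search(cmd)
        if m:
            # rundll32 is only a host: the DLL after it is what really runs.
            return m.group(1).strip().strip('"')
        if cmd.startswith('"'):
            return cmd[1:].split('"', 1)[0]
        return cmd.split(" ", 1)[0]
    if section == "O20":
        m = O20_RE.match(body)
        return m.group(1).strip() if m else None
    m = GENERIC_RE.search(body)
    return m.group(1).strip() if m else None


def parse_hjt_log(text: str) -> List[Entry]:
    """Parse the Oxx lines of a HijackThis log; header and process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        missing = body.endswith("(file missing)")
        if missing:
            body = body[: -len("(file missing)")].rstrip()
        entries.append(Entry(section, body, missing, extract_target(section, body)))
    return entries


def find_orphans(entries: List[Entry], file_exists: Callable[[str], bool]) -> List[Finding]:
    """Flag autostart entries whose target is gone: a deleted payload's leftover
    loader or a stale uninstall. Either way the entry is safe to fix."""
    findings = []
    for e in entries:
        if e.hjt_missing:
            findings.append(Finding(e, "HijackThis reports the file missing"))
        elif e.target and not file_exists(e.target):
            what = "rundll32 target DLL" if e.section == "O4" else "referenced file"
            findings.append(Finding(e, f"{what} not found on disk: {e.target}"))
    return findings


def real_file_exists(path: str) -> bool:
    """Disk check for real use: expands %windir%-style variables first."""
    return os.path.exists(os.path.expandvars(path))


if __name__ == "__main__":
    for f in find_orphans(parse_hjt_log(SAMPLE_LOG), lambda p: p in PRESENT_FILES):
        print(f"{f.entry.section:<4} {f.reason}: {f.entry.body}")
```

On the sample the script reports four entries, the same four families the moderator checked for "Fix Checked": the O2 BHO, the O4 rundll32 loader for dnqxisd.dll, the O9 BitDefender button and the O20 winjvd32 hook. The legitimate Java, TrojanHunter, Intel and Webroot entries are left alone because their files are present.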
lr1611
Newbie
Posts: 6
Re: Help Please!! - infected with Winlogonhook
« Reply #12 on: Jan 19th, 2007, 10:03pm »

Yay! The error message went away! You're a genius! *cheer*
Here's the Hijack This log:
 
Logfile of HijackThis v1.99.1
Scan saved at 12:00:15 PM, on 1/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\WIBUKEY\Server\WkSvW32.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HJT\analyse.exe.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [DetectorApp] "C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\DetectorApp.exe"
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [eabconfg.cpl] "C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [DeleteLog] c:\windows\system32\oobe\DeleteLog.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_SG&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.shockwave.com/content/tumblebugs/sis/axhost.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RaySat_3dsmax8 Server (RaySat_3dsmax8Server) - Unknown owner - C:\Program Files\Autodesk\VIZ2007\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: WIBU-KEY Server (WkSvW32.exe) - WIBU-SYSTEMS AG - C:\Program Files\WIBUKEY\Server\WkSvW32.exe
 
« Last Edit: Jan 19th, 2007, 10:03pm by lr1611 »
siliconman01
Global Moderator
Posts: 5462
Re: Help Please!! - infected with Winlogonhook
« Reply #13 on: Jan 20th, 2007, 12:47am »

Okay, your last HJT scan looks like you are cleaned up.  A couple of things that you should pursue further.
 
1.  Your Java plug-in is significantly out-of-date and should be updated to the latest V1.6.0.b105 for security reasons.  You currently have C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll.
 
-  Go to START>SETTINGS>CONTROL PANEL>JAVA>Update tab and it will guide you to the latest updated version.  
 
-  Update to the latest version.
 
-  Go to START>SETTINGS>CONTROL PANEL>ADD or REMOVE PROGRAMS and remove the old version.  Removal will leave the new version intact.
 
2.  Your System Restore is most likely tainted with the just removed infections.  Please follow the procedure below to obtain a clean System Restore.  
 
http://www.misec.net/forum/board/FAQ/1139255588
 
3.  You should test to see if you have a possible rootkit.  There is no evidence that I can see which says you do; however, it is safest to make sure.  BlackLight Rootkit Detector is a good freebie tester.
 
http://www.misec.net/forum/board/FAQ/1164990581
 
That should fix you up.  Holler if you need further assistance.  Thanks for following the instructions and providing the needed info to assist in getting your system disinfected.
 
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
lr1611
Newbie
Posts: 6
Re: Help Please!! - infected with Winlogonhook
« Reply #14 on: Jan 20th, 2007, 5:58am »