Mischel Internet Security Forum > Malware > Trojans
Topic: I have a Winlogonhook Infection (Read 1220 times)
markd (Newbie, Posts: 11)
I have a Winlogonhook Infection
« on: Oct 9th, 2006, 9:16am »

Greetings! Unfortunately I have been infected! Below is my HT log. Any help greatly appreciated!
 
Logfile of HijackThis v1.99.1
Scan saved at 12:01:28 AM, on 10/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\{F86EE79C-0BC6-3081-0902-04062005003d}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Downloaded\letslook.exe
 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E24427B-DF2A-40EB-980B-A819F5FF3DD0} - C:\WINDOWS\system32\tuvvusq.dll
O2 - BHO: (no name) - {40A301C3-C34B-4F2B-9CA9-308A9FF6759D} - C:\WINDOWS\system32\vtstq.dll
O2 - BHO: (no name) - {4A0857CB-B61D-2203-019A-01BD81DA11C0} - C:\WINDOWS\system32\qmstfun.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\tbqxaysf.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [wgosrej.dll] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\wgosrej.dll,oxdzwwb
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148596071125
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: tuvvusq - C:\WINDOWS\SYSTEM32\tuvvusq.dll
O20 - Winlogon Notify: vtstq - C:\WINDOWS\system32\vtstq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winuyw32 - C:\WINDOWS\SYSTEM32\winuyw32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
siliconman01 (Global Moderator, Posts: 5668)
Re: I have a Winlogonhook Infection
« Reply #1 on: Oct 9th, 2006, 12:50pm »

Welcome to the forum markd :)
 
Sorry, but yes you have become infected.  
 
Please submit the following files to Mischel Internet Security for analysis:  
 
winuyw32.dll
vtstq.dll
tuvvusq.dll
qmstfun.dll
wgosrej.dll

 
The link below explains how to submit files:
 
http://www.misec.net/forum/board/FAQ/1139308293
 
Once you get these submitted, please go to the link below and download/install the freebie Unlocker.  Install it in its own folder on your hard drive.
 
http://ccollomb.free.fr/unlocker/
 
Then download the very latest rulesets for TrojanHunter.  
 
Reboot into SAFE MODE and do a full system scan with TrojanHunter.  Let it quarantine what it uncovers.
 
Reboot back into Normal Mode.
 
Post the log from TrojanHunter
 
Post a new HJT log
 
 
« Last Edit: Oct 9th, 2006, 12:51pm by siliconman01 »

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
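The five DLLs siliconman01 picks out above can be found by mechanically cross-checking the HijackThis sections: unnamed BHOs living in system32 (O2), Winlogon Notify packages that are not known products (O20), and Run values that launch a system32 DLL through rundll32 (O4). The script below is an added example, not code from the thread, from HijackThis or from Mischel Internet Security; it runs on a constructed excerpt of markd's first log (the entries are copied from the post) and its allowlist of known-good Winlogon Notify DLLs (WgaLogon.dll for Windows Genuine Advantage, WRLogonNTF.dll for Spy Sweeper) and its heuristics are assumptions of the example, not a HijackThis feature.

```python
import re
from collections import defaultdict

# Constructed excerpt of the HijackThis log posted above (entries copied from the post).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E24427B-DF2A-40EB-980B-A819F5FF3DD0} - C:\WINDOWS\system32\tuvvusq.dll
O2 - BHO: (no name) - {40A301C3-C34B-4F2B-9CA9-308A9FF6759D} - C:\WINDOWS\system32\vtstq.dll
O2 - BHO: (no name) - {4A0857CB-B61D-2203-019A-01BD81DA11C0} - C:\WINDOWS\system32\qmstfun.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\tbqxaysf.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [wgosrej.dll] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\wgosrej.dll,oxdzwwb
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O20 - Winlogon Notify: tuvvusq - C:\WINDOWS\SYSTEM32\tuvvusq.dll
O20 - Winlogon Notify: vtstq - C:\WINDOWS\system32\vtstq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winuyw32 - C:\WINDOWS\SYSTEM32\winuyw32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Winlogon Notify packages we accept without question (assumption for this
# example: Windows Genuine Advantage and Webroot Spy Sweeper, both seen above).
NOTIFY_ALLOWLIST = {"wgalogon.dll", "wrlogonntf.dll"}

O2_RE = re.compile(r"^O2 - BHO: (.+?) - \{[0-9A-Fa-f-]+\} - (.+?)(?: \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
# First DLL under system32 mentioned in a Run command line.
DLL_RE = re.compile(r"[A-Za-z]:\\WINDOWS\\system32\\([^\s,]+\.dll)", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(log_text):
    """Return {dll filename (lowercase): [reasons it looks suspicious]}."""
    findings = defaultdict(list)
    hooks = defaultdict(set)  # dll -> set of hook types it is registered under
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            name, path = m.groups()
            dll = basename(path).lower()
            hooks[dll].add("O2 BHO")
            # Legitimate BHOs carry a class name and rarely live in system32.
            if name == "(no name)" and "\\system32\\" in path.lower():
                reason = "unnamed BHO loaded from system32"
                if line.endswith("(file missing)"):
                    reason += " (file missing; orphaned registry entry)"
                findings[dll].append(reason)
        elif m := O4_RE.match(line):
            hive, value_name, command = m.groups()
            d = DLL_RE.search(command)
            if d and "rundll32" in command.lower():
                dll = d.group(1).lower()
                hooks[dll].add("O4 Run")
                # Vendors name their Run values after the product, not the DLL.
                if value_name.lower() == dll:
                    findings[dll].append(f"{hive} Run value named after the DLL it loads via rundll32")
        elif m := O20_RE.match(line):
            _, path = m.groups()
            dll = basename(path).lower()
            hooks[dll].add("O20 Winlogon Notify")
            if dll not in NOTIFY_ALLOWLIST:
                findings[dll].append("Winlogon Notify package not on allowlist")
    # The same DLL registered as both a BHO and a Winlogon Notify package is a
    # strong sign of one component hooking several load points.
    for dll, kinds in hooks.items():
        if len(kinds) > 1:
            findings[dll].append("registered under multiple hooks: " + ", ".join(sorted(kinds)))
    return dict(findings)


if __name__ == "__main__":
    for dll, reasons in triage(SAMPLE_LOG).items():
        print(dll)
        for reason in reasons:
            print("   -", reason)
```

Run as-is it lists tuvvusq.dll, vtstq.dll, qmstfun.dll, wgosrej.dll and winuyw32.dll, the same five files siliconman01 asks to have submitted, plus the orphaned tbqxaysf.dll entry, while NvCpl.dll, WgaLogon.dll and the Spybot helper pass. The Winlogon Notify entries matter most: a Notify DLL is loaded into winlogon.exe at boot, which is why it cannot simply be deleted from a normal session and why the reply above sends the poster to Safe Mode and Unlocker.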
siliconman01 (Global Moderator, Posts: 5668)
Re: I have a Winlogonhook Infection
« Reply #2 on: Oct 9th, 2006, 3:06pm »

After you post the two logs requested above, let's make sure a rootkit was not delivered with one of these infections.
 
Please go to the link below and download/install Blacklight Rootkit Detector.  Please read about rootkits and the use of this program while you are at the website.
 
Then run Blacklight.  If any rootkits are detected, let it try to remove them.  Be sure to reboot after it removes the rootkit.  
 
http://www.f-secure.com/blacklight/
 
Please post the results of the Blacklight scan.  Also if a detection was removed, please repost the HJT log.

markd (Newbie, Posts: 11)
Re: I have a Winlogonhook Infection
« Reply #3 on: Oct 10th, 2006, 7:46am »

Thx siliconman01
 
Have done as instructed. The forum won't allow me to post the TrojanHunter report (says it's too long). Below is the HJT log.
 
Logfile of HijackThis v1.99.1
Scan saved at 10:23:28 PM, on 10/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\{F86EE79C-0BC6-3081-0902-04062005003d}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloaded\letslook.exe
 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E24427B-DF2A-40EB-980B-A819F5FF3DD0} - C:\WINDOWS\system32\tuvvusq.dll
O2 - BHO: (no name) - {4A0857CB-B61D-2203-019A-01BD81DA11C0} - C:\WINDOWS\system32\qmstfun.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {72163F91-04DF-4F40-B732-E409CCF8974B} - C:\WINDOWS\system32\vtstq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\system32\tbqxaysf.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [wgosrej.dll] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\wgosrej.dll,oxdzwwb
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148596071125
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: tuvvusq - C:\WINDOWS\SYSTEM32\tuvvusq.dll
O20 - Winlogon Notify: vtstq - C:\WINDOWS\system32\vtstq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winuyw32 - C:\WINDOWS\SYSTEM32\winuyw32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
siliconman01 (Global Moderator, Posts: 5668)
Re: I have a Winlogonhook Infection
« Reply #4 on: Oct 10th, 2006, 8:08am »

Did TrojanHunter quarantine anything?  
 
Concerning the TrojanHunter scan log:
 
1.  If you are seeing alerts that say that a program or file has an alternate data stream attached to it, wait for the TH scan to complete.  Then go through and click on the "Delete ADS stream" hot button for each one and let TH remove these ADS streams.  They will be removed and will not return for future scans unless you download a new version of that file.  You should always instruct TH scanner to remove these streams because they "can" have malicious content in them; however, this is not normally the case.  
 
2.  I suspect that you are seeing a lot of info alerts stating that specific files have a Double Extension.  You can stop the logging of these Double Extension files by clicking on the Options icon on the left side bar of TH scanning and unchecking the very last option "Log executable files with double extensions".  TH will still scan them for infections.  All other options should be checkmarked or active.  
 
Did you run Blacklight rootkit detector?
« Last Edit: Oct 10th, 2006, 8:09am by siliconman01 »

markd (Newbie, Posts: 11)
Re: I have a Winlogonhook Infection
« Reply #5 on: Oct 10th, 2006, 8:09am »

Blacklight scan did not detect anything.  Below is the result.
 
10/10/06 22:52:54 [Info]: BlackLight Engine 1.0.47 initialized
10/10/06 22:52:54 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/10/06 22:52:54 [Note]: 7019 4
10/10/06 22:52:54 [Note]: 7005 0
10/10/06 22:53:05 [Note]: 7006 0
10/10/06 22:53:05 [Note]: 7011 224
10/10/06 22:53:05 [Note]: 7026 0
10/10/06 22:53:05 [Note]: 7026 0
10/10/06 22:53:13 [Note]: FSRAW library version 1.7.1020
10/10/06 22:57:11 [Note]: 2000 1012
10/10/06 23:02:40 [Note]: 7007 0
siliconman01 (Global Moderator, Posts: 5668)
Re: I have a Winlogonhook Infection
« Reply #6 on: Oct 10th, 2006, 8:23am »

Okay, good on no rootkits.  Now before we go through manual removal of these infections I would like you to run a remote Bit Defender scan and let it remove any infections it finds.
 
A.)  I am confident that your System Restore folder is infected and thus useless.  Please turn off System Restore before running the remote scan.
 
- START>SETTINGS>CONTROL PANEL>SYSTEM>SYSTEM RESTORE tab.
 
-  Checkmark the box that states to turn off System Restore on all discs.
 
-  Click on OK and Apply.
 
-  Reboot your computer.
 
B.)  Please clean up the temporary file junk from your system.  
 
-  Go to the site below and download/install CCleaner.  Run the Cleaner feature and let it clean out your temp files and folders.  DO NOT run the Issues component.  
 
http://www.ccleaner.com
 
This is a good freebie program to retain on your system and use frequently to clean up these temporary files/folders.
 
C.)  Run a Bit Defender remote scan.  
 
-  You will need to use IE (not FireFox) to run this remote scan because Bit Defender needs to download/install ActiveX controls.  
 
-  Also before running the scan, disable your resident anti-virus program so it does not conflict with Bit Defender.  
 
-  Please post back the scan log following the Bit Defender run.  
 
-  Please post a new HJT log.  
 
The link below contains the link to the Bit Defender remote scan site.
 
http://www.misec.net/forum/board/FAQ/1141894786
 

markd (Newbie, Posts: 11)
Re: I have a Winlogonhook Infection
« Reply #7 on: Oct 10th, 2006, 8:33am »

Quarantined files: wlzip32[1].exe - win46A.tmp.exe
 
Re TH scan:
You were correct on both points! Will make changes as instructed for future logs and have omitted the points mentioned leaving the remaining results of the scan below.
 
Registry scan
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (matches Agent.100) (Regedit Jump)
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISearchTechYSB.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsExplorer.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SeachToolbarCorpToolbarVision.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SeachToolbarCorpToolbarVision1.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SeachToolbarCorpToolbarVision10.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SeachToolbarCorpToolbarVision2.zip
Not scanning password-protected file VSToolBar.dll in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SeachToolbarCorpToolbarVision3.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SeachToolbarCorpToolbarVision3.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SeachToolbarCorpToolbarVision4.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SeachToolbarCorpToolbarVision5.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SeachToolbarCorpToolbarVision6.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SeachToolbarCorpToolbarVision7.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SeachToolbarCorpToolbarVision8.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SeachToolbarCorpToolbarVision9.zip
Not scanning password-protected file isnotify.exe in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip
Not scanning password-protected file ishost.exe in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC10.zip
Not scanning password-protected file ixt0.dll in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC6.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC7.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC8.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC9.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCToolbar1.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Vcodec.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader.zip
Found adware file: C:\Temp\System\win46A.tmp.exe (Adware.Softomate.115)
Found adware file: C:\Temp\Temporary Internet Files\Content.IE5\OASYTHEZ\wlzip32[1].exe (Adware.Softomate.115)
Not scanning password-protected file winuyw32.dll in C:\WINDOWS\system32\winuyw32.zip
Not scanning password-protected file vtstq.dll in C:\WINDOWS\system32\winuyw32.zip
Not scanning password-protected file tuvvusq.dll in C:\WINDOWS\system32\winuyw32.zip
Not scanning password-protected file qmstfun.dll in C:\WINDOWS\system32\winuyw32.zip
Not scanning password-protected file wgosrej.dll in C:\WINDOWS\system32\winuyw32.zip
3 files identified
19789 files scanned in 2454 seconds
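Most of the TrojanHunter log above is noise from the password-protected archives in Spybot's Recovery folder (the ones the next replies tell markd to exclude), but the last five "Not scanning" lines are different: a password-protected winuyw32.zip sitting in system32 and bundling exactly the five hooked DLLs. The script below is an added example, not TrojanHunter's own code or anything from the thread; it runs over a constructed excerpt of the posted log and separates the registry hits, the file detections, and the skipped archives into those under a known quarantine store (the Spybot Recovery path, an assumption of the example) and those anywhere else.

```python
import re

# Constructed excerpt of the TrojanHunter scan log posted above (lines copied
# from the post, trimmed to a few of the repeated Spybot Recovery entries).
SAMPLE_TH_LOG = r"""
Registry scan
Registry key exists: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR (matches Agent.100) (Regedit Jump)
Inifile scan
No suspicious entries found
File scan
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip
Not scanning password-protected file isnotify.exe in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip
Not scanning password-protected file sbRecovery.ini in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloader.zip
Found adware file: C:\Temp\System\win46A.tmp.exe (Adware.Softomate.115)
Found adware file: C:\Temp\Temporary Internet Files\Content.IE5\OASYTHEZ\wlzip32[1].exe (Adware.Softomate.115)
Not scanning password-protected file winuyw32.dll in C:\WINDOWS\system32\winuyw32.zip
Not scanning password-protected file vtstq.dll in C:\WINDOWS\system32\winuyw32.zip
Not scanning password-protected file tuvvusq.dll in C:\WINDOWS\system32\winuyw32.zip
Not scanning password-protected file qmstfun.dll in C:\WINDOWS\system32\winuyw32.zip
Not scanning password-protected file wgosrej.dll in C:\WINDOWS\system32\winuyw32.zip
3 files identified
19789 files scanned in 2454 seconds
"""

# Folders where password-protected archives are expected because an
# anti-malware tool keeps its backups there (assumption for this example;
# compared case-insensitively against the archive path).
QUARANTINE_ROOTS = ("\\spybot - search & destroy\\recovery\\",)

REG_RE = re.compile(r"^Registry key exists: (.+?) \(matches (.+?)\)")
DET_RE = re.compile(r"^Found (\w+) file: (.+?) \((.+?)\)$")
SKIP_RE = re.compile(r"^Not scanning password-protected file (\S+) in (.+)$")


def summarize(log_text):
    """Parse a TrojanHunter scan log into registry hits, file detections and
    skipped archives, splitting the archives into expected and unexpected."""
    registry, detections = [], []
    archives = {}  # archive path -> members skipped, in order of appearance
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := REG_RE.match(line):
            registry.append((m.group(1), m.group(2)))          # (key, rule name)
        elif m := DET_RE.match(line):
            detections.append((m.group(1), m.group(2), m.group(3)))  # (kind, path, name)
        elif m := SKIP_RE.match(line):
            member, archive = m.groups()
            archives.setdefault(archive, []).append(member)
    expected, unexpected = {}, {}
    for archive, members in archives.items():
        low = archive.lower()
        bucket = expected if any(root in low for root in QUARANTINE_ROOTS) else unexpected
        bucket[archive] = members
    return {
        "registry": registry,
        "detections": detections,
        "expected_archives": expected,
        "unexpected_archives": unexpected,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_TH_LOG)
    for key, rule in report["registry"]:
        print(f"registry: {key}  ({rule})")
    for kind, path, name in report["detections"]:
        print(f"{kind}: {path}  ({name})")
    print(f"{len(report['expected_archives'])} locked archive(s) in quarantine folders (ignored)")
    for archive, members in report["unexpected_archives"].items():
        print(f"REVIEW locked archive outside quarantine: {archive}")
        for member in members:
            print("   contains", member)
```

The output leaves the Spybot archives aside and reports only C:\WINDOWS\system32\winuyw32.zip with its five members, which is the artifact Gavin_Coe later tells markd to delete. The same split is what siliconman01's Reply #8 achieves by hand when he excludes the Recovery folder from the TH scan.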
siliconman01 (Global Moderator, Posts: 5668)
Re: I have a Winlogonhook Infection
« Reply #8 on: Oct 10th, 2006, 8:48am »

Okay, it looks like SpyBot S&D tried to remove your infections and was unsuccessful.  Or you have had this same list of infections before.
 
When you make the changes to TH scanner, make another change to stop TH scanner from scanning the locked folder of SpyBot S&D.
 
-  Click on the Scan icon on the left icon bar of TH.
-  Expand the C:\ hard drive by clicking on the + sign.
-  Drill down to C:\Documents and Settings\All Users\Application Data\ Spybot - Search and Destroy\ .  
-  Uncheck the folder named Recovery.
 
TH scanner will no longer scan this locked folder named Recovery.
 
Just as a side observation: I would just empty out that Recovery folder, because it looks to me that you definitely would never want to restore the malicious files that are in it.  
 
« Last Edit: Oct 10th, 2006, 8:57am by siliconman01 »

Gavin_Coe (Trojan Analyst, Posts: 2043)
Re: I have a Winlogonhook Infection
« Reply #9 on: Oct 10th, 2006, 5:18pm »

All added! Update, run a full scan in Safe Mode, remove everything found. Hopefully that nails the lot :)
Gavin_Coe (Trojan Analyst, Posts: 2043)
Re: I have a Winlogonhook Infection
« Reply #10 on: Oct 10th, 2006, 5:19pm »

You can delete this file now:
 
Quote:

Not scanning password-protected file winuyw32.dll in C:\WINDOWS\system32\winuyw32.zip  
Not scanning password-protected file vtstq.dll in C:\WINDOWS\system32\winuyw32.zip  
Not scanning password-protected file tuvvusq.dll in C:\WINDOWS\system32\winuyw32.zip  
Not scanning password-protected file qmstfun.dll in C:\WINDOWS\system32\winuyw32.zip  
Not scanning password-protected file wgosrej.dll in C:\WINDOWS\system32\winuyw32.zip

markd (Newbie, Posts: 11)
Re: I have a Winlogonhook Infection
« Reply #11 on: Oct 11th, 2006, 5:43am »

siliconman01:
Have done everything as instructed. Below is the Bit Defender log and the latest HT log.
 
 
Gavin_Coe:
Sorry but I don't understand your instructions.
 
 
Bit Defender Log
C:\Temp\System\b116.exe=>(NSIS o)=>lzma_solid_nsis0002
 Infected with: Trojan.Downloader.PurityScan.AR
 
C:\Temp\System\b116.exe=>(NSIS o)=>lzma_solid_nsis0002
 Disinfection failed
 
C:\Temp\System\b116.exe=>(NSIS o)=>lzma_solid_nsis0002
 Deleted
 
C:\Temp\System\b116.exe=>(NSIS o)
 Update failed
 
C:\Temp\System\mst4B0.tmp
 Infected with: Trojan.Agent.TEX
 
C:\Temp\System\mst4B0.tmp
 Disinfection failed
 
C:\Temp\System\mst4B0.tmp
 Deleted
 
C:\WINDOWS\system32\ismini.exe
 Infected with: Trojan.Zlob.DX
 
C:\WINDOWS\system32\ismini.exe
 Disinfection failed
 
C:\WINDOWS\system32\ismini.exe
 Deleted
 
C:\WINDOWS\system32\tuvvusq.dll
 Infected with: DeepScan:Generic.Malware.SYddldg.6AD3E836
 
C:\WINDOWS\system32\tuvvusq.dll
 Disinfection failed
 
C:\WINDOWS\system32\tuvvusq.dll
 Delete failed
 
C:\WINDOWS\system32\winuyw32.dll
 Infected with: Trojan.Klone.H
 
C:\WINDOWS\system32\winuyw32.dll
 Disinfection failed
 
C:\WINDOWS\system32\winuyw32.dll
 Delete failed
 
 
HT Log
Logfile of HijackThis v1.99.1
Scan saved at 8:27:33 PM, on 11/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Lexmark 3300 Series\lxccmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\system32\lxcccoms.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloaded\letslook.exe
 
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E24427B-DF2A-40EB-980B-A819F5FF3DD0} - C:\WINDOWS\system32\tuvvusq.dll
O2 - BHO: (no name) - {4A0857CB-B61D-2203-019A-01BD81DA11C0} - C:\WINDOWS\system32\qmstfun.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8C83FF8E-2B72-42F0-B1E5-38383E1D4027} - C:\WINDOWS\system32\vtstq.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [LXCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxccmon.exe] "C:\Program Files\Lexmark 3300 Series\lxccmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [wgosrej.dll] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\wgosrej.dll,oxdzwwb
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1148596071125
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: tuvvusq - C:\WINDOWS\SYSTEM32\tuvvusq.dll
O20 - Winlogon Notify: vtstq - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winuyw32 - C:\WINDOWS\SYSTEM32\winuyw32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: lxcc_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxcccoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
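What a responder should read out of the HJT log above is the pairing of persistence points. tuvvusq.dll and vtstq are registered both as nameless BHOs (O2, loaded into Internet Explorer) and as Winlogon Notify packages (O20, loaded into winlogon.exe from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify); winuyw32.dll is a Notify package on its own; wgosrej.dll is started through rundll32 from a Run value that is simply named after the DLL. A DLL mapped into winlogon.exe is locked for as long as that process runs, which is consistent with BitDefender deleting ismini.exe but reporting "Delete failed" for tuvvusq.dll and winuyw32.dll. The following Python script is an added example, not code from the thread, from HijackThis or from TrojanHunter: it parses those log lines and flags each indicator. The allowlist of known Notify subkeys and the "Run value named after its DLL" heuristic are assumptions for illustration, and the sample lines are excerpted from the log above.

```python
"""Correlate HijackThis O2 / O4 / O20 lines to surface a Winlogon Notify hook.

Added example: not code from the thread, from HijackThis or from TrojanHunter.
It parses HijackThis 1.99-style log lines and flags the pattern seen above:
a randomly named system32 DLL registered both as a Browser Helper Object
(O2, loaded into Internet Explorer) and as a Winlogon Notify package (O20,
loaded into winlogon.exe), plus a rundll32 Run entry named after its DLL.
"""
import re

# Assumption: a small illustrative allowlist of Notify subkeys expected on the
# box in the thread (WgaLogon = Windows Genuine Advantage, WRNotifier = Webroot
# Spy Sweeper).  A real triage would use a fuller, maintained list.
KNOWN_NOTIFY = {"wgalogon", "wrnotifier"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>[^\\]+)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
RUNDLL_RE = re.compile(r'(?i)rundll32(?:\.exe)?"?\s+"?([^\s",]+\.dll)')

# Sample input: lines excerpted verbatim from the HijackThis log posted above.
HJT_EXCERPT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0E24427B-DF2A-40EB-980B-A819F5FF3DD0} - C:\WINDOWS\system32\tuvvusq.dll
O2 - BHO: (no name) - {4A0857CB-B61D-2203-019A-01BD81DA11C0} - C:\WINDOWS\system32\qmstfun.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8C83FF8E-2B72-42F0-B1E5-38383E1D4027} - C:\WINDOWS\system32\vtstq.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [wgosrej.dll] "C:\WINDOWS\system32\rundll32.exe" C:\WINDOWS\system32\wgosrej.dll,oxdzwwb
O20 - Winlogon Notify: tuvvusq - C:\WINDOWS\SYSTEM32\tuvvusq.dll
O20 - Winlogon Notify: vtstq - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winuyw32 - C:\WINDOWS\SYSTEM32\winuyw32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
""".strip().splitlines()


def basename(path):
    """Lower-cased last path component; '' when HijackThis truncated the path
    (it prints 'C:\\WINDOWS\\' for the vtstq entry above)."""
    return path.strip().rsplit("\\", 1)[-1].lower()


def parse_hjt(lines):
    """Split the relevant lines into BHOs, rundll32 Run entries and Notify keys."""
    bhos, loaders, notify = {}, {}, {}
    for line in lines:
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            bhos[basename(m["path"])] = (m["name"], m["path"])
            continue
        m = O4_RE.match(line)
        if m:
            d = RUNDLL_RE.search(m["cmd"])
            if d:
                loaders[m["value"].lower()] = basename(d.group(1))
            continue
        m = O20_RE.match(line)
        if m:
            notify[m["key"].lower()] = basename(m["path"])
    return bhos, loaders, notify


def analyze(lines):
    """Return the indicators a responder would act on, each as a sorted list."""
    bhos, loaders, notify = parse_hjt(lines)
    unknown = {k: d for k, d in notify.items() if k not in KNOWN_NOTIFY}
    paired = set()
    for key, dll in unknown.items():
        # Match on the DLL name, or on the subkey name when the path was
        # truncated: these hooks name the Notify subkey after the DLL.
        for candidate in (dll, key + ".dll"):
            if candidate in bhos:
                paired.add(candidate)
    return {
        "winlogon_notify_unknown": sorted(unknown),
        "winlogon_notify_truncated": sorted(k for k, d in unknown.items() if not d),
        "bho_and_notify": sorted(paired),
        "nameless_system32_bho": sorted(
            d for d, (name, path) in bhos.items()
            if name == "(no name)" and "\\system32\\" in path.lower()),
        # Assumption (weak heuristic): a Run value named exactly after the DLL
        # it loads, unlike descriptive vendor names such as NvCplDaemon.
        "rundll32_self_named": sorted(
            d for value, d in loaders.items() if value == d),
    }


def report(lines):
    """Print one line per indicator; returns how many lines were printed."""
    count = 0
    for indicator, items in analyze(lines).items():
        for item in items:
            print(f"{indicator}: {item}")
            count += 1
    return count


if __name__ == "__main__":
    report(HJT_EXCERPT)
```

Running it against the excerpt reports tuvvusq.dll and vtstq.dll under bho_and_notify, all three non-allowlisted Notify keys, and wgosrej.dll as the self-named rundll32 loader; the vtstq entry is caught through its subkey name even though HijackThis printed a truncated path for it.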
siliconman01
Global Moderator
Trojans! Chew 'em Up, Spit 'em Out...
Posts: 5668
Re: I have a Winlogonhook Infection
« Reply #12 on: Oct 11th, 2006, 5:49am »

Okay, BitDefender found the infection but was unable to delete it.
 
1.  Update the rulesets of TrojanHunter to the very latest rules issued over night.  After you update, if you open TH scanner and click on the Trojans icon on the left side bar, you should have 87562 rulesets.
 
2.  Then reboot your computer into SAFE MODE.
 
3.  Run TrojanHunter scanner and let it remove/quarantine what it finds.
 
4.  Boot back into Normal Mode.  
 
Please post back the TH scan log and also a new HJT after you boot back into Normal mode.

______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
markd
Newbie
Posts: 11
Re: I have a Winlogonhook Infection
« Reply #13 on: Oct 11th, 2006, 5:57am »

Gavin_Coe:
Sorry, I'm with you now on your second post and have deleted 'winuyw32.zip'.
 
On your first post, do you mean update TrojanHunter and after a full 'safe mode' scan it should remove all of the problem files?
 
Thanks for your help, BTW.
markd
Newbie
Posts: 11
Re: I have a Winlogonhook Infection
« Reply #14 on: Oct 11th, 2006, 6:00am »

Thanks, siliconman01. You answered my question as I was asking it! I will update and scan.