   [Fixed:] trojan agent winlogonhook
joshua_dsouza86
[Fixed:] trojan agent winlogonhook
« on: Mar 12th, 2006, 3:21pm »
Hi,
 
When I do a sweep with Spy Sweeper it finds this trojan. After the sweep is over and I remove the trojan and restart my computer, when I do a sweep it is back again. It always happens. Can anyone help me to remove this? Please, thanks in advance.
 
[Fixed:] added to topic by siliconman01
« Last Edit: Mar 14th, 2006, 4:09am by siliconman01 »
siliconman01
Re: trojan agent winlogonhook
« Reply #1 on: Mar 12th, 2006, 3:42pm »
Welcome to the forum joshua_dsouza86  Cheesy
 
Others have had Spy Sweeper detect this specific winlogonhook. Please see this thread:
 
http://forum.misec.net/board/TrojanHunter/1140816403
 
The last post directs the posters to a thread where a user was successful in removing the Spy Sweeper detection.  Please go there and see if you are successful in removing it for Spy Sweeper.
______
TrojanHunter V5.0.962...No. 1 AT in my Book and on my Box!
joshua_dsouza86
Re: trojan agent winlogonhook
« Reply #2 on: Mar 12th, 2006, 7:17pm »
on Mar 12th, 2006, 3:42pm, siliconman01 wrote:
Welcome to the forum joshua_dsouza86  Cheesy
 
Others have had Spy Sweeper detect this specific winlogonhook. Please see this thread:
 
http://forum.misec.net/board/TrojanHunter/1140816403
 
The last post directs the posters to a thread where a user was successful in removing the Spy Sweeper detection.  Please go there and see if you are successful in removing it for Spy Sweeper.

 
Going through the forum, the solution given over there refers to a fix on that person's computer, which will surely be different on mine, probably in registry entries or some other way. Could anyone guide me please? I really need to get done with this problem by today because this is on some other person's PC that I am trying to remove it from. Thanks.
siliconman01
Re: trojan agent winlogonhook
« Reply #3 on: Mar 13th, 2006, 3:12am »
Do you have TrojanHunter V4.2 on this system?  
 
If not, please download the trial version and manually update to the latest definitions (the trial version does not allow for automatic liveupdate of the definitions).
 
http://forum.misec.net/board/FAQ/1142067076
 
Also I assume you have updated the Definitions in Spy Sweeper to the latest ruleset No. 630 before running a sweep by it.
 
- Open Spy Sweeper and temporarily disable all of its shields.  
- Uncheck the "Load on Startup" option in SS Options 
- Reboot the computer.
- Disable your antivirus program temporarily and close down all other programs running in the lower right systray.
- Open TH scanner and set all the items active that are under the OPTIONS icon on the left side bar of the TH window.
- Run a FULL scan.  
 
Does TH scanner find any malicious items?  
 
Also please go to C:\Documents and Settings\User Name\Application Data\Webroot\SpySweeper\Logs and open the logs folder.  Copy the latest scan log and paste it into this post so that we see what SS is finding.  
 
« Last Edit: Mar 13th, 2006, 3:17am by siliconman01 »
joshua_dsouza86
Re: trojan agent winlogonhook
« Reply #4 on: Mar 13th, 2006, 10:28am »
Thanks for the reply....
 
TrojanHunter says there are no trojans found. Here is the scan report:
 
Registry scan
No suspicious entries found
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
No trojans found in memory
File scan
Error: Directory not found: A:\
C:\pagefile.sys  Not scanned (in use by another application)
Warning: Executable file with double extensions found: C:\Program Files\Microsoft Office\OFFICE11\Microsoft.Office.Interop.InfoPath.Xml.dll
Warning: Unable to unpack UPX-packed file C:\Program Files\TrojanHunter 4.2\InstTimeUpdater.exe (Add to ignore list)
Warning: Unable to unpack UPX-packed file C:\WINDOWS\$NtServicePackUninstall$\usbuhci.sys (Add to ignore list)
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.InfoPath.Xml\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.InfoPath.Xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.VisualBasic.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\Microsoft.Vsa\7.0.5000.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC\System.Xml\1.0.5000.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_3e4942f2\System.Xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_add4af38\System.Xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.Web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\System.XML.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\mscorrc.chs.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\mscorrc.cht.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\mscorrc.ger.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\mscorrc.kor.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\system.web.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\system.xml.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\vbc7ui.chs.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\vbc7ui.cht.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\vbc7ui.ger.dll
Warning: Executable file with double extensions found: C:\WINDOWS\ServicePackFiles\i386\vbc7ui.kor.dll
Found NTFS alternate data stream: C:\WINDOWS\system32\LegitCheckControl.dll:Zone.Identifier:$DATA (View ADS stream...) (Delete ADS stream)
Warning: Executable file with double extensions found: C:\WINDOWS\Temp\win1C.tmp.exe
Warning: Executable file with double extensions found: C:\WINDOWS\Temp\win25.tmp.exe
Warning: Executable file with double extensions found: C:\WINDOWS\Temp\win2D.tmp.exe
Warning: Executable file with double extensions found: C:\WINDOWS\Temp\win31.tmp.exe
Warning: Executable file with double extensions found: C:\WINDOWS\Temp\win36.tmp.exe
Warning: Executable file with double extensions found: C:\WINDOWS\Temp\win39.tmp.exe
Warning: Executable file with double extensions found: C:\WINDOWS\Temp\win42.tmp.exe
Warning: Executable file with double extensions found: C:\WINDOWS\Temp\winB.tmp.exe
Error: Directory not found: D:\
Error: Directory not found: E:\
No trojan files found
12668 files scanned in 1228 seconds
 
 
Spyware Sweeper log file says:
 
********
5:27 PM: |  Start of Session, Monday, March 13, 2006  |
5:27 PM: Spy Sweeper started
5:27 PM: Sweep initiated using definitions version 630
5:27 PM: Found Trojan Horse: trojan-downloader-zlob
5:27 PM: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || wininet.dll (ID = 1052561)
5:27 PM: dfrgsrv.exe (ID = 1052561)
5:27 PM: Starting Memory Sweep
5:40 PM: Memory Sweep Complete, Elapsed Time: 00:13:55
5:40 PM: Starting Registry Sweep
5:41 PM:   HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || wininet.dll (ID = 797671)
5:41 PM:   Found Trojan Horse: trojan agent winlogonhook
5:41 PM:   HKLM\software\microsoft\mssmgr\  (12 subtraces) (ID = 937101)
5:41 PM: Registry Sweep Complete, Elapsed Time:00:00:52
5:41 PM: Starting Cookie Sweep
5:41 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
5:41 PM: Starting File Sweep
5:54 PM:   Found Trojan Horse: trojan-downloader-aux
5:54 PM:   mullbin1[1].exe (ID = 256507)
5:54 PM:   win29.tmp.exe (ID = 256507)
6:11 PM:   Warning: Invalid Stream
6:11 PM: File Sweep Complete, Elapsed Time: 00:29:25
6:11 PM: Full Sweep has completed.  Elapsed time 00:44:19
6:11 PM: Traces Found: 18
6:31 PM: Removal process initiated
6:31 PM:   Quarantining All Traces: trojan-downloader-zlob
6:31 PM:   Quarantining All Traces: trojan agent winlogonhook
6:31 PM:   Quarantining All Traces: trojan-downloader-aux
6:31 PM: Removal process completed.  Elapsed time 00:00:10
********
 
Note: after doing the Spy Sweeper sweep, trojan-downloader-zlob and trojan-downloader-aux have been removed, but trojan agent winlogonhook still reappears.
 
Waiting for the next step. Thanks a lot for your help.
siliconman01
Re: trojan agent winlogonhook
« Reply #5 on: Mar 13th, 2006, 12:00pm »
Please go to http://www.majorgeeks.com/download3155.html and download and install Hijackthis 1.99.1.  Put it in a folder under C:\Program Files....such as C:\Program Files\Hijackthis.
 
Be sure you have rebooted and have not run a scan with Spy Sweeper...
 
Set up HiJackThis and run a scan of the system.  Save the log and then copy/paste the log results here.  It may take two separate posts because the log file may be longer than the allowed limit of each post on this forum.
siliconman01
Re: trojan agent winlogonhook
« Reply #6 on: Mar 13th, 2006, 12:29pm »
Then go here: http://forum.misec.net/board/FAQ/1141894786
 
and run a remote scan using Kaspersky and then Panda
 
to see if either of these can detect and remove this critter.
 
Before running these scans, be sure that:
 
1.  The resident AV scanner on the system is deactivated.
2.  That all shields in Spy Sweeper have been deactivated.
3.  The system is rebooted freshly so that this malicious file that Spy Sweeper detects has been regenerated.
 
joshua_dsouza86
Re: trojan agent winlogonhook
« Reply #7 on: Mar 13th, 2006, 12:47pm »
Logfile of HijackThis v1.98.2
Scan saved at 9:41:20 PM, on 3/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\program files\advanced system optimizer\memtuneup.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\Documents and Settings\Walter Monteiro\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [BDMCon] c:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Systweak Memory Optimizer] c:\program files\advanced system optimizer\memtuneup.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142093734666
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
 
It all fits in a single post. Anyway, please keep me updated; I am running the remote scans now.
 
siliconman01
Re: trojan agent winlogonhook
« Reply #8 on: Mar 13th, 2006, 1:54pm »
You have an old version of HiJackThis.  Please download version 1.99.1 from the majorgeeks link provided above and repost a scan from this current version of HJT.
 
Also do not install on the Desktop.  Put in a folder on the hard drive.
« Last Edit: Mar 13th, 2006, 1:57pm by siliconman01 »
joshua_dsouza86
Re: trojan agent winlogonhook
« Reply #9 on: Mar 13th, 2006, 3:24pm »
This is Kaspersky's report:
 
KASPERSKY ON-LINE SCANNER REPORT  
Tuesday, March 14, 2006 12:06:21 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 13/03/2006
Kaspersky Anti-Virus database records: 171217
 
 
Scan Settings  
Scan using the following antivirus database standard  
Scan Archives true  
Scan Mail Bases true  
 
Scan Target My Computer  
A:\
C:\
D:\
E:\  
 
Scan Statistics  
Total number of scanned objects 38153  
Number of viruses found 4  
Number of infected objects 18  
Number of suspicious objects 0  
Duration of the scan process 01:39:32  
 
Infected Object Name Virus Name Last Action  
C:\Documents and Settings\Walter Monteiro\Local Settings\Temporary Internet Files\Content.IE5\8NJFV2BY\winit64[1].exe  Infected: Trojan.Win32.Dialer.oy  skipped  
 
C:\Documents and Settings\Walter Monteiro\Local Settings\Temporary Internet Files\Content.IE5\E5GBY98H\winit64[1].exe  Infected: Trojan.Win32.Dialer.oy  skipped  
 
C:\Documents and Settings\Walter Monteiro\Local Settings\Temporary Internet Files\Content.IE5\E5GBY98H\winit64[2].exe  Infected: Trojan.Win32.Dialer.oy  skipped  
 
C:\Documents and Settings\Walter Monteiro\Local Settings\Temporary Internet Files\Content.IE5\HMBPXBD3\rdgKW2404[1].exe  Infected: Trojan-Downloader.Win32.Small.ayl  skipped  
 
C:\Documents and Settings\Walter Monteiro\Local Settings\Temporary Internet Files\Content.IE5\HMBPXBD3\winit64[1].exe  Infected: Trojan.Win32.Dialer.oy  skipped  
 
C:\Documents and Settings\Walter Monteiro\Local Settings\Temporary Internet Files\Content.IE5\WTUJ8TQB\srvlbin5[1].exe  Infected: Trojan.Win32.Dialer.oy  skipped  
 
C:\WINDOWS\system32\wintjv32.dll  Infected: Trojan-Downloader.Win32.Small.cml  skipped  
 
C:\WINDOWS\Temp\ciedmkmd.exe  Infected: Trojan.Win32.Dialer.ay  skipped  
 
C:\WINDOWS\Temp\kcnigomd.exe  Infected: Trojan.Win32.Dialer.ay  skipped  
 
C:\WINDOWS\Temp\win13.tmp.exe  Infected: Trojan.Win32.Dialer.oy  skipped  
 
C:\WINDOWS\Temp\win19.tmp.exe  Infected: Trojan.Win32.Dialer.oy  skipped  
 
C:\WINDOWS\Temp\win1C.tmp.exe  Infected: Trojan.Win32.Dialer.oy  skipped  
 
C:\WINDOWS\Temp\win2D.tmp.exe  Infected: Trojan.Win32.Dialer.oy  skipped  
 
C:\WINDOWS\Temp\win31.tmp.exe  Infected: Trojan.Win32.Dialer.oy  skipped  
 
C:\WINDOWS\Temp\win36.tmp.exe  Infected: Trojan.Win32.Dialer.oy  skipped  
 
C:\WINDOWS\Temp\win39.tmp.exe  Infected: Trojan.Win32.Dialer.oy  skipped  
 
C:\WINDOWS\Temp\win42.tmp.exe  Infected: Trojan.Win32.Dialer.oy  skipped  
 
C:\WINDOWS\Temp\winB.tmp.exe  Infected: Trojan.Win32.Dialer.oy  skipped  
 
Scan process completed.  
 
This is the HijackThis report:
 
Logfile of HijackThis v1.99.1
Scan saved at 12:16:38 AM, on 3/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\progra~1\softwin\bitdef~1\bdmcon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\program files\advanced system optimizer\memtuneup.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender9\vsserv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\hijack this\HijackThis.exe
 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchcust.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [BDMCon] c:\progra~1\softwin\bitdef~1\bdmcon.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Systweak Memory Optimizer] c:\program files\advanced system optimizer\memtuneup.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142093734666
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C3A2A44-C6A1-4E83-BFCD-9B5E7E241E35} : NameServer = 195.226.224.72 195.226.224.74
O17 - HKLM\System\CS1\Services\Tcpip\..\{6C3A2A44-C6A1-4E83-BFCD-9B5E7E241E35} : NameServer = 195.226.224.72 195.226.224.74
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: wintjv32 - C:\WINDOWS\SYSTEM32\wintjv32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
 
Please guide me with the next step. Thanks.
 
 
siliconman01
Re: trojan agent winlogonhook
« Reply #10 on: Mar 13th, 2006, 4:27pm »
Go here http://forum.misec.net/board/FAQ/1139610900 and make sure all your files/folders are visible to you.  Be sure you are booted as a user with full administrative privileges.
 
Close down Internet Explorer  
 
Go to START-SETTINGS-CONTROL PANEL-INTERNET OPTIONS and clean out all your temporary internet files and cookies and history.
 
Using Windows Explorer, go to C:\Windows\Temp and clean out this folder.  You may have to boot into SAFE MODE to remove all the files in this Temp folder.
 
Run another remote scan with Kaspersky to see if the dialer files are gone.
 
I'm looking at the HJT log.
siliconman01
Re: trojan agent winlogonhook
« Reply #11 on: Mar 13th, 2006, 4:48pm »
After the scan with Kaspersky is completed, download KillBox from http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41
 
You can place it on your desktop.  
Do not run Killbox yet.
 
Run another HJT scan.  
 
Put a checkmark in the box for:
O20 - Winlogon Notify: wintjv32 - C:\WINDOWS\SYSTEM32\wintjv32.dll  
 
Close all open Windows except Hijackthis and click on "fix Checked".
 
Now run Killbox and select Delete on Reboot.  
Paste the line below into the box and press the red X button.  
When it asks you if you want to reboot, say yes to reboot the Computer.  
 
C:\WINDOWS\SYSTEM32\wintjv32.dll  
 
After the Computer reboots take another HJT scan and post a new log.
 
 
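The O20 line siliconman01 singled out is a Winlogon Notify DLL, which winlogon.exe loads at every logon; that is why the Spy Sweeper detection came back after each reboot. The script below is an added example, not part of this thread or of HijackThis, Spy Sweeper or Kaspersky: it pulls the O20 entries out of a HijackThis log, pulls the "Infected:" lines out of a Kaspersky on-line scanner report, and matches the two by path (case-insensitively, because HJT prints SYSTEM32 where Kaspersky prints system32). The sample log lines are constructed excerpts of the logs posted above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: two O20 lines and one O4 line in the format of the HJT log in reply #9.
HJT_LOG = r"""
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O20 - Winlogon Notify: wintjv32 - C:\WINDOWS\SYSTEM32\wintjv32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
""".strip()

# Constructed sample: two lines in the format of the Kaspersky on-line scanner report in reply #9.
KAV_REPORT = r"""
C:\WINDOWS\system32\wintjv32.dll  Infected: Trojan-Downloader.Win32.Small.cml  skipped
C:\WINDOWS\Temp\winB.tmp.exe  Infected: Trojan.Win32.Dialer.oy  skipped
""".strip()

# "O20 - Winlogon Notify: <subkey name> - <DLL path>"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+?)\s*$")
# "<path>  Infected: <verdict>  <last action>"
KAV_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<verdict>\S+)")


def norm_path(path: str) -> str:
    """Windows paths are case-insensitive: HJT prints SYSTEM32, Kaspersky prints system32."""
    return path.strip().strip('"').lower()


def parse_o20(log: str) -> List[Dict[str, str]]:
    """Return every Winlogon Notify entry (subkey name and DLL path) in a HijackThis log."""
    entries = []
    for line in log.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries.append({"name": m.group("name"), "path": m.group("path")})
    return entries


def parse_kav(report: str) -> Dict[str, str]:
    """Map each infected object's normalised path to the scanner's verdict."""
    verdicts: Dict[str, str] = {}
    for line in report.splitlines():
        m = KAV_RE.match(line.strip())
        if m:
            verdicts[norm_path(m.group("path"))] = m.group("verdict")
    return verdicts


def correlate(hjt_log: str, kav_report: str) -> List[Dict[str, Optional[str]]]:
    """Attach the AV verdict (or None) to each Winlogon Notify DLL.

    A Notify DLL is loaded by winlogon.exe at every logon, so one that the
    scanner flags explains a detection that comes back after every reboot.
    """
    verdicts = parse_kav(kav_report)
    results: List[Dict[str, Optional[str]]] = []
    for entry in parse_o20(hjt_log):
        results.append({**entry, "verdict": verdicts.get(norm_path(entry["path"]))})
    return results


if __name__ == "__main__":
    for r in correlate(HJT_LOG, KAV_REPORT):
        status = f"FLAGGED ({r['verdict']})" if r["verdict"] else "no AV verdict; verify the vendor"
        print(f"{r['name']:<12} {r['path']}  ->  {status}")
```

An O20 DLL with no verdict (WRNotifier here, Webroot's own logon notifier) is not cleared by this check alone; it only tells you which entries the scanner did and did not recognise.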
joshua_dsouza86
Re: trojan agent winlogonhook
« Reply #12 on: Mar 13th, 2006, 7:06pm »
I have successfully got the trojan out of my system. I got the hint as soon as I got the Kaspersky scan results. Deleted the file using HijackThis's delete-on-boot-up function and emptied all the temp folders. Scanned again; everything is perfect. My internet speed has got faster, and so has my computer. Thanks a lot for your help. Really appreciate it. Thank you.
siliconman01
Re: trojan agent winlogonhook
« Reply #13 on: Mar 13th, 2006, 7:37pm »
Great!  Glad you are all fixed and back to normal operating speed.  Cheesy