Infected with the winlogonhook trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by gman123, Jul 12, 2007.

  1. gman123

    gman123 Private E-2

    Looking for help with the trojan winlogonhook detected with spysweeper. This pesky trojan has been stuck on my computer for weeks and webroot hasn't been very helpful.
     
  2. gman123

    gman123 Private E-2

    Sorry... I need to run some steps before attaching my HijackThis logfile
     
    Last edited: Jul 12, 2007
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Since winlogonhook often comes at the same time as Virtumonde infections and sometimes even more, you really need to do the below.

    NOTE: It is critical that you follow our directions for installing and renaming HijackThis.exe as stated in step 7 of the below sticky.


    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, renaming, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy - only for Windows XP, 2K, & NT users
      • AVG Antispyware log - ONLY IF NEEDED, i.e. if you were not able to run CounterSpy. - only for Windows XP, 2K, & NT users
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  4. gman123

    gman123 Private E-2

    Thank you for the help.... I've run through all the cleaning steps and unfortunately Virtumonde and winlogon remain.... I'm posting my log files from the cleansing steps. Please let me know what else I can do.
     

    Attached Files:

  5. gman123

    gman123 Private E-2

    And the final three logs... I ran through the sticky thread in detail... used CCleaner, defragged my computer.... ran Spybot Search and Destroy... it found Virtumonde but did not clean it... the same for all other anti-virus programs...

    CounterSpy could not be run due to my admin settings so I ran AVG Anti-Spyware

    I ran Spysweeper one last time... and it's showing winlogonhook still being there
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    First a couple questions:
    1. Is Spy Sweeper a paid version or a free trial?
    2. Did you configure the below settings yourself:
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=http://webcache.sfbay.sun.com:8080;gopher=http://webcache.sfbay.sun.com:8080;http=http://webcache.sfbay.sun.com:8080;https=http://webcache.sfbay.sun.com:8080
     
  7. gman123

    gman123 Private E-2

    1) yes... it's a paid subscription... I logged a ticket with Webroot, and they've been little to no help.

    2) I didn't configure the first two... however, the third I don't remember setting, but it looks to be the mail server to where I'm working.... at least the sfbay.sun.com part...
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Ok then I recommend that you uninstall AVG Antispyware now to avoid conflicts. I hope you will find us to be a lot more help. ;)

    Okay! I added the first two to my fix below.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 7
    Java 2 Runtime Environment, SE v1.4.2_07
    Java(TM) SE Runtime Environment 6

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://wpad/wpad.dat
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm080YYUS
    O16 - DPF: {00000005-0000-0000-0000-100009000004} - http://c.imputati.com/l/9d5807bd11a806b37f6e8618a8a0b4ff_35.exe
    O20 - Winlogon Notify: awtqp - C:\WINDOWS\system32\awtqp.dll (file missing)
    O20 - Winlogon Notify: awttq - C:\WINDOWS\system32\awttq.dll (file missing)
    O20 - Winlogon Notify: ddcbx - C:\WINDOWS\system32\ddcbx.dll (file missing)
    O20 - Winlogon Notify: ljjgh - C:\WINDOWS\system32\ljjgh.dll (file missing)
    O20 - Winlogon Notify: pmnol - C:\WINDOWS\system32\pmnol.dll (file missing)
    O20 - Winlogon Notify: urstq - C:\WINDOWS\system32\urstq.dll (file missing)
    O20 - Winlogon Notify: wingob32 - wingob32.dll (file missing)
    O20 - Winlogon Notify: wvuuvtq - wvuuvtq.dll (file missing)
    O20 - Winlogon Notify: xxywtsp - xxywtsp.dll (file missing)

    After clicking Fix, exit HJT.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey
    3. ShowNew
    4. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 8 of the READ & RUN ME. This only applies if using WinXP or WinMe.
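The O20 lines in the fix above are the Winlogon Notify entries HijackThis reports. As an added illustration (not part of this thread or of HijackThis itself), the script below parses such lines from a log and flags the ones worth attention: entries whose DLL is absent (the "(file missing)" leftovers seen here) and entries whose subkey name is not one of the notification packages a stock Windows XP install registers. The sample log lines are constructed from the entries quoted in this thread plus one stock entry (crypt32chain) to show what is not flagged; the stock-name allowlist is an assumption about a default XP install.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines of the kind HijackThis prints, including
# the O20 entries quoted in this thread and one stock XP entry.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe
O20 - Winlogon Notify: awtqp - C:\WINDOWS\system32\awtqp.dll (file missing)
O20 - Winlogon Notify: wingob32 - wingob32.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O16 - DPF: {00000005-0000-0000-0000-100009000004} - http://c.imputati.com/l/9d5807bd11a806b37f6e8618a8a0b4ff_35.exe
"""

# O20 line shape: "O20 - Winlogon Notify: <subkey> - <dll path> [(file missing)]"
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?\s*$"
)

# Allowlist (assumption): Winlogon\Notify subkeys present on a stock Windows XP
# install. Anything outside this set deserves a look, not automatic deletion.
STOCK_XP_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}


@dataclass
class NotifyEntry:
    name: str
    dll: str
    file_missing: bool
    reasons: list = field(default_factory=list)


def parse_o20(log_text):
    """Extract every O20 Winlogon Notify line from a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            entries.append(NotifyEntry(m["name"], m["dll"], m["missing"] is not None))
    return entries


def flag_suspicious(entries):
    """Attach a reason to each entry that is dangling or not a stock package."""
    flagged = []
    for e in entries:
        if e.file_missing:
            e.reasons.append("registered DLL is absent (dangling Notify entry)")
        if e.name not in STOCK_XP_NOTIFY:
            e.reasons.append("not a stock XP notification package")
        if e.reasons:
            flagged.append(e)
    return flagged


def report(log_text):
    """Return one human-readable line per flagged O20 entry."""
    return [f"{e.name}: {e.dll} -> {'; '.join(e.reasons)}"
            for e in flag_suspicious(parse_o20(log_text))]


if __name__ == "__main__":
    for line in report(SAMPLE_HJT_LOG):
        print(line)
```

A dangling Notify entry is harmless by itself once the DLL is gone, but it is exactly what HijackThis lists for fixing, and a subkey name outside the stock set with a DLL that does exist is the case that needs a closer look before anything is removed.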
     
  9. gman123

    gman123 Private E-2

    The good news... is that it looks as if the trojan is gone...
    the very very bad news is that it looks as if windows/microsoft looks like it's hosed.... I can't access any of my office apps. and the Start > All Programs menu is completely gone... when I try to access an MS program it brings up a windows installer and doesn't load anything.... :cry
     

    Attached Files:

  10. gman123

    gman123 Private E-2

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well that makes no sense since if you look at the log from Avenger, it failed to delete everything. Are you sure you only ran what was requested? Did you run anything else at all? Even your log from ShowNew indicates that something removed all information on installed programs that was in the Uninstall key in your registry. You can see this by looking at the end of your current newfiles.txt log and comparing to the end of your first log.

    Are you sure you were not playing with anything else including HJT on your own? Even your HJT log indicates some other items are now missing and we did not touch these.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see some other malware on your PC. Looks like your winlogon.exe file is infected or has been replaced by a fake process.

    Also, all of the below just showed up in your newfiles.txt log. They were not there previously.
    Code:
    "C:\"
    avexport.bat  Jul 17 2007        3984  "avexport.bat"
    dhtjccsn.bat  Jul 17 2007        1080  "dhtjccsn.bat"
    jiglhwgs.bat  Jul 17 2007        1080  "jiglhwgs.bat"
    vddknvyi.bat  Jul 17 2007        1080  "vddknvyi.bat"
    zip.exe       Jul 17 2007      126976  "zip.exe"
    You should delete all of these files.

    Also delete the below files:
    Code:
    "C:\WINDOWS\system32\drivers\"
    idvbwejr.sys  Jul 17 2007       60416  "idvbwejr.sys"
    tcdhlfig.sys  Jul 17 2007       60416  "tcdhlfig.sys"
    xckouwdb.sys  Jul 17 2007       60416  "xckouwdb.sys"
    Fixing the winlogon.exe file is going to take some special steps and we will also have to do it in safe mode. But first I wanted to try removing the above items. Let me know if you have any problems removing the above files.
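The two posts above rely on reading the newfiles.txt listing and noticing what appeared since the previous run. As an added example (not the thread's own tool and not ShowNew itself), the script below parses that listing format, diffs it against an earlier listing, and groups the new files by directory, extension and size, because several freshly dropped files of identical size with random names, like the three .bat files and three .sys drivers shown here, are a pattern worth surfacing on their own. The two listings are constructed: the new entries are the ones quoted in this thread, and the baseline entries (boot.ini, ntfs.sys) with their sizes are made up for the example.

```python
import re
from collections import defaultdict

# Constructed baseline listing (file sizes are made up for this example).
BASELINE = r'''
"C:\"
boot.ini      Aug 04 2004         211  "boot.ini"
"C:\WINDOWS\system32\drivers\"
ntfs.sys      Aug 04 2004      574976  "ntfs.sys"
'''

# Constructed current listing: the baseline plus the entries quoted in the thread.
CURRENT = r'''
"C:\"
avexport.bat  Jul 17 2007        3984  "avexport.bat"
boot.ini      Aug 04 2004         211  "boot.ini"
dhtjccsn.bat  Jul 17 2007        1080  "dhtjccsn.bat"
jiglhwgs.bat  Jul 17 2007        1080  "jiglhwgs.bat"
vddknvyi.bat  Jul 17 2007        1080  "vddknvyi.bat"
zip.exe       Jul 17 2007      126976  "zip.exe"
"C:\WINDOWS\system32\"
%COMMO~1      Jul 17 2007              "%commonprogramfiles%"
%PROGR~1      Jul 17 2007              "%programfiles%"
"C:\WINDOWS\system32\drivers\"
idvbwejr.sys  Jul 17 2007       60416  "idvbwejr.sys"
ntfs.sys      Aug 04 2004      574976  "ntfs.sys"
tcdhlfig.sys  Jul 17 2007       60416  "tcdhlfig.sys"
xckouwdb.sys  Jul 17 2007       60416  "xckouwdb.sys"
'''

# A directory header is a quoted path ending in a backslash.
DIR_RE = re.compile(r'^"(?P<dir>[A-Za-z]:\\.*)"\s*$')
# An entry is: 8.3 name, "Mon DD YYYY", optional size (absent for folders), quoted long name.
ENTRY_RE = re.compile(
    r'^(?P<short>\S+)\s+(?P<date>[A-Z][a-z]{2} \d{1,2} \d{4})\s+'
    r'(?:(?P<size>\d+)\s+)?"(?P<name>[^"]+)"\s*$'
)


def parse_listing(text):
    """Return {full_path: (date, size_or_None)} from a newfiles.txt-style listing."""
    entries, current_dir = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        d = DIR_RE.match(line)
        if d:
            current_dir = d["dir"]
            continue
        e = ENTRY_RE.match(line)
        if e and current_dir is not None:
            size = int(e["size"]) if e["size"] else None
            entries[current_dir + e["name"]] = (e["date"], size)
    return entries


def new_entries(baseline, current):
    """Paths present in the current listing but not in the baseline."""
    return sorted(p for p in current if p not in baseline)


def same_size_siblings(paths, listing):
    """Group new files by (directory, extension, size); keep groups of two or more."""
    groups = defaultdict(list)
    for p in paths:
        directory, _, name = p.rpartition("\\")
        size = listing[p][1]
        if size is None:          # folders carry no size; skip them here
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        groups[(directory + "\\", ext, size)].append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    cur = parse_listing(CURRENT)
    added = new_entries(parse_listing(BASELINE), cur)
    print("new since baseline:", *added, sep="\n  ")
    for (directory, ext, size), names in same_size_siblings(added, cur).items():
        print(f"{len(names)} new .{ext} files of {size} bytes in {directory}: {names}")
```

The grouping is a triage aid, not a verdict: a legitimate installer can also drop several same-sized files at once, so the output is a list of what to look at, in the same spirit as the questions chaslang asks about each new item.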
     
  13. gman123

    gman123 Private E-2

    I printed the instructions and followed them to a tee... I was pretty careful using HJT since I know I can mess up my desktop settings. I did have some issues running Avenger. I cut and pasted the quoted script, but it gave me several errors when running. I cut and pasted a second time and ran again.

    I knew I had some pretty nasty programs running, but this is getting worrisome... any suggestions on backtracking I can do to resolve the MS Office and Start > All Programs issues?
     
  14. gman123

    gman123 Private E-2

    I didn't have a problem deleting those files...
    Check the log like you mentioned for HJT... I see there are some items missing, but I don't know why.... I ran the initial scan to fix the issues... then the second to generate the log. I was toggling between the instructions and the txt file from the instructions above, but I don't think I checked anything that wasn't on the list...
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, hang on while I try to put something together specifically to attempt to remove the winlogon.exe infection.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm going to have you run a procedure below which will attempt to delete the infected winlogon.exe file and also another system file that appears to be infected (ws2_32.dll) and replace them with good copies from your ServicePackFiles folder.
    • Print or save the below instructions locally because you need to close all browsers later.
    • Download the attached gman123.zip file to your Desktop.
    • Now double click on gman123.zip and extract the contents to your Desktop.
    • This should create two files on your Desktop. gman123.bat and process.exe.
    • Note some antivirus programs may falsely detect process.exe as malware. It is not malware. Don't worry about it if you see a message about process.exe. Allow it to run later when we run the procedure.
    • Now you need to boot into safe mode to run the below. It is necessary that when you login to safe mode that you login to the same user account where you just extracted the above files on the Desktop or else you will not find them.
    • Once in safe mode, shutdown ALL unnecessary applications including browsers
    • Now double click on the gman123.bat file to run the fix.
    • It will create a log file named: c:\FixWL.txt
    • After running this you will not be able to shutdown or restart your PC in the normal fashion. You will have to hold in the power button on your PC until it powers down.
    • Close ALL open windows now!!!!! Then continue!
    • Power down your PC now by holding in the power button. Wait about 15 seconds and then power back up.
    • Come back here and attach the c:\FixWL.txt file
    • After attach the C:\FixWL.txt file here.
    • Also attach new logs from ShowNew and HJT.
     

    Attached Files:

  17. gman123

    gman123 Private E-2

    Ran those...
     

    Attached Files:

    Last edited by a moderator: Jul 18, 2007
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That seems to have fixed the winlogon.exe file but not the other file. We will have to try another fix. Why do I now see the below in your newfiles.txt log?


    "DisplayName"="Microsoft Baseline Security Analyzer 1.2.1"
    "DisplayName"="Update for Windows XP (KB936357)"
    "DisplayName"="Windows Genuine Advantage Validation Tool (KB892130)"
    "DisplayName"="Windows Genuine Advantage Validation Tool (KB892130)"

    They were not there before!
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run the last procedure in safe mode as requested? This is important.

    I'm going to have you run a procedure below which will attempt to delete the infected winlogon.exe file and also another system file that appears to be infected (ws2_32.dll) and replace them with good copies from your ServicePackFiles folder.
    • Print or save the below instructions locally because you need to close all browsers later.
    • Download the attached gman2.zip file to your Desktop.
    • Now double click on gman2.zip and extract the contents to your Desktop.
    • This should create two files on your Desktop. gman2.bat and process.exe.
    • Note some antivirus programs may falsely detect process.exe as malware. It is not malware. Don't worry about it if you see a message about process.exe. Allow it to run later when we run the procedure.
    • Now you need to boot into safe mode to run the below. It is necessary that when you login to safe mode that you login to the same user account where you just extracted the above files on the Desktop or else you will not find them.
    • Once in safe mode, shutdown ALL unnecessary applications including browsers
    • Now double click on the gman2.bat file to run the fix.
    • It will create a log file named: c:\FixWS2.txt
    • After running this you will not be able to shutdown or restart your PC in the normal fashion. You will have to hold in the power button on your PC until it powers down.
    • Close ALL open windows now!!!!! Then continue!
    • Power down your PC now by holding in the power button. Wait about 15 seconds and then power back up.
    Now after reboot continue with the below.

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    • Come back here and attach the c:\FixWS2.txt file
    • Also attach new logs from ShowNew and HJT.
    What problems are you still seeing?
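Both procedures above replace a live system file with the copy kept under ServicePackFiles, and the follow-up ("that seems to have fixed winlogon.exe but not the other file") is a check that the replacement actually took. As an added example, not the thread's gman123.bat or gman2.bat, the script below hashes each live file and its ServicePackFiles counterpart and reports whether they are byte-identical, handling the case where either file is absent. The paths in DEFAULT_PAIRS are the XP defaults and are an assumption about the machine; the self-check builds throwaway files so nothing real is touched.

```python
import hashlib
import os

# Assumed default XP locations: live file in system32 and the reference copy
# from the service pack. Adjust if Windows is installed elsewhere.
DEFAULT_PAIRS = [
    (r"C:\WINDOWS\system32\winlogon.exe", r"C:\WINDOWS\ServicePackFiles\i386\winlogon.exe"),
    (r"C:\WINDOWS\system32\ws2_32.dll",   r"C:\WINDOWS\ServicePackFiles\i386\ws2_32.dll"),
]


def sha256_of(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def compare_pair(live, reference):
    """Describe whether `live` is byte-identical to `reference`.

    match is True/False when both files exist, None when either is missing.
    """
    result = {"live": live, "reference": reference}
    for key, path in (("live", live), ("reference", reference)):
        if not os.path.isfile(path):
            result[key + "_missing"] = True
    if result.get("live_missing") or result.get("reference_missing"):
        result["match"] = None
        return result
    lh, rh = sha256_of(live), sha256_of(reference)
    result.update(live_sha256=lh, reference_sha256=rh,
                  size_delta=os.path.getsize(live) - os.path.getsize(reference),
                  match=(lh == rh))
    return result


def verify_pairs(pairs=DEFAULT_PAIRS):
    return [compare_pair(live, ref) for live, ref in pairs]


def self_check():
    """Exercise compare_pair on constructed temp files (no system files touched)."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "winlogon.exe")
        live_ok = os.path.join(d, "live_ok.exe")
        live_bad = os.path.join(d, "live_bad.exe")
        for p, data in ((good, b"MZ good"), (live_ok, b"MZ good"),
                        (live_bad, b"MZ good+patched")):
            with open(p, "wb") as f:
                f.write(data)
        return (compare_pair(live_ok, good),
                compare_pair(live_bad, good),
                compare_pair(os.path.join(d, "absent.dll"), good))


if __name__ == "__main__":
    for r in verify_pairs():
        print(r)
```

A match means the live file is exactly the service-pack copy, which is what the fix is trying to achieve. A mismatch on its own is not proof of infection, since a later hotfix can legitimately change the live copy, so a mismatch after the procedure mostly tells you the replacement did not happen (typically because the file was still in use outside safe mode).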
     
  20. gman123

    gman123 Private E-2

    sorry.... I didn't see the gman2.zip file you were referencing...
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry here it is!
     

    Attached Files:

  22. gman123

    gman123 Private E-2

    followed all the steps above...
     

    Attached Files:

    Last edited by a moderator: Jul 18, 2007
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run the gman2.bat procedure in safe mode as requested? It did not work and that is the only way it will work. Are you sure that you extracted ALL files from the original gman123.zip to your Desktop? Do you see the process.exe file on your Desktop? Do you see it when you are in safe boot mode? Based on your newfiles.txt log, the gman123.bat and the process.exe file are not on your Desktop. gman2.bat is on your Desktop.

    Also the registry patch did not work properly. Did you get a success message? Did Spy Sweeper block it? Did Symantec block it? You should shutdown Spy Sweeper and Symantec and try the fixME.reg patch again. Tell me if you get a success message.

    Also you have not stated how things are currently running.
     
    Last edited: Jul 18, 2007
  24. gman123

    gman123 Private E-2

    yes.... I extracted all files to the desktop and ran them in safe mode. I removed the first gman123.bat file, but left the process.bat file when I ran the gman2.exe file. The registry update said it was successfully updated when I saved the file and opened it. The system is running fine with the exception of the MS issue I mentioned yesterday. I'm going to reinstall after I finish this fix.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You mean MS Office does not work at all? I have seen this get broken many times for unknown reasons. It is possible that malware did something and when the malware is removed it leaves the application in a broken state. It may be necessary to run this: Windows Installer CleanUp Utility

    You also had said this:
    Is this still occurring?
     
  26. gman123

    gman123 Private E-2

    yeah... I believe the malware corrupted some of the MS Office start up files or dll files. I'm going to reinstall once I get all this cleaned up.... the issue with my program menu still exists... I'm going to use the Windows Installer CleanUp Utility as you mentioned
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is the Start button there at all?
    Does your Desktop appear (like all icons, the taskbar, etc)?
     
  28. gman123

    gman123 Private E-2

    the start menu is there... everything still appears on the desktop... although the task bar does not show all the items it used to
     
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I wonder if they were uninstalled? Remember when I commented on your uninstall list changing at the end of the newfiles.txt log. See the newfiles.txt logs in message # 4 and then compare it to the end of the newfiles.txt log in message # 9.


    Do you know what the below file is for? If not, attach it here.
    C:\Documents and Settings\ikdcspap.txt

    Do you know what the below file is for?
    Code:
    C:\Documents and Settings\ngallego\Desktop\
    oajinit.sh    Jun 19 2007     9203967  "oajinit.sh"
    What is in the below folders? These are not valid Windows folders!
    Code:
    "C:\WINDOWS\system32\"
    %COMMO~1      Jul 17 2007              "%commonprogramfiles%"
    %PROGR~1      Jul 17 2007              "%programfiles%"
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You may want to consider doing a System Restore to a point just before where your All Programs stuff disappeared. Hopefully that will fix this issue. Even if any malware comes back, we can always fix it again.
     
  31. gman123

    gman123 Private E-2

    1st file is Oracle JInitiator... a Java applet for my work...
    I don't know about the others...

    I'll consider the system restore... thanks for all the help up to this point...
     
  32. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Then please attach the first file I requested and also tell me what you see in those two folders I asked about.
     
