Winloghook is killing me, please help me kill it!

Discussion in 'Malware Help (A Specialist Will Reply)' started by TroubledOne, Nov 21, 2007.

  1. TroubledOne

    TroubledOne Private E-2

    Gah, I accidentally opened up a weird file that was a self-extracting RAR, and then it opened up a command menu, and shortly after, my explorer is no longer working! Then I tried to restart, and it keeps either starting and crashing or restarting itself. I've managed to gain back some control to go about getting rid of it, but nothing seems to be working. I believe I looked at another two people who had this same issue with this trojan, and if it's not too much to ask, could I get a walkthrough? I'm not the most tech-savvy person in the world. I'm running XP btw.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  3. TroubledOne

    TroubledOne Private E-2

    Yes, I started doing those things after posting unfortunately. Now, I'm using a different computer to browse these forums however. The problematic one is in safe mode right now, before the networking step in your guide, so when I get there I'll post them. I'm pretty sure the only two things are winloghook and virtumonde or whatnot, both of which were in your special removal section. Just curious but does one have anything to do with the other? And what exactly is going on? I got freaked when explorer crashed.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are using the wrong guide. Use the link I gave you in my first message. It is shorter and easier to run.

    Yes they are very similar and often arrive at the same time.
     
  5. TroubledOne

    TroubledOne Private E-2

    Hello again. I notice now that the one you sent me was indeed shorter, heh, but I already pretty much completed the other one, and I'm no longer picking up either virtumonde or winloghook. I kind of stopped after the "run all the cleaners in safe mode" step of that long one. Now, does that mean that the problem is over? Or should I be cautious of something? Thanks for everything.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should complete the procedure and attach ALL of the requested logs. Vundo and Winlogonhook can scatter a lot of hidden files around your hard disk and any of them can cause the infection to reanimate. To be safe, we need to make sure all aspects have been removed, and normal scans will not get everything. Depending on the exact form of infection you had, you may or may not have additional issues to deal with. If you attach the logs, we will know.
     
  7. TroubledOne

    TroubledOne Private E-2

    And speak of the devil, it just came back. Alright then, you need which logs? I'm going to do everything else you said, and also, is counterspy alright versus avg?
     
  8. TroubledOne

    TroubledOne Private E-2

    Nevermind the logs, I got it.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are running the older full READ & RUN ME, the below are the requested logs:

    CounterSpy - only for Windows XP, 2K, & NT users
    AVG Antispyware log - ONLY IF NEEDED, i.e. you were not able to run CounterSpy - only for Windows XP, 2K, & NT users
    Bitdefender - from step 6
    Panda Scan - from step 6
    runkeys.txt - the log from GetRunKey.bat
    newfiles.txt - the log from ShowNew.bat
    HijackThis
     
  10. TroubledOne

    TroubledOne Private E-2

    Ah, well here is the stuff from your smaller one, do you want me to put the stuff from the longer readme as well?
     

    Attached Files:

  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I don't need all the others right now but I do need either a log from CounterSpy or from AVG Antispyware.
     
  12. TroubledOne

    TroubledOne Private E-2

    Yes, I thought so, but I'm not sure how to collect the counterspy log. So, how should I find it?
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your MGlogs.zip file is incomplete. We need to get a full log. The below will rerun the scans to create a new log.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this. Make sure you are not getting interference from your antivirus and also check for the error messages mentioned on the MGtools download page. Also make sure you let it run thru to completion.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You had to create it when you ran the scan, as explained in the longer version of the READ ME. The shorter (new) version of the READ ME uses only AVG Antispyware and it also explains how to create a log with it.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Gotta run now! Be back late tonight
     
  16. TroubledOne

    TroubledOne Private E-2

    Oh happy Thanksgiving, see you later tonight then.
     

    Attached Files:

  17. TroubledOne

    TroubledOne Private E-2

    Ok, now this is bugging me. I found Bifrost, which I attempted to remove. And now, every once in a while, I get a pop-up saying such and such cannot connect to the internet, and if I hit try again, it runs "rundll32", the process that causes everything to go to crap. I read that Bifrost is a backdoor, and that the dll is probably the trojan, so now I just hit work offline, and it makes it go away momentarily. None of the scanners are picking anything up. Oh, and hope you had or will have a nice meal tonight. Thanks.
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes thanks!! Thanksgiving dinner was great. How was yours?

    What exactly did you do?? CounterSpy already fixed what it found and that was only a registry key. Your main problems are Virtumonde and Winlogonhook infections. And we need the other logs to find all the issues.

    Uninstall the CounterSpy trial program now since we are finished with it and it will conflict with SpySweeper. Then delete the below folders which may be left behind:
    C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
    C:\Documents and Settings\Owner\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software

    You also have AOL Antispyware running and you should not have this running if you are going to use SpySweeper.

    Speaking of AOL, you need to uninstall all of the Viewpoint software as requested in step 0 of the READ ME.

    Okay your MGlogs.zip file still shows that the tools are not running properly. We need to figure out why. It could be that you are getting one of the error messages mentioned on the MGtools download page. Or it could be that SpySweeper is getting in the way. Are you getting warnings from SpySweeper when you ran GetLogs.bat?? You could try shutting down Spy Sweeper to see if the logs are created properly. You

    First let me ask a question, are you running a 64 bit version of Windows?

    Now click Start, Run and enter cmd and click OK. This will open a command prompt window. In the command prompt window enter the below commands.

    cd C:\MGtools
    GetRunKey.bat

    What happens when you run GetRunKey.bat?
    Do you see any error messages in the window? What are the last few lines that you see in the window.

    Now in the command prompt window, enter the below command.

    ShowNew.bat

    What happens when you run ShowNew.bat?
    Do you see any error messages in the window? What are the last few lines that you see in the window.


    Even though we do not have all the necessary logs, let's try to get started on fixing things. Again make sure SpySweeper is shutdown before you do the below.

    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Continue by downloading a tool we will need

    - Process Explorer

    Extract it to its own folder somewhere that you will be able to locate it later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    Make sure that one and only one Internet Explorer browser is opened up

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    ddcddbb.dll
    winmdk32.dll

    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    ddcddbb.dll
    winmdk32.dll


    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on iexplore.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    ddcddbb.dll
    winmdk32.dll


    After you have killed all instances of any of the above DLLs under iexplore click ok.
    (If you do not find these DLLS, just continue on.)

    Now just exit Process Explorer.


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it
    double click it and allow it to merge with the registry.
    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!


    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.


    Make sure you tell me how things are working now!
     
    Last edited: Nov 23, 2007
  19. TroubledOne

    TroubledOne Private E-2

    Before I can do anything, I need to shut down this damn rundll32.exe It is not letting me do anything.
     
  20. TroubledOne

    TroubledOne Private E-2

    Ok, now things are worse, and I can't find rundll32.exe to shut it off anymore in task manager. Now I don't know WHAT to do.
     
  21. TroubledOne

    TroubledOne Private E-2

    Here are the logs, but I have no idea now what to do.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    In message # 18 I asked you to uninstall CounterSpy. I still see it in MGlogs (which is still incomplete). Also I still see AOL Antispyware and SpySweeper. Is SpySweeper a paid program or a free trial?
     
  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Attach the below log to your next message:

    C:\MGtools\hijackthis.log
     
  24. TroubledOne

    TroubledOne Private E-2

    Yeah, I don't know how to get rid of the AOL stuff, and I removed Counterspy right after sending that, sorry. I don't get any error messages, and I'm not sure whether it's trial or not, I don't think so though, I've had it for a looooong time. I seriously need to fix the explorer crash thing though. It used to be caused by rundll32.exe, but now it doesn't show up under processes. I watched it for awhile, and I can see something called imapi.exe opening and closing, and as it closes, it takes explorer with it. I turned the comp off since I couldn't do anything, so I'll attach those other logs after I hear from you on how to fix explorer. Thanks.
     
  25. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Uninstall it. See AOL Spyware Protection in Add/Remove Programs. But you only need to uninstall it if SpySweeper is a paid legitimate program that you get updates for and that can actually remove malware. Otherwise you need to uninstall SpySweeper and keep AOL' Spyware Protection to have something to protect you.

    You must remember to always do steps in the order written. Sometimes it can be critical. Also you need to answer questions. A few messages back you mentioned trying to fix BiFrost and I asked the below and you did not answer.
    What version is it and when it finds malware does it fix it? If not, it is just a trial.

    Your explorer issues may not be due to malware and you cannot just assume that the problem is due to other things you see running like rundll32.exe or imapi.exe which are both valid processes for your Windows OS.


    Uninstall the below software:
    J2SE Runtime Environment 5.0 Update 2
    Viewpoint Media Player <-- should have been uninstalled in step 0 of the READ ME
    Also uninstall CounterSpy if you still have not uninstalled it.


    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Make sure you reboot doing the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now delete the below files if found:
    C:\avexport.bat
    C:\ffusiiev.bat


    Also delete the below folders which CounterSpy may have left behind after uninstalling.
    C:\Documents and Settings\Owner\Application Data\Sunbelt Software
    C:\Documents and Settings\All Users\Application Data\Sunbelt Software
    C:\Program Files\Sunbelt Software


    After you get all of the above worked out, rerun GetRunKey, ShowNew and then run the C:\MGlogs\analyse.exe program which is HijackThis. Do a scan and save a new log. Attach the new MGlogs.zip file and also attach the log from HijackThis.
     
  26. TroubledOne

    TroubledOne Private E-2

    I apologize, I just was a little exasperated. I will now uninstall the AOL stuff, as SpySweeper does remove threats, although I may need to reinstall it since it has an issue updating. About Bifrost, I didn't do anything, other than let Counterspy remove it. Now I will switch back to the problematic computer and do as you asked.
     
  27. TroubledOne

    TroubledOne Private E-2

    Ok, I did everything I think, and here's what you asked for.
     

    Attached Files:

  28. TroubledOne

    TroubledOne Private E-2

    Any help with explorer? It's really hard to do anything. Also, what's up with my computer speed. It used to be blazing, and now my cpu usage jumps up really high randomly. Is something making things slow?
     
    Last edited: Nov 23, 2007
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Before we worry about explorer not running properly, we must get all evidence of malware removed. Your problems with explorer may or may not be due to malware so we must get the malware removed first to know what to do next.

    I still see CounterSpy and Viewpoint trying to load. We will have to fix them manually.

    I suggest that you uninstall SpySweeper immediately since it could be causing problems for malware removal and in addition (as you stated) it is broken anyway. Leave it uninstalled for now. Do this while I work thru your logs.

    By the way, the GetLogs.bat file ran 100% this time and all the logs including HijackThis are in the MGlogs.zip files this time.
     
  30. TroubledOne

    TroubledOne Private E-2

    Ok before I do though, I just uninstalled the AOL stuff. So if I uninstall spysweeper, and can't find my disk... what should I do?
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you don't have your disk and do not have a copy of the installation file, you would have to contact Webroot to download a new copy. That is assuming your subscription is currently paid up. If it is not, then SpySweeper is out of date and not much use to you anyway especially since you said it will not update anyway. If you don't want to uninstall it then at least shut it down before doing the below. Do this now or uninstall (your choice) before continuing.


    It's possible that your tcpip.sys file has become corrupted or infected. It was changed around Sep 18th. Do you have your Windows XP SP2 boot CD?

    Let's continue with your malware removal.

    Run Process Explorer (previously downloaded)

    In the top section of the Process Explorer screen double click on lsass.exe to bring up the lsass.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of any of the below DLL files (if found) and then click the kill button.
    vtstr.dll
    After you have killed all instances of any of the above DLLs under winlogon click ok.
    (If you do not find these DLLS, just continue on.)

    Next double click on explorer.exe and again click once on each instance of any of the below DLL files (if found) and then click the kill button.
    vtstr.dll

    After you have killed all instances of any of the above DLLs under Explorer click ok.
    (If you do not find these DLLS, just continue on.)


    Now just exit Process Explorer.

    Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {5753E9E1-8851-4B0E-9FA1-7ABE59F81D24} - C:\WINDOWS\system32\vtstr.dll
    O4 - HKLM\..\Run: [MSKDetectorExe] "C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" /uninstall
    O4 - HKLM\..\Run: [SBRegRebootCleaner] C:\Program Files\Sunbelt Software\CounterSpy\SBRC.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O23 - Service: Viewpoint Manager Service - Unknown owner - C:\Program Files\Viewpoint\Common\ViewpointService.exe (file missing)

    After clicking Fix, exit HJT.


    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. Then attach the new C:\MGlogs.zip file that will be created by running this and also attach the log from Avenger.

    Make sure you tell me how things are working now!
     
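The two Process Explorer passes above (look for a named DLL inside winlogon.exe, lsass.exe, explorer.exe and iexplore.exe) and the HijackThis O2/O4/O23 lines chaslang lists are manual checks. The script below is an added, read-only triage example, not code from the thread or from the MajorGeeks MGtools package: it reports which host processes currently have one of the thread's three DLL names mapped, resolves every registered Browser Helper Object CLSID to its InprocServer32 DLL (the O2 lines) and flags missing or suspect files, dumps the Run keys that GetRunKey.bat collects (the O4 lines), and lists Winlogon Notify packages, which is a standard registry location for DLLs that get loaded into winlogon.exe. The DLL names are the ones named in the thread; the registry paths are standard Windows locations and are an assumption of this example, not something the thread itself lists. It changes nothing; it does not replicate Process Explorer's kill-thread step.

```powershell
# Added example (not from the thread or MajorGeeks tooling). Read-only triage that
# mirrors the manual Process Explorer / HijackThis checks discussed above.
# Assumptions: the DLL names come from the thread; the registry paths are the
# standard Windows persistence locations, not anything the thread lists.
# Run from an elevated PowerShell prompt; it changes nothing.

$SuspectDlls    = @('ddcddbb.dll', 'winmdk32.dll', 'vtstr.dll')
$HostsToInspect = @('winlogon', 'lsass', 'explorer', 'iexplore')
$PsMetadata     = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# 1. Which host processes have a suspect DLL mapped? (the Process Explorer step)
Write-Host "== Suspect modules in host processes =="
foreach ($name in $HostsToInspect) {
    foreach ($proc in (Get-Process -Name $name -ErrorAction SilentlyContinue)) {
        # Module enumeration throws for protected processes, or across a
        # 32-bit / 64-bit boundary; skip those rather than abort the sweep.
        try { $modules = $proc.Modules } catch { continue }
        foreach ($m in $modules) {
            if ($SuspectDlls -contains $m.ModuleName) {
                "{0} (PID {1}) has {2} loaded from {3}" -f $proc.ProcessName, $proc.Id, $m.ModuleName, $m.FileName
            }
        }
    }
}

# 2. Browser Helper Objects (HijackThis O2 lines): each CLSID under the BHO key
#    maps to HKCR\CLSID\{clsid}\InprocServer32, whose default value is the DLL.
Write-Host "== Browser Helper Objects =="
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($clsidKey in Get-ChildItem $bhoKey) {
        $clsid  = $clsidKey.PSChildName
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll    = $null
        if (Test-Path $server) { $dll = (Get-ItemProperty $server).'(default)' }
        $flag = ''
        if (-not $dll) { $flag = 'NO SERVER PATH' }
        elseif (-not (Test-Path $dll)) { $flag = 'FILE MISSING' }        # the "(file missing)" case in HJT
        elseif ($SuspectDlls -contains [IO.Path]::GetFileName($dll)) { $flag = 'SUSPECT DLL' }
        "O2 {0} -> {1} {2}" -f $clsid, $dll, $flag
    }
}

# 3. Run keys (what GetRunKey.bat dumps; HijackThis O4 lines).
Write-Host "== Run keys =="
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty $k).PSObject.Properties) {
        if ($PsMetadata -contains $p.Name) { continue }   # skip provider metadata, keep real values
        "O4 {0}\{1} = {2}" -f $k, $p.Name, $p.Value
    }
}

# 4. Winlogon Notify packages: DLLs registered here are loaded by winlogon.exe
#    at logon, which is one way a DLL ends up in winlogon's threads.
Write-Host "== Winlogon Notify packages =="
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    foreach ($pkg in Get-ChildItem $notify) {
        $dll  = (Get-ItemProperty $pkg.PSPath).DllName
        $flag = ''
        if ($dll -and ($SuspectDlls -contains [IO.Path]::GetFileName($dll))) { $flag = 'SUSPECT DLL' }
        "Notify\{0} -> {1} {2}" -f $pkg.PSChildName, $dll, $flag
    }
}
```

Read the output the way the thread does: a BHO whose InprocServer32 file is missing is dead weight to remove, one whose DLL is on the suspect list (or lives in system32 with a random-looking name) is the live component, and a Run or Notify value pointing at an uninstalled product's path is the leftover entry chaslang keeps spotting in MGlogs.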
  32. TroubledOne

    TroubledOne Private E-2

    Ok, so far so good. I don't have SP2 on disk, I downloaded it. Also, things seem to be ok right now. On Avenger however, I got error code 0, don't know if it matters. Posting logs now. Oh and what's up with tcpip.sys? Thanks for everything.
     

    Attached Files:

  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    One more item still left over. Shutdown SpySweeper and have HijackThis fix the below line:
    O2 - BHO: (no name) - {E7541605-A09E-412D-AC78-778823B0FA10} - C:\WINDOWS\system32\vtstr.dll (file missing)

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, C:\combofix.txt and C:\ComboFix-quarantined-files.txt logs that were created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If we had you run Avenger, you can delete all files related to Avenger now.
    8. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  34. TroubledOne

    TroubledOne Private E-2

    WOO! You're awesome dude. Everything seems fine. Thank you for anything and everything, you saved my computer and me.
     
  35. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
  36. TroubledOne

    TroubledOne Private E-2

    Um, sorry to bug you again, and I don't know if it's related at all but, there are instances where my screen flips out. It lasts for less than a second, but it goes all weird looking, and it's very infrequent, but I don't recall the issue before so... could something have been changed somehow? Also how do I close this thing.
     
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Based on what we fixed, this should have nothing to do with anything we removed. You had the same kind of Vundo type problems that we remove on many PCs per day and none of them ever resulted in "screen flip out", whatever that really means. Perhaps you are on the verge of hardware issues with your graphics card or memory. Malware would not cause issues like this, especially intermittently.

    How do you close what? The thread? We don't close threads.
     
  38. TroubledOne

    TroubledOne Private E-2

    Oh I see, thanks. Yeah my vid card is a little weird sometimes. And I didn't realize, usually on other forums they get all pissy with you for leaving threads open like that. Thank you once again.
     
  39. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    We don't see the need to waste the time on it. And the possible additional time and PM messages that would result in order to reopen a thread. Or even worse the fact that if we close a thread and the user comes back a very short time later and starts a new thread because his thread was close......yadda yadda. It just could be more trouble than it is worth.

    Also an important difference in this forum is that ONLY you and one of the Mods/Admins can post in your thread, which is not the case in many other forums. Thus that could result in someone else trying to work their problems in your thread.
     
