Winlogon infection

Discussion in 'Malware Help (A Specialist Will Reply)' started by mikekling, Dec 24, 2006.

  1. mikekling

    mikekling Private E-2

    Just spent the better part of Christmas eve unsuccessfully battling malware and hope you can help sometime. A couple weeks ago, I noticed constant internet traffic when there should be none and IE7 started crashing when opening a new tab. Also the first link in a Google search is usually hijacked through "http://www.yahabags.com/search.php?qq=".

    After the usual spyware apps failed to fix this, I installed Kaspersky internet security and the scan found quite a few problems. All cleaned ok except winlogon. There are repeated warnings - 'Running process C:\WINDOWS\system32\winlogon.exe: detected modification of riskware 'Worm.generic'. Apparently this component can't be disinfected easily and is the main cause of my continuing problems.

    I followed all steps in your ' READ & RUN ME FIRST' FAQ and of course some other infections were found but the unexpected internet traffic and web page hijacking continue. Please help. Do I need to reinstall Win XP? Requested logs are attached. Thanks for any help.
     

    Attached Files:

  2. mikekling

    mikekling Private E-2

    Winlogon infection - Remaining three attachments
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually it is pretty easy for us to fix. ;) Just commercial antivirus programs don't have a clue when it comes to this stuff. We fix them all the time.

    Run this ViewpointKiller to remove Viewpoint Media software.

    HijackThis thinks the below file is missing and that it could be interfering with your Internet Connection:
    O10 - Broken Internet access because of LSP provider 'handgrabberlsp.dll' missing

    Did you install this HandGrabber program for some poker related stuff? Is it really missing?

    Okay let's start fixing things up by removing an old service from Symantec!
    • Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    • On the page that opens, scroll down to Symantec Network Drivers Service
    • then right click the entry, select Properties and press Stop Service.
    • When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
    • Click OK until you get back to Windows.
    • Next, run HJT, but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
    • At the lower right, click on the Config button
    • Then click the Misc tools button
    • Select Delete an NT Service
    • Copy/paste SNDSrvc into the box that opens, and press OK
    • If you receive any error messages just ignore them and continue.
    • Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.
    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.
    Continue by downloading a tool we will need - Pocket KillBox

    Save it to its own folder somewhere that you will be able to locate it later.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {285C46CA-F79C-473F-934F-832E2C651ED1} - C:\WINDOWS\system32\ypfkecmj.dll
    O2 - BHO: (no name) - {C6A1AC9F-058E-4EB8-8B75-365E14CABAA8} - C:\WINDOWS\system32\wpvalybq.dll
    O20 - Winlogon Notify: cpojghio - C:\WINDOWS\SYSTEM32\ypfkecmj.dll
    O20 - Winlogon Notify: dssoundi - dssoundi.dll (file missing)
    O20 - Winlogon Notify: hgtolxod - C:\WINDOWS\SYSTEM32\hgtolxod.dll
    O20 - Winlogon Notify: tfusooeo - C:\WINDOWS\SYSTEM32\tfusooeo.dll

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\dsmrdbjj.exe
    C:\WINDOWS\SYSTEM32\jersivau.exe
    C:\WINDOWS\SYSTEM32\aolxwsme.dll
    C:\WINDOWS\SYSTEM32\bkjbfmvd.dll
    C:\WINDOWS\SYSTEM32\bppusict.dll
    C:\WINDOWS\SYSTEM32\hgtolxod.dll
    C:\WINDOWS\SYSTEM32\imobvvok.dll
    C:\WINDOWS\SYSTEM32\kcndpdgq.dll
    C:\WINDOWS\SYSTEM32\khrjuhpw.dll
    C:\WINDOWS\SYSTEM32\kqbpnodp.dll
    C:\WINDOWS\SYSTEM32\nyvgx.dll
    C:\WINDOWS\SYSTEM32\okkutyqk.dll
    C:\WINDOWS\SYSTEM32\qapmjasp.dll
    C:\WINDOWS\SYSTEM32\tfusooeo.dll
    C:\WINDOWS\SYSTEM32\vxmmtwcg.dll
    C:\WINDOWS\SYSTEM32\wawnwcva.dll
    C:\WINDOWS\SYSTEM32\wpvalybq.dll
    C:\WINDOWS\SYSTEM32\xeimkhah.dll
    C:\WINDOWS\SYSTEM32\ypfkecmj.dll
    C:\WINDOWS\SYSTEM32\SETB4.tmp
    C:\WINDOWS\SYSTEM32\SETC0.tmp
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But if this message occurs, please let me know!).

    If Killbox does not reboot just reboot your PC yourself.

    Also delete all files and subfolders in the below folders except ones from the current date (Windows will not let you delete the files from the current day).
    C:\Documents and Settings\Mike\Local Settings\Temp

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
     
  4. mikekling

    mikekling Private E-2

    Wow. No constant background internet traffic, no web page hijacking, and no Winlogon warnings from Kaspersky. You have my sincere thanks!

    I reset system restore and then generated the three log files and attached as requested. I'm a bit concerned that two of the checked line items have reappeared (including the winlogon notify line) but I have no symptoms at this time. Any further suggestions? One of the various virus and spyware scans detected a keylogger. Should I be concerned about online account security? Thanks again for your help.

    Mike Kling
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome but you are still infected. While I see that Pocket Killbox was able to delete all the files, they all seem to have reappeared. I'm not sure why. Some protection software like Kaspersky, WinPatrol, etc. may be getting in our way.

    NOTE: You did not answer my question about HandGrabber!

    You should not have done this until we determined you were clean which you are not.

    We have more to do and will have to repeat some steps. However we are going to do some steps before getting started on the fixing. Complete each step in the order given before moving on to the next step.
    • First Run Pocket Killbox and select File, Cleanup, Delete All Backups
    • You need to get a firewall installed NOW to help block garbage like this. Please download and install ZoneAlarmFree now.
    • Now I'm going to ask you to print or save these instructions locally so you can refer to them while physically disconnected (unplug your cable) from the internet. So save them now and then Disconnect before continuing & do not reconnect until I tell you to do so.
    • Uninstall CounterSpy
    • Now shutdown WinPatrol and Kaspersky Internet Security
    • Now continue with all of the below
    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {285C46CA-F79C-473F-934F-832E2C651ED1} - C:\WINDOWS\system32\ypfkecmj.dll
    O20 - Winlogon Notify: cpojghio - C:\WINDOWS\SYSTEM32\ypfkecmj.dll

    After clicking Fix, exit HJT.

    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\SYSTEM32\aolxwsme.dll
    C:\WINDOWS\SYSTEM32\bkjbfmvd.dll
    C:\WINDOWS\SYSTEM32\bppusict.dll
    C:\WINDOWS\SYSTEM32\dsmrdbjj.exe
    C:\WINDOWS\SYSTEM32\hgtolxod.dll
    C:\WINDOWS\SYSTEM32\imobvvok.dll
    C:\WINDOWS\SYSTEM32\jersivau.exe
    C:\WINDOWS\SYSTEM32\kcndpdgq.dll
    C:\WINDOWS\SYSTEM32\khrjuhpw.dll
    C:\WINDOWS\SYSTEM32\kqbpnodp.dll
    C:\WINDOWS\SYSTEM32\nyvgx.dll
    C:\WINDOWS\SYSTEM32\okkutyqk.dll
    C:\WINDOWS\SYSTEM32\qapmjasp.dll
    C:\WINDOWS\SYSTEM32\SETB4.tmp
    C:\WINDOWS\SYSTEM32\SETC0.tmp
    C:\WINDOWS\backup\TB040702.DAT
    C:\WINDOWS\SYSTEM32\tfusooeo.dll
    C:\WINDOWS\SYSTEM32\vxmmtwcg.dll
    C:\WINDOWS\SYSTEM32\wawnwcva.dll
    C:\WINDOWS\SYSTEM32\wpvalybq.dll
    C:\WINDOWS\SYSTEM32\xeimkhah.dll
    C:\WINDOWS\SYSTEM32\ypfkecmj.dll
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    Now reconnect your cable to the internet.


    Now attach the below new logs and tell me how the above steps went.

    1. ShowNew
    2. HJT


    Make sure you tell me how things are working now!
     
  6. mikekling

    mikekling Private E-2

    I'm still infected. Some comments and questions regarding your latest instructions:

    • You are correct that Handgrabber is an online poker tool that I no longer use since the UIGE act passed. Apparently the uninstall was not clean.
    • I figured resetting system restore was a good idea since even if my current system is not clean, it's still way better than two weeks ago.
    • I have been using the Windows firewall for the last year or so (ZoneAlarm before that) until installing Kaspersky Internet Security a couple days ago which includes a firewall. I will probably go back to ZoneAlarm after the Kaspersky trial period expires since they did not fix my problems.
    • Ran HijackThis and selected the two specified lines but nothing seemed to happen after clicking Fix. HJT just showed a blank screen with Scan button active. When I scanned again, the two problem lines were still there. Is this normal?
    • Ran Killbox as instructed and did receive the PendingFileRenameOperations prompt. The pc did not reboot automatically as expected so I did it manually.
    • After rebooting, I noticed a folder that I don't remember. !killbox seems to contain all the dll and exe files I just deleted. Is this normal?
    What next? Thanks.

    Mike
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes you are!! Nothing is changing even though Pocket Killbox is deleting files they are all coming back. I think you are going to have to UNINSTALL both WinPatrol and Kaspersky and then boot into safe mode and repeat all the steps from message # 5, and then reboot and attach new logs. If it looks better you can reinstall Kaspersky for now but leave WinPatrol uninstalled until we finish with all removal. However, if these infected files and registry keys in HJT still come back, leave Kaspersky uninstalled and download, install, update and run a full scan with AVG Free Edition. Let me know if it finds anything and what (attach a log if possible).

    Okay let's fix it. Now download LSP - Fix

    Run LSP-Fix.

    Check the Box labeled "I know what I'm doing" and then click on the handgrabberlsp.dll file (in the “Keep” section) to select it.

    Then, Select the >> button to move handgrabberlsp.dll into the Remove section.

    Now, click the Finish Button. When the Repair Summary box appears, click OK.
    If it is already in the Remove section, just click Finish.

    When you re-scan with HJT and nothing changed, it means the fix did not work. Thus something is blocking the fix. It could be goodware (like WinPatrol or Kaspersky) getting in the way or it could be something related to the malware that you have that is noticing the attempted fix and respawning the infection. This remains to be seen.

    Yes the !Killbox folder is normal. It is where Pocket Killbox stores backups just in case the wrong thing is deleted by mistake.


    I want to see if a rootkit is hiding on your PC! Please download Blacklight Beta
    • Download blbeta.exe and save it to the Desktop.
    • Once saved... double click blbeta.exe to install the program.
    • Click accept agreement and Click scan
      This app too may fire off a warning from antivirus. Let the driver load.
      Wait for it to finish.
    • If it displays any items...don't do anything with them yet. Just hit exit (close)
    • It will drop a log on Desktop that starts with fsbl....big number
    Please post contents of the BlackLight log.
     
    Last edited: Dec 27, 2006
  8. mikekling

    mikekling Private E-2

    Followed all the steps but still infected. Uninstalled Kaspersky and WinPatrol and installed AVG. AVG found and deleted 3 threats (log attached). handgrabberlsp.dll was removed. Blacklight Beta found nothing (log attached). I received the PendingFileRenameOperations prompt again after running KillBox and had to reboot manually. The final HJT and newfiles logs are attached.

    Still no symptoms of infection but I'm guessing that problems will return if these files aren't permanently removed right?
     

    Attached Files:

  9. mikekling

    mikekling Private E-2

    Blacklight Beta log
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    NOTE: You must not use the below version of HijackThis:

    C:\Program Files\HijackThis\HijackThis.exe

    Delete it and from now on only use
    C:\Program Files\HijackThis\Analyse.exe


    Well at least it was smart enough (compared to KAV) to find some of the infected files. Those three were on one of my first lists of fixes.

    I think the infection is causing Killbox to fail to completely remove the problems.

    But the problem is that while you may not be experiencing any outward symptoms, the infection is still there and active. I'm not just referring to the files in system32, I'm referring to the fact that there are registry keys loading the infection as seen in HJT:

    O2 - BHO: (no name) - {285C46CA-F79C-473F-934F-832E2C651ED1} - C:\WINDOWS\system32\ypfkecmj.dll
    O20 - Winlogon Notify: cpojghio - C:\WINDOWS\SYSTEM32\ypfkecmj.dll

    Thus yes, things could get worse!!

    Let's take a different approach.

    Try using this FileASSASSIN to delete the below list of files. Follow the directions in the download link and choose the Attempt FileASSASSIN's method of file removal. Make sure the three check boxes below this option are checked and click Delete

    List of Files to delete

    C:\WINDOWS\SYSTEM32\aolxwsme.dll
    C:\WINDOWS\SYSTEM32\bkjbfmvd.dll
    C:\WINDOWS\SYSTEM32\bppusict.dll
    C:\WINDOWS\SYSTEM32\dsmrdbjj.exe
    C:\WINDOWS\SYSTEM32\hgtolxod.dll
    C:\WINDOWS\SYSTEM32\imobvvok.dll
    C:\WINDOWS\SYSTEM32\jersivau.exe
    C:\WINDOWS\SYSTEM32\kcndpdgq.dll
    C:\WINDOWS\SYSTEM32\khrjuhpw.dll
    C:\WINDOWS\SYSTEM32\kqbpnodp.dll
    C:\WINDOWS\SYSTEM32\nyvgx.dll
    C:\WINDOWS\SYSTEM32\okkutyqk.dll
    C:\WINDOWS\SYSTEM32\qapmjasp.dll
    C:\WINDOWS\SYSTEM32\SETB4.tmp
    C:\WINDOWS\SYSTEM32\SETC0.tmp
    C:\WINDOWS\backup\TB040702.DAT
    C:\WINDOWS\SYSTEM32\tfusooeo.dll
    C:\WINDOWS\SYSTEM32\vxmmtwcg.dll
    C:\WINDOWS\SYSTEM32\wawnwcva.dll
    C:\WINDOWS\SYSTEM32\wpvalybq.dll
    C:\WINDOWS\SYSTEM32\xeimkhah.dll
    C:\WINDOWS\SYSTEM32\ypfkecmj.dll

    After running FileAssassin and rebooting, run HJT and fix the below lines if they still appear:

    O2 - BHO: (no name) - {285C46CA-F79C-473F-934F-832E2C651ED1} - C:\WINDOWS\system32\ypfkecmj.dll
    O20 - Winlogon Notify: cpojghio - C:\WINDOWS\SYSTEM32\ypfkecmj.dll

    Then attach new logs from ShowNew and HJT. Tell me how the steps went and if you ran into any problems.
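    The O20 and O2 lines above come from two registry persistence points: the Winlogon Notify packages that winlogon.exe loads at logon, and the Browser Helper Objects that Internet Explorer loads by CLSID. The PowerShell below is an added example, not code from the thread or from HijackThis; it walks both locations, resolves each DLL the way the loader would, and flags entries whose file is missing (HJT's "(file missing)") or not Authenticode-signed. It assumes it is run as Administrator, and the Winlogon\Notify key only exists on Windows 2000/XP.

```powershell
# Added example, not from the thread: enumerate the two persistence points that
# the O20 (Winlogon Notify) and O2 (BHO) HijackThis lines are read from, and flag
# entries whose DLL is missing or carries no valid Authenticode signature.
# Winlogon Notify packages exist only on Windows 2000/XP; on later Windows the
# key is absent and the script just reports that. Run as Administrator.

$entries = @()

# O20: each subkey under Winlogon\Notify names a DLL that winlogon.exe loads
# at logon, which is why a DLL listed here survives ordinary process kills.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notifyKey) {
    foreach ($sub in Get-ChildItem $notifyKey) {
        $entries += [pscustomobject]@{
            Source = 'WinlogonNotify'
            Name   = $sub.PSChildName
            Dll    = (Get-ItemProperty $sub.PSPath).DLLName
        }
    }
} else {
    Write-Host "No Winlogon\Notify key; this OS does not load notify packages."
}

# O2: BHO subkeys are CLSIDs; the DLL path lives in the CLSID's InprocServer32.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bhoKey) {
    foreach ($sub in Get-ChildItem $bhoKey) {
        $server = "Registry::HKEY_CLASSES_ROOT\CLSID\$($sub.PSChildName)\InprocServer32"
        $dll = $null
        if (Test-Path $server) { $dll = (Get-ItemProperty $server).'(default)' }
        $entries += [pscustomobject]@{
            Source = 'BHO'
            Name   = $sub.PSChildName
            Dll    = $dll
        }
    }
}

# Resolve a DLL reference the way the loader would: expand %VARS%, strip quotes,
# and look up bare file names (like "dssoundi.dll" in this thread) in System32.
function Resolve-DllPath([string]$Dll) {
    if ([string]::IsNullOrWhiteSpace($Dll)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Dll.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path "$env:SystemRoot\System32" $p }
    return $p
}

# Classify each entry: no path at all, missing file, unsigned, or signed (with
# the signer subject so a practitioner can see who vouches for the DLL).
$report = foreach ($e in $entries) {
    $path = Resolve-DllPath $e.Dll
    $verdict = 'NO PATH'
    if ($path) {
        if (-not (Test-Path -LiteralPath $path)) {
            $verdict = 'MISSING FILE'
        } else {
            $sig = Get-AuthenticodeSignature -FilePath $path
            if ($sig.Status -eq 'Valid') {
                $verdict = "signed: $($sig.SignerCertificate.Subject)"
            } else {
                $verdict = "UNSIGNED ($($sig.Status))"
            }
        }
    }
    [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Path = $path; Verdict = $verdict }
}

$report | Sort-Object Verdict | Format-Table -AutoSize -Wrap
```

An unsigned DLL in either location is not proof of infection, but on a Windows XP box a notify package or BHO with a random eight-letter name and no signature is exactly the pattern the HJT lines in this thread show.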
     
  11. mikekling

    mikekling Private E-2

    Still no change. FileASSASSIN had some problems deleting a few of the files:
    • C:\WINDOWS\SYSTEM32\kcndpdgq.dll "could not be deleted!"
    • C:\WINDOWS\SYSTEM32\khrjuhpw.dll "does not exist or is not visible to FileASSASSIN"
    • C:\WINDOWS\SYSTEM32\kqbpnodp.dll "does not exist or is not visible to FileASSASSIN"
    • C:\WINDOWS\SYSTEM32\nyvgx.dll "does not exist or is not visible to FileASSASSIN"
    • C:\WINDOWS\SYSTEM32\SETB4.tmp "does not exist or is not visible to FileASSASSIN"
    • C:\WINDOWS\SYSTEM32\tfusooeo.dll "does not exist or is not visible to FileASSASSIN"
    • C:\WINDOWS\SYSTEM32\ypfkecmj.dll "could not be deleted!"

    HJT still shows the two bad lines.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not completely true! Actually a bunch of items that we were trying to remove are now gone. The only items remaining are

    And the two files in C:\windows\System32
    Code:
    kcndpdgq.dll  Dec 24 2006       97792  "kcndpdgq.dll"
    ypfkecmj.dll  Dec 24 2006       59392  "ypfkecmj.dll"
    So now that we have removed all these other files, perhaps we can now finally do the below to fix the O2 and O20 line that you see in HJT. Let's give it a try.


    Start by downloading two tools we will need

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of ypfkecmj.dll once and then click the kill button. After you have killed all of the ypfkecmj.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs(If you do not find the dll, just continue on):
    kcndpdgq.dll

    Next double click on explorer.exe and again click once on each instance of ypfkecmj.dll and kill it. (If you do not find the dll, just continue on.)

    Now repeat the above step for the below DLLs (If you do not find the dll, just continue on):
    kcndpdgq.dll

    Now just exit Process Explorer.

    Please run HijackThis and click on the Open the Misc Tools Section button on the open page. Then select Open process manager on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click Kill process. Then click yes.
    C:\WINDOWS\system32\b8aae146.exe
    C:\WINDOWS\system32\f3d4c18.exe
    C:\DOCUME~1\Owner\APPLIC~1\SKS~1\javaw.exe
    C:\WINDOWS\??mantec\winlogon.exe
    C:\WINDOWS\TEMP\win32.tmp.exe

    After killing all the above processes, click Back.
    Then please click Scan and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {285C46CA-F79C-473F-934F-832E2C651ED1} - C:\WINDOWS\system32\ypfkecmj.dll
    O20 - Winlogon Notify: cpojghio - C:\WINDOWS\SYSTEM32\ypfkecmj.dll

    After clicking Fix, exit HJT.

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.
    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\system32\kcndpdgq.dll
    C:\WINDOWS\system32\ypfkecmj.dll

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt.
    If you receive a PendingFileRenameOperations prompt, just click OK to continue (But please let me know if you receive this message!).

    If Killbox does not reboot just reboot your PC yourself.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey - download the new version first
    2. ShowNew - download the new version first
    3. HJT


    Make sure you tell me how things are working now!

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies if you are using WinXP or WinMe.
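    The "Delete on Reboot" step and the PendingFileRenameOperations prompt both refer to the same mechanism: a REG_MULTI_SZ under Session Manager that Windows processes at the next boot, before the files are in use. The PowerShell below is an added example, not from the thread or from Pocket Killbox; it decodes that queue into (source, destination) pairs and checks whether the paths a removal tool was told to delete are queued and whether they are still on disk. The two paths in the usage call are the thread's; the function names are assumptions of this example.

```powershell
# Added example, not from the thread: dump the reboot-time rename/delete queue
# that "Delete on Reboot" tools such as Pocket Killbox schedule through
# MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT). The PendingFileRenameOperations
# value is a REG_MULTI_SZ of (source, destination) pairs; an empty destination
# means delete, and a destination starting with '!' means replace-if-exists.
# Sources use NT object paths (\??\C:\...), which are stripped for readability.
function Get-PendingFileOperation {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $prop = Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue
    if (-not $prop) { return @() }            # nothing queued for the next boot
    $raw = @($prop.PendingFileRenameOperations)
    $ops = @()
    for ($i = 0; $i -lt $raw.Count; $i += 2) {
        $src = [string]$raw[$i] -replace '^\\\?\?\\', ''
        if (-not $src) { continue }           # trailing empty entry
        $dst = ''
        if ($i + 1 -lt $raw.Count) { $dst = [string]$raw[$i + 1] }
        $replace = $dst.StartsWith('!')
        $dst = ($dst -replace '^!', '') -replace '^\\\?\?\\', ''
        $op = 'Rename'
        if ($dst -eq '') { $op = 'Delete' }
        $ops += [pscustomobject]@{
            Operation       = $op
            ReplaceExisting = $replace
            Source          = $src
            Destination     = $dst
            SourceExists    = Test-Path -LiteralPath $src
        }
    }
    return $ops
}

# Cross-check the queue against the paths a removal tool was told to delete.
# A path that is not queued was never scheduled (the tool was blocked); a path
# queued for delete that still exists after a reboot either resisted deletion
# or was recreated, which is the pattern this thread keeps hitting.
function Test-PendingDelete {
    param([string[]]$ExpectedPath)
    $queued = Get-PendingFileOperation | Where-Object { $_.Operation -eq 'Delete' }
    foreach ($p in $ExpectedPath) {
        $hit = $queued | Where-Object { $_.Source -eq $p }
        [pscustomobject]@{
            Path            = $p
            QueuedForDelete = [bool]$hit
            StillOnDisk     = Test-Path -LiteralPath $p
        }
    }
}

Get-PendingFileOperation | Format-Table -AutoSize
# Paths below are the two DLLs from this thread; substitute your own.
Test-PendingDelete -ExpectedPath 'C:\WINDOWS\system32\kcndpdgq.dll',
                                 'C:\WINDOWS\system32\ypfkecmj.dll' | Format-Table -AutoSize
```

Run it before the reboot to confirm the deletes were actually scheduled, and again afterwards: an entry that has left the queue while its file is back on disk means something recreated it, which is the respawning behaviour discussed earlier in this thread.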
     
  13. mikekling

    mikekling Private E-2

    We may be making progress but HJT still shows the two bad lines. I killed the bad dlls using Process Explorer (several ypfkecmj.dll under winlogon.exe and kcndpdgq.dll under explorer.exe). However none of these listed files showed as open processes in HJT:
    C:\WINDOWS\system32\b8aae146.exe
    C:\WINDOWS\system32\f3d4c18.exe
    C:\DOCUME~1\Owner\APPLIC~1\SKS~1\javaw.exe
    C:\WINDOWS\??mantec\winlogon.exe
    C:\WINDOWS\TEMP\win32.tmp.exe

    Did the scan and fix in HJT and then the Pocket Killbox procedure. As before, the PendingFileRenameOperations prompt appeared and I needed to reboot manually. After rebooting, I noticed that my daughter had also been logged on. Could this interfere with the file removal? Thanks.
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry about that. This was something I was supposed to edit out of the instructions for you. You did not have any of these processes.
    Yes it definitely could have.

    Rerun them with only one user account running. Also shut down all unnecessary processes and, in addition, instead of just looking at winlogon.exe and explorer.exe for copies of those DLLs, please look at ALL running processes. I think you have a new form of this trojan that may be hooking into more processes.
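    Checking every running process by hand in Process Explorer is slow and easy to get wrong, which is how the iexplore instances were missed at first. The PowerShell below is an added example, not from the thread or from Process Explorer; it enumerates the module list of every process in one pass and reports each process that has one of the named DLLs mapped, so the full set of hosts is known before any of them is touched. The DLL names are the two from this thread; the function name is an assumption of this example.

```powershell
# Added example, not from the thread: list every running process that has one
# of the given DLLs mapped, the "look at ALL running processes" step done in a
# single pass instead of opening each process in Process Explorer.
function Find-LoadedModule {
    param([Parameter(Mandatory)][string[]]$ModuleName)
    $hits = @()
    foreach ($p in Get-Process) {
        try {
            $mods = $p.Modules
        } catch {
            # A 32-bit shell cannot enumerate 64-bit processes, and protected
            # processes deny access; report it rather than skipping silently,
            # because "could not inspect" is not the same as "clean".
            $hits += [pscustomobject]@{
                ProcessName = $p.ProcessName; PID = $p.Id
                Module = '<access denied>'; Path = ''
            }
            continue
        }
        foreach ($m in $mods) {
            # -contains compares case-insensitively, matching how the loader
            # treats file names (ypfkecmj.dll vs YPFKECMJ.DLL).
            if ($ModuleName -contains $m.ModuleName) {
                $hits += [pscustomobject]@{
                    ProcessName = $p.ProcessName; PID = $p.Id
                    Module = $m.ModuleName; Path = $m.FileName
                }
            }
        }
    }
    return $hits
}

# The two DLL names are the ones this thread tracks; substitute your own.
$hosts = Find-LoadedModule -ModuleName 'ypfkecmj.dll', 'kcndpdgq.dll'
if ($hosts) {
    $hosts | Sort-Object ProcessName | Format-Table -AutoSize
} else {
    Write-Host 'No process currently has those modules loaded.'
}
```

Run it from an elevated 64-bit PowerShell so that winlogon.exe and other system processes can be inspected; an "<access denied>" row is a process that still needs to be checked another way, not one that is clean.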
     
  15. mikekling

    mikekling Private E-2

    Yes! I found many more instances of the trojans in another process (iexplorer.exe) and killed all. This time killbox exited and rebooted without the PendingFileRenameOperations prompt and HJT no longer finds:
    O2 - BHO: (no name) - {285C46CA-F79C-473F-934F-832E2C651ED1} - C:\WINDOWS\system32\ypfkecmj.dll
    O20 - Winlogon Notify: cpojghio - C:\WINDOWS\SYSTEM32\ypfkecmj.dll

    Thank you!! Am I clean?
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Good job! Was iexplorer.exe the only other process that had instances of these trojans in them?


    You're welcome and yes!

    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
  17. mikekling

    mikekling Private E-2

    Yes - iexplorer.exe, explorer.exe, and winlogon.exe were the only processes that had instances of these trojans in them. The unneeded files have been deleted (including backups using killbox), system restore was reset, AVG and ZoneAlarm are working well, and I followed the other instructions in your link. Hopefully, I will not need your help again but I will check your very useful website periodically. Thanks again for your excellent advice.

    mikekling
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome Mike. No solution is absolutely foolproof but the tips in that thread go a long way to keeping a PC clean. Remember nothing can protect you from you. If you decide to do something that should not be done, the security applications are basically being overruled by you. Thus an educated surfer is the best defense. :D

    Surf safely!
     
