Winlogonhook problem

jlogicbud · Oct 23, 2006

Hello:

I was wondering if some assistance can be provided please.
I have a problem with Trojan winlogonhook that my spysweeper found but I can seem to remove it. I did follow one of the older tread instructions (http://forums.majorgeeks.com/showthread.php?t=88615) ; but, it still didn't work, any assistance is greatly appreciated.
The message with spy sweeper is as follows:

Found Trojan Horse: trojan agent winlogonhook
9:04 PM: HKLM\software\microsoft\mssmgr\

During the scan Spy Sweeper say it removes it.

Quote:
9:48 PM: Removal process initiated
9:48 PM: Quarantining All Traces: trojan agent winlogonhook

Now, I've tried the new AVG software, sypdoctor, Nortons, ad-ware; but, I still can't get rid of this trojan.
Any assistance is greatly appreciated.

Thank You.

My apologies, here's my logs from running hijackthis:

EDIT: inline HJT log removed

jlogicbud · Oct 22, 2006

Update...ran spydoctor.....generated the following logs; but, shareware won't remove unless I purchase...help?!?!?

Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR## High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##Brnd High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##PSTV High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##SCLIST High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##SSLIST High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\MSSMGR##SSTV High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winkxe32 High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winkxe32## High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winkxe32##Asynchronous High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winkxe32##DllName High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winkxe32##Impersonate High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winkxe32##Shutdown High
Trojan.Downloader.Small.CML HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winkxe32##Startup High

DavidGP · Oct 23, 2006

Hi and welcome

Please follow the below guide and attach the requested logs.

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

Make sure you check version numbers and get all updates.

Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

[*]runkeys.txt - the log from GetRunKey.bat
[*]newfiles.txt - the log from ShowNew.bat

CounterSpy - ONLY IF you were not able to run Windows Defender

Bitdefender - from step 6

Panda Scan - from step 6

HijackThis

NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!

jlogicbud · Oct 25, 2006

Hello Halo:

Thanks for your assistance; but, it appears that I have removed the trojan myself. For those of you who also have the same problem this is what I did:

1) logon in safe mode and found winkex32.dll in the system32 folder and renamed it to something else.
2) Went into the registry and deleted the two entries:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winkxe32
HKLM\SOFTWARE\Microsoft\MSSMGR
3) Restarted machine in safe mode again, deleted the renamed winkex32 file.
4) Rescanded system with Spysweeper, spybot and bitdefender online scanner and all appears to be clean.

I believe I've removed it.

Thanks

P.S. great site, lots of info...I'm glad I joined!

chaslang · Oct 26, 2006

That is part of what we do in our manual steps to remove winlogonhook. If you searched this forum you would see many threads where we do that. However, it is advisable that you complete the READ ME as requested. In greater than 90% of cases where winlogonhook has showed up, so have multiple other infections. Most frequently appearing with winlogonhook is one of the many forms of Virtumonde.

Log in or Sign up

Winlogonhook problem

jlogicbud Private E-2

jlogicbud Private E-2

DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

jlogicbud Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member