winlogonhook removal

Discussion in 'Malware Help (A Specialist Will Reply)' started by sangreal, Aug 4, 2006.

  1. sangreal

    sangreal Private E-2

    Hi

    I'm having problems removing a winlogonhook infested file, can you please help me?

    I've scanned my computer with both Norton and Webroot Spy Sweeper in both normal and safe mode, but nothing helped.
    I've attached my HijackThis log to this post, and hope you can help me. I'm going crazy with this non-removable Trojan Horse.
     

    Attached Files:

  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi and Welcome to Majorgeeks!


    First off try the removals procedure in this guide Winlogonhook Removal Procedure

    then continue onto the below.


    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.


    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:

      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • CounterSpy - ONLY IF you were not able to run Windows Defender
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • HijackThis

    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. sangreal

    sangreal Private E-2

    Thanks for responding so quickly.
    I've done all of the above, except for the Bitdefender; my computer crashes every time I try to run it. If it is very necessary to have the log from the scan, I will try again, but I'm not sure if it will work.

    Here are two of the logs, the others will follow shortly.
     

    Attached Files:

  4. sangreal

    sangreal Private E-2

    Here are the last two. Let me know if you really need the Bitdefender log.
     
  5. sangreal

    sangreal Private E-2

    Okay, trying one more time to attach the logs :)
     

    Attached Files:

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    We are going to have to do a manual fix on one particular infection you have. First, let's get you started by following a simple fix.

    Before you start this fix I need you to close Spy Sweeper and exit ALL browsers.

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Reboot to Safe Mode!

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    O2 - BHO: (no name) - {A251705C-5EC5-4A0D-8C20-E5FB8E3A0307} - C:\WINNT\system32\mljgf.dll
    O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINNT\system32\ddcdeed.dll

    O4 - HKLM\..\RunOnce: [Panda_cleaner_297500] C:\WINNT\system32\ActiveScan\pavdr.exe xPanda ActiveScan 297500

    O20 - AppInit_DLLs: C:\WINNT\system32\wmfhotfix.dll
    O20 - Winlogon Notify: ddcdeed - C:\WINNT\SYSTEM32\ddcdeed.dll
    O20 - Winlogon Notify: mljgf - C:\WINNT\system32\mljgf.dll
    O20 - Winlogon Notify: winmbj32 - C:\WINNT\SYSTEM32\winmbj32.dll

    Again, make sure ALL browser windows are closed when you click FIX.

    Next, run CCleaner to clean up cookies and temp files.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Once you complete this post and have rebooted back to normal mode please attach a fresh HJT log.
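The O2 and O20 lines above are three DLL load points: Browser Helper Objects (loaded by Internet Explorer), AppInit_DLLs (loaded into every process that maps user32.dll) and Winlogon Notify packages (loaded by winlogon.exe itself, which is why the DLL cannot be deleted while the system is up). As an added example that is not from the thread or from HijackThis, the PowerShell below enumerates the same three load points on the local machine, resolves each entry to a file the way the loader would, and flags entries whose DLL is missing or unsigned, listing which running processes currently have it mapped. It is read-only; run it from an elevated prompt.

```powershell
# Added example: enumerate the load points HijackThis reports as O2 (BHO),
# O20 AppInit_DLLs and O20 Winlogon Notify, and flag suspicious DLLs.
# Read-only; run from an elevated PowerShell prompt on Windows.

function Resolve-LoadPath([string]$Raw) {
    # Notify and AppInit entries are often bare names that the loader resolves via System32.
    if ([string]::IsNullOrWhiteSpace($Raw)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($Raw.Trim().Trim('"'))
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path "$env:SystemRoot\System32" $p }
    return $p
}

function Get-DllLoadPoints {
    $items = @()

    # O20 - Winlogon Notify: winlogon.exe loads each subkey's DllName at logon (Windows 2000/XP).
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($k in Get-ChildItem $notify) {
            $items += [pscustomobject]@{
                Type = 'WinlogonNotify'
                Name = $k.PSChildName
                Path = (Get-ItemProperty $k.PSPath).DllName
            }
        }
    }

    # O20 - AppInit_DLLs: space- or comma-separated list loaded into every process that maps user32.dll.
    $win = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
    foreach ($d in (([string]$win.AppInit_DLLs -split '[ ,]+') | Where-Object { $_ })) {
        $items += [pscustomobject]@{ Type = 'AppInit_DLLs'; Name = $d; Path = $d }
    }

    # O2 - BHO: each CLSID here maps to a DLL through HKCR\CLSID\{clsid}\InprocServer32.
    $bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bho) {
        foreach ($k in Get-ChildItem $bho) {
            $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$($k.PSChildName)\InprocServer32"
            $dll = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { $null }
            $items += [pscustomobject]@{ Type = 'BHO'; Name = $k.PSChildName; Path = $dll }
        }
    }
    return $items
}

# Which running processes have this DLL mapped? Module lists of protected processes throw; skip them.
function Get-ProcessesLoading([string]$FullPath) {
    foreach ($proc in Get-Process) {
        try {
            if ($proc.Modules | Where-Object { $_.FileName -ieq $FullPath }) { $proc.Name }
        } catch { }
    }
}

$report = foreach ($e in Get-DllLoadPoints) {
    $full   = Resolve-LoadPath $e.Path
    $exists = $full -and (Test-Path -LiteralPath $full)
    $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $full).Status } else { 'n/a' }
    $hosts  = if ($exists) { @(Get-ProcessesLoading $full) } else { @() }
    [pscustomobject]@{
        Type      = $e.Type
        Name      = $e.Name
        Path      = $full
        Exists    = [bool]$exists
        Signature = $sig
        LoadedIn  = ($hosts -join ',')
        # A dangling entry (the thread later shows one as "(file missing)") or an unsigned DLL
        # in a logon-time load point is worth a closer look.
        Suspect   = (-not $exists) -or ($sig -ne 'Valid')
    }
}
$report | Sort-Object Suspect -Descending | Format-Table -AutoSize
```

Two caveats. On the poster's system (C:\WINNT, so Windows 2000 or an upgrade from it) all three were legitimate extension points that the malware merely abused, so a listed DLL is not bad by itself; it is the combination of an unsigned file with a random-looking name loaded by winlogon.exe that matters. On current Windows the picture is different: Winlogon notification packages have not been loaded since Windows Vista, and AppInit_DLLs is ignored when Secure Boot is enabled, so on a modern machine any non-empty Notify key or AppInit_DLLs value deserves attention on its own.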
     
  7. sangreal

    sangreal Private E-2

    I've done the above, but could not locate the:

    O4 - HKLM\..\RunOnce: [Panda_cleaner_297500] C:\WINNT\system32\ActiveScan\pavdr.exe xPanda ActiveScan 297500

    in the Hijack Scan, otherwise everything seems to have worked out okay.
    Well more than okay actually, because the virus is gone.
    Thank you so much for your help. :)

    I'll attach the new HijackThis log in case there is more to be done before my computer is clean from infections.
     

    Attached Files:

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before we run the manual fix, I would like to see if this utility will be helpful. Please follow the thread below, once you have completed it, reboot and attach a fresh HJT log. Also if the utility shows a log try to attach it.

    WinAntiVirus/WinFixer Removal
     
  9. sangreal

    sangreal Private E-2

    Done.

    I got an error after rebooting after using the SysProtect remover utility saying "Could not load graphics .dll" or something, is that related to the SysProtect?
     

    Attached Files:

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay let's start by downloading two tools we will need:

    - Process Explorer 9.2

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    Reboot in Safe Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of mljgf.dll once and then click the kill button. After you have killed all of the mljgf.dll's under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of mljgf.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {69E619CC-1B84-4FF6-BD9F-8C67E7CC6434} - C:\WINNT\system32\mljgf.dll

    O20 - Winlogon Notify: mljgf - C:\WINNT\system32\mljgf.dll
    O20 - Winlogon Notify: winmbj32 - winmbj32.dll (file missing)


    Copy the bold text below to notepad. Save it as fixVundo.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.

    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note many of the file list below may not exist but we need to check for them anyway.

    C:\WINNT\system32\mljgf.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot post a new HJT log.
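KillBox's "Delete on Reboot" option exists because mljgf.dll is mapped into winlogon.exe and explorer.exe and cannot be unlinked while it is loaded, which is also why the post first kills its threads in Process Explorer. Added example, not the thread's own or Pocket KillBox's code: the PowerShell below shows the documented Windows mechanism for deferred deletion (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the request in the PendingFileRenameOperations value that Session Manager processes at the next boot, before winlogon or any user-mode DLL is loaded) and reads the queue back so you can confirm the entry before rebooting. Whether KillBox uses exactly this call is an assumption; the target path is the one named in the post. Run from an elevated prompt.

```powershell
# Added example: the mechanism behind "Delete on Reboot".
# Run from an elevated prompt. The path below is the one named in the thread.
$Target = 'C:\WINNT\system32\mljgf.dll'

Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # with a null destination this means "delete at next boot"

function Get-PendingFileOps {
    # REG_MULTI_SZ of source/destination pairs in NT path syntax (\??\C:\...).
    # An empty destination is a delete. smss.exe applies the list early in boot,
    # before the DLL can be loaded again, which is why the lock no longer matters.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -Path $key -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if (-not $ops) { return }
    for ($i = 0; $i -lt $ops.Count; $i += 2) {
        $dst = if ($i + 1 -lt $ops.Count) { $ops[$i + 1] } else { '' }
        [pscustomobject]@{
            Source      = $ops[$i]
            Destination = $dst
            Action      = if ([string]::IsNullOrEmpty($dst)) { 'delete' } else { 'rename' }
        }
    }
}

function Add-DeleteOnReboot([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) {
        # The post notes that some listed files may not exist; that is not an error.
        Write-Warning "$Path is not present; nothing queued."
        return $false
    }
    # Needs administrator rights: the value lives under HKLM\SYSTEM.
    if (-not [Win32.Kernel32]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        $code = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed, Win32 error $code"
    }
    return $true
}

Write-Host 'Queued before:'; Get-PendingFileOps | Format-Table -AutoSize
if (Add-DeleteOnReboot $Target) {
    Write-Host 'Queued after:'; Get-PendingFileOps | Format-Table -AutoSize
    # Nothing is deleted until the reboot; a duplicate entry for the same file is harmless.
}
```

Get-PendingFileOps is also worth running on its own during an investigation: the same value can be used by malware to have a security product's file removed at the next boot, and it is not shown by HijackThis or the startup folder.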
     
  11. sangreal

    sangreal Private E-2

    Done
     

    Attached Files:

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log looks good, are you having any current problems?
     
  13. sangreal

    sangreal Private E-2

    I have no big problems.
    But every time I start my computer I get an error message saying "Could not load graphics DLL". This has happened ever since I took the SysProtector test.
    Do you know of any way to remove or fix the problem?
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    In the READ ME, go back and run GetRunKey and attach this log. I would like to see if there is anything loading at startup we can't see in HJT.
     
  15. sangreal

    sangreal Private E-2

    Done
     

    Attached Files:

  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Reboot into Safe Mode!

    Click Start > Run > type in regedit

    Manually navigate to the following key:

    [HKEY_LOCAL_MACHINE\software\microsoft\mssmgr]

    Right click on mssmgr and select "Permissions". In the list click on "Everyone" and at the bottom, check the box next to "Full Control". Click OK to exit. If you do not have "Everyone", add it and then check "Full Control".

    Now right click on "mssmgr" and delete it. If you get any errors let me know!

    Once you're done, reboot and attach new GetRunKey and ShowNew logs.
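The permissions step is needed because a key that an administrator cannot delete normally has a DACL the malware rewrote. As an added example that is not from the thread, the PowerShell below performs the same regedit steps from an elevated prompt (the post does them in Safe Mode): show the current ACL, grant Everyone Full Control, drop any Deny entries that would override that grant, delete the key and then confirm it is really gone. The key path is the one named in the post.

```powershell
# Added example: the regedit steps from the post as a script.
# Run from an elevated prompt. Key path is the one named in the post.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\mssmgr'

function Remove-LockedRegistryKey([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Host "$Path is not present."
        return $false
    }

    # Step 1: show who currently has access. Deny entries, or no entry at all for
    # Administrators, are the usual reason regedit refuses the delete.
    $acl = Get-Acl -LiteralPath $Path
    $acl.Access | Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize | Out-String | Write-Host

    # Step 2: the post's "Everyone: Full Control". S-1-1-0 is the well-known Everyone SID,
    # so this also works on systems where the group has a localized name.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $everyone,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    )
    $acl.SetAccessRule($rule)
    # A Deny entry beats the Allow just added, so remove explicit Deny rules as well.
    foreach ($deny in @($acl.Access | Where-Object { $_.AccessControlType -eq 'Deny' })) {
        [void]$acl.RemoveAccessRule($deny)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    # Step 3: delete, then verify rather than trusting the absence of an error.
    Remove-Item -LiteralPath $Path -Recurse -Force
    return -not (Test-Path -LiteralPath $Path)
}

if (Remove-LockedRegistryKey $KeyPath) { "Deleted $KeyPath" } else { "Could not delete $KeyPath" }
```

If Get-Acl itself is refused, the key's owner has been changed to something you cannot read and ownership has to be taken first (in regedit: Permissions > Advanced > Owner, from an account holding SeTakeOwnershipPrivilege), then the script can be rerun. Granting Everyone Full Control is acceptable only because the key is deleted in the same step; if the delete fails, restore the previous ACL rather than leaving a world-writable key under HKLM.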
     
  17. sangreal

    sangreal Private E-2

    I deleted mssmgr but the error is still there at startup.

    Attached new GetrunKey and ShowNew logs.
     

    Attached Files:

  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    Once you complete this post, reboot and attach a fresh HJT log. Also, if possible, please attach a screenshot of the error you're getting on startup.
     
  19. sangreal

    sangreal Private E-2

    Ran Killbox, and the error is still there.

    Added a screenshot of the error plus a new Hijack log.
     

    Attached Files:

  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log looks good, however this error I am not sure about. There is nothing showing in your startup that could be related.

    Check the "Startup" folder in Start > All Programs, see if there is anything there related to this.

    If there is nothing in that folder related then I will have to request this be posted in the Software Forum. Those guys may know something I don't regarding this error.

    Let me know what they come up with.
     
  21. sangreal

    sangreal Private E-2

    The only program listed in the startup folder is the Logitech SetPoint, and I doubt that it has anything to do with that.

    I'll head over to the software forum and see if they know what it might be.

    Thanks for all your help.
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome!

    I do not see anything in any of your logs that refers to that error message so I am not sure what's causing that. The guys over in Software should be able to take care of it.
     
