Problem with winlogonhook trojan!!

matcom

Welcome,

I had a problem with this trojan winlogonhook on my computer.

I have Windows XP Home Edition installed on my computer. There were
some topics about this trojan, but for other versions of
Windows. I'm not very knowledgeable in these matters, so please give me step by
step advice on what to do.

Thanks for all the information

Mateusz
 
From: "matcom" <[email protected]>

| Welcome,
|
| I had a problem with this trojan winlogonhook on my computer.
|
| I have Windows XP Home Edition installed on my computer. There were
| some topics about this trojan, but for other versions of
| Windows. I'm not very knowledgeable in these matters, so please give me step by
| step advice on what to do.
|
| Thanks for all the information
|
| Mateusz

It would help to name the AV software that declared this Trojan and the fully qualified
name and path to the file(s) deemed to be infected with this Trojan.
 
Welcome,

I had a problem with this trojan winlogonhook on my computer.

I have Windows XP Home Edition installed on my computer. There were
some topics about this trojan, but for other versions of
Windows. I'm not very knowledgeable in these matters, so please give me step by
step advice on what to do.

Let me guess, since you've not supplied sufficient information: Spy
Sweeper detected and removed the malware, but you keep on
getting reinfected because you failed to flush System Restore.
If that's the case, then have Spy Sweeper or Ewido or whatever
you used to detect the Trojan remove it again. Then follow these
steps:

1. Right click the My Computer icon on the Desktop and click on
Properties.
2. Click on the System Restore tab.
3. Put a check mark next to 'Turn off System Restore on All Drives'.
4. Click the 'OK' button.
5. You will be prompted to restart the computer. Click Yes.

Now once you have rebooted the computer you will need to re-enable
System Restore.
To re-enable the Restore Utility, follow steps one to five and on step
three remove the check mark next to 'Turn off System Restore on All
Drives'.

Finally, run your antimalware program again to verify that the
Trojan is indeed gone.

Art
http://home.epix.net/~artnpeg
 
Art wrote:
Let me guess, since you've not supplied sufficient information: Spy
Sweeper detected and removed the malware, but you keep on
getting reinfected because you failed to flush System Restore.
If that's the case, then have Spy Sweeper or Ewido or whatever
you used to detect the Trojan remove it again. Then follow these
steps:

1. Right click the My Computer icon on the Desktop and click on
Properties.
2. Click on the System Restore tab.
3. Put a check mark next to 'Turn off System Restore on All Drives'.
4. Click the 'OK' button.
5. You will be prompted to restart the computer. Click Yes.

Now once you have rebooted the computer you will need to re-enable
System Restore.
To re-enable the Restore Utility, follow steps one to five and on step
three remove the check mark next to 'Turn off System Restore on All
Drives'.

Finally, run your antimalware program again to verify that the
Trojan is indeed gone.

Art
http://home.epix.net/~artnpeg



OK, I will do that, and later today in the afternoon I will post my log
here so that you will be able to look at it and give additional info if required.

We will see what happens.
 
Art wrote:
OK, I will do that, and later today in the afternoon I will post my log
here so that you will be able to look at it and give additional info if required.

We need to know _where_ your antimalware product finds the malware,
and which antimalware product is alerting. It may be that it's just
continually finding it in your System Restore. If so, it can't remove
the malware from there.

Art
http://home.epix.net/~artnpeg
 
Art wrote:
We need to know _where_ your antimalware product finds the malware,
and which antimalware product is alerting. It may be that it's just
continually finding it in your System Restore. If so, it can't remove
the malware from there.

Art
http://home.epix.net/~artnpeg


Yes, I did as you wrote, step by step, point by point, and after all that, when
I started my Spy Sweeper one more time, the trojan horse appeared again.
Here is the part of the log with this information:

19:34: Cookie Sweep Complete, Elapsed Time: 00:00:00
19:34: Starting Cookie Sweep
19:34: Registry Sweep Complete, Elapsed Time:00:00:15
19:33: HKLM\software\microsoft\mssmgr\ (ID = 937101)
19:33: Found Trojan Horse: trojan agent winlogonhook
19:33: Starting Registry Sweep
19:33: Memory Sweep Complete, Elapsed Time: 00:01:14
19:32: Starting Memory Sweep
19:32: Sweep initiated using definitions version 724
19:32: Spy Sweeper 5.0.5.1286 started
19:32: | Start of Session, 27 July 2006 |


Awaiting your next help :-)

Thank you in advance
 
Yes, I did as you wrote, step by step, point by point, and after all that, when
I started my Spy Sweeper one more time, the trojan horse appeared again.
Here is the part of the log with this information:

19:34: Cookie Sweep Complete, Elapsed Time: 00:00:00
19:34: Starting Cookie Sweep
19:34: Registry Sweep Complete, Elapsed Time:00:00:15
19:33: HKLM\software\microsoft\mssmgr\ (ID = 937101)
19:33: Found Trojan Horse: trojan agent winlogonhook
19:33: Starting Registry Sweep
19:33: Memory Sweep Complete, Elapsed Time: 00:01:14
19:32: Starting Memory Sweep
19:32: Sweep initiated using definitions version 724
19:32: Spy Sweeper 5.0.5.1286 started
19:32: | Start of Session, 27 July 2006 |

First of all, I did a quick check on Spy Sweeper and it doesn't
turn up on a list of Rogue anti spyware apps. In fact, there
was some implication that it might be ok. But that doesn't
mean it won't false alarm.

Second, what does a sweep of Windows show? The empty
memory sweep indicates that Spy Sweeper doesn't find
any malware actively running.

The registry sweep alert on \mssmgr\ doesn't show entries
as I'd expect to see them, and that report means nothing
to me.

Have you run the usual recommended antispyware products
such as Spybot S&D, AdAware and SuperAntiSpyware as
cross checks? Have you tried anti-Trojans such as Ewido?
Which antivirus products do you use? Which ones have
you tried?

Sorry I can't help you any more than that. I'd try other
known good scanners to see if they find anything. BTW,
it's best to scan in Safe mode. Are you doing that?

Art
http://home.epix.net/~artnpeg
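Art's question is "where does the product find it?", and the snippet above only shows a registry key with an ID, no file. The following is an added Python example, not code from the thread or from Webroot, that parses Spy Sweeper-style log lines into detections and classifies each reported location as a live registry key, a System Restore snapshot (the case Art suspects, where a scanner can alert but cannot clean), or an ordinary file. The log-format assumptions (newest line first; a "Found <kind>: <name>" line followed by one or more "<location> (ID = n)" lines; sweep start/complete lines delimit a detection) are inferred from the snippet above. The first sample is the log from the post; the second session is constructed for illustration, with a made-up restore-point path and ID.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Log lines as posted in the thread (Spy Sweeper writes newest first).
SAMPLE_LOG = """\
19:34: Cookie Sweep Complete, Elapsed Time: 00:00:00
19:34: Starting Cookie Sweep
19:34: Registry Sweep Complete, Elapsed Time:00:00:15
19:33: HKLM\\software\\microsoft\\mssmgr\\ (ID = 937101)
19:33: Found Trojan Horse: trojan agent winlogonhook
19:33: Starting Registry Sweep
19:33: Memory Sweep Complete, Elapsed Time: 00:01:14
19:32: Starting Memory Sweep
19:32: Sweep initiated using definitions version 724
19:32: Spy Sweeper 5.0.5.1286 started
19:32: | Start of Session, 27 July 2006 |
"""

# CONSTRUCTED continuation (not from the thread): a later file sweep that hits a copy
# sitting inside a System Restore point. Path, GUID and ID are hypothetical.
CONSTRUCTED_LOG = """\
20:02: File Sweep Complete, Elapsed Time: 00:04:10
20:01: c:\\system volume information\\_restore{00000000-0000-0000-0000-000000000000}\\rp12\\a0001234.exe (ID = 999999)
20:01: Found Trojan Horse: trojan agent winlogonhook
19:58: Starting File Sweep
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}): (.*)$")
FOUND_RE = re.compile(r"^Found (?P<kind>[^:]+): (?P<name>.+)$")
LOC_RE = re.compile(r"^(?P<location>.+?) \(ID = (?P<id>\d+)\)$")


@dataclass
class Detection:
    kind: str
    name: str
    time: str
    locations: List[str] = field(default_factory=list)


def classify(location: str) -> str:
    """Where does the alert live? Only 'file' and 'registry' hits are on the live system;
    a System Restore hit is a snapshot the scanner can see but not clean."""
    loc = location.strip().lower()
    if re.match(r"^(hklm|hkcu|hkcr|hku|hkey_)", loc):
        return "registry"
    if "system volume information" in loc and "_restore" in loc:
        return "system_restore"
    return "file"


def parse_log(text: str) -> List[Detection]:
    """Walk the newest-first log oldest-first so each 'Found' line precedes its locations."""
    detections: List[Detection] = []
    current = None
    for raw in reversed(text.splitlines()):
        m = LINE_RE.match(raw)
        if not m:
            continue
        time, body = m.groups()
        found = FOUND_RE.match(body)
        if found:
            current = Detection(kind=found["kind"], name=found["name"], time=time)
            detections.append(current)
            continue
        loc = LOC_RE.match(body)
        if loc and current is not None:
            current.locations.append(loc["location"])
            continue
        # Any other line (sweep start/complete, session marker) closes the current detection.
        current = None
    return detections


def report(text: str) -> List[Tuple[str, str, str]]:
    """(name, location, classification) for every location of every detection."""
    return [(d.name, loc, classify(loc)) for d in parse_log(text) for loc in d.locations]


if __name__ == "__main__":
    for name, loc, where in report(CONSTRUCTED_LOG + SAMPLE_LOG):
        print(f"{name}: {loc} -> {where}")
```

Run against the posted log alone, the only location is the registry key, which matches Art's reading that nothing was found running in memory; a location classified as system_restore is the case where flushing System Restore, as described earlier in the thread, is the fix rather than another scan.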
 
From: "Art" <[email protected]>

|
| First of all, I did a quick check on Spy Sweeper and it doesn't
| turn up on a list of Rogue anti spyware apps. In fact, there
| was some implication that it might be ok. But that doesn't
| mean it won't false alarm.
|
| Second, what does a sweep of Windows show? The empty
| memory sweep indicates that Spy Sweeper doesn't find
| any malware actively running.
|
| The registry sweep alert on \mssmgr\ doesn't show entries
| as I'd expect to see them, and that report means nothing
| to me.
|
| Have you run the usual recommended antispyware products
| such as Spybot S&D, AdAware and SuperAntiSpyware as
| cross checks? Have you tried anti-Trojans such as Ewido?
| Which antivirus products do you use? Which ones have
| you tried?
|
| Sorry I can't help you any more than that. I'd try other
| known good scanners to see if they find anything. BTW,
| it's best to scan in Safe mode. Are you doing that?
|
| Art
| http://home.epix.net/~artnpeg

I concur with Art.

No substantiating information provided in the LOG snippet.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall or allow WGET.EXE through your
firewall so it can download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 