Jul 31 2006, 12:09 AM
Post #1
New Member | Group: Members | Posts: 1 | Joined: 31-July 06 | Member No.: 78,644
http://support.microsoft.com/kb/322756 Also, before carrying out these instructions, please see the comments posted below. --PK

I have just encountered the trojan winlogonhook found with Spysweeper. After reading and searching for hours and downloading countless programs to rid my two systems of the trojan, I accidentally discovered a much easier way to remove the stubborn SOB:

1. Run Spysweeper to find the trojan.
2. Click next - expand the trojan location folder, which is a registry file.
3. Go to Run - type "regedit".
4. Open HKEY_LOCAL_MACHINE.
5. Find "Microsoft" and click on MSSGER (can't remember exactly, but you'll see it in the Spysweeper location), and delete the whole file.
6. In Spysweeper check the trojan for removal and voilà, all done.

This way was tested on two systems and rebooted and scanned again with no trojan. Hope it helps people because this %#^@ me to tears.

This post has been edited by Papakid: Aug 2 2006, 01:28 PM
Aug 2 2006, 03:18 PM
Post #2
Guru at being a Newbie | Group: HJT Team | Posts: 5,715 | Joined: 8-April 04 | Member No.: 96
Hi Mirken,

Thanks for your input. We do, however, need to be very cautious when dealing with the registry. Please don't ask people to delete something without giving the exact details and spelling. Is it a key or a value? From what I know of this trojan the correct spelling may be msmssrv. http://research.sunbelt-software.com/threa...;threatid=44394 That is if this is the same version of what SpySweeper calls Winlogonhook.

Some with this infection have this file: winmxw32.dll

There are related trojans that have a file win***32.dll, where *** are three random numbers. http://www.bleepingcomputer.com/startups/i...&act=search

Another related trojan may have this in the reg key you mentioned: MSSMGR http://www.sophos.com/security/analyses/trojdloadrtw.html

I'm glad that this fix has worked for you and that you've got it cleared, and we really appreciate you wanting to share this with everyone. But most likely this won't work for everyone. This is a family of trojans that changes often to avoid being defined. Not only do the infection files change, but file names vary from machine to machine by using random file names, and the infectious programs can be configured remotely so that what it does is specific to each machine. For people who have run SpySweeper to clean up the other files and reg entries, your method may work. But this is a very sophisticated infection.

The reason it is called Winlogonhook is because it usually affects a registry key that loads the trojan as part of Windows Explorer, the shell of Windows itself that starts when you log on to Windows--before even those startups you see in the system tray that are controlled by msconfig. That reg key that does that is not the one you mentioned. The Notify key and the file it is running must be treated carefully, or you may be unable to log on. The file resists deletion because it is "in use", and to unload it in the normal way you have to kill the Windows Explorer process, which will make your desktop disappear.

For this and other reasons I suggest anyone with this infection--and BTW, it is called many other different things by different security software vendors--submit a HijackThis log for help with correct removal. Preparation Guide For Use Before Posting A Hijackthis Log

One important reason for doing it this way is because this is a downloader/agent trojan. Which means that it is in contact with a website where it downloads all sorts of nasties to the infected computer. You might even consider doing this yourself. SpySweeper is a very effective program and may have cleaned it all up, but no one program can keep up with everything and you may still have some things to get rid of.

--------------------
You know everybody is ignorant, only on different subjects. - Will Rogers
To stay secure is to stay updated. Calendar of Updates.
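A read-only triage script for the Winlogon Notify key the reply above describes, written here as an added example (not code from the thread or from any of the tools named in it). It assumes a Windows XP/2003-era system where that key exists, treats the names and the win***32.dll pattern quoted in the reply as indicators, and only reports, leaving removal to the HijackThis process the reply recommends.

```powershell
# Added example: read-only triage of the Winlogon Notify key described in the reply.
# Assumes Windows XP/2003 (the Notify key was removed in Vista and later).
# Nothing is deleted or modified; the output is meant to go into a help request.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32  = Join-Path $env:SystemRoot 'system32'

# Names quoted in the thread, used as indicators (spellings vary between variants)
$knownNames    = @('msmssrv', 'mssmgr', 'winmxw32.dll')
# The reply's "win***32.dll" pattern, where *** are three digits
$randomPattern = '^win\d{3}32\.dll$'

function Get-NotifyDllReport {
    param([string]$Key = $notifyKey)
    if (-not (Test-Path $Key)) {
        Write-Warning "Notify key not present at $Key (expected on XP/2003 only)."
        return @()
    }
    foreach ($sub in Get-ChildItem $Key) {
        $props = Get-ItemProperty $sub.PSPath
        $dll   = [string]$props.DLLName
        # Notify entries normally name a bare file in system32; resolve relative names there
        $path   = if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { Join-Path $system32 $dll } else { $dll }
        $exists = [bool]($dll -and (Test-Path $path))
        # Legitimate Notify DLLs shipped by Windows carry a valid Authenticode signature
        $signed = if ($exists) { (Get-AuthenticodeSignature $path).Status -eq 'Valid' } else { $false }

        $flags = @()
        if ($knownNames -contains $sub.PSChildName -or $knownNames -contains $dll) { $flags += 'name-in-thread' }
        if ($dll -match $randomPattern) { $flags += 'win###32-pattern' }
        if ($exists -and -not $signed)  { $flags += 'unsigned' }
        if ($dll -and -not $exists)     { $flags += 'missing-file' }

        # New-Object rather than [pscustomobject] so it runs on the PowerShell 2.0 found on XP
        New-Object PSObject -Property @{
            Subkey  = $sub.PSChildName
            DLLName = $dll
            Path    = $path
            Exists  = $exists
            Signed  = $signed
            Flags   = ($flags -join ',')
        }
    }
}

Get-NotifyDllReport | Format-Table Subkey, DLLName, Exists, Signed, Flags -AutoSize
```

Any entry flagged here is a candidate to mention in the HijackThis log request, not something to delete on the spot, since, as the reply notes, removing the wrong Notify entry can leave the machine unable to log on.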