
Winlogonhook


5 replies to this topic

#1 LuKeY

LuKeY

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:42 PM

Posted 26 May 2006 - 06:15 AM

Hi, I was wondering if someone could help me, as I'm tearing my hair out (and I haven't got enough to lose)

A couple of days ago, my Anti Virus software (F-Prot 3.16f) started telling me that I had infected files. (this was just the start of the trouble).

The files it mentioned were -

C:\WINDOWS\TEMP\winB.tmp.exe and many others of the same kind but with the letter changed (i.e. winE.tmp.exe)

I wasn't overly concerned as I've never had too much trouble in getting rid of nasties before. However, upon looking in the temp folder there were thousands of files like "win5.tmp" and a few more variants of the original suspicious file.

I scanned the system with F-Prot and it found only the file winB.tmp.exe type files and deleted them.

I restarted my computer, and F-Prot again started warning me that these temp files "could be infected with an unknown virus". I checked the temp directory again and found it full once again of this mixture of temp files. In fact they were appearing before my eyes.

I then ran SpySweeper, and it identified a "Winlogonhook" Trojan virus and removed it.

I restarted, ran it again (as F-Prot continued to come up with warnings) and SpySweeper again found the Trojan. I then ran SpySweeper in Safe Mode and it again found the Trojan. I ran F-Prot, Smitrem, TrojanHunter, and MS nasty software remover (sorry I can't spell maliscious or whatever it is), and thought "Ha ha take that nasty virusy thing."

Upon restarting my PC, F-Prot told me that not only were the usual .tmp files back again, but also a file called -

C:\WINDOWS\SYSTEM32\WINOFA32.DLL is a security risk named W32/Agent.AOK

"Argh" (some hair went there). I'd somehow become more riddled than I had at the start.

Any ideas please?

Pretty please?

#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,469 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:42 PM

Posted 26 May 2006 - 07:39 AM

I have read that others have complained that SpySweeper keeps reporting that it has found winlogonhook again after reporting it was deleted. Try running it in "SAFE MODE".
Before doing so make sure you close ALL browser windows and exit any other programs.
Open Task Manager (Ctrl+Alt+Delete) and in the Task Manager's Process list, locate explorer.exe. Right click on it and select End Process. Do not be alarmed! This will make your Desktop and icons disappear. It is only temporary. Run a full scan with Spy Sweeper and reboot.

Next, please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

If you're running Win XP/2000, download and scan with Ewido Anti-Malware v3.5
Ewido Install and Scan Instructions

Then perform these online Virus scans:
[Watch the Address bar in IE. You may receive alerts that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then Click Install ActiveX component.]
Trend Micro Housecall Scan
Panda ActiveScan [ActiveScan Panda does not remove adware/spyware but will autoclean for viruses & worms.]

Post back if you're still having problems.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the donation link.

#3 LuKeY

LuKeY
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:42 PM

Posted 26 May 2006 - 01:32 PM

Many thanks for the quick reply and advice Quietman7. I did everything as you asked, but nothing cured the problem. (Though a couple more of the pesky things were found and removed).

I ran HijackThis afterwards, and found this line -

O20 - Winlogon Notify: winofa32 - C:\WINDOWS\SYSTEM32\winofa32.dll

HijackThis removed it, and I renamed the .dll in Safe Mode. Upon restarting, my PC is remaining calm (and F-Prot is remaining quiet, which is the main thing).

It would seem that my troubles had something to do with that .dll file.

It's the first time as well that I've looked up a dll on the net and found no info about it. Possibly a new variant of an old nasty?

Anyway, thank you very much for all your help. If things return I will seek your advice immediately :D

PS - Before fixing the problem, whilst in Safe Mode I too had the same symptoms as the poor person in this thread - http://www.bleepingcomputer.com/forums/t/53682/ul-window-seek/

(Just thought I'd mention it in case it's a similar thing)

Edited by LuKeY, 26 May 2006 - 01:54 PM.
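The O20 line LuKeY found is a Winlogon Notify package: on Windows 2000/XP, each subkey under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify names a DLL that Winlogon loads at logon, which is why the DLL kept coming back regardless of what the scanners deleted from TEMP. The script below is an added example, not code from the thread or from any of the tools mentioned in it. It enumerates every Notify package, resolves the DLL it loads, and flags entries that are not in an assumed baseline of default XP SP2 packages, whose DLL is missing (the state after renaming winofa32.dll), or whose DLL lives outside System32. It assumes PowerShell 2.0 on an XP/2000 machine run from an elevated prompt; the baseline list is an assumption and should be confirmed against a known-clean install.

```powershell
# Added example (not from the thread): audit Winlogon Notify packages on XP/2000.
# Assumptions: elevated PowerShell 2.0 session; the registry path is the documented
# Notify location; $Baseline is an assumed list of default XP SP2 packages.

$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$System32  = Join-Path $env:SystemRoot 'System32'

# Assumed baseline of default XP SP2 Notify packages (verify on a clean machine).
$Baseline = @('crypt32chain', 'cryptnet', 'cscdll', 'ScCertProp', 'Schedule',
              'sclgntfy', 'SensLogn', 'termsrv', 'wlballoon')

function Get-WinlogonNotifyReport {
    # Emits one object per Notify subkey: the DLL it loads and why it stands out.
    if (-not (Test-Path -LiteralPath $NotifyKey)) {
        Write-Warning "Winlogon Notify key not present (expected only on XP/2000)."
        return
    }

    foreach ($sub in Get-ChildItem -LiteralPath $NotifyKey) {
        $props   = Get-ItemProperty -LiteralPath $sub.PSPath -ErrorAction SilentlyContinue
        $dllName = [string]$props.DLLName

        # Winlogon loads a bare file name from System32; a rooted path is used as-is.
        $resolved = if ($dllName -and -not [System.IO.Path]::IsPathRooted($dllName)) {
            Join-Path $System32 $dllName
        } else {
            $dllName
        }

        $exists = [bool]($resolved -and (Test-Path -LiteralPath $resolved -PathType Leaf))

        # Authenticode is supporting evidence only: on XP the Microsoft system DLLs
        # are catalog-signed, which Get-AuthenticodeSignature reports as NotSigned.
        $sigStatus = 'n/a'
        if ($exists) {
            $sigStatus = (Get-AuthenticodeSignature -FilePath $resolved).Status
        }

        $reasons = @()
        if ($Baseline -notcontains $sub.PSChildName) { $reasons += 'not in baseline' }
        if (-not $exists)                            { $reasons += 'DLL missing' }
        if ($exists -and ((Split-Path $resolved -Parent) -ne $System32)) {
            $reasons += 'outside System32'
        }

        New-Object PSObject -Property @{
            Package    = $sub.PSChildName
            DLLName    = $dllName
            Resolved   = $resolved
            Exists     = $exists
            Signature  = $sigStatus
            Suspicious = ($reasons.Count -gt 0)
            Reason     = ($reasons -join '; ')
        } | Select-Object Package, DLLName, Resolved, Exists, Signature, Suspicious, Reason
    }
}

Get-WinlogonNotifyReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it before and after cleanup: an entry such as winofa32 would show "not in baseline" while the DLL is present, and "DLL missing" once the file has been renamed or deleted but the registry subkey is still there, which is the leftover that HijackThis's O20 fix removes.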


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,469 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:42 PM

Posted 26 May 2006 - 07:19 PM

Actually I found the O20 - Winlogon Notify: entry for winofa32.dll in a HJT log at a Spanish forum. The thread was dated 4/30/06 so I suspected as much with your problem but wanted to try the other scans before moving on to Hijackthis.

You can delete the file you renamed. Good job.

#5 LuKeY

LuKeY
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:06:42 PM

Posted 26 May 2006 - 07:21 PM

Well thanks for the help :D

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,469 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:42 PM

Posted 26 May 2006 - 07:51 PM

You're welcome.