

Winlogonhook Solution With Spysweeper



#1 Mirken

Posted 31 July 2006 - 12:09 AM

Mod edit: Before editing the registry, anyone, especially those not familiar with it, should make a backup, since mistakes or accidents could make your PC unbootable.

http://support.microsoft.com/kb/322756

Also, before carrying out these instructions, please see the comments posted below.--PK


I have just encountered the trojan winlogonhook found with Spysweeper. After reading and searching for hours and downloading countless programs to rid my two systems of the trojan, I accidentally discovered a much easier way to remove the stubborn SOB.

1. Run Spysweeper to find the trojan.

2. Click next - expand the trojan location folder which is a registry file.

3. Go to run - type "regedit"

4. Open HKEY_LOCAL_MACHINE

5. Find "Microsoft" and click on MSSGER (can't remember exactly, but you'll see it in the Spysweeper location) and delete the whole file.

6. In Spysweeper check the trojan for removal and voila, all done.

This way was tested on two systems and rebooted and scanned again with no trojan. Hope it helps people because this %#^@ me to tears.

Edited by Papakid, 02 August 2006 - 01:28 PM.



#2 Papakid

Malware Response Team

Posted 02 August 2006 - 03:18 PM

Hi Mirken,

Thanks for your input. We do, however, need to be very cautious when dealing with the registry. Please don't ask people to delete something without giving the exact details and spelling. Is it a key or a value?

From what I know of this trojan the correct spelling may be msmssrv.
http://research.sunbelt-software.com/threa...;threatid=44394

That is if this is the same version of what SpySweeper calls Winlogonhook.

Some with this infection have this file:

winmxw32.dll

There are related trojans that have a file win***32.dll, where *** are three random numbers.
http://www.bleepingcomputer.com/startups/i...&act=search

Another related trojan may have this in the reg key you mentioned.

MSSMGR

http://www.sophos.com/security/analyses/trojdloadrtw.html

I'm glad that this fix has worked for you and that you've got it cleared, and we really appreciate you wanting to share this with everyone. But most likely this won't work for everyone. This is a family of trojans that changes often to avoid being defined. Not only do the infection files change, but file names vary from machine to machine by using random file names, and the infectious programs can be configured remotely so that what it does is specific to each machine.

For people who have run SpySweeper to clean up the other files and reg entries, your method may work. But this is a very sophisticated infection. The reason it is called Winlogonhook is because it usually affects a registry key that loads the trojan as part of Windows Explorer, the shell of Windows itself that starts when you log on to Windows--before even those startups you see in the system tray, which are controlled by msconfig.

That reg key that does that is not the one you mentioned. The notify key and the file it is running must be treated carefully, else you may be unable to logon. The file resists deletion because it is "in use" and to unload it in the normal way you have to kill the Windows Explorer process, which will make your desktop disappear.

For this and other reasons I suggest anyone with this infection--and BTW, it is called many other different things by different security software vendors--submit a HijackThis log for help with correct removal.

Preparation Guide For Use Before Posting A Hijackthis Log

One important reason for doing it this way is because this is a downloader/agent trojan. Which means that it is in contact with a website where it downloads all sorts of nasties to the infected computer. You might even consider doing this yourself. SpySweeper is a very effective program and may have cleaned it all up, but no one program can keep up with everything and you may still have some things to get rid of.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson
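The Winlogon Notify key Papakid describes is easy to inspect safely before anyone starts deleting things, and the mod edit asks for a registry backup first. The script below is an added example for this thread, not code from either poster or from any vendor: it exports the Notify key to a .reg file, then lists every Notify subkey with the DLL it loads, flagging names that are not on a built-in list of stock XP/2003 entries or that match the win***32.dll pattern mentioned above. The allow-list, the backup folder and the regex are assumptions you should adjust for your build; the script deletes nothing, since removing the wrong Notify entry can stop you from logging on.

```powershell
# Added example (not from the thread). Read-only inspection of the Winlogon
# Notify key, plus a .reg backup as the mod edit advises. Run from an
# elevated PowerShell prompt on the affected machine. Nothing is deleted.

$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$BackupDir = Join-Path $env:USERPROFILE 'Desktop\winlogon-backup'   # assumption

# Assumption: Notify subkeys a stock XP/2003 install registers. Anything not on
# this list deserves a second look; extend it for your own build.
$KnownNotify = @('crypt32chain', 'cryptnet', 'cscdll', 'ScCertProp', 'Schedule',
                 'sclgntfy', 'SensLogn', 'termsrv', 'wlballoon', 'WgaLogon')

# File-name pattern from the thread: "win" + three characters + "32.dll"
$SuspectName = '^win[a-z0-9]{3}32\.dll$'

function Backup-RegistryKey {
    param([Parameter(Mandatory)][string]$KeyPath)
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    $nativePath = $KeyPath -replace '^HKLM:\\', 'HKLM\'      # reg.exe syntax
    $file = Join-Path $BackupDir ("notify-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    & reg.exe export $nativePath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export of $nativePath failed" }
    return $file
}

function Get-NotifyEntries {
    Get-ChildItem -Path $NotifyKey | ForEach-Object {
        $dll = [string](Get-ItemProperty -Path $_.PSPath).DLLName
        $resolved = $null
        if ($dll) {
            # DLLName is usually a bare file name that winlogon loads from System32
            $resolved = $dll
            if (-not [IO.Path]::IsPathRooted($dll)) {
                $resolved = Join-Path $env:SystemRoot "System32\$dll"
            }
        }
        # Signature status is informational only: catalog-signed Windows files
        # can report NotSigned on older PowerShell, so it is not used as proof.
        $sig = 'FileMissing'
        if ($resolved -and (Test-Path -Path $resolved)) {
            $sig = (Get-AuthenticodeSignature -FilePath $resolved).Status
        }
        [pscustomobject]@{
            SubKey     = $_.PSChildName
            DLLName    = $dll
            Path       = $resolved
            Signature  = $sig
            Suspicious = ($KnownNotify -notcontains $_.PSChildName) -or ($dll -match $SuspectName)
        }
    }
}

if (-not (Test-Path -Path $NotifyKey)) {
    Write-Warning "$NotifyKey not present; Winlogon Notify only exists on XP/2003-era Windows."
    return
}

$backup = Backup-RegistryKey -KeyPath $NotifyKey
Write-Host "Backup written to $backup (double-click it to restore if logon breaks)"

$entries = Get-NotifyEntries
$entries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
$entries | Where-Object Suspicious | ForEach-Object {
    Write-Host "Review: $($_.SubKey) -> $($_.DLLName) (not on the known list, or matches win???32.dll)"
}
```

Use the flagged rows as a starting point for a HijackThis log or a malware-response thread rather than deleting them outright; as the post above explains, the DLL named there is loaded by Winlogon and held in use, so the file itself will not go away until the key is handled correctly.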




