Thanks for your input. We do, however need to be very cautious when dealing with the registry. Please don't ask people to delete something without giving the exact details and spelling. Is it a key or a value?
From what I know of this trojan the correct spelling may be msmssrv
That is if this is the same version of what SpySweeper calls Winlogonhook.
Some with this infection have this file:
There are related trojans that have a file win***32.dll
, where *** are three random numbers.http://www.bleepingcomputer.com/startups/i...&act=search
Another related trojan may have this in the reg key you mentioned.
I'm glad that this fix has worked for you and that you've got it cleared and we really appreciate you wanting to share this with everyone. But most likely this won't work for everyone. This is a family of trojans that changes often to avoid being defined. Not only do the infection files change, but file names vary from machine to machine by using randoom file names and the infectious programs can be configured remotely so that what it does is specific to each machine.
For people who have run SpySweeper to clean up the other files and reg entries, your method may work. But this is a very sophisticated infection. The reason it is called Winogon
hook is because it usually affects a registry key that loads the trojan as part of Windows Explorer, the shell of Windows itself that starts when you log on to Windows--before even those startups you see in the system tray that is controlled by msconfig.
That reg key that does that is not the one you mentioned. The notify key and the file it is running must be treated carefully, else you may be unable to logon. The file resists deletion because it is "in use" and to unload it in the normal way you have to kill the Windows Explorer process, which will make your desktop disappear.
For this and other reasons I suggest anyone with this infection--and BTW, it is called many other different things by different security software vendors--submit a HijackThis log for help with correct removal.Preparation Guide For Use Before Posting A Hijackthis Log
One important reason for doing it this way is because this is a downloader/agent trojan. Which means that it is in contact with a website where it downloads all sorts of nasties to the infected computer. You might even consider doing this yourself. SpySweeper is a very effective program and may have cleaned it all up, but no one program can keep up with everything and you may still have some things to get rid of.