winlogonhook removal

Discussion in 'NOD32 version 2 Forum' started by Myrddin, Jul 29, 2006.

Thread Status:
Not open for further replies.
  1. Myrddin (Registered Member; joined Jul 29, 2006; 3 posts)
    Hi, I've got the "winlogonhook" trojan on my system, but have no way to remove it since NOD32 doesn't detect or remove it. Spy Sweeper (trial) detected it but can't remove it. It's randomly downloading files and popping up web pages, and I can't seem to do anything about it. I'm running trials of Spy Sweeper, ewido, and Ad-Aware SE, besides my subscription to NOD32, which isn't helping either.

    Is NOD32 going to come out with an update for this trojan soon, or do I have to run additional spyware detectors? I don't even know which one, since none of the above are helping anyway. Please help!

    ~ Myrddin
     
  2. WSFuser (Registered Member; joined Oct 7, 2004; 10,632 posts)
  3. Marcos (Eset Staff Account; joined Nov 22, 2002; 14,374 posts)
    Please drop an email to support @ eset.com with a link to this thread, we'll provide you with some diagnostic tools.
     
  4. Myrddin (Registered Member; joined Jul 29, 2006; 3 posts)
    Finally! I'm scanning all-clear now in all spyware scanners. I'll share the key to eradicating this pesky and somewhat dangerous trojan, winlogonhook. Maybe someone else will find it useful.

    I had initially downloaded and run "HijackThis", but after looking at the log it produced, I couldn't figure out which startup files looked suspicious.

    And after proceeding through the initial steps in the General Cleaning Instructions without any luck, I eventually came to Step 22 and tried http://housecall.trendmicro.com, and there it was! It detected a Trojan on my machine in a file called "winbjv32.dll", as well as an accomplice Registry entry.

    Unfortunately it couldn't remove the file because it was in use. But looking in my "Hijackthis" log, I noticed the same filename:

    O20 - Winlogon Notify: winbjv32 - winbjv32.dll

    So I used the HijackThis feature "delete a file on reboot" and told it to delete this file on startup.

    After startup, I ran a new HijackThis scan and the line had changed to:

    O20 - Winlogon Notify: winbjv32 - winbjv32.dll (file missing)

    I clicked the checkbox on that line and had HijackThis remove it. I then did a Spy Sweeper scan, and yes, it DID find the winlogonhook trojan, but this time when it removed the registry entry, there was no memory-resident program running to put it back. Now, after many subsequent scans and reboots, I'm starting to feel confident that this trojan is finally gone. (Whew!)

    Have I missed anything, do you think?

    And why is it that no spyware tool can simply detect and remove this thing? If Trend Micro/Housecall could identify the file, why can't Spy Sweeper (or NOD32 for that matter) locate it too and remove it on reboot?

    Anyway thank you all for the help.
     
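The procedure Myrddin describes above (read the O20 Winlogon Notify entries, queue the in-use DLL for deletion at the next boot, and only then delete the registry subkey) as a PowerShell script. This is an added example, not code from the thread, from HijackThis or from ESET. It assumes an elevated PowerShell session on a system where `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify` is honoured (XP/2003 era; later Windows ignores the key, but stale entries are still worth auditing), and it uses the thread's subkey name `winbjv32` only as the sample target. The "delete on reboot" step is `MoveFileEx` with `MOVEFILE_DELAY_UNTIL_REBOOT`, which records the file in `PendingFileRenameOperations` so Session Manager removes it early in boot, before Winlogon would load the DLL. On a machine with an active rootkit the listing itself may be incomplete, which is the reason for Cat-21's offline (BartPE) approach in the next post.

```powershell
# Added example (not from the thread or any tool named in it).
# Audits the Winlogon Notify key as HijackThis' O20 lines do, then offers the
# two remediation steps from the post: queue the loaded DLL for deletion at
# next boot, and delete the Notify subkey once the file is gone.
# Run from an elevated PowerShell (3.0+). Assumed paths/names are marked.

$NotifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'

function Get-WinlogonNotifyEntry {
    # One object per Notify subkey. FileExists -eq $false is the
    # "(file missing)" state HijackThis reports after the reboot.
    if (-not (Test-Path $NotifyKey)) { return }
    foreach ($key in Get-ChildItem $NotifyKey) {
        $dll  = (Get-ItemProperty -Path $key.PSPath).DLLName
        $path = $null
        if ($dll) {
            # Winlogon loads the value with LoadLibrary, so a bare file name
            # resolves from %SystemRoot%\system32.
            if ([IO.Path]::IsPathRooted($dll)) { $path = $dll }
            else { $path = Join-Path $env:SystemRoot "system32\$dll" }
        }
        $exists = [bool]($path -and (Test-Path -LiteralPath $path))
        $sha256 = $null
        if ($exists) {
            try {
                $bytes  = [IO.File]::ReadAllBytes($path)
                $hash   = [Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
                $sha256 = ([BitConverter]::ToString($hash)) -replace '-', ''
            } catch { $sha256 = "unreadable: $($_.Exception.Message)" }
        }
        [pscustomobject]@{
            Subkey     = $key.PSChildName
            DLLName    = $dll
            Path       = $path
            FileExists = $exists
            SHA256     = $sha256   # check against a scanner you trust before acting
        }
    }
}

# kernel32!MoveFileEx with a null destination and MOVEFILE_DELAY_UNTIL_REBOOT
# queues the file in PendingFileRenameOperations; smss.exe processes that list
# before Winlogon (and any Notify DLL) starts. This is what "delete a file on
# reboot" in HijackThis relies on.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@

function Remove-FileOnReboot {
    param([Parameter(Mandatory)][string]$Path)
    $MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
    if (-not [Win32.Native]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for ${Path}: Win32 error $err"
    }
}

function Remove-WinlogonNotifyEntry {
    # Delete the subkey only after the DLL is gone; while the DLL is still
    # loaded in winlogon.exe it can simply re-create the entry.
    param([Parameter(Mandatory)][string]$Subkey)
    Remove-Item -Path (Join-Path $NotifyKey $Subkey) -Recurse -Force
}

# Usage, mirroring the thread: audit, queue the file, reboot, re-audit to see
# FileExists = False, then remove the subkey. 'winbjv32' is the name from the
# post, used here as the sample target.
Get-WinlogonNotifyEntry | Format-Table Subkey, DLLName, FileExists, SHA256 -AutoSize
$entry = Get-WinlogonNotifyEntry | Where-Object { $_.Subkey -eq 'winbjv32' }
if ($entry -and $entry.FileExists) {
    Remove-FileOnReboot -Path $entry.Path
    Write-Host "Queued $($entry.Path) for deletion; reboot, then delete subkey '$($entry.Subkey)'."
} elseif ($entry) {
    Remove-WinlogonNotifyEntry -Subkey $entry.Subkey
}
```

The script deliberately does not auto-remove anything it merely finds unfamiliar: legitimate Notify DLLs (crypt32, scecli, sclgntfy and others on XP) live in the same key, so the hash is there for you to verify a suspect against a scanner before you queue it, exactly as Housecall's detection was the trigger in the post.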
  5. Cat-21 (Registered Member; joined Feb 7, 2005; 60 posts)
    A simple way to fix this is to create a BartPE CD with the NOD32 plugin, making NOD32 available to you in the Bart bootable environment. NOD32 is not seeing the virus you mention because it is a rootkit I have seen before. You could try BlackLight or RootkitRevealer, but I have found the Bart method easiest. Like I said earlier, since the Bart environment is not running in Windows, NOD will quickly destroy the rootkit, as it's no longer hidden from Windows and NOD. The virus you have is a Zlob-based rootkit dropper. They basically modified Zlob into a rootkit; it is very difficult to remove using traditional AV and spyware tools.
     
  6. Myrddin (Registered Member; joined Jul 29, 2006; 3 posts)
    Sounds fun! I'll have to give it a try.

    One question though: Where can I find a NOD32 plugin for BartPE? Or, can I just use the files from my registered version?

    Thanks!
     
    Last edited: Aug 2, 2006