winlogon.exe infected with Trojan.Keylogger.iOpus.A..HELP!!


hearthacker

Journeyman
hi!

I recently installed BitDefender Antivirus and came to know that winlogon.exe is infected with a keylogger named iOpus Keylogger. Now when I try to disinfect the file it fails because winlogon is in use by Windows. Please suggest a removal/disinfection method.

here is a HijackThis! log:

Logfile of HijackThis v1.99.1
Scan saved at 12:20:51 AM, on 2/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
E:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
E:\WINDOWS\system32\nvsvc32.exe
E:\WINDOWS\system32\svchost.exe
E:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
E:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
E:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
E:\Program Files\Softwin\BitDefender9\vsserv.exe
E:\WINDOWS\system32\wscntfy.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\RunDLL32.exe
E:\Program Files\PowerISO\SCDEmuApp.exe
E:\PROGRA~1\SOFTWIN\BITDEF~2\bdmcon.exe
E:\Program Files\Softwin\BitDefender9\bdoesrv.exe
E:\PROGRA~1\SOFTWIN\BITDEF~2\bdnagent.exe
E:\PROGRA~1\SOFTWIN\BITDEF~2\bdswitch.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\InterVideo\WinDVR\WinDvr.exe
E:\Program Files\InterVideo\WinDVR\WinScheduler.exe
E:\WINDOWS\system32\qttask.exe
E:\Program Files\Adobe\Premiere 6.5\premiere.exe
E:\Program Files\Gol AVI VCD DVD Converter\dvdconverter.exe
E:\Program Files\Internet Explorer\iexplore.exe
F:\Softwares\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SCDEmuApp.exe] E:\Program Files\PowerISO\SCDEmuApp.exe
O4 - HKLM\..\Run: [BDMCon] E:\PROGRA~1\SOFTWIN\BITDEF~2\bdmcon.exe
O4 - HKLM\..\Run: [BDOESRV] "E:\Program Files\Softwin\BitDefender9\bdoesrv.exe"
O4 - HKLM\..\Run: [BDNewsAgent] "E:\PROGRA~1\SOFTWIN\BITDEF~2\bdnagent.exe"
O4 - HKLM\..\Run: [BDSwitchAgent] "E:\PROGRA~1\SOFTWIN\BITDEF~2\bdswitch.exe"
O4 - HKLM\..\Run: [QuickTime Task] "E:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ares] "E:\Program Files\Ares\Ares.exe" -h
O4 - Startup: Adobe Gamma.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Download with &DAP - E:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///E:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - E:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///E:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///E:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///E:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - E:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - E:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - *www2.snapfish.com/SnapfishActivia.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BB45A5CF-0627-4B8C-97A3-F7796F7E4560}: NameServer = 203.197.12.42,202.54.15.30
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Autodesk - E:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - E:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - E:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - E:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - E:\Program Files\Softwin\BitDefender9\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - E:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)

Thank you
hearthacker
 

anandk

Distinguished Member
Log file appears clean.
As suggested by ^genius's :D above, scan in SAFE MODE with your BitDefender ;-)
Also clean up your PC junk with something like 'CCleaner' after that.
 

47shailesh

Security Exp
Kill the following processes
iopus_starr_pro_setup.exe, iopus_starr_pro_setup_de.exe, starrcmd.exe, wsys.exe, ssys.exe, starrcmd.exe, wsys.exe


Unregister the following DLLs and reboot
see32.dll, see32u.dll, see32z.dll, wsys.dll in Program Files\starr\
see32.dll, see32u.dll, see32z.dll, wsys.dll in Windows\system\


Delete these registry entries
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\windll
HKEY_LOCAL_MACHINE\software\paco32


Remove the following files
getem.bat, iopus-starr-pro.reg, iopus_starr_pro_setup.exe, iopus_starr_pro_setup_de.exe, license.txt, readme.txt, slog.sysz, ssys.exe, starr.wse, uninstall_starr.txt, what's new.lnk, whatsnew.txt.
license.lnk, starr commander.lnk, starr manual.lnk, uninstall starr.lnk in Program Files\Common Files\starr\
see32.dll, see32u.dll, see32z.dll, starr-manual.chm, starrcmd.exe, wsys.dll, wsys.exe in Program Files\starr\
see32.dll, see32u.dll, see32z.dll, slog.sys, starrcmd.exe, wsys.dll, wsys.exe in Windows\system\


Remove the following directories
Documents and Settings\UserName\start menu\programs\starr\uninstall starr.lnk
Program Files\starr

source


USE Process Explorer for Windows v10.21 for killing processes

USE registerTS 1.0 to unregister DLL
 

hearthacker

Journeyman
Thank you guys. I didn't seem to find the files specified by 47shailesh, but I'm gonna restart my system and clean the file using B.Defender.

Thank you :)
 

hearthacker

Journeyman
I tried running BitDefender in safe mode, but when I click on the BitDefender icon in the start menu, nothing happens. I see BDMCON.exe as a process in Task Manager but I am unable to run the program. I even tried right-clicking on the partition and selecting BitDefender Antivirus, but still nothing happened. Please help.

Thanks
 

uchiha.sasuke

Journeyman
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Shell"="Explorer.exe"

Check this key out. Does this key have the same value in your registry too?
I'm not sure this will really work for you, but there's no harm in checking.
 

emailaatif786

Always Questioning?
hearthacker said:
I tried running BitDefender in safe mode, but when I click on the BitDefender icon in the start menu, nothing happens. I see BDMCON.exe as a process in Task Manager but I am unable to run the program. I even tried right-clicking on the partition and selecting BitDefender Antivirus, but still nothing happened. Please help.

Thanks
First boot into safe mode by pressing F8.
Log in as an Administrator.
Go to C:\Windows\System32\
Rename winlogon.exe to AAAAA_winlogon.exe
Restart your computer in normal mode (Windows will not find winlogon.exe and will AUTO-CREATE it).
Go to C:\Windows\System32\ and delete AAAAA_winlogon.exe
Restart your computer.
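A read-only triage script, added here as an example and not posted by anyone in this thread, that checks the indicators the replies above name before anything is renamed or deleted: the Winlogon Shell value from uchiha.sasuke's post, the Run\windll value, paco32 key and starr files from 47shailesh's post, and the integrity of winlogon.exe itself (Authenticode status plus a SHA-256 comparison against the Windows File Protection copy in system32\dllcache). File locations are assumed from 47shailesh's list; the dllcache folder is assumed present, as it is on XP.

```powershell
# Added example, not from this thread: read-only triage for the indicators
# the posters named. Run from an elevated PowerShell; nothing is modified.
$findings = @()

# 1. Winlogon\Shell should be the stock value (the key uchiha.sasuke asked about).
$wlKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $wlKey).Shell
if ($shell -ne 'Explorer.exe') { $findings += "Winlogon\Shell = '$shell' (expected 'Explorer.exe')" }

# 2. Registry entries from 47shailesh's list.
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$windll = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).windll
if ($windll) { $findings += "Run\windll = '$windll'" }
if (Test-Path 'HKLM:\SOFTWARE\paco32') { $findings += 'HKLM\SOFTWARE\paco32 key exists' }

# 3. Files and directories from the same list (locations assumed as given there).
$paths = @(
    "$env:ProgramFiles\starr",
    "$env:ProgramFiles\Common Files\starr"
) + ('see32.dll', 'see32u.dll', 'see32z.dll', 'wsys.dll', 'wsys.exe', 'starrcmd.exe', 'slog.sys' |
     ForEach-Object { "$env:SystemRoot\system\$_" })
foreach ($p in $paths) { if (Test-Path $p) { $findings += "Present: $p" } }

# 4. Integrity of winlogon.exe: Authenticode status, and SHA-256 against the
# Windows File Protection copy in system32\dllcache (present on XP, not on newer Windows).
# XP-era OS binaries are catalog-signed, so 'NotSigned' alone is not proof of tampering;
# a hash mismatch with the dllcache copy is the stronger signal on that platform.
function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($sha.ComputeHash($fs))) -replace '-', '' }
    finally { $fs.Close() }
}
$wlExe = "$env:SystemRoot\system32\winlogon.exe"
$sig = Get-AuthenticodeSignature -FilePath $wlExe
$findings += "winlogon.exe signature status: $($sig.Status)"
$cache = "$env:SystemRoot\system32\dllcache\winlogon.exe"
if (Test-Path $cache) {
    if ((Get-Sha256Hex $wlExe) -ne (Get-Sha256Hex $cache)) {
        $findings += 'winlogon.exe SHA-256 differs from the dllcache copy'
    } else { $findings += 'winlogon.exe matches the dllcache copy' }
}

if ($findings.Count -eq 0) { 'No listed indicators found.' } else { $findings }
```

A hash mismatch with dllcache, or any of the starr/windll/paco32 indicators being present, is what the disinfection steps in this thread are meant to address; a clean result points back to anandk's reading that the log is clean.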
 