Hey all, I have a problem that Norton Anti-Virus has identified as a generic Trojan that has compromised a file on my system. The file, windmh32.dll, is located in the WINDOWS\system32\ directory and is, as of today, uncleanable, unquarantineable and undeletable.
Upon discovering this, through a full system scan in safe mode, I did a manual search for the filename which returned this:
Having no recourse, I backed up my registry and deleted the entry in the hopes that it would orphan the file itself. Unfortunately, this hasn't been the case and realtime scans of my system have reported nothing has changed.
I've run through the list of programs to run and scans to perform prior to submitting a Hijack-This logfile (and have also submitted one for unrelated reasons), but I'd like to get some input on what else there is to be done. Reformatting is a possibility, albeit an unattractive one. However, if there are any other options to be explored that I haven't already, I'd love to hear them.
Thanks for your time, all.
-Edit- Tarun reminded me of this, as well: If anyone knows what that particular DLL does and if it is a legitimate file, I'd like to know that as well. If it's a system file, I'd like to avoid deleting it entirely. If not, great. I'll try what he proposed.
Well, I followed the advice and in the midst of typing a thankful response, my computer rebooted for no apparent reason. Upon rebooting, I received this warning message, "winlogon.exe encountered a problem and needed to close. [date & time] Please tell Microsoft... etc".
I've just replied to your HijackThis log. The file windmh32.dll is a Trojan.Agent variant and is hooked to Winlogon, but it can be removed without problems, which we can address on your HijackThis topic if it still remains. The problem is that it's not showing in your HijackThis log, which probably means you have Trojan Vundo on your system, as that installs a rootkit service (DP1112) to hide O2 BHO and O20 Winlogon entries from HijackThis.
I will add another reply to your HijackThis thread to deal with Vundo if it's present. Then we can see what else is hooking to Winlogon or if there are any malicious BHOs present and remove them.
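As an added illustration of the O2/O20 hooks discussed above (this is not code from the thread or from any of its posters), the script below reads the Winlogon Notify and Browser Helper Object registrations directly from the registry and flags any DLL that is missing or not validly signed. The registry paths are the standard Windows locations for these hooks and are assumed here rather than taken from the thread; run it from an elevated PowerShell prompt.

```powershell
# Added example: enumerate Winlogon Notify DLLs (HijackThis O20) and Browser Helper
# Object DLLs (HijackThis O2) from the registry and check each file's signature.
# Registry paths are the standard Windows locations, assumed rather than quoted
# from the thread.

$system32 = Join-Path $env:SystemRoot 'System32'

function Resolve-DllPath([string]$Name) {
    # Notify entries are often bare file names, which Windows resolves against System32.
    $expanded = [Environment]::ExpandEnvironmentVariables($Name)
    if ([IO.Path]::IsPathRooted($expanded)) { return $expanded }
    return Join-Path $system32 $expanded
}

function Test-HookDll([string]$Source, [string]$Key, [string]$Dll) {
    $path = Resolve-DllPath $Dll
    $status = if (-not (Test-Path -LiteralPath $path)) {
        'MISSING'
    } else {
        # Valid, NotSigned, HashMismatch, ... (catalog-signed OS files may show NotSigned
        # on older Windows, so treat NotSigned as "look closer", not as proof of malware)
        (Get-AuthenticodeSignature -LiteralPath $path).Status
    }
    [pscustomobject]@{ Source = $Source; Key = $Key; Dll = $path; Signature = $status }
}

$results = @()

# O20: each subkey under Winlogon\Notify names a DLL in its DLLName value.
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
if (Test-Path $notify) {
    foreach ($sub in Get-ChildItem $notify) {
        $dll = (Get-ItemProperty -LiteralPath $sub.PSPath).DLLName
        if ($dll) { $results += Test-HookDll 'Winlogon Notify' $sub.PSChildName $dll }
    }
}

# O2: each BHO is a CLSID subkey; the DLL is that CLSID's InprocServer32 default value.
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
if (Test-Path $bho) {
    foreach ($sub in Get-ChildItem $bho) {
        $clsid  = $sub.PSChildName
        $inproc = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        if (Test-Path $inproc) {
            $dll = (Get-ItemProperty -LiteralPath $inproc).'(default)'
            if ($dll) { $results += Test-HookDll 'BHO' $clsid $dll }
        }
    }
}

# Entries that are MISSING or not Valid deserve a closer look; compare this list with
# the HijackThis log, since a rootkit hiding entries from one tool may miss another.
$results | Sort-Object Signature | Format-Table -AutoSize
```

Because the registry is read with the built-in provider rather than through HijackThis, a discrepancy between this output and the HijackThis log is itself a useful indicator that something is filtering what one of the tools sees.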