Virus/Trajan problem

[Hilamonsta]

Hey all, I have a problem that Norton Anti-Virus has identified as a generic Trojan that has compromised a file on my system. The file, windmh32.dll, is located in WINDOWS\system32\ directory and is, as of today, uncleanable, quarantineable or deleteable.

 

Upon discovering this, through a full system scan in safe mode, I did a manual search for the filename which returned this:

FOUND: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\windmh32\DllName type:reg_sz value:windmh32.dll

 

Having no recourse, I backed up my registry and deleted the entry in the hopes that it would orphan the file itself. Unfortunately, this hasn't been the case and realtime scans of my system have reported nothing has changed.

 

I've run through the list of programs to run and scans to perform prior to submitting a Hijack-This logfile (and have also submitted one for unrelated reasons) but I'd like to get some input on what else there is to be done. Reformatting is a possibility, albeit an unattractive one. However, if there are any other options to be explored that I haven't already I'd love to hear them.

 

Thanks for your time, all.

 

-Edit- Tarun reminded me of this, as well: If anyone knows what thar particular DLL does and if it is a legitimate file, I'd like to know that as well. If it's a system file, I'd like to avoid deleting it entirely. If not, great. I'll try what he proposed.

[Tarun]

Go to Start > Run > sfc.exe /purgecache

Next, you may need Unlocker to help you delete the infected file.

After you delete the file, run sfc.exe /purgecache once more.

[Hilamonsta]

Go to Start > Run > sfc.exe /purgecache

Next, you may need Unlocker to help you delete the infected file.

After you delete the file, run sfc.exe /purgecache once more.

 

 

Do you know if the file is part of my OS? I'd hate to go deleting it outright if so

[Tarun]

It is not a part of the Windows OS. Not even Google can find any results on the file.

 

Additionally, I searched for the file name on my computer and the Microsoft DLL Help database with no results.

[hazelnut]

I would follow Taruns advice on this Hilamonsta, he knows about things like this. Here is a post about a similar name thing to yours perhaps

 

http://forum.avast.com/index.php?PHPSESSID...20856.msg174813

[Hilamonsta]

I would follow Taruns advice on this Hilamonsta, he knows about things like this. Here is a post about a similar name thing to yours perhaps

 

http://forum.avast.com/index.php?PHPSESSID...20856.msg174813

 

 

 

Well, I followed the advice and in the midst of typing a thankful response, my computer rebooted for no apparent reason. Upon rebooting, I received this warning message, "winlogon.exe encountered a problem and needed to close. [date & time] Please tell Microsoft... etc".

 

According to the error-report link (http://oca.microsoft.com/en/response.aspx?SGD=808ea20c-780c-4b55-a1ef-4ceb4ddaf382&SID=1888), this business was caused by "Winlogon Trojan/Worm".

 

So it appears as if everything is ok now. Thanks very much and I'll update the thread if anything happens in the next 48 hours or so.

[Tarun]

You may want to download and scan with Avast. Get rid of Norton; it causes more problems than it's worth.

 

Should you need any help, please post a reply in this thread.

[AndyManchesta]

Hi Hilamonsta

 

Ive just replied to your HijackThis log, the file windmh32.dll is a Trojan.Agent variant and is hooked to Winlogon but can be removed without problems which we can address on your HijackThis topic if it still remains, the problem is it's not showing in your HijackThis log which probably means you have Trojan Vundo on your system as that installs a rootkit service (DP1112) to hide 02 BHO and 020 Winlogon entries from HijackThis.

 

I will add another reply to your HijackThis thread to deal with Vundo if its present then we can see what else is hooking to Winlogon or if there is any malicious BHO's present and remove them

 

Andy