
Help - winlogon has been hijacked by random BHO

Discussion in 'Virus & Other Malware Removal' started by caven, Oct 5, 2008.

Thread Status:
Not open for further replies.
  1. caven

    caven Thread Starter

    Joined:
    Oct 5, 2008
    Messages:
    2
    Hi all,

    I tried fixing it by looking through your forums but I guess the solutions don't apply anymore to my issue as the original threads were old.

    Anyway my problem is I have a dll that inserted itself as a BHO and I can't remove it. It added numerous sites to the "Trusted List" in IE and from time to time in Firefox and IE it would create a popup of some advertisement for security or entertainment or whatever.

    I've disabled the BHO numerous times, removed the sites from the trusted list and even quarantined the file using Symantec.

    I've tried deleting the registry entries manually and using a batch file to automatically remove the file before and after boot.

    I've also tried using HijackThis and Killbox to remove the registry entries and delete the dll.

    I believe the dll is using the winlogon service somehow to constantly recreate the registry entries whenever they're deleted as well as lock the dll and prevent it from being deleted.

    The dll is called urqrldwm.dll (I realize it's just a generic name.) It had replicated itself into about 10 other dlls and registry entries, but I was able to remove those. They at first were executing using rundll32.exe in the registry.

    The registry entries are as follows:

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1702984E-7F76-458B-A33A-A7B32A0DCC72}]

    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqRLDWm]

    [-HKEY_CLASSES_ROOT\CLSID\{1702984E-7F76-458B-A33A-A7B32A0DCC72}]


    If anyone can help me free my winlogon so that I can successfully remove these files I would appreciate it. If not I had planned on migrating to Vista anyway lol.

    I'm using Windows XP Professional SP3 btw.

    Also it appears that my "Display Properties" have been hijacked as well. I'm missing my "Screen Saver" and "Desktop" tabs, but I'm not really worried about those as much as getting rid of the popups. I've attached a screenshot of the display properties window.


    Side note: It appears that this hijacker can only affect IE and Firefox as Google Chrome seems to be immune (it's what I'm using to type this out.)

    Please let me know if there is any additional information you require.
     


  2. caven

    caven Thread Starter

    Joined:
    Oct 5, 2008
    Messages:
    2
    I fixed it. Thank you to all the people who contribute to this forum. I was able to figure out a solution by referring to a more recent post from someone experiencing similar issues.


    Thanks again.
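
The pattern described in the first post, one DLL registered both as a Winlogon Notify package and as a BHO, can be checked offline against an exported copy of the registry. The script below is an added example, not part of the thread: it parses .reg export text and reports every DLL that appears under both locations. Only the Notify key name and the CLSID come from the post; the `DllName` value, the Browser Helper Objects key and the DLL paths in the sample are assumptions based on standard Windows locations.

```python
import re

HKLM = "hkey_local_machine\\software\\"
NOTIFY = HKLM + "microsoft\\windows nt\\currentversion\\winlogon\\notify\\"
BHO = HKLM + "microsoft\\windows\\currentversion\\explorer\\browser helper objects\\"
CLSID = HKLM + "classes\\clsid\\"
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")="((?:[^"\\]|\\.)*)"$')  # string values only

def parse_reg(text):
    """Map lowercased key path -> {lowercased value name: string data}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE.match(line)):
            name = "" if m.group(1) == "@" else m.group(1)[1:-1].lower()
            current[name] = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
    return keys

def dll_stem(path):
    """'C:\\WINDOWS\\system32\\Foo.DLL' and 'foo' both normalise to 'foo'."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".dll") else name

def notify_bho_overlap(reg_text):
    """Return (clsid, dll, notify_package) for each DLL registered both ways."""
    keys = parse_reg(reg_text)
    notify = {dll_stem(v["dllname"]): k[len(NOTIFY):]
              for k, v in keys.items() if k.startswith(NOTIFY) and "dllname" in v}
    hits = []
    for k in keys:
        if k.startswith(BHO):
            server = keys.get(CLSID + k[len(BHO):] + "\\inprocserver32", {}).get("")
            if server and dll_stem(server) in notify:
                hits.append((k[len(BHO):], dll_stem(server), notify[dll_stem(server)]))
    return sorted(hits)

# Constructed export: key names and CLSID from the post, DLL paths assumed.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqRLDWm]
"DllName"="urqRLDWm"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1702984E-7F76-458B-A33A-A7B32A0DCC72}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1702984E-7F76-458B-A33A-A7B32A0DCC72}\InprocServer32]
@="C:\\WINDOWS\\system32\\urqrldwm.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-0000000000AA}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-0000000000AA}\InprocServer32]
@="C:\\Program Files\\Example\\helper.dll"'''
```

Calling `notify_bho_overlap(SAMPLE)` reports only the `urqrldwm` pair; the stock `crypt32chain` package and the unrelated BHO are not flagged. A real export in the 5.00 format is UTF-16, so read the file with `encoding="utf-16"` before passing its text in.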
     

Short URL to this thread: https://techguy.org/756210
