Help - winlogon has been hijacked by random BHO

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

caven

Thread Starter
Joined
Oct 5, 2008
Messages
2
Hi all,

I tried fixing it by looking through your forums but I guess the solutions don't apply anymore to my issue as the original threads were old.

Anyway, my problem is I have a dll that inserted itself as a BHO and I can't remove it. It added numerous sites to the "Trusted List" in IE, and from time to time in Firefox and IE it would create a popup of some advertisement for security or entertainment or whatever.

I've disabled the BHO numerous times, removed the sites from the trusted list and even quarantined the file using Symantec.

I've tried deleting the registry entries manually and using a batch file to automatically remove the file before and after boot.

I've also tried using HijackThis and Killbox to remove the registry entries and delete the dll.

I believe the dll is using the winlogon service somehow to constantly recreate the registry entries whenever they're deleted as well as lock the dll and prevent it from being deleted.

The dll is called urqrldwm.dll (I realize it's just a generic name.) It had replicated itself into about 10 other dlls and registry entries, but I was able to remove those. They at first were executing using rundll32.exe in the registry.

The registry entries are as follows:

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1702984E-7F76-458B-A33A-A7B32A0DCC72}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqRLDWm]

[-HKEY_CLASSES_ROOT\CLSID\{1702984E-7F76-458B-A33A-A7B32A0DCC72}]


If anyone can help me free my winlogon so that I can successfully remove these files I would appreciate it. If not I had planned on migrating to Vista anyway lol.

I'm using Windows XP Professional SP3 btw.

Also it appears that my "Display Properties" have been hijacked as well. I'm missing my "Screen Saver" and "Desktop" tabs, but I'm not really worried about those as much as getting rid of the popups. I've attached a screenshot of the display properties window.


Side note: It appears that this hijacker can only affect IE and Firefox as Google Chrome seems to be immune (it's what I'm using to type this out.)

Please let me know if there is any additional information you require.
 


caven

Thread Starter
Joined
Oct 5, 2008
Messages
2
I fixed it. Thank you to all the people who contribute to this forum. I was able to figure out a solution by referring to a more recent post from someone experiencing similar issues.


Thanks again.
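
An added example, not part of the thread and not code from any poster: a read-only PowerShell audit that lists every Winlogon notification package and Browser Helper Object with the DLL it loads and that DLL's Authenticode status, then reports any DLL registered in both places, the pairing described in the first post. It assumes PowerShell 2.0 or later; the BHO key path, the `DllName` value and the system32 fallback for bare file names are not from the thread.

```powershell
# Added audit example, not from the thread. Read-only; assumes PowerShell 2.0+.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$bhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$clsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID'

function Resolve-DllPath([string]$dll) {
    if (-not $dll) { return $null }
    $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
    # Assumption: a bare file name is resolved against system32.
    if (-not [IO.Path]::IsPathRooted($dll)) {
        $dll = Join-Path ([Environment]::SystemDirectory) $dll
    }
    return $dll
}

function New-Entry($type, $name, $dll) {
    $path = Resolve-DllPath $dll
    $sig = 'FileMissing'
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig = (Get-AuthenticodeSignature -FilePath $path).Status
    }
    New-Object PSObject -Property @{ Type = $type; Name = $name; Dll = $path; Signature = $sig }
}

$entries = @()
if (Test-Path -LiteralPath $notifyKey) {
    foreach ($k in Get-ChildItem -LiteralPath $notifyKey) {
        # Each notification package names its DLL in the DllName value.
        $entries += New-Entry 'WinlogonNotify' $k.PSChildName ($k.GetValue('DllName'))
    }
}
if (Test-Path -LiteralPath $bhoKey) {
    foreach ($k in Get-ChildItem -LiteralPath $bhoKey) {
        # A BHO subkey is named by CLSID; the DLL is the InprocServer32 default value.
        $inproc = Join-Path (Join-Path $clsidRoot $k.PSChildName) 'InprocServer32'
        $dll = $null
        if (Test-Path -LiteralPath $inproc) { $dll = (Get-Item -LiteralPath $inproc).GetValue('') }
        $entries += New-Entry 'BHO' $k.PSChildName $dll
    }
}

$entries | Sort-Object Dll, Type | Format-Table Type, Name, Dll, Signature -AutoSize

# Report any DLL registered as both a notification package and a BHO.
$entries | Where-Object { $_.Dll } | Group-Object { $_.Dll.ToLower() } |
    Where-Object { @($_.Group | Select-Object -ExpandProperty Type -Unique).Count -gt 1 } |
    ForEach-Object { "Registered as both Winlogon Notify and BHO: $($_.Name)" }
```

Entries whose signature status is not `Valid`, or whose DLL has a random-looking name like the one in the first post, are the ones to examine first.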
 