I have my Winlogon and Svchost infected with this 1320.
Avast doesn’t always “feel” them when I do system scan from windows, but he always find them if I do scan at start, before windows is loaded.
After a few times I tried to remove those viruses (appareantly successfull, but they were back the time after) I found even another file infected with a 119.
How can I remove these files? Any suggestions? I have Win XP SP2 and all security patches installed from Windows Update.
If you find a virus keeps coming back after you delete it, it’s most probably infected the System Restore folder, the best way to solve this is to disable System Restore, reboot your machine and then enable it again. After all, run a full avast! scanning.
Disable (and enable it after) System Restore
Start > Control Panel > System > System restore > Disable
Click Apply
Enable it again
Click Ok
Maybe cleaning your temporary files (Internet cache, Recycle bin, etc.) helps too…
This is really making my life hard…
I tried using even the following programs (some of them I saw suggested in threads here)
Ewido
Spybot Search & Destroy
HijackThis
And another one which I Can’t remember the name.
I’m in my office now and not at home (I’ve been up to 4:00 AM tonight to make scans lol) but I think I succeded in deleting the 119 (haven’t been found anymore) and maybe the 1320 one that was affecting SVCHOST.
The one in Winlogon is still active and I think it’s related to a file called “dvd4free.dll”, situated in c:/windows/system32.
This file is found by Hijack This and even by another program that searches for Rootkits.
They all say that this dll is hidden to windows API, indeed I cannot see it with windows.
Hijack this tries to repair it (delete it) but without success.
The Hijack This log says something about “winlogon” related to this file, so I’m thinking that this DLL is the infected file that re-infects winlogon each time I boot my system.
Anybody has suggestions on how I can do it to delete this .dll? Assuming that my hypothesis is right and that this one is the source of the Winlogon infection.
I will try your system anyway, and thanks 
It seems that these viruses damaged a few components of my PC:
Windows Installer is damaged: I can install other software, but it’s giving me error on Microsoft Software (can’t install .Net thingies or other things). Maybe I should uninstall Windows Installer and go to Windows Update, hoping it will download Windows Installer once again for me? I wonder if I will mess up already installed applications, by uninstalling Windows Update
Internet Explorer is damaged: this doesn’t effects other browsers, but when I use IE some websites are not accessible. The browser seems to be loading the page, but then stops and a white page remain on screen. This is very random and strange. For example I can access Avast website, but not Avast forums. Or in other websites I can access forums but I cannot see most avatars and signatures. Very odd, but I’m sure it’s related to some components damaged while deleting viruses. It was working perfectly until 2 days ago.
P.S.
Avast is finding a Worm virus in a .PST file I have on my PC. That’s only an archive of emails I received during 2003, it’s not currently loaded on Outlook. It says that in “Deleted Mail” I have an email with a dangerous attachment, containing a Worm, still Avast says he cannot delete it. I think I’m not running any danger anyway, sicne I won’t be opening that .PST and certainly I won’t be accessing to “Deleted Mail” folder?
This file is found by Hijack This and even by another program that searches for Rootkits.
Have you tried BlackLight anti-rootkit program?
http://www.f-secure.com/blacklight/
Another anti-rootkit program is UnHackMe:
Will try them out, thanks for your suggestions
I tried the following things:
RootkitRevealer
Ewido
Windows Defender
Avast! Antivirus
Avast! Worm Cleaner
Unhack me
Bit Defender
CCleaner
Spybot Seek & Destroy
HijackThis
BlackLight
And I still have to try SmitRem
Spybot and CCleaner are the ones who helped me delete the infection from SVCHOST.exe (when I created this thread I had the same Trojano-1320 infection on Winlogon.exe and SVCHOST.exe)
Ewido helped me with something else.
HijackThis and Rootkit Revealer were finding something concerning a dvd4free.dll file, related to winlogon.exe, hidden to windows api inside System.
Only Black Light has been able to remove that and another related .sys file.
Now I solved a few problems I had before (like not being able to install MS software/updates, and a few malfunctions of Internet Explorer, which was remaining Blank Page when trying to access some websites)
But I still have a problem!!! Avast! Antivirus still detects Win32:Trojano-1320 [Trj] infection in Winlogon.exe and, now, Regserv.dll
He appearently deletes those files, but they come back.
Tried with scan while booting, scan in Windows Safe mode… nothing.
The other software do not even detect anything.
What can I do? What kind of worm/virus/trojan is this 1320? What does it do? What can I do to remove it?
Could it be an error of Avast! in detecting it in those 2 files?
Akumasama, did you try what I’ve suggested before? (disable system restore, clean temporary files)?
I don’t think so…
With another antivirus I got the following names
Win32/Spy.Goldun.GU trojan.
Win32/Rootkit.Agent.AT trojan
Maybe these are the real names of what Avast! identifies as “trojano-1320”?
Maybe now I can look for specific tools for these 2 problems?
Hi Akumasama,
Removal instructions for Goldun:
Windows NT/2000/XP/2003In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type ‘Regedit’ and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the ‘Registry’ menu, click ‘Export Registry File’. In the ‘Export range’ panel, click ‘All’, then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Shell
wmedia16.exeand delete it if it exists.
Close the registry editor.
http://www.sophos.com/virusinfo/analyses/trojgolduna.html
Rootkit.Agent.AT is Nod32’s name for the malware and doesn’t give information about the nature of the rootkit, but digging around, I found a description of what I think may be the problem:
If this rootkit does use msdirectx.sys, the solution is here:
http://forum.avast.com/index.php?topic=14618.msg142666#msg142666
I also found that
winlogon.exe
regserv.exe
were infected with, if I recall the name, trojan.small.g
Anyway I should be allright now, I’m doing a scan with Avast! and didn’t give me the usual memory error. After the scan is done, if all is allright, I will reboot and do another scan, after that I will consider myself safe.
Thanks a lot for your informations
What happened to me sounds so strange though… in a few days a SINGLE infection which I took from a file which was coming from a supposedly-safe friend, totally infected my PC with plenty of Trojans, Backdoors and Rootkits, up to the point that it became really hard to get rid of all of them.
All of this in no more than 2-3 days.
Woah! :o
Thanks again for your support anyway, I REALLY hope I’ve been able to do it, this time
HI
Can some one tell me ever so simply the steps to clean my computer of the win32;trojano-1320 worm. It is in my regserv.dll and winlogon.dll. Avast picks them up but they come back.
Also I downloaded spyware doctor and i cant uninstall it.
Thanks
John
Hi John B,
Have you tried a boot time scan with avast!?
You need to right click anywhere on the avast! scanner screen and select ‘Schedule a boot time scan.’
(This doesn’t work in Win 98: if you have this OS, boot into safe mode before scanning- hit F8 while booting. If you have a cordless keyboard, set the default option to ‘move to chest’ before rebooting because the keyboard won’t work during the scan.)
I also suggest you run Ewido: http://www.ewido.net/en/
Followed by these two programs in safe mode (tap F8 while booting):
Ad-Aware: http://www.lavasoft.de/
Spybot Search & Destroy: http://www.safer-networking.org/
Good luck!
Thanks but i cant seem to be able to select a boot time scan by using a right clicK?
the programme will not allow me to schedule a boot time scan?
First of all you have to use this software
http://www.f-secure.com/blacklight/
He will find the two hidden files called
regserv.dll
winlogon.dll
hidden from windows API and resident inside C:\Windows\System
Blacklight will rename them to winlogon.dll.ren and regserv.dll.ren.
Once they are renamed you can fisically see them on your PC, and you can manually delete these 2 files (do not put them in the thrashcan, DELETE them).
After this Load Avast and try to remove the 2 processes Winlogon.exe and friends. Avast! will probably tell u that there are viral processes in memory, and will ask you to plan a total scan on next boot. Let him do so. System will reboot and this time he should be able to remove them for real.
Or you can try the trial version of Nod32 (which is the only one who gave me the real name of what Avast! calls by the codename of Trojano-1320), but I don’t really like Nod32, Avast! is way better imho
What do you mean? Are you using Windows XP? Why can’t you do that?
After several attempts it worked. Thanks.
I have just tried blacklight and it didnt find any thing after a scan.
Odd… I’m at office right now and I just caught the virus once again (it infeceted a Forum Board I used to check).
Seems like the name is Troj/Haxdoor-BC, is that even a name? Got it looking around for the network.
Don’t know what are the effects of this thing, but appearently locks the access to a few websites (dunno according to which variables, but the same websites which I couldn’t access when I got this virus in my home PC, are the same I can’t access now at work).
Blacklight saved my ass finding those 2 rootkits and renaming them. After I deleted it (after rebooting the system and making them visibile) I was already able to access all those websites. I’m doing a full system scan now, and I’ll be cleaning up registries soon.
Hi what part of blackloght did you use?
I have just completed a third scan of the blacklight beta rootkit scan but nothing found.
What programme of blacklight should I use.