help removing Winlogon Hook!! Please

When you have finished steps 0 thru 7 of the READ ME, just attach the three requested logs

- Bitdefender
- PandaActiveScan
- HijackThis

Make sure you follow all steps and also get HijackThis installed properly per step 7's instructions.

Please attach your SpySweeper log too. I assume you are using a paid version???? Is it current?

 

The html file is what we want. Just follow the directions in step 6 and you will have done it correctly. That is, and html file is save with a .txt extension so you can upload it. The formatting is much easier to read in the html file and it also requires no editing on your part.

You should wait unitl you finish ALL steps before posting.

 

You need to update your Spy Sweeper definitions. You are out of date.

Also empty your Recycle Bin and Trend Micro\Internet Security 2006\Quarantine folders.

Now run the steps in the below and attach the smitfiles.txt log:

SpyFalcon Removal Procedure

 

Start by downloading two tools we will need:

- Process Explorer

- Pocket KillBox

Extract them to their own folder somewhere that you will be able to locate them later.

IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

Do the above before continuing! Okay unplug your cable now.

Make sure you have rebooted in Normal Mode (do not open any other processes)

- Run Process Explorer

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of winwlw32.dll once and then click the kill button. After you have killed all of the winwlw32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

Next double click on explorer.exe and again click once on each instance of winwlw32.dll and kill it.

Now just exit Process Explorer.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O20 - Winlogon Notify: winwlw32 - C:\WINDOWS\SYSTEM32\winwlw32.dll


Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
Be sure the "Save as" type is set to "all files"
Once you have saved it double click it and allow it to merge with the registry.

Now run Pocket Killbox:
Choose Tools > Delete Temp Files and click OK.

Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
C:\WINDOWS\system32\ldD716.tmp
C:\WINDOWS\SYSTEM32\ncompat.tlb
C:\WINDOWS\SYSTEM32\1024C
C:\WINDOWS\SYSTEM32\winwlw32.dll

If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

After reboot locate the below folder with Windows Explorer and delete it:
C:\Documents and Settings\Blake\Local Settings\Temporary Internet Files\Content.IE5\49EMJ3BM\support[4].htm
C:\Documents and Settings\Blake\Local Settings\Temporary Internet Files\Content.IE5\WXMZO123\CAW1YJW9.HTM

Note: The below is a possible souce of your problems! Downloading cracks is dangerous and illegal!
C:\Downloads\DVDX.Platinum.2.1.0.43.zip[crack.exe]

You should consider deleting this file!!


Now attach a new HJT log and tell me how the steps went.
Make sure you tell me how things are working now!

 

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Symantec Core LC (or if not found look for the short name: SNDSrvc) ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

Symantec Core LC

If you get an error message from HJT, just ignore it and continue with all steps.

Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O20 - Winlogon Notify: winwlw32 - winwlw32.dll (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe <--- this may be gone already if above steps worked.

After clicking Fix, exit HJT.

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

 

I'm not sure what you are trying to tell me.

Are the problems gone or not?

SmitRem does not bring back SpyFalcon. You still had some infected files on your system and they just reactivated the infection at some point.

To fix Yazzle, just have HijackThis fix the below line.

O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123

 

It belongs to Windows and is exactly what it says it is, a clean up program. You are only noticing it now because of the spyware scanning procedures, especially when using Webroot Spy Sweeper or other spyware software that does a deep clean search. Programs that require a reboot need access to files extracted from archives before Windows reloads. This command loads the routine to clean up what is left in the temporary system files. It's part of your operating system so when asked if you want to delete it or keep it, click on KEEP IT.

Normal!

 

If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

You're welcome!

And for those not able to read binary! The translation is:

I ONLY KNOW ONE OTHER PERSON AS GOOD AS YOU!!