help removing trojan winlogonhook

Discussion in 'Malware Help (A Specialist Will Reply)' started by scottvstn, Mar 8, 2006.

  1. scottvstn

    scottvstn Private E-2

    I have been trying everything for the last few days to remove winlogonhook. It just seems to respawn. I want to thank those people in advance for letting me know how to fix it. I have run Spy Sweeper while in safe mode. It finds it but it comes back. Tried just about everything else as well. When I tried to use HJT to kill services.exe it gave me the following error.

    "the selected process could not be killed. it may have already closed or it may be protected by windows. this process might be a service which you can stop from the services applet in Admin tools. to load this window, click start, run and enter "services.msc"

    When I run "services.msc" and look for services it is not there. Thanks again for your help.

    Edit by chaslang: Inline log removed.
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.


    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

    - Now run the steps in SpyFalcon Removal Procedure and attach the requested log later.



    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis


    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
    • Bitdefender
    • Panda Scan
    • HijackThis
    • smitfiles.txt
     
  3. scottvstn

    scottvstn Private E-2

    Did all of the steps; trojan still there. What am I missing? Thanks again for your help.
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes it is no wonder you are still infected. All the illegal downloads are killing you. It will be impossible to clean you up unless you delete all these infected downloads and stop downloading them.

    You forgot to attach the smitfiles.txt log. Please attach it.

    Also please follow the directions in step 7 of the READ ME and install HijackThis properly. You have it installed exactly where we ask that it not be installed.
     
    Last edited: Mar 9, 2006
  5. scottvstn

    scottvstn Private E-2

    thanks again
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you install HijackThis properly yet? If not, please do so before continuing.

    Look in Add/Remove programs for the below and uninstall if found:
    AZSearch
    CyDoor
    ISTbar
    MediaTickets
    MediaBack
    MyWay or MyWaySearch etc
    SpywareStrike

    Empty your Recycle Bin and each hard disk!

    Empty your Microsoft AntiSpyware Quarantine folder. Also MS Antispyware has been discontinued. You should uninstall this and upgrade to MS Windows Defender.

    Also empty your XoftSpy\Quarantine folder.

    You have a bunch of infections in the below backup folder you will need to cleanup since it has backups of all your infections!!!!
    M:\Retrospect Backup\Backup of Drive H (H)

    Downloading stuff like below is the reason you have so many infections. You should delete these infected files and stop downloading them.
    M:\downloads\adobe auditions + crack\aa\Adobe_Audition_v1[1].5_by_Again_www.lomalka.ru_.zip[out.exe]
    M:\downloads\adobe auditions + crack\aa\Adobe_Audition_v1[1].5_www.lomalka.ru_.zip[gfz.exe]
    M:\downloads\1click dvd copy with keygen\cr-c4291.exe[run.exe]
    M:\downloads\system mechanic 5.5a with crack\systemmechanic5pro.exe
    M:\downloads\absolute security pro + crack\Absolute_Security_Pro_v4[1].0_www.crack.cd_.zip

    And the below is a very bad idea! Unless you like infections! Delete it!!
    M:\downloads\WarezP2P_DLC.exe


    Start by downloading two tools we will need:

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes)

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of winrip32.dll once and then click the kill button. After you have killed all of the winrip32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of winrip32.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - H:\WINDOWS\winres.dll (file missing)
    O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
    O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - (no file)
    O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - (no file)
    O20 - Winlogon Notify: winrip32 - H:\WINDOWS\SYSTEM32\winrip32.dll


    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    H:\WINDOWS\SYSTEM32\ncompat.tlb
    H:\WINDOWS\system32\javacore.dll
    H:\WINDOWS\SYSTEM32\winrip32.dll


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot locate the below with Windows Explorer and delete them:
    H:\WINDOWS\SYSTEM32\azebar.xml
    H:\WINDOWS\SYSTEM32\ncompat.tlb
    H:\WINDOWS\SYSTEM32\1024 <--- the whole folder
    H:\WINDOWS\SYSTEM32\oins.exe
    H:\WINDOWS\system32\javacore.dll
    H:\WINDOWS\temp\winA.tmp.exe <-- it would be best to delete all files in this temp folder
    H:\WINDOWS\temp\win6.tmp.exe
    H:\WINDOWS\winres.dll
    H:\WINDOWS\tool5.exe
    H:\WINDOWS\cdmxtras
    H:\Documents and Settings\Administrator.DESKTOP\Local Settings\Temporary Internet Files\Content.IE5\0TENQH0D\mullbin1[1].exe
    H:\Documents and Settings\scotty\Local Settings\Temporary Internet Files\Content.IE5\G3F0QIJS\mullbin1[1].exe
    H:\INCINERATE\H1.rar[setup.exe]
    H:\INCINERATE\H3.exe
    H:\INCINERATE\H4.exe


    Now attach a new HJT log and tell me how the steps went.
    Make sure you tell me how things are working now!
     
  7. scottvstn

    scottvstn Private E-2

    Did everything you said. The following folders/files I was never able to find. Ran Spy Sweeper. Winlogonhook still is being found. Thanks again for your help and patience.


    H:\WINDOWS\SYSTEM32\1024
    H:\WINDOWS\temp\winA.tmp.exe
    H:\WINDOWS\temp\win6.tmp.exe

    H:\Documents and Settings\Administrator.DESKTOP\Local Settings\Temporary Internet Files\Content.IE5\0TENQH0D\mullbin1[1].exe
    H:\Documents and Settings\scotty\Local Settings\Temporary Internet Files\Content.IE5\G3F0QIJS\mullbin1[1].exe
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No! You still have not installed HijackThis properly! Install it properly and attach a new HJT log. You must do this before we go any further.

    Then tell me what you use all of the below for:
     
  9. scottvstn

    scottvstn Private E-2

    I hope I ran HJT correctly. Thanks again for your help. Below is what you asked about. I have no clue what some of those things are.




    No Idea ? sound card
    O23 - Service: Ctlsvsessscd - Creative Technology Ltd. - (no file)

    Thought that was uninstalled
    O23 - Service: Diskeeper - Unknown owner - H:\Program Files\Executive Software\Diskeeper\DkService.exe (file missing)

    No Idea
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    Backup program that came with ext. HD
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - H:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

    Backup program that came with ext HD
    O23 - Service: Retrospect Helper - Dantz Development Corporation - H:\Program Files\Dantz\Retrospect\rthlpsvc.exe

    Backup program that came with ext HD
    O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - H:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

    No Idea
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

    Trial prg I don't use
    O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - m:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcDataSrv.exe

    Trial prg I don't use
    O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - m:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR3\RpcSandraSrv.exe

    Trial Program I dont use
    O23 - Service: ScsiAccess - Unknown owner - m:\Program Files\Photodex\ProShowProducer\ScsiAccess.exe (file missing)
    Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE" -i MICROSOFTSMLBIZ (file missing)

    Trial Program I dont use
    O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - H:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)

    Antivirus Program I bought
    O23 - Service: SystemSuite Task Manager - V Communications, Inc. - H:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

    No Idea
    O23 - Service: Wintab32 - Unknown owner - H:\WINDOWS\System32\Wintab32.exe (file missing)

    No Idea
    O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - H:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
     


  10. scottvstn

    scottvstn Private E-2

    PS: When I ran HJT with msconfig loading at the normal setting, I noticed in the HJT log there are many programs I don't use anymore. Am I able to remove them? I guess I just used msconfig or a startup manager to disable them and not remove them. Some of them are long gone and the programs are not even on the computer anymore.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Tell me which ones are uninstalled!

    Also tell me which ones you NEVER want to load!
    And also tell me which ones you may want to load sometimes!

    Uninstall all the items you listed and trial software that you do not use. Then attach a new HJT log. If they are already uninstalled we may need to fix those lines manually.

    Do you use Retrospect?


    This next item is probably for some protected gaming software you use.
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

    Normally this is only there while installing. It's strange to still be there now.
     
  12. scottvstn

    scottvstn Private E-2

    Once again thank you for your help. Below are the only files/programs I want to load.

    Backup program that came with ext. HD
    O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - H:\PROGRA~1\Dantz\RETROS~1\retrorun.exe

    Backup program that came with ext HD
    O23 - Service: Retrospect Helper - Dantz Development Corporation - H:\Program Files\Dantz\Retrospect\rthlpsvc.exe

    Backup program that came with ext HD
    O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - H:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

    Antivirus Program I bought
    O23 - Service: SystemSuite Task Manager - V Communications, Inc. - H:\PROGRA~1\VCOM\SYSTEM~1\MXTask.exe

    When my computer starts the only programs I want to start in the taskbar are the following programs.

    MSN messenger
    spy sweeper
    zone alarm
    system suite
    startup manager

    I do use Retrospect. I am not sure which game that file is connected to. If I don't play it I can remove it. How do I find out which game it is? I uninstalled all the trial programs as you had advised. Thank you.
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think your list is incomplete. You need AVG7, the ATI stuff.

    But please answer my questions exactly.

    Which do you never want to load? (as in we should uninstall or delete them). Otherwise I would just say uninstall all this stuff you don't want to load?

    And which do you want to load sometimes? (as with your startup manager)

    If you do not want MS Antispyware and Spyware Doctor, you should uninstall them because they will still have certain things loaded even if not run at startup. SpySweeper is way better than them anyway as long as you keep it current.
     
  14. scottvstn

    scottvstn Private E-2

    Sorry for my lack of knowledge. Where am I supposed to find the list you are looking for? Is it the log that HJT makes? If so, how does one go about removing some of the programs? I removed AVG, for example, a long time ago. However, it is still in the HJT log. As far as the ATI stuff for my video card, all I want is for the video card to function. I don't use any of the programs that came with the card. Thanks.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You have to give it to me!!

    I'm asking you what you use because I have no idea what you use.

    I'm also asking you what you may want to use sometimes. If you left the decision to me, your Retrospect stuff would already have been uninstalled. See what I mean. Once we uninstall it, it is gone permanently unless you reinstall it later.

    If you want to be able to use certain software sometimes but do not want it to load at startup, this is something different than uninstalling.

    You should not be uninstalling AVG7. Without it, you have no antivirus, which is unacceptable. And you did not uninstall it. If you did, it would not be there.
     
  16. scottvstn

    scottvstn Private E-2

    When my computer starts the only programs I want to start in the taskbar are the following programs.

    Always start:

    MSN messenger
    spy sweeper (just bought a few weeks ago)
    zone alarm (free version)
    system suite MXTask.exe (antivirus program I bought)
    startup manager

    Sometimes start:

    Retrospect Backup Software

    Hope that is what you are asking for. Sorry for not understanding you well.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Go to Control Panel and select Add/Remove programs. Then uninstall each of the below (if you are really sure you do not want them - I have asked three times and your answers indicate you do not want them).
    Alcohol Soft or Alcohol 120
    AVG7
    AI RoboForm
    iPodService or anything else indicating Apple iPod
    SpywareDoctor
    Stardock or Stardock Bootskin
    Windows Defender
    WinPcap

    Then run HijackThis and select the below lines and then click Fix checked:
    O4 - HKCU\..\Run: [PRIVANAL] "H:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe

    Now exit HJT!


    Let's get an installed programs list from HijackThis too so we can see if there is anything else you may want to uninstall.

    Run HijackThis, click Open the Misc Tools section
    Click Open Uninstall Manager
    Click Save List (generates uninstall_list.txt)
    Click Save, to save it to a file where you can find it.
    Upload this file as an attachment too.

    What about the below services? Don't you use them?

    O23 - Service: Wintab32 - Unknown owner - H:\WINDOWS\System32\Wintab32.exe (file missing)
    O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - H:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)
     
  18. scottvstn

    scottvstn Private E-2

    Removed
    Alcohol Soft or Alcohol 120
    AVG7
    iPodService or anything else indicating Apple iPod
    SpywareDoctor
    Windows Defender
    WinPcap

    O4 - HKCU\..\Run: [PRIVANAL] "H:\Program Files\Messenger\msmsgs.exe" /background
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe


    Tried to fix/remove in HJT, but they always come back.

    O23 - Service: Ati HotKey Poller - Unknown owner - H:\WINDOWS\System32\Ati2evxx.exe (file missing)

    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)

    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - H:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)

    O23 - Service: Ctlsvsessscd - Creative Technology Ltd. - (no file)

    O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - H:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe (file missing)

    O23 - Service: X10 Device Network Service (x10nets) - Unknown owner - H:\PROGRA~1\ATIMUL~1\RemCtrl\x10nets.exe (file missing)





    Used Program I want to remain
    AI RoboForm
    Stardock Bootskin
     


  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You cannot remove services like that. That is why I said to uninstall the programs. If the uninstall still exists, it should remove the services. If you had in the past tried manually deleting files rather than using uninstall, you may have corrupted the uninstaller and it will no longer work.

    So why weren't they in the previous list when I asked you about this a few times?

    Go to Add/Remove programs and uninstall the below:
    Secure Delivery
    Viewpoint Media Player <--- this was given in step 0 of the READ & RUN ME and already should have been uninstalled.
    YazzleActiveX By OIN

    If you get any error messages while doing the below, just ignore and continue thru to the end.
    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Ati HotKey Poller .. then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Now repeat the above steps to stop and disable the following services:
    AVG7 Alert Manager Server (if that is not found, look for the short name: Avg7Alrt)
    AVG7 Update Service (if that is not found, look for the short name: Avg7UpdSvc)
    Ctlsvsessscd
    X10 Device Network Service (if that is not found, look for the short name: x10nets)


    Next, run HJT, but instead of scanning, click on the 'None of the above, just start the program' button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    Ati HotKey Poller

    Now repeat the above Delete NT Service steps for:
    Avg7Alrt
    Avg7UpdSvc
    Ctlsvsessscd
    x10nets

    Now exit HJT and reboot when it tells you it needs to.

    After reboot verify that those O23 lines are now gone.
    Also delete the below folder if it still exists:
    H:\Program Files\Grisoft
     
    Last edited: Mar 12, 2006
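The HijackThis lines quoted in posts 6, 18 and 19 share one layout, so they can be triaged mechanically. The Python below is an added example, not part of the thread and not HijackThis code: it flags O20 Winlogon Notify DLLs that fall outside a baseline and, for O23 services whose file is gone, extracts the key name that 'Delete an NT Service' is given. The baseline set, the function names and the crypt32chain sample line are assumptions made for the example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# ASSUMPTION: Winlogon\Notify subkeys treated as the stock Windows XP set.
# Build the real baseline from a known-clean install of the same OS build.
BASELINE_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<kind>[^:]+): (?P<body>.+)$")
MISSING_RE = re.compile(r"\s*\((?:file missing|no file)\)$")
SHORT_NAME_RE = re.compile(r"\(([^()]+)\)$")


class Entry(NamedTuple):
    section: str            # e.g. "O20", "O23"
    kind: str               # e.g. "Winlogon Notify", "Service"
    name: str               # first " - " separated field
    target: Optional[str]   # last field: path or URL; None for "(no file)"
    missing: bool           # log marked the target "(file missing)" or "(no file)"


def parse_line(line: str) -> Optional[Entry]:
    """Parse one 'Oxx - Kind: name - ... - target' line; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    # Fields are " - " separated; a name or path containing " - " is not handled.
    parts = m["body"].split(" - ")
    name = parts[0]
    target = parts[-1] if len(parts) > 1 else None
    missing = False
    if target is not None:
        target, hits = MISSING_RE.subn("", target)
        missing = hits > 0
        target = target or None
    return Entry(m["section"], m["kind"], name, target, missing)


def service_key_name(display: str) -> str:
    """O23 prints 'Display Name (KeyName)'; with no parentheses the two are equal."""
    m = SHORT_NAME_RE.search(display)
    return m.group(1) if m else display


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (section, name, reason) for every entry that needs a closer look."""
    findings = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e.section == "O20" and e.name.lower() not in BASELINE_NOTIFY:
            findings.append((e.section, e.name,
                             f"non-baseline Winlogon Notify DLL: {e.target}"))
        elif e.section == "O23" and e.missing:
            findings.append((e.section, service_key_name(e.name),
                             "service key left behind, binary gone"))
        elif e.missing:
            findings.append((e.section, e.name,
                             "registration points at a missing file"))
    return findings


# Lines copied from the thread, except the crypt32chain line, which is
# constructed to show a baseline Notify entry being skipped.
SAMPLE = r"""
O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - H:\WINDOWS\winres.dll (file missing)
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - (no file)
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
O20 - Winlogon Notify: winrip32 - H:\WINDOWS\SYSTEM32\winrip32.dll
O23 - Service: Retrospect Helper - Dantz Development Corporation - H:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - H:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - H:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: Ctlsvsessscd - Creative Technology Ltd. - (no file)
"""

if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE):
        print(f"{section:4} {name:20} {reason}")
```
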
  20. scottvstn

    scottvstn Private E-2

    Secure Delivery <Not in Add/Remove Programs
    Viewpoint Media Player < uninstalled
    YazzleActiveX By OIN < uninstalled

    I think removed as directed

    AVG7 Alert Manager Server
    AVG7 Update Service
    ctlsvsessscd
    X10 Device Network Service

    Deleted 023
    23 lines gone

    deleted
    H:\Program Files\Grisoft

    Ran Spy Sweeper it still found winlogonhook, untraview plus, and coolwebsearch.
     


  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's strange! It is in your Uninstall log from HijackThis.

    Please follow all the steps below.

    Please download Look2Me-Destroyer.exe to your desktop.
    • Close all windows before continuing.
    • Double-click Look2Me-Destroyer.exe to run it.
    • Put a check next to Run this program as a task.
    • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    • Once it's done scanning, click the Remove L2M button.
    • You will receive a Done Scanning message, click OK.
    • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    • Your computer will then shutdown.
    • Turn your computer back on.
    • Please post the contents of C:\Look2Me-Destroyer.txt.
    If Look2Me-Destroyer does not reopen automatically, reboot and try again.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


    Now run the steps in the below and attach the Ewido log.

    Running Ewido Anti-Malware


    Now run SpySweeper again and save the SpySweeper log.


    Now come back here and attach the 3 logs (Look2Me Destroyer, Ewido, SpySweeper)
     
    Last edited: Mar 13, 2006
  22. scottvstn

    scottvstn Private E-2

    Chaslang,

    Attached are all the logs you asked for. SpySweeper did not find any worms, trojans, or spyware. Clean sweep. I tried to attach it but it is too big to send. Do you still need it? Going forward, how do I keep these nasty things such as winlogonhook, untraview plus, and coolwebsearch from getting on my computer in the first place? Do I now turn back on the system restore function? My Antivirus/All in 1 Suite account ends this month. Is there a total package that you like better than System Suite made by V-Com? I also believe that your site takes donations. How do I make a donation? Thanks again.

    Scott
     


  23. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Happy to hear everything is all fixed up. No, I do not need any more logs if you are clean. You can also uninstall Ewido now.

    The link I will give you below should answer most of your questions. No, Majorgeeks does not take donations, but you can buy some Geek-Wear if desired (see http://www.jinx.com/scripts/products.asp?affid=30 ). You can also send an appreciation email to the owners of the site and thank them for hosting this free forum.

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
