Help with w?nlogon.exe

Discussion in 'Malware Help (A Specialist Will Reply)' started by Tranceaddict, Jan 10, 2005.

  1. Tranceaddict

    Tranceaddict Private E-2

    I have tried everything in my power to try and remove this spyware, which by the way I can't even allocate, yet it shows up as being under system32. I have followed all the steps in "Basic Spyware, Trojan And Virus Removal". I have run 'Hijack This' properly, and would love someone more experienced to take a look at it and help me out. I really appreciate it, and thank you very much in advance.

    BTW, the w?nlogon.exe file only appears on startup when I connect to the internet.
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Tranceaddict,

    If you have exhausted all of the resources in the Cleanup Tutorial (including the Online Scans), then go ahead and send us a FRESH HijackThis Log. Please be sure to follow the instructions below (Just Doublechecking ;) ):

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’m not around this forum too often these days, but somebody will try to take a look when they get a chance.

    PP :)
     
  3. Tranceaddict

    Tranceaddict Private E-2

    Thank you very much. I have followed the instructions to a T, here it is:

    BTW, I also included a second start up list file since the dreaded "C:\WINDOWS\system32\w?nlogon.exe" only shows up while I'm connected to the internet.
     

    Attached Files:

  4. PhilliePhan

    PhilliePhan Guest

    Hi Tranceaddict,

    I know you said you followed everything to a T - Just Doublechecking ;)

    Did you look for w?nlogon.exe with the viewing of hidden files Enabled? Did you try in Safe Mode? It may be CWS related - Did you run CWShredder?

    If we need to, we can remove it using Pocket KillBox.

    I looked at your HJT Log and most of the entries that need to be fixed are benign. There is one BHO that I do not recognize and it may be part of the problem. See if you recognize it - If not, remove it!

    Scan with HJT and check the boxes for the following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R3 - Default URLSearchHook is missing

    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

    O2 - BHO: (no name) - {C58AC3C0-5A74-2086-51A2-50D059097697} - C:\WINDOWS\System32\tkpcvs.dll --> Recognize this? If not, Delete it!

    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)

    O3 - Toolbar: Search Bar - {0A8CE102-FA03-4612-9BEE-7FE5452F4CB1} - (no file)


    Make sure ALL browser windows are Closed when you click FIX!

    Let's see if removing the BHO flushes w?nlogon.exe into the open. If not, we'll try KillBox.

    Let me know how you fare with the above and post a fresh HJT log.

    PP :)
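
Added example, not part of the original thread: a small parser for the O2/O3 lines quoted in the post above, separating entries whose file is already gone, marked "(no file)", from an unnamed BHO that still loads a DLL from System32. The function names, the triage labels and the heuristics are assumptions made for illustration, not HijackThis behaviour.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the O2/O3/R3 lines quoted in the post above.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {C58AC3C0-5A74-2086-51A2-50D059097697} - C:\WINDOWS\System32\tkpcvs.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Search Bar - {0A8CE102-FA03-4612-9BEE-7FE5452F4CB1} - (no file)
"""

# O2 = Browser Helper Object, O3 = IE toolbar; both read "name - {CLSID} - file".
ENTRY = re.compile(
    r"^(?P<section>O[23]) - (?P<kind>BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)

def parse_entries(log_text):
    """Return one dict per O2/O3 line; other sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries

def triage(entry):
    """Hypothetical triage labels (assumed heuristics, not HijackThis output)."""
    target = entry["target"].strip()
    if target.lower() == "(no file)":
        return "orphan"   # registry entry left behind, file already gone
    in_system32 = PureWindowsPath(target).parent.name.lower() == "system32"
    if entry["name"] == "(no name)" and in_system32:
        return "review"   # unnamed component loading a DLL from System32
    return "listed"       # named entry with a file: identify it by CLSID

def analyse(log_text):
    """Return (clsid, verdict, target) for every O2/O3 entry in the log."""
    return [(e["clsid"], triage(e), e["target"]) for e in parse_entries(log_text)]

if __name__ == "__main__":
    for clsid, verdict, target in analyse(SAMPLE_LOG):
        print(f"{verdict:7} {clsid} {target}")
```
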
     
  5. Tranceaddict

    Tranceaddict Private E-2

    I can't thank you enough. It worked, removing the C:\WINDOWS\System32\tkpcvs.dll file made the 'w?nlogon.exe' process disappear. The w?nlogon.exe was a major drain on my system taking up between 7-23mb of RAM. Thanks again. :)
     
  6. PhilliePhan

    PhilliePhan Guest

    You're Welcome :) Happy to help!

    You should still do a thorough search of your machine with Windows Explorer for that w?nlogon.exe - It probably remains on your machine.

    Also, check out Chaslang's suggestions: How to Protect yourself from malware!

    PP :)
     
  7. Tranceaddict

    Tranceaddict Private E-2

    Just searched for the file and nothing came up. Once again thank you for everything.

    BTW, here is the new Hijack This log, looks good to me.
     

    Attached Files:

  8. PhilliePhan

    PhilliePhan Guest

    Looks OK to me, too.

    Best,
    PP :)
     
