Persistent win39.tmp.exe dialer trojan

You just need to know what to search for. There are many links related to fixing this. The file names are always different and also the search capabilities of vB (used for the forums) is very limited. If you search for winlogonhook, here and on Google, you will find plenty of hits.

You need to start the same place as every one else. And that is with our cleaning procedures.

Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

• Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
• Make sure you check version numbers and get all updates.
• Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.

• After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

​

• When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
  • Bitdefender
  • Panda Scan
  • HijackThis

.

 

You are running an outdated Sun Java version. You must get updated.

Did you install WinPcap? Possibly to use with Ethereal?
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: winbug32 - winbug32.dll (file missing)

After clicking Fix, exit HJT.

It would be a good idea to delete all files and subfolders in: C:\Windows\Temp
This is where those dialer trojan files are hiding.

Now reboot in normal mode and post a new HJT log.

Make sure you tell me how things are working now.

Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable system restore per step 1 of the READ & RUN ME. This only applies to if using WinXP or WinMe.

 

WinPcap is a valid product. It is not malware. See: http://www.winpcap.org/
However most people have no need for it. That is why I asked if you installed it for something. If you are sure you do not need it, just go to Add/Remove programs and uninstall it. It can always be reinstalled if later you find you needed it for something.


It would be a better idea to only work on one PC at a time. Otherwise this thread could get to confusing. So let's finish the first PC before looking at a second one. And when we do look at the second PC, all the same full cleaning procedures must be followed first and then the logs from the two online scanners must be obtained and posted before using HijackThis.

 

Okay! After we finish the first PC, we can start on your second one. But it would probably be a better idea to start another message thread for it. When you do start this new thread, make sure you run the whole READ & RUN ME on your second PC and attach the three required logs.

 

Well maybe that's not true. You have kept the below on your PC.

http://www.bleepingcomputer.com/startups/BIGFIX.EXE-568.html

As soon as I get any new PCs this is about the second thing that gets deleted (AOL is first). Third is McAfee or Norton. Fourth is all other junk demo/trial software.

You're log is free of malware. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

After that, you should work thru the below link:

How to Protect yourself from malware!

 

You're welcome! Please do not post a HijackThis log without having run the READ & RUN ME sticky and without having first posted the two online scanner logs from step 6.