Winlogonhook malware and more

Discussion in 'Malware Help (A Specialist Will Reply)' started by briguy, Apr 24, 2006.

  1. briguy

    briguy Private E-2

    I cannot get through an entire scan with Spy Sweeper without the program crashing, but these are the items it catches while running:

    Trojan: Trojan agent winlogonhook
    adware: security2k hijacker
    adware: purity Scan
    Trojan: Trojan-downloader-Aux
    Trojan: Trojan-downloader-Zlob

    I have tried the "Winlogonhook Removal Procedure" and it did not work.
    http://forums.majorgeeks.com/showthread.php?t=88615

    Attached are the HijackThis log, startup list log (from HijackThis), and Ewido log.

    Thanks,
    Briguy
     
  2. briguy

    briguy Private E-2

    the attachments . . .
    Hijackthis log
    Startup list log
    Ewido log
     


  3. briguy

    briguy Private E-2

    Hello! I am new to this forum and came because I am having a major problem with my computer. I would appreciate anyone's help with this matter. I have posted a brief description of my problem above and some attachments of items I think might help diagnose.
    Thanks, Brian

    ps I am running XP PRO
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    Did you follow those steps for Winlogonhook removal exactly? Did you shut down the Explorer shell before running Spy Sweeper?

    Please follow our standard cleaning procedures, which are necessary for us to provide you support. They also include steps for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial... was anything found? Were you unable to complete any of the scans? Were you unable to download any of the tools? Did you do the on-line scans as suggested? etc.
    • If, after doing ALL of the above, you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky):
      • Bitdefender
      • Panda Scan
      • HijackThis
     
  5. briguy

    briguy Private E-2

    This took a while but I got through everything on the "Read and Run Me First" page. I was unable to run the Microsoft Defender so I ran CounterSpy instead. Then I followed instructions for the sticky "Winlogonhook removal procedure" where I turn off explorer.exe then run SpySweeper.

    A program called "SpyFalcon" was automatically installed and loaded and is now in my start-up programs. Also a Sudoku game called "Yazzle Sudoku" was installed.

    I am running XP Pro with SP2.

    Attached are my:
    bitdefender log
    panda scan log (activescan.txt)
    HijackThis
    SpySweeper

    I truly appreciate the help!

    Briguy
     


  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay before we continue with the other problems, you have a SpywareQuake problem to fix. Run the below and then attach the smitfiles.txt log.

    SpywareQuake Removal Procedure

    Also look in Add/Remove programs for the Yazzle Sudoku that you mentioned and uninstall it.

    Did you save the log from CounterSpy as instructed? Please attach it.

    Your version of Spy Sweeper is very old. It is version 3.5 and the current release is in the 4.5 range. You need to update to the new version of the program too.
     
  7. briguy

    briguy Private E-2

    All right, so I performed all steps in the "SpywareQuake Removal Procedures" (smitfiles.txt is attached).
    And yes, I forgot to attach the CounterSpy log--I will attach it now. Also, I have updated my version of Spy Sweeper . . . should I re-sweep?

    Thanks!
     


  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Hmmmmm! You may have another brand-new form of SpywareQuake or a similar infection. The below lines showing up seem very suspect.
    Did you find any of the files I mentioned in the SpywareQuake procedure?
    Was SpywareQuake found in Add/Remove programs?
    Was the C:\Program Files\SpywareQuake folder found?
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay no matter what your answers are to my below questions, we will continue with the below fixes. Note: we will run the new Spy Sweeper later.

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to hpdj ... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc Tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    hpdj
    If you get any error messages while doing the above, just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.
    Run Pocket Killbox by doubleclicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KillBox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion... say YES, and when the next box opens prompting you to reboot now... click NO... and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.

    C:\Documents and Settings\Brian\Local Settings\Temp\!update.exe
    C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\3PLUZ2CT\!update-3715[1].0000
    C:\WINDOWS\system32\oins.exe
    c:\windows\system32\interf.tlb
    c:\windows\system32\ot.ico

    C:\WINDOWS\system32\bwfbzsn.dll
    C:\WINDOWS\system32\winjgf32.dll


    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R3 - URLSearchHook: (no name) - {C8F6BD72-22E8-0E43-B72C-2C17246B74C7} - C:\WINDOWS\system32\bwfbzsn.dll
    O2 - BHO: (no name) - {C8F6BD72-22E8-0E43-B72C-2C17246B74C7} - C:\WINDOWS\system32\bwfbzsn.dll
    O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINDOWS\system32\hp77D6.tmp
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll (file missing)
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
    O20 - Winlogon Notify: winjgf32 - C:\WINDOWS\SYSTEM32\winjgf32.dll
    O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Courtney\LOCALS~1\Temp\hpdj.exe (file missing)


    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (we already deleted them with killbox but we are double checking):

    C:\Documents and Settings\Brian\Local Settings\Temp <--- delete all files in this folder
    C:\Documents and Settings\Courtney\Local Settings\Temp <--- delete all files in this folder
    C:\Documents and Settings\Brian\Local Settings\Temporary Internet Files\Content.IE5\3PLUZ2CT\!update-3715[1].0000
    C:\WINDOWS\system32\oins.exe
    c:\windows\system32\interf.tlb
    c:\windows\system32\ot.ico
    C:\WINDOWS\system32\bwfbzsn.dll
    C:\WINDOWS\system32\winjgf32.dll


    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log

    Also tell me how things are working!
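    The HijackThis lines singled out in this post share a few tells: an IE hook or BHO with no product name, a Winlogon Notify DLL that is not a stock XP package, a service whose binary sits in a Temp folder, and a search bar forced to about:blank. The following Python triage script is an added example, not code from the thread or from HijackThis; it applies those heuristics to HJT log text. The Winlogon Notify allowlist and the sample lines (taken from this thread, plus one constructed benign BHO) are assumptions.

```python
import re
from typing import List, Tuple

# Winlogon Notify packages that ship with Windows XP. Assumed allowlist: compare
# it against a known-clean machine of the same build before trusting it.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

LINE_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")

def classify(line: str) -> Tuple[str, str, List[str]]:
    """Return (section, line, reasons); an empty reasons list means nothing fired."""
    m = LINE_RE.match(line.strip())
    if not m:
        return ("", line.strip(), [])
    code, body = m.group("code"), m.group("body")
    # The target (file path or URL) is the last " - " separated field.
    target = body.rsplit(" - ", 1)[-1].replace("(file missing)", "").strip().lower()
    reasons = []
    if code in ("R0", "R1") and body.endswith("= about:blank"):
        reasons.append("IE search/start page forced to about:blank (hijacker residue)")
    if code in ("R3", "O2", "O3") and re.search(r": (\(no name\)|Nothing) - ", body):
        reasons.append("IE hook/BHO with no product name")
    if code == "O2" and target.endswith(".tmp"):
        reasons.append("BHO loaded from a .tmp file")
    if code == "O20":
        package = body.split(" - ")[0].split(": ", 1)[-1].lower()
        if package not in KNOWN_NOTIFY:
            reasons.append("Winlogon Notify DLL outside the XP allowlist (winlogonhook-style persistence)")
    if code == "O23" and "\\temp\\" in target:
        reasons.append("service binary lives in a Temp folder")
    if code == "O16":
        reasons.append("ActiveX download (DPF): review the source domain")
    if "(file missing)" in body:
        reasons.append("dangling reference to a missing file (safe to fix)")
    return (code, line.strip(), reasons)

def triage(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Keep only the lines that tripped at least one heuristic."""
    return [f for f in map(classify, log_text.splitlines()) if f[2]]

# Constructed sample: lines quoted in the thread plus one benign BHO line.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINDOWS\system32\hp77D6.tmp
O2 - BHO: Example Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O20 - Winlogon Notify: winjgf32 - C:\WINDOWS\SYSTEM32\winjgf32.dll
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Courtney\LOCALS~1\Temp\hpdj.exe (file missing)
"""
```

Calling triage(SAMPLE_HJT) flags five of the six sample lines and leaves the benign BHO alone; the heuristics are a starting point for review, not a verdict.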
     
  10. briguy

    briguy Private E-2

    SpywareQuake was not in Add/Remove programs.
    C:\Program Files\SpywareQuake was not found, but I deleted a folder called C:\Program Files\SpywareQuake.com.

    Only one of the four files I was supposed to rename and delete was present: C:\WINDOWS\System32\sivudro.dll

    One odd thing occurred: toward the end of running runthis.bat, when it said it was going to run a system sweep and it may take a while, a dialogue box popped up--the same one that pops up every time you log in in safe mode that makes sure you know you're running in safe mode. I clicked OK, then the desktop came back. The sweep ended and closed on its own about a minute later.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that is good to know! I will add it to the list of things to delete.

    Okay, that was one of the new files in the family. But now you also have the newest one. The C:\WINDOWS\system32\twain32.dll file is a new baddie and there are new registry keys. I'm working on the additions to the procedure now. In a little while a new fix will be posted. Just watch the time stamp on the thread or look for the addition of the twain32.dll file in the thread. Then you will know it has been updated. Note: Always redownload SmitRem.exe. Just like I'm updating the fix here, that file constantly changes too, so it is best to always redownload.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay the SpywareQuake Removal Procedure has been updated.

    Make sure you re-download the fixquake.reg registry patch since it has changed, and also re-download SmitRem.exe just in case it has changed.
     
  13. briguy

    briguy Private E-2

    Chaslang, I will try to be more descriptive in my posts . . .

    Things are running a little better since I've run all of the suggestions, but there are still some obvious problems (like the "Virus Alert!"/Animalware popup-icon in my startup tray).

    Below is what happened when I followed the directions of your 21:51 (4/25) post . . .
    -hpdj was already stopped, but I chose "Disabled" as the startup type.

    Some of the files in your list to delete in HJT were missing--they are listed below:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank

    O2 - BHO: (no name) - {C8F6BD72-22E8-0E43-B72C-2C17246B74C7} - C:\WINDOWS\system32\bwfbzsn.dll

    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1162

    O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Courtney\LOCALS~1\Temp\hpdj.exe (file missing)

    However, when I restarted in normal mode and ran HJT again the "O16 - DPF..." line was there, so I fixed it. After that I saved a new log file and will attach it to this post.

    I saw your post regarding the update of the spyQuake removal procedure and will re-download it and post a "smitfiles.txt" in my next post.

    I truly appreciate the assistance!
     


  14. briguy

    briguy Private E-2

    Something I forgot to mention. The following files could not be deleted:

    C:\Documents and Settings\Brian\Local Settings\Temp\~DF540C.TMP
    C:\Documents and Settings\Brian\Local Settings\Temp\~DF648A.TMP
     
  15. briguy

    briguy Private E-2

    I re-downloaded and ran the SpywareQuake removal procedure. Attached is the log file.

    Everything that I deleted last time was still deleted. Except for twain32.dll--I deleted this one after changing the file name.

    thx
     


  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    All the items you mentioned as missing and also the files you could not delete in the Temp folder are normal behavior. HJT sometimes deletes things for us when we fix the lines. And those files were in use by Windows.

    You picked up some new problems!

    Make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: Windows Resources - {2D38A51A-23C9-48a1-A33C-48675AA2B494} - C:\WINDOWS\winres.dll
    O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.mt-download.com/MediaTicketsInstaller.cab?refid=5071

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\winres.dll

    Now, if running Win XP, go to c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Now run a new Spy Sweeper scan and attach a log from it! If you get Winlogonhook, run the Winlogonhook removal procedure.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Apr 26, 2006
  17. briguy

    briguy Private E-2

    I ran HJT successfully and fixed those two files.

    When I restarted in SafeMode I did not find this file: C:\WINDOWS\winres.dll

    I deleted everything in the C:\WINDOWS\prefetch\ folder. I then ran Ccleaner and attached is my HJT log when run in normal mode.

    While my startup tray is cluttered, I think everything new in it is from all the new spyware removal software I've been using. The computer seems to be running about normal. I haven't run Spy Sweeper yet to look for the winlogonhook. I will do so after I post this and give an update.

    Thanks!
     


  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Since you have a paid version of Spy Sweeper you should uninstall CounterSpy and Ewido. That will address some of the clutter and will speed your PC up.

    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
  19. briguy

    briguy Private E-2

    Chaslang,

    I ran SpySweeper and it came up clean so I followed the instructions for system restore. I am running SpySweeper again just for good measure. I appreciate the time and effort it took to assist me with my malware problems. Thank you very much!!!

    Brian
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem Brian. Surf safely!
     
