
win*.tmp.exe Solution and Questions


Original Message
Name: strike_kin
Date: February 27, 2006 at 12:05:51 Pacific
Subject: win*.tmp.exe Solution and Questions
OS: Windows XP SP2
CPU/Ram: P4 2.4/ 1GB
Comment:

I have posted a thread and asked about my winxxxx.tmp.exe problem before.
I have just solved it successfully.

---
Before posting the solution, first I would like to say sorry to the administrators and the experts here that I posted
the HJT log here without being asked by experts. And that's why my post has
been deleted.


---
Second, I would like to ask two questions.

(1) jabuck said it was look2me, but later he said it was not.
jabuck, I would like to ask why you thought it was look2me. (I just want to learn more.)

(2) Besides the following line,

O20 - Winlogon Notify: winhqd32 - C:\WINDOWS\SYSTEM32\winhqd32.dll

jabuck also told each person with this problem to delete some other, different lines.
I believe those other lines are not related to the winxxxx.tmp.exe problem.
However, I also want to know: how do I know which line is useless and should be deleted?


---
Third, earlier someone asked me to post the following files here:

winhqd32.dll
win1F9A.tmp.exe

I have kept a backup and can send them to you.
But I want to know why you need those files, and also your e-mail again.


---
Last, I am posting my solution here because I hope all of you who are facing this problem can solve it by yourselves without
having the experts teach you. I believe that is the quickest way, and it saves the experts' time too.
I just followed jabuck's way. jabuck, although you haven't helped me directly, thank you for your time helping others.
Otherwise I would not have solved this problem. In fact you have helped me...^_^

Some steps may be redundant; I just put all the steps together.
But I am pretty sure that if you follow all the steps, you will solve the problem.

SOLUTION:


(A) Preparation:

(A1) First you need HijackThis (HJT, or HT) to get a log so that the files associated with the virus/spyware/hijacker can be identified.
Download HijackThis from this link http://www.tomcoyote.org/hjt/ then place it into a folder of its own, such as C:\HJT, so that backup copies can be made without cluttering your desktop or other folders, and the backup copies of deleted items can be easily located if needed.

(A2) Please download ATF-Cleaner from http://www.atribune.org/public-beta/ATF-Cleaner.exe by Atribune.

(A3) Download killbox to your desktop from this link:
http://www.downloads.subratam.org/KillBox.exe
We'll use it in safe mode later.

(A4) Download Ewido Security Suite from http://www.ewido.net/en/download/
then set it up this way (read the Ewido Setup Instructions - http://rstones12.geekstogo.com/ewidosetup.htm).
We'll run it in safe mode later.


(B) Solve the problem


(B1) Create an HJT log by following these instructions:
Double-click HijackThis.exe and press "Scan". When the scan is finished, the "Scan" button will change into a "Save Log" button.
The log file will be saved under C:\HJT, and it is named hijackthis.log

Do not fix anything yet unless you know what you are doing. This is a powerful tool that can crash the computer if used improperly.

From your HJT log, you may see lines like the following:
C:\WINDOWS\TEMP\winXXXX.tmp.exe

There may be more than one such line, or you may not see any at all; below is just the example from my case.
C:\WINDOWS\TEMP\win1F9A.tmp.exe
C:\WINDOWS\TEMP\win356.tmp.exe

Also, from your HJT log, you must see a line in the following format:
O20 - Winlogon Notify: winXXX32 - C:\WINDOWS\SYSTEM32\winXXX32.dll

In my case, it is:
O20 - Winlogon Notify: winhqd32 - C:\WINDOWS\SYSTEM32\winhqd32.dll


Just make a copy of the HJT log in case you forget these lines later.


(B2) Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.


(B3) Reboot your computer in Safe Mode by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap F8.
Instead of Windows loading as normal, a menu should appear.
Select the first option, to run Windows in Safe Mode.

(B4) Run HJT, choose "Do a system scan only", tick the following line (in my case) and click "Fix checked".

O20 - Winlogon Notify: winhqd32 - C:\WINDOWS\SYSTEM32\winhqd32.dll

A confirmation box will be displayed; just click Yes to delete it.

(B5) Double-click Killbox.exe to run it.
Put a tick by "Standard File Kill".
In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time.
Click the button that has the red circle with the X in the middle after you enter each file.

C:\WINDOWS\SYSTEM32\winhqd32.dll

C:\WINDOWS\TEMP\win1F9A.tmp.exe

C:\WINDOWS\TEMP\win356.tmp.exe

It will ask for confirmation to delete the file.
Click Yes.

Above are the lines which appeared in my HJT log in my case. I don't know how many tmp.exe files you have got.
Just delete all of them. And remember to delete the DLL file too.

You may get a message telling you that it is unable to delete the DLL file.
Ignore it; it is OK.


(B6) Run Ewido from safe mode, and when the scan has completed, Ewido will create a report.txt file.
Click the "Save Report" button at the bottom of the screen and save the log to your desktop.


(B7) Reboot your system.

(B8) Run HJT again and do a scan again to see if the following line is still there:
O20 - Winlogon Notify: winhqd32 - winhqd32.dll

If it is not there, it means you have successfully removed it.
However, in my case I saw the following:
O20 - Winlogon Notify: winhqd32 - winhqd32.dll (file missing)

The last step I took was simply to delete that line using HJT.

THE END
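The solution above keys on two things in the HJT log: a `win####.tmp.exe` running out of `C:\WINDOWS\TEMP`, and an `O20 - Winlogon Notify` entry with a random-looking `winXXX32` name (and, after cleanup, the same entry left behind with `(file missing)`). The helper below is an added example, not part of this thread or of HijackThis: it parses a log in that format and reports those indicators, plus the file paths the Killbox step would target. The two log excerpts are constructed (only the paths come from the post), and the `winXXX32` name pattern is my generalisation of the poster's `winhqd32`.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed HijackThis log excerpts (not the poster's real log). The TEMP and
# SYSTEM32 paths are the ones reported in the thread; everything else is made up.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\TEMP\win1F9A.tmp.exe
C:\WINDOWS\TEMP\win356.tmp.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ScCertProp - wlnotify.dll
O20 - Winlogon Notify: winhqd32 - C:\WINDOWS\SYSTEM32\winhqd32.dll
"""

# Same machine after the DLL was deleted but before the registry entry was fixed.
AFTER_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\HJT\HijackThis.exe

O20 - Winlogon Notify: ScCertProp - wlnotify.dll
O20 - Winlogon Notify: winhqd32 - winhqd32.dll (file missing)
"""

# Indicator 1: an executable in %WINDIR%\TEMP named win<hex>.tmp.exe.
TEMP_EXE_RE = re.compile(r"^[A-Z]:\\WINDOWS\\TEMP\\win[0-9A-F]{1,4}\.tmp\.exe$", re.IGNORECASE)
# Indicator 2: an O20 Winlogon Notify entry, optionally marked "(file missing)".
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# Assumed name pattern generalised from the thread's winXXX32 example.
RANDOM_NAME_RE = re.compile(r"^win[a-z0-9]{3,4}32$", re.IGNORECASE)


@dataclass
class Finding:
    kind: str      # "temp_exe" or "winlogon_notify"
    line: str      # the log line as written
    path: str      # file path named on the line
    missing: bool  # True when HJT reported "(file missing)"
    reason: str    # why the line was flagged


def scan_hjt_log(text: str) -> List[Finding]:
    """Return the log lines matching the indicators the thread describes, in log order."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if TEMP_EXE_RE.match(line):
            findings.append(Finding("temp_exe", line, line, False,
                                    "executable running from TEMP with a win####.tmp.exe name"))
            continue
        m = O20_RE.match(line)
        if not m:
            continue
        reasons = []
        if RANDOM_NAME_RE.match(m["name"]):
            reasons.append("winXXX32-style notify name")
        if m["missing"]:
            reasons.append("orphaned entry, file no longer exists")
        if reasons:
            findings.append(Finding("winlogon_notify", line, m["path"], bool(m["missing"]), "; ".join(reasons)))
    return findings


def remediation_targets(text: str) -> List[str]:
    """Full paths the thread's Killbox step deletes. Orphaned O20 entries have no
    file left, so they are not listed; those are removed with HJT's Fix checked."""
    targets: List[str] = []
    for f in scan_hjt_log(text):
        if f.kind == "temp_exe" or (not f.missing and "\\" in f.path):
            targets.append(f.path)
    return targets


def is_clean(text: str) -> bool:
    """True when neither indicator is present in the log."""
    return not scan_hjt_log(text)


if __name__ == "__main__":
    for label, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        print(f"== {label}: clean={is_clean(log)}")
        for f in scan_hjt_log(log):
            print(f"  [{f.kind}] {f.line}  <- {f.reason}")
        print("  delete:", remediation_targets(log))
```

On the "before" log the scanner flags the two TEMP executables and the `winhqd32` notify entry and lists all three paths for deletion; on the "after" log it flags only the orphaned `(file missing)` entry and lists nothing to delete, which matches the poster's final step of clearing that line with HJT rather than Killbox.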





Response Number 1
Name: jabuck
Date: February 27, 2006 at 15:44:56 Pacific
Reply:

If I had the time yesterday I would have been more explicit (he-he). You know that is a joke, inside maybe.

It simply looked like look2me or as I also mentioned possibly lop.com.

Some of the other items were just other malware and/or possible links (016s), which are portals at times, as you know.

Yazzle and Remind_XP.exe are possibilities as links, and were mentioned by two other posters, Abnormal and I forget the other (my apologies). These files should be run through Jotti's, especially "Remind_XP.exe", because they have been in most of the posts.

Thanks for the solution post.

