WinXP SP2, Avast Home edition

I’ve had no problems with Avast before but this one got through… Avast did catch some miscellaneous *.exe’s subsequently.

This what I did to resolve the problem. I encountered it yesterday, it included an unknown download of some SpyFalcon goodies (a corrupted malware program - no, I didn’t download it it came with the rest of the problems). Google it to find out more about them, not a good thing.

I was getting repeated *.tmp.exe attempts to access the internet, deleting those files in the temp directory did no good as recursors would just respawn.

Here’s a quick summary of what I did to solve the problem in hopes of helping others (#3 on should apply to all with the win???32.dll problem - BTW, mine was winbue32.dll):

1. Uninstalled SpyFalcon;
2. Uninstalled IE Favorites links added due to #1;
3. Deleted these files from the following location: C:\windows\system32
   a. win???32.dll;
   b. ncompat.tlb;
   c. hp?? ??.tmp (those should be four other characters without a space but this thing turns it into a frown);
4. Deleted registry entries for #3;
5. Downloaded and installed both SMITREM (http://noahdfear.geekstogo.com/click%20counter/click.php?id=1) and EWIDO, only update EWIDO at this point, do not run a scan, (http://www.ewido.net/en/download/);
6. Reboot into SAFE mode;
7. Run SMITREM (just follow all prompts);
8. Run EWIDO (full system scan);
9. Restart to Windows.

System files deleted:

1. C:\WINDOWS\system32\win???32.dll;
2. C:\WINDOWS\system32\ncompat.tlb;
3. C:\WINDOWS\system32\hp???.tmp;
4. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win???32.dll (use the RUN command and then enter REGEDIT);
5. C:\Documents and Settings[username]\Local Settings\Temporary Internet Files\Content.IE5[foldername]\wdinit64.exe.

Other files:

Miscellaneous C:\Documents and Settings[username]\Local Settings\Temporary Internet Files\Content.IE5[foldername]\win??.tmp.exe files (usually only show the .tmp extension if you look in the folders but you can do a search for *.tmp.exe).

The latter was identified as: Trojan.Dialer.oy

*** You could probably do this manually without resorting to SMITREM and EWIDO, I got all of the files except for the wdinit64.exe without them.

Welcome to the Avast Forum ymb469
very comprehensive details I’m sure that
they will be put to good use when needed
Good to see you solved a nasty problem
Thanks

Not a problem, just trying to do my part. I would have liked someone to have posted this before I had to to save me time…

You have done a good thing ymb469 and you can be well pleased that
this will help others just think of the joy you got from doing it yourself
http://www.killersklan.it/forum/smile/berlusca.gif

Trust me, it was satisfying to do it for myself. I would like to think that I am at least moderately literate in this area.

Noticing the flag you represent, I would add that we (241st STB, MI) are having a ceremony to honor the Aussies who have served with us next month. Some of your compatriots will be here to celebrate.

I know that that has NOTHING to do with the post, just a comment…

I take my hat off to you and the brave men of the (241st STB, MI) you should all be very proud people

Some of your compatriots will be here to celebrate

From the Aussie Onya Bloke
http://ganjataz.com/01smileys/images/smileys/OdBall-thatworks2.gif

Thank you for taking the time to put this together and post it, I’m sure it will help others, who use the forums search function.

Can I make one suggestion, Change the Title slightly to also include reference to SpyFalcon and that your thread is not a cry for help rather a how to.

example, ‘How To: Remove SpyFalcon and win???32.dll, *.tmp.exe files’ or similar, this will help it stand out from the crowd when people use the search function, they see the title and only a very small piece of the text, so a more meaningful Title really stands out.

Welcome to the forums.

Nice job of it, ymb469.

It is always nice when someone posts some helpful information.

Please take David’s advice and change the title so others will find this help easily. You can use the Modify button at the top right of your post to do this.