Whiteshark Posted March 21, 2007

> thanks, hadn't thought of that... a simple rename (dropping the H) didn't work, will now try something more sneaky, rearrange more letters, maybe change the icon... can't think of much else I can do to disguise an exe file, and besides, anything that's this smart will probably be able to see some internal identifier... back in a bit... thanks again...

I've read on some Italian forum of other people who are unable to run both CCleaner and HijackThis too. If you like, try to download a renamed copy of HJT from my web space: file name pippo.zip (contains HJT renamed as pippo.exe). Disco Remoto
scotiabahn (Author) Posted March 21, 2007

> Hi, run this instead (it will generate a HijackThis log as well).
> Download ComboScan to your Desktop. Close all applications and windows. Double-click on comboscan.exe to run it, and follow the prompts. The scan may take a minute.
> When the scan is complete, a text file will open, ComboScan.txt. A folder Comboscan will also open which contains the Comboscan.txt and a Supplementary.txt. Copy and paste the contents of ComboScan.txt in your next reply.
> Extra note: when running Comboscan, some firewalls may warn that sigcheck.exe is trying to access the internet; please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your antivirus flags Comboscan as suspicious. Please allow Comboscan to run and don't let your antivirus delete it. (In this case, it may be better to temporarily disable your antivirus.)

Unfortunately this has gone the same way as HijackThis... It did start running and completed the restore point, but stopped around 12% progress (as far as I could tell). Both .txt files were created but are empty...
scotiabahn (Author) Posted March 21, 2007

> I've read on some Italian forum of other people who are unable to run both CCleaner and HijackThis too. If you like, try to download a renamed copy of HJT from my web space: file name pippo.zip (contains HJT renamed as pippo.exe). Disco Remoto

Many thanks for the help, but that hasn't worked either... it still recognises it as a threat and shuts it down...
scotiabahn (Author) Posted March 21, 2007

I've been playing... I tried simply moving the wbjrwesa.txt file out of the windows\system32 folder to the desktop and then deleted the prefetch version (ordinary delete, not CCleaner Secure Delete - didn't work). Then I tried running CCleaner again and it worked, analyzing and removing the accumulated crud of the last few days... So that's good... However, at the moment my desktop seems to have got a bit confused and all the icons and task bars have vanished, so it might be time for a reboot. I'll let you know how I get on...
scotiabahn (Author) Posted March 21, 2007

Oh bother... now my desktop has gone missing... I'm really going from bad to worse on this... Since I last wrote, a reboot hasn't resolved it, nor has moving wbjrwesa.txt to the old E drive helped; the desktop is still blank... The only way I can run anything is via Task Manager (Ctrl+Alt+Del) and then File/Run... The only good news is that I can see the internet on the desktop machine again and can run ComboScan. As requested earlier I will put the details from ComboScan.txt in here, but I will have to do that again - explorer isn't running and I can't find the output - aargh!

ComboScan v20070306.20 run by family on 2007-03-21 at 21:49:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as family.exe) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 21:49:33, on 21/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\family\Desktop\comboscan.exe
C:\PROGRA~1\HIJACK~1\family.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://morwillsearch.com/?adv_id=amandaxxx&sub_id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B35C1E01-EB19-D484-5BA5-B1B1FAF1F1FB} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RtlWake.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [iNTERNATIONAL] International*
O15 - Trusted Zone: www.amazon.co.uk
O15 - Trusted Zone: *.morwillsearch.com
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/...tgameloader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {BED02A0F-05A1-4249-A49E-CD0D41A6A152} - http://xearl.com/abd3bb87/sm/10031/1/xp/FastTeens.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/...tivePreQual.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: disk - C:\WINDOWS\system32\diskperff.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe

-- Files created between 2007-02-21 and 2007-03-21 -----------------------------

2007-03-21 19:57:54       0 d-------- C:\Documents and Settings\family\Application Data\AVG7
2007-03-21 19:57:46       0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-03-21 19:57:43    4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2007-03-21 19:57:43   19392 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-03-21 19:57:43    3968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-03-21 19:57:42   27776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-03-21 19:57:38    4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-03-21 19:57:33  775680 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-03-21 19:57:29       0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-03-21 19:57:29       0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-03-20 15:27:38    5936 --a------ C:\Documents and Settings\family\mqdmwhnt.sys
2007-03-20 15:27:38   79328 --a------ C:\Documents and Settings\family\mqdmserd.sys
2007-03-20 15:27:38   92064 --a------ C:\Documents and Settings\family\mqdmmdm.sys
2007-03-20 15:27:38    9232 --a------ C:\Documents and Settings\family\mqdmmdfl.sys
2007-03-20 15:27:38    4048 --a------ C:\Documents and Settings\family\mqdmcr.sys
2007-03-20 15:27:38    6208 --a------ C:\Documents and Settings\family\mqdmcmnt.sys
2007-03-20 15:27:38   66656 --a------ C:\Documents and Settings\family\mqdmbus.sys
2007-03-20 09:45:07       0 d-------- C:\Program Files\vtplus
2007-03-20 08:54:01  118784 --a------ C:\WINDOWS\system32\o100vc.dll
2007-03-20 08:54:01   40960 --a------ C:\WINDOWS\system32\o100ext.dll
2007-03-20 08:54:01   36864 --a------ C:\WINDOWS\system32\hcwutl32.dll
2007-03-20 08:54:01   96768 --a------ C:\WINDOWS\system32\hcwTVWnd.dll
2007-03-20 08:54:01   89600 --a------ C:\WINDOWS\system32\hcwTVDlg.dll
2007-03-20 08:54:01   48128 --a------ C:\WINDOWS\system32\hcwtuner.dll
2007-03-20 08:54:01  393216 --a------ C:\WINDOWS\system32\HCWsnbd9.dll
2007-03-20 08:54:01   36864 --a------ C:\WINDOWS\system32\hcwps32.dll
2007-03-20 08:54:01  155648 --a------ C:\WINDOWS\system32\hcwpnp32.dll
2007-03-20 08:54:01   45056 --a------ C:\WINDOWS\system32\hcwi2c32.dll
2007-03-20 08:54:01   32768 --a------ C:\WINDOWS\system32\hcwHook.dll
2007-03-20 08:54:01  184832 --a------ C:\WINDOWS\system32\hcwChan.dll
2007-03-20 08:54:01  135168 --a------ C:\WINDOWS\system32\hcwAV.dll
2007-03-20 08:54:01  113664 --a------ C:\WINDOWS\system32\hcwAud32.dll
2007-03-20 08:54:01  140440 --a------ C:\WINDOWS\system32\drivers\hcw848nt.sys
2007-03-20 08:54:00   28672 --a------ C:\WINDOWS\system32\BTGPIO32.dll
2007-03-20 08:54:00   28672 --a------ C:\WINDOWS\system32\BT848Wst.dll
2007-03-20 08:54:00   16384 --a------ C:\WINDOWS\system32\Bt848_32.dll
2007-03-15 14:12:05   21504 --a------ C:\WINDOWS\system32\drivers\hidserv.dll
2007-03-15 13:50:56       0 d-------- C:\Program Files\Motive
2007-03-15 13:50:56       0 d-------- C:\Program Files\BT Broadband Desktop Help<BTBROA~1>
2007-02-26 18:42:38       0 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2007-02-26 18:37:19  208896 --a------ C:\WINDOWS\system32\NVUNINST.EXE

-- Find3M Report ---------------------------------------------------------------

2007-03-21 20:42:45       0 d-------- C:\Program Files\ZipCentral<ZIPCEN~1>
2007-03-21 19:57:29       0 d-------- C:\Program Files\Grisoft
2007-03-21 19:56:42       0 d---s---- C:\Documents and Settings\family\Application Data\Microsoft<MICROS~1>
2007-03-20 15:28:23       0 d-------- C:\Program Files\Motorola Phone Tools<MOTORO~1>
2007-03-20 15:25:41       0 d-------- C:\Program Files\Avanquest update<AVANQU~1>
2007-03-20 09:44:57       0 d-------- C:\Program Files\WinTV
2007-03-18 12:53:29       0 d-------- C:\Program Files\Microsoft Money<MICROS~4>
2007-03-17 18:12:35      16 --a------ C:\WINDOWS\popcinfo.dat
2007-03-15 21:21:19       0 d-------- C:\Program Files\Outlook Express Quick Backup<OUTLOO~2>
2007-03-15 21:21:05  249856 -----n--- C:\WINDOWS\Setup1.exe
2007-03-15 21:21:03   73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-03-15 13:57:49       0 d-------- C:\Documents and Settings\family\Application Data\Motive
2007-03-15 13:52:14       0 d-------- C:\Program Files\Common Files\Motive
2007-02-18 19:21:36       0 d-------- C:\Program Files\Yahoo!
2007-01-29 10:37:18       0 d-------- C:\Program Files\BT Home Hub<BTHOME~1>
2007-01-29 08:58:06   60416 -----n--- C:\WINDOWS\system32\tzchange.exe
2007-01-25 07:55:27   29232 --a------ C:\WINDOWS\hpoins03.dat
2007-01-22 21:43:35       0 d-------- C:\Program Files\btbb_wcm
2007-01-21 12:05:59       0 d-------- C:\Program Files\OpenTTD
2007-01-12 09:27:42  232960 --a------ C:\WINDOWS\system32\webcheck.dll
2007-01-12 09:27:42   51712 -----n--- C:\WINDOWS\system32\msfeedsbs.dll<MSFEED~1.DLL>
2007-01-12 09:27:42  458752 -----n--- C:\WINDOWS\system32\msfeeds.dll
2007-01-12 09:27:42 6054400 --a------ C:\WINDOWS\system32\ieframe.dll
2007-01-08 19:04:54  105984 --a------ C:\WINDOWS\system32\url.dll
2007-01-08 19:04:08  102400 --a------ C:\WINDOWS\system32\occache.dll
2007-01-08 19:02:04  266752 --a------ C:\WINDOWS\system32\iertutil.dll
2007-01-08 19:02:04   44544 --a------ C:\WINDOWS\system32\iernonce.dll
2007-01-08 19:02:02  384000 --a------ C:\WINDOWS\system32\iedkcs32.dll
2007-01-08 19:02:02  383488 --a------ C:\WINDOWS\system32\ieapfltr.dll
2007-01-08 19:02:02  161792 --a------ C:\WINDOWS\system32\ieakui.dll
2007-01-08 19:02:02  230400 --a------ C:\WINDOWS\system32\ieaksie.dll
2007-01-08 19:02:02  153088 --a------ C:\WINDOWS\system32\ieakeng.dll
2007-01-08 19:01:14   17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-08 19:00:48  124928 --a------ C:\WINDOWS\system32\advpack.dll
2007-01-08 18:08:14   56832 --a------ C:\WINDOWS\system32\ie4uinit.exe
2007-01-08 18:08:10   13824 --a------ C:\WINDOWS\system32\ieudinit.exe

-- Registry Dump ---------------------------------------------------------------

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"nwiz"="nwiz.exe /install"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"Intense Registry Service"="IntEdReg.exe /CHECK"
"btbb_wcm_McciTrayApp"="C:\\Program Files\\btbb_wcm\\McciTrayApp.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
"Debugger"="\"c:\\windows\\system32\\wbjrwesa.txt\""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\disk

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\
HTTPFilter REG_MULTI_SZ HTTPFilter\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\

-- End of ComboScan: finished at 2007-03-21 at 21:52:13 ------------------------
scotiabahn (Author) Posted March 21, 2007

This bit looks key to me:

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
"Debugger"="\"c:\\windows\\system32\\wbjrwesa.txt\""

I've tried REGEDIT to get rid of the debugger value but it won't let me... It just occurs to me that CCleaner might be able to, now it's running... I'll go have a look...

Nope, it didn't find it... Help! Any suggestions? At least I had the desktop before.
scotiabahn (Author) Posted March 22, 2007

I have got my desktop back, but only by putting wbjrwesa.txt back into c:\windows\system32, which means I lose CCleaner, HijackThis and the rest as viable applications, but at least I can do most things again... I'm also going to put back KB908531 and verclsid.exe because that doesn't seem to be the problem; it's just this stupid txt file, which I can't delete or erase, nor remove from my registry, which I suspect is the key part of this. An interesting 24 hours or so, back to the same situation as before, but at least there is a better suspect for the problem... Now, anyone got any ideas on how to kill it?

A few things occurred to me overnight on a more general level:

1. How did I get this on my machine? Best guess is via an infected website - had a nasty pop-up explosion of windows maybe a week back, and probably hadn't run CCleaner since then...
2. Why is someone targeting CCleaner and its chums? It doesn't affect my anti-spyware, anti-ad, or anti-virus software...
3. I have to say that I am impressed by this nasty little thing; it's pretty hard to detect, hard to kill and fiendishly selective.

It also occurred to me that whoever wrote it might be monitoring this forum, highly amused by their handiwork. Well, if he/she is, bravo, it's very good, but you could be kind and put me out of my misery and tell me how to fix it... If anyone wonders why I should ask such a thing, well, I am an eternal optimist when it comes to the potential for generosity in the human spirit... Thanks to everyone for their help so far...
fireryone Posted March 22, 2007

I was wondering if you could take out the txt file again (lose your desktop), then in Task Manager try initiating explorer.exe (via File / Run / C:\windows\explorer.exe); that usually would bring back the desktop and start menu etc. I noticed this because in the HJT/ComboScan report above, explorer is not running, which is why you have no desktop. Also, what are the contents of the text file?

fireryone
login123 Posted March 22, 2007

FYI: I am running an HP computer, WXP up to date.

1. verclsid.exe is in system32,
2. there is a prefetch file for it,
3. and it is present in C:\WINDOWS\$hf_mig$\KB908531\SP2QFE.
4. Neither wbjrwesa.txt nor wbjrwesa is found on the C: drive anywhere using Windows Explorer.

No information about wbjrwesa found on Google, Dogpile, mama, Ask.com, nor Yahoo Answers. Edit 22 Mar 07: also no information from the Computer Associates virus info database. Am running CCleaner v1.36.430. All applications are running OK. Makes me think the problem isn't verclsid...?? Good hunting, hope this helps.
scotiabahn (Author) Posted March 22, 2007

> I was wondering if you could take out the txt file again (lose your desktop), then in Task Manager try initiating explorer.exe (via File / Run / C:\windows\explorer.exe); that usually would bring back the desktop and start menu etc. I noticed this because in the HJT/ComboScan report above, explorer is not running, which is why you have no desktop. Also, what are the contents of the text file?

I did try that, but explorer won't run, presumably because of the registry key that includes the wbjrwesa.txt reference. I am unable to read the wbjrwesa.txt (access denied!) - I wish I could, I'd love to know what sneaky little code is in there... Thanks for the suggestions.
scotiabahn (Author) Posted March 22, 2007

> FYI: I am running an HP computer, WXP up to date. 1. verclsid.exe is in system32, 2. there is a prefetch file for it, 3. and it is present in C:\WINDOWS\$hf_mig$\KB908531\SP2QFE. 4. Neither wbjrwesa.txt nor wbjrwesa is found on the C: drive anywhere using Windows Explorer. No information about wbjrwesa found on Google, Dogpile, mama, Ask.com, nor Yahoo Answers. Edit 22 Mar 07: also no information from the Computer Associates virus info database. Am running CCleaner v1.36.430. All applications are running OK. Makes me think the problem isn't verclsid...?? Good hunting, hope this helps.

Yes, I agree with you, verclsid almost certainly isn't the problem. I had it completely removed yesterday evening and I still had the problem. Like yourself, I can't find any reference to wbjrwesa.txt anywhere. I suppose the wretched thing could have been generated on my machine by something else... another of those great unknowns at the moment... Thanks for the help.
rridgely (Moderator) Posted March 22, 2007

Hello, thanks for the Combofix log. Here is what I think should be done. Anyone with this problem, start a new topic in the HijackThis log section. Post either a Combofix log or a HijackThis log (if you can get it). Try renaming HijackThis to family.exe. Thanks.
AndyManchesta Posted March 23, 2007 Share Posted March 23, 2007 Hi scotiabahn Hazelnut asked me to check on this thread but Im not sure at the moment if the malware has caused damage to the registry which is causing multiple problems or if it will be possible to clean it up. HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe] "Debugger"="\"c:\\windows\\system32\\wbjrwesa.txt\"" Now that's not nice its lucky in a sense that its not added a debugger value for an an essential file such as winlogon.exe as you then wouldnt of been able to login when you moved the wbjrwesa.txt file, This reg key sets up another program to run as a debugger when the initial file (explorer.exe) is run but Windows doesn't verify that its a legit debugger, it just starts the file in the debugger value and if the file is deleted then the file which has the debugger value will not run either, in this case where the debugger value is a txt file I would of expected it to show error's even if the file exists like explorer isnt a valid win32 application because its trying to load the txt file and if the txt file is removed then explorer.exe will not run and give a message similiar to Windows cannot find explorer.exe so there maybe other parts to this infection which are not showing up to now, the explorer.exe subkey isnt in the Image File Execution Options key by default so its fine to remove it but it does show that the machine has been infected, To remove the value goto Start > Run and copy and paste this reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" /f Press OK and it will remove the key, you will not notice anything but the key will be removed, you can then attempt to move the txt file again and see if explorer loads on reboot, if it doesnt then there is something else protecting the reg entries or recreating it when its removed, it maybe easier to download process explorer from 
here to save having to keep rebooting http://download.sysinternals.com/Files/ProcessExplorer.zip

Run the program and then run the above regfix, move the wbjrwesa.txt to your desktop, then right click explorer.exe in Process Explorer and choose Restart. If it starts OK then the debugger value wasn't recreated, but if you get errors and explorer fails to restart then the debugger value is still present, so you will have to either run the reg fix again by using Task Manager > New Task or put the file back into system32 while we check for other trojans that may be protecting it.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ht*p://morwillsearch.com/?adv_id=amandaxxx&sub_id=

I'm sure you didn't set morwillsearch as your default search page, as they have been associated with many trojans over the years, mostly CWS and clicker variants, but that could have been on your system for a long time so it may be unrelated. It's also in your IE Trusted Zone so that needs fixing.

O16 - DPF: {BED02A0F-05A1-4249-A49E-CD0D41A6A152} - ht*p://xearl.com/abd3bb87/sm/10031/1/xp/FastTeens.cab

This appears to be a pr0n dialer of some form which was probably installed without your consent, but the domain xearl.com is linked to Gromozon infections, which are very difficult to clean due to rootkits being installed. That infection only seems to target Italian IP addresses, but with it being present on your system you will have to run a couple of rootkit scans to make sure it's clear. You can get more info on Gromozon here http://www.prevx.com/gromozon.asp

O20 - Winlogon Notify: disk - C:\WINDOWS\system32\diskperff.dll (file missing)

Another trojan entry. The file looks like it's already been removed at some stage but it's left the registry entry behind. I think it's a variant of VIPSearcher but it may be a Delf trojan http://research.sunbelt-software.com/threa...;threatid=40085

Please post the logs from the steps below into a new topic on the HijackThis forum here, as this looks more like malware damage rather than CCleaner failing.

If you cannot extract HijackThis then download the Trend Micro .exe version from here http://www.trendsecure.com/portal/en-US/th...JackThis_v2.exe

Run HijackThis and choose Do A System Scan, then place a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h*tp://morwillsearch.com/?adv_id=amandaxxx&sub_id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {B35C1E01-EB19-D484-5BA5-B1B1FAF1F1FB} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O15 - Trusted Zone: *.morwillsearch.com
O16 - DPF: {BED02A0F-05A1-4249-A49E-CD0D41A6A152} - ht*p://xearl.com/abd3bb87/sm/10031/1/xp/FastTeens.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - ht*p://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: disk - C:\WINDOWS\system32\diskperff.dll (file missing)

Close all open browser and other windows except for HijackThis and press the Fix Checked button.

Optional Fix

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

This is a lock on your homepage to prevent it being changed; the buttons in Internet Options to change it will be grayed out on the homepage part. If you or a protection program added the homepage lock then it can be ignored, but if not then it can be fixed with HijackThis.

Download the Gromozon remover from Here and run it just to make sure there isn't an infection present.

Download win32delfkil.exe. Save it on your desktop. Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil. Close all windows, open the win32delfkil folder and double click on fix.bat. The computer will reboot automatically. Post the contents of the logfile c:\windelf.txt into your new HijackThis topic.

Download Blacklight beta HERE and save it to your desktop. Run the program, accept statement > click next, then scan. When it's finished scanning exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log', which will save to the same location as the blbeta.exe file.

Finally, if you're able to, please do an online scan with Kaspersky WebScanner. Click on Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes. The program will launch and then begin downloading the latest definition files. Once the files have been downloaded click on NEXT. Now click on Scan Settings. In the scan settings make sure that the following are selected:

- Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
- Scan Options: Scan Archives, Scan Mail Bases
- Click OK
- Now under select a target to scan: Select My Computer
- This program will start and scan your system.
- The scan will take a while so be patient and let it run.
- Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button.
- Save the file to your desktop.
- Copy and paste that information in your next post.

Please then start a new topic in the HijackThis forum and post the windelf.txt, the Blacklight log if it finds hidden files, and the Kaspersky log. Let us know if you have problems.

Regards
Andy
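Andy's entry list above is a manual triage of a HijackThis log: search-page redirects, orphaned BHO and toolbar CLSIDs, Trusted Zone additions, ActiveX (DPF) downloads and Winlogon Notify DLLs that no longer exist on disk. The script below is an added example written for this page, not code from the thread or from HijackThis, that applies the same checks mechanically. The sample lines are the entries quoted in the post, used as constructed test input with the forum's "ht*p" defanging left in place; the two allowlists are assumptions the analyst supplies, and nothing in it touches the registry.

```python
import re
from urllib.parse import urlparse

# HijackThis entries quoted in the post above, used here as constructed sample input
# (the "ht*p" defanging from the forum is kept and undone by host_of()).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ht*p://morwillsearch.com/?adv_id=amandaxxx&sub_id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {B35C1E01-EB19-D484-5BA5-B1B1FAF1F1FB} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.morwillsearch.com
O16 - DPF: {BED02A0F-05A1-4249-A49E-CD0D41A6A152} - ht*p://xearl.com/abd3bb87/sm/10031/1/xp/FastTeens.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - ht*p://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: disk - C:\WINDOWS\system32\diskperff.dll (file missing)
"""

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def host_of(url):
    """Hostname of a URL, accepting the ht*p / h*tp / hxxp defanging used on forums."""
    refanged = re.sub(r"^h[tx*]{1,3}p", "http", url.strip(), flags=re.IGNORECASE)
    return (urlparse(refanged).hostname or "").lower()


def finding(prefix, reason, subject):
    return {"prefix": prefix, "reason": reason, "subject": subject}


def triage_line(line, dpf_allowlist=frozenset(), search_allowlist=frozenset()):
    """Classify one HijackThis line; return a finding dict or None if it looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    prefix, body = m.groups()

    if prefix in ("R0", "R1"):                       # IE start/search page settings
        _, _, value = body.partition("=")
        host = host_of(value)
        if host and host not in search_allowlist:
            return finding(prefix, "search/start page points to an unapproved host", host)
        return None                                  # blank value: nothing to redirect to

    if prefix in ("O2", "O3") and body.endswith("(no file)"):   # BHO / toolbar
        clsid = CLSID_RE.search(body)
        return finding(prefix, "BHO/toolbar CLSID registered with no backing file",
                       clsid.group(0) if clsid else "")

    if prefix == "O6":                               # IE policy restrictions
        return finding(prefix, "IE Control Panel policy present: home page locked; confirm who set it", "")

    if prefix == "O15":                              # Trusted Zone additions
        return finding(prefix, "site added to IE Trusted Zone", body.split(":", 1)[1].strip())

    if prefix == "O16":                              # ActiveX downloads (DPF)
        host = host_of(body.rsplit(" - ", 1)[1])
        if host not in dpf_allowlist:
            return finding(prefix, "ActiveX control downloaded from a host not on the allowlist", host)
        return None

    if prefix == "O20" and "(file missing)" in body:  # Winlogon Notify DLLs
        path = body.split(" - ", 1)[1].split(" (")[0]
        return finding(prefix, "Winlogon Notify entry whose DLL is gone (orphaned registry value)", path)

    return None


def triage(log_text, **allowlists):
    """Run triage_line over a whole log and keep only the lines that produced findings."""
    results = []
    for line in log_text.splitlines():
        f = triage_line(line, **allowlists)
        if f:
            results.append(f)
    return results


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, dpf_allowlist=frozenset({"zone.msn.com"})):
        print(f"{f['prefix']:<4} {f['subject']:<40} {f['reason']}")
```

With an empty DPF allowlist both O16 lines are reported, which matches Andy's list; passing `dpf_allowlist=frozenset({"zone.msn.com"})` shows how an analyst would suppress a control they have already vetted while the xearl.com one stays flagged.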
scotiabahn (Author) Posted March 23, 2007

Andy, many thanks for all that and I'll work my way through this ASAP, although I'm afraid work will get in the way for most of the day... My one query at this point is whether this should go on the HijackThis forum rather than CCleaner. I'm not sure I see the advantage in that; the history is here. I admit my description 'CCleaner failing' isn't very descriptive, but that's all I knew at the time. This malware is certainly targeting specific applications, particularly CCleaner, as well as HijackThis and ComboScan at least, but ignoring others (don't like to write their names in case 'they' improve their malware... not that I'm getting paranoid or anything...)

Thanks again, I'll get started on this later today...
scotiabahn (Author) Posted March 23, 2007

Quote: ...Try renaming hijackthis to family.exe. Thanks.

Thanks for the suggestion, but is there anything special about renaming HijackThis to family.exe? Way back in the discussion, you will see, there were a few attempts with renamed files that still got bounced. I can only assume that this malware can see some internal naming or descriptor.

Thanks again.
fireryone Posted March 23, 2007

Quote (rridgely @ Mar 22 2007, 10:54 PM): ...Try renaming hijackthis to family.exe. Thanks.

Quote: Thanks for the suggestion, but is there anything special about renaming HijackThis to family.exe? Way back in the discussion, you will see, there were a few attempts with renamed files that still got bounced. I can only assume that this malware can see some internal naming or descriptor. Thanks again.

No, it's the same as renaming it earlier. I don't believe there is any significance to family.exe (correct me if I'm wrong).

--

If Andy's suggestion doesn't work (for some reason), you may be able to remove some stuff with a live boot CD (a la BartPE) or a Linux live CD (if you understand a Linux environment). You could use a BartPE boot disk to check the contents of that file and remove infections. There are many programs (called plugins) you can include on the disk along with the bootable Windows-like environment.

Links:
BartPE Home Page
Download BartPE
Download Plugins

NOTE: If this seems too over your head, feel free to wait for other suggestions.

fireryone
scotiabahn (Author) Posted March 23, 2007

Quote: Thanks for the suggestion, but is there anything special about renaming HijackThis to family.exe? Way back in the discussion, you will see, there were a few attempts with renamed files that still got bounced. I can only assume that this malware can see some internal naming or descriptor. Thanks again.

Quote: No, it's the same as renaming it earlier. I don't believe there is any significance to family.exe (correct me if I'm wrong). -- If Andy's suggestion doesn't work (for some reason), you may be able to remove some stuff with a live boot CD (a la BartPE) or a Linux live CD (if you understand a Linux environment). You could use a BartPE boot disk to check the contents of that file and remove infections. There are many programs (called plugins) you can include on the disk along with the bootable Windows-like environment. Links: BartPE Home Page, Download BartPE, Download Plugins. NOTE: If this seems too over your head, feel free to wait for other suggestions.

Over my head - could be... this definitely isn't an area where I have a great deal of expertise, but I'll have a crack at this after I've had a go at Andy's suggestions... should keep me out of mischief for a while.
MikeW Posted March 23, 2007

Quote: Andy, many thanks for all that and I'll work my way through this ASAP, although I'm afraid work will get in the way for most of the day... My one query at this point is whether this should go on the HijackThis forum rather than CCleaner. I'm not sure I see the advantage in that; the history is here. I admit my description 'CCleaner failing' isn't very descriptive, but that's all I knew at the time. This malware is certainly targeting specific applications, particularly CCleaner, as well as HijackThis and ComboScan at least, but ignoring others (don't like to write their names in case 'they' improve their malware... not that I'm getting paranoid or anything...) Thanks again, I'll get started on this later today...

The reason Andy asked you to put all further logs into the HijackThis forum is because you will only get help from the 'appointed Malware experts' rather than lots of diverse ideas from other well-meaning members or visitors. Please follow Andy's advice; he is among the best of the Malware fighters.

Mike

Win 7 Home Premium 64 bit - IE11 - Nod32 - Mbam pro
hazelnut (Moderator) Posted March 23, 2007

Can I just clear up something, Scot: Andy is asking you to post the log on our forum here on CCleaner, in the HijackThis section here under "new topic" http://forum.piriform.com/index.php?showforum=12

Support contact https://support.ccleaner.com/s/contact-form?language=en_US&form=general or support@ccleaner.com
scotiabahn (Author) Posted March 23, 2007

Quote: The reason Andy asked you to put all further logs into the HijackThis forum is because you will only get help from the 'appointed Malware experts' rather than lots of diverse ideas from other well-meaning members or visitors. Please follow Andy's advice; he is among the best of the Malware fighters. Mike

That makes sense... now that's an impressive title - 'appointed malware expert'... coo, wish I had that on my CV. Actually, no I don't, this stuff makes my head hurt.
scotiabahn (Author) Posted March 23, 2007

Quote: Can I just clear up something, Scot: Andy is asking you to post the log on our forum here on CCleaner, in the HijackThis section here under "new topic" http://forum.piriform.com/index.php?showforum=12

Okey-dokey, will do, when I get a chance later today hopefully...
MikeW Posted March 23, 2007

Quote: That makes sense... now that's an impressive title - 'appointed malware expert'... coo, wish I had that on my CV. Actually, no I don't, this stuff makes my head hurt.

Me too. Good luck with the quest.

Win 7 Home Premium 64 bit - IE11 - Nod32 - Mbam pro
scotiabahn (Author) Posted March 23, 2007

Quote: ... To remove the value go to Start > Run and copy and paste this

reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" /f

Press OK and it will remove the key. You will not notice anything but the key will be removed; you can then attempt to move the txt file again and see if explorer loads on reboot. If it doesn't then there is something else protecting the reg entries or recreating it when it's removed. It may be easier to download Process Explorer from here to save having to keep rebooting http://download.sysinternals.com/Files/ProcessExplorer.zip Run the program and then run the above regfix, move the wbjrwesa.txt to your desktop, then right click explorer.exe in Process Explorer and choose Restart. If it starts OK then the debugger value wasn't recreated, but if you get errors and explorer fails to restart then the debugger value is still present, so you will have to either run the reg fix again by using Task Manager > New Task or put the file back into system32 while we check for other trojans that may be protecting it. ... Let us know if you have problems. Regards Andy

Andy, I've made a start on this but not produced any logs yet to put on the other forum section. I just wanted to report back on this bit.

The reg delete worked and I moved the file to my desktop and rebooted; hey presto, no desktop as before. I used Taskmgr 'Run' to get command working and to shift the txt file back to system32, and I got my desktop back after another reboot. The interesting thing is that the registry is still clean; the debugger value hasn't been reinstated... Not sure what that means. Will go play with the rest of the utilities (which will probably mean moving the stupid file again because it doesn't like HijackThis at least...)

Hopefully, next entry will be in the HijackThis section...

Thanks
Steve
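The step Steve is working through relies on the Image File Execution Options (IFEO) key: when a subkey named after an executable carries a Debugger value, Windows starts the program named in that value, with the original command line appended, instead of the image itself. That is why a Debugger value on explorer.exe that points at a file in system32 leaves the user with no desktop once that file is moved, exactly as the thread reports, and why the reg delete above is the fix. The script below is an added example written for this page, not code from the thread or from any tool it mentions: it audits an offline `reg export` of the IFEO key, which is a cheap check to run from a recovery environment. The .reg text is constructed to resemble what the thread describes (the explorer.exe entry) plus two invented entries for contrast; the set of "critical" images is my own choice; and the removal command it prints is the one from Andy's post, parameterised by image name.

```python
import re
from pathlib import PureWindowsPath

IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed .reg text in the shape that
#   reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg
# produces once decoded from UTF-16 (assumption). The explorer.exe entry is modelled on what the
# thread describes; the notepad.exe and devenv.exe entries are invented for contrast.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\system32\\wbjrwesa.txt"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\windbg.exe\" -g"
'''

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')

# Images whose hijack breaks the session or the user's ability to repair it (my own list, not from the thread).
CRITICAL_IMAGES = {"explorer.exe", "winlogon.exe", "userinit.exe", "taskmgr.exe", "regedit.exe", "cmd.exe"}


def reg_unescape(s):
    """Undo .reg string escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_ifeo(reg_text):
    """Map image name -> Debugger command line for every IFEO subkey that sets Debugger."""
    debuggers = {}
    image = None
    prefix = IFEO_KEY.lower() + "\\"
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            image = key[len(prefix):].lower() if key.lower().startswith(prefix) else None
            if image and "\\" in image:      # deeper subkey such as <image>\PerfOptions: not an image entry
                image = None
            continue
        m = VALUE_RE.match(line)
        if image and m and m.group(1).lower() == "debugger":
            debuggers[image] = reg_unescape(m.group(2))
    return debuggers


def debugger_program(cmdline):
    """First token of the Debugger command line, honouring a quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.find('"', 1)]
    return cmdline.split(None, 1)[0] if cmdline else ""


def assess(debuggers):
    """Rate each Debugger entry; anything on a core image or not pointing at an .exe is high."""
    findings = []
    for image, cmd in debuggers.items():
        prog = debugger_program(cmd)
        reasons = []
        if PureWindowsPath(prog).suffix.lower() != ".exe":
            reasons.append("debugger target is not an .exe")
        if image in CRITICAL_IMAGES:
            reasons.append("debugger set on a core Windows image")
        findings.append({
            "image": image,
            "debugger": prog,
            "reasons": reasons or ["review: Debugger redirects this image"],
            "severity": "high" if reasons else "info",
            # Same removal command the thread used, parameterised by image name.
            "remove_with": f'reg delete "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\{image}" /f',
        })
    return findings


if __name__ == "__main__":
    for f in assess(parse_ifeo(SAMPLE_REG)):
        print(f"[{f['severity']}] {f['image']} -> {f['debugger']}: {'; '.join(f['reasons'])}")
        if f["severity"] == "high":
            print("   ", f["remove_with"])
```

A legitimate Debugger entry (a developer's windbg.exe on devenv.exe) comes out as "info" for review, while a Debugger on explorer.exe pointing at a .txt in system32 is rated high. Steve's observation that the value stayed gone after deletion but the desktop still failed without the file is consistent with the value being the only redirect and the file being what that redirect launches; re-exporting the key after each reboot and diffing the parsed result is how to confirm nothing recreates it.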