Jump to content
CCleaner Community Forums
scotiabahn

CCleaner failing

Recommended Posts

thanks, hadn't thought of that... a simple rename (dropping the H) didn't work, will now try something more sneaky, rearrange more letters, maybe change the icon... can't think of much else I can do to disguise an exe file, and besides, anything that's this smart will probably be able to see some internal identifier...

 

back in a bit...

 

thanks again...

 

I've read on some italian forum other people that is unable to run both CCleaner and HijackThis too..

:unsure:

 

If you like, try to download a renamed copy of HJT from my web space:

 

File name pippo.zip (contains HJT renamed as pippo.exe)

 

Disco Remoto

Share this post


Link to post
Share on other sites
Hi,

Run this instead. (it will generate a hijackthis log as well)

 

Download ComboScan to your Desktop

  • Close all applications and windows.

  • Double-click on comboscan.exe to run it, and follow the prompts.

  • The scan may take a minute. When the scan is complete, a text file will open - ComboScan.txt

  • A folder Comboscan will also open which contains the Comboscan.txt and a Supplementary.txt.

  • Copy and paste the contents of ComboScan.txt in your next reply.

  • Extra Note: When running Comboscan, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags Comboscan as suspicious. Please allow the Comboscan to run and don't let your Antivirus delete it. (In this case, it may be better to temporary disable your Antivirus)

 

 

 

Unfortunately this has gone the same way as HijackThis... It did start running and completed the restore point, but stopped around 12% progress (as far as I could tell). Both .txt files were created but are empty...

Share this post


Link to post
Share on other sites
I've read on some italian forum other people that is unable to run both CCleaner and HijackThis too..

:unsure:

 

If you like, try to download a renamed copy of HJT from my web space:

 

File name pippo.zip (contains HJT renamed as pippo.exe)

 

Disco Remoto

 

 

Many thanks for the help, but that hasn't worked either.... it still recognises it as a threat and shuts it down...

Share this post


Link to post
Share on other sites

I've been playing...

 

I tried simply moving the wbjrwesa.txt file out of the windows/system32 folder to the desktop and then deleted the prefetch version (Ordinary delete, not CCleaner Securedelete - didn't work)

 

Then I tried running CCleaner again and it worked, analyzing and removing the accumulated crud of the last few days... So that's good...

 

However, at the moment, my desktop seems to have got a bit confused and all the icons and task bars have vanished so it might be time for a reboot. I'll let you know how I get on...

Share this post


Link to post
Share on other sites

OH bother... now my desktop has gone missing... I'm really going from bad to worse on this...

 

since I last wrote, reboot hasn't resolved it...

 

nor has moving wbjrwesa.txt to the old e drive helped, the desktop is still blank... the only way I can run anything is via task mgr (ctrl+alt+del) and then use File/Run....

 

the only good news is that I can see the internet on the desktop mc again and can run Comboscan. As requested earlier I will put the details from Comboscan.txt in here, but I will have to do that again - explorer isn't running and I can't find the output - aargh! :angry:

Share this post


Link to post
Share on other sites
OH bother... now my desktop has gone missing... I'm really going from bad to worse on this...

 

since I last wrote, reboot hasn't resolved it...

 

nor has moving wbjrwesa.txt to the old e drive helped, the desktop is still blank... the only way I can run anything is via task mgr (ctrl+alt+del) and then use File/Run....

 

the only good news is that I can see the internet on the desktop mc again and can run Comboscan. As requested earlier I will put the details from Comboscan.txt in here, but I will have to do that again - explorer isn't running and I can't find the output - aargh! :angry:

 

ComboScan v20070306.20 run by family on 2007-03-21 at 21:49:25

Computer is in Normal Mode.

--------------------------------------------------------------------------------

 

 

 

-- HijackThis (run as family.exe) ----------------------------------------------

 

Logfile of HijackThis v1.99.1

Scan saved at 21:49:33, on 21/03/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16414)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Documents and Settings\family\Desktop\comboscan.exe

C:\PROGRA~1\HIJACK~1\family.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://morwillsearch.com/?adv_id=amandaxxx&sub_id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {B35C1E01-EB19-D484-5BA5-B1B1FAF1F1FB} - (no file)

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"

O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"

O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd

O4 - HKLM\..\Run: [intense Registry Service] IntEdReg.exe /CHECK

O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: RtlWake.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O11 - Options group: [iNTERNATIONAL] International*

O15 - Trusted Zone: www.amazon.co.uk

O15 - Trusted Zone: *.morwillsearch.com

O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/...tgameloader.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab

O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab

O16 - DPF: {BED02A0F-05A1-4249-A49E-CD0D41A6A152} - http://xearl.com/abd3bb87/sm/10031/1/xp/FastTeens.cab

O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/...tivePreQual.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab

O20 - Winlogon Notify: disk - C:\WINDOWS\system32\diskperff.dll (file missing)

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe

 

 

-- Files created between 2007-02-21 and 2007-03-21 -----------------------------

 

2007-03-21 19:57:54 0 d-------- C:\Documents and Settings\family\Application Data\AVG7

2007-03-21 19:57:46 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7

2007-03-21 19:57:43 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys

2007-03-21 19:57:43 19392 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys

2007-03-21 19:57:43 3968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys

2007-03-21 19:57:42 27776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys

2007-03-21 19:57:38 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys

2007-03-21 19:57:33 775680 --a------ C:\WINDOWS\system32\drivers\avg7core.sys

2007-03-21 19:57:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2007-03-21 19:57:29 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7

2007-03-20 15:27:38 5936 --a------ C:\Documents and Settings\family\mqdmwhnt.sys

2007-03-20 15:27:38 79328 --a------ C:\Documents and Settings\family\mqdmserd.sys

2007-03-20 15:27:38 92064 --a------ C:\Documents and Settings\family\mqdmmdm.sys

2007-03-20 15:27:38 9232 --a------ C:\Documents and Settings\family\mqdmmdfl.sys

2007-03-20 15:27:38 4048 --a------ C:\Documents and Settings\family\mqdmcr.sys

2007-03-20 15:27:38 6208 --a------ C:\Documents and Settings\family\mqdmcmnt.sys

2007-03-20 15:27:38 66656 --a------ C:\Documents and Settings\family\mqdmbus.sys

2007-03-20 09:45:07 0 d-------- C:\Program Files\vtplus

2007-03-20 08:54:01 118784 --a------ C:\WINDOWS\system32\o100vc.dll

2007-03-20 08:54:01 40960 --a------ C:\WINDOWS\system32\o100ext.dll

2007-03-20 08:54:01 36864 --a------ C:\WINDOWS\system32\hcwutl32.dll

2007-03-20 08:54:01 96768 --a------ C:\WINDOWS\system32\hcwTVWnd.dll

2007-03-20 08:54:01 89600 --a------ C:\WINDOWS\system32\hcwTVDlg.dll

2007-03-20 08:54:01 48128 --a------ C:\WINDOWS\system32\hcwtuner.dll

2007-03-20 08:54:01 393216 --a------ C:\WINDOWS\system32\HCWsnbd9.dll

2007-03-20 08:54:01 36864 --a------ C:\WINDOWS\system32\hcwps32.dll

2007-03-20 08:54:01 155648 --a------ C:\WINDOWS\system32\hcwpnp32.dll

2007-03-20 08:54:01 45056 --a------ C:\WINDOWS\system32\hcwi2c32.dll

2007-03-20 08:54:01 32768 --a------ C:\WINDOWS\system32\hcwHook.dll

2007-03-20 08:54:01 184832 --a------ C:\WINDOWS\system32\hcwChan.dll

2007-03-20 08:54:01 135168 --a------ C:\WINDOWS\system32\hcwAV.dll

2007-03-20 08:54:01 113664 --a------ C:\WINDOWS\system32\hcwAud32.dll

2007-03-20 08:54:01 140440 --a------ C:\WINDOWS\system32\drivers\hcw848nt.sys

2007-03-20 08:54:00 28672 --a------ C:\WINDOWS\system32\BTGPIO32.dll

2007-03-20 08:54:00 28672 --a------ C:\WINDOWS\system32\BT848Wst.dll

2007-03-20 08:54:00 16384 --a------ C:\WINDOWS\system32\Bt848_32.dll

2007-03-15 14:12:05 21504 --a------ C:\WINDOWS\system32\drivers\hidserv.dll

2007-03-15 13:50:56 0 d-------- C:\Program Files\Motive

2007-03-15 13:50:56 0 d-------- C:\Program Files\BT Broadband Desktop Help<BTBROA~1>

2007-02-26 18:42:38 0 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA

2007-02-26 18:37:19 208896 --a------ C:\WINDOWS\system32\NVUNINST.EXE

 

 

-- Find3M Report ---------------------------------------------------------------

 

2007-03-21 20:42:45 0 d-------- C:\Program Files\ZipCentral<ZIPCEN~1>

2007-03-21 19:57:29 0 d-------- C:\Program Files\Grisoft

2007-03-21 19:56:42 0 d---s---- C:\Documents and Settings\family\Application Data\Microsoft<MICROS~1>

2007-03-20 15:28:23 0 d-------- C:\Program Files\Motorola Phone Tools<MOTORO~1>

2007-03-20 15:25:41 0 d-------- C:\Program Files\Avanquest update<AVANQU~1>

2007-03-20 09:44:57 0 d-------- C:\Program Files\WinTV

2007-03-18 12:53:29 0 d-------- C:\Program Files\Microsoft Money<MICROS~4>

2007-03-17 18:12:35 16 --a------ C:\WINDOWS\popcinfo.dat

2007-03-15 21:21:19 0 d-------- C:\Program Files\Outlook Express Quick Backup<OUTLOO~2>

2007-03-15 21:21:05 249856 -----n--- C:\WINDOWS\Setup1.exe

2007-03-15 21:21:03 73216 --a------ C:\WINDOWS\ST6UNST.EXE

2007-03-15 13:57:49 0 d-------- C:\Documents and Settings\family\Application Data\Motive

2007-03-15 13:52:14 0 d-------- C:\Program Files\Common Files\Motive

2007-02-18 19:21:36 0 d-------- C:\Program Files\Yahoo!

2007-01-29 10:37:18 0 d-------- C:\Program Files\BT Home Hub<BTHOME~1>

2007-01-29 08:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe

2007-01-25 07:55:27 29232 --a------ C:\WINDOWS\hpoins03.dat

2007-01-22 21:43:35 0 d-------- C:\Program Files\btbb_wcm

2007-01-21 12:05:59 0 d-------- C:\Program Files\OpenTTD

2007-01-12 09:27:42 232960 --a------ C:\WINDOWS\system32\webcheck.dll

2007-01-12 09:27:42 51712 -----n--- C:\WINDOWS\system32\msfeedsbs.dll<MSFEED~1.DLL>

2007-01-12 09:27:42 458752 -----n--- C:\WINDOWS\system32\msfeeds.dll

2007-01-12 09:27:42 6054400 --a------ C:\WINDOWS\system32\ieframe.dll

2007-01-08 19:04:54 105984 --a------ C:\WINDOWS\system32\url.dll

2007-01-08 19:04:08 102400 --a------ C:\WINDOWS\system32\occache.dll

2007-01-08 19:02:04 266752 --a------ C:\WINDOWS\system32\iertutil.dll

2007-01-08 19:02:04 44544 --a------ C:\WINDOWS\system32\iernonce.dll

2007-01-08 19:02:02 384000 --a------ C:\WINDOWS\system32\iedkcs32.dll

2007-01-08 19:02:02 383488 --a------ C:\WINDOWS\system32\ieapfltr.dll

2007-01-08 19:02:02 161792 --a------ C:\WINDOWS\system32\ieakui.dll

2007-01-08 19:02:02 230400 --a------ C:\WINDOWS\system32\ieaksie.dll

2007-01-08 19:02:02 153088 --a------ C:\WINDOWS\system32\ieakeng.dll

2007-01-08 19:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll

2007-01-08 19:00:48 124928 --a------ C:\WINDOWS\system32\advpack.dll

2007-01-08 18:08:14 56832 --a------ C:\WINDOWS\system32\ie4uinit.exe

2007-01-08 18:08:10 13824 --a------ C:\WINDOWS\system32\ieudinit.exe

 

 

-- Registry Dump ---------------------------------------------------------------

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""

"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""

"nwiz"="nwiz.exe /install"

"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"

"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""

"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"

"Intense Registry Service"="IntEdReg.exe /CHECK"

"btbb_wcm_McciTrayApp"="C:\\Program Files\\btbb_wcm\\McciTrayApp.exe"

"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"

"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]

"NoChange"="1"

"Installed"="1"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]

"Installed"="1"

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]

"RunNarrator"="Narrator.exe"

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]

"RunNarrator"="Narrator.exe"

 

 

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

 

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]

"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoActiveDesktop"=dword:00000000

"ForceActiveDesktopOn"=dword:00000000

 

Windows Registry Editor Version 5.00

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]

"Debugger"="\"c:\\windows\\system32\\wbjrwesa.txt\""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\disk

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

 

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]

LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\

NetworkService REG_MULTI_SZ DnsCache\

rpcss REG_MULTI_SZ RpcSs\

imgsvc REG_MULTI_SZ StiSvc\

termsvcs REG_MULTI_SZ TermService\

HTTPFilter REG_MULTI_SZ HTTPFilter\

DcomLaunch REG_MULTI_SZ DcomLaunchTermService\

 

 

 

-- End of ComboScan: finished at 2007-03-21 at 21:52:13 ------------------------

Share this post


Link to post
Share on other sites

This bit looks key to me:-

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]

"Debugger"="\"c:\\windows\\system32\\wbjrwesa.txt\""

 

 

I've tried REGEDIT to get rid of the debugger value but it won't let me...

 

just occurs to me that CCleaner might be able to now it's running... I'll go have a look...

Share this post


Link to post
Share on other sites
This bit looks key to me:-

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]

"Debugger"="\"c:\\windows\\system32\\wbjrwesa.txt\""

I've tried REGEDIT to get rid of the debugger value but it won't let me...

 

just occurs to me that CCleaner might be able to now it's running... I'll go have a look...

 

 

nope it didn't find it...

 

Help! any suggestions? At least I had the desktop before?

Share this post


Link to post
Share on other sites

I have got my desktop back, but only by putting wbjrwesa.txt back into c:\windows\system32, which means I lose CCleaner, HijackThis and the rest as viable applications, but at least I can do most things again...

 

I'm also going to put back KB908531 and verclsid.exe because that doesn't seem to be the problem, it's just this stupid txt file, which I can't delete or erase, nor remove from my registry, which I suspect is the key part of this.

 

An interesting 24 hours or so, back to the same situation as before, but at least there is a better suspect for the problem... Now, anyone got any ideas on how to kill it?

 

A few things occurred to me overnight on a more general level:-

 

1. How did I get this on my machine? Best guess is via an infected website - had a nasty pop-up explosion of windows maybe a week back, and probably hadn't run CCleaner since then...

 

2. Why are is someone targeting CCleaner and it's chums? It doesn't affect my anti-spyware, anti-ad, or anti-virus software...

 

3. I have to say that I am impressed by this nasty little thing, it's pretty hard to detect, hard to kill and fiendishly selective. It also occurred to me that whoever wrote it might be monitoring this forum, highly amused by their handiwork. Well, if he/she is, bravo, it's very good, but you could be kind and put me out of my misery and tell me how to fix it... If anyone wonders why I should ask such a thing, well, I am an eternal optimist when it comes to the potential for generosity in the human spirit...

 

Thanks to everyone for their help so far...

Share this post


Link to post
Share on other sites

I was wondering if you could take out the txt file again (loose your desktop), then in taskmanager try initiating explorer.exe (via File / Run / C:\windows\explorer.exe ), that usually would bring back the desktop and start menu etc.

 

I noticed this because in the HJT/Comboscan report above, explorer is not running, which is why you have no desktop.

 

Also what are the contents of the text file?

Share this post


Link to post
Share on other sites

FYI: I am running an HP computer, wxp up to date.

1. verclsid.exe is in system 32,

2. there is a prefetch file for it,

3. and it is present in C:\WINDOWS\$hf_mig$\KB908531\SP2QFE.

4. Neither wbjrwesa.txt nor wbjrwesa is found on C: drive anywhere using windows explorer

 

No information about wbjrwesa found on google, dogpile, mama, ask.com, nor yahoo answers.

 

edit 22 mar 07: Also no information from computer associates virus info database.

 

Am running CCleaner V. 1.36.430. All applications are running OK. Makes me think the problem isn't verclsid. . .??

 

Good hunting, hope this helps. :)

Share this post


Link to post
Share on other sites
I was wondering if you could take out the txt file again (loose your desktop), then in taskmanager try initiating explorer.exe (via File / Run / C:\windows\explorer.exe ), that usually would bring back the desktop and start menu etc.

 

I noticed this because in the HJT/Comboscan report above, explorer is not running, which is why you have no desktop.

 

Also what are the contents of the text file?

 

 

I did try that, but explorer won't run, presumably because of the registry key that includes the wbjrwesa.txt reference

 

I am unable to read the wbjrwesa.txt (access denied!) - I wish I could, I'd love to know what sneaky little code is in there...

 

Thanks for the suggestions.

Share this post


Link to post
Share on other sites
FYI: I am running an HP computer, wxp up to date.

1. verclsid.exe is in system 32,

2. there is a prefetch file for it,

3. and it is present in C:\WINDOWS\$hf_mig$\KB908531\SP2QFE.

4. Neither wbjrwesa.txt nor wbjrwesa is found on C: drive anywhere using windows explorer

 

No information about wbjrwesa found on google, dogpile, mama, ask.com, nor yahoo answers.

 

edit 22 mar 07: Also no information from computer associates virus info database.

 

Am running CCleaner V. 1.36.430. All applications are running OK. Makes me think the problem isn't verclsid. . .??

 

Good hunting, hope this helps. :)

 

 

yes , I agree with you, verclsid almost certainly isn't the problem. I had it completely removed yesterday evening and I still had the problem. Like yourself, I can't find any reference to wbjrwesa.txt anywhere. I suppose the wretched thing could have been generated on my machine by something else... another of those great unknowns at the moment...

 

Thanks for the help.

Share this post


Link to post
Share on other sites

Hello, thanks for the combofix log.

Here is what I think should be done.

 

Anyone with this problem, start a new topic in the hijackthis log section. Post either a combofix log or a hijackthis log(if you can get it).

Try renaming hijackthis to family.exe.

 

Thanks.

Share this post


Link to post
Share on other sites

Hi scotiabahn

 

Hazelnut asked me to check on this thread but Im not sure at the moment if the malware has caused damage to the registry which is causing multiple problems or if it will be possible to clean it up.

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]

"Debugger"="\"c:\\windows\\system32\\wbjrwesa.txt\""

 

Now that's not nice :blink: its lucky in a sense that its not added a debugger value for an an essential file such as winlogon.exe as you then wouldnt of been able to login when you moved the wbjrwesa.txt file, This reg key sets up another program to run as a debugger when the initial file (explorer.exe) is run but Windows doesn't verify that its a legit debugger, it just starts the file in the debugger value and if the file is deleted then the file which has the debugger value will not run either, in this case where the debugger value is a txt file I would of expected it to show error's even if the file exists like explorer isnt a valid win32 application because its trying to load the txt file and if the txt file is removed then explorer.exe will not run and give a message similiar to Windows cannot find explorer.exe so there maybe other parts to this infection which are not showing up to now, the explorer.exe subkey isnt in the Image File Execution Options key by default so its fine to remove it but it does show that the machine has been infected,

 

To remove the value goto Start > Run and copy and paste this

 

reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" /f

 

Press OK and it will remove the key, you will not notice anything but the key will be removed, you can then attempt to move the txt file again and see if explorer loads on reboot, if it doesnt then there is something else protecting the reg entries or recreating it when its removed, it maybe easier to download process explorer from here to save having to keep rebooting

 

http://download.sysinternals.com/Files/ProcessExplorer.zip

 

Run the program and then run the above regfix, move the wbjrwesa.txt to your desktop then right click explorer.exe in process explorer and choose restart, if it starts ok then the debugger value wasnt recreated but if you get error's and explorer fails to restart then the debugger value is still present so you will have to either run the reg fix again by using task manager > new task or put the file back into system32 while we check for other trojans that maybe protecting it,

 

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ht*p://morwillsearch.com/?adv_id=amandaxxx&sub_id=

 

Im sure you didnt set morwillsearch as your default search page as they have been associated with many trojans over the years mostly CWS and clicker variants but that could of been on your system for a long time so it maybe unrelated, its also in your IE trusted zone so that needs fixing,

 

 

O16 - DPF: {BED02A0F-05A1-4249-A49E-CD0D41A6A152} - ht*p://xearl.com/abd3bb87/sm/10031/1/xp/FastTeens.cab

 

This appears to be a pr0n dialer of some form which was probably installed without your consent but the domain xearl.com is linked to gromozon infections which are very difficult to clean due to rootkits being installed, that infection only seems to target Italian IP addresses but with it being present on your system you will have to run a couple of rootkit scans to make sure its clear, you can get more info on gromozon here

 

http://www.prevx.com/gromozon.asp

 

 

O20 - Winlogon Notify: disk - C:\WINDOWS\system32\diskperff.dll (file missing)

 

Another trojan entry, the file looks like its already been removed at some stage but its left the registry entry behind, I think its a variant of VIPSearcher but it maybe a Delf trojan

 

http://research.sunbelt-software.com/threa...;threatid=40085

 

 

Please post the logs from these below steps into a new topic on the HijackThis forum Here as this looks more like malware damage rather than CCleaner failing, If you cannot extract HijackThis then download the Trend Micro .exe version from here

 

http://www.trendsecure.com/portal/en-US/th...JackThis_v2.exe

 

Run Hijack This and choose Do A System Scan then place a check next to these entries

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h*tp://morwillsearch.com/?adv_id=amandaxxx&sub_id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: (no name) - {B35C1E01-EB19-D484-5BA5-B1B1FAF1F1FB} - (no file)

O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)

O15 - Trusted Zone: *.morwillsearch.com

O16 - DPF: {BED02A0F-05A1-4249-A49E-CD0D41A6A152} - ht*p://xearl.com/abd3bb87/sm/10031/1/xp/FastTeens.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - ht*p://zone.msn.com/bingame/popcaploader_v10.cab

O20 - Winlogon Notify: disk - C:\WINDOWS\system32\diskperff.dll (file missing)

Close all open browser and other windows except for Hijack This and press the Fix Checked button

 

Optional Fix

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

This is a lock on your homepage to prevent it being changed, the buttons in Internet Options to change it will be grayed out on the homepage part, if you or a protection program added the homepage lock then it can be ignored but if not then it can be fixed with HijackThis

 

Download the Gromozon remover from Here and run it just to make sure there isnt a infection present,

 

Download win32delfkil.exe.

Save it on your desktop.

Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.

Close all windows, open the win32delfkil folder and double click on fix.bat.

The computer will reboot automatically.

Post the contents of the logfile c:\windelf.txt into your new HijackThis topic :)

 

Download Blacklight beta HERE and save it to your desktop.

Run the program, accept statement > click next then scan

When its finished scanning exit the program and post back the log if it detects hidden files, The log is called 'fsbl-<date/time>.log' which will save to the same location as the blbeta.exe file.

 

Finally if your able to please do an online scan with Kaspersky WebScanner.

 

Click on Kaspersky Online Scanner

 

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT

  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:

     

    • Extended (if available otherwise Standard)

     

    • Scan Options:

     

    • Scan Archives
      Scan Mail Bases

     

    [*]Click OK

    [*]Now under select a target to scan:

    • Select My Computer

     

    [*]This program will start and scan your system.

    [*]The scan will take a while so be patient and let it run.

    [*]Once the scan is complete it will display if your system has been infected.

    • Now click on the Save as Text button:

     

    [*]Save the file to your desktop.

    [*]Copy and paste that information in your next post.

     

Please then start a new topic in the HijackThis forum, post the windelf.txt, blacklight log if it finds hidden files and the Kaspersky log,

 

Let us know if you have problems

 

Regards

 

Andy

Share this post


Link to post
Share on other sites

Andy,

 

many thanks for all that and I'll work my way through this asap, although I'm afraid work will get in the way for most of the day... My one query at this point is whether this should go on the HijackThis forum rather than CCleaner, I'm not sure I see the advantage in that, the history is here. I admit my description 'CCleaner failing' isn't very descriptive, but that's all I knew at the time. This malware is certainly targeting specific applications, particularly CCleaner, as well as HijackThis and Comboscan at least, but ignoring others (don't like to write their names in case 'they' improve their malware... not that I'm getting paranoid or anything...)

 

Thanks again, I'll get started on this later today...

Share this post


Link to post
Share on other sites
...Try renaming hijackthis to family.exe.

 

Thanks.

 

Thanks for the suggestion, but is there anything special about renaming hijackthis to family.exe? Way back in the discussion, you will see, there were a few attempts with renamed files that still got bounced - I can only assume that this malware can see some internal naming or descriptor.

 

Thanks again.

Share this post


Link to post
Share on other sites
QUOTE(rridgely @ Mar 22 2007, 10:54 PM) post_snapback.gif...Try renaming hijackthis to family.exe.

 

 

Thanks.

 

Thanks for the suggestion, but is there anything special about renaming hijackthis to family.exe? Way back in the discussion, you will see, there were a few attempts with renamed files that still got bounced - I can only assume that this malware can see some internal naming or descriptor.

 

Thanks again.

 

 

No, its the same as renaming it earlier, I don't believe there is any significance to family.exe (correct me if I'm wrong :lol: ).

 

--

 

If andy's suggestion dosn't work (for some reason),

 

You may be able to remove some stuff with a live boot cd ( ala BartPE) or a linux live CD (if you underestand a linux environment) .

 

You could use a BartPE boot disk to check the contents of that file and remove infections.

There are many programs (called plugins) you can include on the disk along with the bootable windows like environment.

 

links:

BartPE Home Page

Download Part PE

Download Plugins

 

 

NOTE:

If this seems too over your head feel free to wait for other suggestions.

Share this post


Link to post
Share on other sites
Thanks for the suggestion, but is there anything special about renaming hijackthis to family.exe? Way back in the discussion, you will see, there were a few attempts with renamed files that still got bounced - I can only assume that this malware can see some internal naming or descriptor.

 

Thanks again.

No, its the same as renaming it earlier, I don't believe there is any significance to family.exe (correct me if I'm wrong :lol: ).

 

--

 

If andy's suggestion dosn't work (for some reason),

 

You may be able to remove some stuff with a live boot cd ( ala BartPE) or a linux live CD (if you underestand a linux environment) .

 

You could use a BartPE boot disk to check the contents of that file and remove infections.

There are many programs (called plugins) you can include on the disk along with the bootable windows like environment.

 

links:

BartPE Home Page

Download Part PE

Download Plugins

NOTE:

If this seems too over your head feel free to wait for other suggestions.

 

 

over my head - could be... :unsure:

 

this definitely isn't an area where I have a great deal of expertise, but I'll have a crack at this after I've had a go at Andy's suggestions... should keep me out of mischief for a while :rolleyes:

Share this post


Link to post
Share on other sites
Andy,

 

many thanks for all that and I'll work my way through this asap, although I'm afraid work will get in the way for most of the day... My one query at this point is whether this should go on the HijackThis forum rather than CCleaner, I'm not sure I see the advantage in that, the history is here. I admit my description 'CCleaner failing' isn't very descriptive, but that's all I knew at the time. This malware is certainly targeting specific applications, particularly CCleaner, as well as HijackThis and Comboscan at least, but ignoring others (don't like to write their names in case 'they' improve their malware... not that I'm getting paranoid or anything...)

 

Thanks again, I'll get started on this later today...

 

The reason Andy asked you to put all further logs into the Hijackthis forum, is because you will only get help from the 'appointed Malware experts' rather than lots of diverse ideas from other well meaning members or visitors.

 

Please follow Andys advise he is among the best of the Malware fighters.

 

Mike

Share this post


Link to post
Share on other sites
The reason Andy asked you to put all further logs into the Hijackthis forum, is because you will only get help from the 'appointed Malware experts' rather than lots of diverse ideas from other well meaning members or visitors.

 

Please follow Andys advise he is among the best of the Malware fighters.

 

Mike

 

that makes sense...

 

now that's an impressive title - 'appointed malware expert'... coo, wish I had that on my c.v. :lol:

 

actually, no I don't, this stuff makes my head hurt :blink:

Share this post


Link to post
Share on other sites
that makes sense...

 

now that's an impressive title - 'appointed malware expert'... coo, wish I had that on my c.v. :lol:

 

actually, no I don't, this stuff makes my head hurt :blink:

 

 

Me to :lol: good luck with the quest

Share this post


Link to post
Share on other sites
...

 

To remove the value goto Start > Run and copy and paste this

 

reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" /f

 

Press OK and it will remove the key, you will not notice anything but the key will be removed, you can then attempt to move the txt file again and see if explorer loads on reboot, if it doesnt then there is something else protecting the reg entries or recreating it when its removed, it maybe easier to download process explorer from here to save having to keep rebooting

 

http://download.sysinternals.com/Files/ProcessExplorer.zip

 

Run the program and then run the above regfix, move the wbjrwesa.txt to your desktop then right click explorer.exe in process explorer and choose restart, if it starts ok then the debugger value wasnt recreated but if you get error's and explorer fails to restart then the debugger value is still present so you will have to either run the reg fix again by using task manager > new task or put the file back into system32 while we check for other trojans that maybe protecting it,

 

...

 

Let us know if you have problems

 

Regards

 

Andy

 

 

Andy,

 

I've made a start on this but not produced any logs yet to put on the other forum section. I just wanted to report back on this bit. The reg delete worked and I moved the file to my desktop and rebooted, hey presto, no desktop as before. I used Taskmgr 'Run' to get command working and to shift the txt file back to system32 and I got my desktop back after another reboot. The interesting thing is that the registry is still clean, the debugger value hasn't been reinstated...

 

Not sure what that means, will go play with the rest of the utilities (which will probably mean moving the stupid file again because it doesn't like HijackThis at least...)

 

Hopefully, next entry will be in HijackThis section...

 

Thanks

 

 

Steve

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...