C:\WINDOWS\wml.exe


Quazze

Greetings,

I read a similar thread regarding this infection, but due to my lack of understanding [and finding specific items in my HiJackThis log] I am going to require additional assistance from anyone willing to help. I've run my Trend Micro AntiVirus, but it was not helpful [neither was ComboFix, since I am running Windows Vista].

My log is attached and thank you in advance for your assistance.
 
Why did you run ComboFix? You shouldn't have done so unless asked to by someone.

I'll look over your log and advise back later.
 
FYI: I ran ComboFix only because of specific forums I found doing a Google search [since I have fewer than 5 posts, I cannot post links].

I had attempted to follow the same cleanup, but things became a bit hairy. I do look forward to your assistance, kritius, and can only hope you can assist me in this endeavor. It is an ugly situation.
 
What instructions exactly did you follow for ComboFix? When people are using ComboFix, the instructions are tailored for their specific computer and are not meant to be followed by anyone else.

Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. please attach the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Uninstall your version of ComboFix.
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK
  • When shown the disclaimer, select "2"

Download and Run ComboFix
  • Download this file to your desktop from either of the two below listed places :

    HERE or HERE
  • Then double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Attach that log in your next reply.
WARNING: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
Continuation ...

Note: When I first tried to run ComboFix before contacting TechSpot, it never gave me options to run it. When I clicked on ComboFix.exe [which I saved to my Desktop], it simply had a small window saying ComboFix that filled up (as if loading). Once the window was filled, a blue screen quickly flashed and said something like the program cannot be run. It is hard to explain because the blue screen flashes so quickly. All in all, it appears I cannot run ComboFix.


1) I successfully ran Malwarebytes Anti-Malware. It took a few times due to some computer glitches, but it finally completed. I followed your instructions and have attached the log.

2) I cannot uninstall ComboFix. I tried your easy-to-follow command in the run section of Windows Vista [ComboFix /u], but Windows gives me an execute command and nothing more. I tried the execute command, but nothing seems to happen when I try to run ComboFix. I looked into my Control Panel to see if I could remove the program, but ComboFix was not located there.

I haven't done anything else to my PC as of yet. I graciously appreciate all your kind efforts in helping me move past these problems and I certainly look forward to your next response on what I need to do.
 
To access the Run prompt -> hold down your windows key and press R

Right click the combofix Icon on your desktop and select run as administrator


You also need to disable real time protection from your anti-malware software

Close all other windows and browsers, and make sure your firewall allows it access to your files
 
...

I have closed my browser and turned off my Firewall and anti-virus program(s). However, again when I try to run ComboFix this is what happens.

Using the Windows button and R, I type in ComboFix /u. Then a new window opens and states the following:

Open File - Security Warning
The publisher could not be verified. Are you sure you want to run this software?
Name: C:\Users\David\Desktop\ComboFix.exe
Publisher: Unknown Publisher
Type: Application
From: C:\User\David\Desktop\ComboFix.exe


My options then are Run or Cancel. When I click Run, the previous window closes and a new window opens stating "User Account Control" ... An unidentified program wants access to your computer. My options are Cancel or Allow. When I click on Allow, a very small ComboFix window appears and a bar begins to fill up. Once the bar is filled, it disappears and a new blue window opens up and quickly flashes a message stating that the program cannot be found or located or run ... something of this nature [it goes by so fast I can barely make out words].

The same process happens when I right click on ComboFix and Run As Administrator.

I sincerely appreciate all your efforts in helping me ... and at this point in time I am deathly confused. Please continue to assist me.
 
Let's try this. I downloaded ComboFix through our link and had the same thing happen, but easily got it to work by playing with some Windows settings.

Turn off UAC
Click on Start -> Control Panel -> User Accounts -> click Turn user account control on or off -> uncheck the box -> click ok

Try again (I had to try twice in a row for it to work, but had UAC on the whole time)
 
UAC

Thank you for your quick response.

Using Windows Vista, I go to Start --> Control Panel --> ? [I have User Accounts and Family Safety with two options underneath (Set up parental control for any user and Add or remove user accounts)].

I do use a password for my computer and I am currently logged on as Administrator [since the other option I assume is for guests ... if that means anything].

Please advise.
 
Thank you Blind Dragon.

I switched to Classic View and was able to turn off [unchecked the box of] the UAC. However, I still cannot get ComboFix to work/load.

I was finally able to read the wording on the blue window that pops up after I try to open up ComboFix. It reads as follows: The system cannot find message text number 0x8 in the message file or system.

When I unchecked the box in the UAC, I also had my firewall down, Trend Micro AntiVirus 2007 off and I had all my web browsers closed. And yet I still cannot seem to get ComboFix to work appropriately. I had tried ComboFix /u and Run as Administrator. It just seems hopeless. I also fiddled around with the UAC like you suggested Blind Dragon but after several reboots from my system, I was unsuccessful. :(
 
Ok, that's enough messing with it.

Download and Run DSS

Download Deckard's System Scanner (DSS) to your Desktop. You must be logged onto an account with administrator privileges.
  • Close all applications and windows.
  • Double-click on dss.exe to run it, and follow the prompts.
  • When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<- this one will be minimized.
  • Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.
 
Main.txt & Extra.txt

Since the text is too long to Copy and Paste (21822 characters for Main.txt), I have attached the log instead. I also will include the Extra.txt log as well.

Thank you for taking the time to help me.
 
I have studied this infection quite a bit over the last few weeks and I am going to include some files that weren't shown in your log; if they are there, please let me know, as we will have additional steps to remove them.

You might want to copy and paste these instructions into a Notepad file and save it to your desktop. Then you can have the file open in Safe Mode, so you can follow the instructions more easily.

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run Hijackthis and Select Do A System Scan Only
Put a check mark next to the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [MSServer] rundll32.exe C:\Users\David\AppData\Local\Temp\efcCuSmj.dll,#1
O4 - HKCU\..\Run: [fdyvqvum] C:\ProgramData\fdyvqvum\sdolidmh.exe
O4 - HKCU\..\Run: [PfJnvj0FDZ] C:\ProgramData\gdsvyjyp\kzmfgder.exe
O4 - HKCU\..\Run: [cmds] rundll32.exe C:\Users\David\AppData\Local\Temp\pmnoNdcb.dll,c
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqcpqdktp/downloads/sysinfo.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/VistaMSNPUpldes-es.cab


Select Fix Checked

Close Hijackthis

Show hidden files through Windows Explorer
  • Access Windows Explorer by clicking Start, point to All Programs, Accessories, and then click Windows Explorer. Or hold the Windows key and press E.
  • On the Tools menu in Windows Explorer, click Folder Options.
  • Click the View tab.
  • Under Hidden files and folders, click Show hidden files and folders, and uncheck Hide protected operating system files.

Use Windows Explorer to navigate to and delete the following folder:

Folder:
C:\C:\Users\All Users\gdsvyjyp<-This folder
C:\Users\All Users\fdyvqvum <-This folder
C:\ProgramData\fdyvqvum<-This folder
C:\ProgramData\gdsvyjyp<-This folder

Files:
C:\Users\David\Desktop\FWebdEditor.exe <- This file
C:\Users\David\Desktop\fwebd.exe <- This file
C:\Users\David\Desktop\filemanagerclient.exe <- This file
C:\Users\David\AppData\Local\Temp\pmnoNdcb.dll <- This file
C:\Users\David\AppData\Local\Temp\efcCuSmj.dll <- This file

Also look for the following, which weren't shown in your log; delete if there (also let me know if there):
C:\Documents and Settings\David\Desktop\blackbird.jpg
C:\Documents and Settings\David\Desktop\EditorFKWP1.5.exe
C:\Documents and Settings\David\Desktop\EditorFKWP2.0.exe
C:\Documents and Settings\David\Desktop\filemanagerclient.exe
C:\Documents and Settings\David\Desktop\fkwp1.5.exe
C:\Documents and Settings\David\Desktop\fkwp2.0.exe
C:\Documents and Settings\David\Desktop\fwebd.exe
C:\Documents and Settings\David\Desktop\FWebdEditor.exe
C:\Documents and Settings\David\Desktop\Trojan.Win32.BlackBird.exe

Restart your computer into normal mode

Run a new scan with Hijackthis and attach the log
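The O4 entries above were picked out by eye: rundll32.exe loading a DLL from the user's Temp folder and calling it by ordinal (#1) or a one-letter export, plus executables sitting in random eight-letter folders under C:\ProgramData. The following PowerShell (an added example, mine, not part of this thread and not HijackThis code; needs PowerShell 3 or later) turns those observations into a repeatable check over the Run/RunOnce keys and also reports whether the two Folder Options settings from the post are set. The indicator patterns, the function names and the sample command lines are assumptions built from the log lines quoted above; on Vista, C:\Users\All Users is a junction to C:\ProgramData, so both spellings are matched.

```powershell
# Added example (not from the thread). Triage autorun commands the way the
# O4 lines above were triaged. Patterns below are assumptions drawn from those lines.

function Test-SuspiciousRunCommand {
    param([Parameter(Mandatory = $true)][string]$Command)
    $reasons = @()
    # rundll32 pointed at a DLL dropped in %LOCALAPPDATA%\Temp
    if ($Command -match 'rundll32(\.exe)?\s+.*\\AppData\\Local\\Temp\\[^,\s]+\.dll') {
        $reasons += 'rundll32 loads a DLL from the user Temp folder'
    }
    # entry point given as an ordinal (#1) or a single-letter export (,c)
    if ($Command -match '\.dll,\s*(#\d+|[a-z])\s*$') {
        $reasons += 'DLL entry point is an ordinal or a one-letter export'
    }
    # <8 random letters>\<8 random letters>.exe under ProgramData / All Users
    if ($Command -match '\\(ProgramData|Users\\All Users)\\[a-z]{8}\\[a-z]{8}\.exe') {
        $reasons += 'executable in a random 8-letter folder under ProgramData'
    }
    # First path-looking token; a Run value whose target is gone is the
    # registry-only leftover HijackThis keeps listing after the file is deleted.
    $target = $null
    if ($Command -match '([a-z]:\\[^,"]+?\.(exe|dll))') { $target = $Matches[1] }
    $onDisk = if ($target) { Test-Path -LiteralPath $target } else { $null }
    [pscustomobject]@{
        Command    = $Command
        Target     = $target
        OnDisk     = $onDisk
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

function Get-RunEntries {
    # The same autorun locations HijackThis reports as O4 (HKCU/HKLM Run, RunOnce).
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # skip the provider bookkeeping properties Get-ItemProperty adds
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            Test-SuspiciousRunCommand -Command ([string]$p.Value) |
                Add-Member -MemberType NoteProperty -Name Key  -Value $key    -PassThru |
                Add-Member -MemberType NoteProperty -Name Name -Value $p.Name -PassThru
        }
    }
}

function Get-ExplorerHiddenFileSettings {
    # Hidden = 1 -> "Show hidden files and folders"; ShowSuperHidden = 1 -> the
    # "Hide protected operating system files" box is unchecked.
    $adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $v = Get-ItemProperty -Path $adv
    [pscustomobject]@{
        ShowHiddenFiles      = ($v.Hidden -eq 1)
        ShowProtectedOSFiles = ($v.ShowSuperHidden -eq 1)
    }
}

# Constructed sample: the four O4 commands quoted in the thread plus one benign
# Vista entry, so the classifier can be exercised without touching the registry.
$sample = @(
    'rundll32.exe C:\Users\David\AppData\Local\Temp\efcCuSmj.dll,#1',
    'C:\ProgramData\fdyvqvum\sdolidmh.exe',
    'C:\ProgramData\gdsvyjyp\kzmfgder.exe',
    'rundll32.exe C:\Users\David\AppData\Local\Temp\pmnoNdcb.dll,c',
    '"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun'
)
$sample | ForEach-Object { Test-SuspiciousRunCommand -Command $_ } |
    Format-Table Suspicious, Reasons, Command -AutoSize

# Live system: only the flagged entries, with the key and value name to fix.
Get-RunEntries | Where-Object { $_.Suspicious } | Format-List Key, Name, Command, OnDisk, Reasons
Get-ExplorerHiddenFileSettings
```

On the constructed sample the first four commands come back Suspicious with the matching reason and the sidebar entry does not. OnDisk is False for a value whose file has already been deleted, which is exactly the state the next post describes (registry entry fixed, file possibly still present, or file gone, entry still listed); run the live section before and after the Fix Checked step to see which of the two you are in.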
 
New HiJackThis log

Hello Blind Dragon,

I had difficulties locating the Tools menu in Windows Explorer while in Safe Mode. After 20 minutes of fiddling around, I finally gave up and restarted my computer in Normal Mode, and the Tools menu was easily found and accessible.

But before that, under Safe Mode and running HiJackThis (System Scan Only) as you suggested, I was able to place a check mark next to half of the entries you had listed. The other entries were not found/located. I then selected Fix and closed HiJackThis.

This was when I was not able to find the Tools menu under Windows Explorer and had to resort to running in Normal Mode to access this option. While in Normal Mode, I was able to delete/locate 0 of the folders you had mentioned. These folders were not found:

Folder Not Located:
C:\C:\Users\All Users\gdsvyjyp
C:\Users\All Users\fdyvqvum
C:\ProgramData\fdyvqvum
C:\ProgramData\gdsvyjyp

I was able to locate and delete 3 of the 5 files you mentioned. The files not found were as follows:

Files Not Located:
C:\Users\David\AppData\Local\Temp\pmnoNdcb.dll
C:\Users\David\AppData\Local\Temp\efcCuSmj.dll

In addition, you asked me to look for additional files that were not in my log. I was not able to locate any of the 9 folders/files you had mentioned.

In conclusion, I restarted my computer and ran a new HiJackThis System Scan Only and have attached the log for your review.
 
Well, the entries won't show in the log now because the registry entries are gone. That doesn't mean all of the files are gone for sure.

As a 2nd opinion to what we have done, please do the following online scan.

Run Kaspersky Online AV Scanner

In order to use it you have to use Internet Explorer.
Go to Kaspersky and click the Accept button at the end of the page.

Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • Read the Requirements and limitations before you click Accept.
  • Allow the ActiveX download if necessary.
  • Once the database has downloaded, click Next.
  • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
  • Click on "My Computer"
  • When the scan has completed, click Save Report As...
  • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
  • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
Attach the report into your next reply
 
I was able to perform all of your requests, with the exception of being able to Save the log. I ran Kaspersky Online Scanner and then went to work. When I came back, this is what I saw on my screen:

Selected target: My Computer
Source: C:\; D:\; E:\;

Report is empty.
Please note: The free Kaspersky Online Scanner does not provide comprehensive protection and cannot prevent future infections. It only detects malware that has already penetrated your storage devices. We strongly recommend that you use a fully-functional antivirus solution to protect your computer at all times.

Please wait, this process may take a long time depending on the selected target. If you want to continue browsing, open a new window.

Scan Progress [99%]:


Total number of scanned objects: 131759
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:57:12


It looked as if the scan stopped at 99% for some odd reason. I will rerun scan and post log as you requested.
 
Scan Complete

Note: Background on Desktop is black and most of my pictures will not automatically display when my picture folder is open.

I have attached the Kaspersky Online Scanner log for your review. Please advise.
 
I cannot. I've been playing around with it, but there certainly seems to be an internal error happening. Although I never received any error messages, I definitely can tell that something is amiss. Just looking at my pictures and also pictures in my desktop background [right clicking it --> personalize --> desktop background], everything seems a blur.

Despite that, and after reading my logs, how am I looking?

Edit: I have yet to run my normal Trend Micro Anti-Virus. Although I am sure this matters not at this point, the good news is that the virus flash window that kept popping up with its Security Update (c:\windows\wml.exe), that has vanished.
 
Do this

Go to Start -> Control Panel -> Administrative Tools -> Event Viewer -> look for errors in the last few hours -> post the event ID and source for each.

Not info or warnings, only errors. Right-click them and select Show all instances, then Properties.
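The same Event Viewer triage from PowerShell 3 or later, as an added example that is not part of the thread: Level 2 is "Error" in the Windows event log schema, so Information (4) and Warning (3) entries are excluded as the post asks, and the output is already grouped by Source and Event ID with a count (the "Show all instances" step) so it can be pasted into a reply. The function name, the three-hour default and the log selection are my assumptions.

```powershell
# Added example (not from the thread): errors from the last few hours, grouped
# by Source and Event ID the way the post above asks for them to be reported.
function Get-RecentErrorSummary {
    param(
        [int]$Hours = 3,
        [string[]]$LogName = @('System', 'Application')
    )
    $filter = @{
        LogName   = $LogName
        Level     = 2                      # 2 = Error (1 = Critical, 3 = Warning, 4 = Information)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent reports "No events were found" as an error instead of
    # returning nothing, hence -ErrorAction SilentlyContinue.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object -Property ProviderName, Id |
        ForEach-Object {
            $ordered = @($_.Group | Sort-Object TimeCreated)
            [pscustomobject]@{
                Source    = $ordered[0].ProviderName
                EventId   = $ordered[0].Id
                Count     = $_.Count
                FirstSeen = $ordered[0].TimeCreated
                LastSeen  = $ordered[-1].TimeCreated
                # first line of the message is usually enough to post
                Message   = (([string]$ordered[0].Message) -split "`r?`n")[0]
            }
        } |
        Sort-Object -Property Count -Descending
}

Get-RecentErrorSummary -Hours 3 | Format-Table -AutoSize
```

Pipe the result through Out-File (for example `Get-RecentErrorSummary | Format-List | Out-File "$env:USERPROFILE\Desktop\errors.txt"`) to get a text file that can be attached rather than retyped; the Message column is the first line only, the full text is still in Event Viewer under Properties.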
 