Full Version: CCleaner failing
Piriform Community Forums > Piriform Software > CCleaner Discussion > CCleaner Bug Reporting
scotiabahn
I started getting a problem with CCleaner on my desktop PC this afternoon: when I tried to run it, it seemed to try and start and then shut down, then tried to start again, then failed, and kept repeating until I selected another program to run. I've tried rebooting, an AV scan and a SpyBot run without finding anything. The weirdest thing is that from the desktop PC I can't access this forum, or the main CCleaner site or any site that refers to CCleaner; all IE windows shut down as soon as they start to load... I am writing this on my laptop... I have absolutely no idea what is going on... I've even tried uninstalling CCleaner, but I can't even do that because it bounces out just like everything else that refers to CCleaner... It seems like there is something on my machine that is doing some sort of DoS attack but I have no idea what to do about it...

Has anyone got any ideas/suggestions?

Many thanks.


P.S. Been doing some further rummaging - when I try and run CCleaner, the task manager briefly shows VERCLSID as a running process... no idea whether it should or not, but it's the only additional info I have... Sigh... Oh, by the way I can't even look at the folder and files in Explorer, I have to go into DOS and use DIR... Nothing interesting there, all the dates are a week or so past when I updated to a more current version...
Andavari
Someone else reported something about not being able to use CCleaner, let alone come to the website. To me it sounds like some sort of malware targeting CCleaner, since it's after all a tool that's suggested to clear out temporary junk files that can have infections.
hazelnut
Interesting read here

http://www.wilderssecurity.com/showthread.php?t=127567



Andavari
QUOTE(hazelnut @ Mar 20 2007, 06:40 AM) [snapback]66103[/snapback]

So the "malware" is Microsoft Updates. rolleyes.gif
scotiabahn
I was certainly thinking that it was malware targeting CCleaner at first, but I also found the wilderssecurity report about verclsid.exe and my current theory (half-baked lunatic raving more like...) is that something about the last CCleaner upgrade or an MS Update has resulted in this new incompatibility. I reckon that verclsid is checking out CCleaner and bouncing it. The reference on the wilderssecurity site talks about verclsid being trapped by yet another utility so they weren't having the same symptoms as me.

Anyway, that's my current wild-eyed loony idea... blink.gif

Happy to hear any suggestions about handling it... I don't really want to dismember verclsid unless I really have to... it's supposed to be at least vaguely useful against REAL malware...
MikeW
Here is the latest I could find

http://www.pcworld.com/article/id,125507-page,1/article.html

updated to more recent and accurate post
scotiabahn
QUOTE(MikeW @ Mar 20 2007, 04:03 PM) [snapback]66134[/snapback]
Here is the latest I could find

http://www.updatexp.com/kb908531.html


Well, that seems a bit simpler than some of the other guides I've seen so thanks for that, but I still have to switch off VERCLSID which is (allegedly) there to protect my machine...

I have seen something on the MS website relating to problems with HP and Nvidia, and there was a fix for that which updated the registry to make them 'acceptable' to VERCLSID. I guess that would be the ideal solution.. but that all rather presumes that I'm not barking mad in my suggestions about verclsid... haven't got time to do it now, but I guess I could try the guidance above and see what happens - if it doesn't fix it, then that would at least shoot my theory full of holes...
hazelnut
Good luck smile.gif
scotiabahn
QUOTE(hazelnut @ Mar 20 2007, 04:59 PM) [snapback]66140[/snapback]
Good luck smile.gif



I'm still hoping someone will come up with something better before I get to it... unsure.gif
MikeW
QUOTE(scotiabahn @ Mar 20 2007, 05:01 PM) [snapback]66141[/snapback]
I'm still hoping someone will come up with something better before I get to it... unsure.gif



Take a look at this

http://www.pcworld.com/article/id,125507-page,1/article.html
scotiabahn
QUOTE(MikeW @ Mar 20 2007, 05:28 PM) [snapback]66146[/snapback]



there's a lot of those around when you start looking... from what I can work out, the original version was so crummy that they had to put another one out real quick, but that's a year back now... this pc has a (fairly... until this...) stable system so something must have changed more recently...

I've just tried following the guidance further above but that wasn't enough... So far I've renamed two copies of verclsid.exe to *.old (found via standard search function) and deleted the prefetch copy, then rebooted and rescanned - no sign of verclsid.exe anywhere, but no improvement either... still no CCleaner running, still no access to this forum except via laptop rather than desktop...

So... either I haven't managed to find everything... or it's malware...

guess I could try uninstalling the MS fix itself... I'd better put the verclsid.old files back to the 'proper' extensions otherwise they may get missed... might try that later unless anyone has any better suggestions (ever hopeful...) but now I gotta go do some other stuff for a while
hazelnut
You could always post a hjt log in the section for it on the forum, just to clear up that possibility.
scotiabahn
QUOTE(hazelnut @ Mar 20 2007, 06:22 PM) [snapback]66155[/snapback]
You could always post a hjt log in the section for it on the forum, just to clear up that possibility.



ummm... would you care to explain that in newbie language? unsure.gif
hazelnut
No problem smile.gif

Read the instructions here and the download button for the hjt log program is at the bottom.

http://forum.piriform.com/index.php?showtopic=1720


This is the part of the forum where to post the log, the new topic button is at the top right hand side.

http://forum.piriform.com/index.php?showforum=12

Any problems, just ask; someone will always help if you have problems doing it.
scotiabahn
QUOTE(hazelnut @ Mar 20 2007, 06:56 PM) [snapback]66162[/snapback]
No problem smile.gif

Read the instructions here and the download button for the hjt log program is at the bottom.

http://forum.piriform.com/index.php?showtopic=1720
This is the part of the forum where to post the log, the new topic button is at the top right hand side.

http://forum.piriform.com/index.php?showforum=12

Any problems, just ask; someone will always help if you have problems doing it.


thx - I'll have a crack at that in the morning now, only just got the study back after my son finished his homework...
scotiabahn
QUOTE(scotiabahn @ Mar 20 2007, 09:04 PM) [snapback]66166[/snapback]
thx - I'll have a crack at that in the morning now, only just got the study back after my son finished his homework...


Now I'm really getting worried... I wasn't able to look at the Hijackthis website from my desktop... I downloaded it on my laptop and emailed the zip file across, but I can't expand the zip on my desktop... so do we have malware attacking CCleaner and its related software, or is this still a verclsid issue, because HJT uses similar classes that MS consider unfriendly?

I'm going to have to try complete removal of KB908531 and see where that gets me, but I'll have to do it later - work to be done...

Meantime, anybody has anything else to chip in, be glad to hear it...
scotiabahn
OK...

so, I've completely removed KB908531 (uninstalled through Control Panel/add/remove programs), deleted any remaining versions of verclsid.exe, including in prefetch, and scoured the registry deleting any remaining references in there, and rebooted the machine...

still won't run CCleaner... ohmy.gif

tried looking at task manager again to see if there's anything happening there, see if verclsid is popping up from somewhere else...

no, it isn't, BUT... I have a new suspect that I could use some guidance on... I noticed that when I click on CCleaner I am now getting another process in task manager - wbjrwesa.txt, whatever the h*ll that is... mad.gif

have tried searching for it on Google but it's not listed there... tried browsing it, but I get 'access denied'... it exists in windows/system32 and prefetch...

any suggestions?

meantime I'll go look a bit further... tempted to just try deleting the damn thing, but as I've already wrecked something else (don't ask! rolleyes.gif ) trying to get rid of this, I'd like to see whether anyone has any other suggestions...
hazelnut
I wonder if it's possible to put the hjt log zip on a usb drive, unzip it in there, and drag and drop the file onto your desktop, just to see if it's even possible it will allow you to run it.
scotiabahn
QUOTE(hazelnut @ Mar 21 2007, 07:05 PM) [snapback]66268[/snapback]
I wonder if it's possible to put the hjt log zip on a usb drive, unzip it in there, and drag and drop the file onto your desktop, just to see if it's even possible it will allow you to run it.


unfortunately I don't have a USB drive option for the affected machine, but I could try it on an old-fashioned floppy or even the old hard drive still attached for backups...


otherwise I think I'll just have to try and smite it!
scotiabahn
I can unzip it on my old E drive, but it won't run nor can I move the .exe to the desktop... as soon as I do a 'mouseover' the filename in explorer it bounces me out and shows wbjrwesa.txt in taskmgr... bother... mad.gif
MikeW
QUOTE(scotiabahn @ Mar 21 2007, 07:42 PM) [snapback]66274[/snapback]
I can unzip it on my old E drive, but it won't run nor can I move the .exe to the desktop... as soon as I do a 'mouseover' the filename in explorer it bounces me out and shows wbjrwesa.txt in taskmgr... bother... mad.gif


Have you tried re-naming HJT on your other PC and then transferring the file over?
scotiabahn
QUOTE(MikeW @ Mar 21 2007, 08:00 PM) [snapback]66276[/snapback]
Have you tried re-naming HJT on your other PC and then transferring the file over?


thanks, hadn't thought of that... a simple rename (dropping the H) didn't work, will now try something more sneaky, rearrange more letters, maybe change the icon... can't think of much else I can do to disguise an exe file, and besides, anything that's this smart will probably be able to see some internal identifier...

back in a bit...

thanks again...
rridgely
Hi,
Run this instead. (it will generate a hijackthis log as well)

Download ComboScan to your Desktop
  • Close all applications and windows.
  • Double-click on comboscan.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, a text file will open - ComboScan.txt
  • A folder Comboscan will also open which contains the Comboscan.txt and a Supplementary.txt.
  • Copy and paste the contents of ComboScan.txt in your next reply.
  • Extra Note: When running Comboscan, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags Comboscan as suspicious. Please allow the Comboscan to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus)
scotiabahn
fancy rename doesn't work any better... there are too many internal names that even I can see (but can't amend...)

unless anyone has any better ideas, I'm gonna have a crack at deleting the wbjrwesa.txt file (it would be rather ironic if I could use the Secure Delete function of CCleaner to get rid of it smile.gif ) My suspicion is that nothing in Explorer will work, but I'm hopeful that 'ERASE' in a command window might give it a fright...

Meanwhile, I'll go fix the other application I broke taking out too much to get rid of this bug blink.gif
scotiabahn
QUOTE(rridgely @ Mar 21 2007, 08:19 PM) [snapback]66283[/snapback]
Hi,
Run this instead. (it will generate a hijackthis log as well)

Download ComboScan to your Desktop
  • Close all applications and windows.
  • Double-click on comboscan.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, a text file will open - ComboScan.txt
  • A folder Comboscan will also open which contains the Comboscan.txt and a Supplementary.txt.
  • Copy and paste the contents of ComboScan.txt in your next reply.
  • Extra Note: When running Comboscan, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags Comboscan as suspicious. Please allow the Comboscan to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus)


oops - just seen this - will go give it a try... ta muchly...
Whiteshark
QUOTE(scotiabahn @ Mar 21 2007, 09:12 PM) [snapback]66281[/snapback]
thanks, hadn't thought of that... a simple rename (dropping the H) didn't work, will now try something more sneaky, rearrange more letters, maybe change the icon... can't think of much else I can do to disguise an exe file, and besides, anything that's this smart will probably be able to see some internal identifier...

back in a bit...

thanks again...


I've read on some Italian forum that other people are unable to run both CCleaner and HijackThis too..
unsure.gif

If you like, try to download a renamed copy of HJT from my web space:

File name pippo.zip (contains HJT renamed as pippo.exe)

Disco Remoto
scotiabahn
QUOTE(rridgely @ Mar 21 2007, 08:19 PM) [snapback]66283[/snapback]
Hi,
Run this instead. (it will generate a hijackthis log as well)

Download ComboScan to your Desktop
  • Close all applications and windows.
  • Double-click on comboscan.exe to run it, and follow the prompts.
  • The scan may take a minute. When the scan is complete, a text file will open - ComboScan.txt
  • A folder Comboscan will also open which contains the Comboscan.txt and a Supplementary.txt.
  • Copy and paste the contents of ComboScan.txt in your next reply.
  • Extra Note: When running Comboscan, some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so. Also, it may happen that your Antivirus flags Comboscan as suspicious. Please allow the Comboscan to run and don't let your Antivirus delete it. (In this case, it may be better to temporarily disable your Antivirus)



Unfortunately this has gone the same way as HijackThis... It did start running and completed the restore point, but stopped around 12% progress (as far as I could tell). Both .txt files were created but are empty...
scotiabahn
QUOTE(Whiteshark @ Mar 21 2007, 08:23 PM) [snapback]66287[/snapback]
I've read on some Italian forum that other people are unable to run both CCleaner and HijackThis too..
unsure.gif

If you like, try to download a renamed copy of HJT from my web space:

File name pippo.zip (contains HJT renamed as pippo.exe)

Disco Remoto



Many thanks for the help, but that hasn't worked either.... it still recognises it as a threat and shuts it down...
scotiabahn
I've been playing...

I tried simply moving the wbjrwesa.txt file out of the windows/system32 folder to the desktop and then deleted the prefetch version (Ordinary delete, not CCleaner Securedelete - didn't work)

Then I tried running CCleaner again and it worked, analyzing and removing the accumulated crud of the last few days... So that's good...

However, at the moment, my desktop seems to have got a bit confused and all the icons and task bars have vanished so it might be time for a reboot. I'll let you know how I get on...
scotiabahn
OH bother... now my desktop has gone missing... I'm really going from bad to worse on this...

since I last wrote, reboot hasn't resolved it...

nor has moving wbjrwesa.txt to the old e drive helped, the desktop is still blank... the only way I can run anything is via task mgr (ctrl+alt+del) and then use File/Run....

the only good news is that I can see the internet on the desktop mc again and can run Comboscan. As requested earlier I will put the details from Comboscan.txt in here, but I will have to do that again - explorer isn't running and I can't find the output - aargh! mad.gif

scotiabahn
QUOTE(scotiabahn @ Mar 21 2007, 09:49 PM) [snapback]66297[/snapback]
OH bother... now my desktop has gone missing... I'm really going from bad to worse on this...

since I last wrote, reboot hasn't resolved it...

nor has moving wbjrwesa.txt to the old e drive helped, the desktop is still blank... the only way I can run anything is via task mgr (ctrl+alt+del) and then use File/Run....

the only good news is that I can see the internet on the desktop mc again and can run Comboscan. As requested earlier I will put the details from Comboscan.txt in here, but I will have to do that again - explorer isn't running and I can't find the output - aargh! mad.gif


ComboScan v20070306.20 run by family on 2007-03-21 at 21:49:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as family.exe) ----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 21:49:33, on 21/03/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\family\Desktop\comboscan.exe
C:\PROGRA~1\HIJACK~1\family.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://morwillsearch.com/?adv_id=amandaxxx&sub_id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {B35C1E01-EB19-D484-5BA5-B1B1FAF1F1FB} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Intense Registry Service] IntEdReg.exe /CHECK
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: RtlWake.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: www.amazon.co.uk
O15 - Trusted Zone: *.morwillsearch.com
O16 - DPF: RaptisoftGameLoader - http://www.miniclip.com/games/hamsterball/...tgameloader.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {BED02A0F-05A1-4249-A49E-CD0D41A6A152} - http://xearl.com/abd3bb87/sm/10031/1/xp/FastTeens.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.broadbandassist.com/bbdesktop/...tivePreQual.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: disk - C:\WINDOWS\system32\diskperff.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe


-- Files created between 2007-02-21 and 2007-03-21 -----------------------------

2007-03-21 19:57:54 0 d-------- C:\Documents and Settings\family\Application Data\AVG7
2007-03-21 19:57:46 0 d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-03-21 19:57:43 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2007-03-21 19:57:43 19392 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-03-21 19:57:43 3968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-03-21 19:57:42 27776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-03-21 19:57:38 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-03-21 19:57:33 775680 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-03-21 19:57:29 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-03-21 19:57:29 0 d-------- C:\Documents and Settings\All Users\Application Data\avg7
2007-03-20 15:27:38 5936 --a------ C:\Documents and Settings\family\mqdmwhnt.sys
2007-03-20 15:27:38 79328 --a------ C:\Documents and Settings\family\mqdmserd.sys
2007-03-20 15:27:38 92064 --a------ C:\Documents and Settings\family\mqdmmdm.sys
2007-03-20 15:27:38 9232 --a------ C:\Documents and Settings\family\mqdmmdfl.sys
2007-03-20 15:27:38 4048 --a------ C:\Documents and Settings\family\mqdmcr.sys
2007-03-20 15:27:38 6208 --a------ C:\Documents and Settings\family\mqdmcmnt.sys
2007-03-20 15:27:38 66656 --a------ C:\Documents and Settings\family\mqdmbus.sys
2007-03-20 09:45:07 0 d-------- C:\Program Files\vtplus
2007-03-20 08:54:01 118784 --a------ C:\WINDOWS\system32\o100vc.dll
2007-03-20 08:54:01 40960 --a------ C:\WINDOWS\system32\o100ext.dll
2007-03-20 08:54:01 36864 --a------ C:\WINDOWS\system32\hcwutl32.dll
2007-03-20 08:54:01 96768 --a------ C:\WINDOWS\system32\hcwTVWnd.dll
2007-03-20 08:54:01 89600 --a------ C:\WINDOWS\system32\hcwTVDlg.dll
2007-03-20 08:54:01 48128 --a------ C:\WINDOWS\system32\hcwtuner.dll
2007-03-20 08:54:01 393216 --a------ C:\WINDOWS\system32\HCWsnbd9.dll
2007-03-20 08:54:01 36864 --a------ C:\WINDOWS\system32\hcwps32.dll
2007-03-20 08:54:01 155648 --a------ C:\WINDOWS\system32\hcwpnp32.dll
2007-03-20 08:54:01 45056 --a------ C:\WINDOWS\system32\hcwi2c32.dll
2007-03-20 08:54:01 32768 --a------ C:\WINDOWS\system32\hcwHook.dll
2007-03-20 08:54:01 184832 --a------ C:\WINDOWS\system32\hcwChan.dll
2007-03-20 08:54:01 135168 --a------ C:\WINDOWS\system32\hcwAV.dll
2007-03-20 08:54:01 113664 --a------ C:\WINDOWS\system32\hcwAud32.dll
2007-03-20 08:54:01 140440 --a------ C:\WINDOWS\system32\drivers\hcw848nt.sys
2007-03-20 08:54:00 28672 --a------ C:\WINDOWS\system32\BTGPIO32.dll
2007-03-20 08:54:00 28672 --a------ C:\WINDOWS\system32\BT848Wst.dll
2007-03-20 08:54:00 16384 --a------ C:\WINDOWS\system32\Bt848_32.dll
2007-03-15 14:12:05 21504 --a------ C:\WINDOWS\system32\drivers\hidserv.dll
2007-03-15 13:50:56 0 d-------- C:\Program Files\Motive
2007-03-15 13:50:56 0 d-------- C:\Program Files\BT Broadband Desktop Help<BTBROA~1>
2007-02-26 18:42:38 0 d-------- C:\Documents and Settings\All Users\Application Data\NVIDIA
2007-02-26 18:37:19 208896 --a------ C:\WINDOWS\system32\NVUNINST.EXE


-- Find3M Report ---------------------------------------------------------------

2007-03-21 20:42:45 0 d-------- C:\Program Files\ZipCentral<ZIPCEN~1>
2007-03-21 19:57:29 0 d-------- C:\Program Files\Grisoft
2007-03-21 19:56:42 0 d---s---- C:\Documents and Settings\family\Application Data\Microsoft<MICROS~1>
2007-03-20 15:28:23 0 d-------- C:\Program Files\Motorola Phone Tools<MOTORO~1>
2007-03-20 15:25:41 0 d-------- C:\Program Files\Avanquest update<AVANQU~1>
2007-03-20 09:44:57 0 d-------- C:\Program Files\WinTV
2007-03-18 12:53:29 0 d-------- C:\Program Files\Microsoft Money<MICROS~4>
2007-03-17 18:12:35 16 --a------ C:\WINDOWS\popcinfo.dat
2007-03-15 21:21:19 0 d-------- C:\Program Files\Outlook Express Quick Backup<OUTLOO~2>
2007-03-15 21:21:05 249856 -----n--- C:\WINDOWS\Setup1.exe
2007-03-15 21:21:03 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-03-15 13:57:49 0 d-------- C:\Documents and Settings\family\Application Data\Motive
2007-03-15 13:52:14 0 d-------- C:\Program Files\Common Files\Motive
2007-02-18 19:21:36 0 d-------- C:\Program Files\Yahoo!
2007-01-29 10:37:18 0 d-------- C:\Program Files\BT Home Hub<BTHOME~1>
2007-01-29 08:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe
2007-01-25 07:55:27 29232 --a------ C:\WINDOWS\hpoins03.dat
2007-01-22 21:43:35 0 d-------- C:\Program Files\btbb_wcm
2007-01-21 12:05:59 0 d-------- C:\Program Files\OpenTTD
2007-01-12 09:27:42 232960 --a------ C:\WINDOWS\system32\webcheck.dll
2007-01-12 09:27:42 51712 -----n--- C:\WINDOWS\system32\msfeedsbs.dll<MSFEED~1.DLL>
2007-01-12 09:27:42 458752 -----n--- C:\WINDOWS\system32\msfeeds.dll
2007-01-12 09:27:42 6054400 --a------ C:\WINDOWS\system32\ieframe.dll
2007-01-08 19:04:54 105984 --a------ C:\WINDOWS\system32\url.dll
2007-01-08 19:04:08 102400 --a------ C:\WINDOWS\system32\occache.dll
2007-01-08 19:02:04 266752 --a------ C:\WINDOWS\system32\iertutil.dll
2007-01-08 19:02:04 44544 --a------ C:\WINDOWS\system32\iernonce.dll
2007-01-08 19:02:02 384000 --a------ C:\WINDOWS\system32\iedkcs32.dll
2007-01-08 19:02:02 383488 --a------ C:\WINDOWS\system32\ieapfltr.dll
2007-01-08 19:02:02 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2007-01-08 19:02:02 230400 --a------ C:\WINDOWS\system32\ieaksie.dll
2007-01-08 19:02:02 153088 --a------ C:\WINDOWS\system32\ieakeng.dll
2007-01-08 19:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll
2007-01-08 19:00:48 124928 --a------ C:\WINDOWS\system32\advpack.dll
2007-01-08 18:08:14 56832 --a------ C:\WINDOWS\system32\ie4uinit.exe
2007-01-08 18:08:10 13824 --a------ C:\WINDOWS\system32\ieudinit.exe


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"type32"="\"C:\\Program Files\\Microsoft IntelliType Pro\\type32.exe\""
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"nwiz"="nwiz.exe /install"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\point32.exe\""
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"Intense Registry Service"="IntEdReg.exe /CHECK"
"btbb_wcm_McciTrayApp"="C:\\Program Files\\btbb_wcm\\McciTrayApp.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktop"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
"Debugger"="\"c:\\windows\\system32\\wbjrwesa.txt\""
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\disk

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\
HTTPFilter REG_MULTI_SZ HTTPFilter\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\



-- End of ComboScan: finished at 2007-03-21 at 21:52:13 ------------------------

scotiabahn
This bit looks key to me:-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
"Debugger"="\"c:\\windows\\system32\\wbjrwesa.txt\""


I've tried REGEDIT to get rid of the debugger value but it won't let me...

just occurs to me that CCleaner might be able to now it's running... I'll go have a look...
scotiabahn
QUOTE(scotiabahn @ Mar 21 2007, 09:57 PM) [snapback]66299[/snapback]
This bit looks key to me:-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
"Debugger"="\"c:\\windows\\system32\\wbjrwesa.txt\""
I've tried REGEDIT to get rid of the debugger value but it won't let me...

just occurs to me that CCleaner might be able to now it's running... I'll go have a look...



nope it didn't find it...

Help! any suggestions? At least I had the desktop before?
scotiabahn
I have got my desktop back, but only by putting wbjrwesa.txt back into c:\windows\system32, which means I lose CCleaner, HijackThis and the rest as viable applications, but at least I can do most things again...

I'm also going to put back KB908531 and verclsid.exe because that doesn't seem to be the problem, it's just this stupid txt file, which I can't delete or erase, nor remove from my registry, which I suspect is the key part of this.

An interesting 24 hours or so, back to the same situation as before, but at least there is a better suspect for the problem... Now, anyone got any ideas on how to kill it?

A few things occurred to me overnight on a more general level:-

1. How did I get this on my machine? Best guess is via an infected website - had a nasty pop-up explosion of windows maybe a week back, and probably hadn't run CCleaner since then...

2. Why is someone targeting CCleaner and its chums? It doesn't affect my anti-spyware, anti-ad, or anti-virus software...

3. I have to say that I am impressed by this nasty little thing, it's pretty hard to detect, hard to kill and fiendishly selective. It also occurred to me that whoever wrote it might be monitoring this forum, highly amused by their handiwork. Well, if he/she is, bravo, it's very good, but you could be kind and put me out of my misery and tell me how to fix it... If anyone wonders why I should ask such a thing, well, I am an eternal optimist when it comes to the potential for generosity in the human spirit...

Thanks to everyone for their help so far...
fireryone
I was wondering if you could take out the txt file again (lose your desktop), then in taskmanager try initiating explorer.exe (via File / Run / C:\windows\explorer.exe ), that usually would bring back the desktop and start menu etc.

I noticed this because in the HJT/Comboscan report above, explorer is not running, which is why you have no desktop.

Also what are the contents of the text file?
login123
FYI: I am running an HP computer, wxp up to date.
1. verclsid.exe is in system32,
2. there is a prefetch file for it,
3. and it is present in C:\WINDOWS\$hf_mig$\KB908531\SP2QFE.
4. Neither wbjrwesa.txt nor wbjrwesa is found on C: drive anywhere using windows explorer

No information about wbjrwesa found on google, dogpile, mama, ask.com, nor yahoo answers.

edit 22 mar 07: Also no information from computer associates virus info database.

Am running CCleaner V. 1.36.430. All applications are running OK. Makes me think the problem isn't verclsid. . .??

Good hunting, hope this helps. smile.gif
scotiabahn
QUOTE(fireryone @ Mar 22 2007, 12:16 PM) [snapback]66327[/snapback]
I was wondering if you could take out the txt file again (lose your desktop), then in taskmanager try initiating explorer.exe (via File / Run / C:\windows\explorer.exe ), that usually would bring back the desktop and start menu etc.

I noticed this because in the HJT/Comboscan report above, explorer is not running, which is why you have no desktop.

Also what are the contents of the text file?



I did try that, but explorer won't run, presumably because of the registry key that includes the wbjrwesa.txt reference

I am unable to read the wbjrwesa.txt (access denied!) - I wish I could, I'd love to know what sneaky little code is in there...

Thanks for the suggestions.
scotiabahn
QUOTE(login123 @ Mar 22 2007, 01:26 PM) [snapback]66331[/snapback]
FYI: I am running an HP computer, wxp up to date.
1. verclsid.exe is in system32,
2. there is a prefetch file for it,
3. and it is present in C:\WINDOWS\$hf_mig$\KB908531\SP2QFE.
4. Neither wbjrwesa.txt nor wbjrwesa is found on C: drive anywhere using windows explorer

No information about wbjrwesa found on google, dogpile, mama, ask.com, nor yahoo answers.

edit 22 mar 07: Also no information from computer associates virus info database.

Am running CCleaner V. 1.36.430. All applications are running OK. Makes me think the problem isn't verclsid. . .??

Good hunting, hope this helps. smile.gif



yes , I agree with you, verclsid almost certainly isn't the problem. I had it completely removed yesterday evening and I still had the problem. Like yourself, I can't find any reference to wbjrwesa.txt anywhere. I suppose the wretched thing could have been generated on my machine by something else... another of those great unknowns at the moment...

Thanks for the help.
rridgely
Hello, thanks for the combofix log.
Here is what I think should be done.

Anyone with this problem, start a new topic in the hijackthis log section. Post either a combofix log or a hijackthis log(if you can get it).
Try renaming hijackthis to family.exe.

Thanks.
AndyManchesta
Hi scotiabahn

Hazelnut asked me to check on this thread but I'm not sure at the moment if the malware has caused damage to the registry which is causing multiple problems or if it will be possible to clean it up.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
"Debugger"="\"c:\\windows\\system32\\wbjrwesa.txt\""

Now that's not nice blink.gif. It's lucky in a sense that it's not added a debugger value for an essential file such as winlogon.exe, as you then wouldn't have been able to log in when you moved the wbjrwesa.txt file. This reg key sets up another program to run as a debugger when the initial file (explorer.exe) is run, but Windows doesn't verify that it's a legit debugger; it just starts the file in the debugger value, and if that file is deleted then the file which has the debugger value will not run either. In this case, where the debugger value is a txt file, I would have expected it to show errors even if the file exists, like "explorer isn't a valid win32 application", because it's trying to load the txt file, and if the txt file is removed then explorer.exe will not run and will give a message similar to "Windows cannot find explorer.exe", so there may be other parts to this infection which are not showing up so far. The explorer.exe subkey isn't in the Image File Execution Options key by default so it's fine to remove it, but it does show that the machine has been infected.

To remove the value goto Start > Run and copy and paste this

reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" /f

Press OK and it will remove the key. You will not notice anything but the key will be removed; you can then attempt to move the txt file again and see if explorer loads on reboot. If it doesn't then there is something else protecting the reg entries or recreating it when it's removed. It may be easier to download process explorer from here to save having to keep rebooting

http://download.sysinternals.com/Files/ProcessExplorer.zip

Run the program and then run the above regfix, move the wbjrwesa.txt to your desktop, then right click explorer.exe in process explorer and choose restart. If it starts ok then the debugger value wasn't recreated, but if you get errors and explorer fails to restart then the debugger value is still present, so you will have to either run the reg fix again by using task manager > new task or put the file back into system32 while we check for other trojans that may be protecting it,


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = ht*p://morwillsearch.com/?adv_id=amandaxxx&sub_id=

I'm sure you didn't set morwillsearch as your default search page, as they have been associated with many trojans over the years, mostly CWS and clicker variants, but that could have been on your system for a long time so it may be unrelated. It's also in your IE trusted zone so that needs fixing,


O16 - DPF: {BED02A0F-05A1-4249-A49E-CD0D41A6A152} - ht*p://xearl.com/abd3bb87/sm/10031/1/xp/FastTeens.cab

This appears to be a pr0n dialer of some form which was probably installed without your consent, but the domain xearl.com is linked to gromozon infections which are very difficult to clean due to rootkits being installed. That infection only seems to target Italian IP addresses, but with it being present on your system you will have to run a couple of rootkit scans to make sure it's clear. You can get more info on gromozon here

http://www.prevx.com/gromozon.asp


O20 - Winlogon Notify: disk - C:\WINDOWS\system32\diskperff.dll (file missing)

Another trojan entry. The file looks like it's already been removed at some stage but it's left the registry entry behind. I think it's a variant of VIPSearcher but it may be a Delf trojan

http://research.sunbelt-software.com/threa...;threatid=40085


Please post the logs from these below steps into a new topic on the HijackThis forum Here, as this looks more like malware damage rather than CCleaner failing. If you cannot extract HijackThis then download the Trend Micro .exe version from here

http://www.trendsecure.com/portal/en-US/th...JackThis_v2.exe

Run Hijack This and choose Do A System Scan then place a check next to these entries

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = h*tp://morwillsearch.com/?adv_id=amandaxxx&sub_id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: (no name) - {B35C1E01-EB19-D484-5BA5-B1B1FAF1F1FB} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O15 - Trusted Zone: *.morwillsearch.com
O16 - DPF: {BED02A0F-05A1-4249-A49E-CD0D41A6A152} - ht*p://xearl.com/abd3bb87/sm/10031/1/xp/FastTeens.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - ht*p://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: disk - C:\WINDOWS\system32\diskperff.dll (file missing)

Close all open browser and other windows except for Hijack This and press the Fix Checked button

Optional Fix

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

This is a lock on your homepage to prevent it being changed; the buttons in Internet Options to change it will be grayed out on the homepage part. If you or a protection program added the homepage lock then it can be ignored, but if not then it can be fixed with HijackThis

Download the Gromozon remover from Here and run it just to make sure there isn't an infection present,

Download win32delfkil.exe.
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil.
Close all windows, open the win32delfkil folder and double click on fix.bat.
The computer will reboot automatically.
Post the contents of the logfile c:\windelf.txt into your new HijackThis topic smile.gif

Download Blacklight beta HERE and save it to your desktop.
Run the program, accept statement > click next then scan
When it's finished scanning exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' which will save to the same location as the blbeta.exe file.

Finally, if you're able to, please do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please then start a new topic in the HijackThis forum, post the windelf.txt, blacklight log if it finds hidden files and the Kaspersky log,

Let us know if you have problems

Regards

Andy
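As an added illustration of the IFEO "Debugger" mechanism Andy describes above (this is not code from the thread or from any of the tools it mentions), here is a small Python 3 script that parses a .reg-style export like the ComboScan excerpt and flags every Debugger value under an Image File Execution Options subkey whose target is not a recognised debugger executable. The sample export and the allow-list of debugger binaries are constructed for this example.

```python
"""Flag IFEO 'Debugger' hijacks in a .reg-style registry export (Python 3)."""
import re
from typing import Dict, List

# Constructed sample in the same format as the ComboScan excerpt above:
# a hijacked explorer.exe entry and a plausible ntsd.exe setting for notepad.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
"Debugger"="\"c:\\windows\\system32\\wbjrwesa.txt\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\notepad.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools\\ntsd.exe\" -g -G"
'''

# Assumed allow-list of debuggers one would expect here; extend for your site.
KNOWN_DEBUGGERS = {"ntsd.exe", "cdb.exe", "windbg.exe", "vsjitdebugger.exe"}
IFEO_MARKER = "\\image file execution options\\"   # must appear in the key path

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')      # REG_SZ values only


def unescape_reg(data: str) -> str:
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r"\1", data)


def debugger_program(cmdline: str) -> str:
    """Return the program path from a Debugger command line (quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def assess(program: str) -> List[str]:
    """Why this Debugger target looks suspicious; empty list means plausible."""
    name = program.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if not name.endswith(".exe"):
        return ["debugger target is not an executable (%s)" % name]
    if name not in KNOWN_DEBUGGERS:
        return ["unrecognised debugger binary (%s)" % name]
    return []


def find_ifeo_debuggers(reg_text: str) -> List[Dict]:
    """Walk the export and collect every Debugger value under an IFEO subkey."""
    findings, current_key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        if section:
            current_key = section.group(1)
            continue
        if current_key is None or IFEO_MARKER not in current_key.lower():
            continue
        value = VALUE_RE.match(line)
        if not value or value.group(1).lower() != "debugger":
            continue
        image = current_key.rsplit("\\", 1)[-1]          # e.g. explorer.exe
        program = debugger_program(unescape_reg(value.group(2)))
        findings.append({"image": image, "debugger": program,
                         "reasons": assess(program)})
    return findings


if __name__ == "__main__":
    for f in find_ifeo_debuggers(SAMPLE_REG):
        status = "SUSPICIOUS" if f["reasons"] else "review"
        print(status, f["image"], "->", f["debugger"], "; ".join(f["reasons"]))
```

Entries with an empty reasons list are still worth a manual look, since a legitimate debugger name can be reused by an attacker.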
scotiabahn
Andy,

many thanks for all that and I'll work my way through this asap, although I'm afraid work will get in the way for most of the day... My one query at this point is whether this should go on the HijackThis forum rather than CCleaner, I'm not sure I see the advantage in that, the history is here. I admit my description 'CCleaner failing' isn't very descriptive, but that's all I knew at the time. This malware is certainly targeting specific applications, particularly CCleaner, as well as HijackThis and Comboscan at least, but ignoring others (don't like to write their names in case 'they' improve their malware... not that I'm getting paranoid or anything...)

Thanks again, I'll get started on this later today...

scotiabahn
QUOTE(rridgely @ Mar 22 2007, 10:54 PM) [snapback]66366[/snapback]
...Try renaming hijackthis to family.exe.

Thanks.


Thanks for the suggestion, but is there anything special about renaming hijackthis to family.exe? Way back in the discussion, you will see, there were a few attempts with renamed files that still got bounced - I can only assume that this malware can see some internal naming or descriptor.

Thanks again.
fireryone
QUOTE
QUOTE
QUOTE(rridgely @ Mar 22 2007, 10:54 PM) ...Try renaming hijackthis to family.exe.


Thanks.


Thanks for the suggestion, but is there anything special about renaming hijackthis to family.exe? Way back in the discussion, you will see, there were a few attempts with renamed files that still got bounced - I can only assume that this malware can see some internal naming or descriptor.

Thanks again.


No, it's the same as renaming it earlier, I don't believe there is any significance to family.exe (correct me if I'm wrong laugh.gif ).

--

If Andy's suggestion doesn't work (for some reason),

You may be able to remove some stuff with a live boot CD (a la BartPE) or a Linux live CD (if you understand a Linux environment).

You could use a BartPE boot disk to check the contents of that file and remove infections.
There are many programs (called plugins) you can include on the disk along with the bootable Windows-like environment.

links:
BartPE Home Page
Download BartPE
Download Plugins


NOTE:
If this seems too over your head feel free to wait for other suggestions.
scotiabahn
QUOTE(fireryone @ Mar 23 2007, 10:24 AM) [snapback]66394[/snapback]
Thanks for the suggestion, but is there anything special about renaming hijackthis to family.exe? Way back in the discussion, you will see, there were a few attempts with renamed files that still got bounced - I can only assume that this malware can see some internal naming or descriptor.

Thanks again.
No, it's the same as renaming it earlier, I don't believe there is any significance to family.exe (correct me if I'm wrong laugh.gif ).

--

If Andy's suggestion doesn't work (for some reason),

You may be able to remove some stuff with a live boot CD (a la BartPE) or a Linux live CD (if you understand a Linux environment).

You could use a BartPE boot disk to check the contents of that file and remove infections.
There are many programs (called plugins) you can include on the disk along with the bootable Windows-like environment.

links:
BartPE Home Page
Download BartPE
Download Plugins
NOTE:
If this seems too over your head feel free to wait for other suggestions.



over my head - could be... unsure.gif

this definitely isn't an area where I have a great deal of expertise, but I'll have a crack at this after I've had a go at Andy's suggestions... should keep me out of mischief for a while rolleyes.gif
MikeW
QUOTE(scotiabahn @ Mar 23 2007, 07:55 AM) [snapback]66384[/snapback]
Andy,

many thanks for all that and I'll work my way through this asap, although I'm afraid work will get in the way for most of the day... My one query at this point is whether this should go on the HijackThis forum rather than CCleaner, I'm not sure I see the advantage in that, the history is here. I admit my description 'CCleaner failing' isn't very descriptive, but that's all I knew at the time. This malware is certainly targeting specific applications, particularly CCleaner, as well as HijackThis and Comboscan at least, but ignoring others (don't like to write their names in case 'they' improve their malware... not that I'm getting paranoid or anything...)

Thanks again, I'll get started on this later today...


The reason Andy asked you to put all further logs into the Hijackthis forum, is because you will only get help from the 'appointed Malware experts' rather than lots of diverse ideas from other well meaning members or visitors.

Please follow Andy's advice, he is among the best of the Malware fighters.

Mike
hazelnut
Can I just clear up something Scot, Andy is asking you to post the log on our forum here on CCleaner in the hijackthis
section here under "new topic"


http://forum.piriform.com/index.php?showforum=12

scotiabahn
QUOTE(MikeW @ Mar 23 2007, 11:23 AM) [snapback]66400[/snapback]
The reason Andy asked you to put all further logs into the Hijackthis forum, is because you will only get help from the 'appointed Malware experts' rather than lots of diverse ideas from other well meaning members or visitors.

Please follow Andy's advice, he is among the best of the Malware fighters.

Mike


that makes sense...

now that's an impressive title - 'appointed malware expert'... coo, wish I had that on my c.v. laugh.gif

actually, no I don't, this stuff makes my head hurt blink.gif
scotiabahn
QUOTE(hazelnut @ Mar 23 2007, 11:31 AM) [snapback]66403[/snapback]
Can I just clear up something Scot, Andy is asking you to post the log on our forum here on CCleaner in the hijackthis
section here under "new topic"
http://forum.piriform.com/index.php?showforum=12



okey-dokey, will do, when I get a chance later today hopefully...
MikeW
QUOTE(scotiabahn @ Mar 23 2007, 11:53 AM) [snapback]66406[/snapback]
that makes sense...

now that's an impressive title - 'appointed malware expert'... coo, wish I had that on my c.v. laugh.gif

actually, no I don't, this stuff makes my head hurt blink.gif



Me too laugh.gif good luck with the quest
scotiabahn
QUOTE(AndyManchesta @ Mar 23 2007, 04:27 AM) [snapback]66382[/snapback]
...

To remove the value goto Start > Run and copy and paste this

reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe" /f

Press OK and it will remove the key. You will not notice anything but the key will be removed; you can then attempt to move the txt file again and see if explorer loads on reboot. If it doesn't then there is something else protecting the reg entries or recreating it when it's removed. It may be easier to download process explorer from here to save having to keep rebooting

http://download.sysinternals.com/Files/ProcessExplorer.zip

Run the program and then run the above regfix, move the wbjrwesa.txt to your desktop, then right click explorer.exe in process explorer and choose restart. If it starts ok then the debugger value wasn't recreated, but if you get errors and explorer fails to restart then the debugger value is still present, so you will have to either run the reg fix again by using task manager > new task or put the file back into system32 while we check for other trojans that may be protecting it,

...

Let us know if you have problems

Regards

Andy



Andy,

I've made a start on this but not produced any logs yet to put on the other forum section. I just wanted to report back on this bit. The reg delete worked and I moved the file to my desktop and rebooted, hey presto, no desktop as before. I used Taskmgr 'Run' to get command working and to shift the txt file back to system32 and I got my desktop back after another reboot. The interesting thing is that the registry is still clean, the debugger value hasn't been reinstated...

Not sure what that means, will go play with the rest of the utilities (which will probably mean moving the stupid file again because it doesn't like HijackThis at least...)

Hopefully, next entry will be in HijackThis section...

Thanks


Steve
Invision Power Board © 2001-2010 Invision Power Services, Inc.