Post #1, PaladinDuran, Jul 8 2009, 09:50 AM
New Member | Group: Members | Posts: 3 | Joined: 8-July 09 | Member No.: 349,735
Hi. I'm also new to BleepingComputer.com. Right now I have the same problem as Rixanu. My task manager showed me a process called "wiawow32.sys" and a random-letter program running. The first thing I did, attempting to remove it, was search for the process name with F3 and delete the results I found. The process and the program are gone, but after reading this thread, I don't think I removed the whole thing. Since I got wiawow32.sys, my AVG Free and Symantec have been finding and blocking processes (sorry, I forgot the names of the processes). My computer also froze a lot. I followed the steps provided by boopme. I ran MBAM, then RootRepeal. So right now I really want to get rid of this thing. Can someone tell me what else I need to do?
OS: Windows XP Professional

Here are the logs from the two programs:

MBAM:

Malwarebytes' Anti-Malware 1.38
Database version: 2392
Windows 5.1.2600 Service Pack 3

7/7/2009 3:49:09 PM
mbam-log-2009-07-07 (15-49-09).txt

Scan type: Quick Scan
Objects scanned: 86605
Time elapsed: 4 minute(s), 53 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
C:\WINDOWS\system32\sopidkc.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sopidkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sopidkc (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sopidkc (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\sopidkc.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\tmp0_52790217533.bk.old (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\txpxr_554545777921.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\WLAZ4HEJ\w[1].bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.

RootRepeal:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/07 15:25
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: brbvhau.sys
Image Path: brbvhau.sys
Address: 0xBA0A8000
Size: 61440
File Visible: No
Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8A67000
Size: 98304
File Visible: No
Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA5D2000
Size: 8192
File Visible: No
Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA7DAF000
Size: 49152
File Visible: No
Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\user\Desktop\CA6VSXMN.
Status: Locked to the Windows API!

Path: C:\Documents and Settings\user\Desktop\Games:Zone.Identifier
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\user\Local Settings\Temp\Temporary Internet Files\Content.IE5\5MVT7BPW\main_188;sz=300x250;plid=AARtR8ZYgqgyxBFO;kl=N;!c=188;kbz=1;klg=en;kvid=hS9Iyo4nFBk;kpu=itn;khd=0;kt=K;ko=p;kpid=188;kga=-1;kr=A;u=hS9Iyo4nFBk_188;kgg=-1;kcr=us;afv=1;custp=[1].htm
Status: Locked to the Windows API!

Path: C:\Documents and Settings\user\Local Settings\Temp\Temporary Internet Files\Content.IE5\OHIN45QN\main_188;sz=300x250;plid=AARtR8Eh9uPhhQhu;kl=N;!c=188;klg=en;kvid=ygcBtFhUHn4;kpu=WorldNewsDaily;khd=0;kt=K;ko=c;kpid=188;kga=-1;kr=H;kp=1;u=ygcBtFhUHn4_188;kgg=-1;kcr=us;af[1].htm
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x89cf9640

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x89c590a8

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x89baad78

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x89b93e00

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x89b9f008

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x89b78108

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x89b64f78

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x89b85a08

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x89b8aca8

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x89dada48

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x89ce37f0

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x89ba10a8

#: 129 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x89ba2ab0

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x89854860

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x89d2b920

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x89b5cf20

#: 229 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x89b5de80

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x89cfb7b0

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x89d17110

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x89855860

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x89d5f428

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x89e196a0

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x89baabf8

Stealth Objects
-------------------
Object: Hidden Thread [ETHREAD: 0x88fa94e0, TID: 3420]
Process: TeaTimer.exe (PID: 2464)
Address: 0x05734f74
Size: -

Hidden Services
-------------------
Service Name: msncache
Image Path: %SystemRoot%\system32\svchost.exe -k netsvcs

==EOF==
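As an added example, not part of the original post and not code from the RootRepeal tool, the script below parses a RootRepeal report laid out like the one posted above and pulls out the three findings that matter for triage: loaded drivers whose file is not visible and whose image path is a bare name, SSDT entries hooked by an unattributed module, and services the scanner reports as hidden. SAMPLE_LOG is a constructed excerpt built from entries in the posted log. Two things are assumptions: that a real report keeps one "Key: value" pair per line with records separated by blank lines, and the allow-list of drivers expected to have no visible file (the in-memory dump_* copies of the boot storage stack that Windows keeps for crash dumps, plus RootRepeal's own driver).

```python
import re

# Constructed excerpt modelled on the RootRepeal entries posted above.
# Assumption: a real report puts each "Key: value" on its own line and
# separates records with a blank line; adjust parse_sections() if not.
SAMPLE_LOG = """\
Drivers
-------------------
Name: brbvhau.sys
Image Path: brbvhau.sys
Address: 0xBA0A8000
Size: 61440
File Visible: No
Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xA8A67000
Size: 98304
File Visible: No
Signed: -
Status: -

SSDT
-------------------
#: 053
Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x89b78108

#: 257
Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x89855860

Hidden Services
-------------------
Service Name: msncache
Image Path: %SystemRoot%\\system32\\svchost.exe -k netsvcs
==EOF==
"""

RULE = re.compile(r"-{3,}$")          # the dashed line under a section title

# Assumption: drivers legitimately loaded with no visible file. Windows keeps
# in-memory "dump_*" copies of the boot storage stack for crash dumps, and
# RootRepeal loads its own scanning driver.
EXPECTED_INVISIBLE = {"rootrepeal.sys"}


def parse_sections(text):
    """Return {section: [record, ...]}; a record is the dict of 'Key: value'
    lines in one blank-line-separated block."""
    sections, current, record = {}, None, {}
    lines = text.splitlines()

    def flush():
        nonlocal record
        if record and current is not None:
            sections[current].append(record)
        record = {}

    for i, line in enumerate(lines):
        stripped = line.strip()
        following = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if stripped and RULE.match(following):        # section title
            flush()
            current = stripped
            sections[current] = []
        elif not stripped or stripped == "==EOF==":   # record boundary
            flush()
        elif current is not None and not RULE.match(stripped):
            key, sep, value = line.partition(":")
            if sep:
                record[key.strip()] = value.strip()
    flush()
    return sections


def suspicious_drivers(records):
    """Loaded drivers with no visible file and a bare image path (no directory),
    minus the ones expected to look that way."""
    found = []
    for r in records:
        name = r.get("Name", "").lower()
        if r.get("File Visible", "").lower() != "no":
            continue
        if name.startswith("dump_") or name in EXPECTED_INVISIBLE:
            continue
        if "\\" not in r.get("Image Path", ""):
            found.append(name)
    return found


def unknown_ssdt_hooks(records):
    """SSDT entries whose hooking module RootRepeal could not attribute."""
    return [r["Function Name"] for r in records
            if "Function Name" in r and "<unknown>" in r.get("Status", "")]


def hidden_services(records):
    """Services RootRepeal lists under its Hidden Services section."""
    return [r["Service Name"] for r in records if "Service Name" in r]


def triage(text):
    s = parse_sections(text)
    return {
        "drivers": suspicious_drivers(s.get("Drivers", [])),
        "ssdt_hooks": unknown_ssdt_hooks(s.get("SSDT", [])),
        "hidden_services": hidden_services(s.get("Hidden Services", [])),
    }


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(f"{kind}: {', '.join(items) or 'none'}")
```

On the constructed excerpt this reports brbvhau.sys, the two unattributed hooks, and msncache. One caveat when reading the real log: hooks on the process and thread syscalls (NtCreateThread, NtTerminateProcess, NtWriteVirtualMemory and the like) are also placed by anti-virus and HIPS products, and this machine is running AVG, Symantec and Spybot's TeaTimer, so a long list of "<unknown>" SSDT hooks on its own is weak evidence. The entries worth chasing are the driver that is loaded but has no file on disk and no directory in its image path, and the hidden service hosted by svchost.exe.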
Replies in this topic (previews):
PaladinDuran, "wiawow32.sys", Jul 8 2009, 09:50 AM
boopme, "Hello, I split you to your own topic as that one i...", Jul 8 2009, 10:06 AM
PaladinDuran, "Ok. I did as you said. My Spybot scan didn't...", Jul 8 2009, 12:55 PM
boopme, "Hi, Can you submit this file for a second opinion?...", Jul 8 2009, 02:32 PM
PaladinDuran, "Sorry. I've been away from the computer a few...", Jul 11 2009, 04:02 PM
boopme, "OK, in the meantime have him run Dr.Web. Before we ...", Jul 11 2009, 07:06 PM