Hello, I've Been Infected With 'webbuying.exe' And "bad Image -wowfx.dll" Errors

2 replies to this topic

#1 recordpusher


  • Members
  • 4 posts
  • Local time:04:47 AM

Posted 06 January 2008 - 04:52 PM

I'm running Windows XP Professional and yesterday I started getting all kinds of pop-ups (they are so bad that I can hardly see anything on my desktop). I see that it installed a "Web Buying" folder in my program folder, and all kinds of ads keep coming up.

I am also getting this in the middle of my screen:
"javaw.exe -Bad Image:
"......G:\WINDOWS\system32\wowfx.dll is not a valid windows image..."

No matter how many times I close that error message, it keeps popping up.

I ran HijackThis and below are the results. Any help is greatly appreciated, thanks.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:16:33 PM, on 1/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Boot mode: Normal

Running processes:
G:\Program Files\Network Monitor\netmon.exe
G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
G:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
G:\Program Files\Trend Micro\Antivirus\tmproxy.exe
G:\Program Files\Viewpoint\Common\ViewpointService.exe
G:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
G:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
G:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
G:\Program Files\iTunes\iTunesHelper.exe
G:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
G:\Program Files\Zune\ZuneLauncher.exe
G:\Program Files\Trend Micro\Antivirus\pccguide.exe
G:\Program Files\Trend Micro\Antivirus\PCClient.exe
G:\Program Files\Trend Micro\Antivirus\TMOAgent.exe
G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
G:\Program Files\kernel\kernel.exe
G:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
G:\Program Files\Analog Devices\SoundMAX\Smax4 .exe
G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA .EXE
G:\Program Files\Zune\ZuneLauncher .exe
G:\Program Files\iTunes\iTunesHelper .exe
G:\WINDOWS\lsass .exe
G:\Program Files\Trend Micro\Antivirus\TMOAgent .exe
G:\Program Files\Trend Micro\Antivirus\PCClient .exe
G:\Program Files\kernel\kernel .exe
G:\WINDOWS\avp .exe
G:\Program Files\Trend Micro\Antivirus\pccguide .exe
G:\Program Files\Analog Devices\SoundMAX\SMax4PNP .exe
G:\Program Files\iPod\bin\iPodService.exe
G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
G:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
G:\Program Files\Internet Explorer\IEXPLORE.EXE
G:\Program Files\Microsoft ActiveSync\wcescomm.exe
G:\Program Files\Microsoft ActiveSync\wcescomm .exe
G:\Documents and Settings\Sandman\Desktop\HJTInstall.exe
G:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: Shell=Explorer.exe G:\WINDOWS\shell.exe
F3 - REG:win.ini: load=G:\WINDOWS\system32\mllji.exe
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - G:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - g:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] G:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "G:\Program Files\Analog Devices\SoundMAX\Smax4 .exe" /tray
O4 - HKLM\..\Run: [NeroCheck] G:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] G:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [QuickTime Task] "G:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "G:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "G:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "G:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Zune Launcher] "G:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [runner1] G:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [avp] G:\WINDOWS\avp .exe
O4 - HKLM\..\Run: [pccguide.exe] "G:\Program Files\Trend Micro\Antivirus\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "G:\Program Files\Trend Micro\Antivirus\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "G:\Program Files\Trend Micro\Antivirus\TMOAgent.exe" /run
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [lsass] G:\WINDOWS\lsass .exe
O4 - HKLM\..\Run: [Printer] G:\WINDOWS\system32\printer.exe
O4 - HKCU\..\Run: [ctfmon.exe] G:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "G:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [StartCCC] G:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [Aim6] "G:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [swg] G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WebBuying] G:\Program Files\Web Buying\v1.8.6\webbuying.exe
O4 - HKCU\..\Run: [Wsre] "G:\DOCUME~1\Sandman\APPLIC~1\FNTS~1\javaw.exe" -vt yazb
O4 - HKCU\..\Run: [kernel] G:\Program Files\kernel\kernel.exe
O4 - HKCU\..\Run: [Spoolsv] G:\WINDOWS\system32\spoolvs.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-507921405-2139871995-839522115-1005\..\Run: [] (User 'Kyra')
O4 - HKUS\S-1-5-21-507921405-2139871995-839522115-1005\..\Run: [swg] G:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Kyra')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O4 - Startup: findfast .exe
O4 - Startup: findfast.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = G:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: autorun.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - G:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - G:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - G:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - G:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - G:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.2) - http://javadl-esd.sun.com/update/1.4...ndows-i586.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/40...rk/Coupons.cab
O20 - AppInit_DLLs: G:\WINDOWS\system32\wowfx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - G:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - G:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - G:\WINDOWS\U2FuZG1hbg\command.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - G:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - G:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - G:\Program Files\Network Monitor\netmon.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - G:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - G:\Program Files\Trend Micro\Antivirus\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - G:\Program Files\Trend Micro\Antivirus\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - G:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - G:\Program Files\Windows NT\pronyka.html

End of file - 10219 bytes



#2 recordpusher

  • Topic Starter

  • Members
  • 4 posts
  • Local time:04:47 AM

Posted 07 January 2008 - 01:44 PM

Do you think I should run 'combofix?' In searching this topic, that is what I see most people doing. But I'm not too familiar with it. Will that solve the problem, or will more steps be involved?

Thanks in advance....

#3 Yourhighness


    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg
  • Local time:10:47 AM

Posted 24 January 2008 - 10:19 AM

Hello recordpusher and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. ComboFix should only be run under the guidance of a trained helper, as it involves some advanced steps and you can do serious harm to your PC.

If you are still having problems please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A Hijackthis Log.



"How did I get infected?" - "Safe-hex" - Member of UNITE -