Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Please Help... Possible, Trojan Horse Downloader.wimad.e From Infected .mp3

  • This topic is locked This topic is locked
2 replies to this topic

#1 LukeOR


  • Members
  • 6 posts
  • Local time:01:33 AM

Posted 26 May 2008 - 02:21 AM

Hi Guys, I'm pretty new to posting so I hope this turns out right.. My problem is this - I have

downloaded an .mp3 from limewire. When clicked to play ( a few times ) nothing was happening.

That made me curious so I scanned it with AVG and found it infected with " Trojan horse

Downloader.Wmad.E " So I researched a bit online, and most people were saying as long as people

weren't agreeing to a install something from some window that would pop up, they would be fine. Now like I

said, I had tried to open the file numerous times but never seen anything come up. I have noticed

my computer slow a bit since I bought it, but this could be from all programs and crap I've installed

( I think ). So I would be greatly appreciative to anyone who could give me some advise.

Computer Is - Windows Vista Home Premium, HP Pavilion dv9000, AMD Athlon™ 64 X2 Dual-Core

Processor TK-53 1.70 GHz, 1982 MB RAM, 32-bit.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:45 AM, on 5/26/2008
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16643)
Boot mode: Normal

Running processes:
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch

Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health

O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless

O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -

O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software

O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\windows sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -

O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe

/detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe

oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE

O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe

/detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE

(User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE

(User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} -

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} -

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1

O13 - Gopher Prefix:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} -
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program

Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile

Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1

O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7

O23 - Service: BNYZAQBG - Unknown owner -

C:\Users\Luke\AppData\Local\Temp\BNYZAQBG.exe (file missing)
O23 - Service: CAJG - Unknown owner - C:\Users\Luke\AppData\Local\Temp\CAJG.exe (file

O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program

Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game

O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-

Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program

Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-

Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common

O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner -

C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0

O23 - Service: Steam Client Service - Unknown owner - C:\Program Files\Common

Files\Steam\SteamService.exe (file missing)
O23 - Service: Stardock WindowBlinds (WindowBlinds) - Unknown owner - C:\PROGRA~1

\Stardock\OBJECT~1\WINDOW~1\VistaSrv.exe (file missing)
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32


End of file - 8978 bytes


Again I hope this posting turns out all right and apologize to everyone if it dont, Also, thank you

ahead of time to anyone willing to help... Luke

BC AdBot (Login to Remove)



#2 ken545


    Malware Response Team

  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:03:33 AM

Posted 26 June 2008 - 03:55 AM

Hello LukeOR

Welcome to the Bleeping Computer Malware Removal Forum, sorry about the delay, but the amount of people posting with infected computers is through the roof and sometimes we can't get to logs as fast as we would like to. If you have not resolved your issue and still need assistance, post a new HJT log please as your system may have changed since your original post. With the amount of people posting a log may occasionally fall through the cracks as it appears yours may have done.

Your log is unreadable the way you posted it, do it this way please.
  • Open HJT Scan and Save a Log File, it will open in Notepad
  • Go to Format and make sure Wordwrap is Unchecked
  • Go to Edit> Select All.....Edit > Copy and Paste the new log into this thread by using the Post Reply and not start a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014

donate.gif Please consider a donation to help me keep up my fight against malware.


Just a reminder that threads will be closed if no response in 3 days

#3 ken545


    Malware Response Team

  • Malware Response Team
  • 1,685 posts
  • Gender:Male
  • Location:The Space Coast of Florida
  • Local time:03:33 AM

Posted 07 July 2008 - 03:50 AM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a Staff member. Include the address of this thread in your request. This applies only to the original topic starter. Should you have a new issue, please start a New Topic.

mvp_host.pngConsumer Security 2007-2008-2009-2010-2011-2012-2013-2014

donate.gif Please consider a donation to help me keep up my fight against malware.


Just a reminder that threads will be closed if no response in 3 days

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users