Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.



  • Please log in to reply
4 replies to this topic

#1 Alohakakou


  • Members
  • 5 posts
  • Local time:02:49 AM

Posted 18 April 2013 - 02:30 AM

I can't seem to track down where the call is coming from for wow.dll. I get a message on startup: C:\Users\User\AppData\Local\Temp\sxmretq\sbdpwsu\wow.dll.

I've searched the registry, disabled startup items in msconfig, scanned with many different antiviruses. During scanning, a trojan was found and deleted, along with spyware. I'm attaching the hjt log. Thanks for any help.

Edited by hamluis, 18 April 2013 - 11:12 AM.
Moved from Win 7 to Am I Infected - Hamluis.

BC AdBot (Login to Remove)


#2 noknojon


  • Banned
  • 10,871 posts
  • Gender:Not Telling
  • Local time:10:49 PM

Posted 18 April 2013 - 02:53 AM

Hi -

Please do not add any HJT Logs in this area of the forum. They will be removed -


It sounds like you have a 64bit system as "wow" means Windows on Windows and allows you to use 32bit programs.


If you are searching for a file for  a specific reason, ignore the WOW and go back beyond that -

In your case you are looking for > > C:\Users\User\AppData\Local\Temp\sxmretq\sbdpwsu which looks like a very odd Temp File ??


Ask in the Am I Infected area if you wish to see if this is an infection and you will get help there -


Thank You -

#3 dsdepew


  • Members
  • 2 posts
  • Gender:Male
  • Local time:05:49 AM

Posted 19 April 2013 - 09:10 PM

I am also getting the same type of pop-up message upon bootup.  The only difference is the gobblebygook names of the subfolders under Temp on my computer are sybpqcb\sqxbxco.  This event first occurred yesterday, however the Norton Internet Security on my unit got rid of the wow.dll trojan.  I contact Norton this morning but the tech representative wasn't much help.  I did a file search and found two with the same date and time as when Norton quarantined the trojan.  They are:



I could not find any correlation between these and wow.dll.

#4 narenxp


  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India
  • Local time:07:49 AM

Posted 20 April 2013 - 05:51 AM

  • Please download TDSSKiller from here and save it to your Desktop
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters


  • Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example)
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now


  • Click Start Scan and allow the scan process to run
  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue

  • Click Reboot computer
  • Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically c:\)in your reply
  • Due to forum upgrade you may face issues posting the TDSSkiller log.Just last few lines of log is sufficient


  • Please download Rkill by Grinler from one of the 4 links below (if one of them does not work try another.) and save it to your desktop:
  • Link 1
  • Link 2

  • In order for Rkill to run properly you must disable your anti-malware software. Please refer to this page if you are not sure how.
  • Double-click on Rkill. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • Note: You may have to run Rkill a few times before it is successful. You may also have to download Rkill from a different link which will save it as a different file name.
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • An Rkill.log will appear. Please copy and paste the contents in your reply (file also located at c:\rkill.log)
  • Do not reboot your computer after running Rkill as the malware programs will start again. If your computer reboots, run Rkill again before continuing on to the next step.
  • If nothing happens or if the tool does not run, please let me know in your next reply.


ESET Online Scanner

I'd like us to scan your machine with ESET OnlineScan This process may may take several hours, that is normal
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)


    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.

  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology

  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. Note: If no malware was found you will not get a log.
  • Click the Back button.
  • Click the Finish button


Junkware Removal Tool by thisisu
  • Please download Junkware Removal Tool
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Right-mouse click JRT.exe and select Run as administrator (Windows XP double click the icon)
  • Please allow the program time to run
  • Once completed a Notepad document will open on your desktop
  • Copy and paste the contents in your reply.

Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:
  • TDSSKiller log
  • RKILL log
  • ESET log
  • Junkware removal tool log


#5 dsdepew


  • Members
  • 2 posts
  • Gender:Male
  • Local time:05:49 AM

Posted 22 April 2013 - 03:00 PM

This is a follow-up to my entry on 4/19/13.  I did a system restore on my computer, going back to before when the wow.dll incident first happened.  This did the trick.  A key feature of a system restore is that Windows resets the registry to the way it was on that particular date and time (in my case, I went back to April 11).  The price I had to pay was that Windows (my system is Windows 7 Home Premium) reinstalled the six updates of April 11th (no big deal; just waited about 10-15 minutes for the updates to install after shutting down) and that Norton Internet Security had to do a Live Update and reset its anti-virus, anti-spyware & sonar.


In fact, it was Norton's quarantining of the wow.dll trojan that caused the pop-up message problem, i.e., while NIS quashed the trojan's phishing effects (it looks for personal banking & related info), it did not erase or correct the side effects of the trojan's invasion.  Norton has yet to admit that their software is to blame (at least it deserves a co-blame along with the perpetrator of the trojan).  I will drop all the gory details on Norton when I complete their survey.  In short, they need to update their NIS software so that if correctly eliminates threats without messing up the registry.  I know they continually update their software, so hopefully they'll take my upcoming feedback correctly.


Finally, I am not saying that BD Advisor's recommendation of using Kaspersky's TDSSKiller doesn't work.  In fact, if my attempt of doing the system restore did not work, this was going to be my next step.  I am just leery of going into the registry to do manual edits - I'm not that computer savvy.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users