
How to delete folders used in wow.dll malware?



#1 sprocket10


Posted 28 April 2013 - 01:35 AM

Hello,

 

I'm having the wow.dll trojan problem several other people have commented on here:

http://www.bleepingcomputer.com/forums/t/492040/wowdll/

http://www.bleepingcomputer.com/forums/t/492039/wowdll/

http://spywarehammer.com/simplemachinesforum/index.php?topic=14289.0

 

The malware has created an encrypted folder at:

C:\User\Username\AppData\local\temp\seprmou\

with the wow.dll and wow64.dll

 

I have followed some of the responses here by performing several scans and I thought I had removed the threat using SuperAntiSpyware. 

 

Then, I ran Malwarebytes Anti-Malware and it picked up the threat again. My next plan was to scan and then shred the encrypted folder using Spybot's Secure Shredder, but I got an error saying I didn't have access. I am the administrator on this machine.

 

Every time I log in, Windows wants me to back up my encryption keys (which clued me into the problem). Stopping the malware doesn't seem to be a problem; it's stopping the threat AND deleting the encrypted file!

 

I've about exhausted all my computer malware elimination skills here... What should I do?



#2 sprocket10


Posted 28 April 2013 - 01:35 PM

Hello all,

 

I was able to get this problem resolved and I wanted to update everyone to the fix in case someone else has this problem in the future.  As I mentioned before, eliminating the malware is not really the issue here.  Several programs can do it, but this malware adds a folder of random characters to your:

C:\Users\Username\AppData\Local\Temp   directory (I'm using Windows 7 Pro 64bit)

These folders are encrypted, and because I hadn't used encryption on my machine before, Windows had a popup message asking me to back up my encryption keys. This was my clue that something was still wrong here.

 

My first plan was to use Spybot's Secure Shredder to destroy the files, but when I tried to open them, I got a message saying I didn't have the permissions required. Ultimately, this is the guide I SHOULD HAVE used to solve the problem in order:

http://malwaretips.com/blogs/malware-removal-guide-for-windows/

 

Although my order of running programs was:

SuperAntiSpyware (initial scan picked up the problem and fixed)

ComboFix

TDSSKiller

JunkwareRemovalTool

MBAM

RogueKiller

 

From what I can tell, the RogueKiller is what I really needed as a registry entry was preventing me from deleting the leftover folders.  All the other programs I tried were from reading other threads about this problem on this forum and others.  I had downloaded RogueKiller64.exe from a different site and whenever I did the Prescan the program just stalled for an hour before I decided to manually kill it.  The link above just has RogueKiller.exe and it worked great.

 

After running RogueKiller I could now SEE the greentext folder of random characters in the directory mentioned above.  I simply trashed it and emptied the recycle bin.  I could not add to the Secure Shredder because there was nothing inside it, just an empty encrypted folder.  I used the VBS script outlined here to check for other encrypted files (in my case this malware was the only one):

http://it-solutions-uk.blogspot.com/2011/03/how-to-efs-files-and-folders.html

 

When it returned 0 encrypted files I knew it was fixed!

 

Good luck!
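
Added example (not part of the original posts, and not the VBS script linked above): a PowerShell sketch of the same check, listing items that carry the EFS "Encrypted" attribute under the Temp directory described in the post and flagging encrypted folders that are empty or unreadable. The function name `Find-EfsItem` and the output column names are hypothetical; the default root assumes the script runs in the affected user's session.

```powershell
# Added example: find EFS-encrypted files and folders under a root directory.
# Find-EfsItem is a hypothetical helper name, not part of any tool named in the thread.
function Find-EfsItem {
    param(
        # Assumption: default to the current user's Temp directory, where the
        # leftover folder was reported. Pass $env:USERPROFILE for a wider scan.
        [string]$Root = (Join-Path $env:LOCALAPPDATA 'Temp')
    )

    $encrypted = [System.IO.FileAttributes]::Encrypted

    # -Force includes hidden and system items; unreadable paths are collected
    # in $denied instead of stopping the scan.
    Get-ChildItem -LiteralPath $Root -Recurse -Force `
            -ErrorAction SilentlyContinue -ErrorVariable denied |
        Where-Object { $_.Attributes -band $encrypted } |
        ForEach-Object {
            $kind = 'file'
            if ($_.PSIsContainer) {
                try {
                    # An empty encrypted folder is the leftover described in the post.
                    $children = @(Get-ChildItem -LiteralPath $_.FullName -Force -ErrorAction Stop)
                    $kind = if ($children.Count -eq 0) { 'empty folder' } else { 'folder with content' }
                } catch {
                    # Matches the "no permission" symptom seen before the cleanup.
                    $kind = 'folder, access denied'
                }
            }
            New-Object PSObject -Property @{
                Path     = $_.FullName
                Kind     = $kind
                Modified = $_.LastWriteTime
            }
        }

    # Report anything the scan could not enter, so "0 found" is not misread.
    foreach ($e in $denied) {
        Write-Warning ("Could not read: " + $e.TargetObject)
    }
}

$found = @(Find-EfsItem)
$found | Format-Table Path, Kind, Modified -AutoSize
"{0} encrypted item(s) found" -f $found.Count
```

A count of 0 with no warnings corresponds to the "0 encrypted files" result in the post. The built-in `cipher /u /n` command also lists encrypted files on local drives without updating keys.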



#3 m0le


Posted 02 May 2013 - 07:44 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
m0le is a proud member of UNITE



