SYSWOW/cmd.exe ERROR

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by aclark88, Mar 27, 2013.

  1. aclark88

    aclark88 Private First Class

    When I sign in now it pops up 'Windows wants access' and I know it's not legit, so I click no and it just keeps popping up over and over. Apparently it's malware, so I've run the usual scans.

    Here are the logs - any help is appreciated. I assume the .exe's Hitman found are the problem...

    TDSS came up blank.

    Thanks :)
     

    Attached Files:

  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re run Hitman and have it delete Malware, Malware remnants and Potential Unwanted Programs.



    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 3 detections:
    • [RUN][SUSP PATH] HKCU\[...]\Run : FyeEpxvc (C:\Users\Adam\AppData\Local\wsmrfxml\fyeepxvc.exe) [-] -> FOUND
    • [RUN][SUSP PATH] HKUS\S-1-5-21-898199155-3521637707-3960584212-1000[...]\Run : FyeEpxvc (C:\Users\Adam\AppData\Local\wsmrfxml\fyeepxvc.exe) [-] -> FOUND
    • [SHELL][SUSP PATH] HKLM\[...]\Wow6432Node\Winlogon : Userinit (userinit.exe,,C:\Users\Adam\AppData\Local\Temp\wecyraxi.exe) [-] -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    Please disable all anti-virus and anti-spyware programs while we do the following (re-enable when you are finished):

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    • O2 - BHO: BBrowsee2sAove - {91F2AEDD-9199-78AB-787A-1EB4A0B6F83B} - C:\ProgramData\BBrowsee2sAove\5150ad46a8a28.dll
    • O2 - BHO: Wajam IE BHO - {A7A6995D-6EE1-4FD1-A258-49395D5BF99C} - C:\Program Files (x86)\Wajam\IE\priam_bho.dll
    • O4 - Startup: fyeepxvc.exe
    • O20 - AppInit_DLLs: c:\progra~2\browse~1\sprote~1.dll
    • O23 - Service: WajamUpdater - Wajam - C:\Program Files (x86)\Wajam\Updater\WajamUpdater.exe

    After clicking Fix exit HJT.



    Download and run OTM.

    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.

    Code:
    
    :files
    C:\ProgramData\tgyugouw.log
    C:\Program Files (x86)\Wajam
    C:\Users\Adam\AppData\Local\cftvwwws.log
    C:\Users\Adam\AppData\Local\etdswtol.log
    C:\Users\Adam\AppData\Local\gbfukqes.log
    C:\Users\Adam\AppData\Local\hsukewxv.log
    C:\Users\Adam\AppData\Local\ikcguajk.log
    C:\Users\Adam\AppData\Local\isnacexm.log
    C:\Users\Adam\AppData\Local\lllrkovo.log
    C:\Users\Adam\AppData\Local\rulqqokj.log
    C:\Users\Adam\AppData\Local\surbcmym.log
    C:\Users\Adam\AppData\Local\uniuokqc.log
    C:\Users\Adam\AppData\Local\ycbktudn.log
    C:\Users\Adam\AppData\Local\Temp\wecyraxi.exe
    C:\Users\Adam\AppData\Local\wsmrfxml
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it into notepad, save it as something appropriate and attach it into your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.



    Download Windows Repair by Tweaking.com and unzip the contents into a newly created folder on your desktop.
    • Now run Repair_Windows.exe by double clicking on it ( if you are running Vista or Win 7, use right click and select Run As Administrator)
    • Now select the Start Repairs tab.
    • Then click the Start button.
    • Create a System Restore point if prompted.
    • On the next screen, click the Unselect All button to first deselect all repairs.
    • Now select the following repair options:
      • Reset Registry Permissions
      • Reset File Permissions
      • Register System Files
      • Repair WMI
      • Repair Windows Firewall
      • Remove Policies Set By Infections
      • Repair Winsock & DNS Cache
      • Repair Proxy Settings
      • Repair Windows Updates
      • Set Windows Services To Default Startup
    • Now on the lower right side check the box to Restart/Shutdown System When Finished
    • Then make sure the Restart System radio button is enabled.
    • Shutdown any other programs that you are running now before continuing.
    • Now click the Start button.
    • Be patient while the tool repairs the selected items.
    • It should reboot automatically when finished.

    After reboot, check to see if your firewall is working.


    Re run RogueKiller and Hitman, just scan and attach logs.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
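The RogueKiller and HijackThis entries above all sit in a handful of autostart locations: the per-user Run key, Winlogon's Userinit value, AppInit_DLLs, and Internet Explorer Browser Helper Objects. The following PowerShell script is an added example, not code from this thread or from MajorGeeks' tools, that reads those same locations and marks entries worth a second look. It assumes the heuristic RogueKiller labels [SUSP PATH]: an autostart executable under AppData, a Temp folder or ProgramData is unusual enough to flag, and a Userinit value carrying anything beyond userinit.exe is always flagged. The key list, function names and the path regex are this example's own choices. It is read-only and changes nothing; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the MajorGeeks thread or its tools): a read-only audit of the
# autostart locations flagged in this thread. It lists each entry and marks the ones whose
# executable lives in a user-writable location (AppData, Temp, ProgramData) or where
# Winlogon's Userinit carries an extra program after userinit.exe. Nothing is modified.

# Heuristic (an assumption of this example): paths under AppData, Temp or ProgramData are suspicious.
function Test-SuspiciousPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    return $Path -match '(?i)\\AppData\\|\\Temp\\|\\ProgramData\\'
}

# Pull every .exe/.dll path out of a command line, e.g. the thread's Userinit value
# "userinit.exe,,C:\Users\Adam\AppData\Local\Temp\wecyraxi.exe".
function Get-PathsFromCommand {
    param([string]$Command)
    $found = @()
    foreach ($m in [regex]::Matches($Command, '(?i)"?([a-z]:\\[^",]+?\.(exe|dll))"?')) {
        $found += $m.Groups[1].Value
    }
    return $found
}

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$winlogonKeys = @(
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$windowsKeys = @(
    'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
$bhoKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

$findings = @()

# Run keys: each registry value is one autostart entry.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        $cmd = [string]$p.Value
        $findings += [pscustomobject]@{
            Location   = "$key : $($p.Name)"
            Command    = $cmd
            Suspicious = (@(Get-PathsFromCommand $cmd | Where-Object { Test-SuspiciousPath $_ }).Count -gt 0)
        }
    }
}

# Winlogon Userinit: should contain only userinit.exe; anything else after a comma is a red flag.
foreach ($key in $winlogonKeys) {
    if (-not (Test-Path $key)) { continue }
    $userinit = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Userinit
    if ($null -eq $userinit) { continue }
    $extra = @($userinit -split ',' | ForEach-Object { $_.Trim() } |
               Where-Object { $_ -ne '' -and $_ -notmatch '(?i)userinit\.exe$' })
    $findings += [pscustomobject]@{
        Location   = "$key : Userinit"
        Command    = $userinit
        Suspicious = ($extra.Count -gt 0)
    }
}

# AppInit_DLLs: loaded into every process that loads user32.dll, so any non-empty value is listed as suspicious.
foreach ($key in $windowsKeys) {
    if (-not (Test-Path $key)) { continue }
    $appinit = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($appinit)) { continue }
    $findings += [pscustomobject]@{ Location = "$key : AppInit_DLLs"; Command = $appinit; Suspicious = $true }
}

# Browser Helper Objects: resolve each CLSID to its InprocServer32 DLL and test that path.
foreach ($key in $bhoKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($clsidKey in Get-ChildItem -Path $key) {
        $clsid = $clsidKey.PSChildName
        $dll = $null
        foreach ($root in 'HKLM:\Software\Classes\CLSID', 'HKLM:\Software\Classes\Wow6432Node\CLSID', 'HKCU:\Software\Classes\CLSID') {
            $srv = Join-Path $root "$clsid\InprocServer32"
            if (Test-Path $srv) { $dll = (Get-ItemProperty -Path $srv).'(default)'; break }
        }
        $findings += [pscustomobject]@{ Location = "BHO $clsid"; Command = $dll; Suspicious = (Test-SuspiciousPath $dll) }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

The path heuristic is deliberately narrow: it would flag the fyeepxvc.exe Run entry, the wecyraxi.exe tail on Userinit and the BHO DLL under C:\ProgramData from this thread, but not the Wajam BHO, which installs under Program Files (x86). Entries in ordinary program directories still need to be judged by name and publisher, which is why the thread removes Wajam by uninstalling it rather than by path.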
     
  3. aclark88

    aclark88 Private First Class

    Thought the problem was fixed, but it seems to be back and programs are picking up the same stuff again?

    Won't allow access to some programs, iexplorer not letting me access pages.

    Attached what I could.
     

    Attached Files:

  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re run Hitman and have it delete Malware, Suspicious files, Malware remnants, and Potential Unwanted Programs.

    For 32-bit (x86) systems download Farbar Recovery Scan Tool and save it to a flash drive.
    For 64-bit (x64) systems download Farbar Recovery Scan Tool x64 and save it to a flash drive.

    Plug the flashdrive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:

    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Choose your language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    On the System Recovery Options menu you will get the following options:
    • Select Command Prompt
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter
    • Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please attach this log to your next reply. (How to attach)

    Re run Hitman again and attach the log.
     
  5. aclark88

    aclark88 Private First Class

    My Hitman Pro trial has expired so it won't let me delete anything without a license?

    Is there a way around this?
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Just skip Hitman and run FRST as requested. Thanks. :)
     
  7. aclark88

    aclark88 Private First Class

    Ok so I ran the scan and re-ran Hitman afterwards, saved both logs which are now attached.
     

    Attached Files:

  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

    Attached is fixlist.txt
    • Save fixlist.txt to your flash drive.
    • You should now have both fixlist.txt and FRST64.exe on your flash drive.

    Now re-enter System Recovery Options.
    Run FRST64 and press the Fix button just once and wait.
    The tool will make a log on the flashdrive (Fixlog.txt).
    Please attach this to your next message. (How to attach)


    Now re run Hitman again and attach log.
     

    Attached Files:

  9. aclark88

    aclark88 Private First Class

    Ok done that. 2 logs attached. Thanks again for your help so far.
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re run Hitman and have it delete Malware, Malware remnants, & Potential Unwanted Programs.

    Now run it again and show me the log so I can see what is left.
     
  11. aclark88

    aclark88 Private First Class

    I can't delete stuff with Hitman as the trial has expired? Is that right?
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Wajam <--- Uninstall this


    Download and run OTM.


    Download OTM by Old Timer and save it to your Desktop.

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.

    Code:
    :Files
    C:\Users\Adam\AppData\Local\Temp\0.3599821161009549.bfg
    C:\Users\Adam\AppData\Local\Temp\fyeepxvc.exe
    C:\Users\Adam\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8494FA5A9F5E79C31AA4D06DA1E70652_80E0D9A75675AFCD2AF3C5F913F8A720
    C:\Users\Adam\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8494FA5A9F5E79C31AA4D06DA1E70652_80E0D9A75675AFCD2AF3C5F913F8A720
    C:\Users\Adam\AppData\Local\Temp\wecyraxi.exe
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    Now re run Hitman again and attach the new log.
     
  13. aclark88

    aclark88 Private First Class

    Thanks again, here are logs...
     

    Attached Files:

  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Re run Hitman and have it delete Malware remnants and Potential Unwanted Programs


    Now re run yet again and attach newest log.

    Run the C:\MGtools\GetLogs.bat file by double clicking on it. (Right click and run as admin if using Vista or Windows7) Then attach the new C:\MGlogs.zip file that will be created by running this.
     
  15. aclark88

    aclark88 Private First Class

    Still can't delete stuff in Hitman but uploaded log and MG log as well...
     

    Attached Files:

  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    • Right-click OTM.exe And select " Run as administrator " to run it.
    • Paste the following code under the Paste List of Files/Folders to Move area. Do not include the word Code.

    Code:
    :Files
    C:\ProgramData\Browyse2ssaave
    
    :reg
    [-HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2BCC283C-34F3-753B-D5C9-9F2346D55302}]
    [-HKU\S-1-5-21-898199155-3521637707-3960584212-1000\Software\Classes\CLSID\{312BFDCE-A901-4203-B4F2-ADCB957D1887}]
    [-HKU\S-1-5-21-898199155-3521637707-3960584212-1000_Classes\CLSID\{312BFDCE-A901-4203-B4F2-ADCB957D1887}]
    [-HKU\S-1-5-21-898199155-3521637707-3960584212-1000_Classes\Wow6432Node\CLSID\{312BFDCE-A901-4203-B4F2-ADCB957D1887}]
    [-HKLM\SOFTWARE\Classes\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}]
    [-HKLM\SOFTWARE\Classes\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}]
    [-HKLM\SOFTWARE\Classes\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}]
    [-HKLM\SOFTWARE\Classes\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}]
    [-HKLM\SOFTWARE\Classes\Wow6432Node\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}]
    [-HKLM\SYSTEM\ControlSet001\services\eventlog\Application\WajamUpdater\]
    [-HKLM\SYSTEM\ControlSet002\services\eventlog\Application\WajamUpdater\]
    [-HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application\WajamUpdater\]
    
    :Commands
    [emptytemp]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Push the large MoveIt! button.
    • OTM may ask to reboot the machine. Please do so if asked.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and attach the contents of that document back here in your next post.


    Re run Hitman now again and show me the log.
     
  17. aclark88

    aclark88 Private First Class

    (Edited by Kestrel13! - attached inline log!)
     

    Attached Files:

    Last edited by a moderator: Apr 30, 2013
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files". Once you have saved it, double click it and allow it to merge with the registry.

    Make sure that you tell me if you receive a success message about adding the above
    to the registry. If you do not get a success message, it definitely did not work.


    Rerun Hitman again and attach log.
     
