Can't get rid of WildMedia

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by magnum, Sep 17, 2004.

  1. magnum

    magnum Private E-2

    Help!
    I am trying to clean a machine at my church. The machine is an IBM NetVista running Win2000 Service Pack 4. We run a small network and are using TrendMicro OfficeScan for virus protection. Every time a user logs in on this machine, OfficeScan detects WinWildApp.exe and identifies it as WildMedia. I have run AdAware, Spybot, CWShredder, memorywatcher, trojanscan, CCleaner, Kill2Me, and HJT. I have scanned the machine with OfficeScan and Housecall. I can't figure out how to get rid of this thing. I cleaned up a lot of other issues but can't beat this one. After OfficeScan detects the file it says it can't clean it or quarantine it, but it puts a file in the Quarantine folder, and I can't find WinWildApp.exe on the machine. I know that something is telling this file to run at login, but I can't figure out what.
    Thanks,
    Magnum
     
  2. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Did you run our tutorial? Seems you have all the tools: http://forums.majorgeeks.com/showthread.php?t=35407
    You could also search this forum for WildMedia, see if someone else beat it.

    If you have done all you can, upload your Hijack This log file and myself or Chaslang will take a look.
     
  3. magnum

    magnum Private E-2

    I've done the tutorial and looked at the other threads dealing with it, but the cleaning instructions provided for those members don't seem to apply. I don't see the items they were instructed to fix in HJT.
    I'll post the HJT log.
     
  4. magnum

    magnum Private E-2

    Hope I posted the log correctly. I don't see it. Would you let me know if you got it?
     
  5. Major Attitude

    Major Attitude Co-Owner MajorGeeks.Com Staff Member

    Don't see it. Reply to this post and select Manage Attachments, which allows you to browse your drive for the log file, in .txt format, please.
     
  6. magnum

    magnum Private E-2

    OK. Here is the log as a .txt file, I hope.
     


  7. magnum

    magnum Private E-2

    Hey guys, I know you say don't repost a message, but I posted an HJT log last Friday and I haven't heard anything back. This thing is driving me nuts. I almost feel like the only thing left is to format C: and start over. Has anybody had a chance to look at the log before I go to that extreme?
    Magnum
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry! You slipped through the cracks. It's been exceptionally busy here, and your message probably slipped down a few pages and we missed it.

    Make sure you have enabled viewing of hidden files per the READ ME.
    Bring up Task Manager (CTRL-ALT-DEL) and end the below processes if found:
    smmo.exe
    l?ass.exe
    Aqua.exe
    lite.exe
    winowg32.exe

    Now run HijackThis and check the following lines and then click FIX:
    O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
    O4 - HKLM\..\Run: [Aqua.exe] C:\WINNT\system32\Aqua.exe
    O4 - HKLM\..\Run: [lite.exe] C:\WINNT\system32\lite.exe
    O4 - HKLM\..\Run: [Sys29] C:\winnt\system32\winowg32.exe
    O4 - HKLM\..\RunServices: [WindowsUpdatev4] C:\WINNT\Downloaded Program Files\svchost.exe
    O4 - HKCU\..\Run: [Awoa] C:\Documents and Settings\Administrator.HEAVENLY\Application Data\smmo.exe
    O4 - HKCU\..\Run: [Vgke] C:\WINNT\system32\l?ass.exe
    O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) -

    Boot in safe mode and use Windows Explorer to locate and delete:
    C:\WINNT\system32\Aqua.exe
    C:\WINNT\system32\lite.exe
    C:\winnt\system32\winowg32.exe
    C:\WINNT\Downloaded Program Files\svchost.exe
    C:\Documents and Settings\Administrator.HEAVENLY\Application Data\smmo.exe
    C:\WINNT\system32\l?ass.exe << DO NOT DELETE lsass.exe it is a windows process.
    Reboot in normal mode and tell me how things look. Post a new HJT log too.

    QUESTIONS:
    Do you know what all of these OfficeScan lines are for? If not, fix them too.
    https://192.168.0.5:4343/officescan/console/ClientInstall/WinNTChk.cab
    O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://192.168.0.5:4343/officescan/console/ClientInstall/setupini.cab
    O16 - DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupCtrl Class) - https://192.168.0.5:4343/officescan/console/ClientInstall/setup.cab
    O16 - DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} (Encrypt Class) - https://192.168.0.5:4343/officescan/console/html/AtxEnc.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
    O16 - DPF: {5EFE8CB1-D095-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment ObjRemoveCtrl Class) - https://192.168.0.5:4343/officescan/console/ClientInstall/RemoveCtrl.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -

    Also, do you know what all of the lines below are for? If not, fix them too.
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = heavenly.sbc
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = heavenly.sbc
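The clean-up post above works through autorun entries (O4), downloaded ActiveX controls (O16) and the TCP/IP domain setting (O17) by eye. The script below is an added example, not a tool from this thread and not part of HijackThis: it parses the same log lines (copied from the post as constructed sample input) and applies the checks a responder makes by hand, namely silent `regedit /s` imports at logon, system-process names running from somewhere other than `C:\WINNT\system32`, one-character lookalikes of core process names such as lsass.exe, executables launched from a user profile, and O16 controls with no download URL or an untrusted host. The list of core process names, the trusted O16 host (the OfficeScan server at 192.168.0.5) and the expected domain are assumptions chosen to fit this log.

```python
"""Triage of HijackThis O4/O16/O17 log lines (added example, not from the thread)."""
import re

SYSTEM_DIR = r"c:\winnt\system32"          # Windows 2000 system directory seen in the log
# Core Windows process names malware likes to impersonate (assumed list).
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "csrss.exe", "smss.exe",
                "winlogon.exe", "services.exe", "explorer.exe", "spoolsv.exe"}
TRUSTED_O16_HOSTS = {"192.168.0.5"}        # assumption: the OfficeScan server
EXPECTED_DOMAINS = {"heavenly.sbc"}        # assumption: the church's own domain

# Constructed sample input: O4/O16/O17 lines copied from the post above.
HJT_LOG = r"""
O4 - HKLM\..\Run: [tourpath] regedit /s c:\winnt\tour.reg
O4 - HKLM\..\Run: [Aqua.exe] C:\WINNT\system32\Aqua.exe
O4 - HKLM\..\Run: [lite.exe] C:\WINNT\system32\lite.exe
O4 - HKLM\..\Run: [Sys29] C:\winnt\system32\winowg32.exe
O4 - HKLM\..\RunServices: [WindowsUpdatev4] C:\WINNT\Downloaded Program Files\svchost.exe
O4 - HKCU\..\Run: [Awoa] C:\Documents and Settings\Administrator.HEAVENLY\Application Data\smmo.exe
O4 - HKCU\..\Run: [Vgke] C:\WINNT\system32\l?ass.exe
O16 - DPF: {00134F72-5284-44F7-95A8-52A619F70751} (ObjWinNTCheck Class) -
O16 - DPF: {08D75BB0-D2B5-11D1-88FC-0080C859833B} (OfficeScan Corp Edition Web-Deployment SetupINICtrl Class) - https://192.168.0.5:4343/officescan/console/ClientInstall/setupini.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = heavenly.sbc
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? -\s*(\S*)$")
O17_RE = re.compile(r"^O17 - (\S+): Domain = (\S+)$")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes of system names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_o4(hive, key, name, command):
    low = command.strip().lower()
    flags = []
    if low.startswith("regedit") and "/s" in low.split():
        flags.append("silent registry import at logon")
    # The log lines carry no quoting: a command ending in .exe is a bare path,
    # otherwise the first token is the executable.
    exe = low if low.endswith(".exe") else low.split(" ", 1)[0]
    base = exe.rsplit("\\", 1)[-1]
    if base in SYSTEM_NAMES and not exe.startswith(SYSTEM_DIR + "\\"):
        flags.append(f"{base} outside {SYSTEM_DIR}")
    elif base not in SYSTEM_NAMES:
        for sysname in SYSTEM_NAMES:
            if edit_distance(base, sysname) == 1:
                flags.append(f"lookalike of {sysname}")
    if "?" in base:
        flags.append("'?' is illegal in a file name: HJT could not print the real character")
    if "\\documents and settings\\" in exe:
        flags.append("runs from a user profile directory")
    if key.lower() == "runservices":
        flags.append("RunServices key (Windows 9x-era autorun key)")
    return flags


def triage_o16(clsid, desc, url):
    if not url:
        return ["no download URL listed; orphaned control or wrapped log line, check by hand"]
    m = re.match(r"https?://([^/:]+)", url)
    host = m.group(1) if m else url
    return [] if host in TRUSTED_O16_HOSTS else [f"downloaded from untrusted host {host}"]


def triage_o17(regpath, domain):
    return [] if domain.lower() in EXPECTED_DOMAINS else [f"unexpected domain {domain}"]


def triage(log_text):
    """Return {log line: [flags]} for every O4/O16/O17 line that parses."""
    results = {}
    for line in log_text.strip().splitlines():
        line = line.strip()
        for regex, handler in ((O4_RE, triage_o4), (O16_RE, triage_o16), (O17_RE, triage_o17)):
            m = regex.match(line)
            if m:
                results[line] = handler(*m.groups())
                break
    return results


def flags_for(results, needle):
    """Flags for the first parsed line containing `needle`."""
    return next(v for k, v in results.items() if needle in k)


if __name__ == "__main__":
    for line, flags in triage(HJT_LOG).items():
        print(("FLAG " if flags else "ok   ") + line)
        for f in flags:
            print("       - " + f)
```

Note what the heuristics do not catch: Aqua.exe, lite.exe and winowg32.exe sit in system32 under names that resemble nothing, so they pass every check and were identified in the thread only by a human reading the log. The script is a first pass to order the work, not a replacement for that reading, and deleting any flagged file still needs the confirmation the post gives for l?ass.exe versus the real lsass.exe.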
     
  9. magnum

    magnum Private E-2

    Thanks! I couldn't find winnt\system32\winowg32.exe, winnt\downloaded program files\svchost.exe, or winnt\system32\l?ass.exe, but it looks like it's fixed. When I log in, OfficeScan is no longer picking up WildMedia.
    I'm sure that all of those OfficeScan files have something to do with the virus protection. It runs in IIS and is all centrally managed at the server. The server automatically pushes out new virus definitions etc. as soon as they are found by the server and downloaded. I wasn't sure what the system\cs1\services\tcpip\parameters: domain = heavenly.sbc entries were, but I didn't feel comfortable deleting them because I thought they might have something to do with the networking. I'll check with the guy who set the server up.
    Thanks again! I hope this is the end of this mess.
    Magnum
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome.

    But when you looked for those files, did you have viewing of hidden files enabled, and did you use Windows Explorer to look for them, or did you use Windows Search?
     
  11. magnum

    magnum Private E-2

    I had view hidden files enabled. I used Windows Explorer, and when I didn't see them I tried Windows Search.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    OK! Looks like they are gone then.
     
