Topic: PWS-WoW

nickc1976 (Topic Starter)

    PWS-WoW
    « on: December 06, 2007, 03:34:56 AM »
    Hi All,

    I have a PC (running XP) which is displaying McAfee warning messages about an infected file. It gives the name of the virus as PWS-WoW. To begin with the infected file was listed as:

    C:\Documents and Settings\%username%\Local Settings\temporary internet files\content.ie5\CG7ZC7C\Loader[1].exe

    After I unsuccessfully attempted to delete, clean, quarantine then exclude the file, the message disappeared. The warning then reappeared at 10 minute intervals, each time with a slightly different location for the infected file, examples below:

    C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.IE5\J7WJ1AVV\Loader[1].exe

    C:\Documents and Settings\%username%\Local Settings\Temporary Internet Files\Content.IE5\KLXG0REX\Loader[1].exe

    After running scans with the tools recommended by this forum, the warning message has now changed, and the infected file is listed as:

    C:\Windows\System32\secpol.exe\secpol.exe

    And

    C:\Windows\System32\fsmgmt.dll

    I have attached the three log files, any advice on how to fix this would be appreciated as I’m pretty much a novice when it comes to virus removal.

    Thanks

    Nick


    [saving space - attachment deleted by admin]
    http://www.pc-citadel.com - PC and Laptop repairs upgrades and customization

    evilfantasy (Malware Removal Specialist, Moderator)
    Re: PWS-WoW
    « Reply #1 on: December 06, 2007, 10:39:01 AM »
    Enable Viewing Of Hidden System Files & Folders

    1. Right Click Start.
    2. Select Control Panel.
    3. Select the Tools menu and click Folder Options.
    4. Select the View Tab.
    5. Under the Hidden files and folders heading select Show hidden files and folders.
    6. Uncheck the Hide extensions for known file types option.
    7. Uncheck the Hide protected operating system files (recommended) option.
    8. Click Apply.
    9. Click OK.

    --------------------

    Open HijackThis and select Do a system scan only and place a check mark next to:

    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\secpol.exe,
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HQ.AUTOCAB.COM
    O17 - HKLM\Software\..\Telephony: DomainName = HQ.AUTOCAB.COM
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HQ.AUTOCAB.COM
    O20 - Winlogon Notify: fsmgmt - C:\WINDOWS\SYSTEM32\fsmgmt.dll


    Close all windows except for HijackThis and click Fix checked

    --------------------

    Restart the computer in Safe Mode.

    * Restart the computer.
    * Before Windows loads start tapping the F8 key.
    * When you get to the boot menu, use the arrow keys to select Safe mode
    * Then Press Enter
    * The computer restarts in Safe mode.

    Locate this file and delete it:

    C:\WINDOWS\system32\secpol.exe

    Restart in normal mode.

    -------------------

    Please download ATF Cleaner by Atribune (ATF-Cleaner.exe). This program does not require an installation; the executable actually runs the program.

    NOTE: ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    * Double-click ATF-Cleaner.exe to run the program.
    * Under Main choose: Select All
    * Click the Empty Selected button.

    If you use Firefox browser
    * Click Firefox at the top and choose: Select All
    * Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser
    * Click Opera at the top and choose: Select All
    * Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main ATF Cleaner menu to close the program.

    -------------------

    Use the Trend Micro Housecall Scan

    1. Click Scan Now. It's Free
    2. Read and put a Check next to Yes, I accept the Terms of Use
    3. Then click Launch HouseCall and wait for the Java-based Housecall kernel test.
    4. Click Starting Housecall and wait for the updates to finish.
    5. Under Scan complete computer for malware, grayware, and vulnerabilities click the Next>> button.

    * It will download the latest scan engine and pattern files. When the definitions have been downloaded, the scan will start.
    * Please wait while HouseCall scans your system…
    * Once the scan is complete, it will take you to the summary page.

    6. Under Cleanup options choose Clean all detected infections automatically
    7. Click the Clean now>> button.
    8. When presented with a notification According to your instructions, all detected infections were cleaned..., click OK

    * The Housecall log is saved to C:\Documents and Settings\UserName\.housecall\log\

    -------------------

    In your next post please attach:
    Housecall scan log.
    New HijackThis log.


    Please attach the logs as separate attachments and in Text (.txt) format
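The two entries the moderator singles out for HijackThis above are classic logon persistence points, which is why they matter more than the Loader[1].exe copies in the IE cache. The F2 line is the Userinit value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; Windows runs every comma-separated program in it at each interactive logon, so appending secpol.exe relaunches the malware every time someone logs in. The O20 line is a Winlogon\Notify package, a DLL that winlogon.exe itself loads on logon events, which is how fsmgmt.dll gets executed with no visible process of its own. The script below is an added example, not code from the thread, from HijackThis or from McAfee: it parses HijackThis-style F2, O17 and O20 lines (the sample is constructed from the entries quoted in the post, plus one clean Notify entry for contrast), flags anything in Userinit other than the real userinit.exe, flags Notify DLLs outside a small allow-list, and reports O17 domain settings for a human to confirm. The allow-list, the assumed system root of C:\WINDOWS, and the function names are mine, not the page's.

```python
"""Triage HijackThis-style log lines for Winlogon persistence.

Added example for this thread; not code from the forum, HijackThis or McAfee.
SAMPLE_LOG is constructed from the entries quoted in the moderator's reply,
with one legitimate Notify entry (crypt32chain) added to show a non-finding.
KNOWN_NOTIFY_DLLS is an illustrative allow-list (assumption): verify it
against a clean reference machine of the same Windows version before use.
"""
import re

SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\secpol.exe,
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HQ.AUTOCAB.COM
O17 - HKLM\Software\..\Telephony: DomainName = HQ.AUTOCAB.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HQ.AUTOCAB.COM
O20 - Winlogon Notify: fsmgmt - C:\WINDOWS\SYSTEM32\fsmgmt.dll
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
""".strip()

# Notify DLLs that ship with Windows XP (assumed allow-list for illustration).
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
    "wlnotify.dll", "wzcdlg.dll",
}

# HijackThis line shapes for the three entry types handled here.
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>\w+) = (?P<value>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def triage(log_text, system_root=r"C:\WINDOWS", known_notify=KNOWN_NOTIFY_DLLS):
    """Return (entry_type, value, reason) tuples for suspicious lines.

    Userinit: every program listed runs at each interactive logon, so anything
    other than <system_root>\\system32\\userinit.exe is a finding.
    Winlogon Notify: the DLL is loaded into winlogon.exe on logon events;
    anything outside the allow-list is a finding.
    O17: a domain/DomainName setting is reported for a human to confirm.
    """
    findings = []
    expected_userinit = (system_root + r"\system32\userinit.exe").lower()

    for line in log_text.splitlines():
        line = line.strip()

        m = F2_RE.match(line)
        if m:
            for entry in (e.strip() for e in m["value"].split(",")):
                if entry and entry.lower() != expected_userinit:
                    findings.append(("F2", entry,
                                     "extra Userinit executable; runs at every logon"))
            continue

        m = O20_RE.match(line)
        if m:
            dll = m["path"].rsplit("\\", 1)[-1].lower()
            if dll not in known_notify:
                findings.append(("O20", m["path"],
                                 "Winlogon Notify package %r loads into winlogon.exe; "
                                 "not in allow-list" % m["name"]))
            continue

        m = O17_RE.match(line)
        if m:
            findings.append(("O17", m["value"],
                             "%s set in %s; confirm this machine should still use it"
                             % (m["name"], m["key"])))
    return findings


def clean_userinit(value, system_root=r"C:\WINDOWS"):
    """Return the Userinit value with only the genuine userinit.exe kept.

    The trailing comma matches how Windows stores the default value.
    """
    expected = system_root + r"\system32\userinit.exe"
    kept = [e.strip() for e in value.split(",")
            if e.strip().lower() == expected.lower()]
    return ",".join(kept or [expected]) + ","


if __name__ == "__main__":
    for kind, value, reason in triage(SAMPLE_LOG):
        print(kind, value, "::", reason)
    print("fixed Userinit:", clean_userinit(
        r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\secpol.exe,"))
```

Run it against a saved HijackThis log by replacing SAMPLE_LOG with the file contents. The O17 lines are reported rather than judged because, as the later replies in this thread show, only the machine's owner can say whether a domain name is expected; the F2 and O20 findings need no such context, since there is exactly one legitimate Userinit program and a short, version-specific set of Notify DLLs.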

    nickc1976 (Topic Starter)

      Re: PWS-WoW
      « Reply #2 on: December 10, 2007, 04:12:43 AM »
      Hi,

      Thanks for your help with this. I have followed your instructions. The Housecall scan produced several log files, so I have attached them all.

      Cheers

      [saving space - attachment deleted by admin]

      nickc1976 (Topic Starter)

        Re: PWS-WoW
        « Reply #3 on: December 10, 2007, 04:13:17 AM »
        Final Housecall log...

        [saving space - attachment deleted by admin]

        kuszmania9999 (Adviser)
        Re: PWS-WoW
        « Reply #4 on: December 10, 2007, 04:31:09 AM »
        O4 - HKLM\..\Run: [Di dictionary] "C:\Program Files\Di recnik\Di.exe


        I guess this is a worm, but wait for expert confirmation; I'm no expert in these cases.

        nickc1976 (Topic Starter)

          Re: PWS-WoW
          « Reply #5 on: December 10, 2007, 05:38:16 AM »
          I am aware of this software; we have a Serbian employee who uses this machine, and Di Recnik is used for translation.

          evilfantasy (Malware Removal Specialist, Moderator)
          Re: PWS-WoW
          « Reply #6 on: December 10, 2007, 08:11:04 AM »
          Work through this post and attach the logs when done.

          I don't know what happened to the Trend Micro scan but it doesn't seem to have done anything.

          Also, what do you know about AUTOCAB.COM?

          nickc1976 (Topic Starter)

            Re: PWS-WoW
            « Reply #7 on: December 12, 2007, 05:27:23 AM »
            AUTOCAB.COM is a domain, but it is no longer used.