Need help with virus found - wmpsl64.exe

A recent scan of my computer showed that I had a virus. Avast! AV identified it as a ‘Rootkit: hidden process’. The filename is “C:\WINDOWS\system32\wmpsl64.exe”. After I ran the scan, I was unable to delete the file and the reason given was that it was being used by another process. After the scan was completed, it was recommended that I perform a boot-time scan. This scan resulted in a series of other files being found, which I chose to have moved to the chest. The only one that could not be moved was “C:\hiberfil.sys”, and the reason provided was the same as for the earlier ‘wmpsl64.exe’ file, i.e. that it was being used by another process.

For now, I’m accessing the forum using a different laptop and have disconnected the ‘infected’ laptop from the internet. I also plan on using the bluetooth connection to transfer any diagnostic tools between the two laptops. Any help or advice regarding the warning messages and the infected files would be appreciated.

wmpsl64.exe appears to be part of a rogue security application, but I can’t find much info. hiberfil.sys is a legitimate Windows file in the directory you found it in. It is the hibernation file. What about the other files, the ones in the chest?
Please post logs according to http://forum.avast.com/index.php?topic=53253.0 as well.

I’m attaching a screenshot of the other files that were found during the second boot-time scan. The filename is “Boot-time scan result2”.

There were only two files found during the first boot-time scan. I’ve listed them below.

C:\Documents and Settings\Swapnil\Local Settings\Temp\481.tmp|>[UPX]
Status: Threat:Win32:MalOb-GS[Cryp]
Action: Delete
Result: Action Successful.

C:\hiberfil.sys
Status: Threat:Win32:Hupigon-ONX [Trj]
Action: Move to chest
Result: Error: The process cannot access the file because it is being used by another process (32)

I ran the tools you wanted me run.

I ran adwcleaner and then had the system reboot. On reboot, Avast! gave a warning that another virus was found. I’ve included a screenshot of the warning. The filename is Virus_Warning_2. I’m also attaching the log that was created.

I then downloaded and installed MBAM. After what seemed like a successful installation, but before the MBAM screen could appear, I received an error message. I’ve attached the screenshot of that message as well. The filename is Malware_Installation_Warning. As I was running the MBAM scan, Avast! raised another warning. I’ve also attached a screenshot of this. The filename is Virus_Warning_3.

After the MBAM scan ended, I was not prompted to restart so I went ahead and ran the OTL tool. I also copied the text into the ‘Custom Scans/Fixes’ field. The log reports generated by this program are also attached.

Finally, I ran the aswMBR.exe tool and I’ve also included the log generated by this program.

I realise this is a lot of information but I felt it would give you a better understanding of my system.

Looks like I can only attach 4 files with each post.

What’s the exclamation mark you have on the avast! ball in the tray? What does it say when you put your cursor on the ball?

essexboy is notified…so he will get to you when he comes online.

we also need the OTL.txt log…that is the important one. :wink:

do you have AVG installed?

Monitoring

true indian → The exclamation point on the avast! toolbar icon is because I’ve disabled certain ‘shields’. I found that it was slowing my system down so I decided to shut down some shields that I thought were unnecessary. I’ve disabled the ‘Mail Shield’ because I don’t use an email program like Outlook. I’ve also disabled the P2P shield because I hardly if ever use a P2P program. I’ve also disabled the IM shield because I don’t use any IM programs other than for GoogleChat and that too is only from within gmail.com and through the browser. And it looks like I also had the Script Shield disabled which I now realise may have been the reason I’ve been infected. Finally the behavior shield is also disabled.

I realise now that disabling some of these shields was probably not a good idea, but after having installed the latest update for Avast! my system had slowed down too much. If there’s a way for Avast! to use fewer resources, I’d be willing to give it a try.

Pondus → The OTL.txt log was attached in my third post along with the screenshot attachments. But I will attach it to this post as well. And no, I do not have AVG installed. I did have it at one time, but it has been uninstalled for more than a year now.

essexboy → Looking forward to your instructions.

Pondus → The OTL.txt log was attached in my third post along with the screenshot attachments. But I will attach it to this post as well. And no, I do not have AVG installed. I did have it at one time, but it has been uninstalled for more than a year now.
Yep, I see it now... not easy to see among the screenshots.

Is Avast still finding this ?

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks.
  • Allow the installation of the Recovery Console.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

essexboy → I ran ComboFix as you asked and have included the txt file generated. After it rebooted the system, I had Avast! perform another scan of my system. This time it only found one file.

C:\System Volume Information\_restore{29C1B355-54FD-4236-9136-2B1E08B6BFB1}\RP941\A0224466.exe
Status: Threat: Win32: IRCBot-FAB [Trj]
Action: Move to Chest
Result: Action successful

I wasn’t prompted to run a boot-time scan this time.

Looks good … Any further problems ?

I spoke too soon. The system is now performing a boot-time scan. I will update the thread when it is finished.

I’m happy to say that my system is now 100% bug free!! :slight_smile: Thank you essexboy, Pondus & true indian for all your help.

I completed a system scan, then scanned my external drives and then performed a boot-time scan on my system as well. The scans did not show any viruses, trojan, worms, etc.

Do I need to do anything else i.e. delete/uninstall any of the programs I had to install?

hi Taj82,

You might want to turn on the file protection shields, such as Script Shield, P2P, and IM. Over here, no IM is used, but Secunia PSI uses IM to talk to its servers when I run that program, so I leave it on for that. All eight shields are running here without problems.

As for slow performance, please check your startups in msconfig. You may be able to do without some optional third-party programs set to start when you first turn your system on. Can be other causes, but please check back with essexboy for that.
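The msconfig check suggested above can be done from a shell as well. The following PowerShell script is an added example, not code from the thread or from any of the tools it mentions. It assumes PowerShell 2.0 or later on a standard Windows install, reads only the Run/RunOnce registry keys and the two Startup folders (it changes nothing), and flags startup commands that point into a Temp folder or the Recycle Bin, which are unusual places for a legitimate startup item. Services, scheduled tasks and other autostart points are not covered.

```powershell
# Added example (not from the thread): list common Windows autostart entries so the
# startup items the post suggests reviewing in msconfig can be seen in one place.
# Read-only: nothing is disabled or removed. Assumes PowerShell 2.0 or later.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

$entries = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath, PSParentPath etc.; those are not registry values
        if ($p.Name -like 'PS*') { continue }
        $entries += New-Object PSObject -Property @{
            Location = $key
            Name     = $p.Name
            Command  = $p.Value
        }
    }
}

# Per-user and all-users Startup folders, resolved through the Shell Folders keys
# so the same code works on XP-era and later Windows versions.
$startupDirs = @(
    (Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').Startup,
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders').'Common Startup'
)
foreach ($dir in $startupDirs) {
    if (-not $dir -or -not (Test-Path $dir)) { continue }
    foreach ($file in (Get-ChildItem -Path $dir | Where-Object { -not $_.PSIsContainer })) {
        $entries += New-Object PSObject -Property @{
            Location = $dir
            Name     = $file.Name
            Command  = $file.FullName
        }
    }
}

# Legitimate startup items rarely live in a Temp folder or the Recycle Bin;
# flag those so they get a closer look before anything is disabled.
$unusualLocation = '\\Temp\\|\$Recycle\.Bin|RECYCLER'
foreach ($e in $entries) {
    $flag = ''
    if ($e.Command -match $unusualLocation) { $flag = '  <-- unusual location, review' }
    Write-Output ("{0}`n  {1} = {2}{3}" -f $e.Location, $e.Name, $e.Command, $flag)
}
```

Run it in a normal PowerShell window to see the per-user entries; run it again from an elevated window if the HKLM keys are not readable for your account. Compare the list with what msconfig shows before unticking anything.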

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

      :Commands
      [resethosts]
      [emptytemp]
      [CLEARALLRESTOREPOINTS]
      [Reboot]

  • Then click the Run Fix button at the top.
  • Let the program run unhindered, and reboot the PC when it is done.

Remove ComboFix
  • Hold down the Windows key + R on your keyboard. This will display the Run dialogue box.
  • In the Run box, type in ComboFix /Uninstall (notice the space between the “x” and “/”), then click OK.

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

  • Follow the prompts on the screen.
  • A message should appear confirming that ComboFix was uninstalled.

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set back to hidden, as some of the tools I use will change that:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older versions of Java components and upgrade the application.

Upgrading Java:
  • Go to this site and click Do I have Java
  • It will check your current version and then offer to update to the latest version

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit:
  • Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place? Keep safe :wave:
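The Folder Options steps in the cleanup post above set two Explorer values that can also be checked from a shell. The script below is an added example, not code from the thread or from OTL/ComboFix; it assumes PowerShell 2.0 or later and a standard Explorer configuration, where Hidden = 2 means “Do not show hidden files and folders” (1 means show) and ShowSuperHidden = 0 means protected operating system files stay hidden. It only reports the current state and changes nothing, so it is safe to run before and after the GUI steps.

```powershell
# Added example (not from the thread): report the Explorer "hidden files" settings that
# the cleanup post restores through Folder Options > View. Read-only.
# Registry values read (standard Explorer, XP and later):
#   Hidden          2 = do not show hidden files and folders, 1 = show them
#   ShowSuperHidden 0 = keep protected operating system files hidden, 1 = show them
$advancedKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Expected state once the post's Folder Options steps have been done
$expected = @{
    Hidden          = 2
    ShowSuperHidden = 0
}

if (-not (Test-Path $advancedKey)) {
    Write-Output "Explorer Advanced key not found; this is not a standard profile."
    return
}

$props = Get-ItemProperty -Path $advancedKey
$allGood = $true

foreach ($name in $expected.Keys) {
    $current = $props.$name          # $null when the value has never been set
    if ($current -eq $expected[$name]) {
        Write-Output ("{0,-16} = {1}  (as expected)" -f $name, $current)
    } else {
        $allGood = $false
        Write-Output ("{0,-16} = {1}  (expected {2}; re-check Folder Options > View)" -f $name, $current, $expected[$name])
    }
}

if ($allGood) {
    Write-Output "Hidden-file settings are back to the default state."
} else {
    Write-Output "One or more settings still differ from the default; repeat the Folder Options steps."
}
```

Explorer reads these values at logon and when Folder Options is applied, so if the script reports the default state but files still look hidden or visible contrary to that, log off and on again before repeating the steps.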

essexboy: It has been about 3 days now since my system has been bug-free so thank you again. :slight_smile:

However, I am having some issues with clearing up the tools that I used. I ran OTL with the custom code you provided. I left OTL running all night as a matter of fact, and when I checked my system this morning it seemed to have hung. I was still able to move my mouse cursor around but nothing seemed to open or function. So I force-shut down my system. I’m not sure if OTL was able to perform the fix you wanted. Any advice?

I have not run any of the other steps as I assumed the steps had to be run sequentially.

OK skip that step, it was MBAM getting uppity (as usual)

Start at the uninstall combofix and proceed from there ;D