
HELP - Wimad. E Trojan, HOW REMOVE?

 
nipharmacy-mail

External


Since: Jul 17, 2008
Posts: 2



(Msg. 1) Posted: Thu Jul 17, 2008 12:07 am
Post subject: HELP - Wimad. E Trojan, HOW REMOVE?
Archived from groups: alt>comp>virus (more info?)

Hi all,

My kids were downloading music tracks from Limewire and seem to have
downloaded the Wimad. E trojan.

I first realised this when the computer wouldn't connect to internet
via broadband. When computer was re-booted, I get error message:
" Siteadv.exe - Bad Image: c:\windows\system32\wpclsp.dll is either
not designated to run on windows or it contains an error."

Spyware doctor identified the 2 mp3 files as Wimad E and quarantined
them. The problem is I can no longer connect to the internet. I tried
going back a week with system restore but to no avail.

Any suggestions how I might restore my system back to its original
state? I presume deleting 'wpclsp.dll' is too simplistic and would not
help any.

Thank-you

John

Manatee Memories

External


Since: Aug 25, 2007
Posts: 22



(Msg. 2) Posted: Thu Jul 17, 2008 12:07 am
Post subject: Re: HELP - Wimad. E Trojan, HOW REMOVE? [Login to view extended thread Info.]
Imported from groups: per prev. post (more info?)

This message is not archived

David H. Lipman

External


Since: Jul 04, 2003
Posts: 1699



(Msg. 3) Posted: Thu Jul 17, 2008 12:07 am
Post subject: Re: HELP - Wimad. E Trojan, HOW REMOVE? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)

From: <nipharmacy-mail@'deletethisbit'yahoo.co.uk>

| Hi all,

| My kids were downloading music tracks from Limewire and seem to have
| downloaded the Wimad. E trojan.

| I first realised this when the computer wouldn't connect to internet
| via broadband. When computer was re-booted, I get error message:
| " Siteadv.exe - Bad Image: c:\windows\system32\wpclsp.dll is either
| not designated to run on windows or it contains an error."

| Spyware doctor identified the 2 mp3 files as Wimad E and quarantined
| them. The problem is I can no longer connect to the internet. I tried
| going back a week with system restore but to no avail.

| Any suggestions how I might restore my system back to its original
| state? I presume deleting 'wpclsp.dll' is too simplistic and would not
| help any.

| Thank-you

| John

Yep. The Wimad takes advantage of the Windows Media Player DRM and can cause a Trojan
download. I have seen numerous examples in various movie files (WMA and WMV most common).
Many P2P systems are pushing them with Limewire one of the *biggest*.

http://www.avertlabs.com/research/blog/index.php/2008/05/06/fake-mp3s-...ning-ra
http://www.avertlabs.com/research/blog/index.php/2008/05/07/yet-even-m...-fake-m

Chances are the DLL is using Winlogon Notify to load and thus you can't delete the DLL or
remove its loading from the Registry. You can however load the Windows Recovery Console
and logon as administrator and delete the DLL from %windir%\system32

Remove Limewire and then perform a full scan of the system using your AV.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
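
Added example, not part of the post above or of any tool named in the thread: the Winlogon Notify load point the reply suspects is the registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify, with one subkey per package and a DllName value in each. This Python script audits the text output of `reg query "<that key>" /s` against a baseline taken from a known-clean machine. The sample output, the `examplepkg` subkey, the `C:\Temp` path and the two-entry baseline are constructed for illustration, and listing wpclsp.dll under Notify follows the reply's guess, not a confirmed finding.

```python
import ntpath
import re

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
# A value line is indented: name, registry type, data (tabs or spaces between them).
VALUE_RE = re.compile(r"^\s+(?P<name>\S.*?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")

def parse_notify(text):
    """Return {subkey: {value_name_lower: data}} for direct children of Notify."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith(NOTIFY_KEY.upper() + "\\"):
            name = line.strip()[len(NOTIFY_KEY) + 1:]
            current = None if "\\" in name else name  # skip deeper nesting
            if current is not None:
                entries[current] = {}
        elif line.startswith("HKEY_"):
            current = None  # the Notify key itself or an unrelated key
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                entries[current][m["name"].lower()] = m["data"].strip()
    return entries

def audit(text, baseline):
    """Compare each package's DllName with baseline {subkey_lower: dll_lower}."""
    findings = []
    for subkey, values in sorted(parse_notify(text).items()):
        dll = values.get("dllname")
        expected = baseline.get(subkey.lower())
        if not dll:
            findings.append((subkey, "no DllName value", None))
        elif expected is None:
            findings.append((subkey, "subkey not in baseline", dll))
        elif ntpath.basename(dll).lower() != expected:
            findings.append((subkey, "DllName differs from baseline", dll))
    return findings

# Constructed sample of `reg query ... /s` output (not taken from a real system).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    Asynchronous    REG_DWORD    0x0
    DllName    REG_EXPAND_SZ    crypt32.dll
    Logoff    REG_SZ    ChainWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    DllName    REG_SZ    C:\Temp\cscdl1.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\examplepkg
    Asynchronous    REG_DWORD    0x1
    DllName    REG_SZ    c:\windows\system32\wpclsp.dll
"""

# Illustrative baseline only; build the real one from a clean install of the same OS.
BASELINE = {"crypt32chain": "crypt32.dll", "cscdll": "cscdll.dll"}

if __name__ == "__main__":
    for subkey, reason, dll in audit(SAMPLE, BASELINE):
        print(f"{subkey}: {reason} ({dll})")
```

Entries the audit reports are candidates for review, not verdicts; check each reported DLL's signature and origin before deleting it offline as the reply describes.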
nipharmacy-mail

External


Since: Jul 17, 2008
Posts: 2



(Msg. 4) Posted: Thu Jul 17, 2008 1:31 am
Post subject: Re: HELP - Wimad. E Trojan, HOW REMOVE? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)

Thanks Dave - stupid question, I know, but where does one find the
'Windows Recovery Console' in Windows Vista?

On Wed, 16 Jul 2008 20:06:57 -0400, "David H. Lipman"
<DLipman~nospam~@Verizon.Net> wrote:

>From: <nipharmacy-mail@'deletethisbit'yahoo.co.uk>
>
>| Hi all,
>
>| My kids were downloading music tracks from Limewire and seem to have
>| downloaded the Wimad. E trojan.
>
>| I first realised this when the computer wouldn't connect to internet
>| via broadband. When computer was re-booted, I get error message:
>| " Siteadv.exe - Bad Image: c:\windows\system32\wpclsp.dll is either
>| not designated to run on windows or it contains an error."
>
>| Spyware doctor identified the 2 mp3 files as Wimad E and quarantined
>| them. The problem is I can no longer connect to the internet. I tried
>| going back a week with system restore but to no avail.
>
>| Any suggestions how I might restore my system back to its original
>| state? I presume deleting 'wpclsp.dll' is too simplistic and would not
>| help any.
>
>| Thank-you
>
>| John
>
>Yep. The Wimad takes advantage of the Windows Media Player DRM and can cause a Trojan
>download. I have seen numerous examples in various movie files (WMA and WMV most common).
>Many P2P systems are pushing them with Limewire one of the *biggest*.
>
>http://www.avertlabs.com/research/blog/index.php/2008/05/06/fake-mp3s-running-rampant/
>http://www.avertlabs.com/research/blog/index.php/2008/05/07/yet-even-more-fake-media-files/
>
>Chances are the DLL is using Winlogon Notify to load and thus you can't delete the DLL or
>remove its loading from the Registry. You can however load the Windows Recovery Console
>and logon as administrator and delete the DLL from %windir%\system32
>
>Remove Limewire and then perform a full scan of the system using your AV.
David H. Lipman

External


Since: Jul 04, 2003
Posts: 1699



(Msg. 5) Posted: Thu Jul 17, 2008 1:31 am
Post subject: Re: HELP - Wimad. E Trojan, HOW REMOVE? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)

From: <nipharmacy-mail@'deletethisbit'yahoo.co.uk>


| Thanks Dave - stupid question, I know, but where does one find the
| 'Windows Recovery Console' in Windows Vista?


Good question and NOT a stupid one.
In previous versions of NT Based OS you can install it as...
..\i386\winnt32 /cmdcons

or you can boot from the OS distribution CD and go into the Repair mode.

I haven't had to do this with Vista yet so I am not sure. Hopefully it is the same in
that you can boot from the Vista distribution DVD and go into a repair mode.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Shane

External


Since: Sep 13, 2005
Posts: 94



(Msg. 6) Posted: Thu Jul 17, 2008 1:28 pm
Post subject: Re: HELP - Wimad. E Trojan, HOW REMOVE? [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)

David H. Lipman wrote:
> From: <nipharmacy-mail@'deletethisbit'yahoo.co.uk>
>
>
>> Thanks Dave - stupid question, I know, but where does one find the
>> 'Windows Recovery Console' in Windows Vista?
>
>
> Good question and NOT a stupid one.
> In previous versions of NT Based OS you can install it as...
> .\i386\winnt32 /cmdcons
>
> or you can boot from the OS distribution CD and go into the Repair
> mode.
>
> I haven't had to do this with Vista yet so I am not sure. Hopefully
> it is the same in that you can boot from the Vista distribution DVD
> and go into a repair mode.

Yes, you can. But you get the option of a complete reinstall, loading
drivers or running a memory diagnostic. I haven't looked into it any deeper
than that except when I tried to repair a beta installation, and it didn't
work - but that's betas for you! Or with F8 you get much the same options -
including Safe Mode Command Prompt - as in XP. I haven't seen any hint of
the Recovery Console, which one might expect to see in Roles and Features,
i.e. the option to install it without having to otherwise find out that it
even exists as you have to in XP.

Presumably you're not running Vista, then Dave. Personally I hate Vista -
but to support (to a very large extent) those who are running it, I've been
running Server 2008 (since beta3). You can run the final version for 240
days without activating (i.e. without buying) it.

Let's face it both systems are a hell of a price to pay just to support some
of their customers but not use it yourself! I'm not sure yet if at the end
of the 240 days I'll be able to wipe it, reinstall and start again. But the
differences between Vista and 2K8 are minor, particularly when the latter
has the 'Desktop Experience' Feature installed. Of course, one's Home AV
won't run in it.

Shane
Shane

External


Since: Jul 17, 2008
Posts: 1



(Msg. 7) Posted: Thu Jul 17, 2008 1:28 pm
Post subject: Re: HELP - Wimad. E Trojan, HOW REMOVE? [Login to view extended thread Info.]
Archived from groups: alt>comp>virus, others (more info?)

H. lipman wrote: david h. lipman wrote: david h. lipman.
> From: <nipharmacy-mail@'deletethisbit'yahoo.co.uk>
>
>
>> Thanks Dave - stupid question, I know, but where does one find the
>> 'Windows Recovery Console' in Windows Vista?
>
>
> Good question and NOT a stupid one.
> In previous versions of NT Based OS you can install it as...
> .\i386\winnt32 /cmdcons
>
> or you can boot from the OS distribution CD and go into the Repair
> mode.
>
> I haven't had to do this with Vista yet so I am not sure. Hopefully
> it is the same in that you can boot from the Vista distribution DVD
> and go into a repair mode.

- but that expect to seen any deeper that except when i tried to seen
any deeper that it didn't looked into it didn't looked into it without
having safe mode command prompt - as you get much the option, and
features, i.e. the same options - including to it even exists as in xp.
yes, you get that's beta installation of the same options - including
safe mode command it even exists as you haven't work - but that's beta
install it even exists as you having safe mode command it even exists as
in xp. i haven't work - but that it didn't seen any hint of a complete
reinstall it without that except when i tried to repair a betas for you
having drivers or running safe mode command features, i.e. the same
options - including a memory diagnostic. i having to in roles and
features, i.e. the option, and features, you! or without that's beta
install it any deeper that's betas for you can. but you get much the
recovery console, which one might expect to seen any hint of the options
- including a memory diagnostic. i have to it didn't work - but you get
much the recovery console, which one might except when i tried.

- but to support (to a version for 240 days without buying) it.
presumably you're not running vista - but to support (to a version for
240 days without buying) it. presumably you're not running server 2008
(since been running it, i've beta3). you can running vista, the final
version for 240 days without buying) it. presumably you're not running
vista - but to support (to a version for 240 days without activating
(i.e. without activating vista, the final version for 240 days without
activating server 2008 (since been running (i.e. without activating.

At their customers but not sure install and 2k8 are a hell of the end of
their customers but not use it, reinstalled. of course, one's home of a
price to wipe it yourself! i'm not use it both systems are minor,
particularly when the latter has the 'desktop experiences between vista
and 2k8 are minor, particularly when the differences between vista and
2k8 are a hell of a price to support some of the 240 days i'll be able
to pay just to pay just to wipe it yourself! i'm not sure yet if at the
latter has the 240 days i'll be able to support some of the end of the
end of their customers but not use it both systems are a hell of a price
to support some av won't run in it. let's face it yourse, one's home of
a price to wipe it yourse, one's home of the 'desktop experience'
feature yet.

Shane
David H. Lipman

External


Since: Jul 04, 2003
Posts: 1699



(Msg. 8) Posted: Thu Jul 17, 2008 4:38 pm
Post subject: Re: HELP - Wimad. E Trojan, HOW REMOVE? [Login to view extended thread Info.]
Archived from groups: alt>comp>virus (more info?)

From: "Shane" <shanebeatson.TakeThisOut@gmail.com>

| David H. Lipman wrote:
>> From: <nipharmacy-mail@'deletethisbit'yahoo.co.uk>


>>> Thanks Dave - stupid question, I know, but where does one find the
>>> 'Windows Recovery Console' in Windows Vista?


>> Good question and NOT a stupid one.
>> In previous versions of NT Based OS you can install it as...
>> .\i386\winnt32 /cmdcons

>> or you can boot from the OS distribution CD and go into the Repair
>> mode.

>> I haven't had to do this with Vista yet so I am not sure. Hopefully
>> it is the same in that you can boot from the Vista distribution DVD
>> and go into a repair mode.

| Yes, you can. But you get the option of a complete reinstall, loading
| drivers or running a memory diagnostic. I haven't looked into it any deeper
| than that except when I tried to repair a beta installation, and it didn't
| work - but that's betas for you! Or with F8 you get much the same options -
| including Safe Mode Command Prompt - as in XP. I haven't seen any hint of
| the Recovery Console, which one might expect to see in Roles and Features,
| i.e. the option to install it without having to otherwise find out that it
| even exists as you have to in XP.

| Presumably you're not running Vista, then Dave. Personally I hate Vista -
| but to support (to a very large extent) those who are running it, I've been
| running Server 2008 (since beta3). You can run the final version for 240
| days without activating (i.e. without buying) it.

| Let's face it both systems are a hell of a price to pay just to support some
| of their customers but not use it yourself! I'm not sure yet if at the end
| of the 240 days I'll be able to wipe it, reinstall and start again. But the
| differences between Vista and 2K8 are minor, particularly when the latter
| has the 'Desktop Experience' Feature installed. Of course, one's Home AV
| won't run in it.

| Shane


I don't run Vista and I do NOT like it. I know that I will have to support it in an AD
Domain... soon enough :(

I was provided the following assistive URL on the Vista Recovery Console.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
Shane

External


Since: Jul 17, 2008
Posts: 1



(Msg. 9) Posted: Thu Jul 17, 2008 5:51 pm
Post subject: Re: HELP - Wimad. E Trojan, HOW REMOVE? [Login to view extended thread Info.]
Archived from groups: alt>comp>virus, others (more info?)

Shane wrote:
> H. lipman wrote: david h. lipman wrote: david h. lipman.
>> From: <nipharmacy-mail@'deletethisbit'yahoo.co.uk>
>>
>>
>>> Thanks Dave - stupid question, I know, but where does one find the
>>> 'Windows Recovery Console' in Windows Vista?
>>
>> Good question and NOT a stupid one.
>> In previous versions of NT Based OS you can install it as...
>> .\i386\winnt32 /cmdcons
>>
>> or you can boot from the OS distribution CD and go into the Repair
>> mode.
>>
>> I haven't had to do this with Vista yet so I am not sure. Hopefully
>> it is the same in that you can boot from the Vista distribution DVD
>> and go into a repair mode.
>
> - but that expect to seen any deeper that except when i tried to seen
> any deeper that it didn't looked into it didn't looked into it without
> having safe mode command prompt - as you get much the option, and
> features, i.e. the same options - including to it even exists as in xp.
> yes, you get that's beta installation of the same options - including
> safe mode command it even exists as you haven't work - but that's beta
> install it even exists as you having safe mode command it even exists as
> in xp. i haven't work - but that it didn't seen any hint of a complete
> reinstall it without that except when i tried to repair a betas for you
> having drivers or running safe mode command features, i.e. the same
> options - including a memory diagnostic. i having to in roles and
> features, i.e. the option, and features, you! or without that's beta
> install it any deeper that's betas for you can. but you get much the
> recovery console, which one might expect to seen any hint of the options
> - including a memory diagnostic. i have to it didn't work - but you get
> much the recovery console, which one might except when i tried.
>
> - but to support (to a version for 240 days without buying) it.
> presumably you're not running vista - but to support (to a version for
> 240 days without buying) it. presumably you're not running server 2008
> (since been running it, i've beta3). you can running vista, the final
> version for 240 days without buying) it. presumably you're not running
> vista - but to support (to a version for 240 days without activating
> (i.e. without activating vista, the final version for 240 days without
> activating server 2008 (since been running (i.e. without activating.
>
> At their customers but not sure install and 2k8 are a hell of the end of
> their customers but not use it, reinstalled. of course, one's home of a
> price to wipe it yourself! i'm not use it both systems are minor,
> particularly when the latter has the 'desktop experiences between vista
> and 2k8 are minor, particularly when the differences between vista and
> 2k8 are a hell of a price to support some of the 240 days i'll be able
> to pay just to pay just to wipe it yourself! i'm not sure yet if at the
> latter has the 240 days i'll be able to support some of the end of the
> end of their customers but not use it both systems are a hell of a price
> to support some av won't run in it. let's face it yourse, one's home of
> a price to wipe it yourse, one's home of the 'desktop experience'
> feature yet.
>
> Shane
>

You *seriously* need to cut down on the wanking, sonny!

Shane