PDA

View Full Version : wowexe.exe question



SurferJoe46
21-10-2005, 04:08 AM
Found a strange thing in Task Manager this am...

_wowexe.exe (there is a blank space signified by the underscore in the name....)

Any ideas what this might be?

Seems I have a lot of slow-down and cannot get AVG to update...going to get the rest of my anti-stuff running...in the meantime, any ideas?..

roddy_boy
21-10-2005, 04:16 AM
Googling says its either Windows on Windows, an application to run 16bit processes on XP, or a trojan. I'd say get them anti-vir/anti-malware stuff running, and run a Hijackthis scan to see what that comes up with.
HTH
roddy

SurferJoe46
21-10-2005, 07:52 AM
Could I have a 16 bit program running that isn't in the regular XP configuration that requires this _wowexe.exe?

Wondering how to detect and see just what things are 16 bit.

SurferJoe46
21-10-2005, 07:54 AM
BTW:

I ran Spybot, SpywareBlaster, AdAware, M$'s AntiBeta, got a live scan from McAfee and ran and scanned HJT...no baddies there!


Hmmmmmmmmmm

Speedy Gonzales
21-10-2005, 08:06 AM
Have you noticed any slowdown in anything you're doing on the PC??

Any programs hanging??

SurferJoe46
21-10-2005, 08:18 AM
OH..YES!


Boot takes a little over 5 minutes and the splashes repeat a couple of times...then I cannot get AVG updates....but everything checks out OK..

Hope this isn't another timebomb like the last time. I got CIH.W95.damaged last year, and had to reflash bios and can 4 200 gig hdd's.


I ran a linespeed test, and came back with 5606 down / 1877 up..within limits for a weekday here.

HJT and Microsoft's Baseline Security say all is OK.

Anti stuff is all checking out OK too...except for AVG..and this is another strange-o thing...I cannot get to Grisoft's site..it times out every time, but other internet stuff is running ok. Could be a selective shut-down virus?

I DID notice last night it tokk me repeated posts to get a single post..er..posted to F1.

SurferJoe46
21-10-2005, 08:19 AM
*took

Speedy Gonzales
21-10-2005, 08:38 AM
Hmm doesnt sound too good, if it takes 5 mins. Post a HJT log here.

Remember to UNZIP the hjt file, and put it in its own folder, before u run it.

Rob99
21-10-2005, 08:46 AM
I would give the stinger (http://vil.nai.com/vil/stinger/) a go.

mark c
21-10-2005, 10:41 AM
http://www.alegsa.com.ar/Visitas/index20/What%20is%20_wowexe%20exe.php

There's are forum with the same question and an answer. As said above "window on windows exe" for runnig 16 bit applications.

SurferJoe46
21-10-2005, 03:21 PM
Hmm doesnt sound too good, if it takes 5 mins. Post a HJT log here.

Remember to UNZIP the hjt file, and put it in its own folder, before u run it.

OK..got a HJT for you:


Logfile of HijackThis v1.99.1
Scan saved at 8:18:12 PM, on 10/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Mixer.exe
D:\SECURITY AREA\gcasServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\SECURITY AREA\gcasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
D:\SECURITY AREA\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\wscntfy.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Sony Handheld\Hotsync.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\MSN\MSNCoreFiles\msn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopMail.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\SECURITY AREA\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = On Internet Explorer! Careful!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\SECURI~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: CBHO Object - {CBA74CDA-DF78-4AD9-954E-3B15D0A993DE} - D:\SECURITY AREA\SpoofStick\SpoofStickBHO.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: SpoofStick - {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - D:\SECURITY AREA\SpoofStick\SpoofStick.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [gcasServ] "D:\SECURITY AREA\gcasServ.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [DELUXECC] C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\SECURITY AREA\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - Startup: HotSync Manager.LNK = C:\Program Files\Sony Handheld\Hotsync.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113003336543
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} (Autodesk Dwf Viewer Control) - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab
O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnwebinstall/includes/vzWebIns.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

Speedy Gonzales
21-10-2005, 05:55 PM
OK boot into safe mode. Tick these. Tick fix checked. Reboot.

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnw...es/vzWebIns.CAB

See if its any better then.

SurferJoe46
22-10-2005, 03:26 AM
OK boot into safe mode. Tick these. Tick fix checked. Reboot.

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O16 - DPF: {D06A22B4-6087-4D3D-B7AF-82B113E9ABD4} (CPostLaunch Object) - http://www2.verizon.net/update/msnw...es/vzWebIns.CAB

See if its any better then.

I tried clicking off the Verizon updater,

{D06A22B4-6087-4D3D-B7AF-82B113E9ABD4}

and it got mad and would not let me back online.....hadda use another puter on my LAN to get the updater dnloaded and shared the file and got back on again..I think it's kinda necessary. Verizon is my ISP.

The other one:

According to CastleCops Security site,

018 - Protocol:msmin is a mistaken "missing" evaluation. msgrapp.dll (often incorrectly listed by HijackThis as missing) and is legitimate as: MSN Messenger 7.5, which I use..it is a Beta version. :D



BTW: this AM everything is running just fine, although AVG is still dead :mad: ...but I don't think I should use AVG as a benchmark until they fix their problem anyway.

Still had a double boot this time...I might have to go after my online e-mail scanner and see if it's screwing up my systems...because MSN Mail always has these neat little pop-ups that till me that I have mail even though I haven't gotten to the actual MSN sign-on yet.

Just wondering here if AVG/Grisoft was trying to access auto-updates while I was experiencing the big delays in my system...what do you think? Now, there is no traffic (not much anyway) on my DSL Moden nor is there much activity on my Router...the duty lights are pretty steady, not blinking madly like yesterday.

Speedy Gonzales
22-10-2005, 06:54 AM
Oops, sorry bout telling u to delete the 1st one then :D

Umm, dunno anything about AVG. I dont use it myself. Maybe someone in the forum, who does, maybe able to help you out, with that one.

SurferJoe46
22-10-2005, 03:59 PM
No prob, Speed..I had a lot of fun getting it back and had a little lifeboat drill using the file-sharing from puter #2 to puter #1...lol....

Even though things look better and AVG is up and running again, I still find that F1 is very slow accepting my posts, and it takes forever to refresh the page too. :groan:

Can anyone there in NZ-land get a fresh squirrel for the F1 generator? Seems as though the old one is running too slow. I'd be more than happy to bring a US Prairie dog..they run forever and for less than a squirrel with all the nuts and twigs they need. :rolleyes:

BTW and 'WAY off topic: I got some nice NZ grazed mutton today at a speciality meat dealer. ...I love mutton, the older and stronger the better!

The regular butchers here try to sell the US corn-fed crap..NO FLAVOR AT ALL! Most Americans can't stand the smell and flavor of lamb. That means there's more for me!

I want my lamb and mutton to smell up the whole neighborhood when I cook it. :eek:

Can't get enough of the real thing!