Saturday 22 June 2013

wow.dll right click error

So i got a malware issue with one of our users recently with a unique twist. She had scanned for and removed malware using malwarebytes following a techs intructions, but whenever she right clicked any file in windows 7 she got the error:



and it also came up whenever she logged into her PC:

a rudimentary glance at the current processes revealed that the process causing this was
rundll32.exe in C:\Windows\SysWOW64.

But further digging with the process explorer revealed that the svchost process was invoking rundll32.exe in order to keep executing this. I ran roguekiller and was immeditely able to find and kill the process,  Since this was only occuring on right click i checked the shell context handlers in the registry:
and found this one with apparently no data:


intrigued i ran shellexview from nirsoft and checked context handlers and found this:


Double clicking on it revealed the cleaned out wow.dll which it was pointing to and not finding:


but deleting this key brought it back after a reboot, so i searched using the CLSID available here and found its startup key  HKEY_CLASSES_ROOT\Wow6432Node\CLsID\fbebsaOs-beee-4442-so4e-4o9d6c451 5e9):

and deleted it which got rid of it.

an update, Eddie from IEEE also had this issue and he was able to get rid of it by following this article, he very kindly let me have the roguekiller logs:


¤¤¤ Registry Entries : 8 ¤¤¤
[HJ POL] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][SUSP PATH] HKCR\[...]\InprocServer32 :  (C:\Users\ERABIN~1\AppData\Local\Temp\sdterwm\suqatpo\wow64.dll [-]) -> FOUND
 
thank you Eddie.

10 comments:

  1. Thanks a lot for the information! I followed your instructions and found the same CLsID {fbeb8a05-beee-4442-804e-409d6c4515e9} for WOW6432Node. However regedit would not allow me to delete this key. How can I get rid of it?

    ReplyDelete
  2. I think it may be due to 2 reasons,one the process might already be running and causing this key to be in use(in my case it was rundll32.exe) end this with the task manager and try to delete the key . two: you may not have permissions on that registry key to delete it, to take permissions to that key use these directions:

    1: Right-Click the protected key in question. From the context menu that appears, Select Permissions…
    2: In the Permissions window that appears, Click Advanced.
    3: Click the Owner tab and Select your username from the list.* Now Check the Replace owner box and Click Apply.
    4: Click the Permissions tab and then the Add… button. In the Select User window Type your username into the white box and Press OK.
    5: A new Permission Entry window should pop-up, just Check the Allow Full Control box and Click OK.
    6: Back on the previous window your username should be on the list with Permissions set to Full Control. Now all that is left to do is to save and exit all open windows by Clicking OK a couple times.

    You should now be able to delete it, if it is still not removed i would suggest running a few malware removal tools, such as Rogue-Killer, malwarebytes, Hitman Pro or Kaspersky Virus Removal tool first. and then trying the steps to get rid of the error.

    ReplyDelete
  3. Thank you so much! I also followed your instruction and deleted the key.

    ReplyDelete
  4. Well, shellexview finally got rid of it on right click for me, but I still get one every time I startup D=

    Thanks for this thread, wish google would link this instead of useless crap responses from MSDN.

    For clarification purposes, "searching" for the CLSID is also done in shellexview, just right click the entries with that red boarder and select: "Open CLSID in RegEdit", ctrl-f, paste in the key without { }'s, right click + delete (it took me a while to figure this out).

    I can live with the startup error, every click with a popup was getting annoying. Thanks.

    ReplyDelete
  5. It worked. Many thanks!!!
    Apart from in shellex\contextmenuhandlers, I found fbebsaOs-beee-4442-so4e-4o9d6c4515e9 in shellex\folderextension.

    ReplyDelete
  6. Worked for the most part- Had to apply the permission instructions you provided to remote the key from 3 other locaions with the registry. User is only receiving the error upon logging in now.

    ReplyDelete
  7. Just followed this, but I'm still having the issue after deleting {fbeb8a05-beee-4442-804e-409d6c4515e9} at HKEY_CLASSES_ROOT\Wow6432Node\CLSID.

    I can't find any other instances in regedit, and I followed your steps and verified that indeed that key is referenced in ShellFolder for CD Burning in ShellExView.

    Not sure what else could be the cause of the issue if not that key. Anything that I could do to fix this past that?

    ReplyDelete
  8. Try running ROguekiller, the reference key is usually the tip of the iceberg,
    I'd start with roguekiller and if it doesn't catch something we can move to something else.

    http://www.bleepingcomputer.com/download/roguekiller/
    and instructions at :
    http://tigzyrk.blogspot.in/2012/11/en-roguekiller-official-tutorial.html

    ReplyDelete
  9. This comment has been removed by the author.

    ReplyDelete
  10. I have had this precise issue for months and months and it is annoying. Malwarebytes and Search and Destroy wouldn't find it, Avast found it and couldn't gain access, Roguekiller freezes upon finding it, so since it is a right click error I can get around it by using ctrl+ commands. I am really going to have to read through this again as alot of it goes past me. I'm an advanced computer user but basic lobotomist when it comes to programming. Any gentle reader who can hold my elbow would be greatly appreciated. I would do basic searches and then try and then fail.
    My particular right-click error is "There was a problem starting C:\users\philnew\appdata\local\temp\sqsbcbv\sobafcq\wow.dll" A Dynamic link library initialization routine failed. Avast noted another file with wow64.dll as well.

    ReplyDelete

Detect autopilot session

  Ensuring that some apps only install during autopilot is not easily accomplished, you can use the below powershell script as a requiremen...