• File cwjv.wmo

    #464983

    Some time ago I wound up with the file cwjv.wmo in my C:\Windows\system32 directory. I found that it was a malware file of some kind and I deleted it. Now whenever I boot some program is trying to find it and I can’t figure out what that something is. I get the message “file cwjv.wmo not found”. I would really like to get rid of whatever is looking for the file if someone can help.

    Thanks,
    Kent Sinkey

    • #1192712

      What anti-virus and/or anti-malware are you running?

      Start > Run
      msconfig
      and click on the Startup tab. Can you see anything you don’t recognise there?

    • #1192791

      SuperAntiSpyware claims to be able to remove this and there is a free version of the program.

    • #1192802

      I have tried Panda Cloud, Microsoft Security Essentials, Avira, AVG, SuperAntiSpyware as well as the Pro version. I’ve looked in Process Explorer and my start up programs. Actually I’ve done everything I can think of with no good result. I even tried Trend Online scan which left a lot to be desired. Nothing seems to find the program which wants to load cwjv.wmo. However, I don’t know everything and that’s why I’m asking for help.

      Cheers!!! Kent

      • #1192930

        Try using Autoruns for Windows. See the Logon tab. If you’re not sure of what you see there post a screenshot.

        Joe


        • #1192969

          Dear JoeP,
          I downloaded and ran Autoruns as you suggested. I found two entries that showed “file not found” so I unchecked both of those and rebooted. The error message did not show up. Is that all I have to do? I have attached a screen shot.

          Thanks, Kent

          • #1192993

            Hello,
            I’m not Joe, but have some comments.
            Autoruns is a good tool, in cases like this; I was going to suggest it earlier, but I thought that Leif’s first suggestion was a good start, something to check (since the System Configuration Utility, msconfig, is there on all PCs, if only meant as a simple troubleshooting tool. However, it only shows some run entries in the registry and the files).

            You have found a “cwjv.wmo” entry in the Shell key; it should be removed/disabled. The bad entry probably looked something like this: rundll32.exe cwjv.wmo htvss.

            The rundll32.exe entry is also a bit odd in the Winlogon shell key, I think. It is a valid system file. It’s used to execute a DLL, so nothing wrong with that, but it may have been used by malware.

            NOTE: Please note that “Explorer.exe (Windows Explorer) C:\windows\explorer.exe” should be there, and must be there. I think you know this, just be careful if you remove or disable something from the shell key.

            If you uncheck a registry entry in Autoruns, the entry is moved to a sub key in the registry, and thus it will not be executed at logon. Autoruns can restore it, if you check the box again. To remove the entry from the registry, check the box, right-click and select Delete.

            As usual, when working with the registry, it is good to have a backup of the registry key before making changes. One should not change things there unless one knows what the result will be.

            The logon tab in Autoruns is the most commonly used. Usually it’s a good idea to hide Microsoft and/or Windows entries (Options menu + a refresh) to filter, zoom in, on the other entries.

            Some sections on the Logon tab are very important for the PC and should generally speaking never be touched: Userinit (never touch that one) and Shell. Changes in the run keys and the startup folder, on the other hand, can affect installed software (or the OS in a minor way). In your case you have some extra entries in the shell key that I think can be disabled/removed (I would just keep the important “Explorer.exe”.). You can wait and see if there are other opinions.

            Malwarebytes’ Anti-Malware is also known to be good with such malware. But now it seems like you have most, or all, removed.

            BTW: not all “File not found” entries in Autoruns are bad or leftovers from some software uninstalls. In the case of some driver entries, they are there in the registry in case they are needed by the OS and the software.
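
Added example, not part of the original posts: a read-only PowerShell check of the Winlogon Shell and Userinit values discussed in the reply above, flagging any entry other than the stock explorer.exe and userinit.exe. The function name Test-WinlogonValue and the sample Shell string are constructed for illustration; the sample follows the entry the reply guesses at.

```powershell
# Read-only audit of the Winlogon Shell and Userinit values (added example).
# Nothing is modified; entries that differ from the stock values are marked 'Review'.
$WinlogonPath = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Stock values: bare name or the full path under the Windows directory.
$Expected = @{
    Shell    = @('explorer.exe', "$env:SystemRoot\explorer.exe")
    Userinit = @('userinit.exe', "$env:SystemRoot\system32\userinit.exe")
}

function Test-WinlogonValue {
    param(
        [Parameter(Mandatory)][ValidateSet('Shell', 'Userinit')][string]$Name,
        [Parameter(Mandatory)][AllowEmptyString()][string]$Data,
        [string]$Source = 'sample'
    )
    # The value is treated as a comma-separated list; each entry is "program [arguments]".
    foreach ($entry in ($Data -split ',')) {
        $entry = $entry.Trim().Trim('"')
        if (-not $entry) { continue }   # Userinit normally ends with a trailing comma
        # -contains is case-insensitive, so 'Explorer.exe' matches 'explorer.exe'.
        $status = if ($Expected[$Name] -contains $entry) { 'Expected' } else { 'Review' }
        [pscustomobject]@{ Source = $Source; Value = $Name; Entry = $entry; Status = $status }
    }
}

# Constructed sample modelled on the entry described in the thread.
Test-WinlogonValue -Name Shell -Data 'Explorer.exe, rundll32.exe cwjv.wmo htvss' -Source 'constructed sample'

# Live check of the machine-wide and per-user keys (a per-user Shell value is normally absent).
foreach ($hive in 'HKLM:', 'HKCU:') {
    $key = Get-ItemProperty -Path "$hive\$WinlogonPath" -ErrorAction SilentlyContinue
    foreach ($name in 'Shell', 'Userinit') {
        $data = $key.$name
        if ($null -ne $data) { Test-WinlogonValue -Name $name -Data $data -Source $hive }
    }
}
```

An entry marked Review is a prompt to look at it in Autoruns, not a verdict; back up the key before changing anything there.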

            • #1192994

              Thank you. I have deleted the entry. It was a bit strange, when I would open Autoruns, Avira would show a virus until I either unchecked or removed the entry. Anyway, I’ve learned some new stuff and I appreciate your assistance. Have a Merry Christmas, everyone.
              Kent

    • #1192840

      The cannot find message is probably because the registry still points to the deleted file and is trying to run the cwjv.wmo file.

      I’d suggest running CCleaner to scan the registry and to remove the orphaned entries. This should solve your problem, especially since none of the programs you mentioned (SuperAntiSpyware etc.) find the virus any longer.

    • #1192877

      Agreed. CCleaner’s registry cleaner has a backup utility to back up the registry before scanning or changing anything and you can selectively remove the items it finds. I would give it a try and see if it clears the orphan from the registry or .dll that is calling that file.
