Avast WEBforum
Other => Viruses and worms => Topic started by: JerroldNik on June 08, 2010, 05:23:26 PM
-
I'm brand new to Avast. Windows XP. I installed Avast after running a full MalwareBytes removal process.
Avast immediately ripped out msdpjpkn.dll and put it in the chest.
Now many programs won't run as they say that this file is missing.
Amongst those affected: Firefox, Gimp, Acrobat, and then some Windows ones: dwwin.exe and dw.exe.
I am not an advanced user.
Can anyone advise me on this?
Thanks,
Jerrold
-
What was the location of this file, e.g. (C:\windows\system32\infected-file-name.xxx) ?
What was the malware name given on the detection ?
The only hit on this file name (which looks randomly generated) is for this topic, which for a dll is somewhat suspicious.
There may well be some hooking by this file to those other affected programs, a registry key remaining.
If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should product a log file).
- 1. MalwareBytes Anti-Malware (MBAM), On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe (http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe), right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
- 2. SUPERantispyware (http://www.superantispyware.com) (SAS). On-Demand only in free version.
Don't worry about reported tracking cookies they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie (http://en.wikipedia.org/wiki/HTTP_cookie).
Also available a portable version of SAS, http://www.superantispyware.com/portablescanner.html (http://www.superantispyware.com/portablescanner.html), no installation required.
-
Hi - thanks!
Here's what info I have:
Original file name: msdpjpkn.dll
Original folder: C:\WINDOWS\SYSTEM32
Size of file: 144932
Last modification: 02/05/2003
Time of transfe...: 07/06/2010
Category: Infected files
Virus description: Win32:Trojan-gen
File ID: 1
This was my work computer so I had to get these things working. I have subsequently:
1) Restored the file
2) Removed Avast prior to rebooting (as when I Restored and then rebooted - it just yanked it again)
3) Re-installed Firefox
4) The other programs are working fine now.
I had use MalwareBytes prior but will use the Superantispyware as well - thanks!
I would like to get back with Avast (as I have no virus protection) - but must wait until I can figure out how to prevent this from happening again.
Any help would be... helpful. :)
Thanks,
Jerrold
-
can you upload the file to www.virustotal.com or www.virscan.org when you have the result, copy the URL in the adressbar and post it here
-
Hi - thanks!
Here's what info I have:
Original file name: msdpjpkn.dll
Original folder: C:\WINDOWS\SYSTEM32
<snip>
Virus description: Win32:Trojan-gen
This was my work computer so I had to get these things working. I have subsequently:
1) Restored the file
2) Removed Avast prior to rebooting (as when I Restored and then rebooted - it just yanked it again)
3) Re-installed Firefox
4) The other programs are working fine now.
I had use MalwareBytes prior but will use the Superantispyware as well - thanks!
I would like to get back with Avast (as I have no virus protection) - but must wait until I can figure out how to prevent this from happening again.
<snip>
I find it even more suspicious that a file in the system32 folder doesn't get any hits (other than this topic) on a search.
So I do feel that the detection is good, but the problem really does look entries in registry hooked to this file when those others start, so I was kind of hoping that MBAM and SAS might find these redundant registry entries and correct/remove them. Ensure that you have the latest updates for MBAM and SAS before running another scan.
- Also useful as a diagnostic tool - FileHippo Download - HiJackThis (http://filehippo.com/download_hijackthis/) and post the contents of the HJT log file here. - HJT Information HiJackThis Tutorial (http://www.bleepingcomputer.com/forums/tutorial42.html).
Download and run HJT and post the contents of the log file (attach the log file) into this topic.
This may hopefully find the run commands that relate to this file name, etc. and hopefully we can remove that
-
Sounds like it may be hooked into either userinit or the shell, this would stop the related programmes running
-
Thanks for the timely intervention, as I'm not to sure HJT may show this hooking if it is more complex and if hidden it may require your tools to root it out ;D
-
If it is the userinit then HJT should see it - if it is the shell or IFEO then it won't
I have subscribed to the thread ;D
-
Thanks, now we need an update from JerroldNik.
-
I am very impressed with the volume and quality of responses. I can also feel the interest by the group in what may be something you haven't seen before.
My thoughts were that it was a random file other than it popping up as missing for all the different programs.
Again, they did start working again once I let the file loose.
I would really appreciate it if you folks would agree on one course of action for me to follow. Step by step if you would as I really cannot afford the downtime without the computer. Today's efforts probably cost me 6 or 7 hours of frustration.
If no-one jumps in on that, I will just carry out your recommendations - then await someone's direction prior to re-installing Avast.
My brother-in-law is the main tech-help guy at a local university. He recommends Avast to all offsite users. Just thought you'd like the plug.
He doesn't have the background that you folks seem to have and gave this forum the nod.
Thanks again, Really,
Jerrold
-
Letting the file loose really is the last thing that you want as we have said it is hooking these other files either from the userinit or the shell as essexboy said.
There is no disagreement as such, we still want you to run the applications mentioned MBAM plus SAS and report their findings. Then followed up by posting the contents of the hijackthis log file so we can see what is running on your system, e.g. if the userinit section is what is being used by msdpjpkn.dll to hook the other files.
Then we can give more detailed instructions, but to do that we need the reports, etc.
-
You're gonna love this.
I had already done the MBAM procedure. Updating that and running it again provided no new results.
I installed SAS, updated and ran that.
Luckily, I did a PrtScn and pasted the image onto a Word Doc. You'll find out why I say "luckily" in a moment.
Results:
Processing: C:\WINDOWS\SYSTEM32\MSDPJPKN.DLL
Processing: C:\WINDOWS\SYSTEM32\MSDPJPKN.DLL
Processing: C:\WINDOWS\N1260CP.EXE
Processing: C:\WINDOWS\N1260SM.EXE
Removing: PID (63438944) C:\WINDOWS\SYSTEM32\MSDPJPKN.DLL
Removing: C:\WINDOWS\SYSTEM32\MSDPJPKN.DLL
Removing: C:\WINDOWS\N1260CP.EXE
Removing: C:\WINDOWS\N1260SM.EXE
Now for the funny stuff.
Once again, those specific programs will not load because of a "missing component" further detailed as "missing MSDPJPKN.DLL". But now add to the list of programs - SUPERAntiSpyware!
That's right - I couldn't even print you the log sheet if I wanted to because the program won't open.
Now I can't even reload the file because the program that ripped it can't open.
This is a big issue because everything I send (estimates, quotes, pricing, order acknowledgments and invoicing is sent as PDF, I am essentially grounded.
My next step (as I must do something while waiting to hear back from you guys) is to turn off SAS (as it doesn't work anyway, and try to run the next thing in the list above - HiJackThis.
Hopefully it will work. :)
Later,
Jerrold
-
In order to do the VirusTotal.com or virscan.org scans - I need the file.
Once SAS has ripped the file - is it gone or is it in a vault somewhere? If you can tell me where to find it, I'll do the scans.
Thanks,
Jerrold
-
Okay fellows, I've done the HiJackThis sweep and have posted the results below. No further action has been taken.
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:05:07 AM, on 09/06/2010
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: THotkey - TOSHIBA Corp. - C:\WINDOWS\SYSTEM32\THOTKEY.EXE
--
End of file - 3761 bytes
-
I see that you need to update your system as Acrobat 5.0 is very down level and vulnerable to infection as V9.3 is the current version.
Windows has not been kept up to date as SP3 has been available for almost 2 years and Microsoft will stop support for old versions shortly.
Internet Explorer (IE) V6 is very vulnerable to infection and IE is now at V8.
You need to remove all of Norton (Symantec)
Download and run the Norton Removal Tool
http://service1.symantec.com/support/tsgeninfo.nsf/docid/2005033108162039
-
Acrobat 5.0 is in use because it does the job and I'm not in the financial position to replace it. Last time I checked, that was around a $600 hit. If this is indeed a major issue - DavidR please confirm and I will "consider" that investment.
Service Pack 2 is because this version of Windows was installed by unconventional means. I can probably use the code from my tower's XP Pro now that I am half a year into it, but, as an average user, am not positive on the steps required to achieve this.
IE is ONLY in use because Firefox doesn't work because of the problem that is being discussed. I'd think that would have been obvious. :)
Although Acrobat 5.0 or Service Pack 2 may have contributed to the origin of the problem. I don't see how their being present affects the cure. Maybe it does. I'm certainly no expert. DavidR, please confirm that this problem cannot be fixed while they are present and my actions will take an entirely different approach.
-
Removed Symantec.
Didn't know anything was on there. Used to use WinFax (most recently) and way back used AntiVirus.
I can't remember, but I'm sure I experienced problems with IE 8. I pay it no attention though because I use Firefox. I can update IE I suppose, but there may be issues with Service Pack 2.
After removing Symantec - HiJackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:18:40 AM, on 09/06/2010
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [Printing Migration] rundll32.exe C:\WINDOWS\System32\spool\migrate.dll,ProcessWin9xNetworkPrinters (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: THotkey - TOSHIBA Corp. - C:\WINDOWS\SYSTEM32\THOTKEY.EXE
--
End of file - 3561 bytes
-
And now Outlook is not working right either. This is not good.
Frustrating because everything was fine until I started screwing around with that file... a result of Avast (which was correctable) and then SAS (which does not seem to be correctable).
-
This is one of the shortest HJT logs I have seen for XP and suspect there could well be something hiding other entries.
Currently your system is bit of a security nightmare, with so many elements out of date, you still have XP and zero XP SP updates at all. This limits the IE browser version you can use IE6, the problem being that IE is an integral part of the OS leaving that vulnerable also. I also believe that your JAVA version is also out of date as some of the CLSID and file names are related to old versions.
You can't use IE8 because it requires a minimum of XP SP2 (or possibly (SP3) to be able to install it, so that may well have been your problem. I believe there is even a minimum SP for IE7, so your stuck until you update your OS and that is a catch 22 as you really can't update your OS if the system is infected.
Plus those mentioned by YoKenny, the date for end of security update extended support of XP is July 2010, yes next month if you haven't got SP3 installed.
All of which, leaves your system more vulnerable to exploit - I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/ (http://secunia.com/software_inspector/).
I don't see any mention of msdpjpkn.dll in the hijackthis log, but that doesn't give me confidence there isn't something hiding it and will probably need essexboy's tool bag to root it out. Having said that, given the security state of your system I don't know how successful this is likely to be.
-
And now Outlook is not working right either. This is not good.
Frustrating because everything was fine until I started screwing around with that file... a result of Avast (which was correctable) and then SAS (which does not seem to be correctable).
Sorry but everything was not fine, your system is way out of date security wise and it is infected, the result of the infection being removed has broken redundant registry entries screwing the other programs it was hooked into.
-
DavidR, thank you for being patient and understanding what my frame of mind is. Although I appreciate that this old bag of a computer was not in great shape - it worked. Had I left well enough alone after doing the MBAM I'd be okay - but of course I wanted to get an Anti-Virus on it.
That, in turn, has revealed the current sorry state of affairs.
Rather than spending a ton of money on this old ratbag of a computer - I'll just go buy a new one. Doesn't help me right now though. Plus - there is so much on this computer that is vital (which I can't use) that this makes it not such an easy endeavor.
So - can I retrieve that file from SAS or not? Has it been deleted from the computer or is it in some vault somewhere?
Java is: Java(TM) 6 Update 20
XP does have SP 2 on it.
I'm thinking that there is no mention of the nasty file because SAS ripped it.
I don't know.
So - have you guys got any idea what this is that has done this to me - or has it just been dismissed as "serves you right" for a bad system?
-
Secunia wouldn't work. According to their literature, I'd assume it is due to the "illegitimate" condition of the OS.
I can understand if this group is not interested in working on this any further - given the "state" of affairs. But I am hoping that some amongst you will be curious in getting to the bottom of it.
Hopeful,
Jerrold
-
SAS has a Quarantine section, in the Main window (double click the SAS tray icon), Manage Quarantine. That will allow you to restore the file, but believe me that is restoring an infected file. All you would be doing is treating the symptom (the errors as a result of the removal of the file) and not the disease, the infection itself. The associated registry entry which is calling for the loading of this file and because of the file being in quarantine, the error displayed.
So it will require more powerful tools to get to the bottom of this, which essexboy has in his tool-kit.
-
Interesting.
Although I kept getting pop-ups that SAS couldn't open - it did. With some of the other programs, after finally opening they just failed and closed automatically. SAS did not do that.
Upon looking into the Quarantine area (sorry for the stupidity), it lists the items as:
Rogue.Agent/Gen-Nullo[EXE]
-C:\WINDOWS\N1260CP.EXE
-C:\WINDOWS\N1260SM.EXE
Trojan.Agent/Gen-Uphov-C
-C:\WINDOWS\SYSTEM32\MSDPJPKN.DLL
-C:\WINDOWS\SYSTEM32\MSDPJPKN.DLL
(two instances of that one)
I can appreciate your concern. I am thinking that for now - I will restore the nasty files so that my computer works. I have to earn an income...
Then I'll pull what I can for data (I'll get someone to help me do this - cause I don't know how) onto my tower.
Then I'll wipe the box clean and start from scratch with a legit XP. SP3 it and go from there.
When I pull the data back in, I'll scan it.
Can you please shoot me a list of the procedure that you would do?
For instance:
1. Transfer data (how to do it safely for the receiving tower)
2. Format box
3. Install which components for safety
4. Install (current) versions of software(s)
5. Reload data through scans
Also, I've never done the backup thing or the system restore. Any quick advice on that and what to use/when?
Can I throw some software versions at you so that you can tell me if I must upgrade them?
Tired of me yet?
Jerrold
-
Alright. I restored it - don't shoot me.
Then I found the file and uploaded it into the scanners you wanted. Here are the URLs for the results.
VirusTotal:
http://www.virustotal.com/analisis/137a88278cd071dd7b8bac7443e4972b29c6abb91ee0b1c44bfd3312ba33f4f2-1276103634
Virscan:
http://virscan.org/report/9f859b05c76d0cd4f46a3cb99e80a7be.html
-
Well it is pretty conclusive, it is malware, I also suspect that this comes with a rootkit to hid other elements and try to prevent their removal.
For that we are going to need other tools from essexboy.
Sorry I don't have a list of things to do to start from scratch, it isn't quite that simple as your list:
1. Transfer data (how to do it safely for the receiving tower)
2. Format box
3. Install which components for safety
4. Install (current) versions of software(s)
5. Reload data through scans
-
Well - I'd be surprised if it were so simple.
I'm sure that I will eventually get a new box, but in the meantime - what are the next steps with essexboy?
-
First he has to get back to the forum, he like myself doesn't work for Avast so he works also, so helps in his free time. He is in the same time zone as me so he will possibly only have got back from work.
-
OK that is definitely hooked within the system, now it is just a matter of determining where it is hooking
(http://www.geekstogo.com/misc/guide_icons/gmer.png) GMER Rootkit Scanner - Download (http://www.gmer.net/gmer.zip) - Homepage (http://www.gmer.net/)
- Download GMER
- Extract the contents of the zipped file to desktop.
- Double click GMER.exe.
(http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif)
- If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
- In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
- IAT/EAT
- Drives/Partition other than Systemdrive (typically C:\)
- Show All (don't miss this one)
(http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg) (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it
- Then click the Scan button & wait for it to finish.
- Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
- Save the log where you can easily find it, such as your desktop.
**Caution**Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOKIT" entries
Please copy and paste the report into your Post.
THEN
Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select Scan all users
- Under the Custom Scan box paste this in
netsvcs
drivers32
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /180
%systemroot%\*. /mp /s
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.
- When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Due to forum restrictions please attach the logs to your post
-
I ran GMER 1.0.15.15281
Upon completion it stated:
"GMER hasn't found any system modification."
I haven't pressed [OK] yet.
I haven't continued with OTL either. Where is it located? Same website? I didn't check while I was there.
Thanks,
Jerrold
-
You can close GMER - to download OTL just click the red link above - or this one Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your Desktop