Won't update along with 2 viruses

Hello, Bitdefender has found these viruses:


File c:\windows\system32\msdddr.dll


infected with MemScan:Trojan.Conhook.C


It will also NOT UPDATE.


I have tried to update it several times and it will NOT update.


Thank you for your time and efforts.


* note *


I have gone into Safe Mode to try and delete both files but it won't let me.

Comments

  • Do you get an error message when you try to update BD?


    See if the trojan has added itself to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and delete any reference which points to the trojan. You can also open your task manager and see if there are any processes in memory related to the trojan.


    You could also try to start the computer in Safe Mode with command prompt. Then, you can try to delete the trojan from the command prompt.

  • FortonG
    I don't know how to use command prompt very well.


    Could you be a little more specific on this? THANK YOU for your response!

  • After you boot in safe mode with command prompt, type in the following command:


    del c:\windows\system32\msdddr.dll <ENTER>


    Then you can restart the computer (you can open the task manager by pressing CTRL+ALT+DEL and choosing Shut Down -> Restart).


    Regards, Andrei

  • FortonG
    Okay, one quick question: I won't be deleting the entire system 32 folder, will I?

  • Nope, you will only delete the file msdddr.dll. :)


    Post here if it worked, or if you can't delete the file.

  • FortonG
    I couldn't delete the file.

  • I'm not sure, but I think this trojan injects code in EXPLORER.EXE. Check if there are any instances of EXPLORER.EXE in memory (!! after booting in safe mode with command prompt). Also, check HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to see if there are any references to the trojan and delete them.

  • FortonG
    Here's what I see in regular Windows.

    [attached image: post-1569-1179934962_thumb.jpg]

  • khufu
    Try to use Unlocker to delete the file.

  • FortonG
    I also have a HijackThis log.

    [attachment: hijackthis_scanlog.txt]

  • Send me the file using a Private Message. Only Virus Researchers can download files attached on this forum.

  • Niels
    Hi Forton Graphics


    I suggest that you try the following:


    For your update problem.


    Go to Start, My Computer, click the icon of the hard disk where Windows is installed, then open the folder Windows and the following subfolders: system32, drivers, etc. Then right-click on HOSTS, choose Open, then choose WordPad MFC Application. The only reference that must be there is the one with 127.0.0.1 localhost. If there are others, just delete these lines. Then save the file. If you find other references, these are mostly created by malware to make it impossible to obtain updates or visit security sites, and also to redirect you.


    Also try this tool: http://www.handybits.com/download.asp?product=shredder Install it, right-click on the file and choose "Shred this file".


    I also recommend that you boot your PC into safe mode.


    Then scan with BitDefender. Go to Start, Run; at the Run dialog box type cmd and press Enter. Then type the following commands, each followed by pressing Enter:


    %SystemDrive%


    cd %ProgramFiles%\Common Files\Softwin\BitDefender Scan Server


    Here are the commands for how BitDefender must react to infected files:


    To disinfect the infected files type the command:


    bdc /files /boot /arc /mail /log=bdcscan.log /fixed /dis


    To quarantine the infected files type the command:


    bdc /files /boot /arc /mail /log=bdcscan.log /fixed /move /moves


    To delete the infected files type the command:


    bdc /files /boot /arc /mail /log=bdcscan.log /fixed /del


    Regards


    Niels
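
The hosts-file check described in the post above, written as a script (an added example, not part of the original post). The sample file and the `av-vendor.example` and `bank.example` names are constructed; on a real machine the input would be the contents of `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import ipaddress

# Constructed sample; on Windows the real file is
# %SystemRoot%\System32\drivers\etc\hosts
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1    localhost
127.0.0.1    update.av-vendor.example    # update server pinned to loopback
0.0.0.0      www.av-vendor.example
203.0.113.7  bank.example
::1          localhost
"""


def audit_hosts(text):
    """Return (line_no, address, names, reason) for every entry that is not
    a plain localhost mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()   # drop comments, split fields
        if len(entry) < 2:
            continue                            # blank, comment-only or bare address
        address, names = entry[0], [n.lower() for n in entry[1:]]
        extra = [n for n in names if n != "localhost"]
        if not extra:
            continue                            # the expected localhost line
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, extra, "malformed address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            reason = "name blocked (points at this machine)"
        else:
            reason = "name redirected to another host"
        findings.append((line_no, address, extra, reason))
    return findings


if __name__ == "__main__":
    for line_no, address, names, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {address} -> {', '.join(names)}: {reason}")
```

An empty result corresponds to the "only 127.0.0.1 localhost" state the post describes; any reported line is a candidate for removal.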

  • FortonG
    The hosts file is okay... only 127. is there.


    also do you mean


    \SystemDrive\


    cd \ProgramFiles\Common Files\Softwin\BitDefender Scan Server


    instead of ?


    %SystemDrive%


    cd %ProgramFiles%\Common Files\Softwin\BitDefender Scan Server


    so it would be


    C:\%systemdrive% [enter]


    C:\cd%programfiles%common filessoftwinbitdefender scan server [enter ] ?


    then this?


    C:\bdc /files /boot /arc /mail /log=bdcscan.log /fixed /del [enter] ?

  • Niels
    Hi Forton Graphics


    So you didn't find anything different than localhost after 127.0.0.1? If so, you may also delete these references, because then BitDefender can't get a connection to the update servers.


    If that fails take a look here: http://kb.bitdefender.com/KB18-en--Update-...#39;t-work.html


    You just have to enter the commands that I've written. So you don't need to change anything. Sorry that I wasn't clear enough. So after you have entered these commands:


    %SystemDrive% press enter


    cd %ProgramFiles%\Common Files\Softwin\BitDefender Scan Server press enter


    After that type: e.g. bdc /files /boot /arc /mail /log=bdcscan.log /fixed /dis press enter


    Or you can also try this: put in the installation disc of BitDefender and reboot your PC. Then you are also able to scan your computer before you are in Windows.


    Regards


    Niels

  • FortonG
    Tried that... in CMD % doesn't do anything...


    Also I tried that unlocker program. Win logon is there twice along with explorer.exe. I have tried to unlock them but it just shuts the system down.

  • Niels
    Then try my second suggestion. Did you try to delete the file with file shredder?


    Regards


    Niels

  • FortonG
    I tried all of what you suggested and nothing worked.. any other ideas?

  • Did you try using System Restore? You could also try to kill explorer.exe, and then choose run (from Task Manager) and then choose BD. Then try to make a full scan. Kill any process you don't need (except the ones needed by BD).

  • Niels
    Hi Forton Graphics


    It could be that the trojan has also infected a system restore point. Go to Start, My Computer, right-click on My Computer, choose Properties, System Restore, check the option "disable system restore on all stations (drives)" and confirm by pressing Apply and OK. After you have done that, uncheck the option again and confirm by pressing Apply and OK. Download Dr.Web CureIt: ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe


    If CureIt can't remove it, try this tool:


    http://www.malwarebytes.org/fa-setup.exe


    Drag and drop the msdddr.dll file onto the program, check "delete file" under "attempt FileASSASSIN", then press Execute.


    Regards


    Niels

  • vlad
    Boot your PC in safe mode. Run hijackthis again, check the following boxes and click fix:


    O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tmp84CF.tmp.dll


    O2 - BHO: (no name) - {51FB4A2A-A3FE-4F0E-8AA9-271B62C09E3F} - C:\WINDOWS\system32\msdddr.dll


    O4 - HKLM\..\Run: [bootService] rundll32.exe "C:\WINDOWS\fccbxw.dll",realset


    O4 - HKLM\..\Run: [infoData] rundll32.exe "C:\WINDOWS\nnkhhe.dll",realset


    O20 - Winlogon Notify: msdddr - C:\WINDOWS\SYSTEM32\msdddr.dll


    Reboot the PC in safe mode again.


    Save the following as runme.bat and run it (note: Notepad may add a .txt extension; set Explorer to allow you to see extensions for known file types and change it to .bat):


    :------------------from here----------------------
    @echo off
    rem Work from C:\_malware_ so that err.log and log.log are written there
    c:
    cd \
    md _malware_
    cd _malware_
    rem move is used because ren does not accept a path in the new name
    move C:\WINDOWS\system32\tmp84CF.tmp.dll c:\_malware_\tmp84CF.tmp.dll.xxx 2>err.log >log.log
    move C:\WINDOWS\system32\msdddr.dll c:\_malware_\msdddr.dll.xxx 2>>err.log >>log.log
    move C:\WINDOWS\fccbxw.dll c:\_malware_\fccbxw.dll.xxx 2>>err.log >>log.log
    move C:\WINDOWS\nnkhhe.dll c:\_malware_\nnkhhe.dll.xxx 2>>err.log >>log.log
    rem Clear the system, hidden and read-only attributes on the collected files
    attrib -S -H -R *.*
    :------------------up to here----------------------


    A folder called _malware_ should appear in C:\; archive its contents with the password infected and attach it here.


    If this doesn't fix the problem (which is possible, because it appears to inject itself in winlogon.exe and explorer.exe), it will be more difficult to get rid of, but still possible. Keep me posted on your progress.
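
The HijackThis entries listed in the post above, grouped by the file they load (an added example, not part of the original post). It shows that msdddr.dll is registered under two separate autostart mechanisms, so each registration has to be fixed before the file stops being loaded at boot. The `LOADERS` descriptions and the function names are this example's own.

```python
import re
from collections import defaultdict

# HijackThis section code -> how Windows loads the entry
LOADERS = {
    "O2": "Browser Helper Object (loaded by Internet Explorer)",
    "O4": "HKLM Run value (started at every logon)",
    "O20": "Winlogon Notify package (loaded into winlogon.exe)",
}

# The five entries quoted in the post above
LOG = r"""
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\tmp84CF.tmp.dll
O2 - BHO: (no name) - {51FB4A2A-A3FE-4F0E-8AA9-271B62C09E3F} - C:\WINDOWS\system32\msdddr.dll
O4 - HKLM\..\Run: [bootService] rundll32.exe "C:\WINDOWS\fccbxw.dll",realset
O4 - HKLM\..\Run: [infoData] rundll32.exe "C:\WINDOWS\nnkhhe.dll",realset
O20 - Winlogon Notify: msdddr - C:\WINDOWS\SYSTEM32\msdddr.dll
""".strip().splitlines()

SECTION = re.compile(r"^(O\d+) - ")
DLL_PATH = re.compile(r'[A-Za-z]:\\[^"]+?\.dll', re.IGNORECASE)


def hooks_by_file(lines):
    """Map each referenced DLL (lower-cased path) to the sections that load it."""
    hooks = defaultdict(list)
    for line in lines:
        section = SECTION.match(line.strip())
        path = DLL_PATH.search(line)
        if section and path:
            hooks[path.group(0).lower()].append(section.group(1))
    return dict(hooks)


def report(hooks):
    """One line per file, naming every loader that references it."""
    out = []
    for path, sections in sorted(hooks.items()):
        loaders = "; ".join(LOADERS.get(s, s) for s in sections)
        out.append(f"{path}: {loaders}")
    return out


if __name__ == "__main__":
    print("\n".join(report(hooks_by_file(LOG))))
```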