I have recurring D2_.exe and af.exe infection on this W98SE system. A trojan also ruined my command.com and DOS terminal functionality, so I can’t even see what network connections are running.
Please REMOVE live links to infected files :o
This is not allowed in the forum…
Access denied means, generally, that the file is in use by another process (program) and cannot be repaired/cleaned/moved/handled by avast!
Please, schedule the Boot Time Scanning:
Click on the Menu button.
Choose Schedule Boot Time Scan.
Doing so displays a dialog allowing you to schedule virus scanning.
Check Archives, if you want to scan all the archives.
Specify whether all the disks or just a specific folder should be scanned.
Select Advanced options for scheduling details.
Select how to automatically process infected files.
Choose how to automatically process infected system files.
Click the Schedule button to confirm the settings.
Access denied means, generally, that the file is in use by another process (program) and cannot be repaired/cleaned/moved/handled by avast!
I get that. However, that is exactly what I need to do.
Click on the Menu button.
What ‘Menu button’? The Avast icon on my desktop starts a memory test, which AGAIN finds
rundll32.exe
and PDLL.dll
neither of which can be quarantined, moved, or renamed. Though I ran a complete C drive scan last night, this Win32:Tibs-ADO trojan virus is still on my system.
Click on the Menu button.
Choose Schedule Boot Time Scan.
Doing so displays a dialog allowing you to schedule virus scanning.
Okay, the 4.7 tool finally displayed, and I found the Menu button.
Schedule Boot Time Scan is greyed-out and cannot be selected.
As is ‘Status information’
‘Last scan results’
‘View scan reports’.
It’s puzzling that Avast software identifies the Trojan perfectly yet is unable to actually eliminate it. It keeps finding these over and over:
Stop memory scanning in order to get the avast skin (window).
If you want, you can schedule a boot time scanning just running:
C:\Program Files\ALWIL Software\Avast4\sched.exe /A:*
If a virus is replicant (coming and coming again), you should:
Boot scan is not available in win 98se. Boot to safe mode and scan from there. The section in Tech’s post regarding system restore does not apply either.
I cannot do
C:\Program Files\ALWIL Software\Avast4\sched.exe /A:*
…because one of these trojans ruined my ‘command’ executables, as I said in my first post… I can’t run a DOS window, and when I paste the statement above into the Run tool I get a persistent MMTASK error… the same one that comes up when I try to clear my windows/temp area.
This is a W98SE system and I didn’t get the Microsoft CDs when I bought it used… stupid, I know.
update - I see that boot scanning isn’t available in W98SE.
Safe mode scan? I’ll try it.
p.s. I am sorry to post live links to known bad files… fixed now.
Sorry… Oldman is correct, both boot time scanning and system restoration aren’t available for Windows 98.
I suggest that you add this HDD as a second (slave) in another computer with avast (better with Windows XP) and run a full avast scanning (or boot time scanning).
It will be good if in this second computer you have antitrojan applications installed.
At the download prompt, choose “Save”.
Navigate to the saved file and double-click the installer, HJTsetup.exe.
HijackThis will be installed on your computer at C:\Program Files\HijackThis, making an entry in the start menu and also providing a desktop shortcut.
When the installation is complete, exit HijackThis.
svchost.exe in C:\Windows and also in C:\Windows\System
renamed to .vir
rundll32.exe in C:\Windows and also in C:\
YES, and this is now preventing me from even running Add/Remove programs
pdll.dll in C:\Windows\System
Yes
d2_.exe and pack.exe anywhere on your computer
No, been deleted quite a few times, not on now
internat.exe in C:\Windows and also in C:\
No, been deleted quite a few times, not on now
You missed af.exe, which is also gone.
QUESTIONS:
I see mention of HiJackThis… this is not a browser hijacker. Confused.
Also… mention of using ‘Trojan removal’ software… call me confused again… Avast can identify the Trojan, but not remove it? Since when is an antivirus not also an antiTrojan?
Do I need to do a Safe Mode C drive scan or not?
Do I have to do HiJackThis AND one of the Trojan removers?
Did you rename it or was it renamed by the malware? Are both instances renamed?
Is it gone from both locations or is it still in C:
(If it’s in C:\ don’t delete it.)
No, it’s not a hijacker at all. It’s a tool that enumerates the running processes, registry keys etc that can help us find a solution to your problem. You can see what a hijackthis log looks like by looking at this thread
When you run the tool you will see options to “fix” things. Don’t do this right now - just generate and post the log. If it’s too long to post in one reply use two or more.
We may get to the safe mode scan but let’s put that off a little.
It would be a good idea to download and install A-Squared which is an antitrojan program. Get the free version here
You need this because although antivirus programs do offer protection from trojans and worms their specialty is protecting you from viruses. Antispyware programs are often better at finding trojans and worms. This is true of all antivirus programs - not just avast!
Before posting the hijackthis log please upload samples of any instance of rundll32.exe and internat.exe you have to Jotti for analysis
A lot of times when a file is in use it can’t be accessed by an av. That’s why a boot time scan is good to use. The scan runs before windows is loaded. Since you can’t do a boot time scan, a safe mode scan is an alternative, but not as good since windows loads first, with minimal drivers and applications. Hopefully the files you want to scan won’t be deemed necessary by windows and you will be able to scan them.
HijackThis isn’t just for hijacking. It is a powerful tool that analyses what is running on your system. HijackThis can identify the malware and an antitrojan program can be used for removal.
Since you are using 98se, I would suggest asquared. Again in safe mode.
If avast does find anything, please do not delete it, send it to the chest.
Posting your hijackthis log here in this thread will get a response. Follow the tutorial.
Follow mauserme’s instructions, my comments were just info for some of your questions.
I leave to work out of town for four days… however I did do one thing…
There is a link between Rundll32.exe and the Tibs-ADO virus.
I also suspect my Dial-Up Networking (I’m using Ethernet and DSL) because out of the blue I’d get occasional illegal TAPISERV messages, and that is the dialer telephony software, unused on this system. Tried to get into MODEM on the Control Panel, died with an illegal Rundll32.exe message - one that could not be gotten rid of.
When I search for rundll32.exe I find TWO files
C:\rundll32.exe size 21K creation date 1999
C:\Windows\Rundll32.exe size 131K creation date 12/2/2006
I booted with CTL and rather than launching into SAFE MODE I chose the DOS screen.
There I COPIED the C:\rundll32.exe onto the C:\Windows version and chose ‘Overwrite=Yes’.
Rebooted and things seem to be working - I can look at my dialer.
Of course there’s still that rotten PDLL.DLL hanging around… Did a FIND on it, right clicked, told Avast to look at it, virus found, move to Chest, WORKED.
Exactly where I was heading, Karl, though I thought it would have been a good idea to confirm C:\rundll32.exe was the clean file by scanning it at Jotti first. And quarantine is the best place for PDLL.DLL.
If you find C:\internat that’s probably also a clean copy of the infected original, although from the sound of things this may have been deleted completely.
When you’re back in town you will still need to take care of C:\Windows\svchost.exe (or .vir). This file properly belongs in the system folder but not the windows folder. You can quarantine C:\Windows\svchost.exe in that same manner you did PDLL.DLL
After that - run the safe mode scan with A-Squared, then post the hijackthis log.
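
The duplicate-file situation described in this thread (two copies of rundll32.exe with different sizes in different folders), as an added example that is not part of any post: a small Python check that walks a mounted drive and reports watched system file names that exist in more than one place with differing content. The watchlist names come from the thread; the function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

# File names mentioned in the thread; the check itself is name-agnostic.
WATCHLIST = {"rundll32.exe", "svchost.exe", "internat.exe"}

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_mismatched_copies(root, names=WATCHLIST):
    """Return {name: [(path, size, sha256), ...]} for watched names that
    occur more than once under root with differing content."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            key = fname.lower()  # Windows file names are case-insensitive
            if key in names:
                path = os.path.join(dirpath, fname)
                found.setdefault(key, []).append(
                    (path, os.path.getsize(path), sha256_of(path)))
    return {name: sorted(copies) for name, copies in found.items()
            if len({c[2] for c in copies}) > 1}

def build_sample_tree(root):
    """Constructed sample: byte counts stand in for the 21K / 131K copies."""
    os.makedirs(os.path.join(root, "Windows", "System"))
    samples = {
        "rundll32.exe": b"A" * 21,
        os.path.join("Windows", "Rundll32.exe"): b"B" * 131,
        os.path.join("Windows", "System", "internat.exe"): b"C" * 10,
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for name, copies in find_mismatched_copies(tmp).items():
            for path, size, digest in copies:
                print(name, size, digest[:16], os.path.relpath(path, tmp))
```

The check only shows that the copies differ; deciding which copy is clean still needs a scan of each file, as suggested in the thread.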