I have Windows XP and the file winjks32.dll is infected with Trojan.Abwiz. Symantec offers to repair it with FixAbwiz.exe, but nothing happens. For that reason I quit Norton and started to use Avast HOME Edition. It works perfectly, but I still have the infected file. Can somebody help me, please?
Are you saying avast can detect it but it keeps coming back?
Or are you saying avast doesn’t detect it?
What was the infected file’s location, where was it found, for example (C:\windows\system32\infected-file-name.xxx)?
A google search for winjks32.dll returns many hits mostly located in the C:\WINDOWS\SYSTEM32\ folder, but for a few different virus names.
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode: Ewido anti-spyware.
Hi Riqui,
You’ll find removal instructions here if Ewido doesn’t kill it:
http://www.pchelpforum.com/spyware-adware/19142-weird-infection.html#post125203
No I am not saying avast detect it, and recommend put in the Chest because can not repair.
The infected file’s location was (C:\windows\system32\winjks32.dll).
Thanks, I am going to try Ewido anti-spyware and let you know.
It’s a process injecting Trojan, so avast! may detect it but will not be able to remove it. Ewido can kill these process injecting Trojans, if it has the Trojan definition in its database, otherwise you will have to kill the injected dll’s before removing the startup entry and deleting the file as described in the link above.
Thanks FreewheelinFrank, I will do that at night; at present I am at work.
Trojans generally can’t be repaired (either by the VRDB or avast virus cleaner), because the entire content of the file is malware, so it is either move to chest or delete, move to the chest being the best option (first do no harm). When a file is in the chest it can’t do any harm and you can investigate the infected warning.
The VRDB only protects certain files, .exe, dll and other system files, it doesn’t protect data files or all files, it is not a back-up program, so there are going to be many occasions where repair won’t be an option.
Only true virus infection can be repaired, e.g. when a virus infects a file it adds a small part to it, provided that file is one that avast’s VRDB would monitor and you have run the VRDB, then it may be possible to repair the file to its uninfected state.
However, for the most part so called viruses, trojans (adware/spyware/malware, etc.) can’t be repaired because the complete content of the file is malicious.
Whilst browsing or collecting email, etc. if you get infected then the malware by default inherits the same permissions that you have for your user account. So if the user account has administrator rights, the malware has administrator rights and can wreak havoc. With limited rights the malware can’t put files in the system folders, create registry entries, etc. This greatly reduces the potential harm that can be done by an undetected or first day virus, etc.
Check out the link to DropMyRights (in my signature below) - Browsing the Web and Reading E-mail Safely as an Administrator. This obviously applies to those NT based OSes that have administrator settings, winNT, win2k, winXP.
Thanks a lot DavidR, excellent tips, I will do that.
By the way, you know what this Trojan was doing in the beginning? It was creating a dialer each time I connected to the Internet.
Regards,
No problem, welcome to the forums.
Some of the google searches for the file name and or the trojan name indicated this could also be a dialer, not a serious issue if you don’t have a dial-up connection or still have a dial-up modem connected.
SpywareBlaster: Don’t install this until you are clean. This is a passive tool that tries to block known malware including dialers, but as mentioned DON’T install until you’re clean.
DavidR, you’re 100% avast Evangelist. I have a lot to do tonight, and as soon as all is right you will know.
DavidR, this is the report after Ewido scanned my PC:
E:\Shared Documents\Downloads\Internet[DAP] Download Accelerator Plus v7.2.0.0. [multilanguage] + crack.rar/crack\DAP.exe → Adware.Dap : Cleaned with backup (quarantined).
E:\Shared Documents\Downloads\Internet[DAP] Download Accelerator Plus v7.2.0.0. [multilanguage] + crack\crack\DAP.exe → Adware.Dap : Cleaned with backup (quarantined).
C:\Program Files\Safety Bar → Adware.Generic : Cleaned with backup (quarantined).
C:\Program Files\Safety Bar\Uninstall.bat → Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID{052b12f7-86fa-4921-8482-26c42316b522} → Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID{873eb32d-ae1a-4183-89bd-45a77f761be4} → Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{873eb32d-ae1a-4183-89bd-45a77f761be4} → Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Safety Bar → Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-746137067-343818398-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats{873EB32D-AE1A-4183-89BD-45A77F761BE4} → Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winE1B.tmp.exe → Trojan.Dialer.pz : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\kernel32.dll → Trojan.Small : Cleaned with backup (quarantined).
As you can see, I have two drives, C and E, and in the scan Trojan.Abwiz is not reported. Well, what do you think? Could it have been removed, or is it in quarantine under another name?
Anyway, what next? The step that you suggested after it was cleaned by Ewido, right?
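An added example, not part of the original thread and not Ewido's own code: a small parser that triages report lines in the format posted above, separating file from registry detections and flagging registry entries under autostart locations, since a leftover startup entry is what the removal instructions say to clear before deleting the file. The report lines are copied from the post; the list of autostart key fragments and all function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Lines copied from the Ewido report posted in the thread above.
REPORT = r"""
C:\Program Files\Safety Bar\Uninstall.bat → Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects{873eb32d-ae1a-4183-89bd-45a77f761be4} → Adware.Generic : Cleaned with backup (quarantined).
C:\WINDOWS\Temp\winE1B.tmp.exe → Trojan.Dialer.pz : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\kernel32.dll → Trojan.Small : Cleaned with backup (quarantined).
"""

# Assumption: illustrative, non-exhaustive registry path fragments that
# load code at logon or at browser start.
AUTOSTART_HINTS = (
    r"\currentversion\run",
    r"\policies\explorer\run",
    r"\browser helper objects",
)

# "<location> → <detection name> : <action>."
LINE_RE = re.compile(
    r"^(?P<location>.+?)\s*(?:→|->)\s*(?P<name>\S+)\s*:\s*(?P<action>.+?)\.?$")
HIVE_RE = re.compile(r"^(HKLM|HKCU|HKU|HKCR|HKCC)\\", re.IGNORECASE)

def parse_report(text):
    """Return one dict per report line; lines not in the format are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        loc = m["location"]
        is_reg = bool(HIVE_RE.match(loc))
        entries.append({
            "location": loc,
            "detection": m["name"],
            "action": m["action"],
            "kind": "registry" if is_reg else "file",
            # Registry entries in autostart locations deserve a second look
            # after cleaning: they decide whether something runs again.
            "autostart": is_reg and any(h in loc.lower() for h in AUTOSTART_HINTS),
        })
    return entries

def summarize(entries):
    """Group parsed entries by detection name."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["detection"]].append(e)
    return dict(by_name)

if __name__ == "__main__":
    for e in parse_report(REPORT):
        flag = "  <-- autostart entry" if e["autostart"] else ""
        print(f'{e["kind"]:8} {e["detection"]:18} {e["location"]}{flag}')
```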
Ewido has cleaned up other issues other than the original file you reported as having been sent to the chest, to all intents no other AV or trojan hunter can examine the contents of the chest (it is a protected area), so perhaps that is why it wasn’t found.
Some of the other stuff cleaned may well have been restoring the original file (which in safe mode it shouldn’t be able to do).
After running Ewido you might want to check that link that FreewheelinFrank gave to the removal instructions here if Ewido doesn’t kill it, hopefully it shouldn’t find anything.
Then run an avast scan again then install and run AdAware then Spybot S&D, if after those nothing else is found install SpywareBlaster.
Good, DavidR. OK, I will continue with the target, but correct me if I am wrong: does all the stuff in quarantine stay there, or does it have to be deleted manually?
There is no rush to delete anything from the chest, they can’t do any harm there. Anything that you send to the chest you should leave there for a week or two. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.
FreewheelinFrank, today I was visiting your link to be ready to work at night, but you know, the location for Process Explorer by Sysinternals is out of service. Do you have another place?
Thanks
Yes, it is. One more question: does it need to be 32-bit or 64-bit, or doesn’t it matter?
Well I just paid a visit and it is in service http://www.sysinternals.com/Utilities/ProcessExplorer.html.
Yes, DavidR, it is in service, but my question is still without an answer: which one should I download, or does it not matter?
Would you believe they are all the same; the reason they use different links is so that they can keep track of download statistics for different platforms.
The second one, as you use winXP 32bit; see image.