Hello, I am here to request your help because I really do not know what to do.
This morning when I tried to launch Internet Explorer I got a message from my Avast 4.8 informing me that the file C:\Windows\System32\msqpdxssfxjkix.dll was infected with the malware Win32: Fasec32 [trj].
I tried clicking the ‘Delete’ button but immediately after confirming the deletion the same pop-up appeared, after deleting it about 4 times the browser launched. And this happens every time I try to launch IE or Firefox.
The recommended action is to ‘move to chest’, but after I click it I get a message saying that it couldn’t be done because the file was in use (probably because it’s a Windows file, I think).
Please download HijackThis from the link below. Do not download HJT to the desktop but instead download it into its own folder on the hard drive.
Run the program but do not make any fixes and then post the log results using the “copy & paste” method. It will probably take more than one post to be able to get the complete log posted.
OR, you can post it as an attachment to your post by clicking on “Additional Options…” below left of the posting box. Someone will review your log and then offer help.
If you have XP, Vista 32-bit or Win2k, you could enable a boot-time scan (it runs before Windows starts, so the file shouldn’t be in use). Right click the avast icon, select Start avast! Antivirus; a memory scan will take place followed by the opening of the Simple User Interface, then Menu, ‘Schedule boot-time scan…’. Or see http://www.digitalred.com/avast-boot-time.php.
The file name looks like a randomly generated one, common to a Vundo infection, so there are probably other things you need to fix, and HijackThis is an analysis tool that helps us to help you.
My dad and I found a way to delete it. Apparently it wasn’t that hard to get rid of it.
And I learned that it’s best to re-boot first. “A boot a day keeps the doctor away”.
You can lock this now.
You all seem like a great community, by the way; I’ll be sure to drop by more often.
If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall?
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
MalwareBytes Anti-Malware, on-demand only in the free version: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe. Right click on the link and select Save As or Save File As (depending on your browser) and save it to a location where you can find it easily later.
The boot-time scan has finished and it has found the infected file, which I ordered to be deleted. (Should I have moved it to the chest instead?)
The firewall that is running is Windows Firewall.
I have also noticed that the system and the browser are running slower. :-\
Hmm, HJT shows nothing, so we will take a two-pronged approach to this. First we will run a general purpose cleaner and then an analysis scan.
Please download Malwarebytes’ Anti-Malware from Here or Here
[*]Double click mbam-setup.exe to install the application.
[*]Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
[*]If an update is found, it will download and install the latest version.
[*]Once the program has loaded, select “Perform Quick Scan”, then click Scan.
[*]The scan may take some time to finish, so please be patient.
[*]When the scan is complete, click OK, then Show Results to view the results.
[*]Make sure that everything is checked, and click Remove Selected.
[*]When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
[*]The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
[*]Copy & paste the entire report in your next reply.
Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
[*]Disable any script blocking protection.
[*]Double click dds.scr to run the tool.
[*]When done, DDS.txt will open.
[*]Click Yes at the next prompt for Optional Scan.
[*]Save both reports to your desktop.
Please include the contents of the following in your next reply:
Deletion is never a good first option (you have none left), though in this case not a problem, but a bad habit to get into. ‘First do no harm’: don’t delete, send the virus to the chest and investigate.
Your firewall might not be doing you any favours as the Vista firewall has outbound protection disabled by default. Even when enabled it isn’t very friendly as it is rule based and you have to make the rules. Vista Firewall Control, check out this topic for some user friendly help for the Vista Firewall, Outbound protection, http://forum.avast.com/index.php?topic=30234.0
Work through the applications that essexboy has suggested posting/attaching any requested logs/files.
Thank you, I have downloaded Malwarebytes and did the scan, had 4 Trojans :o Deleted the new 3 easily, but the one that was causing me problems had to be deleted on reboot.
After the disinfection I did another scan and found nothing.
Log:
Malwarebytes’ Anti-Malware 1.31
Database version: 1597
Windows 6.0.6001 Service Pack 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) → Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
C:\resycled (Trojan.DNSChanger) → Quarantined and deleted successfully.
Files Infected:
C:\Windows\System32\msqpdxssfxjkix.dll (Trojan.TDSS) → Delete on reboot.
C:\Windows\System32\drivers\msqpdxeyvppreq.sys (Trojan.Agent) → Quarantined and deleted successfully.
I also downloaded DDS but (probably because of scripts) I couldn’t make it work.
Can someone tell me how to disable scripts that are blocking it, please.
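The MBAM log posted above is the kind of record a helper reads by eye; the following Python is an added example (not from the thread or from Malwarebytes) that parses that log format and pulls out the two facts the thread turns on: which item could not be removed live and was deferred to reboot, and that the locked DLL and the driver share the same randomly generated `msqpdx` name prefix, i.e. they are components of one infection. The log text is copied from the post (the post renders the arrow as `→`; real MBAM logs use `->`, and the parser accepts both). The regexes and the six-character prefix length are my assumptions, chosen to fit MBAM 1.x logs.

```python
import ntpath  # Windows path handling on any host
import re

# Log as posted in the thread above (MBAM 1.31, database 1597).
MBAM_LOG = r"""Malwarebytes' Anti-Malware 1.31
Database version: 1597
Windows 6.0.6001 Service Pack 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\videosoft (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\msqpdxssfxjkix.dll (Trojan.TDSS) -> Delete on reboot.
C:\Windows\System32\drivers\msqpdxeyvppreq.sys (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Assumed layout of an MBAM 1.x log: "<Section> Infected:" headers, then one
# "<path> (<family>) -> <action>." line per detection. Both arrow forms accepted.
SECTION_RE = re.compile(r"^(.+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) (?:->|→) (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return {section: [{'path','family','action'}, ...]} for an MBAM 1.x log."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
            continue
        if current is None or line.startswith("(No malicious items"):
            continue
        item = ITEM_RE.match(line)
        if item:
            sections[current].append(item.groupdict())
    return sections


def pending_reboot_items(sections):
    """Detections MBAM could not remove while Windows was running (file locked
    by a loaded module or driver), so removal is deferred to the next boot."""
    return [item for items in sections.values() for item in items
            if item["action"].lower().startswith("delete on reboot")]


def shared_name_prefixes(sections, length=6):
    """Group detected files by the first `length` characters of the basename.
    A shared, dictionary-free prefix across a DLL and a .sys driver marks
    components dropped together, so removing one without the other leaves the
    restorer in place (the 'it keeps coming back' symptom in the thread)."""
    groups = {}
    for item in sections.get("Files Infected", []):
        base = ntpath.basename(item["path"]).lower()
        groups.setdefault(base[:length], []).append(item["path"])
    return {prefix: paths for prefix, paths in groups.items() if len(paths) > 1}


if __name__ == "__main__":
    parsed = parse_mbam_log(MBAM_LOG)
    for item in pending_reboot_items(parsed):
        print("locked, deferred to reboot:", item["path"], item["family"])
    for prefix, paths in shared_name_prefixes(parsed).items():
        print("shared random prefix", repr(prefix), "->", paths)
```

Run stand-alone it reports the `msqpdxssfxjkix.dll` entry as the one deferred to reboot and lists the DLL and the `drivers\msqpdxeyvppreq.sys` driver under the shared `msqpdx` prefix; feeding it a later log from the same machine is a quick way to check whether the pair really is gone after the restart.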
[*]Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
[*]Double click on ComboFix.exe & follow the prompts.
[*]As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
[*]Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Ok, did that, the log is attached.
Some parts are in Portuguese, but you can probably figure it out. (?)
Also, as I shut down avast! antivirus, the following message popped up in the system tray: “The file or directory C:\Windows\inf\SMSvcHost 3.0.0.0 is corrupt and unreadable. Please run the Chkdsk utility.”
A few minutes later a similar message popped up.