RE GreyKnight Pre .. VirusRemover 2008 problem [Solved]



#121
fenzodahl512

  • Malware Removal
  • 9,863 posts
Do a fullscan with Dr.Web, then do below..


Please show hidden files and folders
Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\System32\digeste.dll
  • Click on the submit button
  • Please post the results in your next reply.
If Jotti server is too busy, please submit the file to VirusTotal instead.
  • 0



#122
dowsp

  • Topic Starter
  • Member
  • 543 posts
Hi Fenz

I should have informed you about this file, rather than expect you to open the attachment.. as it may have been infected... Apologies...!

C:\WINDOWS\System32\digeste.dll

The scans will take some time, so it will be after we have slept before I post everything.

Hopefully you now have a better understanding as to what has happened and what may have been the cause.

Maybe replacing the C:\WINDOWS\System32\digeste.dll file will resolve Avira to work again or resolve something...

cheers
  • 0

#123
fenzodahl512

  • Malware Removal
  • 9,863 posts
I didn't ask you to replace C:\WINDOWS\System32\digeste.dll

I asked you to scan it because it's most probably malware.. If you google digeste.dll you will find most of it stated it's a nasty..


Do Dr.Web, then do a scan with digeste.dll file via Jotti..

Post the report here.. Do you have Malwarebytes' installed on that computer? If yes, update it and do a fullscan with Malwarebytes' too.. Remove everything that Malwarebytes' found..


Post all logs here..

1. Dr. Web
2. Jotti report
3. Malwarebytes' (if you scan with it)

Edited by fenzodahl512, 16 March 2009 - 11:52 PM.

  • 0

#124
dowsp

  • Topic Starter
  • Member
  • 543 posts
Hi Fenz,

When Avira found the digeste.dll file it did not suggest it was a nasty, but I will take your word for it. Thanks for the warning!

I have had the DwWin bad image message appear a couple of times when I have been using the computer,
but I have not seen the similar Avira message reappear as yet.

I did do the Dr Web scan and it found a few viruses, but I don't think that they were anything serious and it said it deleted them....

It took a long time to do and unfortunately I did not get a log file and when I tried to restart the computer it froze up... I cannot recall if it was supposed to restart and create a log file without rechecking.

The Jotti Scan found nothing... I was surprised to see it included numerous software packages.

I just did the Malware scan and that seems to have found and deleted or quarantined the problem viruses,

including digeste.dll ....

Trojan agents and security hijack


I hope that this has done it !

I will post the log next.
  • 0

#125
dowsp

  • Topic Starter
  • Member
  • 543 posts
Here's the Malware log... some viruses need a reboot before they will be deleted.

-------------------------------------------


Malwarebytes' Anti-Malware 1.34
Database version: 1857
Windows 5.1.2600 Service Pack 2

18/03/2009 08:19:18
mbam-log-2009-03-18 (08-19-18).txt

Scan type: Quick Scan
Objects scanned: 66442
Time elapsed: 3 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 53
Registry Values Infected: 0
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCONSOL.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapsvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Navapw32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVNT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVWNT.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCAN32.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZONEALARM.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\filemon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regmon.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvMonitor.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.com (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASTask.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32X.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPF.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OllyDBG.EXE (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regtool.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\niu.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2SERVICE.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGUARD.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSCAN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CASECURITYCENTER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FAMEH32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVSERVER.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWIN.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSAV32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSGK32ST.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSMA32.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsserv.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwadins.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwebupw.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GFRing3.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digeste.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wpv551237070981.cpx (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\digeste.dll (Trojan.Agent) -> Quarantined and deleted successfully.
  • 0
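
An added example, not part of the original thread or any poster's code: a Python triage of a Malwarebytes' log in the layout posted above, which checks the listed detections against the summary counts, names the executables whose Image File Execution Options keys were flagged, and lists items still pending removal on reboot. The embedded sample is an abridged, constructed copy of that log, and the function names are this example's own.

```python
import re

# Abridged log in the Malwarebytes' 1.34 layout of the post above. Constructed
# for this example: lines are taken from that log, counts reduced to match.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.34
Scan type: Quick Scan

Registry Keys Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 2

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe (Security.Hijack) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders (Trojan.Agent) -> Data: digeste.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\SYSTEM32\wpv551237070981.cpx (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\digeste.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SUMMARY = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
HEADER = re.compile(r"^(?P<section>.+ Infected):$")
# "<path> (<Detection.Name>) -> [detail -> ] <action>."
ITEM = re.compile(r"^(?P<path>.+?) \((?P<name>[\w.]+)\) -> (?P<rest>.+)$")
IFEO = "\\Image File Execution Options\\"


def parse_mbam_log(text):
    """Return (declared summary counts, list of detection records)."""
    declared, items, section = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := SUMMARY.match(line):
            declared[m["section"]] = int(m["count"])
        elif m := HEADER.match(line):
            section = m["section"]
        elif section and (m := ITEM.match(line)):
            action = m["rest"].split(" -> ")[-1].rstrip(".")
            items.append({"section": section, "path": m["path"],
                          "name": m["name"], "action": action})
    return declared, items


def count_mismatches(declared, items):
    """Sections whose listed items differ from the summary (truncated paste)."""
    listed = {}
    for item in items:
        listed[item["section"]] = listed.get(item["section"], 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in declared.items()
            if n != listed.get(s, 0)}


def ifeo_targets(items):
    """Executable names whose IFEO key was flagged, lower-cased and sorted."""
    return sorted({i["path"].split(IFEO, 1)[1].lower()
                   for i in items if IFEO in i["path"]})


def pending_reboot(items):
    """Paths the scanner could not remove until the next reboot."""
    return [i["path"] for i in items if "reboot" in i["action"].lower()]


if __name__ == "__main__":
    declared, items = parse_mbam_log(SAMPLE_LOG)
    print("count mismatches:", count_mismatches(declared, items))
    print("tools with flagged IFEO keys:", ifeo_targets(items))
    print("still pending reboot:", pending_reboot(items))
```

A non-empty `pending_reboot` result means removal is not finished until the machine has restarted and been rescanned.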

#126
dowsp

  • Topic Starter
  • Member
  • 543 posts
I just restarted my computer, and I tried to open up Avira, but it still will not open up.

The last Malware scan was a quick one..

I will try and do a full scan later.

I may also try a Dr Web again if I've time..
  • 0

#127
fenzodahl512

  • Malware Removal
  • 9,863 posts
Ok..

Also, give me the link to your website.. You can pm me if you don't want others to know..

Edited by fenzodahl512, 17 March 2009 - 03:19 AM.

  • 0

#128
dowsp

  • Topic Starter
  • Member
  • 543 posts
Hi Fenz,

I will send you my website link.

I hope however that you do NOT get the same problems as me or do any damage to your PC.

I would rather you tell me how you will be able to avoid getting it before you open it..

I can see that the Malware scan claims to have deleted or quarantined the digeste.dll file, BUT I am not sure if the DWWin.exe is also something that should have been shown on the log.



Files Infected:
C:\WINDOWS\SYSTEM32\MSINET.oca (Rogue.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\wpv551237070981.cpx (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\digeste.dll (Trojan.Agent) -> Quarantined and deleted successfully.

Edited by dowsp, 17 March 2009 - 11:00 AM.

  • 0

#129
dowsp

  • Topic Starter
  • Member
  • 543 posts
Hi Fenz,

I was going to do another Dr Web and Jotti scan.

This message may not be necessary now, but just out of interest for the future or if anyone else follows it.

Yesterday I thought that somehow I had updated it. BUT I see from the info you gave me that in actual fact I should have deleted the old version first.

I MAY have redownloaded a new version without deleting the old one.. I cannot be sure...

Maybe I thought that it automatically updated.

Anyway I cannot see how to delete the old version via control panel add and remove programs or in start.. all programmes... I cannot see any uninstall option.

Do I just delete the icon on desktop? Or if I redownload will a new version override the old one?




-------------------------
Also when I showed hidden files following the Major Geeks instruction for Windows XP..

It says

Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide extensions for known file types option.
Uncheck the Hide protected operating system files (recommended) option.
Click yes to confirm that you really want to do this.

I could not see where I was supposed to click YES! so I clicked apply / ok

I hope this was correct or that it no longer matters from my last scan


-----------------
Please show hidden files and folders
Jotti File Submission:

http://forums.majorg...ead.php?t=74220

Windows XP
Right Click Start.
Select Explore
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide extensions for known file types option.
Uncheck the Hide protected operating system files (recommended) option.
Click yes to confirm that you really want to do this.
Click Apply.
Click OK.




Please go to Jotti's malware scan
Copy and paste the following file path into the "File to upload & scan" box on the top of the page:


C:\WINDOWS\System32\digeste.dll


-----------------------



Now, do this first..

Delete any Dr.Web CureIt that you have in the computer..


Please download Dr.Web CureIt to the Desktop:

Please reboot into Safe Mode
Once you are in Safe Mode, double-click the launch.exe or cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, please do a re-scan.. This time, choose Complete Scan
Click the green arrow button at the right, and the scan will start.
After the scan finished, click Select all
Click on Cure and choose Move incurable
When the scan has finished, in the menu, click File and choose Save report list
Save the report to your Desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit. Reboot your PC in Normal Mode, and post DrWeb.csv in your next reply (Open it as Notepad)
  • 0

#130
dowsp

  • Topic Starter
  • Member
  • 543 posts
Hi Fenz

Just to confirm

I did a FULL Dr Web scan... It found some further viruses and deleted /cured some.

I sent the Log to you by PM.

Thks
  • 0



#131
fenzodahl512

  • Malware Removal
  • 9,863 posts
Sorry for my late reply.. I will be very busy until next Tuesday.. Got lots of assignments and things to do.. Perhaps I can only be online once a day..

Anyhow, I still haven't gone to the link yet, but there's an interesting find..

I receive this warning when I try to get into the link

"This site may harm your computer."

So.. I just quit.. Maybe I'll try it tonight..

Dr.Web seems good to me..

Let's uninstall >> reboot >> reinstall Avira and then do a fullscan with your Avira.. Just repair/remove everything that it found and tell me more about it..

If you are still unable to run Avira, just uninstall it again >> reboot the computer >> Go below and do an online scan with CA antivirus..

http://www.ca.com/US...sinfo/scan.aspx

You will need Internet Explorer for that...
  • 0

#132
dowsp

  • Topic Starter
  • Member
  • 543 posts
Hi Fenz,

If you are busy, there is no rush.

The computer seems to be running OK.

It is a bit of a mystery as to why Avira will not work.

I uninstalled it, rebooted and reinstalled it... and unfortunately it still will not work.

I tried the online scan.... initially it had to download ActiveX, but I could not get the scan to work.

I don't know if it's the virus somehow preventing various antiviruses from working or just some other problem.

I don't really know!
  • 0

#133
dowsp

  • Topic Starter
  • Member
  • 543 posts
Hi fenz

I wondered if by any chance the reason Avira will not work may be because when I set up SDfix some days ago and it was running, it could not complete its scan because a message came up saying that there was not enough disc space on my machine.

When I start up my computer in normal mode SDfix is still running or trying to until I close it.

I was aware my Hard drive was close to full and I forgot to make some further disc space.

I have now moved some files ( 4 gigs worth) to my external drive.

After I have done this and rebooted, the SDfix opens up.

I wonder if I need to let this complete its scan in normal mode now it has been loaded to my machine and if this may make a difference. I wonder if Maybe it has been causing some sort of conflict with Avira.


As I was not able to let SDfix complete its scan when I first loaded it from Safemode... ( it later restarted into Normal mode) , at the moment when I turn my computer on in normal mode, the process appears.

I just wonder even after a few days after It was loaded and started the process if I still need to let it complete its process...

It's hard for me to tell if it's still working through the process or if it's stalled, as you say it takes a long time for it to go through the process.

I will try it again and allow it maybe an hour to see if it moves forward in the scan.

IF NOT then maybe I need to delete it and reinstall it again and try it again.

I just wondered if you had any thoughts on it !

Thanks

Dowsp
  • 0

#134
dowsp

  • Topic Starter
  • Member
  • 543 posts
I reacted too soon after making the extra space on my machine.

Prior to making the space, every time I booted my computer in normal mode
the SDfix programme was open and trying to run (Big Blue screen)

It even appeared again the first time I rebooted my machine in normal mode after
I had made more disc space available, which was when I just wrote to you.

I just rebooted it again and NOW it's not showing.... I am not sure why, as prior to this I had not given SDfix much time to complete its scan (unless it had done so and I did not think it had). I did not see any messages or logs appear though!..

So I am not sure what to make of it or IF I should do a scan again in normal mode.

I also wondered if maybe the extra disc space may have affected Avira.

Unfortunately It Still has not as yet !
  • 0

#135
fenzodahl512

  • Malware Removal
  • 9,863 posts
Most likely the computer just got new infection.. Do below...


Download DDS by sUBs and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    • DDS.txt
    • Attach.txt
  • Save both reports to your Desktop and post them in your next reply

  • 0





