Jump to content

dbghlp.dll included in FileZilla 2.5.1


Recommended Posts

Hi Maniac,

Thank you for the help.

I tried to follow the instructions but :

If I do run mbam.exe /developer I can't do the same check (right click on a single folder)

The Quick Scan doesn't check (or detect, I don't know) the dll (as already said)

I didn't try a full scan in developer mode

If I do run mbam.exe /developer "C:\Program Files\FileZilla" the file is not detected as infected

This seems very strange to me ... What can I do ? Isn't it easier to send you the dll ?

Did you see anything else in my logs ?

Pulsar33

Link to post
Share on other sites

Hi All,

Before starting a new thread, can somebody tell me what is this :

S3 pfsvgae;pfsvgae;\??\c:\docume~1\erick\locals~1\temp\pfsvgae.sys --> c:\docume~1\erick\locals~1\temp\pfsvgae.sys [?]

Today, after computer restart, I don't find such a file in this folder ... :)

Regards

Pulsar33

Link to post
Share on other sites

Hi Maniac,

The dll isn't malicious according to the result of the analisis.

If locals~1\temp\pfsvgae.sys is something bad, it is for sure not linked to the dbghlp.dll

In the meantime, I've used the Sophos AntiRootKit 1.5.4 and it didn't find any hidden element.

So, according to this and all the logs above and attached, what can you say about my PC ?

Regards

Pulsar33

Link to post
Share on other sites

The dll isn't malicious according to the result of the analisis.

I know, the problem is that was detected by our heurestics. They're new and need more testing, you know .... every beginning is difficult.

Thanks a lot! :lol:

Now:

Step 1

Please, uninstall the following applications:

  1. Adobe Acrobat 5.0

You can read, how to do this here:

Step 2

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

In your next reply, please include these log(s):

  1. Malwarebytes' Anti-Malware log
  2. a new fresh DDS log only

Link to post
Share on other sites

Hi Maniac,

Acrobat 5 was removed but the uninstall procedure said : 'C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx' is in use. Unable to delete 'C:\Program Files\Adobe' and sub folders. I've deleted the folders after reboot

As said at the top of this thread, MBAM doesn't find anything in Quick Scan mode (see log below). The dbghlp.dll file distributed with FileZilla is not detected anymore on right click scan ( FP solved in new database )

On the other hand, as said last time, before removing acrobat, I've used the Sophos AntiRootKit 1.5.4 and it didn't find any hidden element. I've installed IceSword too and taken the Modules and the Process logs.

However, in the new DDS log, I can see once more :

S3 pfsvgae;pfsvgae;\??\c:\docume~1\erick\locals~1\temp\pfsvgae.sys --> c:\docume~1\erick\locals~1\temp\pfsvgae.sys [?]

and I can see a new strange line :

R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\9.tmp --> c:\windows\system32\9.tmp [?]

I can't see these two files either in Explorer or under IceSword

Moreover, I experienced a black screen reboot ( not BSOD ) using IceSword File menu to open C:\Windows

After reboot, I was able to access to C:\Windows under IceSword.

I've seen that MEMSWEEP.sys is part of the Sophos distribution.

Is there "something fighting" against the tools I install ?

Last point : I can't use Sophos anymore has it seems to need acrobat to open the file sarman.pdf at launch.

Strange behaviour, and I need acrobat too, but this is another question for later.

Hope you find what you need to help me in that.

Thank you

Pulsar33

MBAM log

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Version de la base de donn

Link to post
Share on other sites

On the other hand, as said last time, before removing acrobat, I've used the Sophos AntiRootKit 1.5.4 and it didn't find any hidden element. I've installed IceSword too and taken the Modules and the Process logs.

Stop for a moment.... You'll not install and do anything that is not described in my instructions until we finish.

I see this line in your MBAM log:

Malwarebytes' Anti-Malware 1.45

Your program version is old, the current version is 1.46 , so:

Temporarily disable your Anti-Virus and other security software while installing and running.

Windows XP:

  • Click on Start and select Control Panel
  • Open Add/Remove Programs
  • Uninstall Malwarebytes' Anti-Malware
  • Restart your computer very important
  • Download and run mbam-clean.exe from here
  • It will ask to restart your computer, please allow it to do so very important
  • After the computer restarts, temporarily disable your Anti-Virus and install the latest version of Malwarebytes' Anti-Malware from here
    • Note: You will need to reactivate the program using the license you were sent via email if using the Pro version
    • Launch the program and set the Protection and Registration. Then go to the UPDATE tab if not done during installation and check for updates.
      Restart the computer again and verify that MBAM is in the task tray if using the Pro version. Now setup any file exclusions as may be required in your Anti-Virus/Internet-Security/Firewall applications and restart your Anti-Virus/Internet-Security applications. You may use the guides posted in the FAQ's here or post to ask and we'll explain how to do it.

Next:

  • Launch Malwarebytes' Anti-Malware
  • Go to "Update" tab and select "Check for Updates". If an update is found, it will download and install the latest version.
  • Go to "Scanner" tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

Link to post
Share on other sites

**Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

Please download ComboFix from

Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Open Tools -> Options -> Main tab
    • Set to Always ask me where to Save the files.

[*]During the download, rename Combofix to Combo-Fix as follows:

CF_download_FF.gif

CF_download_rename.gif

[*]It is important you rename Combofix during the download, but not after.

[*]Please do not rename Combofix to other names, but only to the one indicated.

[*]Close any open browsers.

[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

[*]Double click on combo-Fix.exe & follow the prompts.

[*]When finished, it will produce a report for you.

[*]Please post the C:\Combo-Fix.txt for further review.

**Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**

Link to post
Share on other sites

Hi Maniac,

The job is done. Please, see the report below.

The main questions I have are :

- why did combifix desactivate winpcap which is necessary for wireshark lookup and survey ?

- is there real threats on my PC and if yes, what did they do ?

Hope you can explain me.

Best regards

Pulsar33

ComboFix 10-08-12.03 - Erick 13/08/2010 20:37:50.1.1 - x86

Microsoft Windows XP Professionnel 5.1.2600.1.1252.33.1036.18.511.277 [GMT 2:00]

Lanc

Link to post
Share on other sites

Recovery console installed

Boot Console => BSOD ( tried 2 times ) UNMOUNTABLE_BOOT_VOLUME

STOP 0x000000ED ( 0x823167B8, 0xC000014F, 0x00000000, 0x00000000 )

And it seems that I can't remove the Console tool :D

However, the boot volume IS correct => Boot XP OK

And if needed, the Recovery Console works wth "R" command on Windows CD (tested)

But to do what ?

Best regards

Pulsar33

Link to post
Share on other sites

1. No, it's not.

2. It's legitimate.

3. Will be removed.

Open Notepad and copy and paste the text in the code box below into it:

Driver::
pfsvgae

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Link to post
Share on other sites

We have a serious problem. It seems that the missing two important system file:

c:\windows\System32\wscntfy.exe

c:\windows\System32\xmlprov.dll

One of them can't be replaced, because there are three system files that are modified and maybe they prevent this happening.

c:\windows\system32\mspmsnsv.dll

c:\windows\system32\d3d9.dll

c:\windows\LastGood\System32\d3d9.dll

Une copie infect
Link to post
Share on other sites

  • 5 weeks later...
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.