Ewido always finds pptp16.dll but doesn't fix it

Discussion in 'ewido anti-spyware forum' started by jeanbaptiste, Mar 2, 2006.

Thread Status:
Not open for further replies.
  1. jeanbaptiste

    jeanbaptiste Registered Member

    Joined:
    Mar 2, 2006
    Posts:
    3
    Hello,

    I've just installed Ewido, because I was seriously infected.
    Now, I've got 2 problems, but I don't know if they are linked:

    1) Some of my applications won't launch: nothing happens. But if I do "right click -> compatibility -> win98", most of them can be launched (it's very strange, they were working very well yesterday). Also, some of my icons within applications are replaced by black squares, and I can't turn on the auto-protect function of Norton Antivirus (error 4002,516).


    2) On the other side, each time (or nearly) I click somewhere, Ewido finds an infected file "pptp16.dll" in system32 (infection: backdoor.haxdoor.gz). I always choose Clean (hem, "Nettoyer" in the French version), but the alert always pops up again. I've never found this file in system32, only as a key in the registry (winNT/winlogon).

    These 2 problems came at the same time, but solving one won't solve the other. Is Ewido's behavior normal? Why doesn't it fix the problem?

    Thank you for your help

    jeanbaptiste
    (WinXP SP2, sempron 3000+)
     
  2. Don Pelotas

    Don Pelotas Registered Member

    Joined:
    Jun 29, 2004
    Posts:
    2,257
    1. You could try running the System File Checker (sfc.exe), this will scan all protected Windows files to verify their versions have not been overwritten or damaged, and if so will replace the compromised version with a fresh copy.

    To run it, click Start/Run and type 'sfc.exe /scannow' (without the quotes but with the space between the 'e' and the '/').

    Alternatively, you can click start/Run and type in CMD and click O.K., when the black window opens type in "sfc /scannow".

    You will need to insert your Windows CD into the drive to enable sfc to effect the repair. Sfc.exe will just stop with no sign other than the status bar disappearing!

    2. You have to open "Explorer", go to "Tools" > "Folder Options" > "View" and check "Show hidden files and folders", click "Apply" and "Ok", to see the file.:)
     
  3. jeanbaptiste

    jeanbaptiste Registered Member

    Joined:
    Mar 2, 2006
    Posts:
    3
    Thank you for your answer

    1. I will try when I find a Windows CD (my Windows is on the Acer Recovery CD :mad: )
    (well, actually I've tried, but at nearly 70% I'm asked to insert the CD.) (Is that evidence that my files are corrupted?) (When Windows asks me "Windows can ask you later to insert a CD. Do you really want to ignore the file?", I click "Yes" until the end.)

    2. My hidden and system files are always displayed. The file pptp16.dll is not present in system32, but when I try to create another file named pptp16.dll, I get a message saying that it already exists.
    However, I have this file quarantined 40 times by Ewido; is there a way to export one?

    JB
     
  4. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Maybe it is being hidden by rootkit techniques, so is not visible in Explorer? If the .dll is loaded into Winlogon, that would explain why ewido keeps finding it but cannot get rid of it - you cannot delete a file that is being used by the system at the time, and you cannot terminate Winlogon to delete the module without crashing Windows.:(

    Since you have the filepath, perhaps you could try deleting pptp16.dll on reboot by using Pocket Killbox; though it might not work since it would need to close all the handles and unload the .dll all simultaneously - it's worth a try though!
    If you cannot enable Norton's auto protect feature you effectively have no AV.:'( Perhaps you can uninstall Norton and replace it with a good alternative - AntiVir is surprisingly good at cleaning infected machines (you would have to scan in safe mode of course - and that applies to ewido scans as well). You could also try an online scan at Housecall (see Don's sigs).;)

    Else you are looking at submitting a HJT log to a spyware removal forum.:eek:
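    The symptom described in this thread is a Winlogon registry reference to a DLL that a directory listing does not show. The PowerShell script below is an added example, not code from the thread or from ewido; it lists the DLLs referenced under the Winlogon Notify subkeys and in the Userinit and Shell values, and for each one reports whether the file is visible to a forced directory listing and to a direct existence check. A registry entry whose file is absent from both is worth investigating with a scan from safe mode or a boot CD, since a rootkit that filters the file-system API will hide the file from both checks equally. The key and value names are the standard Windows XP ones; everything else (function names, output format) is this example's own.

```powershell
# Added example (not from the thread): cross-check Winlogon DLL references
# against what the file system is willing to show.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Resolve-RefPath {
    param([string]$Name)
    # Bare names in Notify entries load from System32; Shell/Userinit entries
    # may live directly under the Windows directory (explorer.exe).
    if ([System.IO.Path]::IsPathRooted($Name)) { return $Name }
    $candidates = @(
        (Join-Path $env:SystemRoot "System32\$Name"),
        (Join-Path $env:SystemRoot $Name)
    )
    foreach ($c in $candidates) {
        if ([System.IO.File]::Exists($c)) { return $c }
    }
    return $candidates[0]
}

function Test-FileVisibility {
    param([string]$Path)
    $dir  = Split-Path $Path -Parent
    $leaf = Split-Path $Path -Leaf
    # -Force includes hidden and system files, so an honest listing shows them.
    $listed = @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -ieq $leaf }).Count -gt 0
    $exists = [System.IO.File]::Exists($Path)
    [pscustomobject]@{
        Path        = $Path
        InListing   = $listed
        FileExists  = $exists
        # A file the API admits exists but the listing omits (or vice versa)
        # is the kind of inconsistency a hiding technique produces.
        Discrepancy = ($exists -ne $listed)
    }
}

$entries = @()

# Winlogon\Notify\<subkey>\DllName: each subkey names a DLL Winlogon loads.
$notifyKey = Join-Path $winlogon 'Notify'
if (Test-Path $notifyKey) {
    Get-ChildItem $notifyKey | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DllName
        if ($dll) {
            $entries += [pscustomobject]@{ Source = "Notify\$($_.PSChildName)"; Ref = $dll }
        }
    }
}

# Userinit and Shell hold comma-separated lists; a trailing comma is normal.
$props = Get-ItemProperty $winlogon
foreach ($v in 'Userinit', 'Shell') {
    if ($props.$v) {
        foreach ($item in ($props.$v -split ',')) {
            $item = $item.Trim()
            if ($item) { $entries += [pscustomobject]@{ Source = $v; Ref = $item } }
        }
    }
}

foreach ($e in $entries) {
    $r = Test-FileVisibility (Resolve-RefPath $e.Ref)
    $flag = if ($r.Discrepancy -or -not $r.FileExists) { 'CHECK' } else { 'ok' }
    '{0,-6} {1,-24} {2}  exists={3} listed={4}' -f $flag, $e.Source, $r.Path, $r.FileExists, $r.InListing
}
```

    Run it from an elevated PowerShell prompt on the affected machine. Lines flagged CHECK are either a reference to a file neither check can see (the thread's pptp16.dll case) or a file that one check sees and the other does not; both are signals to confirm from outside the running system rather than conclusions on their own.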
     
  5. jeanbaptiste

    jeanbaptiste Registered Member

    Joined:
    Mar 2, 2006
    Posts:
    3
    Thank you.

    I think I deleted the pptp16.dll with the method from http://castlecops.com/p723340-Even_tried_DOS.html, using Avenger.
    It no longer appears in the HijackThis log.

    However, to be sure, I tried to create a file called pptp16.dll in system32. This worked, so it means that pptp16.dll was really deleted. But instantly, this new file disappeared! As if Explorer wouldn't show any file called pptp16.dll. I also have strange things, like the impossibility to display the Windows Firewall, the impossibility to activate the Norton auto-protect, the impossibility to reconnect to a LAN (I'm writing from another computer) (Windows always says that a cable is unplugged, although it is plugged in).

    But these things are not linked to Ewido, which has not alerted me again.

    Thank you for your answers

    Bye

    jb
     