Author Topic: confused about file (Read 46509 times)

cnnashman · « **on:** January 31, 2013, 04:30:30 pm »

Hi Shane, i ran your all in one windows repair because i finally was given the green light my Majorgeeks that my computer was malware free. A certain file keeps popping up and i'm not positive why this is not being fixed in your program , it's called msdt.exe and supposedly it's a critical windows system file.

It never came up or showed itself after i used your program in the past so what do you think it is and how do i fix it. I should say i left the repair wmi and repair windows firewall unchecked in my most recent repair because it makes the anti virus unnoticed in action center and i find that annoying even though i can uncheck the box.

Thanks

Shane · « **Reply #1 on:** January 31, 2013, 04:46:09 pm »

The program doesn't replace or delete any files, thats why I have the system file checker in some of the first steps

You say that msdt.exe keeps pooping up. We should check to see if somehow it is in one of your startup locations.

The file is Diagnostics Troubleshooting Wizard, and is normally only opened when you click on something in Windows to trouble shoot.

Can you post a screen shot of it when it pops up?

Shane

cnnashman · « **Reply #2 on:** January 31, 2013, 06:14:53 pm »

Ok here is the screenshot, when i click it on the following shows up. "C:\Windows\system32\sdclt.exe"\UIMODE\SHOW

Shane · « **Reply #3 on:** January 31, 2013, 06:18:03 pm »

Quote

when i click it on the following shows up

When you click on what?

Shane

cnnashman · « **Reply #4 on:** January 31, 2013, 07:23:54 pm »

Oops sorry, when i click on the more info box regarding backing up and making restore points.

Shane · « **Reply #5 on:** February 01, 2013, 10:00:11 am »

OK so Diagnostics Troubleshooting Wizard only comes up when you click more info?

What about system restore, if you go and open it directly do you have it open there as well?

I was under the impression the Diagnostics Troubleshooting Wizard was opening by itself every time you started windows

Shane

cnnashman · « **Reply #6 on:** February 01, 2013, 10:28:33 am »

OK, yes the TDW only comes up when i click more info . When i clicked on system restore i got this pop up (do you want to make changes from an unknown publisher ) and here is what it says (rstrui.exe)

One odd thing is when i want more info on something like a certain file the computer automatically goes to the windows media center page.

Regarding your question about the diagnostic windows tool opening and popping up when going to windows , no it doesn't do that, it does that only when i click on certain files.

I think i'm missing certain files or something because i am seeing this file called winsxs/temp/pending renames when i do a scan.

Shane · « **Reply #7 on:** February 01, 2013, 11:07:06 am »

Quote

When i clicked on system restore i got this pop up (do you want to make changes from an unknown publisher ) and here is what it says (rstrui.exe)

Something isnt right, have you done a system file check on the system yet?

Also just to be sure your system is clean have you ran tdsskiller.exe, combofix.exe and malwarebytes anti root kit on the system yet?

Shane

cnnashman · « **Reply #8 on:** February 01, 2013, 11:12:21 am »

I have run Tdsskiller a few different times and it found nothing , i have run Malwarebytes and it's rootkit scan and it also came up with nothing. Majorgeeks had me run MG tools and i posted a log and one guy said he saw no malware , but i don't know for sure.

Maybe i need to run the Combofix

Shane · « **Reply #9 on:** February 01, 2013, 11:15:17 am »

http://www.bleepingcomputer.com/download/combofix/

Turn off your antivirus when you use it. I use combofix as the last tool in case the others dont find anything.

Shane

cnnashman · « **Reply #10 on:** February 01, 2013, 10:05:56 pm »

Thanks Shane, i will run it.

cnnashman · « **Reply #11 on:** February 02, 2013, 01:52:37 pm »

Shane where does it tell me what files are suspicious or what would be the next step. I included the file

Thanks

Shane · « **Reply #12 on:** February 02, 2013, 05:23:51 pm »

It did see something, you will notice by the bull crap names that these are bad files

R0 mjvhhu;mjvhhu;

R0 ovanvq;ovanvq;

R0 pefxbo;pefxbo;

R0 ssuhop;ssuhop;

But the question is are those files gone and where are they if they are not?

Shane

cnnashman · « **Reply #13 on:** February 02, 2013, 06:37:40 pm »

Thank you, i will figure it out eventually.

Shane · « **Reply #14 on:** February 02, 2013, 10:01:14 pm »

Is everything else working ok? If not then a repair install would be the next best thing, you will keep all your programs and settings but Windows will get reinstalled.

http://www.sevenforums.com/tutorials/3413-repair-install.html

And since you have Windows 7 with SP1 you will need a disk of Windows 7 with SP1 already on it, if you dont have one you can grab an image here

http://en.community.dell.com/support-forums/software-os/w/microsoft_os/3316.2-1-microsoft-windows-7-official-iso-download-links-digital-river.aspx

Shane

cnnashman · « **Reply #15 on:** February 03, 2013, 08:13:10 pm »

Thanks Shane, i really appreciate it and yes, i am spreading the word about your site and have been since i first experienced it. Once i find work i plan on donating as well.

Thanks again

NoWhereMan · « **Reply #16 on:** February 06, 2013, 11:31:04 pm »

msdt.exe - Trojan W32.Tilebot-BQ
[A quick search of the issue yielded this result]

Combofix 'should have gotten it', but; you can try the Sophos tool:
--
Virus Removal Tool Free virus detection and removal Removes viruses, spyware, rootkits and fake antivirus
100% free! Totally, absolutely, completely
Supports Windows XP, Vista and 7
Works alongside your existing antivirus
--

===========
W32/Tilebot-BQ is a worm and IRC backdoor Trojan for the Windows platform.

W32/Tilebot-BQ spreads to other network computers by exploiting common buffer overflow vulnerabilities, including: PNP (MS05-039), ASN.1 (MS04-007), and RPC-DCOM (MS04-012), and by copying itself to network shares and Microsoft SQL servers protected by weak passwords.

W32/Tilebot-BQ runs continuously in the background, providing a backdoor server which allows a remote intruder to gain access and control over the computer via IRC channels.

W32/Tilebot-BQ includes functionality to access the internet and communicate with a remote server via HTTP.

When first run W32/Tilebot-BQ copies itself to <Windows>\msdt.exe.
===========
hth

chris635 · « **Reply #17 on:** February 07, 2013, 03:00:26 am »

According to what you have listed, it looks like maybe a trojan. Download this.

http://superantispyware.com/index.html

Just download the portable version (the personal edition is free), that way you don't have to install it, all you have to do is run it (create a system restore first).

Superantispyware is really good at removing trojans (usually). Then you may want to run malewarebytes (use the free version, you will install this one) for good measure.

http://www.malwarebytes.org/

Which antivirus are you running?

Shane, what are your thoughts on this?

Chris

chris635 · « **Reply #18 on:** February 07, 2013, 03:09:33 am »

Oops sorry guys

. I read the post wrong and you two are on top of it. I need sleep bad

lol Hope I maybe could have helped. So I'll stop making a fool of myself and just go to bed now.

Chris

Shane · « **Reply #19 on:** February 07, 2013, 03:04:16 pm »

You guys are doing good with it, so didnt think I need to post yet

Shane

cnnashman · « **Reply #20 on:** February 20, 2013, 03:27:05 pm »

I have tried to remedy this heur Trojan which i got from a reimage program (has nothing to do with Shane's programs) and i got help from Majorgeeks and Bleeping computer but they are telling me they don't see any malware.

This reimage program continues to pop up on my screen enticing me to click it on . Anti virus programs are finding nothing but i suspect my computer is being controlled remotely at times because the hard drive is always going full bore etc...

Any other ideas guys, very much appreciated.

Shane · « **Reply #21 on:** February 20, 2013, 05:20:28 pm »

Did you try the anti rootkit by malwarebytes yet?

http://www.malwarebytes.org/products/mbar/

Shane

cnnashman · « **Reply #22 on:** February 20, 2013, 06:22:11 pm »

Yes, on numerous occasions, i don't think there is a rootkit remover/antivirus/on demand scanner i have not tried at this point. I am thinking the best thing to do is purchase a recovery disk from my laptops manufacturer (asus) model U56E and reinstall windows because i have even started from scratch a few times by using the partitions without success in ridding it.

My laptop didn't come with the disks unfortunately, and i didn't make them as i should have . I wish i didn't have to purchase them because i have been out of work for a long long time but i will have to if it's needed to correct this.

Do you think this is a good option? Thanks a lot

Shane · « **Reply #23 on:** February 21, 2013, 09:33:32 am »

Dont do a factory restore, instead just do a repair install like I said in an earlier post. I even gave you a link to get a windows 7 disk downloaded and a guide on how to do a repair install

Quote

Is everything else working ok? If not then a repair install would be the next best thing, you will keep all your programs and settings but Windows will get reinstalled.

http://www.sevenforums.com/tutorials/3413-repair-install.html

And since you have Windows 7 with SP1 you will need a disk of Windows 7 with SP1 already on it, if you dont have one you can grab an image here
http://en.community.dell.com/support-forums/software-os/w/microsoft_os/3316.2-1-microsoft-windows-7-official-iso-download-links-digital-river.aspx

Shane

cnnashman · « **Reply #24 on:** February 21, 2013, 11:13:07 am »

Awesome, thanks Shane, your the best.