
Trojan-SaturnYes detected on Webroot Spy Sweeper



#1 sayulita

Posted 19 February 2010 - 01:33 PM

My most recent Webroot Spy Sweeper scan detected "Trojan-SaturnYes". It is only quarantined, not removed.

Is this a problem?

I have tried to search the forums here for any information, and I have extensively searched the internet, and have found no information on this Trojan, just an insignificant brief mention.

I have the most recent update of Webroot Spy Sweeper, retail version.
My operating system is Windows XP overlay, from Dell, it is basically Vista from what I can figure, with some sort of XP interface.

About a week ago, while I had an online game running and was browsing the internet, I got an alert that I was infected with Internet Security 2010, and an alert for Trojan-SaturnYes. I used this site to remove Internet Security 2010, thank you! I thought that the Trojan-SaturnYes was gone with it.

I have not noticed any difference in performance, but I did get a notice yesterday that Firefox needed to update, and then two or three popup notices that Firefox needed to update plugins. The Firefox update did not give me a choice to update, it automatically updated. When the popups to update addons came up, I declined all three. I am using AVG Anti-Virus Free, current update, which has a "total protection" AVG Search Shield.

I am probably omitting something, but will gladly supply any other information needed.

Thanks in advance.

Say

Edited by sayulita, 19 February 2010 - 01:38 PM.




#2 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 19 February 2010 - 04:25 PM

When an anti-virus or security program quarantines a file by renaming and moving it into a virus vault (chest) or a dedicated quarantine folder, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. One reason for doing this is to prevent deletion of a crucial file that may have been flagged as a "false positive", especially if the scanner uses heuristic analysis technology. Heuristics is the ability of a scanning program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware, which allows the anti-virus to detect and stop it before doing any harm to your system. The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as suspicious or infected. If that is the case, then you can restore the file and add it to the exclusion or ignore list. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the quarantined file is known to be malicious, you can delete it at any time.

Keep in mind, however, that if these files are left in quarantine, other scanning programs and security tools may flag them as a threat while in the quarantined area so don't be alarmed if you see such an alert. Just delete the quarantined items after confirming they are malware and subsequent scans should no longer detect them.

"The Firefox update did not give me a choice to update, it automatically updated."

By default Firefox checks for three different updates (Firefox, Installed Add-ons and Search Engines) when launching the program. To turn off automatic updates, go to Tools > Options > Advanced > Update tab and uncheck "Automatically check for updates to Firefox", then click Ok. If you don't want Firefox to check for updates to Add-ons or Search Engines, then uncheck those boxes as well.

Some sites may try to install Add-ons to your browser. For added security, go to Tools > Options > Security tab and put a check next to "Warn me when sites try to install add-ons", then click Ok.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#3 sayulita (Topic Starter)

Posted 19 February 2010 - 07:31 PM

Thanks for the heads up on turning off automatic update. I do not usually use automatic update, it may have defaulted to that in an update. Automatic update is off now.

I understand that when some problem is quarantined that it is supposed to be disabled and thus cause no harm to one's computer. However, when I got the first malware, Internet Security 2010, along with Trojan-SaturnYes, I was alerted by Spy Sweeper as soon as I got it, and was told that Spy Sweeper quarantined them, but Internet Security 2010 almost completely disabled my computer, throwing up its own desktop, alternating between three different colour backgrounds, not to mention disabling Task Manager along with a host of other complaints. It seems that the quarantine was not effective.

I followed the instruction on this website to remove Internet Security 2010 using Malwarebytes' Anti-Malware. Thank goodness.

NOW, however, I am having more problems.

Since I wrote earlier today asking about Trojan-SaturnYes, I have had a few popups warning of an infection by Trojan Hiloti.V, specifically C:\WINDOWS\ikiruyaxu.dll.

The first popups came when I started up Firefox, and went to type in a website.

"Resident Shield alert" with the AVG logo in the top left hand corner
then an announcement that I had Trojan Hiloti.V
then another screen with a list of C:\WINDOWS\ikiruyaxu.dll listed four times to be removed.

I tried to remove the files, thinking it was AVG, and it just sat there, saying all parts of files cannot be removed.

I ran Spy Sweeper, it showed some cookies as usual, and Trojan-SaturnYes ... I quarantined all files again. I then tried to send a notice to Spy Sweeper through their interface, notifying them of Trojan-SaturnYes, and asking if they had any further info on it ....

blue screen on attempting to send the message and had to restart my computer.

this popup message on restart -

RUNDLL
C:\WINDOWS\ikiruyaxu.dll

and something about this file has been corrupted, but I don't remember the exact wording.

Forgot to add before: another popup notified me that there was some virus/malware something; the box came up and was gone too quickly. The problem file was noted as -
C:\Documents and Settings\[username]\Local Settings\Temporary Internet Files\Content.IE5\6LCOEFN\get[1].htm

It seems that there is something more going on here.

Any suggestions as to what I do next?

Edited by sayulita, 19 February 2010 - 07:46 PM.


#4 sayulita (Topic Starter)

Posted 20 February 2010 - 03:45 AM

bump

#5 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 20 February 2010 - 08:44 AM

Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) save it to your Desktop. <-Important!!!
Be sure to print out and follow the instructions provided on that same page for performing a scan.
  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop. (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Go to Start > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • Click OK.
  • If malicious services or files have been detected, the utility will prompt to reboot the computer in order to complete the disinfection procedure. Please reboot when prompted.
  • A log file named TDSSKiller.txt should have been created and saved to the root directory (usually C:\TDSSKiller.txt).
  • Copy and paste the contents of that report in your next reply.


#6 sayulita (Topic Starter)

Posted 21 February 2010 - 12:08 PM

12:03:52:154 4940 TDSS rootkit removing tool 2.2.4 Feb 15 2010 19:38:31
12:03:52:154 4940 ================================================================================
12:03:52:154 4940 SystemInfo:

12:03:52:154 4940 OS Version: 5.1.2600 ServicePack: 3.0
12:03:52:154 4940 Product type: Workstation
12:03:52:154 4940 ComputerName: LAKSHMI
12:03:52:154 4940 UserName: J Khat O'Brien
12:03:52:154 4940 Windows directory: C:\WINDOWS
12:03:52:154 4940 Processor architecture: Intel x86
12:03:52:154 4940 Number of processors: 2
12:03:52:154 4940 Page size: 0x1000
12:03:52:154 4940 Boot type: Normal boot
12:03:52:154 4940 ================================================================================
12:03:52:169 4940 UnloadDriverW: NtUnloadDriver error 2
12:03:52:169 4940 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
12:03:52:248 4940 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
12:03:52:263 4940 UtilityInit: KLMD drop and load success
12:03:52:263 4940 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
12:03:52:263 4940 UtilityInit: KLMD open success
12:03:52:263 4940 UtilityInit: Initialize success
12:03:52:263 4940
12:03:52:263 4940 Scanning Services ...
12:03:52:263 4940 CreateRegParser: Registry parser init started
12:03:52:263 4940 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
12:03:52:263 4940 CreateRegParser: DisableWow64Redirection error
12:03:52:263 4940 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
12:03:52:263 4940 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
12:03:52:263 4940 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:03:52:263 4940 wfopen_ex: Trying to KLMD file open
12:03:52:263 4940 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
12:03:52:263 4940 wfopen_ex: File opened ok (Flags 2)
12:03:52:263 4940 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 3B4BE8
12:03:52:263 4940 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
12:03:52:263 4940 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
12:03:52:263 4940 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
12:03:52:263 4940 wfopen_ex: Trying to KLMD file open
12:03:52:263 4940 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
12:03:52:263 4940 wfopen_ex: File opened ok (Flags 2)
12:03:52:263 4940 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 3B4AD8
12:03:52:263 4940 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
12:03:52:263 4940 CreateRegParser: EnableWow64Redirection error
12:03:52:263 4940 CreateRegParser: RegParser init completed
12:03:52:388 4940 GetAdvancedServicesInfo: Raw services enum returned 344 services
12:03:52:388 4940 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
12:03:52:388 4940 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
12:03:52:388 4940
12:03:52:388 4940 Scanning Kernel memory ...
12:03:52:388 4940 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
12:03:52:388 4940 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8AE747B8
12:03:52:388 4940 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
12:03:52:388 4940
12:03:52:388 4940 DetectCureTDL3: DEVICE_OBJECT: 8ADC78A0
12:03:52:388 4940 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ADC78A0
12:03:52:388 4940 KLMD_ReadMem: Trying to ReadMemory 0x8ADC78A0[0x38]
12:03:52:388 4940 DetectCureTDL3: DRIVER_OBJECT: 8AE747B8
12:03:52:388 4940 KLMD_ReadMem: Trying to ReadMemory 0x8AE747B8[0xA8]
12:03:52:388 4940 KLMD_ReadMem: Trying to ReadMemory 0xE1014A30[0x18]
12:03:52:388 4940 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_CREATE : BA8EEBB0
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_CLOSE : BA8EEBB0
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_READ : BA8E8D1F
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_WRITE : BA8E8D1F
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F4562
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F4562
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F4562
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_SET_EA : 804F4562
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA8E92E2
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F4562
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA8E93BB
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA8ECF28
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA8E92E2
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F4562
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_CLEANUP : 804F4562
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F4562
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F4562
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F4562
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_POWER : BA8EAC82
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA8EF99E
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F4562
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F4562
12:03:52:388 4940 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F4562
12:03:52:388 4940 TDL3_FileDetect: Processing driver: Disk
12:03:52:388 4940 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
12:03:52:388 4940 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
12:03:52:419 4940 TDL3_FileDetect: Processing driver: Disk
12:03:52:419 4940 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
12:03:52:419 4940 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
12:03:52:419 4940 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
12:03:52:419 4940
12:03:52:419 4940 DetectCureTDL3: DEVICE_OBJECT: 8ADC7C68
12:03:52:419 4940 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ADC7C68
12:03:52:419 4940 KLMD_ReadMem: Trying to ReadMemory 0x8ADC7C68[0x38]
12:03:52:419 4940 DetectCureTDL3: DRIVER_OBJECT: 8AE747B8
12:03:52:419 4940 KLMD_ReadMem: Trying to ReadMemory 0x8AE747B8[0xA8]
12:03:52:419 4940 KLMD_ReadMem: Trying to ReadMemory 0xE1014A30[0x18]
12:03:52:419 4940 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_CREATE : BA8EEBB0
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_CLOSE : BA8EEBB0
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_READ : BA8E8D1F
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_WRITE : BA8E8D1F
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F4562
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F4562
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F4562
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_SET_EA : 804F4562
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA8E92E2
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F4562
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA8E93BB
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA8ECF28
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA8E92E2
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F4562
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_CLEANUP : 804F4562
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F4562
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F4562
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F4562
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_POWER : BA8EAC82
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA8EF99E
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F4562
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F4562
12:03:52:419 4940 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F4562
12:03:52:419 4940 TDL3_FileDetect: Processing driver: Disk
12:03:52:419 4940 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
12:03:52:419 4940 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
12:03:52:435 4940 TDL3_FileDetect: Processing driver: Disk
12:03:52:435 4940 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
12:03:52:435 4940 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
12:03:52:435 4940 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
12:03:52:435 4940
12:03:52:435 4940 DetectCureTDL3: DEVICE_OBJECT: 8ADC7030
12:03:52:435 4940 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ADC7030
12:03:52:435 4940 KLMD_ReadMem: Trying to ReadMemory 0x8ADC7030[0x38]
12:03:52:435 4940 DetectCureTDL3: DRIVER_OBJECT: 8AE747B8
12:03:52:435 4940 KLMD_ReadMem: Trying to ReadMemory 0x8AE747B8[0xA8]
12:03:52:435 4940 KLMD_ReadMem: Trying to ReadMemory 0xE1014A30[0x18]
12:03:52:435 4940 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_CREATE : BA8EEBB0
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_CLOSE : BA8EEBB0
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_READ : BA8E8D1F
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_WRITE : BA8E8D1F
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_SET_EA : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : BA8E92E2
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA8E93BB
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA8ECF28
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_SHUTDOWN : BA8E92E2
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_CLEANUP : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_POWER : BA8EAC82
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA8EF99E
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F4562
12:03:52:435 4940 TDL3_FileDetect: Processing driver: Disk
12:03:52:435 4940 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
12:03:52:435 4940 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
12:03:52:435 4940 TDL3_FileDetect: Processing driver: Disk
12:03:52:435 4940 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
12:03:52:435 4940 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
12:03:52:435 4940 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
12:03:52:435 4940
12:03:52:435 4940 DetectCureTDL3: DEVICE_OBJECT: 8AE74148
12:03:52:435 4940 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AE74148
12:03:52:435 4940 DetectCureTDL3: DEVICE_OBJECT: 8ADC8F18
12:03:52:435 4940 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8ADC8F18
12:03:52:435 4940 DetectCureTDL3: DEVICE_OBJECT: 8AE5F030
12:03:52:435 4940 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8AE5F030
12:03:52:435 4940 KLMD_ReadMem: Trying to ReadMemory 0x8AE5F030[0x38]
12:03:52:435 4940 DetectCureTDL3: DRIVER_OBJECT: 8AE60670
12:03:52:435 4940 KLMD_ReadMem: Trying to ReadMemory 0x8AE60670[0xA8]
12:03:52:435 4940 KLMD_ReadMem: Trying to ReadMemory 0xE190A2E8[0x1A]
12:03:52:435 4940 DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvgts, Driver Name: nvgts
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_CREATE : BA65844C
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_CREATE_NAMED_PIPE : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_CLOSE : BA65844C
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_READ : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_WRITE : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_QUERY_INFORMATION : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_SET_INFORMATION : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_QUERY_EA : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_SET_EA : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_FLUSH_BUFFERS : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_DIRECTORY_CONTROL : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_DEVICE_CONTROL : BA65844C
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_INTERNAL_DEVICE_CONTROL : BA65844C
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_SHUTDOWN : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_LOCK_CONTROL : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_CLEANUP : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_CREATE_MAILSLOT : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_QUERY_SECURITY : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_SET_SECURITY : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_POWER : BA65844C
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_SYSTEM_CONTROL : BA65844C
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_DEVICE_CHANGE : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_QUERY_QUOTA : 804F4562
12:03:52:435 4940 DetectCureTDL3: IRP_MJ_SET_QUOTA : 804F4562
12:03:52:435 4940 TDL3_FileDetect: Processing driver: nvgts
12:03:52:435 4940 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\nvgts.sys
12:03:52:435 4940 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\nvgts.sys
12:03:52:466 4940 KLMD_ReadMem: Trying to ReadMemory 0xBA65B40E[0x400]
12:03:52:466 4940 TDL3_StartIoHookDetect: CheckParameters: 1, BA65F17C, 0
12:03:52:466 4940 TDL3_FileDetect: Processing driver: nvgts
12:03:52:466 4940 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\nvgts.sys
12:03:52:466 4940 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\nvgts.sys
12:03:52:466 4940 TDL3_FileDetect: C:\WINDOWS\system32\drivers\nvgts.sys - Verdict: Clean
12:03:52:466 4940
12:03:52:466 4940 Completed
12:03:52:466 4940
12:03:52:466 4940 Results:
12:03:52:466 4940 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
12:03:52:466 4940 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:03:52:466 4940 File objects infected / cured / cured on reboot: 0 / 0 / 0
12:03:52:466 4940
12:03:52:466 4940 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
12:03:52:466 4940 UtilityDeinit: KLMD(ARK) unloaded successfully

#7 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 21 February 2010 - 03:22 PM

Now rescan again with Malwarebytes Anti-Malware, but this time perform a Full Scan in normal mode and check all items found for removal. Don't forget to check for database definition updates through the program's interface (preferable method) before scanning and to reboot afterwards. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. When done, click the Logs tab and copy/paste the contents of the new report in your next reply.

#8 sayulita (Topic Starter)

Posted 22 February 2010 - 02:17 PM

I downloaded a new copy of Malwarebytes, as that was recommended in the last malware removal that I performed, as the app had to be altered in order for it to perform properly. I checked for updates, then ran the full scan.

Malwarebytes found:
vendor: Rootkit.Agent
category: Registry Key
Items: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\asc3550p

I chose to remove it, but when it prompted me to restart, I didn't. I misread your instructions, but then I did restart the machine right after that.

When the machine restarted, I got a popup error notice:

RUNDLL
Error loading C:\WINDOWS\ikiruyaxu.dll
The specified module could not be found.
(and a place to check OK, which I did not do, nor have I yet closed it.)

Find the log from the scan below:

Malwarebytes' Anti-Malware 1.44
Database version: 3776
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/22/2010 1:54:15 PM
mbam-log-2010-02-22 (13-54-15).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 214251
Time elapsed: 35 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\asc3550p (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#9 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 22 February 2010 - 02:53 PM

It's not unusual to receive such an error(s) when "booting up" after using anti-virus and other security scanning tools to remove a malware infection.

RunDLL32.exe is a legitimate Windows file that executes/loads .dll (Dynamic Link Library) modules, which too can be legitimate or sometimes malware related. A RunDLL "Error loading..." or "specified module could not be found" message usually occurs when the .dll file(s) that was set to run at startup in the registry has been deleted. Windows is trying to load this file(s) but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry still remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.
  • Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Open the folder and double-click on autoruns.exe to launch it.
  • Please be patient as it scans and populates the entries.
  • When done scanning, it will say Ready at the bottom.
  • Scroll through the list and look for a startup entry related to the file(s) in the error message.
  • If found, right-click on the entry and choose delete.
  • Reboot your computer and see if the startup error returns.

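The post above explains why the RunDLL error appears: a startup entry in the registry still points at a .dll that the scanner already removed. The script below is an added example, not part of the thread and not something quietman7 or Malwarebytes provides, that does the same lookup Autoruns does by hand: it walks the machine and user Run/RunOnce keys, extracts the file each command actually loads (for rundll32 commands, the module named before the comma), and lists entries whose target no longer exists on disk. It only reports; it deletes nothing, so you can review the list before removing an entry with Autoruns. It assumes Windows PowerShell 3 or later; the function and variable names are mine.

```powershell
# Added example: read-only audit of Run/RunOnce keys for orphaned startup
# entries (command lines whose target file is missing), the situation that
# produces "RUNDLL - Error loading C:\...\x.dll - The specified module could
# not be found" after a cleanup. Nothing is modified.

function Get-StartupCommandTarget {
    # Return the file a startup command line loads. For rundll32 the loaded
    # module is the first argument (up to the comma before the entry point);
    # for anything else it is the executable itself.
    param([Parameter(Mandatory = $true)][string]$CommandLine)

    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())

    # First token: a quoted path, or everything up to the first space.
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -lt 0) { return $cmd.Trim('"') }
        $exe  = $cmd.Substring(1, $end - 1)
        $rest = $cmd.Substring($end + 1).Trim()
    } else {
        $parts = $cmd -split '\s+', 2
        $exe  = $parts[0]
        $rest = if ($parts.Count -gt 1) { $parts[1] } else { '' }
    }

    if ([IO.Path]::GetFileName($exe) -match '^rundll32(\.exe)?$' -and $rest) {
        # Module argument: quoted, or up to the first comma or space.
        if ($rest.StartsWith('"')) {
            $end = $rest.IndexOf('"', 1)
            if ($end -lt 0) { return $rest.Trim('"') }
            return $rest.Substring(1, $end - 1)
        }
        return ($rest -split '[,\s]', 2)[0]
    }
    return $exe
}

function Get-OrphanedStartupEntry {
    # Walk the Run/RunOnce keys for the machine and the current user and
    # return every entry whose target file cannot be found.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Provider metadata that Get-ItemProperty adds; not real values.
    $skip = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($skip -contains $p.Name) { continue }
            $target = Get-StartupCommandTarget -CommandLine ([string]$p.Value)
            # A bare file name is resolved through PATH by Windows, so treat
            # it as present when Get-Command can locate it.
            $exists = if ([IO.Path]::IsPathRooted($target)) {
                Test-Path -LiteralPath $target
            } else {
                [bool](Get-Command $target -ErrorAction SilentlyContinue)
            }
            if (-not $exists) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $p.Name
                    Command = $p.Value
                    Target  = $target
                }
            }
        }
    }
}

# Constructed sample, using the file name from this thread, to show how a
# rundll32 startup command is reduced to the module it loads:
Get-StartupCommandTarget -CommandLine 'rundll32.exe C:\WINDOWS\ikiruyaxu.dll,Startup'

# Live audit of this machine's Run/RunOnce keys:
Get-OrphanedStartupEntry | Format-Table -AutoSize
```

The audit covers only the four Run/RunOnce keys; Autoruns also inspects services, Winlogon, scheduled tasks and many other load points, which is why the post above still recommends it for finding and deleting the entry. A hit in this list is a candidate for review, not proof of malware: a legitimate program that was uninstalled carelessly leaves exactly the same orphan.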

#10 sayulita (Topic Starter)

Posted 10 March 2010 - 04:03 AM

Sorry for such a delay in replying.

I did follow your instructions and the alert did not reappear. Thanks so much for your excellent help and instructions.

#11 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 10 March 2010 - 08:52 AM

You're welcome.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run... and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

#12 sayulita (Topic Starter)

Posted 12 March 2010 - 01:54 PM

I had thought that this topic would be closed, and opened a new topic, as I have a new, more complex situation going on. The topic # is 301633. I tried to create a link, but cannot figure out how to do that.

I don't know if I should wait till I get an answer on that topic, or do what you have recommended that I do.

I have done nothing since creating the new topic and running the scans, as recommended in the guide.



