Infected computer at work...


16 replies to this topic

#1 Mosca

Posted 05 April 2010 - 11:33 AM

Hello, friends @ bleepingcomputer.com,

A friend at work got infected about a month ago; Malwarebytes and Superantispyware do a clean and remove, in safe mode with system restore disabled, but it pops up again. Where it sits currently, AVG Free comes up after a scan with "win32Patched.cg" infected and white-listed.

Any help would be appreciated, as this is beyond my knowledge to fix.

Edited to add, XP Pro, SP3.

Thanks,

Tom

Edited by Mosca, 05 April 2010 - 12:17 PM.



#2 quietman7 (Global Moderator)

Posted 06 April 2010 - 08:14 AM

IMPORTANT NOTE: Since you say this is a work computer, you need to contact and advise your IT Department. In most work environments, the IT staff implement specific policies and procedures for the use of computer equipment and related resources. In fact, many companies will require you to read those policies and sign a statement of understanding. These official procedures are designed and implemented to provide security and certain restrictions to protect the network. This allows all users to safely use business resources with minimum risk of malware infection, illegal software, and exposure to inappropriate Internet sites or other prohibited activity. We will not assist with attempts to circumvent those policies or security measures.

Our forums are set up to help the home computer user deal with issues and questions relating to personal computers. We are not equipped to involve ourselves in any legal issues that may arise due to loss of business data and loss of revenue as a result of malware infection or the disinfection process which in some instances require reformatting and reinstallation of the operating system. Further, most helpers are not familiar with Servers and many of the tools we use are restricted to non-commercial use by their creators.

A business IT staff generally has established procedures in place to deal with issues and infections on client machines on the network. As such, they may not approve of employees seeking help at an online forum or outside the business office as doing so could interfere or cause problems with their removal methods. Further, the malware you are dealing with may have infected the network. If that's the case, the IT Department needs to be advised right away so they can take the appropriate measures.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Mosca (Topic Starter)

Posted 06 April 2010 - 08:25 AM

Well...

We don't have an IT department; I'm as close as it gets. If this were a "general discussion" section, I could rant in print at length about how I've tried to get permission to purchase a corporate license for Kaspersky and install it on the computers, but it isn't, so I won't. Instead, we have a whole lot of desktops and laptops that are pretty much used just like home computers, not networked together but standing alone. Infections are dealt with case by case... so here we are.


Thank you regardless for taking the time to consider my request. I appreciate your position, and I'll deal with it as best I can.

Edited by Mosca, 06 April 2010 - 12:13 PM.


#4 quietman7 (Global Moderator)

Posted 06 April 2010 - 08:35 AM

Please post the results of your last MBAM scan for review (even if nothing was found).

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\Logs


Did AVG provide a specific file name associated with the malware threat(s) detected and, if so, where is it located (full file path) on your system?

Each security vendor uses its own naming conventions to identify various types of malware, so it's difficult to determine exactly what has been detected or the nature of the infection without knowing more about the actual file(s) involved. See Understanding virus names.

#5 Mosca (Topic Starter)

Posted 06 April 2010 - 09:23 AM

Thank you!
Most recent MWB scan:


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 6.0.2900.5512

4/3/2010 9:55:08 AM
mbam-log-2010-04-03 (09-55-08).txt

Scan type: Full scan (C:\|)
Objects scanned: 19792
Time elapsed: 19 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

For the AVG,

On 04/05, Resident Shield: (this entry appears 3 times, one after the other)

Virus Identified: Win32/Patched.CG Object: C:\Windows\system32\drivers\atapi.sys Result: Object is whitelisted (critical system file that should not be removed)


In addition to the information requested, I have set this computer to run automatic scans of AVG Free (since I can't pry loose the funds for the full strength stuff). On 04/06,

Virus identified: Trojan horse Generic17.ARXA Object: C:\WINDOWS\Temp.wyxgul.exe Result: Moved to virus vault
Virus identified: Trojan horse Generic17.ARXA Object: C:\WINDOWS\Temp.efkxxw.exe Result: Moved to virus vault



To access this site from the infected computer, I have to enter the address into the URL bar; if I try to go through a search engine, something called DNS Safe Search gets very upset. I haven't figured out how to get rid of that, or where it comes from.

Edited by Mosca, 06 April 2010 - 09:26 AM.


#6 quietman7 (Global Moderator)

Posted 06 April 2010 - 09:40 AM

The AVG results indicate atapi.sys is probably infected as a result of a TDL3/TDSS infection. TDL3 is the third generation of TDSS which uses rootkit technology to hide itself on a system by infecting drivers like atapi.sys, iastor.sys and a few others. Atapi.sys is a common target for this rootkit because it loads early during the boot process and is difficult to detect. Common symptoms/signs of this infection include:
  • Google and browser redirection as TDL3 modifies DNS query results.
  • Slowness of the computer and poor performance.
  • BSODs that occur immediately after XP splash screen appears.
  • Infected (patched) atapi.sys and iastor.sys.
For more specific analysis and explanation of the infection, please refer to:

Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
Be sure to print out and follow the instructions provided on that same page for performing a scan or refer to these instructions.
  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop. (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Go to Start > Run..., then type or copy and paste everything in the code box below into the Open dialogue box:

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  • Click OK.
  • If any TDSS variants are found, TDSSKiller will advise what has been detected.
  • It will then prompt you to type delete into the screen. Type delete and press Enter.
  • You will be prompted to reboot the computer to finish the cleaning process. When prompted to reboot, press the Y key and press Enter.
  • If not prompted, reboot manually.
  • A log file named TDSSKiller.txt should have been created and saved to the root directory (usually C:\TDSSKiller.txt).
  • Copy and paste the contents of that report in your next reply.
Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.

#7 Mosca (Topic Starter)

Posted 06 April 2010 - 09:59 AM

Hmmm. TDSSKiller found the infection, didn't ask for the "delete" but did prompt the reboot; the reboot is hung up on the "Logging off" screen. I want to force the reboot by interrupting the power supply, but I don't want to do it before getting confirmation to do so from my guide.

(Hung up as in really, really hung up, going on 20 minutes.)

Edit: Ah. Patience, grasshopper. I just heard the Windows chime; something is happening. Slowly, but happening.

Edit @ 45 minutes after running TDSSKiller: Nope; still hung on reboot, after TDSS Killer.

Edited by Mosca, 06 April 2010 - 10:40 AM.


#8 Mosca (Topic Starter)

Posted 06 April 2010 - 10:55 AM

Here is the TDSS Killer log file:

10:49:26:984 1532 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
10:49:26:984 1532 ================================================================================
10:49:26:984 1532 SystemInfo:

10:49:26:984 1532 OS Version: 5.1.2600 ServicePack: 3.0
10:49:26:984 1532 Product type: Workstation
10:49:26:984 1532 ComputerName: DDWHBQH1
10:49:26:984 1532 UserName: Nationwide Sales1
10:49:26:984 1532 Windows directory: C:\WINDOWS
10:49:26:984 1532 Processor architecture: Intel x86
10:49:26:984 1532 Number of processors: 2
10:49:26:984 1532 Page size: 0x1000
10:49:26:984 1532 Boot type: Normal boot
10:49:26:984 1532 ================================================================================
10:49:27:000 1532 UnloadDriverW: NtUnloadDriver error 2
10:49:27:000 1532 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
10:49:27:078 1532 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
10:49:27:078 1532 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:49:27:078 1532 wfopen_ex: Trying to KLMD file open
10:49:27:078 1532 wfopen_ex: File opened ok (Flags 2)
10:49:27:078 1532 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
10:49:27:093 1532 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:49:27:093 1532 wfopen_ex: Trying to KLMD file open
10:49:27:093 1532 wfopen_ex: File opened ok (Flags 2)
10:49:27:093 1532 Initialize success
10:49:27:093 1532
10:49:27:093 1532 Scanning Services ...
10:49:27:703 1532 Raw services enum returned 363 services
10:49:27:718 1532
10:49:27:718 1532 Scanning Kernel memory ...
10:49:27:718 1532 Devices to scan: 3
10:49:27:718 1532
10:49:27:718 1532 Driver Name: Disk
10:49:27:718 1532 IRP_MJ_CREATE : BA0EEBB0
10:49:27:718 1532 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
10:49:27:718 1532 IRP_MJ_CLOSE : BA0EEBB0
10:49:27:718 1532 IRP_MJ_READ : BA0E8D1F
10:49:27:718 1532 IRP_MJ_WRITE : BA0E8D1F
10:49:27:718 1532 IRP_MJ_QUERY_INFORMATION : 804F4562
10:49:27:718 1532 IRP_MJ_SET_INFORMATION : 804F4562
10:49:27:718 1532 IRP_MJ_QUERY_EA : 804F4562
10:49:27:718 1532 IRP_MJ_SET_EA : 804F4562
10:49:27:718 1532 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
10:49:27:718 1532 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
10:49:27:718 1532 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
10:49:27:718 1532 IRP_MJ_DIRECTORY_CONTROL : 804F4562
10:49:27:718 1532 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
10:49:27:718 1532 IRP_MJ_DEVICE_CONTROL : BA0E93BB
10:49:27:718 1532 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
10:49:27:718 1532 IRP_MJ_SHUTDOWN : BA0E92E2
10:49:27:718 1532 IRP_MJ_LOCK_CONTROL : 804F4562
10:49:27:718 1532 IRP_MJ_CLEANUP : 804F4562
10:49:27:718 1532 IRP_MJ_CREATE_MAILSLOT : 804F4562
10:49:27:718 1532 IRP_MJ_QUERY_SECURITY : 804F4562
10:49:27:718 1532 IRP_MJ_SET_SECURITY : 804F4562
10:49:27:718 1532 IRP_MJ_POWER : BA0EAC82
10:49:27:718 1532 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
10:49:27:718 1532 IRP_MJ_DEVICE_CHANGE : 804F4562
10:49:27:718 1532 IRP_MJ_QUERY_QUOTA : 804F4562
10:49:27:718 1532 IRP_MJ_SET_QUOTA : 804F4562
10:49:27:734 1532 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
10:49:27:734 1532
10:49:27:734 1532 Driver Name: Disk
10:49:27:734 1532 IRP_MJ_CREATE : BA0EEBB0
10:49:27:734 1532 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
10:49:27:734 1532 IRP_MJ_CLOSE : BA0EEBB0
10:49:27:734 1532 IRP_MJ_READ : BA0E8D1F
10:49:27:734 1532 IRP_MJ_WRITE : BA0E8D1F
10:49:27:734 1532 IRP_MJ_QUERY_INFORMATION : 804F4562
10:49:27:734 1532 IRP_MJ_SET_INFORMATION : 804F4562
10:49:27:734 1532 IRP_MJ_QUERY_EA : 804F4562
10:49:27:734 1532 IRP_MJ_SET_EA : 804F4562
10:49:27:734 1532 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
10:49:27:734 1532 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
10:49:27:734 1532 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
10:49:27:734 1532 IRP_MJ_DIRECTORY_CONTROL : 804F4562
10:49:27:734 1532 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
10:49:27:734 1532 IRP_MJ_DEVICE_CONTROL : BA0E93BB
10:49:27:734 1532 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
10:49:27:734 1532 IRP_MJ_SHUTDOWN : BA0E92E2
10:49:27:734 1532 IRP_MJ_LOCK_CONTROL : 804F4562
10:49:27:734 1532 IRP_MJ_CLEANUP : 804F4562
10:49:27:734 1532 IRP_MJ_CREATE_MAILSLOT : 804F4562
10:49:27:734 1532 IRP_MJ_QUERY_SECURITY : 804F4562
10:49:27:734 1532 IRP_MJ_SET_SECURITY : 804F4562
10:49:27:734 1532 IRP_MJ_POWER : BA0EAC82
10:49:27:734 1532 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
10:49:27:734 1532 IRP_MJ_DEVICE_CHANGE : 804F4562
10:49:27:734 1532 IRP_MJ_QUERY_QUOTA : 804F4562
10:49:27:734 1532 IRP_MJ_SET_QUOTA : 804F4562
10:49:27:734 1532 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
10:49:27:734 1532
10:49:27:734 1532 Driver Name: atapi
10:49:27:734 1532 IRP_MJ_CREATE : 8A6BACA1
10:49:27:734 1532 IRP_MJ_CREATE_NAMED_PIPE : 8A6BACA1
10:49:27:734 1532 IRP_MJ_CLOSE : 8A6BACA1
10:49:27:734 1532 IRP_MJ_READ : 8A6BACA1
10:49:27:734 1532 IRP_MJ_WRITE : 8A6BACA1
10:49:27:734 1532 IRP_MJ_QUERY_INFORMATION : 8A6BACA1
10:49:27:734 1532 IRP_MJ_SET_INFORMATION : 8A6BACA1
10:49:27:734 1532 IRP_MJ_QUERY_EA : 8A6BACA1
10:49:27:734 1532 IRP_MJ_SET_EA : 8A6BACA1
10:49:27:734 1532 IRP_MJ_FLUSH_BUFFERS : 8A6BACA1
10:49:27:734 1532 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A6BACA1
10:49:27:734 1532 IRP_MJ_SET_VOLUME_INFORMATION : 8A6BACA1
10:49:27:734 1532 IRP_MJ_DIRECTORY_CONTROL : 8A6BACA1
10:49:27:734 1532 IRP_MJ_FILE_SYSTEM_CONTROL : 8A6BACA1
10:49:27:734 1532 IRP_MJ_DEVICE_CONTROL : 8A6BACA1
10:49:27:734 1532 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A6BACA1
10:49:27:734 1532 IRP_MJ_SHUTDOWN : 8A6BACA1
10:49:27:734 1532 IRP_MJ_LOCK_CONTROL : 8A6BACA1
10:49:27:734 1532 IRP_MJ_CLEANUP : 8A6BACA1
10:49:27:734 1532 IRP_MJ_CREATE_MAILSLOT : 8A6BACA1
10:49:27:734 1532 IRP_MJ_QUERY_SECURITY : 8A6BACA1
10:49:27:734 1532 IRP_MJ_SET_SECURITY : 8A6BACA1
10:49:27:734 1532 IRP_MJ_POWER : 8A6BACA1
10:49:27:734 1532 IRP_MJ_SYSTEM_CONTROL : 8A6BACA1
10:49:27:734 1532 IRP_MJ_DEVICE_CHANGE : 8A6BACA1
10:49:27:734 1532 IRP_MJ_QUERY_QUOTA : 8A6BACA1
10:49:27:734 1532 IRP_MJ_SET_QUOTA : 8A6BACA1
10:49:27:734 1532 Driver "atapi" infected by TDSS rootkit!
10:49:27:734 1532 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
10:49:27:734 1532 File "C:\WINDOWS\system32\DRIVERS\atapi.sys" infected by TDSS rootkit ...
10:49:27:734 1532 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
10:49:27:734 1532 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
10:49:27:859 1532 vfvi6
10:49:27:921 1532 !dsvbh1
10:49:28:296 1532 dsvbh2
10:49:28:296 1532 fdfb2
10:49:28:296 1532 Backup copy found, using it..
10:49:28:312 1532 will be cured on next reboot
10:49:28:312 1532 Reboot required for cure complete..
10:49:28:312 1532 Cure on reboot scheduled successfully
10:49:28:312 1532
10:49:28:312 1532 Completed
10:49:28:312 1532
10:49:28:312 1532 Results:
10:49:28:312 1532 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
10:49:28:312 1532 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
10:49:28:312 1532 File objects infected / cured / cured on reboot: 1 / 0 / 1
10:49:28:312 1532
10:49:28:312 1532 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
10:49:28:312 1532 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
10:49:28:312 1532 UnloadDriverW: NtUnloadDriver error 1
10:49:28:312 1532 KLMD(ARK) unloaded successfully



I did finally force the reboot; I reran TDSS Killer to make sure that I didn't interrupt anything:

11:44:17:562 3840 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
11:44:17:562 3840 ================================================================================
11:44:17:562 3840 SystemInfo:

11:44:17:562 3840 OS Version: 5.1.2600 ServicePack: 3.0
11:44:17:562 3840 Product type: Workstation
11:44:17:562 3840 ComputerName: DDWHBQH1
11:44:17:562 3840 UserName: Nationwide Sales1
11:44:17:562 3840 Windows directory: C:\WINDOWS
11:44:17:562 3840 Processor architecture: Intel x86
11:44:17:562 3840 Number of processors: 2
11:44:17:562 3840 Page size: 0x1000
11:44:17:562 3840 Boot type: Normal boot
11:44:17:562 3840 ================================================================================
11:44:17:562 3840 UnloadDriverW: NtUnloadDriver error 2
11:44:17:562 3840 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
11:44:17:640 3840 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
11:44:17:640 3840 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:44:17:640 3840 wfopen_ex: Trying to KLMD file open
11:44:17:640 3840 wfopen_ex: File opened ok (Flags 2)
11:44:17:640 3840 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
11:44:17:640 3840 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:44:17:640 3840 wfopen_ex: Trying to KLMD file open
11:44:17:640 3840 wfopen_ex: File opened ok (Flags 2)
11:44:17:640 3840 Initialize success
11:44:17:640 3840
11:44:17:640 3840 Scanning Services ...
11:44:18:234 3840 Raw services enum returned 363 services
11:44:18:234 3840
11:44:18:234 3840 Scanning Kernel memory ...
11:44:18:234 3840 Devices to scan: 3
11:44:18:234 3840
11:44:18:234 3840 Driver Name: Disk
11:44:18:234 3840 IRP_MJ_CREATE : BA0EEBB0
11:44:18:234 3840 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
11:44:18:234 3840 IRP_MJ_CLOSE : BA0EEBB0
11:44:18:234 3840 IRP_MJ_READ : BA0E8D1F
11:44:18:234 3840 IRP_MJ_WRITE : BA0E8D1F
11:44:18:234 3840 IRP_MJ_QUERY_INFORMATION : 804F4562
11:44:18:234 3840 IRP_MJ_SET_INFORMATION : 804F4562
11:44:18:234 3840 IRP_MJ_QUERY_EA : 804F4562
11:44:18:234 3840 IRP_MJ_SET_EA : 804F4562
11:44:18:234 3840 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
11:44:18:234 3840 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
11:44:18:234 3840 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
11:44:18:234 3840 IRP_MJ_DIRECTORY_CONTROL : 804F4562
11:44:18:234 3840 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
11:44:18:234 3840 IRP_MJ_DEVICE_CONTROL : BA0E93BB
11:44:18:234 3840 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
11:44:18:234 3840 IRP_MJ_SHUTDOWN : BA0E92E2
11:44:18:234 3840 IRP_MJ_LOCK_CONTROL : 804F4562
11:44:18:234 3840 IRP_MJ_CLEANUP : 804F4562
11:44:18:234 3840 IRP_MJ_CREATE_MAILSLOT : 804F4562
11:44:18:234 3840 IRP_MJ_QUERY_SECURITY : 804F4562
11:44:18:234 3840 IRP_MJ_SET_SECURITY : 804F4562
11:44:18:234 3840 IRP_MJ_POWER : BA0EAC82
11:44:18:234 3840 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
11:44:18:234 3840 IRP_MJ_DEVICE_CHANGE : 804F4562
11:44:18:234 3840 IRP_MJ_QUERY_QUOTA : 804F4562
11:44:18:234 3840 IRP_MJ_SET_QUOTA : 804F4562
11:44:18:312 3840 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
11:44:18:312 3840
11:44:18:312 3840 Driver Name: Disk
11:44:18:312 3840 IRP_MJ_CREATE : BA0EEBB0
11:44:18:312 3840 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
11:44:18:312 3840 IRP_MJ_CLOSE : BA0EEBB0
11:44:18:312 3840 IRP_MJ_READ : BA0E8D1F
11:44:18:312 3840 IRP_MJ_WRITE : BA0E8D1F
11:44:18:312 3840 IRP_MJ_QUERY_INFORMATION : 804F4562
11:44:18:312 3840 IRP_MJ_SET_INFORMATION : 804F4562
11:44:18:312 3840 IRP_MJ_QUERY_EA : 804F4562
11:44:18:312 3840 IRP_MJ_SET_EA : 804F4562
11:44:18:312 3840 IRP_MJ_FLUSH_BUFFERS : BA0E92E2
11:44:18:312 3840 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
11:44:18:312 3840 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
11:44:18:312 3840 IRP_MJ_DIRECTORY_CONTROL : 804F4562
11:44:18:312 3840 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
11:44:18:312 3840 IRP_MJ_DEVICE_CONTROL : BA0E93BB
11:44:18:312 3840 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA0ECF28
11:44:18:312 3840 IRP_MJ_SHUTDOWN : BA0E92E2
11:44:18:312 3840 IRP_MJ_LOCK_CONTROL : 804F4562
11:44:18:312 3840 IRP_MJ_CLEANUP : 804F4562
11:44:18:312 3840 IRP_MJ_CREATE_MAILSLOT : 804F4562
11:44:18:312 3840 IRP_MJ_QUERY_SECURITY : 804F4562
11:44:18:312 3840 IRP_MJ_SET_SECURITY : 804F4562
11:44:18:312 3840 IRP_MJ_POWER : BA0EAC82
11:44:18:312 3840 IRP_MJ_SYSTEM_CONTROL : BA0EF99E
11:44:18:312 3840 IRP_MJ_DEVICE_CHANGE : 804F4562
11:44:18:312 3840 IRP_MJ_QUERY_QUOTA : 804F4562
11:44:18:312 3840 IRP_MJ_SET_QUOTA : 804F4562
11:44:18:328 3840 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
11:44:18:328 3840
11:44:18:328 3840 Driver Name: atapi
11:44:18:328 3840 IRP_MJ_CREATE : B9EF76F2
11:44:18:328 3840 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
11:44:18:328 3840 IRP_MJ_CLOSE : B9EF76F2
11:44:18:328 3840 IRP_MJ_READ : 804F4562
11:44:18:328 3840 IRP_MJ_WRITE : 804F4562
11:44:18:328 3840 IRP_MJ_QUERY_INFORMATION : 804F4562
11:44:18:328 3840 IRP_MJ_SET_INFORMATION : 804F4562
11:44:18:328 3840 IRP_MJ_QUERY_EA : 804F4562
11:44:18:328 3840 IRP_MJ_SET_EA : 804F4562
11:44:18:328 3840 IRP_MJ_FLUSH_BUFFERS : 804F4562
11:44:18:328 3840 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
11:44:18:328 3840 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
11:44:18:328 3840 IRP_MJ_DIRECTORY_CONTROL : 804F4562
11:44:18:328 3840 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
11:44:18:328 3840 IRP_MJ_DEVICE_CONTROL : B9EF7712
11:44:18:328 3840 IRP_MJ_INTERNAL_DEVICE_CONTROL : B9EF3852
11:44:18:328 3840 IRP_MJ_SHUTDOWN : 804F4562
11:44:18:328 3840 IRP_MJ_LOCK_CONTROL : 804F4562
11:44:18:328 3840 IRP_MJ_CLEANUP : 804F4562
11:44:18:328 3840 IRP_MJ_CREATE_MAILSLOT : 804F4562
11:44:18:328 3840 IRP_MJ_QUERY_SECURITY : 804F4562
11:44:18:328 3840 IRP_MJ_SET_SECURITY : 804F4562
11:44:18:328 3840 IRP_MJ_POWER : B9EF773C
11:44:18:328 3840 IRP_MJ_SYSTEM_CONTROL : B9EFE336
11:44:18:328 3840 IRP_MJ_DEVICE_CHANGE : 804F4562
11:44:18:328 3840 IRP_MJ_QUERY_QUOTA : 804F4562
11:44:18:328 3840 IRP_MJ_SET_QUOTA : 804F4562
11:44:18:343 3840 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
11:44:18:343 3840
11:44:18:343 3840 Completed
11:44:18:343 3840
11:44:18:343 3840 Results:
11:44:18:343 3840 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
11:44:18:343 3840 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
11:44:18:343 3840 File objects infected / cured / cured on reboot: 0 / 0 / 0
11:44:18:343 3840
11:44:18:343 3840 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
11:44:18:343 3840 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
11:44:18:343 3840 KLMD(ARK) unloaded successfully


I've also run TFC.
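The two TDSSKiller runs above show the tell-tale difference between a hooked and a clean dispatch table: in the first run every IRP_MJ_* entry of atapi resolves to the single address 8A6BACA1, while after the cure the entries are a mix of the driver's own routines and the shared kernel routine seen at 804F4562 throughout the logs. As an added example (not part of the thread and not TDSSKiller's own code), here is a parser for that log format that applies exactly that heuristic; the sample logs are constructed by abridging the posted ones, and the minimum-entries threshold is an assumption.

```python
"""Flag IRP-hooked drivers in TDSSKiller kernel-memory scan output.

Added example, not part of the thread or of TDSSKiller. Heuristic (an
assumption drawn from the two log runs above): a clean driver's dispatch
table mixes its own routines with one shared kernel routine, so it always
shows several distinct targets; a table in which every IRP_MJ_* entry
collapses onto one identical address is what a dispatch-table hook produces
and is worth treating as infected until proven otherwise.
"""
import re
from collections import Counter

# Constructed sample, abridged from the first run in post #8 (atapi hooked).
INFECTED_LOG = """\
10:49:27:718 1532 Driver Name: Disk
10:49:27:718 1532 IRP_MJ_CREATE : BA0EEBB0
10:49:27:718 1532 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
10:49:27:718 1532 IRP_MJ_CLOSE : BA0EEBB0
10:49:27:718 1532 IRP_MJ_READ : BA0E8D1F
10:49:27:718 1532 IRP_MJ_WRITE : BA0E8D1F
10:49:27:734 1532 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
10:49:27:734 1532
10:49:27:734 1532 Driver Name: atapi
10:49:27:734 1532 IRP_MJ_CREATE : 8A6BACA1
10:49:27:734 1532 IRP_MJ_CREATE_NAMED_PIPE : 8A6BACA1
10:49:27:734 1532 IRP_MJ_CLOSE : 8A6BACA1
10:49:27:734 1532 IRP_MJ_READ : 8A6BACA1
10:49:27:734 1532 IRP_MJ_WRITE : 8A6BACA1
10:49:27:734 1532 Driver "atapi" infected by TDSS rootkit!
"""

# Constructed sample, abridged from the second run (atapi cured).
CURED_LOG = """\
11:44:18:328 3840 Driver Name: atapi
11:44:18:328 3840 IRP_MJ_CREATE : B9EF76F2
11:44:18:328 3840 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
11:44:18:328 3840 IRP_MJ_CLOSE : B9EF76F2
11:44:18:328 3840 IRP_MJ_READ : 804F4562
11:44:18:328 3840 IRP_MJ_DEVICE_CONTROL : B9EF7712
"""

# "HH:MM:SS:mmm <pid> <message>": TDSSKiller prefixes every line this way.
LINE_RE = re.compile(r"^\d\d:\d\d:\d\d:\d{3}\s+\d+\s*(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s*(\S+)")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")


def parse_drivers(log_text):
    """Return {driver_name: {irp_major_function: handler_address}}.

    The same driver name can appear more than once (Disk is listed twice in
    the thread's logs, once per device object); entries are merged.
    """
    drivers, current = {}, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        body = m.group(1).strip()
        d = DRIVER_RE.match(body)
        if d:
            current = d.group(1)
            drivers.setdefault(current, {})
            continue
        i = IRP_RE.match(body)
        if i and current is not None:
            drivers[current][i.group(1)] = int(i.group(2), 16)
    return drivers


def suspicious_drivers(drivers, min_entries=4):
    """Return {driver_name: reason} for tables that collapse onto one address.

    min_entries is an assumed threshold: with fewer parsed entries there is
    not enough of the table to judge, so the driver is skipped.
    """
    flagged = {}
    for name, table in drivers.items():
        if len(table) < min_entries:
            continue
        targets = Counter(table.values())
        if len(targets) == 1:
            (addr, count), = targets.items()
            flagged[name] = f"all {count} IRP_MJ_* entries -> {addr:08X}"
    return flagged


def analyze(log_text):
    """Convenience wrapper: sorted names of flagged drivers."""
    return sorted(suspicious_drivers(parse_drivers(log_text)))


if __name__ == "__main__":
    print("first run :", suspicious_drivers(parse_drivers(INFECTED_LOG)))
    print("second run:", suspicious_drivers(parse_drivers(CURED_LOG)))
```

Run against a full TDSSKiller.txt, it reports atapi for the first run and nothing for the second, which is the same conclusion quietman7 drew by eye.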

#9 quietman7 (Global Moderator)

Posted 06 April 2010 - 11:42 AM

Looks like that worked.

Try doing an online scan to see if you find anything else that the other scans may have missed.

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the Accept button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the Settings button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the OK button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

#10 Mosca (Topic Starter)

Posted 06 April 2010 - 03:31 PM

Looks like it found one more bad guy:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Tuesday, April 6, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Tuesday, April 06, 2010 08:52:57
Records in database: 3914280
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 53903
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 01:12:41


File name / Threat / Threats count
C:\WINDOWS\system32\drivers\etc\hosts Infected: Trojan.Win32.Qhost.mlv 1

Selected area has been scanned.

#11 quietman7 (Global Moderator)

Posted 06 April 2010 - 04:19 PM

Please download hosts.zip and save it to your Desktop.
Be sure to read and print out these Install Instructions with screenshots for the MVPS HOSTS File if you need them.
  • Extract (unzip) the file to its own folder C:\hosts. (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Open up the hosts folder and double-click on the mvps.bat file to run the script.
  • When running the mvps.bat file you may see a DOS window indicating the Previous version was saved and renamed...Press any key to continue...
  • Press any key and the DOS windows will close.
  • The script will rename your present HOSTS file to HOSTS.MVP and copy the new HOSTS file to the correct location on your system.
  • If any installed security programs provide an alert about changes to the HOSTS file, allow the change.
  • You can read more about what we are doing in Blocking Unwanted Parasites with a Hosts File.
Note: You may have to overwrite the hosts file in "Safe Mode" if you get "an access denied message" when trying to do it in normal mode.

If you encounter a problem with the zipped version, try using an alternative zipping tool like 7zip or ExtractNow. If you still encounter problems, then use the MVPS HOSTS File text version. Go to File in the top menu and select "Save As", then save hosts.txt to your desktop. Rename it hosts without an extension. Go to the folder containing your existing HOSTS file and rename it HOSTS.MVP. Then copy the hosts file on your desktop into the same folder where you renamed the existing file.

Note: If using Vista or Windows 7, be aware that they require special instructions.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.
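The Kaspersky hit above (Trojan.Win32.Qhost.mlv on C:\WINDOWS\system32\drivers\etc\hosts) and the MVPS replacement in this post both come down to one question: which names does the HOSTS file map, and to what address? A sinkhole file like MVPS only ever points names at 0.0.0.0 or 127.0.0.1, so an entry that pins an update, AV or bank hostname to anything else, or that pins an AV/update site to loopback so it can no longer update, is the Qhost pattern. The following is an added example, not part of this thread and not the MVPS script: a Python audit of a Windows HOSTS file that flags those entries and reports the line they sit on (hijackers commonly hide their lines below a long run of blank lines so they scroll out of view in Notepad). The watched-domain list, the sample file content and the attacker address 203.0.113.45 (the TEST-NET-3 documentation range) are constructed for this example.

```python
"""Audit a Windows HOSTS file for Qhost-style hijacks.

Added example; not code from the BleepingComputer thread or from MVPS.
"""
import ipaddress
import re
from dataclasses import dataclass

# Hostnames a Qhost-family trojan typically neuters. Assumption: an
# illustrative list for this example, not any vendor's signature.
WATCHED_SUFFIXES = (
    "windowsupdate.com", "update.microsoft.com", "microsoft.com",
    "avg.com", "kaspersky.com", "malwarebytes.org", "superantispyware.com",
    "symantec.com", "mcafee.com", "bleepingcomputer.com",
)

# Addresses a legitimate blocking HOSTS file (MVPS style) maps names to.
SINKHOLE = {ipaddress.ip_address(a) for a in ("0.0.0.0", "127.0.0.1", "::1")}

# RFC 1918 ranges: a name pinned to one of these is a LAN convenience, not a hijack.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Finding:
    line_no: int
    address: str
    hostname: str
    reason: str


def is_watched(name):
    """True for a watched domain or any subdomain of one (dot-anchored, so
    'evilmicrosoft.com' does not match 'microsoft.com')."""
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def is_lan(addr):
    return addr.is_loopback or addr.is_link_local or any(addr in net for net in RFC1918)


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for every mapping line.

    Handles CRLF, tabs, inline '#' comments and several hostnames per line;
    lines whose first token is not an IP address are skipped, not trusted.
    """
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s+", line)
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        yield n, addr, [h.lower().rstrip(".") for h in parts[1:]]


def audit_hosts(text):
    """Return a Finding for every entry that does not look like plain sinkholing."""
    findings = []
    for n, addr, names in parse_hosts(text):
        for name in names:
            if name in ("localhost", "localhost.localdomain"):
                continue
            if is_watched(name):
                # Qhost pattern: update/AV sites pointed at loopback (blocks
                # updates) or at a foreign IP (traffic interception).
                reason = "update/AV domain blocked" if addr in SINKHOLE else "update/AV domain redirected"
                findings.append(Finding(n, str(addr), name, reason))
            elif addr not in SINKHOLE and not is_lan(addr):
                # Any other name pinned to a public address (phishing/redirect).
                findings.append(Finding(n, str(addr), name, "hostname pinned to external address"))
    return findings


# Constructed sample: a normal XP header, one MVPS-style block, one LAN entry,
# then 40 blank lines hiding the hijacks, as Qhost variants commonly do.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\r\n"
    "127.0.0.1       localhost\r\n"
    "0.0.0.0\tad.doubleclick.net   # MVPS-style block, fine\r\n"
    "192.168.1.20 fileserver.corp.local\r\n"
    + "\r\n" * 40 +
    "127.0.0.1 www.avg.com update.avg.com\r\n"
    "203.0.113.45 www.windowsupdate.com # constructed attacker IP (TEST-NET-3)\r\n"
    "203.0.113.45 bank.example.com\r\n"
)

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else r"C:\WINDOWS\system32\drivers\etc\hosts"
    with open(path, encoding="utf-8-sig", errors="replace") as fh:
        data = fh.read()
    for f in audit_hosts(data):
        print(f"line {f.line_no}: {f.address} {f.hostname}  <- {f.reason}")
```

Run it against the live file before the MVPS script renames it, and again against HOSTS.MVP afterwards, to see exactly which lines Kaspersky objected to; on the constructed sample it reports the two AVG names on line 45, the windowsupdate redirect on line 46 and the bank redirect on line 47, and nothing for the legitimate entries.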

#12 Mosca (Topic Starter)

Posted 06 April 2010 - 04:31 PM

Thank you, thank you, thank you!

We are knocking off for today, I will finish up tomorrow.

Did I say, thank you?

#13 quietman7 (Global Moderator)

Posted 07 April 2010 - 07:04 AM

You're welcome.

#14 Mosca (Topic Starter)

Posted 07 April 2010 - 10:40 AM

OK, instructions followed, everything went as described.

The automatic AVG scan this morning showed no infections. Just curious, why is that? Is it because the Kaspersky online scan is a deeper scan, or does it have a more sophisticated model, or both? Or is the detected file a remnant that just needs to be isolated? I understand how the Hosts file works, in addition I find this interesting and worth understanding as well.

#15 quietman7 (Global Moderator)

Posted 07 April 2010 - 12:18 PM

No single product is 100% foolproof or able to prevent, detect and remove all threats at any given time. The security community is in a constant state of change as new infections appear. Each vendor has its own definition of what constitutes malware, and scanning your computer using different criteria will yield different results. The fact that each program has its own definition files means that some malware may be picked up by one that could be missed by another. Thus, a multi-layered defense using several anti-spyware products (including an effective firewall) to supplement your anti-virus, combined with common sense and safe surfing habits, provides the most complete protection.

If there are no more problems or signs of infection, you should Create a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name, then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run... and type: Cleanmgr
  • Click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.
