Problems after Trojan Horse detection


14 replies to this topic

#1 Kryptonite (Members, 139 posts)

Posted 16 May 2011 - 11:20 AM

Ad-Aware detected that a TH was attempting to invade my computer (XP). It quarantined it.

I immediately engaged the ZoneAlarm Internet lock and disabled the network connection.

I ran Malwarebytes, which also found a few problems which were deleted.

Avira had already updated for the day so I ran that, but it seemed to run twice and also found 2 problems, but the button to delete them wouldn't work.

I rebooted and got an error message which said: Couldn't find the file C/WINDOWS/irobovisidu.dll

I ran the scan disk tool but got the same message each time the computer reboots.

Last night I updated Dr.Web and ran that. It was still running when I went to bed. 6 hours later it was still running and had processed the same 26,000 files as when I went to bed.

All morning I'm trying Ad-Aware again. It crashes and reboots the computer with the same error message.

Now I have Avira running again, which will take no less than three hours.

I did a Google search for irobovisidu.dll and there is nothing.

Does anyone have a clue what's going on?

All of this happened after engaging in the nonsensical argument with my GF about putting a car remote start up to a cell phone and starting it via someone else's cell phone. I told her it was a hoax but she didn't believe me, so I googled it and found a web video from MythBusters. It was during the viewing of that video that the TH came in.

Lesson:
1. Don't argue with GFs.
2. Don't go on the net to prove she's wrong.
I'm sure there are more lessons here....can't wait to hear them from the bleeping gang <s>



#2 boopme (Global Moderator, 73,176 posts, NJ USA)

Posted 16 May 2011 - 11:39 AM

Hello and welcome. I moved this from XP to Am I Infected.
Please post your MBAM log.
The log is automatically saved and can be viewed by clicking the Logs tab in Malwarebytes.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.


It's not unusual to receive such an error after using specialized fix tools.

A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.

To resolve this, download Autoruns, search for the related entry and then delete it.

Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
Open the folder and double-click on autoruns.exe to launch it.
Please be patient as it scans and populates the entries.
When done scanning, it will say Ready at the bottom.
Scroll through the list and look for a startup entry related to the file(s) in the error message. -->> irobovisidu.dll

Right-click on the entry and choose delete.
Reboot your computer and see if the startup error returns.

> It crashes and reboots the computer with the same error message.

The same one we are using Autoruns on?


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Under scan settings, check [image] and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]


Did DrWEB finish?
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook
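As an added example (not code from this thread or from the Autoruns tool), the check described above can be reproduced offline against a .reg export of the two Run keys: every autostart value whose target file no longer exists is reported, which is exactly what produces the "Cannot find the file" message at boot. The sample export below is constructed; the value names and file paths come from this thread's own logs, the command lines and the Avira entry are assumed for illustration.

```python
import os
import re

RUN_KEYS = (  # autostart keys examined; the thread's entry lived under HKLM
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed sample export: value names and DLL/EXE paths come from the
# thread; the command lines and the Avira entry are assumed for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gtuboqiracevenup"="rundll32.exe \"C:\\WINDOWS\\irobovisidu.dll\",Startup"
"avgnt"="\"C:\\Program Files\\Avira\\AntiVir Desktop\\avgnt.exe\" /min"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Ggarusuqik"="C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\ms0cfg32.exe"
'''

# "Name"="data" lines; .reg files escape backslashes and quotes with '\'.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def parse_run_entries(reg_text):
    """Return (key, value name, command) for string values under Run keys."""
    entries, current = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            current = key if key.lower() in {k.lower() for k in RUN_KEYS} else None
            continue
        m = _VALUE_RE.match(line)
        if current and m:
            entries.append((current, _unescape(m.group(1)), _unescape(m.group(2))))
    return entries

def command_target(cmd):
    """File a Run command loads: the quoted or first token, or rundll32's DLL."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        head, rest = cmd[1:end], cmd[end + 1:]
    else:
        head, _, rest = cmd.partition(" ")
    if head.lower().replace("\\", "/").rsplit("/", 1)[-1] in ("rundll32", "rundll32.exe"):
        arg = rest.strip()  # rundll32 loads "path,Export": the DLL is the path
        if arg.startswith('"'):
            return arg[1:arg.find('"', 1)]
        return arg.split(",", 1)[0].split(" ", 1)[0]
    return head

def find_orphans(reg_text, exists=os.path.exists):
    """Run entries whose target is gone: what produces the 'Cannot find' error."""
    return [(key, name, command_target(cmd)) for key, name, cmd
            in parse_run_entries(reg_text) if not exists(command_target(cmd))]
```

Pass an `exists` callable that checks paths on a mounted copy of the infected drive when the export is examined from another machine, as was done with the jump drive in this thread.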

#3 Kryptonite (Topic Starter, Members, 139 posts)

Posted 17 May 2011 - 02:47 AM

Thanks boopme.

Yesterday I ran Avira again in full scan mode and it found something called Trash Gen. It suggested deleting it, which I did, and running another full scan, which I also did. This process took the whole day, and on the last scan Avira hit 100% and was still running until there were over 1 million files or objects scanned. In any event I'm on a safe computer at the moment and will copy the MBAM log and download Autoruns.

Will post in a while.

BTW Dr Web never finished, and when I tried it yesterday it said the license had expired. Since I disconnected from the net I didn't update yet.

#4 Kryptonite (Topic Starter, Members, 139 posts)

Posted 17 May 2011 - 05:17 AM

I'm following your instructions but have not allowed that computer back on the internet yet.
Autorun was downloaded to a jump drive and I am copying the logs that you requested to the same drive for posting here in a little while.

Before I delete that file (irobo....) I want to ask about the importance of noting where it is: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Under that heading the file in question appears, and noticing how it is listed I can see why it took me a long time to locate it, even after finding the search feature in the Autoruns program.

Here is what it says:
Gtuboqiracevenup File not found: C:\WINDOWS\irobovisidu.dll

I will post the log in a separate post and ask a few questions about recognizing other things in the Autoruns program that look suspicious to me. I will post the questions in a separate post in another category if it will best serve others here on BC.

#5 Kryptonite (Topic Starter, Members, 139 posts)

Posted 17 May 2011 - 05:21 AM

FYI, the quick scan found and removed what you see in this log.

Avira found other things after the MBAM process reported here.


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6576

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/15/2011 1:24:48 PM
mbam-log-2011-05-15 (13-24-48).txt

Scan type: Quick scan
Objects scanned: 172395
Time elapsed: 15 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\dcerpkpr.dll (Trojan.Hiloti) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ggarusuqik (Trojan.Hiloti) -> Value: Ggarusuqik -> Delete on reboot.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\dcerpkpr.dll (Trojan.Hiloti) -> Delete on reboot.
c:\documents and settings\Owner\local settings\Temp\ms0cfg32.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
c:\documents and settings\Owner\local settings\temporary internet files\Content.IE5\G23JBVT5\yekevb2o[1].exe (Trojan.Hiloti) -> Quarantined and deleted successfully.

#6 Kryptonite (Topic Starter, Members, 139 posts)

Posted 17 May 2011 - 05:32 AM

The Avira log (abbreviated):
Starting to scan executable files (registry).
The registry was scanned ( '1241' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1016\A0287151.dll
[DETECTION] Is the TR/Trash.Gen Trojan
C:\WINDOWS\I386\NETCFGW.CH_
[WARNING] An exception has been identified!
[WARNING] In the module 'aecore.dll' an exception occured.
Calling the function Function <AVEPROC_TestFile> in file: <\\?\C:\WINDOWS\I386\NETCFGW.CH_>
Error description:PRIV_INSTRUCTION
EAX = 09AEF008 EBX = 000001FF

Question: the so-called "WARNING" makes me wonder if this "exception" is something to be concerned about.

#7 Kryptonite (Topic Starter, Members, 139 posts)

Posted 17 May 2011 - 05:34 AM

Last Avira log (abbreviated):

End of the scan: Monday, May 16, 2011 20:16
Used time: 3:57:35 Hour(s)

The scan has been done completely.

16988 Scanned directories
1028388 Files were scanned
0 Viruses and/or unwanted programs were found
0 Files were classified as suspicious
0 files were deleted
0 Viruses and unwanted programs were repaired
0 Files were moved to quarantine
0 Files were renamed
0 Files cannot be scanned
1028388 Files not concerned
11865 Archives were scanned
0 Warnings
2 Notes
731823 Objects were scanned with rootkit scan
2 Hidden objects were found

#8 Kryptonite (Topic Starter, Members, 139 posts)

Posted 17 May 2011 - 06:19 AM

> A "Cannot find...", "Could not run...", "Error loading..." or "specific module could not be found" message is usually related to malware that was set to run at startup but has been deleted. Windows is trying to load this file but cannot locate it since the file was most likely removed during an anti-virus or anti-malware scan. However, an associated orphaned registry entry remains and is telling Windows to load the file when you boot up. Since the file no longer exists, Windows will display an error message. You need to remove this registry entry so Windows stops searching for the file when it loads.
>
> To resolve this, download Autoruns, search for the related entry and then delete it.
>
> Create a new folder on your hard drive called AutoRuns (C:\AutoRuns) and extract (unzip) the file there. (click here if you're not sure how to do this.)
> Open the folder and double-click on autoruns.exe to launch it.
> Please be patient as it scans and populates the entries.
> When done scanning, it will say Ready at the bottom.
> Scroll through the list and look for a startup entry related to the file(s) in the error message. -->> irobovisidu.dll
>
> Right-click on the entry and choose delete.
> Reboot your computer and see if the startup error returns.
>
> It crashes and reboots the computer with the same error message.. The same one we are using Autoruns on?



Booted without error message.

I'm doing another scan before venturing back onto the net.

#9 Kryptonite (Topic Starter, Members, 139 posts)

Posted 17 May 2011 - 07:36 AM

Things are still not right.

Followed instructions for ESET OnlineScan

Walked into the kitchen for a cup of coffee and when I came back my sign-on screen was up which usually means a crash. Sure enough. I did a screen shot and pasted it in paint. The message was long.

Just updated DrWeb and we'll see how that one goes.

#10 boopme (Global Moderator, 73,176 posts, NJ USA)

Posted 17 May 2011 - 11:20 AM

You may also want to run SFC

Please run SFC (System File Checker).
Please run System File Checker: sfc /scannow... For more information on this tool see How To Use Sfc.exe To Repair System Files

NOTE for Vista/WIN 7 users: the command needs to be run from an Elevated Command Prompt. Click Start, type cmd into the Start/Search box,
right-click cmd.exe in the list above and select 'Run as Administrator'.


You will need your operating system CD handy.

Open Windows Task Manager by pressing CTRL+SHIFT+ESC.

Then click File, then New Task (Run).

In the box that opens type sfc /scannow (there is a space between c and /).

Click OK.

#11 Kryptonite (Topic Starter, Members, 139 posts)

Posted 17 May 2011 - 11:57 AM

No CD with this computer.

Since I last posted, every program has caused a crash well into the scans, 40 minutes or 40%; sometimes it's hours into the scan.

Those screen shots that I took need to be moved to the jump drive so I can post them.

In the meantime I'm not real confident about going on the net with that computer.

I appreciate the help boopme, thanks.

#12 boopme (Global Moderator, 73,176 posts, NJ USA)

Posted 17 May 2011 - 07:08 PM

I feel we have to move you, as without a CD drive you will need our Malware staff to help you replace or fix what is wrong.
Please start a topic about constant app crashing.

We need a deeper look. Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.

Edited by boopme, 20 May 2011 - 01:09 PM.


#13 Kryptonite (Topic Starter, Members, 139 posts)

Posted 18 May 2011 - 05:19 AM

> I feel we have to move you as without a CD drive you will need our Malware staff to help you replace or fix what is wrong.
> Please start a topic about constant app crashing.
>
> We need a deeper look. Please go here....
> Preparation Guide, do steps 6 - 9.
>
> Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
> If Gmer won't run, skip it and move on.
> Let me know if that went well.


Hey, thanks boopme for the help. I wanted to post those screen shots of the error messages, but interestingly enough the jump drive I have been shuttling back and forth between computers does not even show up in the root menu in Windows Explorer. My computer is really screwed up. She's an old Gateway that has served me really well.

In any event, I will post what you suggested. Could you either move my post if it's in the wrong spot or tell me where to post it? (Haven't looked yet to see if there is a specific malware forum, but if there is I guess that is where to post it.)

And since I have your eye for now I want to ask you about another post I made a day or so ago in the chat about anything room. It had to do with this original post. Before I posted here on BC I did a Google search for the irobo.....dll file and there was nothing. I posted my question here, and before I finished looking around BC and moving on to other things to do, the Google page for the .dll search was still open. Looking at it before I closed it I noticed that there was something listed (one thing listed where there was zero before); turns out that it was my post on BC. That absolutely amazzzzed me, blew my mind that something posted on one website that had the word robo....dll in it and Google deciphered from all content in the world being processed on the WWW, the WORLD WIDE WEB, and it found my post here on BC. I see that lots of people read my post but as of yesterday no one commented. Is it just me that is shocked at this? (Don't even know what to call it; phenomenon?) You can say that it is just me; I've heard it my whole life....what can I do, it's how I see things, otherwise known as "me".

Thanks again

#14 Kryptonite (Topic Starter, Members, 139 posts)

Posted 18 May 2011 - 05:30 AM

1 more thing:

I didn't see that you actually included a link in your post to me. Thinking back to reading it for the first time a few mins ago, I still don't recall seeing it as I am seeing it now as part of the "quote" aspect which highlights your words. Maybe I thought it was one of those advertisements that seem to be a part of many "free" websites lately. In fact I think that is perhaps a main reason why our modern computers with multi-layered processors and 4 gigs of RAM or more take longer to load a page than our old ones back in the Stone Age of computering...does it make sense to advertise without asking to have cookies set so the consumer can be tracked? You can also tell me that I sound paranoid, because I've been told that too when I try to bring this up as a discussion. Do you have any thoughts about that?

#15 boopme (Global Moderator, 73,176 posts, NJ USA)

Posted 18 May 2011 - 07:58 PM

Click on the blue-lettered words; they are hyperlinks.
You can disable them (cookies), but wait and ask in the other forum as we don't want to make such changes yet.