Full Version: Repeated exe's and trojans detected on connecting to the internet
Kaspersky Lab Forum > English User Forum > Virus-related issues
shru123
Hi all,

I have had KIS 2009 on my computer since earlier this year. It's been working great till now. The problem is that when I connect to the internet, an exe file is loaded/created (I don't know which) by the names of A101.exe, F010.exe, H010.exe, and the like. This is brought to my notice by KIS, asking me whether I want to Allow or Block the execution of this executable file. Naturally, I block it. It confirms this action by saying that it has been placed in the group "untrusted". Soon after this, it starts detecting and deleting trojans.

Please note that all these files (exe and the trojans) are located in my WINDOWS folders in either system32 or in my temporary internet files.

Sometimes, KIS places such an exe file in "low restricted" without my permission. I then have to move it manually to "untrusted".

I had reinstalled the OS on my computer after this problem began and for a while everything was back to normal. Now, again this problem has begun.

I have tried uninstalling IE7 and installed another browser, with no change in the problem. I also tried deleting all history/temp files etc with both browsers, with no effect whatsoever.

Before this problem manifested itself, I noted another issue: I got a window stating "java.exe has encountered a problem and needs to close", and even once: "Generic Process for Win32 has encountered a problem and needs to close". I would restart my system and sometimes the window came again, sometimes it didn't. Then the above described problem occurred.

When KIS treated these exe files during one of the many occurrences of this problem and restarted my computer, the OS didn't load at all and a blue screen displayed itself telling me to try restarting again. If required, I can upload a snapshot of that blue screen, so please let me know.

I have another computer with AVG working on it and the same internet connection. It seems fine and this problem is not occurring on that system. This leaves me wondering whether Kaspersky is really as good as they proclaim it to be!!

Please help...
dawgg
You said you reinstalled the OS - does this mean you did a full format of the computer or just installed over the previous installation?
It seems like a really big coincidence if the same problem happens again after a full format. If it did, are you installing your software using the original CDs, or copied or downloaded versions from websites other than that of the original company?

RE: your other computer - it rarely matters if you're on the same network or not unless it's a worm or virus. It's the user interaction, software installed and setup of the system which matters.


1. Attach an AVZ log of your computer to your next post. Instructions shown here.

2. Open Kaspersky, click Quarantine and select "all detected malware" in the dropdown list. Click Save and save it to your desktop.
Attach that txt file to your next post.

3. Download Kaspersky's GSI tool and save it to your desktop.
Click Settings - Customize - Scan System32 folder.
Click OK - Create report.
Attach the report to your next post. If the file size is too large, upload it to a file-hosting website such as http://rapidshare.de/ and post here the download link to it.
shru123
Hey, thanks for the response!

Firstly, when I reinstalled the OS, I installed over the previous one, i.e. I formatted only my C drive during installation, not the other partitions. A few files weren't copied from the CD during installation, and I retrieved those files from another computer with the same OS and placed them in the correct directories/destination paths. As of today, four files are still missing, BUT my system has been working fine (as in I did this installation process about a month ago, and this infection recurred only yesterday).

Okay, now regarding the AVZ log, I followed the steps, and it failed to create the log. So it's a dead end there.

And, regarding the All Detected Malware Log, well there wasn't a save button there, so I went to Reports, then selected each item from the drop-down list and saved each as a txt file. Here's the download link to them (I've zipped them):

Download the reports: http://rapidshare.de/files/48631656/Reports.zip.html

Also I've attached the GSI report along with this post.

Also, in case I forgot to mention earlier, the exe runs only when I establish the internet connection. I think, though, that simply not using the internet from that system will not help, although that's what I'm doing for the time being.

Thanks again!
shru123
QUOTE
Before this problem manifested itself, I noted another issue: I got a window stating "java.exe has encountered a problem and needs to close", and even once: "Generic Process for Win32 has encountered a problem and needs to close". I would restart my system and sometimes the window came again, sometimes it didn't.


I wanted to clear up another point on what I said in my first post. About what I've quoted above, I meant that this problem happened about a few hours BEFORE the main problem. Just thought I'd clarify!

dawgg
Thank you for the information and logs.


The Java problem seems to be related to a file called jvm.dll - a check in your GSI parser says it may belong to Oracle - F:\oracle\ora92\jdk\jre\bin\hotspot\jvm.dll
I don't know if the file is also active in any other location on your computer or not, but it's worth a go contacting Oracle Support or checking in other forums about this problem.


I am presuming your H drive is for USB (removable pen-drives). They are highly infected, and it's likely other systems it's been used on are infected as well - unless autoruns has been disabled.
First of all, disable Autoruns on your computer if it's enabled... In Kaspersky, click SystemSecurity - SecurityAnalyzer... follow the prompts. If there are any tick-boxes in the list which say "autoruns for USBs", "autoruns for removable storage" or something along those lines, tick it and click Next and follow the prompts.


Execute the following script in AVZ. Instructions shown here.
*Note: Your PC will automatically restart without prompt after running the script, so save and exit all non-essential applications before running.
CODE
begin
SetAVZGuardStatus(True);
SearchRootkit(true, true);
QuarantineFile('C:\WINDOWS\system32\ltdrunsrv.dll','');
QuarantineFile('C:\WINDOWS\system32\ltdlogsrv.dll','');
QuarantineFile('C:\WINDOWS\system32\drivers\tcpz-x86d.sys','');
QuarantineFile('C:\WINDOWS\System32\*.scr','');
QuarantineFile('C:\WINDOWS\System32\2FL49QC8KM\*.*','');
QuarantineFile('C:\WINDOWS\System32\AW16ADMLP2\*.*','');
QuarantineFile('C:\WINDOWS\System32\ZYRBY36XN6\*.*','');
QuarantineFile('c:\windows\system32\advancelink\*.*','');
QuarantineFile('C:\WINDOWS\System32\i\*.*','');
QuarantineFile('C:\WINDOWS\System32\J4UOG4K8OX\*.*','');
QuarantineFile('C:\WINDOWS\System32\RFKISAI20C\*.*','');
QuarantineFile('C:\WINDOWS\System32\VARNT8B4LG\*.*','');
QuarantineFile('C:\DOCUMENTS AND SETTINGS\LocalService\Local Settings\Temporary Internet Files\Content.IE5\VEF45CJ8\*.*','');
QuarantineFile('C:\DOCUMENTS AND SETTINGS\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IVTIMB01\*.*','');
QuarantineFile('C:\DOCUMENTS AND SETTINGS\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ER15OPW9\*.*','');
QuarantineFile('C:\DOCUMENTS AND SETTINGS\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3M8O7T64\*.*','');
DeleteFile('C:\WINDOWS\system32\ltdrunsrv.dll');
DeleteFile('C:\WINDOWS\system32\ltdlogsrv.dll');
DeleteFile('C:\WINDOWS\system32\drivers\tcpz-x86d.sys');
DeleteFileMask('C:\WINDOWS\System32\2FL49QC8KM\','*.*',true);
DeleteFileMask('C:\WINDOWS\System32\AW16ADMLP2\','*.*',true);
DeleteFileMask('C:\WINDOWS\System32\ZYRBY36XN6\','*.*',true);
DeleteFileMask('c:\windows\system32\advancelink\','*.*',true);
DeleteFileMask('C:\WINDOWS\System32\i\','*.*',true);
DeleteFileMask('C:\WINDOWS\System32\J4UOG4K8OX\','*.*',true);
DeleteFileMask('C:\WINDOWS\System32\RFKISAI20C\','*.*',true);
DeleteFileMask('C:\WINDOWS\System32\VARNT8B4LG\','*.*',true);
DeleteFileMask('C:\DOCUMENTS AND SETTINGS\LocalService\Local Settings\Temporary Internet Files\Content.IE5\VEF45CJ8\','*.*',true);
DeleteFileMask('C:\DOCUMENTS AND SETTINGS\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IVTIMB01\','*.*',true);
DeleteFileMask('C:\DOCUMENTS AND SETTINGS\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ER15OPW9\','*.*',true);
DeleteFileMask('C:\DOCUMENTS AND SETTINGS\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3M8O7T64\','*.*',true);
BC_ImportDeletedList;
ExecuteSysClean;
BC_Activate;
RebootWindows(true);
end.



Download and run ATFCleaner.
Tick all the rows which say "Temp" or "Temporary Internet Files", e.g. Windows Temp.
Then click EmptySelected - OK - Exit



After running the script, attach a Combofix log. Please review and follow these instructions carefully.

Before Saving combofix to Desktop, please rename combofix to something like 123.exe to stop malware from disabling it.

Now, please make sure no other programs are running, close all other windows and pause Kaspersky (right click the K icon and click pause protection > Choose the option "resume manually" if still active) until after the scanning and removal process has taken place.

Please double click on the file you downloaded. Follow the onscreen prompts to start the scan.
Once the scanning process has started please DO NOT click on the Combofix window or attempt to use your computer as this can cause the scanning process to stall.
It may take a while to complete scanning and this is normal.

You will be disconnected from the internet and your desktop icons/toolbars will disappear during scanning, do not worry, this is normal and it will be restored after scanning has completed.

Combofix will create a logfile and display it after your computer has rebooted. Usually located in c:\combofix.txt, please attach it to your next post. Also, please don't forget to resume the Kaspersky that you paused.

Download Combofix from here -> http://download.bleepingcomputer.com/sUBs/ComboFix.exe
shru123
Thanks a million for your help!! I will follow up on these steps ASAP. However, I have my sem-end practical coming up on Monday, so I'll perform these steps and get back on it then.

Many thanks again!
shru123
Hi again,

I performed the steps you gave in your previous post. Attached please find the ComboFix Log. However, I apparently did not have Microsoft Windows recovery console installed, so it said that it would not be able to fix any serious infections. The rest of the process executed normally.

If the recovery console problem needs to be fixed, I have a proper XP CD from which I can reinstall (formatting C drive only) if required, to fix that problem.

Btw, with reference to your previous post, my H drive is indeed for USB and I usually plug it in my college lab systems, which are, unfortunately, poorly protected from viruses and such trojans. That's why I went for Kaspersky.

Out of curiosity, what is an AVZ script, and what did those steps I just performed ensure? I know that ATF cleaner probably deleted all Temporary files, and the AVZ script probably manually deletes infections (using quarantine).

Many thanks...
dawgg
See here to install Recovery Console - http://support.microsoft.com/kb/307654

Submit the following to Kaspersky's Viruslab
C:\my_try.exe
C:\try_choice.exe

The AVZ scripts are just instructions to get Kaspersky to do specific tasks such as quarantine/rename/delete files, delete/change registry entries and other system changes.
You just deleted the contents of the folders you can see in the list - QuarantineFile = quarantine/backup the file, DeleteFile - delete the file.



Please attach another AVZ and GSI log. Also download Combofix again and run it again. This will allow us to see if anything suspicious is getting recreated again.
Are you still having the problems?

I think the files C:\WINDOWS\system32\ltdrunsrv.dll and C:\WINDOWS\system32\ltdlogsrv.dll were the bulk of the problem causing the issues.
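To make the quarantine/delete semantics described above concrete, here is an added Python sketch (not the forum's or Kaspersky's code) of a QuarantineFile + DeleteFileMask pass: each matching file is hashed and copied into a zip with a manifest before it is removed, so a wrong deletion can be restored and verified. It runs against a constructed temp directory that imitates the random-named System32 folders from the script, not the real system.

```python
"""Quarantine-then-delete with a restorable archive: an added example of what
the AVZ script on this page does with QuarantineFile + DeleteFileMask.
Uses a constructed temp directory, not the real System32."""
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path


def quarantine_file(path, archive):
    """Copy one file into the quarantine zip and return a manifest entry
    (path, SHA-256, size, member) so it can be identified and restored later."""
    p = Path(path)
    data = p.read_bytes()
    digest = hashlib.sha256(data).hexdigest()
    member = f"{digest}_{p.name}"  # hash prefix avoids basename collisions
    with zipfile.ZipFile(archive, "a", zipfile.ZIP_DEFLATED) as zf:
        if member not in zf.namelist():
            zf.writestr(member, data)
    return {"path": str(p), "sha256": digest, "size": len(data), "member": member}


def delete_file_mask(folder, pattern, archive, recursive=True):
    """Quarantine every file under folder matching pattern, then delete it.
    Nothing is unlinked until its copy is in the archive."""
    root = Path(folder)
    matches = root.rglob(pattern) if recursive else root.glob(pattern)
    entries = []
    for f in sorted(m for m in matches if m.is_file()):
        entries.append(quarantine_file(f, archive))
        f.unlink()
    return entries


def restore_file(entry, archive, dest_root):
    """Put a quarantined file back under dest_root and verify its hash:
    the escape hatch a plain DeleteFile does not give you."""
    with zipfile.ZipFile(archive) as zf:
        data = zf.read(entry["member"])
    if hashlib.sha256(data).hexdigest() != entry["sha256"]:
        raise ValueError("quarantine archive corrupted for " + entry["path"])
    out = Path(dest_root) / Path(entry["path"]).name
    out.write_bytes(data)
    return out


def run_demo():
    """Constructed sample: random-named folders like the ones in the thread."""
    base = Path(tempfile.mkdtemp())
    sys32 = base / "System32"
    for folder, name in [("2FL49QC8KM", "a.dll"), ("2FL49QC8KM", "b.exe"),
                         ("AW16ADMLP2", "c.exe")]:
        (sys32 / folder).mkdir(parents=True, exist_ok=True)
        (sys32 / folder / name).write_bytes(b"sample bytes " + name.encode())
    archive = base / "quarantine.zip"
    entries = []
    for folder in ("2FL49QC8KM", "AW16ADMLP2"):
        entries += delete_file_mask(sys32 / folder, "*.*", archive)
    (base / "manifest.json").write_text(json.dumps(entries, indent=1))
    remaining = sum(1 for f in sys32.rglob("*") if f.is_file())
    restored = restore_file(entries[0], archive, base)
    return {"quarantined": len(entries), "remaining": remaining,
            "restored_ok": restored.read_bytes() == b"sample bytes a.dll"}
```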
shru123
Hi,

Thanks for the info!

Just to let you know--

C:\my_try.exe
C:\try_choice.exe

are NOT viruses. They are part of SQL Embedded Programming I was practising for my exam today. If you'll check the log they were created just on Sunday, and couldn't possibly have anything to do with the problem. So do they need to be sent to the lab??

I will perform the steps you mentioned again, and finally test my computer with the internet connection to make sure the problem isn't recurring?

Also, if I haven't used a key for my XP installation, will I have a problem downloading the recovery console? I need to know whether I need to recover my key from the microsoft website now or I can do it after this problem is solved?

Thanks again!
dawgg
Ha ha - I wanted to make sure it was not any bad files which were recreated or recently dropped. Unless you created something malicious you plan to infect people with, you do not need to send it to the lab.

Yes, it will be good if you can connect to the internet to see if the problem is reoccurring or not.

You can install Recovery Console from your XP CD - no need to have an activation code...
QUOTE
To install the Recovery Console, follow these steps:

1. Insert the Windows XP CD into the CD-ROM drive.
2. Click Start, and then click Run.
3. In the Open box, type d:\i386\winnt32.exe /cmdcons where d is the drive letter for the CD-ROM drive.
4. A Windows Setup Dialog Box appears. The Windows Setup Dialog Box describes the Recovery Console option. To confirm the installation, click Yes.
5. Restart the computer. The next time that you start your computer, "Microsoft Windows Recovery Console" appears on the startup menu.
shru123
QUOTE(dawgg @ 10.11.2009 01:10)
You can install Recovery Console from your XP CD - no need to have an activation code...


I tried those steps using my CD, but it didn't run.. I was able to run just d:\i386\winnt32.exe and not d:\i386\winnt32.exe /cmdcons, and in that too the setup wizard tried to upgrade my OS, no option of installing the console. I tried browsing the I386 folder on the CD but couldn't figure anything out.. Could you check those steps again please?

Also, I tried creating an AVZ log, but again the wizard tells me it failed to do so, message being "Incorrect kernel handle". Why is this?

Have attached a GSI report as well. Although I know this should probably be done after the recovery console and combofix has been run, I did it anyway, just to try and help. Want this problem to be solved ASAP!

Thanks!
dawgg
See here for installing Recovery Console manually.

GSI log looks clean. Not sure why it says incorrect kernel, that should only happen when executing a script. Are you creating the script using the AVZ built into Kaspersky?


Execute the following script in AVZ:
CODE
begin
CreateQurantineArchive('c:\quarantine.zip');
end.

Upload the c:\quarantine.zip file to a file-hosting website such as http://rapidshare.de/ and private message me the download link.
shru123
HELP!

Okay, my protection is not enabled (and no option to do so), my databases are corrupted, and out-dated. This is what happened:

1. I installed the Recovery Console successfully from my XP CD as per the instructions at the link you provided.
2. I attempted to run Combofix (forgot to disable Kaspersky, but did so, quickly, just before the Combofix blue box appeared where it starts running). It ran and did not detect the Recovery Console I had installed, so I exited the Combofix window, and resumed protection of Kaspersky, and restarted my computer.
3. The said option of loading either Windows XP or the Recovery Console appeared during boot, I selected XP, then the system booted up fine.
4. I was about to disable Kaspersky protection so I could start Combofix again, but noticed the little grey 'K' with a yellow exclamation mark, saying some components can't be enabled. I performed the application repair option and it rebooted my system.
5. The exclamation mark went away, but the error messages didn't. I took a print screen and have uploaded it to the Rapid Share website. I tried rolling back to previous databases, but that didn't work either. Should I uninstall and reinstall Kaspersky? I don't think I can or should update the databases from the net due to the previously existing problems that I don't know the current status of exactly.

6. Presently I ran Combofix anyway (since I anyway had to run it when protection is disabled), and without the Recovery Console option, because it still didn't notice that it has been installed!
Okay, Combofix ran fine and rebooted my system. When my desktop appeared and the normal Combofix process resumed, however, I noticed that Kaspersky was enabled! (It wasn't enabled when I had started Combofix, but I hadn't disabled it manually, the option in the pop-up list was greyed out so I couldn't click it) I disabled Kaspersky manually then, while Combofix continued its stuff.

7. Combofix said that "system cannot find the file whitedir01" It opened the other small identical window then and started making its log and completing its process. That small window closed and the Combofix log appeared. I copied it onto my (clean) pendrive to upload here. In the meantime, the previous blue window of Combofix with that message about the whitedir01 file remains on my desktop, and no matter how much I try to close it, it doesn't.

8. I also tried enabling Kaspersky after all this, but once again, the option in the pop-up list is greyed out so I can't click it to enable protection.

Also, because of all this, I haven't yet tried running that AVZ script you posted to create the AVZ log.

Ok, now that I've posted all this, I'm praying that help will come soon!!

In the meantime, I'll try rebooting my computer again to see if Kaspersky resumes protection.

Many Thanks and desperately awaiting a response!

dawgg
That's clean.
Disable Kaspersky.
Click Start - Run and type in combofix /u

Does it uninstall Combofix?

Restart your computer. Enable Kaspersky again if it was disabled after restart.

Does Kaspersky still have a problem?
shru123
Yes, it still does. Combofix uninstalled successfully and I restarted my computer. Kaspersky was enabled after restart, and to be sure I resumed protection nevertheless (because the option existed in the pop-up box on right-clicking the icon), and then the only error message was that my databases need updating.

After a few seconds, however, the other two error messages returned, and protection was disabled, and I am unable to resume protection (same problem w.r.t. Kaspersky as I mentioned in the previous post, no issues with Combofix now).

What is the possible reason for this?

Thanks and waiting for a reply!
dawgg
No reason I can think of.
If you mean errors on Kaspersky, uninstall it (only save application data, remove everything else), restart, install Kaspersky, update and restart.

If you mean other errors (not on Kaspersky), post a screenshot of it.
shru123
The problem seems to be solved as far as I can see!! Kaspersky's working fine after the uninstall and reinstall.
I ran Combofix once more. It still didn't detect that I've installed the Microsoft Windows Recovery Console. I've attached the report.

I'm connected to the internet from the system I've been fixing with your help. Seems to be working fine, no exes or trojans so far.

After I reinstalled Kaspersky yesterday, I updated from the net, then ran a quick scan and a full scan overnight. It detected 5 trojans and deleted them.
Then I ran ComboFix as mentioned above. Also, as a precautionary measure, I uninstalled my IE 7.0 last week itself and switched to Opera because I'd heard that IE 7 and 8 have been causing trouble with friends. Any insight on this?

Also, anything else I should do to make absolutely certain that this problem is gone?

Thanks a million for all your help!! I'll post back if the problem (against my hopes) reoccurs.

Thanks again!
dawgg
That's great.

Combofix log also looks clean - no active infections on your computer now.

Not sure about IE7 and 8 issues - guess it depends on your system setup and personal experiences, some people may have problems, others may not... pretty much inconclusive opinion, comment or insight.

You don't need to do anything else, you're good. If you want, you can do another scan for inactive infections using MBAM, but there is no rush for this, as the troublesome (active) ones are gone.


Execute the following script in AVZ:
CODE
begin
CreateQurantineArchive('c:\quarantine.zip');
end.

Upload the c:\quarantine.zip file to a file-hosting website such as http://rapidshare.de/ and private message me the download link.
shru123
Alright, all done, tested and the problem seems to be gone!

Many many thanks for all your help!