Possible rootkit? Blue screen crashes, strange behavior after browsing web with google chrome


1 reply to this topic

#1 devonrex

Posted 15 January 2010 - 08:12 AM

Windows Version: Windows XP SP3

A couple of days ago I was browsing the web with Google Chrome and visited a questionable website. I remember getting some message about having an out-of-date version of Flash and needing to update, and my computer started slowing down like there was a huge amount of disk and CPU activity, so much so that it made me suspicious and I opened up Windows Task Manager. There was a process called "firstatgoing.exe" using a lot of CPU time, which I killed because there were no results when I googled it.

Ever since then I've been getting strange behavior like the system suddenly becoming unresponsive (Start button doesn't work, My Computer icon disappears from the desktop, Windows Task Manager won't open), especially while using Google Chrome. Frequently I will get blue screen crashes which cause Windows to immediately restart (usually when Chrome is open). None of this had ever happened until the past three days or so.

I've tried using UnHackMe, RootkitUnhooker, GMER, and Malwarebytes' Anti-Malware and haven't been able to find anything that's obviously the source of the problem. But using Chrome causes blue screen restarts pretty consistently, and when it doesn't and I run GMER with it open I get entries similar to the following (I copied this exact one from a Google search result because it is very similar):

.text C:\Documents and Settings\user\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[1336] ntdll.dll!NtCreateFile + 6 7C90D688 4 Bytes [28, 00, 17, 00]

Is that even normal behavior? I'm not sure.

But the more disturbing part is that I can run ComboFix 15 times in a row and get nothing unusual from the GMER stealth rootkit detector logs (the c:\combofix\ directory will be empty every time). But if I open Google Chrome one time, then close it (or my computer immediately blue screens, which it did just now) and *then* run ComboFix, I always get a log file like this one:

------C:\ComboFix\mbr.txt------

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb811cf28
\Driver\ACPI -> ACPI.sys @ 0xb7f7fcb8
\Driver\atapi -> atapi.sys @ 0xb7f11852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xb7e05bb0
PacketIndicateHandler -> NDIS.sys @ 0xb7df4a0d
SendHandler -> NDIS.sys @ 0xb7e08b40
user & kernel MBR OK

---------------------

How can I proceed to find out what is causing these blue screen errors and strange gmer logs? Thank you.

Edited by devonrex, 15 January 2010 - 08:13 AM.



#2 quietman7

Posted 15 January 2010 - 10:19 AM

Please note the message text in blue at the top of this forum.

No one should be using ComboFix unless instructed to do so by a Malware Removal Expert. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

With that said, if the CF log results say both the user & kernel MBR are OK, it's not considered an active MBR infection even if it indicates detected hooks/malicious code. If the output said...

MBR rootkit code detected !
MBR rootkit infection detected !
Use: "mbr.exe -f" to fix.

then you would need to be concerned about an infection. The presence of malicious code and a PE file indicates that there was an infection but it has been cleaned and the MBR has been restored successfully.

Mebroot overwrites the MBR of the hard disk and uses rootkit techniques to hide itself. The installer of the rootkit writes the content of a malicious kernel driver to the last sectors of the disk, and then modifies sectors to include sector 0 (MBR). According to gmer, fixmbr restores only sector 0 (MBR) and as such, mbr.exe will always show all sectors that were related to Mebroot even after the infection is removed.

If CF ran smoothly and did not take a long time to complete that was a good sign it was successful in performing its routines.

"But using chrome causes blue screen restarts pretty consistently"

If Chrome is the only program causing a BSOD, then I suggest you contact the Chrome Support forum. They have an entire subforum dedicated to Crashes.

Edited by quietman7, 15 January 2010 - 10:21 AM.
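The triage rule in the reply above (the verdict lines decide; a list of hooks on its own is not proof of an active MBR infection) is easy to get wrong when eyeballing a long mbr.txt, so here is an added example that applies it mechanically. This is example code written for this page, not a tool from gmer, ComboFix or anyone in the thread. The clean sample is the report quoted in the first post; the "infected" sample is constructed from the three verdict lines quietman7 quotes, with the header lines assumed to match the clean report; the read-error sample and its error wording are hypothetical, included to show that a failed kernel-mode read must not be reported as "OK".

```python
"""Parse a gmer "Stealth MBR rootkit/Mebroot/Sinowal detector" report (ComboFix's
mbr.txt) and classify it.  Added example for this thread; not gmer/ComboFix code."""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# One reported hook per line: "<target> -> <module> @ 0x<address>".  The target may
# itself contain "->" (e.g. "IoDeviceObjectType -> DeleteProcedure"), so the module
# is taken as the last token before "@".
HOOK_RE = re.compile(r"^(?P<target>.+?)\s*->\s*(?P<module>\S+)\s*@\s*0x(?P<addr>[0-9a-fA-F]+)\s*$")


@dataclass
class MbrReport:
    device_opened: bool = False
    user_mbr_read: bool = False
    kernel_mbr_read: bool = False
    hooks: List[Tuple[str, str, int]] = field(default_factory=list)  # (target, module, address)
    verdict: str = "inconclusive"  # "active", "not active" or "inconclusive"
    fix_command: str = ""          # command the tool suggests, if any


def parse_mbr_report(text: str) -> MbrReport:
    """Parse one mbr.txt report and apply the verdict rule from the reply above."""
    r = MbrReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("device:"):
            r.device_opened = "opened successfully" in line
        elif line.startswith("user:"):
            r.user_mbr_read = "read successfully" in line
        elif line.startswith("kernel:"):
            r.kernel_mbr_read = "read successfully" in line
        elif line.startswith("Use:"):
            m = re.search(r'"([^"]+)"', line)
            r.fix_command = m.group(1) if m else line
        else:
            m = HOOK_RE.match(line)
            if m:
                r.hooks.append((m["target"], m["module"], int(m["addr"], 16)))
    # The explicit verdict lines outrank the hook list.  "MBR OK" is only trusted
    # when both the user-mode and the kernel-mode read actually succeeded.
    if "MBR rootkit infection detected" in text:
        r.verdict = "active"
    elif "user & kernel MBR OK" in text and r.user_mbr_read and r.kernel_mbr_read:
        r.verdict = "not active"
    return r


def hooks_per_module(report: MbrReport) -> Dict[str, int]:
    """Count reported hooks per kernel module (ntkrnlpa.exe, NDIS.sys, ...)."""
    return dict(Counter(module for _, module, _ in report.hooks))


# Copy of the report quoted in the first post, embedded so the script runs offline.
SAMPLE_OK = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb811cf28
\Driver\ACPI -> ACPI.sys @ 0xb7f7fcb8
\Driver\atapi -> atapi.sys @ 0xb7f11852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Marvell Yukon 88E8001/8003/8010 PCI Gigabit Ethernet Controller -> SendCompleteHandler -> NDIS.sys @ 0xb7e05bb0
PacketIndicateHandler -> NDIS.sys @ 0xb7df4a0d
SendHandler -> NDIS.sys @ 0xb7e08b40
user & kernel MBR OK
"""

# Constructed: the verdict lines quoted in the reply; header lines assumed identical.
SAMPLE_INFECTED = r"""
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
MBR rootkit code detected !
MBR rootkit infection detected !
Use: "mbr.exe -f" to fix.
"""

# Constructed and hypothetical: the kernel-mode read fails (error wording assumed),
# so the report says nothing reliable about the MBR either way.
SAMPLE_READ_ERROR = r"""
device: opened successfully
user: MBR read successfully
kernel: error reading MBR
"""

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("infected", SAMPLE_INFECTED), ("read_error", SAMPLE_READ_ERROR)):
        rep = parse_mbr_report(sample)
        print(f"{name}: verdict={rep.verdict} hooks={len(rep.hooks)} "
              f"per_module={hooks_per_module(rep)} fix={rep.fix_command!r}")
```

On the quoted report this yields "not active" with 10 hook entries (four in ntkrnlpa.exe, three in NDIS.sys), which is exactly the situation the reply describes: hooks listed, MBR read cleanly from both user and kernel mode. The hook counts are there for comparison between runs (before and after opening Chrome, for instance), not as an infection score.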



