Bluescreen and freezing during GMER scan


  • Please log in to reply
2 replies to this topic

#1 Mad_Matter


Posted 24 August 2010 - 03:38 PM

One of my WinXP machines got a bluescreen for about 1 second and then restarted during a GMER scan; I was planning on submitting a log after detecting some malware. MBAM detected and removed 2 malware files: \applicationdata\avdrn.dat (Malware.Trace) and \local settings\temp\services.exe (password.stealer).

The noticeable symptoms were lockups and failed shutdowns. But it only seemed to occur with 1 profile so I also scanned a file that was in that profile's startup folder (not a shortcut). Symantec didn't flag it so I scanned it with VirusTotal.
Here's the result.

12 of 42 scanners flagged it but only Trend Micro seemed to have specifics on it. The registry entries that were to be removed were missing. But I just learned that if it were part of a rootkit it would probably be hidden anyway. Could really use some advice. Thanks.

Edited by Mad_Matter, 24 August 2010 - 03:41 PM.



#2 Mad_Matter


Posted 25 August 2010 - 08:35 AM

I found some spyware with MBAM and removed it and found a suspicious file which I scanned with VirusTotal. Here's the result. TrendMicro flagged it as something specific but the removal instructions refer to registry entries that I can't see. Thinking I might have a rootkit, I scanned with GMER but in normal boot mode I always get a BSOD. In safe boot mode the computer becomes unresponsive. Is there a legal bootable rootkit scanner (Hiren's is not legal) or another workaround? I'm wondering if a clean install is the only recourse.

Added VT log for ease

File name: updpxe32.exe
Submission date: 2010-08-23 12:43:42 (UTC)
Current status: finished
Result: 12 /42 (28.6%)
Antivirus Version Last Update Result
AhnLab-V3 2010.08.23.06 2010.08.23 -
AntiVir 8.2.4.38 2010.08.23 -
Antiy-AVL 2.0.3.7 2010.08.23 -
Authentium 5.2.0.5 2010.08.23 -
Avast 4.8.1351.0 2010.08.22 Win32:Crypt-HKP
Avast5 5.0.332.0 2010.08.22 Win32:Crypt-HKP
AVG 9.0.0.851 2010.08.23 -
BitDefender 7.2 2010.08.23 -
CAT-QuickHeal 11.00 2010.08.23 -
ClamAV 0.96.2.0-git 2010.08.23 -
Comodo 5830 2010.08.23 TrojWare.Win32.Trojan.Agent.Gen
DrWeb 5.0.2.03300 2010.08.23 -
Emsisoft 5.0.0.37 2010.08.23 -
eSafe 7.0.17.0 2010.08.23 -
eTrust-Vet 36.1.7804 2010.08.21 -
F-Prot 4.6.1.107 2010.08.22 -
F-Secure 9.0.15370.0 2010.08.23 -
Fortinet 4.1.143.0 2010.08.23 -
GData 21 2010.08.23 Win32:Crypt-HKP
Ikarus T3.1.1.88.0 2010.08.23 -
Jiangmin 13.0.900 2010.08.23 -
Kaspersky 7.0.0.125 2010.08.23 Trojan-Spy.Win32.Zbot.anbz
McAfee 5.400.0.1158 2010.08.23 Suspect-D!0E16DB17F97D
McAfee-GW-Edition 2010.1B 2010.08.23 Heuristic.BehavesLike.Win32.Suspicious.H
Microsoft 1.6103 2010.08.23 -
NOD32 5388 2010.08.23 a variant of Win32/Kryptik.GFN
Norman 6.05.11 2010.08.23 -
nProtect 2010-08-23.01 2010.08.23 -
Panda 10.0.2.7 2010.08.22 Suspicious file
PCTools 7.0.3.5 2010.08.23 -
Prevx 3.0 2010.08.23 -
Rising 22.62.00.04 2010.08.23 -
Sophos 4.56.0 2010.08.23 -
Sunbelt 6778 2010.08.23 Trojan.Win32.Generic.pak!cobra
SUPERAntiSpyware 4.40.0.1006 2010.08.23 -
Symantec 20101.1.1.7 2010.08.23 -
TheHacker 6.5.2.1.355 2010.08.23 -
TrendMicro 9.120.0.1004 2010.08.23 TROJ_BURNIX.SMEP
TrendMicro-HouseCall 9.120.0.1004 2010.08.23 TROJ_BURNIX.SMEP
VBA32 3.12.14.0 2010.08.23 -
ViRobot 2010.8.23.4003 2010.08.23 -
VirusBuster 5.0.27.0 2010.08.22 -
Additional information
MD5 : 0e16db17f97d98d080d20eec13a75cf2
SHA1 : 59717db0143de687cd85e07c80202e93cbd39f9c
SHA256: ce12f6b7f51d366924b099b80285f7176dadddb8a8821f66d6cf1b2dd48e5862
ssdeep: 768:AYGKA4cXmLL/ES4HjVMPchFWee4AFiZXgZV:AHKA4ACL/EacvWLpiZXgZ
File size : 31232 bytes
First seen: 2010-08-23 12:43:42
Last seen : 2010-08-23 12:43:42
Magic: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID:
Win32 Executable Generic (42.3%)
Win32 Dynamic Link Library (generic) (37.6%)
Generic Win/DOS Executable (9.9%)
DOS Executable Generic (9.9%)
VXD Driver (0.1%)
sigcheck:
publisher....: n/a
copyright....: Copyright, 2008
product......: VXD Filter
description..: VXD Filter
original name: VXDF
internal name: VXDF
file version.: 2.15.1.1
comments.....: n/a
signers......: -
signing date.: -
verified.....: Unsigned

PEiD: -
PEInfo: PE structure information

[[ basic data ]]
entrypointaddress: 0xE08F
timedatestamp....: 0x47A4D256 (Sat Feb 02 20:28:06 2008)
machinetype......: 0x14C (Intel I386)

[[ 7 section(s) ]]
name, viradd, virsiz, rawdsiz, ntropy, md5
.textbss, 0x1000, 0xC000, 0x0, 0.0, d41d8cd98f00b204e9800998ecf8427e
.debug, 0xD000, 0x77A, 0x800, 7.52, abc691245791e8ddd1826be4efdfdc80
.text, 0xE000, 0x1C5, 0x200, 5.3, 242ba2212257e888d677fda9f2251600
.idata, 0xF000, 0x4681, 0x4800, 6.81, 45682fb7fd3078f64bce821341af3103
.rdata, 0x14000, 0x84B, 0xA00, 7.01, fb5c6d6808a77047c0194fc5dc7fd57c
.rsrc, 0x15000, 0xFFC, 0x1000, 6.54, 6141aea081d14a5895e6b058e082382a
.data, 0x16000, 0x882, 0xA00, 7.07, 27dfec46bd05b377120e8d660b8a0a22

[[ 7 import(s) ]]
advapi32.dll: RegQueryValueExW, RegQueryInfoKeyW, RegOpenKeyExW, RegOpenKeyExA, RegSetValueExW, RegDeleteKeyA, RegEnumKeyExW, FreeSid, InitializeSecurityDescriptor, GetTokenInformation, RegCreateKeyExW, OpenProcessToken, RegQueryValueExA, CloseServiceHandle, RegCloseKey, RegSetValueExA, RegDeleteValueW, RegDeleteValueA, RegCreateKeyExA, AllocateAndInitializeSid, RegEnumKeyExA, OpenThreadToken, RegDeleteKeyW
dnsapi.dll: DnsCopyStringEx
kernel32.dll: CreateFileMappingA, CreateMutexA, WriteConsoleW, ResumeThread, lstrcatW, OpenProcess, GetTempPathA, SetFileAttributesA, FileTimeToLocalFileTime, AddAtomW, MulDiv, GetLastError, CreateFileMappingW, FindResourceA, GetExitCodeProcess, ExitProcess, VirtualFree, IsDBCSLeadByte, LoadLibraryExA, FindNextFileA, IsValidCodePage, SizeofResource, GetCommandLineW, VirtualAlloc, OutputDebugStringW, CreateProcessW, GetCurrentProcess, GetComputerNameW, LockResource, CreateDirectoryA, RemoveDirectoryW, GetWindowsDirectoryW, GetCurrentDirectoryW, CreateMutexW, RaiseException, SetThreadPriority, CloseHandle, LoadResource, ExpandEnvironmentStringsA, CopyFileW, ReleaseSemaphore, DeviceIoControl, GetFullPathNameW
oleaut32.dll: SafeArrayGetLBound, SafeArrayAccessData, SafeArrayUnaccessData, VariantCopyInd, SafeArrayGetElement, GetErrorInfo, VariantChangeTypeEx, SysReAllocStringLen, SetErrorInfo, LoadTypeLibEx, GetActiveObject, VariantCopy, LoadTypeLib, OleLoadPicture, SafeArrayCreate, SysStringByteLen, SafeArrayPtrOfIndex, VariantClear, RegisterTypeLib, VariantChangeType, VariantInit, SafeArrayPutElement, SysAllocStringLen, SysAllocStringByteLen, SysFreeString
rpcrt4.dll: NdrByteCountPointerFree, MesEncodeFixedBufferHandleCreate, NdrByteCountPointerBufferSize, MesHandleFree, CreateStubFromTypeInfo, NdrAllocate, NDRCContextBinding, NdrByteCountPointerUnmarshall, DllRegisterServer, NdrClientInitialize, NDRcopy, MesIncrementalHandleReset, NDRSContextMarshall, NdrAsyncServerCall, NDRCContextMarshall, NdrAsyncClientCall, DceErrorInqTextW, DllGetClassObject, NdrConformantStructBufferSize, MesInqProcEncodingId, MesBufferHandleReset, MesDecodeIncrementalHandleCreate, CStdStubBuffer_CountRefs, NDRSContextMarshallEx
shell32.dll: Shell_GetCachedImageIndex, DAD_DragLeave, DllInstall, DllGetVersion, DAD_DragEnterEx, DriveType, Shell_MergeMenus, IsLFNDrive, RestartDialog, DragFinish, DAD_DragMove, DragAcceptFiles, GetFileNameFromBrowse, IsNetDrive, DllUnregisterServer, SHCoCreateInstance, PathQualify, SHChangeNotifyRegister, PifMgr_OpenProperties, SHGetSetSettings, DllGetClassObject, DllCanUnloadNow, PickIconDlg, SHChangeNotifyDeregister, SHILCreateFromPath, Shell_GetImageLists, PathResolve, SHStartNetConnectionDialogW, SHDefExtractIconW
user32.dll: SetTimer, SendMessageA, BeginPaint, UpdateWindow, SetWindowPos, GetDC, SetWindowLongW, CharNextA, GetParent, GetDlgItem, wsprintfA, ReleaseDC, EndDialog, SetCursor, GetSystemMetrics, TranslateMessage, GetWindowRect, GetSysColor, CharNextW, DestroyWindow, GetDesktopWindow, SendMessageW, ShowWindow, PostMessageW, LoadStringW, CreateWindowExA, GetClientRect, GetWindowLongW, LoadStringA, GetWindowLongA, KillTimer, EndPaint, PostQuitMessage, DispatchMessageA, IsWindow

Symantec reputation:Suspicious.Insight



Edited by boopme, 25 August 2010 - 12:02 PM.
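The following Python triage helper is an added example, not code from this thread or from VirusTotal. It parses the text layout of the report pasted above, counting vendors that returned a detection name and flagging PE sections whose entropy or on-disk size suggest packed or encrypted content, which is the sort of check a responder runs on a sample like this before deciding between cleanup and a rebuild. The sample report is constructed in the same layout and abridged to a few rows.

```python
import re

# Constructed sample in the layout of the pasted VirusTotal text report
# (abridged to a few vendor rows and section rows; not the full report).
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
Avast 4.8.1351.0 2010.08.22 Win32:Crypt-HKP
Kaspersky 7.0.0.125 2010.08.23 Trojan-Spy.Win32.Zbot.anbz
Microsoft 1.6103 2010.08.23 -
TrendMicro 9.120.0.1004 2010.08.23 TROJ_BURNIX.SMEP

name, viradd, virsiz, rawdsiz, ntropy, md5
.textbss, 0x1000, 0xC000, 0x0, 0.0, d41d8cd98f00b204e9800998ecf8427e
.debug, 0xD000, 0x77A, 0x800, 7.52, abc691245791e8ddd1826be4efdfdc80
.text, 0xE000, 0x1C5, 0x200, 5.3, 242ba2212257e888d677fda9f2251600
.data, 0x16000, 0x882, 0xA00, 7.07, 27dfec46bd05b377120e8d660b8a0a22
"""

# vendor  version  YYYY.MM.DD  result   (result is "-" when the vendor saw nothing)
VENDOR_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d{4}\.\d{2}\.\d{2})\s+(.+)$")

def parse_detections(report):
    """Map vendor -> detection name for every vendor that did not report '-'."""
    hits = {}
    for line in report.splitlines():
        m = VENDOR_ROW.match(line.strip())
        if m and m.group(4).strip() != "-":
            hits[m.group(1)] = m.group(4).strip()
    return hits

def parse_sections(report):
    """Return (name, virtual size, raw size, entropy) for each PE section row."""
    rows = []
    for line in report.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) == 6 and parts[0].startswith("."):
            rows.append((parts[0], int(parts[2], 16), int(parts[3], 16), float(parts[4])))
    return rows

def packing_indicators(sections, entropy_threshold=7.0):
    """Flag sections whose entropy is near the 8-bit maximum (compressed or encrypted
    data) or that occupy memory but have no bytes on disk (filled at run time)."""
    flags = []
    for name, vsize, rsize, entropy in sections:
        if entropy >= entropy_threshold:
            flags.append(f"{name}: entropy {entropy} >= {entropy_threshold}")
        if rsize == 0 and vsize > 0:
            flags.append(f"{name}: {vsize:#x} bytes in memory, 0 on disk")
    return flags
```

A raw-size-zero section also appears in some unpacked debug builds, so treat the flags as prompts for closer inspection rather than a verdict on their own.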


#3 Elise


Posted 27 August 2010 - 06:15 AM

Hi, please let me know if there is any mode accessible at the moment (try also Last Known Good Configuration).

If not, let me know if you have your Windows installation CD.

regards, Elise
