Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Crash, then ntkrnlpa.exe!ZwCallbackReturn modified


  • This topic is locked This topic is locked
4 replies to this topic

#1 SmokeyAndTheBandit

SmokeyAndTheBandit

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:10:53 AM

Posted 16 February 2013 - 05:55 PM

This is a bit of Lochness monster story, so bare with me.  I've been working in IT for awhile now (over a decade), with a fair knowledge of Windows systems -- in this instant Windows XP Pro SP3 x86, fully patched.  

I keep regular offline back-ups and builds of my systems.  In recent months, I've noticed some strange occurrences.  The computer(s) connected to the internet would crash, then upon reboot the below Kernel sections were modified.  Restarting the system doesn't do anything to clear them and the only way to get rid of them is to rebuild the computer.  There are sometimes days or weeks in between these crashes, but it's always the same scenario.

I've implemented very strict security measures, disabling every port and every service I can think of and I'm running a fairly tight firewall policy.  I run a very tight ship when it comes to these computers, so this modification is a glaring red flag to me.  I'm fairly certain these machines are being directly targeted and compromised, despite only this seemingly benign remnant of evidence.  I have other reasons to believe this as well, outside of these computer related artifacts.  I'd rather not go into too much detail regarding the rationale behind this on a public forum.

---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwCallbackReturn + 2CF8                                                                   805045F0 4 Bytes  CALL EAECFD78
.text           ntkrnlpa.exe!ZwCallbackReturn + 2D00                                                                   805045F8 4 Bytes  [86, EA, 83, B7]

From what I could find on Google, ZwCallbackReturn, if I understood it correctly, is used to let user-land processes know when a driver has finished it's operations.  Other than that, I have no knowledge as to why it would be modified.  However, it's a fairly common thing among other gmer logs.

 

Anybody with in-depth knowledge know what might be happening?

 



BC AdBot (Login to Remove)

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,964 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:53 AM

Posted 17 February 2013 - 10:41 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.
 
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
 
Please download ComboFix from one of these locations:
 
 
* IMPORTANT !!! Save ComboFix.exe to your Desktop
 
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
 
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  •  
  • Do not install any other programs until this if fixed.[/b]
  •  
  • Double click on ComboFix.exe & follow the prompts.
  •  
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. 
  •  
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  •  
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
  •  
     
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
     

     
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
     
     
    Click on Yes, to continue scanning for malware.
     
    When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
     
    Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
     
    Do not mouse click ComboFix's window while it's running. That may cause it to stall
     
    Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
    ===
     
    Third party programs if not up to date can be the cause of infiltration an infection.
     
    Please run this security check for my review.
     
    Download Security Check by screen317 from here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
    ===
     
    Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.
     
    Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
  • Please post the logs and let me know if the problem persists.


    #3 SmokeyAndTheBandit

    SmokeyAndTheBandit
    • Topic Starter

    • Members
    • 3 posts
    • OFFLINE
    •  
    • Local time:10:53 AM

    Posted 17 February 2013 - 11:16 AM

    Guess what, after posting in this forum the Kernel mods disappeared.  I'll have to wait until they come back.  Wil ComboFix tell me wat caused them?  Otherwise I'm not interested in just repairing my machine, I can drop a clean build at any time.  I'm pretty sure all my software is up to date.  The only way I can think that they'd be getting in is by exploiting the firewall or NIC drivers, both of which have the latest update.  Nothing else is exposed to the internet, all remote access services are disabled.



    #4 nasdaq

    nasdaq

    • Malware Response Team
    • 38,964 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Montreal, QC. Canada
    • Local time:11:53 AM

    Posted 17 February 2013 - 11:47 AM

     Wil ComboFix tell me wat caused them?

    I realy do not know.Have to look at the log.



    #5 nasdaq

    nasdaq

    • Malware Response Team
    • 38,964 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Montreal, QC. Canada
    • Local time:11:53 AM

    Posted 23 February 2013 - 09:24 AM

    It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.




    0 user(s) are reading this topic

    0 members, 0 guests, 0 anonymous users