
SSL blocking and BSOD


This topic is locked. 3 replies to this topic.

#1 dbh369

Posted 10 November 2013 - 12:44 AM

On my work (wired) LAN, I am regularly, but not always, unable to access any SSL/TLS site. I've also recently seen BSODs with various drivers named as the culprit. Ran a full Webroot scan, nothing. Ran Malwarebytes; it eventually got 'stuck', but only after scanning files, where it found nothing (but set off Webroot a couple of times). Ran GMER and got a rootkit warning. This line was in my GMER output:

Library         pö¶ö¶ é||ö¶ (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [5588]                                                                          0x07EA0000             


This vaguely resembles TDSS, but I'm not sure. Suggestions? I have the full log from GMER and from a 3rd-party scan (I'll wait for that to be requested; it's almost 1000 lines long).

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-11-09 23:05:10
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 HITACHI_ rev.BBFZ 232.89GB
Running: hcvj9hm8.exe; Driver: C:\DOCUME~1\dhuff\LOCALS~1\Temp\fwldipod.sys


---- System - GMER 2.1 ----

SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwAddBootEntry [0x9D27CB10]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwAssignProcessToJobObject [0x9D27D5EE]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwClose [0x9D2C143E]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwCreateEvent [0x9D2895E0]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwCreateEventPair [0x9D28962C]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwCreateIoCompletion [0x9D2897C6]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwCreateKey [0x9D2C0DF2]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwCreateMutant [0x9D28954E]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwCreateSection [0x9D289670]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwCreateSemaphore [0x9D289596]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwCreateThread [0x9D27DB24]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwCreateTimer [0x9D289780]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwDebugActiveProcess [0x9D27E3DC]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwDeleteBootEntry [0x9D27CB76]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwDeleteKey [0x9D2C1B04]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwDeleteValueKey [0x9D2C1DBA]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwDuplicateObject [0x9D281B58]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwEnumerateKey [0x9D2C196F]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwEnumerateValueKey [0x9D2C17DA]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwLoadDriver [0x9D27C75E]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwModifyBootEntry [0x9D27CBDC]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwNotifyChangeKey [0x9D281F4E]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwNotifyChangeMultipleKeys [0x9D27EE6C]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwOpenEvent [0x9D28960A]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwOpenEventPair [0x9D28964E]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwOpenIoCompletion [0x9D2897EA]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwOpenKey [0x9D2C114E]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwOpenMutant [0x9D289574]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwOpenProcess [0x9D281452]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwOpenSection [0x9D2896FE]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwOpenSemaphore [0x9D2895BE]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwOpenThread [0x9D28183A]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwOpenTimer [0x9D2897A4]
SSDT            \SystemRoot\System32\Drivers\lrfixwha.SYS                                                                                                     ZwProtectVirtualMemory [0x9D89A0CC]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwQueryKey [0x9D2C1655]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwQueryObject [0x9D27ED38]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwQueryValueKey [0x9D2C14A7]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwQueueApcThread [0x9D27E88E]
SSDT            \SystemRoot\System32\Drivers\lrfixwha.SYS                                                                                                     ZwRenameKey [0x9D8A7F1E]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwRestoreKey [0x9D2C0438]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwSetBootEntryOrder [0x9D27CC42]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwSetBootOptions [0x9D27CCA8]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwSetContextThread [0x9D27E256]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwSetSystemInformation [0x9D27C7F8]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwSetSystemPowerState [0x9D27C9CE]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwSetValueKey [0x9D2C1C0B]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwShutdownSystem [0x9D27C95C]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwSuspendProcess [0x9D27E5A6]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwSuspendThread [0x9D27E708]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwSystemDebugControl [0x9D27CA56]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwTerminateProcess [0x9D27E094]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwTerminateThread [0x9D27E236]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwVdmControl [0x9D27CD0E]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys                                                                                                    ZwWriteVirtualMemory [0x9D27D64A]

---- Kernel code sections - GMER 2.1 ----

.text           ntkrnlpa.exe!ZwCallbackReturn + 2D15                                                                                                          805045FD 7 Bytes  [95, 28, 9D, 2C, 96, 28, 9D] {XCHG EBP, EAX; SUB [EBP-0x62d769d4], BL}
.text           ntkrnlpa.exe!ZwCallbackReturn + 2E5C                                                                                                          80504744 4 Bytes  [EA, 97, 28, 9D]
.text           ntkrnlpa.exe!ZwCallbackReturn + 2F58                                                                                                          80504840 4 Bytes  CALL D030E56C
.text           ntkrnlpa.exe!ZwCallbackReturn + 2FD4                                                                                                          805048BC 12 Bytes  [42, CC, 27, 9D, A8, CC, 27, ...] {INC EDX; INT 3 ; DAA ; POPF ; TEST AL, 0xcc; DAA ; POPF ; PUSH ESI; LOOP 0x32; POPF }
.text           ntkrnlpa.exe!ZwCallbackReturn + 307C                                                                                                          80504964 12 Bytes  [A6, E5, 27, 9D, 08, E7, 27, ...] {CMPSB ; IN EAX, 0x27; POPF ; OR BH, AH; DAA ; POPF ; PUSH ESI; RETF 0x9d27}
PAGE            ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC                                                                                                   805A64DC 4 Bytes  CALL 9D27F519 \??\C:\WINDOWS\system32\drivers\aswSnx.sys
?               C:\WINDOWS\system32\Drivers\uphcleanhlp.sys                                                                                                   The system cannot find the file specified. !
?               C:\WINDOWS\system32\Drivers\PROCEXP152.SYS                                                                                                    The system cannot find the file specified. !
?               System32\Drivers\lrfixwha.SYS                                                                                                                 The system cannot find the path specified. !

---- User code sections - GMER 2.1 ----

.text           C:\WINDOWS\system32\SearchProtocolHost.exe[2128] ntdll.dll!RtlDosSearchPath_U + 186                                                           7C916865 1 Byte  [62]
.text           C:\WINDOWS\system32\SearchProtocolHost.exe[2128] kernel32.dll!GetBinaryTypeW + 80                                                             7C868E04 1 Byte  [62]
.text           C:\WINDOWS\system32\SearchIndexer.exe[3976] kernel32.dll!WriteFile                                                                            7C8112FF 7 Bytes  JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL
.text           C:\Program Files\AVAST Software\Avast\avastUi.exe[4580] ntdll.dll!RtlDosSearchPath_U + 186                                                    7C916865 1 Byte  [62]
.text           C:\Program Files\AVAST Software\Avast\avastUi.exe[4580] kernel32.dll!GetBinaryTypeW + 80                                                      7C868E04 1 Byte  [62]
.text           C:\WINDOWS\Explorer.EXE[5588] SHLWAPI.dll!SHIsLowMemoryMachine + 6E02                                                                         77FBDD0B 5 Bytes  JMP 10013380 C:\WINDOWS\system32\WRusr.dll
.text           C:\Program Files\AVAST Software\Avast\AvastSvc.exe[7824] ntdll.dll!RtlDosSearchPath_U + 186                                                   7C916865 1 Byte  [62]
.text           C:\Program Files\AVAST Software\Avast\AvastSvc.exe[7824] kernel32.dll!GetBinaryTypeW + 80                                                     7C868E04 1 Byte  [62]
.text           C:\Documents and Settings\admin\My Documents\My Downloads\hcvj9hm8.exe[8908] ntdll.dll!RtlDosSearchPath_U + 186                               7C916865 1 Byte  [62]
.text           C:\Documents and Settings\admin\My Documents\My Downloads\hcvj9hm8.exe[8908] kernel32.dll!GetBinaryTypeW + 80                                 7C868E04 1 Byte  [62]

---- User IAT/EAT - GMER 2.1 ----

IAT             C:\WINDOWS\system32\services.exe[1180] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]                                 00700002
IAT             C:\WINDOWS\system32\services.exe[1180] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]                                       00700000

---- Devices - GMER 2.1 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs                                                                                                                        tvtumon.sys
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                      WRkrn.sys
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                      bckd.sys
AttachedDevice  \Driver\Tcpip \Device\Ip                                                                                                                      aswTdi.sys
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0                                                                                                       WRkrn.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                     bckd.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                     WRkrn.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp                                                                                                                     aswTdi.sys
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                     bckd.sys
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                     WRkrn.sys
AttachedDevice  \Driver\Tcpip \Device\Udp                                                                                                                     aswTdi.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                   WRkrn.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                   bckd.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp                                                                                                                   aswTdi.sys

Device                                                                                                                                                        mrxsmb.sys
Device                                                                                                                                                        rdpdr.sys
Device                                                                                                                                                        9CB31D20

AttachedDevice                                                                                                                                                fltmgr.sys
AttachedDevice                                                                                                                                                tvtumon.sys

Device                                                                                                                                                        Fs_Rec.SYS
---- Processes - GMER 2.1 ----

Library         pö¶ö¶ é||ö¶ (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [5588]                                                                          0x07EA0000                                                                                                                                  

---- Registry - GMER 2.1 ----

Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C5AA67A3-8FC1-CE36-67E4-375805A610F8}                              
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C5AA67A3-8FC1-CE36-67E4-375805A610F8}@naljiggmdoamddagmenglpipglgo  0x6A 0x61 0x68 0x6B ...
Reg             HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C5AA67A3-8FC1-CE36-67E4-375805A610F8}@mafjkognommcmbegefglnojceb    0x6A 0x61 0x68 0x6B ...

---- Disk sectors - GMER 2.1 ----

Disk            \Device\Harddisk0\DR0                                                                                                                         unknown MBR code

---- EOF - GMER 2.1 ----
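The GMER log above is a plain-text report: a header, then sections introduced by `---- <name> - GMER 2.1 ----` lines, each followed by one whitespace-aligned entry per line. The small triage script below is an added example, not code from the poster or from GMER; it parses that layout, flags the entries a responder would look at first (hidden modules, missing driver files, non-standard MBR code, inline kernel patches), and tallies which drivers hook the SSDT. The sample log is constructed, modelled on the lines above; the flagging rules and labels are this example's own choices, not GMER's.

```python
"""Triage helper for GMER 2.1 rootkit-scan logs (added example, not GMER's code)."""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (.+?) - GMER 2\.1 ----$")

# Constructed sample, modelled on the log posted above (paths shortened).
SAMPLE_LOG = r"""
GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-11-09 23:05:10

---- System - GMER 2.1 ----

SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys      ZwCreateKey [0x9D2C0DF2]
SSDT            \??\C:\WINDOWS\system32\drivers\aswSnx.sys      ZwOpenKey [0x9D2C114E]
SSDT            \SystemRoot\System32\Drivers\lrfixwha.SYS       ZwRenameKey [0x9D8A7F1E]

---- Kernel code sections - GMER 2.1 ----

?               System32\Drivers\lrfixwha.SYS                   The system cannot find the path specified. !

---- Processes - GMER 2.1 ----

Library         (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [5588]    0x07EA0000

---- Disk sectors - GMER 2.1 ----

Disk            \Device\Harddisk0\DR0                           unknown MBR code

---- EOF - GMER 2.1 ----
"""


def parse_gmer(text):
    """Yield (section, entry_line) for every non-empty line under a section header."""
    section = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is not None:
            yield section, line


def classify(section, line):
    """Return a short reason if the entry deserves a responder's attention, else None."""
    if "*** hidden ***" in line:
        return "hidden module (library not visible to normal process enumeration)"
    if "unknown MBR code" in line:
        return "non-standard master boot record code"
    if "cannot find the file" in line or "cannot find the path" in line:
        return "driver registered in the kernel but missing on disk"
    if section == "Kernel code sections" and line.startswith((".text", "PAGE")):
        return "inline patch inside the kernel image"
    return None


def triage(text):
    """List (section, reason, line) for every flagged entry, in log order."""
    found = []
    for section, line in parse_gmer(text):
        reason = classify(section, line)
        if reason:
            found.append((section, reason, line))
    return found


def ssdt_hook_owners(text):
    """Map each driver that hooks the SSDT to the Zw* services it hooks.

    A driver hooking only one or two services stands out: security suites
    typically hook dozens, as aswSnx.sys does in the log above.
    """
    owners = defaultdict(list)
    for section, line in parse_gmer(text):
        if section == "System" and line.startswith("SSDT"):
            parts = line.split()          # SSDT <driver path> <ZwService> [<address>]
            if len(parts) >= 4:
                owners[parts[1].rsplit("\\", 1)[-1]].append(parts[2])
    return dict(owners)


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
    print(ssdt_hook_owners(SAMPLE_LOG))
```

Feed it the full log instead of the sample to get the same summary; a flagged entry is a starting point for the Malware Removal Team, not a verdict on its own.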




#2 dbh369

Posted 10 November 2013 - 05:36 PM

I know I'm not supposed to, but I kept working on this: 1) Tried TDSSKiller, nothing found. 2) I had a couple of incidents where my graphics driver died, so I figured I would update. Downloaded the latest (6.14.10.5218) from Lenovo (also on Intel's site) and tried to install. I get a strange message that "You must have administrator rights to complete this action. Setup will exit. <OK>". The driver never installs, and a reboot shows the old driver (*.5043) still there, even when I run in safe mode with full local machine administrator rights. Attempting this a couple of times has earned me a BSOD too.

Edited to add: mbam hangs on "checking other items" after the file scan. Left it overnight. mbar gives me a DDA driver warning. I would report myself for log posting (didn't realize that applied to more than the listed logs) for transfer to the other forum, but can't on mobile view...


Edited by dbh369, 11 November 2013 - 03:21 PM.


#3 dbh369

Posted 13 November 2013 - 10:40 PM

OK, I'm going to post in the other forum for logs. Explorer on my computer regularly runs at 20-30% of CPU now. Clearly something is going on. I'll post the cross link.


edit: http://www.bleepingcomputer.com/forums/t/513995/ssltls-link-troubles-bsod-high-cpu-utilization-for-explorer/


Edited by dbh369, 13 November 2013 - 10:50 PM.


#4 boopme (Global Moderator)
Posted 14 November 2013 - 01:20 PM

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a Malware Removal Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.
From this point on, the Malware Removal Team should be the only members that you take advice from, until they have verified your log as clean.
Please be patient. It may take a while to get a response because the Malware Removal Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the Malware Removal Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply, and a team member looking for a new log to work may assume another MRL Team member is already assisting you and not open the thread to respond.
The current wait time is 1 - 2 days and ALL logs are answered.
If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
To avoid confusion, I am closing this topic.



