
BSOD during Heuristic scan; Probably infection ?



Following AdvancedSetup's instructions:

 

https://forums.malwarebytes.org/index.php?/topic/158863-bsod-and-error-during-heuristic-analysis/

 

Attached new logs after trying to run another Threat scan and getting another BSOD.

 

I have a full memory dump this time. Tell me if you need it, because it is more than 2 MB in size.

 

Thanks.

FRST.txt

Addition.txt

CheckResults.txt


Hello Iroc9555,

 

As we go along, just keep on attaching report / files when you reply.

I would like to get 1 file from you for review.

 

Set Windows to show all files and all folders.
Press the Windows key + E on the keyboard. This will start Windows Explorer.
From the Windows Explorer menu options, select Tools, then Folder Options, then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under the Hidden files and folders column, choose (select) Show hidden files and folders.
Next, un-check Hide protected operating system files.
 

 

 

From this folder C:\Documents and Settings\Hernan ******\Datos de programa\Mozilla\Firefox\Profiles\97lls9ym.default

Locate and then send the prefs.js

 

As regards the Anti-Malware program, have you done an Update run since 16 October?

Have you done a Threat scan since 16 October?


Hi Maurice.

 

With regards to the MBAM update and another scan: yes. My db is 2014.10.19.5 and I ran other Threat scans after chkdsk and memtest. I also ran a scan in Safe Mode. All of them ended in a BSOD during the heuristic scan. Same 0x00000077 but a different 4th parameter.

 

I have Minidump and a full memory dump if you want them.

 

I located prefs.js; I had to zip it for attachment. Also attached is the minidump. The MEMORY.DMP is too big (581 MB).

 

prefs.rar

IROC9555 Minidump.rar

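The poster above compares repeated 0x00000077 crashes that differ only in their 4th parameter. As an added example (not code from the thread or from Malwarebytes), the following reads the bug-check code and parameters straight from the 32-bit PAGEDUMP header that an x86 XP-era MEMORY.DMP or kernel minidump begins with, and reports which parameters vary across several dumps; the dump headers it runs on are constructed, not the poster's attachments.

```python
"""Read the bug-check code and its four parameters from 32-bit Windows
crash-dump headers (the PAGEDUMP format an x86 XP-era MEMORY.DMP or kernel
minidump starts with) and compare several dumps the way the poster did:
same 0x00000077 code, different 4th parameter.  Added example; the headers
below are constructed, not the poster's actual dumps."""
import struct

# DUMP_HEADER32: "PAGE" + "DUMP" at offset 0, BugCheckCode at 0x28 and the
# four BugCheckParameters immediately after it (0x2C, 0x30, 0x34, 0x38).
SIGNATURE = b"PAGEDUMP"
BUGCHECK_OFFSET = 0x28

# Names for the two codes the thread reports (0x0A, 0x77) and 0x77's data-page sibling.
BUGCHECK_NAMES = {
    0x0000000A: "IRQL_NOT_LESS_OR_EQUAL",
    0x00000077: "KERNEL_STACK_INPAGE_ERROR",
    0x0000007A: "KERNEL_DATA_INPAGE_ERROR",
}

def parse_bugcheck(header: bytes):
    """Return (code, [p1, p2, p3, p4]); reject anything that is not a
    complete 32-bit PAGEDUMP header rather than decoding garbage."""
    if header[:8] != SIGNATURE:
        raise ValueError("not a 32-bit PAGEDUMP header")
    if len(header) < BUGCHECK_OFFSET + 5 * 4:
        raise ValueError("header too short to hold bug-check data")
    code, *params = struct.unpack_from("<5I", header, BUGCHECK_OFFSET)
    return code, params

def describe(code: int, params) -> str:
    """Render the stop code the way the BSOD screen shows it, plus its name."""
    name = BUGCHECK_NAMES.get(code, "UNKNOWN_BUGCHECK")
    args = ", ".join("0x%08X" % p for p in params)
    return "0x%08X %s (%s)" % (code, name, args)

def compare_dumps(headers):
    """Tell whether all dumps share one bug-check code and which parameter
    positions (0-based) differ between them."""
    parsed = [parse_bugcheck(h) for h in headers]
    codes = sorted({code for code, _ in parsed})
    varying = [i for i in range(4) if len({p[i] for _, p in parsed}) > 1]
    return {"same_code": len(codes) == 1, "codes": codes, "varying_params": varying}

def make_header(code: int, params) -> bytes:
    """Build a constructed 4 KiB header carrying the given bug-check data."""
    head = bytearray(0x1000)
    head[:8] = SIGNATURE
    struct.pack_into("<5I", head, BUGCHECK_OFFSET, code, *params)
    return bytes(head)

# Constructed sample: three 0x77 crashes differing only in the 4th parameter.
SAMPLE_DUMPS = [
    make_header(0x77, [0xC0000001, 0x00000000, 0x00000000, 0x11111111]),
    make_header(0x77, [0xC0000001, 0x00000000, 0x00000000, 0x22222222]),
    make_header(0x77, [0xC0000001, 0x00000000, 0x00000000, 0x33333333]),
]

if __name__ == "__main__":
    for h in SAMPLE_DUMPS:
        print(describe(*parse_bugcheck(h)))
    print(compare_dumps(SAMPLE_DUMPS))
```

Point `parse_bugcheck` at the first 4 KiB of a real x86 dump to get the same code and parameters the blue screen printed; a "not a PAGEDUMP header" error means the file is not a 32-bit kernel dump.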

You will want to print out or copy these instructions to Notepad for offline reference!
These steps are for member Iroc9555 only. If you are a casual viewer, do NOT try this on your system!
If you are not bottomshot and have a similar problem, do NOT post here; start your own topic.


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.

Close any of your open programs while you run these tools.

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
For directions on how, see How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs.
Do NOT turn off the firewall.

If you have a prior copy of Combofix, delete it now!

Have infinite patience during the run & scan by Combofix. It has many phases: some 50+ stages.
It will display its "stage" within the Command prompt window. Do NOT panic if it seems slow to change! It has lots of work.
You may notice the desktop icons disappear. Do NOT panic, as that is expected behavior.
Combofix may take as little as 10 minutes and perhaps as much as 30-40 minutes. Time taken will depend on the speed of your system, how much there is to scan, and how much it needs to clean.

If this is on a notebook system, make sure first that the notebook is connected to wall power (AC power).


Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1

Link 2



* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.
 

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on Combo-Fix.exe, accept the EULA & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image: whatnext.png]


Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.


When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

Notes:
[1] IF after the Combofix reboot you get the message

Illegal operation attempted on registry key that has been marked for deletion

....please reboot the computer; this should resolve the problem. You may have to reboot the PC a second time if needed.

[2] Do not mouse-click Combofix's window nor run any program while Combofix is running.
That may cause it to stall.

[3] When all done, IF Combofix did not do a Restart, then I need you to restart the system fresh.

Reply & copy/paste the contents of the C:\Combofix.txt log,
and tell me: how is the system now?

RE-Enable your AntiVirus and AntiSpyware applications.

 


Thanks Maurice.

 

Attached ComboFix log.

 

For some reason it decided to eliminate CTFMON.exe from startup when booting. It also replaced my original hosts file (it has instructions on how to make changes in it) with a plain 127.0.01 LocalHost.

 

I am concerned it deleted some Dell folders in System32\drivers. Hope they are not necessary.

 

After ComboFix finished and I rebooted, 10 minutes later the system BSODed with:

IRQL_NOT_LESS_OR_EQUAL

0X0000000A (0X415EE84D, 0X000000OC, 0X00000000, 0X805023B3)

 

No dump, though. I rebooted again and now it is behaving fine. Maybe it did not like being poked around :unsure:

 

I'll wait for you to tell me to try another Threat Scan after you check the logs.

 

Thanks again for the help.

 

 

ComboFix.txt


It is hard to tell why the BSOD with the IRQ issue happened.

 

As to what Combofix removed, I don't see that it removed CTFMON. There is no indication that it even did anything with it.

 

As to the Dell items, it looks like those had odd file-extension names.

c:\windows\system32\drivers\1028_DELL_XPS_Dell DXP061                  .MRK
c:\windows\system32\drivers\DELL_XPS_Dell DXP061                  .MRK

 

Let me suggest that you run this free tool to look for unwanted add-ons (such as potentially unwanted items).

Close any open work documents, if any, saving your work.
Make sure to close any other programs that you started before.

Please download Junkware Removal Tool by Thisisu to your Desktop
http://thisisudax.org/downloads/JRT.exe


Run the tool by double-clicking it. If you are using Windows Vista or 7 or 8, right-mouse click JRT.exe and select Run as administrator.
The tool will open and display information and disclaimer in a Command prompt window.

I'd suggest you close all internet browsers at this point.

Press a key on the keyboard to start scanning your system.

Please be very patient as this will take several minutes to complete, depending on your system's specifications.
There are approximately 12 phases or so in this tool. You will see each phase listed in the Command prompt window.
On completion, a log (JRT.txt) is saved to your Desktop and will automatically open, and the command prompt will have been closed.

Please attach JRT.txt into a new reply.
 


Attached JRT report.

 

Sorry for my English. I meant that CTFMON was removed from the startup program list. It does not start automatically anymore. It is not in Processes in Task Manager.

 

Well... I just hope I do not have any use for those Dell files. I do not have the slightest idea what they were for.

 

c:\windows\system32\drivers\1028_DELL_XPS_Dell DXP061
c:\windows\system32\drivers\DELL_XPS_Dell DXP061 

 

.MRK files are used for digital imaging in photography.

 

JRT, besides deleting my preferences for FF, also deleted wininit.ini. This is the first time I have run JRT that this particular file has been found and deleted. I could not find any concrete info on the file. A lot of info on WININIT.EXE, but not on the .ini.

 

Waiting for more instructions.

 

Thanks Maurice.

 

 

JRT.txt


Good morning Maurice.

 

I ran a Threat Scan which ended without a BSOD :D

 

However, it found C:\WINDOWS\MBDEF.exe as Spyware Zbot.VXGen.

 

I imagined it was from one of the tools I've been running, since it showed up in my system on the 16th of this month when I downloaded mbam-check. I tried to ignore it, to look for advice here and to send it to VT to know more about it, but MBAM quarantined it anyway through Malware Protection when I was looking at its properties to get more info about it.

 

Now what ?

 

Many thanks.

 

 

MBAM ThreatScan.txt


You did not take ACTION to have that 1 item removed. Did you notice "No Action By User" in the report?

Start the Anti-Malware program.

Click the Settings icon at the top bar. Then click on Detection and Protection.

Look at your selections there:

Especially look at the Non-Malware protection.
For the line marked PUP, be sure your setting is made to Treat detections as malware.


Click the Scan icon at the top bar.

Take a first look at the Scan window.

Do you see a green tick mark and a green line of text (like from the last scheduled scan)?

If you see a button marked Main menu at the bottom right, then click it.

In any event, have the selection selected for Threat scan and then click Scan now.

If it displays an orange sign with Updates are available, press the Update now button.

Have lots of patience as it gets and processes the Update.
 


Hi Maurice.

 

Not to worry. It was an F/P. Already reported here and fixed with a new db update.

https://forums.malwarebytes.org/index.php?/topic/159211-mbdefexe-fp/

 

At first the name threw me off because of the MB (MBAM) and the date; I thought it was from an MB tool. Then I realized I had an error doing a database restore with my Creative Player, and a friend hinted me toward the right file. Besides, I never take action on files detected. I'd rather research the file and make sure it is not an F/P. If it is for real, the malicious file is there anyway, but if it is an F/P, it can bog down a program even though it is restored.

 

Ok, I did another scan and it seems everything is fine now. Now, the million dollar question.

 

What was it ?

 

The wininit.ini and FF prefs.js deleted by JRT ?

 

The changes made by ComboFix? Besides deleting a bunch of temps, some of which are back, and the Dell files, and stopping CTFMON.exe from running automatically on boot. My sys was otherwise clean. No infection. Wasn't it?

 

BTW. Is there a way to restore those Dell files? I do not want to take a chance that they are needed for the Dell diagnostic tool or to restore the Dell hidden image.

 

c:\windows\system32\drivers\1028_DELL_XPS_Dell DXP061
c:\windows\system32\drivers\DELL_XPS_Dell DXP061

 

Another thing. I do not know if you noticed in the logs from the system Event Viewer that it still reports an error for:

Timeout (30000 ms.) transaction response to the service for MBAMService (or something of that style; it is difficult to translate exactly). Attached report.

 

But this has been happening since MBAM v. 2.0.2. It did not happen in v. 1.75 or older.

 

I think all is well. Crossing my fingers. Awaiting next instructions.

 

I thank you again Maurice. Kudos to you.

 

 

MBAM 2 Threat scan.txt

Event viewer.txt


If you want the 2 Dell files back, we can restore them. I first need you to find and send a copy of this file:

C:\Qoobox\ComboFix-quarantined-files.txt

 

After you send that, I will review and provide you a script to restore those 2 Dell-related-items.


Sorry for my late response Maurice.

 

I appreciate it Maurice. I do not know what they are and I could not find any info on them. I could have asked in Dell forums, but I was lazy about it.

 

Besides the ComboFix-quarantined-files.txt report, I also attached a copy of the files themselves. You would know what to do with them.

 

Someone else was curious about similar files for another DeLL model three years ago.

https://www.virustotal.com/es/file/9377fd1e115548f004d3f9501c206590c7d9bbfb0b7d5835c60987a92c811db6/analysis/

 

I did not bother to send them to VT because the .vir name given by ComboFix when they are placed into quarantine might not give a good analysis. Maybe I am wrong though.

 

So Maurice.. What do you think was the cause of the BSOD ?

 

I appreciate your helping me with this. Thank you so much Maurice.

 

 

 

ComboFix-quarantined-files.txt

DeLLdrivers.rar


Virustotal scan result:

SHA256: 9377fd1e115548f004d3f9501c206590c7d9bbfb0b7d5835c60987a92c811db6
File name: 1028_DELL_XPS_Dell DXP061 .MRK
Detection ratio: 0 / 54
Analysis date: 2014-10-21 14:31:26 UTC
https://www.virustotal.com/en/file/9377fd1e115548f004d3f9501c206590c7d9bbfb0b7d5835c60987a92c811db6/analysis/1413901886/

SHA256: 9377fd1e115548f004d3f9501c206590c7d9bbfb0b7d5835c60987a92c811db6
File name: DELL_XPS_Dell DXP061 .MRK
Detection ratio: 0 / 54
https://www.virustotal.com/en/file/9377fd1e115548f004d3f9501c206590c7d9bbfb0b7d5835c60987a92c811db6/analysis/1413902225/

 

 

The following is a scripted procedure to restore the 2 Dell files.   Please take your time when doing this.

Close any of your open programs while you run these tools.


Have infinite patience during the run & scan by Combofix.
1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
For help reference, see http://www.bleepingcomputer.com/forums/index.php?showtopic=114351 How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

Now, save the attached CFSCRIPT.txt file to the Desktop {the same place where you have Combofix}.


Close any (all) open browsers.

[image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript onto ComboFix.exe (the red-lion icon).

A window may open with a warning or prompts.  Accept the EULA and follow the prompts during the start phase of Combofix.

When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.


Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan may temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.  

A file will be created at => C:\Combofix.txt.  

Notes:
[1] IF after the Combofix reboot you get the message "Illegal operation attempted on registry key that has been marked for deletion",
....please reboot the computer; this should resolve the problem. You may have to reboot the PC a second time if needed.

[2] Do not mouse-click Combofix's window nor run any program while Combofix is running.
That may cause it to stall.

[3] When all done, IF Combofix did not do a Restart, then I need you to restart the system fresh.

Reply & copy & paste the contents of the C:\Combofix.txt log, and tell me: how is the system now?

Re-enable your antivirus program.

 

NOTE: These 2 filenames in normal practice should NOT have the embedded spaces in front of (prior to) the (dot) MRK.

You may want to Rename each one so that it does not have spaces in the Name.

 

Lastly, I can't possibly tell why your PC had the BSOD.
 

CFScript.txt


Hi Maurice.

 

Followed instructions, but only 1 of the files was restored. This one:

1028_DELL_XPS_Dell DXP061.MRK (there was no space between the name, the dot, or the MRK. Good)

 

I can not find DELL_XPS_Dell DXP061.MRK anywhere in my system.

 

Attached new log.

 

 

Lastly, I can't possibly tell why your pc had the BSOD.

 

Any db with fixes released before yesterday? What were those fixes, if any? Otherwise it means that at any time running a scan I can get another BSOD. I am not calling it, but.... if we do not know what happened, how can I be sure it will not happen again?

 

Thanks Maurice. Awaiting new instructions.

ComboFix.txt


No, that was a regular Combofix run.

 

It does not appear that you saved CFSCRIPT.txt and dragged and dropped it onto the red-lion icon marking Combofix.exe.

 

The scripted run procedure (the drag and drop) would have restored the 2 Dell files.

They were saved to quarantine before.

 

I have no reason to believe that the database was involved in any way with the BSOD. However, and I think you saw it, there was a false positive about an EXE file, as you reported yesterday. And our Research advised you that it was addressed the same day.


Weird! I did. The only thing was I did not upgrade ComboFix when it said they have a new version. Also, what the heck is 1028_DELL_XPS_Dell DXP061.MRK doing there (C:\WINDOWS\system32\driver) if it was removed by Combofix on the first run and it did not remove it now?

 

Do I run Combofix with the restore cfscript again ?


I am re-confused.

I sent the Cfscript originally.

 

Did you save it to the desktop?

Did you do the drag and drop?

 

where did I lose you?

 

You may, as a last resort, find the file under the C:\qoobox\quarantine folder;

you can copy or move it from there.

Rename it and take out the .vir part of the filename.


Yes I did. I downloaded the Cfscript.txt to my desktop where I have the ComboFix.exe. I dragged it and dropped it onto ComboFix.exe just like the .gif image you attached above. ComboFix was launched, and it asked me if I wanted to upgrade because they have a new version. Here I said no because I was just restoring files. I thought ComboFix was doing its thing, but now you say that it just ran a regular scan, so I am as baffled as you are.

 

I have to go back and make a correction though. The file in my system32\drivers\ is 1028_Dell_DIM_DXP061.mrk. I realized the mistake I made later on, but I couldn't edit the reply and I didn't want to post again. However, I did drag and drop the script onto ComboFix. That I am sure of.

 

So, do I try ComboFix again, or just get the files out of quarantine (fix the embedded spaces and remove the .vir ending) and drop them in the drivers folder?


Do the latter: just get the files out of quarantine by either Copy or Move (fix the embedded spaces and remove the .vir ending) and drop them in the drivers folder.

 

I did. My only concern is that they are only 1 KB in size, while the one I mistook for one of the files removed by ComboFix is 7 KB. I hope ComboFix did not do anything to them.

 

Now What ? Clean all tools from my sys ?

 

Thanks again Maurice, and I apologize for my questioning and inquisitiveness, and mistakes.

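The manual restore agreed in the exchange above (copy the files out of C:\qoobox\quarantine, strip the .vir ending, remove the embedded spaces before .MRK) can be worked out ahead of time so nothing already in the drivers folder gets overwritten. This is an added example, not ComboFix's own logic: the quarantine paths are constructed from the two filenames quoted in the thread, and the flat Quarantine folder layout is an assumption.

```python
"""Reconstruct the original name of a file that ComboFix moved into
C:\\Qoobox\\Quarantine, following the manual restore discussed above:
drop the '.vir' suffix and the run of spaces before the '.MRK' extension,
and refuse to overwrite a file already present in the destination.
Added example; the quarantine paths are constructed from the two filenames
quoted in the thread and the flat Quarantine folder layout is assumed."""
import re
from pathlib import PureWindowsPath

QUARANTINE_SUFFIX = ".vir"
# Whitespace sitting between the base name and the final extension.
SPACE_BEFORE_EXT = re.compile(r"\s+(?=\.[^.\s]+$)")


def restored_name(quarantined: str) -> str:
    """'...DXP061                  .MRK.vir' -> '...DXP061.MRK'."""
    name = PureWindowsPath(quarantined).name
    if name.lower().endswith(QUARANTINE_SUFFIX):
        name = name[: -len(QUARANTINE_SUFFIX)]
    return SPACE_BEFORE_EXT.sub("", name).rstrip()


def plan_restore(quarantined, target_dir, existing):
    """Return ({quarantine_path: destination}, [skipped destinations]).

    Destination names are compared case-insensitively, as NTFS does, so a
    file already in the target folder is reported instead of clobbered."""
    taken = {e.lower() for e in existing}
    plan, skipped = {}, []
    for q in quarantined:
        dest = str(PureWindowsPath(target_dir) / restored_name(q))
        if dest.lower() in taken:
            skipped.append(dest)
        else:
            plan[q] = dest
    return plan, skipped


DRIVERS = r"C:\WINDOWS\system32\drivers"
# Constructed quarantine entries for the two .MRK files the thread discusses,
# plus a constructed decoy whose restored name collides with a file already in drivers.
SAMPLE_QUARANTINE = [
    r"C:\Qoobox\Quarantine\1028_DELL_XPS_Dell DXP061                  .MRK.vir",
    r"C:\Qoobox\Quarantine\DELL_XPS_Dell DXP061                  .MRK.vir",
    r"C:\Qoobox\Quarantine\1028_Dell_DIM_DXP061 .mrk.vir",
]
# The file the poster later reported as still present in the drivers folder.
EXISTING = [DRIVERS + r"\1028_Dell_DIM_DXP061.mrk"]

if __name__ == "__main__":
    plan, skipped = plan_restore(SAMPLE_QUARANTINE, DRIVERS, EXISTING)
    for src, dest in plan.items():
        print("restore", src, "->", dest)
    for dest in skipped:
        print("skip (already present)", dest)
```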

You are welcome.

You know, after an overnight rest, it occurred to me that I had asked for the wrong log file. I should have asked for DeQuarantine.txt from the Qoobox folder.

That was the one that was generated by CF in the last run.   My apologies.

 

Yes, I think we can start the cleanups if all is good now with your pc.

 

The following procedures will implement some cleanup procedures to remove the tools I had you use.

Download Delfix from here and save it to your desktop.

  • Ensure Remove disinfection tools is checked.
  • Click the Run button.
  • Reboot



Any other programs or logs that are still remaining, you can manually delete.


This topic is now closed to further replies.