By Phobe
Jul 29, 2008
  1. Hi, I recently encountered a problem with my computer involving 'blue screen of death'. I realised this when everything was running smoothly, whilst playing World of Warcraft, my computer crashed and up came the blue screen. The first time it said something about drivers, so I assumed my drivers were a little rusty and tried to load the game up again. Five minutes into playing the same thing occured, but it said nothing about drivers. The third time it happened was after 30 minutes of not loading the game to see if it only had an effect on the game. I load it up and the blue screen appeared again, showing my thoughts were correct. When I re-booted a message appeared saying KernelDrv.exe has encountered a problem etc. I searched the name and came accross this thread. . ( Sorry won't allow links )
    I followed the instructions, however nothing appeared in my task manager. I then found it in C:\windows\system32 and thought I'd cracked it so went on to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, nothing appeared there so I ran a full Ad-Aware scan (as advised on the thread). Half way through the scan a message appeared saying KernelDrv.exe has encountered a problem and has stopped running...again. The scan deleted 2 critical items and I re-started the computer. As I knew the file seemed to only have an effect on World of Warcraft I loaded it straight away, with no luck the blue screen appeared again.
    Sorry for the length of the thread. As general information goes, the computer is well used and is roughly 6 years old. What should I do now the other instructions didn't work? Any replies appreciated.
  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Sounds like you are infected with Vundo and your java is probably out of date

    Highjackthis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
  3. Phobe

    Phobe TS Rookie Topic Starter

    Ok. I will do this by tommorow. Thanks for the reply. I think I may be infected with more than one virus as I havn't had security in a while so the log may be reasonably long!
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    considering that is most likely a malicious file that you are having a problem with that is a good idea -> the log won't be too long though. It only takes less than a minute for this scan
  5. Phobe

    Phobe TS Rookie Topic Starter

    Here is the log. I spotted something about KernelDrv.exe in there. Hopefully this should shed some light though. Don't be too shocked!
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • When the scan completes it will open a text window. Please attach that log back here together with the other logs requested below
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

    Combofix will automatically save the log file to C:\combofix.txt


    After that, Please follow this post and attach the 4 logs back here for me
  7. Phobe

    Phobe TS Rookie Topic Starter

    Combofix is complete, now following the other instructions from the other linked thread.

    EDIT: Will get the logs up for tomorrow, Malwarebytes is taking a while to complete it's scan. Maybe for later tonight.
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Good work - when done - please attach all 4 logs
  9. Phobe

    Phobe TS Rookie Topic Starter

    In order of the attached files

    -Combofix Log
    -Malwarebytes' Anti-Malware Log
    -SUPERAntiSpyware Log
    -Final HijackThis Log

    Thanks again for your help. Does this mean my computer is clean? Or this there more operations? I Hope these logs are correct and helpful.
  10. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    The amount of malware we just got off there is amazing - but I think there may be more

    First I want you to upload one of the random files in your Drivers folder - there appears to be a bunch.

    Upload a File to Virustotal
    Please visit Virustotal found HERE
    • Click the Browse... button
    • Navigate to the file C:\WINDOWS\SYSTEM32\DRIVERS\250lozjc.exe
    • Click the Open button
    • Click the Send button
    • Copy and paste the results back here please.


    [​IMG] Run Smitfraudfix
    • Download Smitfraudfix by S!ri from HERE
    • Double-click SmitfraudFix.exe
    • Select 1 and hit Enter
    • The report can be found at the root of the system drive, usually at C:\rapport.txt


    Navigate to:
    C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp

    And delete everything inside but not the folder itself


    Manually clear cache

    • Open an Explorer folder window (for example, double-click My Computer).
    • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
    • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
    • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
    • You should see a series of folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.

    Empty your Recycle Bin anyways


    Please run Combofix again since doing the other steps so I can see what's left on there.

    Attach rapport.txt here along with combofix2.txt
  11. Phobe

    Phobe TS Rookie Topic Starter

    Here's the Virus Total report on C:\WINDOWS\SYSTEM32\DRIVERS\250lozjc.exe.

    File has already been analysed:
    MD5: 3dda6008dd9c53840b6fb712c779c867
    First received: 07.16.2008 03:21:19 (CET)
    Date: 07.30.2008 16:32:49 (CET) [<1D]
    Results: 22/34
    Permalink: analisis/a34d033fe0a73626acfbe7e8f861782d

    OR (Wasn't sure which part you needed, this is the part once 'Show Last Report' is clicked')

    File 250lozjc.exe received on 07.30.2008 16:32:49 (CET)
    Current status: finished
    Result: 22/34 (64.71%)
    Compact Compact
    Print results Print results
    Antivirus Version Last Update Result
    AhnLab-V3 - - -
    AntiVir - - TR/Crypt.XDR.Gen
    Authentium - - W32/BackdoorX.AEGM
    Avast - - Win32:Rootkit-gen
    AVG - - PSW.Agent.TYI
    BitDefender - - Trojan.Inject.HZ
    CAT-QuickHeal - - Backdoor.Qmop.a
    ClamAV - - Trojan.Agent.Qmop
    DrWeb - - -
    eSafe - - -
    eTrust-Vet - - -
    Ewido - - -
    F-Prot - - W32/BackdoorX.AEGM
    F-Secure - - Backdoor.Win32.Qmop.a
    Fortinet - - W32/Qmop.A!tr.bdr
    GData - - Backdoor.Win32.Qmop.a
    Ikarus - - Backdoor.Win32.Qmop.a
    McAfee - - Generic BackDoor
    Microsoft - - Trojan:Win32/Meredrop
    NOD32v2 - - -
    Norman - - W32/Smalltroj.FKUB
    Panda - - Generic Backdoor
    PCTools - - -
    Prevx1 - - Rootkit
    Rising - - -
    Sophos - - Mal/Generic-A
    Sunbelt - - Backdoor.Win32.Qmop.a
    Symantec - - -
    TheHacker - - -
    TrendMicro - - BKDR_QMOP.C
    VBA32 - - Backdoor.Win32.Qmop.a
    ViRobot - - -
    VirusBuster - - -
    Webwasher-Gateway - - Trojan.Crypt.XDR.Gen

    All other instructions followed, here are the logs.

  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    You have an info stealing rootkit

    It's a bad combo too because you have A keylogger program that can capture all user keystrokes (including confidential details such username, password, credit card number, etc.) and A code with the rootkit-specific techniques designed to hide the software presence in the system


    First thing I am going to suggest is that either you subscription to Mcafee expired, in which case you should try one of the free suggested Anti-virus programs. Or you are not receiving updates as Mcafee clearly has definitions

    McAfee - - Generic BackDoor

    Make sure to update and run a full scan if you have a valid subscription or uninstall and pick up Avira or Avast free and update then run full scan


    Run CFScript

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
  13. Phobe

    Phobe TS Rookie Topic Starter

    Sorry I wasn't online yesterday, I will get to this right away.
  14. Phobe

    Phobe TS Rookie Topic Starter

    Here are the two fresh reports. I hope they give better news. Also decided to get the new version of Avast!. It picked up and deleted a few things which I'm sure helped.
  15. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Download and Install SDFix
    • Download SDFix and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...