KernelDrv.exe

Status
Not open for further replies.

Phobe
Hi, I recently encountered a problem with my computer involving the 'blue screen of death'. I realised this when everything was running smoothly, whilst playing World of Warcraft, my computer crashed and up came the blue screen. The first time it said something about drivers, so I assumed my drivers were a little rusty and tried to load the game up again. Five minutes into playing the same thing occurred, but it said nothing about drivers. The third time it happened was after 30 minutes of not loading the game, to see if it only had an effect on the game. I loaded it up and the blue screen appeared again, showing my thoughts were correct. When I re-booted a message appeared saying KernelDrv.exe has encountered a problem etc. I searched the name and came across this thread: techspot.com/vb/topic97552 (sorry, it won't allow links).
I followed the instructions, however nothing appeared in my task manager. I then found it in C:\windows\system32 and thought I'd cracked it, so went on to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; nothing appeared there, so I ran a full Ad-Aware scan (as advised on the thread). Halfway through the scan a message appeared saying KernelDrv.exe has encountered a problem and has stopped running... again. The scan deleted 2 critical items and I re-started the computer. As I knew the file seemed to only have an effect on World of Warcraft I loaded it straight away, with no luck; the blue screen appeared again.
Sorry for the length of the thread. As general information goes, the computer is well used and is roughly 6 years old. What should I do now that the other instructions didn't work? Any replies appreciated.
 
Sounds like you are infected with Vundo, and your Java is probably out of date.

HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.0.2). It can be downloaded from HERE.
  • Run the HijackThis installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
  • After installing, the program launches automatically; select "Scan now and save a log".
  • After the scan is complete, please attach your log to the forums using the paper clip icon above your reply.
 
Ok. I will do this by tomorrow. Thanks for the reply. I think I may be infected with more than one virus as I haven't had security in a while, so the log may be reasonably long!
 
Considering that it is most likely a malicious file that you are having a problem with, that is a good idea -> the log won't be too long though. This scan only takes less than a minute.
 
Here is the log. I spotted something about KernelDrv.exe in there. Hopefully this should shed some light though. Don't be too shocked!
 
Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • When the scan completes it will open a text window. Please attach that log back here together with the other logs requested below.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool, so please do NOT do anything without instruction.

Combofix will automatically save the log file to C:\combofix.txt

------------------------------------------------------------------

After that, please follow this post and attach the 4 logs back here for me:
https://www.techspot.com/vb/topic109461.html
 
Combofix is complete, now following the other instructions from the other linked thread.

EDIT: Will get the logs up for tomorrow; Malwarebytes is taking a while to complete its scan. Maybe later tonight.
 
In order of the attached files:

-Combofix Log
-Malwarebytes' Anti-Malware Log
-SUPERAntiSpyware Log
-Final HijackThis Log


Thanks again for your help. Does this mean my computer is clean? Or are there more operations? I hope these logs are correct and helpful.
 
The amount of malware we just got off there is amazing - but I think there may be more.

First I want you to upload one of the random files in your Drivers folder - there appears to be a bunch.

Upload a File to Virustotal
Please visit Virustotal found HERE
  • Click the Browse... button
  • Navigate to the file C:\WINDOWS\SYSTEM32\DRIVERS\250lozjc.exe
  • Click the Open button
  • Click the Send button
  • Copy and paste the results back here please.

==================================================

Run Smitfraudfix
  • Download Smitfraudfix by S!ri from HERE
  • Double-click SmitfraudFix.exe
  • Select 1 and hit Enter
  • The report can be found at the root of the system drive, usually at C:\rapport.txt

=================================================

Navigate to:
C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp

And delete everything inside, but not the folder itself.

==================================================

Manually clear cache

  • Open an Explorer folder window (for example, double-click My Computer).
  • From the Explorer menu select Tools | Folder Options | View. Make sure that you have checked the box next to "Show hidden files and folders" and uncheck "Hide protected operating system files".
  • Start Internet Explorer and click Tools | Internet Options | General tab | Settings | View Files.
  • IE should have opened up a folder window, typically viewing a folder with the name of C:\Windows\Temporary Internet Files. Put your cursor in the Address area of the folder window and add the name \content.ie5 to the name, so in our example the Address bar would now read c:\Windows\Temporary Internet Files\content.ie5.
  • You should see a series of folders with random eight-character names like ADOZMZS1. Delete each of these randomly named folders. You may get an error that some files are in use, this is normal if you are currently at a web site since those files are in the cache. Hold down the Shift key when deleting the files so they do not go to the Recycle Bin.

Empty your Recycle Bin anyway.

==================================================

Please run Combofix again after doing the other steps, so I can see what's left on there.

Attach rapport.txt here along with combofix2.txt.
 
Here's the Virus Total report on C:\WINDOWS\SYSTEM32\DRIVERS\250lozjc.exe.


File has already been analysed:
MD5: 3dda6008dd9c53840b6fb712c779c867
First received: 07.16.2008 03:21:19 (CET)
Date: 07.30.2008 16:32:49 (CET) [<1D]
Results: 22/34
Permalink: analisis/a34d033fe0a73626acfbe7e8f861782d

OR (wasn't sure which part you needed; this is the part shown once 'Show Last Report' is clicked):

File 250lozjc.exe received on 07.30.2008 16:32:49 (CET)
Current status: finished
Result: 22/34 (64.71%)
Antivirus Version Last Update Result
AhnLab-V3 - - -
AntiVir - - TR/Crypt.XDR.Gen
Authentium - - W32/BackdoorX.AEGM
Avast - - Win32:Rootkit-gen
AVG - - PSW.Agent.TYI
BitDefender - - Trojan.Inject.HZ
CAT-QuickHeal - - Backdoor.Qmop.a
ClamAV - - Trojan.Agent.Qmop
DrWeb - - -
eSafe - - -
eTrust-Vet - - -
Ewido - - -
F-Prot - - W32/BackdoorX.AEGM
F-Secure - - Backdoor.Win32.Qmop.a
Fortinet - - W32/Qmop.A!tr.bdr
GData - - Backdoor.Win32.Qmop.a
Ikarus - - Backdoor.Win32.Qmop.a
McAfee - - Generic BackDoor
Microsoft - - Trojan:Win32/Meredrop
NOD32v2 - - -
Norman - - W32/Smalltroj.FKUB
Panda - - Generic Backdoor
PCTools - - -
Prevx1 - - Rootkit
Rising - - -
Sophos - - Mal/Generic-A
Sunbelt - - Backdoor.Win32.Qmop.a
Symantec - - -
TheHacker - - -
TrendMicro - - BKDR_QMOP.C
VBA32 - - Backdoor.Win32.Qmop.a
ViRobot - - -
VirusBuster - - -
Webwasher-Gateway - - Trojan.Crypt.XDR.Gen
All other instructions followed; here are the logs:

-Smitfraudfix
-Combofix
 
You have an info-stealing rootkit.

It's a bad combo too, because you have a keylogger program that can capture all user keystrokes (including confidential details such as username, password, credit card number, etc.) and code with rootkit-specific techniques designed to hide the software's presence in the system.

--------------------------------------------------------------------------------

First thing I am going to suggest is that either your subscription to McAfee expired, in which case you should try one of the free suggested anti-virus programs, or you are not receiving updates, as McAfee clearly has definitions:

McAfee - - Generic BackDoor

Make sure to update and run a full scan if you have a valid subscription, or uninstall it and pick up Avira or Avast free, update it, then run a full scan.

----------------------------------------------------------------------------------------------

Run CFScript

Open Notepad and copy/paste the text in the code box below into it.
NOTE: make sure to only highlight and copy what is inside the quote box, nothing outside of it.

Pay particular attention to this:

Make sure the word File:: is on the first line of the text file you save (no blank line above it, and no space in front of it).
File::
C:\WINDOWS\SYSTEM32\DRIVERS\250lozjc.exe
C:\WINDOWS\SYSTEM32\DRIVERS\453lozjc.exe
C:\WINDOWS\SYSTEM32\DRIVERS\281lozjc.exe
C:\WINDOWS\SYSTEM32\DRIVERS\187lozjc.exe
C:\WINDOWS\SYSTEM32\DRIVERS\578lozjc.exe
C:\WINDOWS\SYSTEM32\DRIVERS\546lozjc.exe
C:\WINDOWS\SYSTEM32\DRIVERS\234lozjc.exe
C:\WINDOWS\SYSTEM32\DRIVERS\156lozjc.exe
C:\WINDOWS\SYSTEM32\DRIVERS\593lozjc.exe
C:\WINDOWS\SYSTEM32\DRIVERS\484lozjc.exe
C:\WINDOWS\SYSTEM32\DRIVERS\468lozjc.exe
C:\WINDOWS\SYSTEM32\DRIVERS\218lozjc.exe
C:\WINDOWS\SYSTEM32\lanmanwrk.exe
C:\WINDOWS\SYSTEM32\qmopt.dll
C:\WINDOWS\SYSTEM32\lanmandrv.sys
C:\Program Files\Uninstall My Web Search.dll

Folder::

Driver::
lanmandrv
LEGACY_LANMANDRV

Registry::
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LANMANDRV
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LANMANDRV\0000
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LANMANDRV\0000\Control
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmandrv
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmandrv\Security
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmandrv\Enum
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANMANDRV
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANMANDRV\0000
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_LANMANDRV\0000\Control
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmandrv
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmandrv\Security
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmandrv\Enum
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"lanmanwrk.exe clean"=-

Save this as CFScript.txt.

Then drag CFScript.txt onto ComboFix.exe as you see in the screenshot below.

(screenshot: CFScript.gif)


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.
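As an added illustration (not code from the thread or from ComboFix), the following Python assembles a CFScript from the randomly named Drivers-folder files the helper listed and checks the first-line rule stressed above; it assumes the Registry:: section takes standard .reg syntax, where `[-KEY]` removes a key and `[KEY]` followed by `"name"=-` removes a single value.

```python
import re

# Constructed sample listing: some of the file names the thread lists under the
# Drivers folder, plus a legitimate driver name so the filter has something to reject.
SAMPLE_DRIVERS_DIR = ["250lozjc.exe", "453lozjc.exe", "lanmandrv.sys", "ntfs.sys", "281lozjc.exe"]

# Three digits followed by a fixed suffix, the naming pattern of the files in this thread.
RANDOM_NAME = re.compile(r"^\d{3}lozjc\.exe$", re.IGNORECASE)


def find_random_driver_names(names):
    """Return the entries of a Drivers-folder listing that match the random-name pattern."""
    return sorted(n for n in names if RANDOM_NAME.match(n))


def build_cfscript(files, drivers=(), delete_keys=(), delete_values=()):
    """Assemble CFScript text. 'File::' is emitted as the very first line, with no blank
    line above it and no leading space, which is the rule the thread stresses.
    Registry lines use .reg syntax (assumption): [-KEY] deletes a key,
    [KEY] followed by "name"=- deletes one value under that key."""
    lines = ["File::", *files, "", "Folder::", "", "Driver::", *drivers, "", "Registry::"]
    lines += [f"[-{key}]" for key in delete_keys]
    for key, name in delete_values:
        lines += [f"[{key}]", f'"{name}"=-']
    return "\n".join(lines) + "\n"


def validate_cfscript(text):
    """Reject a script that breaks the first-line rule (blank line above or leading space)."""
    first_line = text.split("\n", 1)[0]
    return first_line == "File::"


if __name__ == "__main__":
    hits = find_random_driver_names(SAMPLE_DRIVERS_DIR)
    script = build_cfscript(
        files=[rf"C:\WINDOWS\SYSTEM32\DRIVERS\{n}" for n in hits] + [r"C:\WINDOWS\SYSTEM32\lanmandrv.sys"],
        drivers=["lanmandrv", "LEGACY_LANMANDRV"],
        delete_keys=[r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmandrv"],
        delete_values=[(r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "lanmanwrk.exe clean")],
    )
    print(script)
    print("first-line rule satisfied:", validate_cfscript(script))
```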
 
Here are the two fresh reports. I hope they give better news. I also decided to get the new version of Avast!. It picked up and deleted a few things, which I'm sure helped.
 
Download and Install SDFix
  • Download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (the drive that contains the Windows directory, typically C:\SDFix).

Boot into Safe Mode
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
  • Press any key and it will restart the PC.
  • When the PC restarts the fix tool will run again and complete the removal process, then display "Finished"; press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Attach Report.txt back here.
 