CureIt's setup.exe crashes at ntdll.dll
#1
Posted 23 October 2008 - 15:34
In the info dialog, it says:
AppName=setup.exe ModName=ntdll.dll
My OS is Windows XP Pro Service Pack 3. Normally I use a legitimate copy of Avira AntiVir Premium, and I recently experienced a virus attack after accidentally running an application downloaded via p2p.
It was Dldr.Bagle.adp. Symptoms were slowness, the disappearance of Folder Options, and booting into safe mode being blocked. I recovered and scanned my PC using numerous on-line and on-demand virus scanners, and it seems clean now. But I also want to give Dr.Web CureIt a chance.
I tried the technique of using fast.bat and renaming CureIt to xyz.exe; it still crashes. I am attaching the log file, though I can't see anything valuable in it.
Thanks in advance.
#2
Posted 23 October 2008 - 16:04
---
Best regards,
Borka.
#3
Posted 23 October 2008 - 16:27
Even in safe mode, CureIt crashes!!!
Sometimes it blows up even before painting its main dialog, and sometimes after it.
If I use the original _launch.exe to run it, the crash parameters change slightly:
AppName: Setup.exe ModName: Setup.exe.
The PC is an Asus F3S series notebook.
#4
Posted 23 October 2008 - 16:47
> It's strange. Have you used any "tweak" utilities for "improving" Windows? Have you patched any core Windows files?
> No, I set up my interface for speed, nothing fancy.
> Even in safe mode, CureIt crashes!!!
Please download http://slil.ru/26188952 (renamed RkUnhooker; the full package from the authors is here: http://www.rootkit.com/vault/DiabloNova/RkU3.8.342.554.rar). Run it, go to the Report tab, click the Scan button, uncheck "Files", then use the menu item File - Save report.
Please download HiJackThis http://www.trendsecure.com/portal/en-US/_d.../HiJackThis.exe
Please run these utilities in normal mode and attach the logs here. Don't forget to unplug the internet cable before scanning.
#5
Posted 23 October 2008 - 16:53
---
Best regards,
Borka.
#6
Posted 23 October 2008 - 17:20
I am not using any "tweak utilities" besides a few tweaking options of AVG AntiSpyware. Since CureIt doesn't run under Safe Mode either, I think this is not the case.
And I did not patch any core Windows files.
#7
Posted 23 October 2008 - 17:36
drwtsn32.log and user.dmp are attached.
#8
Posted 23 October 2008 - 17:58
http://www.virustotal.com/
---
Best regards,
Borka.
#9
Posted 23 October 2008 - 18:16
--
With best regards, Konstantin Yudin
TestLab, Doctor Web, Ltd.
#10
Posted 23 October 2008 - 18:20
#11
Posted 23 October 2008 - 18:41
> Try to locate C:\WINDOWS\System32\Drivers\ag20f9pn.SYS via RkUnhooker:
> I cannot locate that file!
Menu item Tools - Wipe / Copy file, step 1 Browse, Direct File Copying to c:\test
BTW, I posted the link to RkUnhooker 3.8.342.554. Why do you use another, earlier version?
#12
Posted 23 October 2008 - 18:52
I discovered that its name changes every boot. Now it has become agihlal.sys,
but its size remains constant at 421888 bytes.
Can it be an Alcohol/Daemon Tools kind of driver? I know they change their names every boot.
#13
Posted 23 October 2008 - 19:24
> Can it be an Alcohol/Daemon Tools kind of driver? I know they change their names every boot.
Maybe. Have you checked it on http://www.virustotal.com/ ?
Please start Dr Watson (c:\WINDOWS\system32\drwtsn32.exe) and set Crash Dump Type to Full. If CureIt crashes again, please upload the full dump in an archive to some file exchange server and post the link here.
Please post here the MD5 hash of your ntdll.dll. You may use the attached file.
#14
Posted 23 October 2008 - 20:03
I am thinking there is something wrong with my ntdll.dll.
I will check it at VirusTotal.
I am considering uninstalling Avira, but that would pose a greater danger, wouldn't it?
#15
Posted 23 October 2008 - 20:17
MD5 of the file: 27D9ED8CB8B62D1E0A8E5ACE6CF52E2F
Second, when I uninstalled Alcohol, that creepy agXXXXXX.sys was completely gone.
I never had the opportunity to locate and examine the file; when it appeared in the RkUnhooker Drivers tab, the Wipe option gave "file not found".
Now I have checked with both RkUnhooker and GMER, and it is absent.
Third, I will post a link to the full crash dump ASAP.
BTW, a new RkUnhooker report is attached.
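An added example, not from the thread or from Dr.Web, covering the two checks requested in #13: hashing a system file such as ntdll.dll so its MD5 can be compared with a known-good value, and spotting a driver whose file name changes between boots while its content (and therefore its size) stays the same, as with the agXXXXXX.sys file above. The drivers directory path and the snapshot names in the usage comment are assumptions.

```python
import hashlib
import sys
from pathlib import Path

def bytes_digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of an in-memory blob (md5 to compare with a hash posted
    on a forum, sha256 for the per-boot snapshots below)."""
    return hashlib.new(algo, data).hexdigest()

def file_digest(path: Path, algo: str = "sha256", chunk: int = 1 << 20) -> str:
    """Hex digest of a file, read in chunks so large drivers are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(driver_dir: Path) -> dict:
    """name -> {size, sha256} for every regular file in driver_dir.
    Save the result (e.g. as JSON) and take another one after the next boot."""
    return {p.name: {"size": p.stat().st_size, "sha256": file_digest(p)}
            for p in sorted(driver_dir.iterdir()) if p.is_file()}

def diff_snapshots(old: dict, new: dict) -> dict:
    """Compare two boots. A file whose content is unchanged but whose name is
    new (the agXXXXXX.sys pattern from the thread) is reported as renamed;
    any other difference is reported as added or removed."""
    old_by_hash = {v["sha256"]: n for n, v in old.items()}
    new_hashes = {v["sha256"] for v in new.values()}
    renamed, added = [], []
    for name, v in new.items():
        if name in old:
            continue                      # same name on both boots
        prev = old_by_hash.get(v["sha256"])
        if prev is not None and prev not in new:
            renamed.append((prev, name, v["size"]))
        else:
            added.append(name)
    removed = [n for n, v in old.items()
               if n not in new and v["sha256"] not in new_hashes]
    return {"renamed": renamed, "added": added, "removed": removed}

if __name__ == "__main__":
    # Assumed usage: python drvsnap.py C:\WINDOWS\system32\drivers > boot1.json
    # Repeat after a reboot as boot2.json, then load both and call diff_snapshots.
    import json
    print(json.dumps(snapshot(Path(sys.argv[1])), indent=1))
```

file_digest(Path("C:/WINDOWS/system32/ntdll.dll"), "md5") gives the value to compare against the hash posted in the thread.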
#16
Posted 23 October 2008 - 21:13
#17
Posted 23 October 2008 - 21:40
> First I checked ntdll.dll at VirusTotal, nothing suspicious.
> MD5 of the file: 27D9ED8CB8B62D1E0A8E5ACE6CF52E2F
Yes, your ntdll.dll is OK.
This one, WINDOWS\system32\drivers\prcmondrv1041.sys,
looks like it belongs to "Process Viewer for Windows" (PrcView) by Igor Nys
http://www.teamcti.com/pview/prcview.htm
Have you installed PrcView? Try to uninstall it.
Please tell us the exact version of COMODO Firewall you have installed.
Comodo, Avira, AVG - it seems you are rather overprotected.
#18
Posted 23 October 2008 - 22:35
I am using Comodo Firewall 3.0.25.378.
I don't have any memory-resident antivirus/antispyware other than Avira, which has no firewall component (hence Comodo).
AVG was installed but not in memory. After the virus attack I started its service, and now it is stopped.
#19
Posted 27 October 2008 - 13:00
#20
Posted 27 October 2008 - 20:33
> I moved the prcmondrv driver and then restarted the notebook
The question is, where did the prcmondrv driver come from? Have you installed PrcView? If not, I won't be surprised if this driver is part of some malware package.
> AVG was installed but not in memory. After the virus attack I started its service, and now it is stopped.
It is not. From your RkU log:
Driver: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
The AVG driver is active.
> Still no solution, CureIt closes at ntdll.dll
The developers are aware of your problem. But maybe it has a low priority.