
CureIt's setup.exe crashes at ntdll.dll


20 replies in this topic

#1 ssg7

ssg7

    Newbie

  • Members
  • 12 posts

Posted 23 October 2008 - 15:34

When I try to run CureIt to scan my pc, after advertisement and main window of cureit is displayed, instantly setup.exe crashes and says it needs to be closed.
In the info dialog, it says:
AppName=setup.exe ModName=ntdll.dll

My OS is Windows XP Pro Service Pack 3 and normally, I am using a legitimate copy of Avira Antivir Premium and recently experienced a virus attack by accidentally running an application downloaded via p2p.
It was Dldr.Bagle.adp. Symptoms were slowness, disappearing of folder options and booting into safe mode was blocked. I recovered and scanned my PC using numerous on-line and on-demand virus scanners, and it seems clean now. But I also want to give a chance to Dr.Web CureIt.

I tried the technique of using fast.bat and renaming cureit to xyz.exe, it still crashes, and I am attaching the log file, though I can't see anything valuable in that file.

Thanks in advance.

#2 Borka

Borka

    Banned for flooding

  • Members
  • 19,512 posts

Posted 23 October 2008 - 16:04

Do you use WindowsBlinds-like software?

---
Regards,
Borka.

#3 ssg7

ssg7

    Newbie

  • Members
  • 12 posts

Posted 23 October 2008 - 16:27

No, I setup my interface for speed, nothing fancy.
Even in safe mode, cureit crashes!!!
Sometimes it blows even before painting its main dialog, and sometimes after it.
If I use the original _launch.exe to run, the crashing parameters change slightly:
AppName:Setup.exe ModName:Setup.exe.

PC is Asus F3S series Notebook.

#4 userr

userr

    Newbie

  • Members
  • 16,310 posts

Posted 23 October 2008 - 16:47

No, I setup my interface for speed, nothing fancy.
Even in safe mode, cureit crashes!!!

It's strange. Have you used any "tweak" utilities for "improving" windows? Have you patched any core windows files?

Please download http://slil.ru/26188952 (renamed RkUnhooker, the full package from authors here http://www.rootkit.com/vault/DiabloNova/RkU3.8.342.554.rar) Run it, tab Report, Scan button, uncheck "Files", menu item File-save report.

Please download HiJackThis http://www.trendsecure.com/portal/en-US/_d.../HiJackThis.exe

Please run these utilities in normal mode, attach the logs here. Don't forget to unplug the internet cable before scanning.

#5 Borka

Borka

    Banned for flooding

  • Members
  • 19,512 posts

Posted 23 October 2008 - 16:53

Watson's dump and log present?

---
Regards,
Borka.

#6 ssg7

ssg7

    Newbie

  • Members
  • 12 posts

Posted 23 October 2008 - 17:20

I am attaching hijackthis.log and report.txt.

I am not using any "tweak utilities" besides a few tweaking options of AVG AntiSpyware. Since CureIt doesn't run under Safe Mode, I think this is not the case.
And I did not patch core windows files.

#7 ssg7

ssg7

    Newbie

  • Members
  • 12 posts

Posted 23 October 2008 - 17:36

I generated a new one using renamed cureit (xyz.exe)
drwtsn32.log and user.dmp are attached.

#8 Borka

Borka

    Banned for flooding

  • Members
  • 19,512 posts

Posted 23 October 2008 - 17:58

Locate C:\WINDOWS\System32\Drivers\ag20f9pn.SYS and check it here:
http://www.virustotal.com/

---
Regards,
Borka.

#9 Konstantin Yudin

Konstantin Yudin

    Overseer

  • Dr.Web Staff
  • 19,552 posts

Posted 23 October 2008 - 18:16

If you uninstall Avira or ASUS Security Protect Manager, does CureIt! still crash?

--
With best regards, Konstantin Yudin
TestLab, Doctor Web, Ltd.



#10 ssg7

ssg7

    Newbie

  • Members
  • 12 posts

Posted 23 October 2008 - 18:20

I can not locate that file!

#11 userr

userr

    Newbie

  • Members
  • 16,310 posts

Posted 23 October 2008 - 18:41

I can not locate that file!

try to locate C:\WINDOWS\System32\Drivers\ag20f9pn.SYS via RkUnhooker:
menu item Tools -- Wipe / Copy file, step 1 Browse, Direct File Copying to c:\test

BTW, I posted the link to RkUnhooker 3.8.342.554 . Why do you use another, earlier version?

#12 ssg7

ssg7

    Newbie

  • Members
  • 12 posts

Posted 23 October 2008 - 18:52

I downloaded from slil.ru
I discovered that its name changes every boot. Now it becomes agihlal.sys,
but its size remains constant 421888 bytes.
Can it be an alcohol/daemon tools kind of driver, because I know they change their names every boot.

#13 userr

userr

    Newbie

  • Members
  • 16,310 posts

Posted 23 October 2008 - 19:24

Can it be an alcohol/daemon tools kind of driver, because I know they change their names every boot.

Maybe. Have you checked it on http://www.virustotal.com/ ?

Please, start Dr Watson c:\WINDOWS\system32\drwtsn32.exe and set Crash Dump Type to Full. If Cureit crashes again, pls upload full dump in archive to some file exchange server and post the link here.

Pls post here md5 hash of your ntdll.dll . You may use the attached file.
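
An added example, not code from this thread or from Dr.Web, for the two posts above: the driver whose name changes every boot while its size stays 421888 bytes, and the request to report an MD5. It snapshots a drivers folder by size and MD5, flags files by the reported size or by a constructed "ag…" name pattern, and follows the renaming driver across boots by hash rather than by name. The sample directories, file contents and the name pattern are constructed assumptions.

```python
import hashlib
import os
import re
import tempfile
# Constructed pattern for the renaming driver in this thread ("ag20f9pn.SYS" on one
# boot, "agihlal.sys" on the next): "ag" followed by 5-6 letters or digits.
RANDOM_NAME_RE = re.compile(r"^ag[a-z0-9]{5,6}\.sys$", re.IGNORECASE)
SUSPECT_SIZE = 421888  # the size the poster reported as constant across boots

def md5_of_file(path, chunk=65536):
    """Upper-case MD5 hex digest, read in chunks so a large file need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()

def inventory_drivers(drivers_dir):
    """Map each .sys file in drivers_dir to (size, md5); this is the per-boot snapshot."""
    inv = {}
    for name in sorted(os.listdir(drivers_dir)):
        path = os.path.join(drivers_dir, name)
        if name.lower().endswith(".sys") and os.path.isfile(path):
            inv[name] = (os.path.getsize(path), md5_of_file(path))
    return inv

def flag_suspects(inv, size=SUSPECT_SIZE, name_re=RANDOM_NAME_RE):
    """Names whose size equals the reported size or whose name fits the random pattern."""
    return sorted(n for n, (sz, _) in inv.items() if sz == size or name_re.match(n))

def renamed_between_boots(before, after):
    """(old_name, new_name) pairs with identical MD5 but a different name: the hash
    follows a self-renaming driver across boots even though the name does not."""
    by_hash = {h: n for n, (_, h) in before.items()}
    return sorted((by_hash[h], n) for n, (_, h) in after.items()
                  if h in by_hash and by_hash[h] != n)

def make_sample_dir(files):
    """Constructed stand-in for C:\\WINDOWS\\System32\\Drivers: one file per entry."""
    d = tempfile.mkdtemp()
    for name, data in files.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d

if __name__ == "__main__":
    body = b"\x90" * SUSPECT_SIZE  # constructed driver contents, identical on both boots
    boot1 = inventory_drivers(make_sample_dir({"guard.sys": b"A" * 1024, "ag20f9pn.SYS": body}))
    boot2 = inventory_drivers(make_sample_dir({"guard.sys": b"A" * 1024, "agihlal.sys": body}))
    print("suspects:", flag_suspects(boot2))  # ['agihlal.sys']
    print("renamed:", renamed_between_boots(boot1, boot2))  # [('ag20f9pn.SYS', 'agihlal.sys')]
```

On a real machine point inventory_drivers at the drivers folder once per boot and diff the snapshots; the MD5 of the flagged file is what to look up, not its name.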

#14 ssg7

ssg7

    Newbie

  • Members
  • 12 posts

Posted 23 October 2008 - 20:03

I uninstalled Alcohol and Asus Security Protect Manager, but cureit crashes again both in normal mode and in safe mode.
I am thinking there is something wrong with my ntdll.dll
I will check it at virustotal.
I am considering uninstalling avira, but that will pose greater danger, won't it?

#15 ssg7

ssg7

    Newbie

  • Members
  • 12 posts

Posted 23 October 2008 - 20:17

First I checked ntdll.dll at virustotal, nothing suspicious.
MD5 of the file : 27D9ED8CB8B62D1E0A8E5ACE6CF52E2F

Second, when I uninstalled Alcohol, that creepy agXXXXXX.sys was completely gone.
I never had the opportunity to locate and examine the file; when it appeared in the Rkunhooker drivers tab, the Wipe option gave "file not found".
Now, I checked with both Rkunhooker and Gmer and it is absent.

Third, I will post a link for full crash dump ASAP.

BTW, new report of rkunhooker is attached.

#16 ssg7

ssg7

    Newbie

  • Members
  • 12 posts

Posted 23 October 2008 - 21:13

full crash dump:
http://rapidshare.com/files/156861968/Dr_Watson.rar.html

#17 userr

userr

    Newbie

  • Members
  • 16,310 posts

Posted 23 October 2008 - 21:40

First I checked ntdll.dll at virustotal, nothing suspicious.
MD5 of the file : 27D9ED8CB8B62D1E0A8E5ACE6CF52E2F

Yes, your ntdll.dll is OK.

This one WINDOWS\system32\drivers\prcmondrv1041.sys
looks like it belongs to "Process Viewer for Windows" (PrcView) by Igor Nys
http://www.teamcti.com/pview/prcview.htm
have you installed PrcView ? Try to uninstall.

Pls tell us the exact version of COMODO Firewall you have installed.
Comodo, Avira, AVG - it seems you are rather overprotected.

#18 ssg7

ssg7

    Newbie

  • Members
  • 12 posts

Posted 23 October 2008 - 22:35

I moved prcmondrv driver and then restarted notebook, cureit still crashes, but sometimes at setup.exe instead of only ntdll.dll

I am using Comodo Firewall 3.0.25.378
I don't have any memory resident antivirus/antispyware other than Avira, which has no firewall component (hence Comodo)
AVG was installed but not in memory. After virus attack I started its service, and now it is stopped.

#19 ssg7

ssg7

    Newbie

  • Members
  • 12 posts

Posted 27 October 2008 - 13:00

Still no solution, CureIt closes at ntdll.dll

#20 userr

userr

    Newbie

  • Members
  • 16,310 posts

Posted 27 October 2008 - 20:33

I moved prcmondrv driver and then restarted notebook

The question is - where did the prcmondrv driver come from? Have you installed PrcView? If not, I won't be surprised if this driver is part of some malware package.

AVG was installed but not in memory. After virus attack I started its service, and now it is stopped.

It is not. From your RkU log:
Driver: C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys

AVG driver is active.

Still no solution, CureIt closes at ntdll.dll

Developers are aware of your problem. But maybe it has a low priority.
