PC Shuts Down

[Jintan]

Most of that log can be explained away as reads of other then malware functions, and then much of it is security suggestions as well. But there are some important system files that either have code added to them, or too the memory space they are loaded to. Let's get a few files checked for now.


Make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types"


Then go here, press new topic, fill in the needed details and just give a link to your post back here (see the "Instructions for uploading files" there for help, if needed). Then press the browse button and then navigate to & select the following file on your computer.

c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll

You DO NOT need to be a member to upload, anybody can upload the files. You will not be able to see the file once uploaded.

Just click the "(more attachments)" next to the Browse button to upload more than one file.

[bearded]

Dear Jintan, I have uploaded the files as per your directions.
Expecting your response.. Thanks

[Jintan]

Thank you for posting the reminder. I am looking at them now, and will post after that.

[Jintan]

The files are okay, and not altered in any way. Just AVZ showing code being added. Might be added after the file is loaded into memory. Have to consider perhaps a problem with AVG causing the shutdown issues, but no way of telling unless it is uninstalled.


Go here, scroll down and download RootRepeal.zip to your Desktop. Unzip that, and then click RootRepeal.exe to open the scanner. Next click on the Report tab, and then click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click Ok.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services

You will then be asked which drive to scan. Check C: and click Ok again. The scan will start. It will take a little while so please be patient. When the scan has finished, click on Save Report. Name the log RootRepeal.txt and save it to your Documents folder (it should default there). When you have done this, please copy and paste it in this thread.

[bearded]

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/27 16:49
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB899A000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79B7000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB32C2000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: c:\windows\temp\0dd42c0d-e072-4dfb-a150-d250fafca1a6.tmp
Status: Allocation size mismatch (API: 2031616, Raw: 0)

Path: c:\windows\temp\3a8f5523-0f34-4556-b8b1-1ad37809095d.tmp
Status: Allocation size mismatch (API: 589824, Raw: 0)

Path: c:\windows\temp\f089b348-825a-4bd8-a52e-33fa51b30982.tmp
Status: Allocation size mismatch (API: 24, Raw: 0)

==EOF==

[Jintan]

Very unclear. I recall one other request thread, where a font install was causing the system to fail. That user was never clear about what software they had used. This shows recent activity - was it recently installed there, and a possible source of these problems?

FontSuvidha 5.0 - Professional

[bearded]

This, Fontsuvidha, I have been using since 10 yrs. I don't have any doubt on it, it is a precoded CD by the Software Trader.
Now, what should I do. Should I go for a Disk Format?
What about the software, I installed after your directions? Should I UN-install all of them?
OR any further directions from you ....

[Jintan]

I was just mentioning that software as I was not very familiar with it, and the other person's past problem. But no scans located anything of that worm that showed earlier, so we still need to determine if it remains there.


Disable your antivirus program and go here and run an online scan using ESET Online Scanner (you will need to use Internet Explorer for this scan, or download the installer to run it in a different browser). If you accept the Terms of Use, check the box and click Start. After the ActiveX Control has loaded, it will take a couple minutes for the scanner to get ready. Next, check the following boxes:

Remove found threats
Scan unwanted applications

Next to "Current scan targets: Operating memory, Local drives", click the "Change" word. Make sure you place a check next to all disk drives, including any external drives that are attached (no need to check off the floppy or DVD/CD-Rom drives).

Click Start. This scan may take a while, so please be patient. A log may open when the scan is complete (if not, go to C:\Program Files\EsetOnlineScanner\ and open the file log.txt). Click Edit - Select All then copy/paste that log back here please.


If you have any problems getting Eset started, one work-around is to have an open Internet connection, and then click here and download the esetsmartinstaller_enu.exe Eset installer. Then click that file, and follow the same previous steps to run the scan.

[bearded]

Dear Jintan, I scanned by EsetOnlineScanner as per your directions. The result said: No Threat Found. What to do...?

[Jintan]

Yes, what to check for a source? Let's see if the shutdowns created information.


Navigate (right click My Computer, left click Explore) to the following folder:

c:\windows\minidump

And if one is there, locate in it any recent minidump(date-somenumber).dmp files created, where "date-somenumber" matches dates of any recent crashes there. If they exist, then just zip a copy of it, and send it to jintan@malwarecrypt.com as an attachment. Please place "Submitted Files - bearded/hjt/dmp" as the email Subject.