Geeks to Go
Win32:Malware-gen trojan infection
#136 gregahoffman (Member, Topic Starter, 400 posts)
I updated Kaspersky to 2014

#137 gregahoffman (Member, Topic Starter, 400 posts)
Event Viewer logs after I disabled the fingerprint sensor and updated Kaspersky; I also cleared the logs.

Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 18/10/2013 8:51:10 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 19/10/2013 1:43:42 AM
Type: Warning Category: 0
Event: 4001 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN AutoConfig service has successfully stopped.

Log: 'System' Date/Time: 19/10/2013 1:43:42 AM
Type: Warning Category: 0
Event: 10002 Source: Microsoft-Windows-WLAN-AutoConfig
WLAN Extensibility Module has stopped. Module Path: C:\Windows\System32\IWMSSvc.dll


Vino's Event Viewer v01c run on Windows 2008 in English
Report run at 18/10/2013 8:53:00 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Critical Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - Warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 19/10/2013 1:43:37 AM
Type: Warning Category: 0
Event: 1530 Source: Microsoft-Windows-User Profiles Service
Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. DETAIL - 1 user registry handles leaked from \Registry\User\S-1-5-21-2271316084-460775634-2034437219-1000:
Process 2720 (\Device\HarddiskVolume2\Program Files (x86)\Kaspersky Lab\Kaspersky Anti-Virus 14.0.0\avp.exe) has opened key \REGISTRY\USER\S-1-5-21-2271316084-460775634-2034437219-1000

#138 RKinner (Malware Expert, MVP, 24,625 posts)
Kaspersky is better now tho still not perfect.

You have to right click on the memory.dmp file and rename it to memory.txt in order to attach it or you can Zip it up if you have the capability. (7-zip works well and is free but you have to make sure it uses the .zip and not the .7z).

#139 gregahoffman (Member, Topic Starter, 400 posts)
I'll try again.
No luck even as a zip file.

#140 RKinner (Malware Expert, MVP, 24,625 posts)
Make sure it has the .zip extension. 7-zip by default will use .7z.

You can also try Who Crashed:

http://www.resplendence.com/downloads

See what it says. Or we can run BlueScreenView again:
Download BlueScreenView
http://www.nirsoft.n...creen_view.html

Double click on BlueScreenView.exe file to run the program.
When scanning is done, go Edit, Select All.

Go File, Save Selected Items, and save the report as BSOD.txt.
Open BSOD.txt in Notepad, copy all content, and paste it into your next reply.

#141 gregahoffman (Member, Topic Starter, 400 posts)
I used Who Crashed; here is the report:

System Information (local)
--------------------------------------------------------------------------------

computer name: HP
windows version: Windows 7 Service Pack 1, 6.1, build: 7601
windows dir: C:\Windows
CPU: GenuineIntel Intel® Core™ i5-2410M CPU @ 2.30GHz Intel586, level: 6
4 logical processors, active mask: 15
RAM: 8535261184 total
VM: 2147352576, free: 1922822144




--------------------------------------------------------------------------------
Crash Dump Analysis
--------------------------------------------------------------------------------

Crash dump directory: C:\Windows\Minidump

Crash dumps are enabled on your computer.

On Thu 17/10/2013 3:13:14 AM GMT your computer crashed
crash dump file: C:\Windows\Minidump\101713-25428-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x74540)
Bugcheck code: 0x9F (0x3, 0xFFFFFA8007CC6A10, 0xFFFFF80000B9C3D8, 0xFFFFFA8010CFB6C0)
Error: DRIVER_POWER_STATE_FAILURE
file path: C:\Windows\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
Bug check description: This bug check indicates that the driver is in an inconsistent or invalid power state.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.



On Thu 17/10/2013 3:13:14 AM GMT your computer crashed
crash dump file: C:\Windows\memory.dmp
This was probably caused by the following module: ntkrnlmp.exe (nt!KeBugCheckEx+0x0)
Bugcheck code: 0x9F (0x3, 0xFFFFFA8007CC6A10, 0xFFFFF80000B9C3D8, 0xFFFFFA8010CFB6C0)
Error: DRIVER_POWER_STATE_FAILURE
Bug check description: This bug check indicates that the driver is in an inconsistent or invalid power state.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.



On Sun 13/10/2013 2:36:51 PM GMT your computer crashed
crash dump file: C:\Windows\Minidump\101313-27674-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x74540)
Bugcheck code: 0x9F (0x3, 0xFFFFFA80080A6A10, 0xFFFFF80000B9C3D8, 0xFFFFFA80103D7010)
Error: DRIVER_POWER_STATE_FAILURE
file path: C:\Windows\system32\ntoskrnl.exe
product: Microsoft® Windows® Operating System
company: Microsoft Corporation
description: NT Kernel & System
Bug check description: This bug check indicates that the driver is in an inconsistent or invalid power state.
This appears to be a typical software driver bug and is not likely to be caused by a hardware problem.
The crash took place in the Windows kernel. Possibly this problem is caused by another driver that cannot be identified at this time.




--------------------------------------------------------------------------------
Conclusion
--------------------------------------------------------------------------------

3 crash dumps have been found and analyzed. No offending third party drivers have been found. Consider configuring your system to produce a full memory dump for better analysis.


Read the topic general suggestions for troubleshooting system crashes for more information.

Note that it's not always possible to state with certainty whether a reported driver is actually responsible for crashing your system or that the root cause is in another module. Nonetheless it's suggested you look for updates for the products that these drivers belong to and regularly visit Windows update or enable automatic updates for Windows. In case a piece of malfunctioning hardware is causing trouble, a search with Google on the bug check errors together with the model name and brand of your computer may help you investigate this further.
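As an added example (not from the thread and not part of WhoCrashed), a Python parser for the crash entries in the report above: it reads each entry's bugcheck code, parameters and blamed module, groups crashes by code, and flags any blamed image that is not the kernel itself, which is what the report's "no offending third party drivers" conclusion rests on. The sample text is constructed from the two minidump entries quoted in the post; the 0x9F first-parameter description is taken from Microsoft's bug check reference.

```python
import re
from collections import Counter

# Constructed sample in the WhoCrashed layout; values are the two minidump entries quoted above.
SAMPLE_REPORT = r"""
On Thu 17/10/2013 3:13:14 AM GMT your computer crashed
crash dump file: C:\Windows\Minidump\101713-25428-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x74540)
Bugcheck code: 0x9F (0x3, 0xFFFFFA8007CC6A10, 0xFFFFF80000B9C3D8, 0xFFFFFA8010CFB6C0)
Error: DRIVER_POWER_STATE_FAILURE

On Sun 13/10/2013 2:36:51 PM GMT your computer crashed
crash dump file: C:\Windows\Minidump\101313-27674-01.dmp
This was probably caused by the following module: ntoskrnl.exe (nt+0x74540)
Bugcheck code: 0x9F (0x3, 0xFFFFFA80080A6A10, 0xFFFFF80000B9C3D8, 0xFFFFFA80103D7010)
Error: DRIVER_POWER_STATE_FAILURE
"""

# One match per crash entry: the five lines WhoCrashed prints for every dump it analyses.
CRASH_RE = re.compile(
    r"^On (?P<when>.+?) your computer crashed\n"
    r"crash dump file: (?P<dump>.+)\n"
    r"This was probably caused by the following module: (?P<module>\S+) \((?P<symbol>[^)]+)\)\n"
    r"Bugcheck code: (?P<code>0x[0-9A-Fa-f]+) \((?P<params>[^)]+)\)\n"
    r"Error: (?P<error>\S+)",
    re.MULTILINE,
)

# Images that are the kernel itself, so blaming them does not identify a faulting driver.
KERNEL_IMAGES = {"ntoskrnl.exe", "ntkrnlmp.exe"}
# Meaning of the first parameter of bug check 0x9F (Microsoft bug check reference).
BUGCHECK_9F_PARAM1 = {0x3: "a device object has been blocking an IRP for too long"}


def parse_report(text):
    """Return one dict per crash entry, with the bugcheck code and parameters as ints."""
    crashes = []
    for m in CRASH_RE.finditer(text):
        entry = m.groupdict()
        entry["code"] = int(entry["code"], 16)
        entry["params"] = [int(p.strip(), 16) for p in entry["params"].split(",")]
        crashes.append(entry)
    return crashes


def summarise(crashes):
    """Group crashes by bugcheck code and list any non-kernel module that was blamed."""
    blamed = sorted({c["module"] for c in crashes if c["module"].lower() not in KERNEL_IMAGES})
    reasons = sorted({BUGCHECK_9F_PARAM1.get(c["params"][0], "see bug check reference")
                      for c in crashes if c["code"] == 0x9F})
    return {"crashes": len(crashes), "codes": dict(Counter(c["code"] for c in crashes)),
            "third_party_modules": blamed, "reasons_0x9f": reasons}
```

An empty `third_party_modules` list with every entry at the same code is the situation in this thread: the kernel is only the reporting image, and a kernel or full memory dump is needed to see which driver held the blocked IRP.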

#142 gregahoffman (Member, Topic Starter, 400 posts)
Also did BSOD; hopefully the text log will upload.

Attached Files

  • Attached File  bsod.txt   4.15KB   257 downloads


#143 RKinner (Malware Expert, MVP, 24,625 posts)

Consider configuring your system to produce a full memory dump for better analysis.


Let's try what they advise: Start, Control Panel, System, Advanced System Settings, Startup and Recovery => Settings, Change Write Debugging Information to Kernel Memory Dump, OK.

Then we wait for the next one.

#144 gregahoffman (Member, Topic Starter, 400 posts)
It was already set to Kernel Memory Dump.

#145 RKinner (Malware Expert, MVP, 24,625 posts)
Then perhaps it is too big for the forum. I will send you my email address in a PM.

#146 gregahoffman (Member, Topic Starter, 400 posts)
Sent.