
Kernel Fault Check On My Hijackthis Log


19 replies to this topic

#1 chardmj

chardmj, Authentic Member, 21 posts

Posted 03 April 2007 - 09:54 AM

Good day to all of you. I am recently troubled about the kernel fault check in my registry and savedump.exe that appears at every startup. Can you check my log and tell me what kernel fault check does? Is it malware? Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 11:51:26 PM, on 4/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\HijackThis.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{75942C61-A4E9-459F-B0D9-5F1C53233A05}: NameServer = 203.167.0.16 203.167.0.17
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Your help would be greatly appreciated. Thanks.



#2 IndiGenus

IndiGenus, Teacher Emeritus, 5,251 posts. Interests: Computer Security, Music, Sports

Posted 03 April 2007 - 05:57 PM

Hi chardmj and welcome to the forums.

kernel fault check: Not Malware
Used in connection with memory dumps - you can disable these by - right clicking on My Computer, selecting Properties and then the Advanced tab. Click on the Settings button in 'Startup and Recovery'. In the bottom pane - under 'Write debugging information' - click on the down arrow and then select 'None' - OK your way out.

You could also have HJT fix the entry. HJT log looks clean. Let me know if you have any other questions.

Hope that helps.

Dave
IndiGenus

The help you receive here is free, but if you would like to help me continue the fight against Malware then [image link]

Logs will be closed if you haven't replied within 5 days

Proud Graduate of TC/WTT Classroom

"To find perfect composure in the midst of change is to find ourselves in nirvana." - Suzuki Roshi


#3 chardmj


Posted 04 April 2007 - 12:55 AM

Thanks for your quick response to my queries. I followed the instructions you gave me, but when I restarted my computer, kernel fault check was still present in my HJT log even though I had fixed it. I also tried to delete the kernel fault check using regedit, but it always comes back. Even though this is not malware, I am very bothered because it always appears at startup and is somehow suspicious. Thanks for giving attention to my problem, and more power to you.

#4 IndiGenus


Posted 04 April 2007 - 06:45 AM

Did you try using HJT to fix it?

Run HijackThis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on this:

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

Then close all windows except this one and press Fix checked.
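The log in the first post and the two replies above treat the O4 KernelFaultCheck line as a benign crash-dump reporter, while the O23 lines ending in "(file missing)" are the kind of entry a reviewer looks at twice. As an added example that is not part of this thread and is not HijackThis code, the following Python script parses the O4 and O23 lines of a HijackThis log (the sample lines are copied from the log posted above) and attaches a reviewer's verdict to each. The regular expressions, the KNOWN_BENIGN_O4 table and the verdict wording are this example's own assumptions, not anything HijackThis emits.

```python
import re

# Constructed sample: entries copied from the HijackThis v1.99.1 log posted
# in this thread, one entry per line (the original post had them run together).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# O4: autostart entry  ->  O4 - <hive>\..\<key>: [<name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>[^\\]+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23: service  ->  O23 - Service: <display name> - <owner> - <binary path>
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.*)$")

# Autostart names the thread identifies as benign (this table is an assumption
# of the example). KernelFaultCheck runs dumprep after a crash to report the
# kernel dump; it can be switched off under Startup and Recovery as described
# in the replies above.
KNOWN_BENIGN_O4 = {
    "KernelFaultCheck": "Windows crash-dump reporter (dumprep); benign",
}


def parse_hjt(text):
    """Return one dict per recognised O4/O23 line; other sections are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            entries.append({"type": "O4", **m.groupdict()})
            continue
        m = O23_RE.match(line)
        if m:
            entry = {"type": "O23", **m.groupdict()}
            # HJT appends "(file missing)" when the service binary is not found
            # at the recorded path; that deserves a look even on a clean log.
            entry["file_missing"] = line.endswith("(file missing)")
            entries.append(entry)
    return entries


def triage(entries):
    """Attach a short verdict to each entry as (name, target, verdict)."""
    report = []
    for e in entries:
        if e["type"] == "O4":
            verdict = KNOWN_BENIGN_O4.get(e["name"], "review: unrecognised autostart entry")
            report.append((e["name"], e["cmd"], verdict))
        else:
            verdict = ("review: service binary not found" if e["file_missing"]
                       else "ok: service binary present")
            report.append((e["svc"], e["path"], verdict))
    return report


if __name__ == "__main__":
    for name, target, verdict in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{verdict:40} {name}: {target}")
```

Run it on a whole log and the unrecognised O4 entries are the ones to look up one by one; an entry that keeps reappearing after being fixed, as in this thread, still shows up in the report on every scan, which is what makes a repeated diff of the O4 list useful.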


#5 chardmj


Posted 04 April 2007 - 09:03 AM

Good day. Yes, I have used HJT to fix the problem, but it always comes back every time I restart my computer. Today I installed Ad-Aware SE Personal and Spybot - Search & Destroy, and the programs found and removed a keylogger. But even though the keylogger was removed, kernel fault check still keeps coming back. To be more secure I also installed the ZoneAlarm firewall, but I am still bothered by the kernel fault check entry in my HJT log, and I also see it when I go to msconfig. Even when I untick it in msconfig it always comes back, even if I fix it using HJT. I hope you can help me with my problem because I think that it is unusual. Thanks and God bless!

#6 IndiGenus


Posted 04 April 2007 - 09:31 AM

Hmm...that is interesting :scratch: Which program found the keylogger? Spybot or Adaware, or both? Do you have any information from them as to what it was? And are you sure it was removed? Sorry, a lot of questions but it is interesting and worth looking into.

Dave


#7 chardmj


Posted 04 April 2007 - 09:49 AM

The keylogger was found by both programs, and it was auto-quarantined by Ad-Aware. Here is the auto-quarantine log from Ad-Aware:

ArchiveData(auto-quarantine- 2007-04-04 16-26-31.bckp)
Referencefile : SE1R148 29.01.2007
======================================================
H@TKEYSH@@K
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=File : C:\WINDOWS\system32\h@tkeysh@@k.dll

I think that my computer is infected by a rootkit, because I've heard that rootkits have the ability to avoid detection. My ZoneAlarm firewall says that 25 intrusion attempts have been blocked and three of them are high-rated. I have just installed ZoneAlarm in the last hour. Is there a possibility that my PC is infected by a rootkit?

#8 IndiGenus


Posted 04 April 2007 - 10:21 AM

OK, this link has some info. on it:

http://www.cimweb.co...h@tkeysh@@k.htm

Have you or do you use a game trainer?

Trendmicro also has some information on it:

http://www.trendmicr...c...2EA&VSect=P

To check for a rootkit:

Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-sec...light/try.shtml
Double-click blbeta.exe then accept the agreement.
Click > scan, then > next.
You'll see a list of all items found.
Don't choose to rename anything yet! I want to see the log first, because legit items can also be present there...
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).
Post the contents of the log in your next reply.


#9 chardmj


Posted 04 April 2007 - 10:48 AM

OK, I've downloaded and installed BlackLight, but it didn't find any problems. Here is the log:

04/05/07 00:28:46 [Info]: BlackLight Engine 1.0.61 initialized
04/05/07 00:28:46 [Info]: OS: 5.1 build 2600 (Service Pack 2)
04/05/07 00:28:47 [Note]: 7019 4
04/05/07 00:28:47 [Note]: 7005 0
04/05/07 00:28:53 [Note]: 7006 0
04/05/07 00:28:53 [Note]: 7011 1248
04/05/07 00:28:53 [Note]: 7026 0
04/05/07 00:28:54 [Note]: 7026 0
04/05/07 00:28:59 [Note]: FSRAW library version 1.7.1021
04/05/07 00:34:56 [Note]: 7007 0

I also used Helios Lite, but it also didn't detect any problems. I did find some suspicious-looking registry items in the scan result:

1, SOFTWARE\Microsoft\Cryptography\RNG, Seed, Data Differs
2, SECURITY\Policy\Secrets\SAC, , Access Denied
3, SECURITY\Policy\Secrets\SAI, , Access Denied
4, .DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, ParseAutoexec, Data Differs
5, S-1-5-21-527237240-1993962763-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count, HRZR_EHACNGU, Data Differs
6, S-1-5-21-527237240-1993962763-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count, HRZR_HVFPHG, Data Differs
7, S-1-5-21-527237240-1993962763-1202660629-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count, HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Qntnzv Snzvyl\Qrfxgbc\Uryvbf Yvgr.rkr, Data Differs

I also found some suspicious improperly terminated processes:

C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\dumprep.exe

I hope this can somehow help you in analyzing my problem.
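The Helios Lite rows in the post above are easier to read once the UserAssist value names are decoded: Explorer stores them ROT13-encoded (HRZR_EHACNGU is UEME_RUNPATH, a per-program launch counter, and HRZR_HVFPHG is UEME_UISCUT, launches via shortcut), so their data changes every time a program is run; the CryptoAPI RNG Seed is reseeded routinely, and SECURITY\Policy\Secrets is readable only by SYSTEM. "Data Differs" or "Access Denied" on those keys is therefore expected rather than evidence of tampering. As an added example that is not from the thread or from Helios Lite, this Python script parses rows in that "index, key, value, status" format and annotates them. The sample rows are constructed with a made-up SID and user folder (the real rows are in the post above), and the note texts are the example's own wording.

```python
import codecs

# Constructed sample in the "index, key, value name, status" row format that
# Helios Lite printed in the thread. The SID and the user folder are made up;
# the ROT13 value names are genuine UserAssist names.
SAMPLE_ROWS = r"""
1, SOFTWARE\Microsoft\Cryptography\RNG, Seed, Data Differs
2, SECURITY\Policy\Secrets\SAC, , Access Denied
4, .DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon, ParseAutoexec, Data Differs
5, S-1-5-21-1111111111-2222222222-3333333333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count, HRZR_EHACNGU, Data Differs
6, S-1-5-21-1111111111-2222222222-3333333333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count, HRZR_HVFPHG, Data Differs
7, S-1-5-21-1111111111-2222222222-3333333333-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count, HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Hfre\Qrfxgbc\Uryvbf Yvgr.rkr, Data Differs
"""

# Keys whose data is expected to change between two scans on a healthy
# system, so "Data Differs" on them is not evidence of tampering by itself.
EXPECTED_TO_CHANGE = {
    "SOFTWARE\\Microsoft\\Cryptography\\RNG": "CryptoAPI reseeds this value routinely",
}


def decode_userassist(value_name):
    """UserAssist value names are stored ROT13-encoded; return (tag, argument)."""
    plain = codecs.decode(value_name, "rot_13")
    tag, _, arg = plain.partition(":")
    return tag, arg


def explain_row(row):
    """Parse one row and attach a note a reviewer can act on."""
    idx, key, value, status = (s.strip() for s in row.split(", ", 3))
    note = None
    if "\\UserAssist\\" in key and value.startswith("HRZR_"):
        # Decode the ROT13 name so the row reads as UEME_RUNPATH:<program path>.
        tag, arg = decode_userassist(value)
        value = tag + (":" + arg if arg else "")
        note = "UserAssist launch counter kept by Explorer; changes whenever a program is run"
    elif key in EXPECTED_TO_CHANGE:
        note = EXPECTED_TO_CHANGE[key]
    elif status == "Access Denied":
        note = "SECURITY\\Policy\\Secrets is ACL'd to SYSTEM only; denial is normal for a user-mode scanner"
    return {"index": int(idx), "key": key, "value": value, "status": status, "note": note}


def explain_rows(text):
    """Annotate every non-empty row of a Helios Lite style report."""
    return [explain_row(r) for r in text.strip().splitlines()]


if __name__ == "__main__":
    for r in explain_rows(SAMPLE_ROWS):
        print(f"{r['index']}: {r['value'] or '(no value)'} [{r['status']}] -> {r['note'] or 'review'}")
```

Rows that come back with no note (here the Winlogon ParseAutoexec one) are the ones left for a human to look at; decoding the UserAssist entry also shows what was launched, which in the thread turns out to be the scanner itself.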

#10 IndiGenus


Posted 04 April 2007 - 12:12 PM

I'm not familiar with the Helios Lite tool and not sure what those results mean. Here is another tool I found which will scan for keyloggers.
  • Download avz4en.zip here
  • Unzip it to a folder on your desktop
  • Double click on AVZ.exe
  • Click on the webupdate icon
  • Click on the start button.
  • Wait for the update to finish
  • You will get a message that says "Automatic update completed successfully. Update has been successfully downloaded and installed"
  • Click OK
  • Under the search parameter tab, change the heuristic analysis mode to "Maximum heuristics level" and tick the box next to "Extended analysis"
  • Make sure that the following options are selected
    • Detect API hooks and rootkits
    • Check SPI / LSP settings
    • Search for keyloggers
    • Search for TCP/UDP ports used by trojan horses
  • Make sure the following options are not selected
    • Block user-mode rootkits
    • Block kernel-mode rootkits
    • Automatically correct SPI/LSP errors
    • Perform healing
  • Under the file types tab select all files
  • Under the search range tab, select the following options
    • Check running processes
    • Heuristic system check
  • Make sure that all the Disks listed are selected
  • Click start and wait for the scan to finish
  • When the scan has finished click on the save icon
  • Leave the default name of avz_log and save it to your desktop
  • This will put the file avz_log.txt on your desktop, please post the contents of that file



#11 chardmj


Posted 05 April 2007 - 07:32 AM

Good day. I found out that I got the keylogger from a trainer that I used recently, and I was surprised that I was able to prevent kernel fault check from running at startup simply by unticking it (unlike before), and now it does not come back anymore. Thanks for helping me and giving me tips on how to solve my problem; the tools you have recommended are surely useful for users who are conscious about security issues. More power to you, and may you help many more people in solving security problems.

#12 IndiGenus


Posted 05 April 2007 - 08:05 AM

Ahh :thumbup: As I mentioned in an earlier post I thought it was a trainer. Good job and good luck in the future. Peace, Dave


#13 chardmj


Posted 06 April 2007 - 07:20 AM

Sir, may I know your email address or another means to contact you? I'm currently working on something that will improve the security of our computer, so I would like to seek your advice. Thanks for your time in reading this post, and more power to you.

#14 IndiGenus


Posted 06 April 2007 - 08:47 AM

What are you looking to implement? If it's going to be a week or two I can keep this thread open and you can post back here to contact me. You can also contact me through my website that is in my signature. Let me know, Dave


#15 chardmj


Posted 06 April 2007 - 09:59 AM

OK sir, I'm planning to do this as soon as possible, so here's the scenario: in our house we have 4 computer users including me. One of them just loves to play PC games and emulators, the other two love to surf the internet, and I am the one in charge of keeping the computer at its optimal gaming performance and safe on the internet. Since one of the users turns off the firewall and antivirus when he is playing, I created a batch file that launches SpywareBlaster and the ZoneLabs firewall whenever they open Mozilla Firefox. I would greatly appreciate it if you could give me some ideas on how to run my ZoneAlarm firewall and SpywareBlaster, and activate the avast resident scanner, automatically whenever the other users connect to the internet using a dial-up connection, and deactivate them whenever I disconnect. I am doing this for the other two users because they are not that good at understanding things about security and safety. I am currently using the Mozilla Firefox browser with the following extensions: NoScript, Adblock Plus, Adblock Filterset.G Updater, Adblock Plus Element Hiding Helper, Dr.Web anti-virus link checker, Fasterfox, and McAfee SiteAdvisor. I hope that you can give me some tips so that I can help the users in our house who like gaming, and the users who like surfing the internet. Thank you and more power!
