Peculiar case, worth documenting:

Out of nowhere I got STOP: c000021a {Fatal system error} Windows subsystem system process terminated unexpectedly with a status of 0x0000005......
This shows once and after that it becomes a STOP: 0x000000F4 BSOD.
It appears shortly after Windows reaches the desktop.

After this I ran ComboFix and it finds 'logongui.exe' and 'msgsvc.dll' (system32 folder) as infected, on top of a few weird files that FRST indicates too (files with a ? mark; I can't see these files via Windows Explorer or Total Commander... tried erasing them via CFScript.txt and ComboFix, but to no avail). ComboFix says it can fix msgsvc (by copying it from another location in the Windows directory) but not logongui.exe, so I copied that file from a working machine. After this the PC boots, but not for long, as the error sequence repeats (with one and then, after a reboot, the other BSOD). Probably worth mentioning that ComboFix is bleeping about Avast being active, but I can't turn it off because I don't see it in safe mode, and I can't remove it via avastclear.exe. It is also bleeping about the lacking Recovery Console, but tough luck there too: it seems the XP server for that purpose is down, and the version on the XP CD seems too old (?).

I did all sorts of different things too: checked for rootkits with RKill, TDSSKiller and others, checked the MBR etc., checked the BSOD minidump (Nir Sofer's BlueScreenView says ntoskrnl.exe most of the time, Windows debugging tools say csrss.exe...), swapped RAM sticks, reinstalled the VGA driver, tested the HDD with HD Tune etc.

Probably the most interesting thing is that I restored an HDD image from the time Windows was working OK, and soon after the BSOD reappears (I didn't use the sector-by-sector mode of Acronis True Image to restore it, though). Also, at the time of that restoration I had 3 more HDDs connected in the system... I don't know if rootkits like to skip from drive to drive...

I'm now writing this from safe mode, which works OK. Also, it's a dual-boot system, and Windows 2000 is working too.

Here are the logs (regarding the Flash Player version: it was 23 when the BSOD appeared; this is a bit older disk image I restored, so it's still on Flash 21):
Malwarebytes Anti-Malware
www.malwarebytes.org
Scan Date: 31.10.2016
Scan Time: 1:58:23
Logfile: mbam.txt
Administrator: Yes
Version: 2.2.1.1043
Malware Database: v2016.10.31.01
Rootkit Database: v2016.09.26.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
OS: Windows XP Service Pack 2
CPU: x86
File System: NTFS
User: izi-2
Scan Type: Custom Scan
Result: Completed
Objects Scanned: 313308
Time Elapsed: 32 min, 42 sec
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled
Processes: 0
(No malicious items detected)
Modules: 0
(No malicious items detected)
Registry Keys: 9
PUP.Optional.ASK, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\SETTINGS\{D4027C7F-154A-4066-A1AD-4243D8127440}, , [833a4c53722865d10e2f545718ec0000],
PUP.Optional.ASK, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\STATS\{D4027C7F-154A-4066-A1AD-4243D8127440}, , [833a4c53722865d10e2f545718ec0000],
PUP.Optional.Conduit, HKLM\SOFTWARE\CLASSES\CLSID\{3c471948-f874-49f5-b338-4f214a2ee0b1}, , [25986f30d2c813234181f11c7d839868],
PUP.Optional.ConduitTB.Gen, HKLM\SOFTWARE\CLASSES\Toolbar.CT3072253, , [9f1e8a15d5c53105560b1f7254afbc44],
PUP.Optional.ConduitTB.Gen, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\PACGPKGADGMIBNHPDIDCNFAFLLNMEOMC, , [9a23fda25446181e395886530af8df21],
Trojan.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\synsend, , [bb02366956441e18c13089b8a85b6b95],
PUP.Optional.ConduitTB.Gen, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\PACGPKGADGMIBNHPDIDCNFAFLLNMEOMC, , [dce1603f8218191d147e1abf49b9867a],
PUP.Optional.Conduit, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{AFDBDDAA-5D3F-42EE-B79C-185A7020515B}, , [24998d12e7b35fd71068198312f10af6],
PUP.Optional.SmartBar, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\SMARTBAR, , [427b425d87131323c12a7341d3306997],
Registry Values: 8
PUP.Optional.ASK, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\WEBBROWSER|{D4027C7F-154A-4066-A1AD-4243D8127440}, | ÔJ f@ˇBCŘ t@, , [833a4c53722865d10e2f545718ec0000]
PUP.Optional.ASK, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TOOLBAR\WEBBROWSER\{D4027C7F-154A-4066-A1AD-4243D8127440}, , [c5f8a2fd0397b87e82bb109b659fe020],
PUP.Optional.ConduitTB.Gen, HKLM\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pacgpkgadgmibnhpdidcnfafllnmeomc|path, C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx, , [9a23fda25446181e395886530af8df21]
PUP.Optional.ConduitTB.Gen, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\GOOGLE\CHROME\EXTENSIONS\pacgpkgadgmibnhpdidcnfafllnmeomc|path, C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx, , [dce1603f8218191d147e1abf49b9867a]
PUP.Optional.Conduit, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\MICROSOFT\INTERNET EXPLORER\SEARCHSCOPES\{afdbddaa-5d3f-42ee-b79c-185a7020515b}|URL, http://search.condui...&ctid=CT3072253, , [24998d12e7b35fd71068198312f10af6]
PUM.Optional.LowRiskFileTypes, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\ASSOCIATIONS|LowRiskFileTypes, .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;, , [833ad4cbcbcf86b08364567fae55768a]
Hijack.ControlPanelStyle, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER|ForceClassicControlPanel, 1, , [7d40910e950535012e6ea18fdd26c63a]
PUP.Optional.SmartBar, HKU\S-1-5-21-2000478354-73586283-725345543-500\SOFTWARE\SMARTBAR|GlobalUserId, 6F7137A2-AB07-4939-83B9-C7EF7A034D54, , [427b425d87131323c12a7341d3306997]
Registry Data: 0
(No malicious items detected)
Folders: 6
PUP.Optional.ConduitTB.Gen, C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\CRE, , [f8c579260199b5812e625485788a867a],
PUP.Optional.ConduitTB.Gen, C:\Program Files\Conduit\Community Alerts, , [0faeb5ea6c2ee254feac6a456a98d62a],
PUP.Optional.uTorrentTB, C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pacgpkgadgmibnhpdidcnfafllnmeomc, , [36870e91d5c5082ecfa7289746bcf20e],
PUP.Optional.Conduit, C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\Conduit, , [2d909f001e7c6bcbd804972f8e742ed2],
PUP.Optional.Conduit, C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\Conduit\Community Alerts, , [2d909f001e7c6bcbd804972f8e742ed2],
PUP.Optional.Conduit, C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\Conduit\Community Alerts\Log, , [2d909f001e7c6bcbd804972f8e742ed2],
Files: 4
PUP.Optional.Conduit, C:\Program Files\Conduit\Community Alerts\Alert.dll, , [25986f30d2c813234181f11c7d839868],
PUP.Optional.ConduitTB.Gen, C:\Documents and Settings\Administrator.UNIMATRIX001\Local Settings\Application Data\CRE\pacgpkgadgmibnhpdidcnfafllnmeomc.crx, , [f8c579260199b5812e625485788a867a],
Rogue.Link, C:\Documents and Settings\Administrator.UNIMATRIX001\Favorites\Free Pornstars @ Pornstar Pile.url, , [5667faa5ecae90a6228e5dafe221f10f],
Rootkit.Agent, C:\WINDOWS\system32\drivers\str.sys, , ,
Physical Sectors: 0
(No malicious items detected)
(end)
DDS (Ver_2012-11-20.01) - NTFS_x86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by izi-2 at 19:19:26 on 2016-11-01
Microsoft Windows XP Professional 5.1.2600.2.1250.385.1033.18.3062.2358 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
E:\Firefox40\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: FGCatchUrl: {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - c:\program files\flashget\jccatch.dll
BHO: avast! Online Security: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - e:\program files\avastxp\aswWebRepIE.dll
BHO: FlashGet GetFlash Class: {F156768E-81EF-470C-9057-481BA8380DBA} - c:\program files\flashget\getflash.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [mouseElf] c:\progra~1\scroll~1\MouseElf.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [Malwarebytes Anti-Exploit] c:\program files\malwarebytes anti-exploit\mbae.exe
mRun: [AvastUI.exe] "e:\program files\avastxp\AvastUI.exe" /nogui
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\filebo~1.lnk - c:\program files\filebx\FileBX.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - %SystemRoot%\web\related.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
TCP: Interfaces\{755DDF4B-EB2F-4494-9B33-2930EC276CD9} : NameServer = 195.29.166.116,195.29.166.117
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator.unimatrix001\application data\mozilla\firefox\profiles\naef66wq.default-1454634362109\
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/?gfe_rd=cr&ei=lPezVsjnIMGH8QfyvZ-4DQ&gws_rd=ssl,cr&fg=1
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\mozilla firefox\plugins\nppdf32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin3.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin4.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin5.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_21_0_0_182.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\nporbit.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2008-1-12 38656]
R3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2009-7-11 6656]
S0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2016-3-22 58776]
S0 aswVmm;avast! VM Monitor;c:\windows\system32\drivers\aswvmm.sys [2016-3-22 224616]
S0 wgptk;wgptk;c:\windows\system32\drivers\nfqida.sys --> c:\windows\system32\drivers\nfqida.sys [?]
S1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2016-3-23 35096]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2016-3-22 815792]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2016-3-22 449640]
S1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files\malwarebytes anti-exploit\mbae.sys [2015-12-27 59976]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys [2016-3-22 32792]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2016-3-22 91168]
S2 avast! Antivirus;Avast Antivirus;e:\program files\avastxp\AvastSvc.exe [2016-10-31 243296]
S2 DLPortIO;DriverLINX Port I/O Driver;c:\windows\system32\drivers\DLPortIO.sys [2010-3-11 3584]
S2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files\malwarebytes anti-exploit\mbae-svc.exe [2015-12-27 155088]
S2 RadPciNT;RadPciNT;c:\windows\system32\drivers\RadPciNT.sys [2000-4-24 9417]
S2 zmatfkbg;zmatfkbg;\??\c:\windows\system32\drivers\wwqca.sys --> c:\windows\system32\drivers\wwqca.sys [?]
S3 aswStmXP;Avast StreamFilter Driver;c:\windows\system32\drivers\aswStmXP.sys [2016-3-22 187208]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2015-7-2 14944]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2015-7-2 10208]
S3 FlyPCI;FlyPCI;e:\progra~1\slydiman\slycon~1\FlyPCI.sys [2003-10-10 4134]
S3 IT9135BDA;IT9135 BDA Devices;c:\windows\system32\drivers\IT9135BDA.sys [2013-3-31 145280]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
S3 pwdrvio;pwdrvio;c:\windows\system32\pwdrvio.sys [2014-12-29 15688]
S3 pwdspio;pwdspio;c:\windows\system32\pwdspio.sys [2014-12-29 10320]
S3 SKYNET;TechniSat DVB-PC TV Star PCI;c:\windows\system32\drivers\SkyNET.sys [2008-1-11 349184]
S3 SliceDisk5;SliceDisk5;c:\program files\a-ff find and mount\slicedisk.sys [2015-10-9 26192]
S3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [2015-7-9 123448]
S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\drivers\vboxnetflt.sys --> c:\windows\system32\drivers\VBoxNetFlt.sys [?]
S3 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys --> c:\windows\system32\drivers\vmci.sys [?]
.
=============== Created Last 30 ================
.
2027-11-27 03:34:00 -------- d-----w- C:\My Music
2027-11-27 02:14:33 -------- d-----w- C:\My PixAround
2027-11-27 01:49:16 -------- d-----w- C:\My Documents
2016-10-31 23:27:47 -------- d-----w- C:\FRST
2016-10-31 19:35:35 52184 ----a-w- c:\windows\avastSS.scr
2016-10-31 05:26:43 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes' Anti-Malware (portable)
2016-10-31 01:51:54 98816 ----a-w- c:\windows\sed.exe
2016-10-31 01:51:54 256000 ----a-w- c:\windows\PEV.exe
2016-10-31 01:51:54 208896 ----a-w- c:\windows\MBR.exe
2016-10-31 00:56:32 170200 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-10-31 00:56:10 24448 ----a-w- c:\windows\system32\drivers\mbam.sys
2016-10-31 00:56:10 121560 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2016-10-31 00:56:10 -------- d-----w- c:\program files\Malwarebytes Anti-Malware
2016-10-31 00:56:10 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
.
==================== Find3M ====================
.
2016-10-31 19:36:36 224616 ----a-w- c:\windows\system32\drivers\aswvmm.sys
2016-10-31 19:35:42 91168 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2016-10-31 19:35:42 58776 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2016-10-31 19:35:42 32792 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2016-10-31 19:35:42 187208 ----a-w- c:\windows\system32\drivers\aswStmXP.sys
2016-10-31 19:35:24 815792 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2014-02-27 02:16:39 0 ----a-w- c:\program files\GUT3A7.tmp
.
============= FINISH: 19:20:09,93 ===============
Results of screen317's Security Check version 1.014 --- 12/23/15
Windows XP Service Pack 2 x86
Out of date service pack!!
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
Please wait while WMIC compiles updated MOF files.
displayName
avast! Antivirus
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Adobe Flash Player 21.0.0.182
Adobe Reader 9 Adobe Reader out of Date!
Mozilla Firefox (44.0)
````````Process Check: objlist.exe by Laurent````````
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 30% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
Edit: Please read the Instructions and post the requested logs (MBAM, FRST, Security Analysis). We need the information in order to help you.
Edited by Rocket Grannie, 01 November 2016 - 11:35 PM.
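As an added example (not part of the original post, and not code from DDS, FRST or ComboFix), the following Python script shows the first triage pass a responder would run over the "SERVICES / DRIVERS" and "Created Last 30" sections of a DDS log like the one above. It parses lines copied verbatim from that log and flags two patterns visible in it: boot/auto-start kernel drivers whose service name doubles as the display name, looks machine-generated, and whose image file DDS reports as missing ("--> ... [?]", here wgptk/nfqida.sys and zmatfkbg/wwqca.sys), and filesystem entries whose creation date lies after the report date (the 2027 folders in a scan run on 2016-11-01). The "random name" vowel-ratio rule and the combination of conditions that counts as suspicious are my own heuristics, labelled as such in the comments; legitimate drivers with stale service entries (VBoxNetFlt, vmci) are deliberately kept in the sample to show they are not flagged.

```python
"""Triage helpers for DDS-style 'SERVICES / DRIVERS' and 'Created Last 30'
log sections.  Added example: sample lines are copied from the DDS log in
the post above; the scoring rules are assumptions, not DDS/FRST behaviour."""
import re
from datetime import date

# Report date taken from the DDS header: "Run by izi-2 at 19:19:26 on 2016-11-01"
REPORT_DATE = "2016-11-01"

# DDS service line: "<StartType> <Name>;<DisplayName>;<ImagePath> [<date> <size>]"
# When the image file is absent DDS renders it as "<path> --> <path> [?]".
SERVICE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
# Created-Last-30 line: "<YYYY-MM-DD> <HH:MM:SS> <size|--------> <attrs> <path>"
CREATED_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+\S+\s+\S+\s+(?P<path>.+)$")
VOWELS = set("aeiouy")

# Lines copied from the posted DDS log (SERVICES / DRIVERS section).
SERVICE_LINES = [
    r"S0 aswRvrt;avast! Revert;c:\windows\system32\drivers\aswRvrt.sys [2016-3-22 58776]",
    r"S0 wgptk;wgptk;c:\windows\system32\drivers\nfqida.sys --> c:\windows\system32\drivers\nfqida.sys [?]",
    r"S2 zmatfkbg;zmatfkbg;\??\c:\windows\system32\drivers\wwqca.sys --> c:\windows\system32\drivers\wwqca.sys [?]",
    r"S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2015-7-2 14944]",
    r"S3 VBoxNetFlt;VirtualBox Bridged Networking Service;c:\windows\system32\drivers\vboxnetflt.sys --> c:\windows\system32\drivers\VBoxNetFlt.sys [?]",
    r"S3 vmci;VMware VMCI Bus Driver;c:\windows\system32\drivers\vmci.sys --> c:\windows\system32\drivers\vmci.sys [?]",
]
# Lines copied from the posted DDS log (Created Last 30 section).
CREATED_LINES = [
    r"2027-11-27 03:34:00 -------- d-----w- C:\My Music",
    r"2016-10-31 23:27:47 -------- d-----w- C:\FRST",
    r"2016-10-31 19:35:35 52184 ----a-w- c:\windows\avastSS.scr",
]


def looks_random(name: str, max_vowel_ratio: float = 0.2) -> bool:
    """Heuristic (assumption): an all-lowercase alphabetic name of 5+ chars
    with almost no vowels (wgptk, zmatfkbg) is typical of generated rootkit
    service names.  It is only one signal; epmntdrv also matches, so it is
    never sufficient on its own."""
    if len(name) < 5 or not name.isalpha() or not name.islower():
        return False
    return sum(ch in VOWELS for ch in name) / len(name) < max_vowel_ratio


def parse_service(line: str):
    """Split one DDS service/driver line into its fields, or None if it is not one."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest").rstrip()
    missing = "-->" in rest and rest.endswith("[?]")
    # Missing files: keep the left-hand path; present files: drop the "[date size]" tail.
    path = rest.split(" --> ")[0] if missing else re.sub(r"\s+\[.*\]$", "", rest)
    path = path.replace("\\??\\", "")  # strip the NT object-manager prefix
    name, display = m.group("name"), m.group("display")
    return {
        "start": m.group("start"),
        "name": name,
        "display": display,
        "path": path,
        "missing_file": missing,
        "no_description": display.lower() == name.lower(),
        "random_name": looks_random(name),
        "early_start": m.group("start") in ("S0", "S1", "S2"),  # boot / system / auto
    }


def triage_services(lines):
    """Parse every service line and mark the ones worth a closer look.
    Rule (assumption): image file missing AND (no real display name OR
    generated-looking name).  A stale entry with a descriptive name, such as
    a leftover VirtualBox or VMware driver, is left unflagged."""
    results = []
    for line in lines:
        entry = parse_service(line)
        if entry is None:
            continue
        entry["suspicious"] = entry["missing_file"] and (entry["no_description"] or entry["random_name"])
        results.append(entry)
    return results


def future_created(lines, report_date: str):
    """Return paths created after the report date.  DDS lists the newest
    entries first, so a date later than the scan itself cannot be genuine:
    either the clock was wrong when the object was created or the timestamp
    was altered.  Both deserve a question to the machine's owner."""
    limit = date.fromisoformat(report_date)
    return [m.group("path") for m in map(CREATED_RE.match, lines)
            if m and date.fromisoformat(m.group("date")) > limit]


if __name__ == "__main__":
    for e in triage_services(SERVICE_LINES):
        if e["suspicious"]:
            print(f"SUSPICIOUS {e['start']} {e['name']}: image {e['path']} missing; "
                  f"no description={e['no_description']}, random name={e['random_name']}")
    for p in future_created(CREATED_LINES, REPORT_DATE):
        print(f"FUTURE-DATED {p}")
```

Run stand-alone, the script prints the two boot/auto-start entries (wgptk, zmatfkbg) and the future-dated folder, and nothing for aswRvrt, epmntdrv, VBoxNetFlt or vmci. The output is a reading list, not a verdict: a service whose image file is gone but whose registry key persists is exactly what remains after a partial clean-up, and the next step is to confirm the registry keys under HKLM\SYSTEM\CurrentControlSet\Services and collect the named .sys files (or their absence) before deleting anything.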