Author Topic: ntkrnlpa.exe error 0x86ee2168  (Read 7476 times)


trustbyte

  • Guest
ntkrnlpa.exe error 0x86ee2168
« on: October 29, 2011, 01:09:32 PM »
Hello,

I got one ugly virus through a Java applet last night (I should have uninstalled that piece of junk long ago) and even though I could unhide some of my missing desktop files, it moved my quick launch apps and I lost them, probably when I deleted all temp files.

Anyhow, these are the logs needed, attached.

Waiting for some news from your side.

Thanks.

PS: MBAM does not find anything now, nor does avast Home Edition, Stinger or any other antivirus app; only aswMBR pops the red flag.
« Last Edit: October 29, 2011, 01:33:49 PM by trustbyte »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: ntkrnlpa.exe error 0x86ee2168
« Reply #1 on: October 29, 2011, 01:18:15 PM »
I don't know what happened with your attachments, but the two most important ones are 0KB, empty.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

trustbyte
Re: ntkrnlpa.exe error 0x86ee2168
« Reply #2 on: October 29, 2011, 01:23:50 PM »
Yep, thanks David. I did not notice. One of them is fixed. Running aswMBR again as its log is messed up.

Update: now even aswMBR does not pop up the error. I uploaded a log that I could recover.
« Last Edit: October 29, 2011, 01:35:28 PM by trustbyte »

Offline DavidR
Re: ntkrnlpa.exe error 0x86ee2168
« Reply #3 on: October 29, 2011, 01:54:45 PM »
You're welcome.

I wish my malware removal skills extended beyond the obvious ;D

However, the aswMBR log data you provided does show Unknown entries with different numbers in some cases (the third log copy is a duplicate of the second), but is consistent in the Disk 0 unknown MBR code one.

00:51:38.390    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86ee2168]<<
####
10:59:21.046    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86e42c50]<<

That will need further investigation, I will try and have someone take a look at this.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: ntkrnlpa.exe error 0x86ee2168
« Reply #4 on: October 29, 2011, 02:13:19 PM »
Hi, I see you have run ComboFix, so I may not be able to recover all the icons/folders. Could you post the ComboFix log please?

 

Download RogueKiller to your desktop
 
  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 6 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe 

Please post the contents of the RKreport.txt in your next Reply.

THEN

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
    Quote
    :OTL
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - No CLSID value found.
    O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll File not found
    [2011/08/03 19:53:19 | 000,005,406 | -HS- | C] () -- C:\Documents and Settings\All Users\Datos de programa\hq01g0s5w55i87u83h06t5wlbps4s5g57jixp
    [2011/07/21 09:16:29 | 000,012,662 | -HS- | C] () -- C:\Documents and Settings\All Users\Datos de programa\g40oar5r55ds5exf8gb6ln
    [2011/07/04 11:05:28 | 000,013,712 | -HS- | C] () -- C:\Documents and Settings\All Users\Datos de programa\5g10dlpbayswnt6ic1kfu5n52cs32vkyjnm
    [2011/06/29 22:47:15 | 000,000,000 | -HSD | M] -- C:\Documents and Settings\All Users\Datos de programa\System Restore

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptyjava]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

trustbyte
Re: ntkrnlpa.exe error 0x86ee2168
« Reply #5 on: October 30, 2011, 03:25:54 PM »
The log from ComboFix I do not have, if that log is located inside the ComboFix folder (if it is saved somewhere else, tell me and I'll provide it).

I deleted ComboFix yesterday after I had run it. After reboot ComboFix was in some kind of loop, opening and closing one DOS window without end; after 5 minutes I force-ended it and deleted ComboFix. Today, after more thinking, it could be the fact that my Windows XP automatically logs in with a limited access account. I ran ComboFix initially as an admin account but at restart maybe it ran as the limited one, therefore the loop.

I attach the logs from RogueKiller and OTL after the repair and quick scan.

At this point, the links from my programs and quick launch are still gone and I don't believe it is possible to get them back. I tried with GetDataBack NTFS, searched for them, but they are corrupt. It is my fault as I deleted all my temp files immediately after being infected.

Thanks a lot for all your help.

Edit: as we speak aswMBR is running and again it popped up the red flag:

15:29:56.953    Disk 0 trace - called modules:
15:29:56.968    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86bfb3a8]<<
15:29:56.968    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86fd7ab8]
15:29:56.968    3 CLASSPNP.SYS[f755cfd7] -> nt!IofCallDriver -> \Device\00000089[0x86fd8f18]
15:29:56.968    5 ACPI.sys[f73cc620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x86f5e940]
15:29:56.968    \Driver\atapi[0x86fcdc00] -> IRP_MJ_CREATE -> 0x86bfb3a8
15:29:57.234    AVAST engine scan C:\WINDOWS
15:30:08.187    AVAST engine scan C:\WINDOWS\system32
« Last Edit: October 30, 2011, 03:31:47 PM by trustbyte »

Offline essexboy
Re: ntkrnlpa.exe error 0x86ee2168
« Reply #6 on: October 30, 2011, 03:54:39 PM »
OK, let's get as many icons back as we possibly can. The ComboFix log should be at C:\Combofix.txt. If you cannot find this, then re-run ComboFix and allow it to update if requested.

Restore Accessories Program Files Menu  
  
Please download this tool here.  
  
You will need to unzip the tool first.  
  
Once you've unzipped the tool, please double-click on it to run it.  
  
Ensure that the following check boxes are checked (as seen in this image below):  
  


  
Once they are, click on the Restore button.
 
 
 
Restore Admin Tools Program Files Menu  
  
Please download this tool here.  
  
You will need to unzip the tool first.  
  
Once you've unzipped the tool, please double-click on it to run it.  
  
Click on the Restore Administrative Tools Items button.  
  
As seen in this image below:  
  


 
This next one will produce the necessary shortcut links which you can cut and paste into the start menu folder
Download the repair.vbs file to your desktop
Run the repair.vbs
It will ask for a folder name; call it recovery
The tool will let you know when it is finished
On the desktop will be a recovery folder  
Open the folder
Cut and Paste the links that you want to C:\documents and settings\your name\start menu


« Last Edit: October 30, 2011, 03:57:38 PM by essexboy »

trustbyte
Re: ntkrnlpa.exe error 0x86ee2168
« Reply #7 on: October 30, 2011, 04:25:46 PM »
Thank you for your fast reply.

I managed to get back Accessories. No to Administrative Tools, it popped up an error (probably because of my Spanish Windows?!), and no to that .vbs, the result in recovery is only a directory "Windows Sidebar".

I ran ComboFix again directly as an admin user; it did not restart Windows, just closed all apps, said it deleted some files and finished showing a log file.

I manually rebooted once it finished and ran aswMBR again and got the red flag again, this time another Unknown error.

Attached the log files.


Offline essexboy
Re: ntkrnlpa.exe error 0x86ee2168
« Reply #8 on: October 30, 2011, 06:12:44 PM »
It looks as though it actually exported the icons and folders to somewhere online - this is the first time I have seen this so I need to check it out. But from a clean computer I would recommend that you change all passwords and alert any online banks that you may be compromised.

Quote
"161:TCP"= 161:TCP:snmp
"162:TCP"= 162:TCP:snmp2
"161:UDP"= 161:UDP:snmp3
"162:UDP"= 162:UDP:snmp4

Download the latest version of TDSSKiller from here and save it to your Desktop.
 
 
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
     

     
  • Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
     

     
  • Click the Start Scan button.
     

     
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
     

     
  • If malicious objects are found, they will show in the Scan results and offer three (3) options.
  • Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
     

     
  • Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

trustbyte
Re: ntkrnlpa.exe error 0x86ee2168
« Reply #9 on: October 30, 2011, 07:52:09 PM »
I believe those SNMP entries are some of my firewall rule exceptions. Hope I'm not mistaken. Anyway, all my bank transactions require a second confirmation code that is random and not stored on my PC; even my Gmail access has this. Either way, I changed them.

Here you have 2 logs from TDSSKiller, one from the evening of my infection and one from today, after many tries to get rid of the virus.

One other note: every time I scan with aswMBR I get a different UNKNOWN code.
This one is from a few moments ago:
Disk 0 trace - called modules:
19:37:48.953    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86eb0d90]<<
19:37:48.953    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86ef6ab8]

This one is from 5 pm:

16:59:42.781    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86eac100]<<
16:59:42.781    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86ef1ab8]
16:59:42.781    3 CLASSPNP.SYS[f755cfd7] -> nt!IofCallDriver -> \Device\00000088[0x86f6a930]
16:59:42.781    5 ACPI.sys[f73cc620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x86f69d98]
16:59:42.796    \Driver\atapi[0x86f32030] -> IRP_MJ_CREATE -> 0x86eac100
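
The aswMBR lines quoted in this thread are a trace of the modules on the disk I/O path, ending in an address the tool could not attribute to a recognised module (the `>>UNKNOWN [...]<<` marker), and the last line of each block shows which driver dispatch entry points at that address. As an added example, not part of the thread and not aswMBR's or Avast's code, here is a small Python parser for that format: it pulls out the module chain, the unattributed address and the dispatch entry, checks that the two addresses agree as they do in the quoted logs, and lists the distinct addresses seen across runs. The sample log is constructed from the two runs quoted above; the "Disk 0 trace" header line of the second run is assumed, since it was not quoted.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the two aswMBR "Disk 0 trace" blocks quoted in this thread
# (the 15:29 and 16:59 runs) pasted back to back. The "Disk 0 trace" header line
# of the second run was not quoted in the thread and is supplied here.
SAMPLE_LOG = r"""
15:29:56.953    Disk 0 trace - called modules:
15:29:56.968    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86bfb3a8]<<
15:29:56.968    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86fd7ab8]
15:29:56.968    3 CLASSPNP.SYS[f755cfd7] -> nt!IofCallDriver -> \Device\00000089[0x86fd8f18]
15:29:56.968    5 ACPI.sys[f73cc620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x86f5e940]
15:29:56.968    \Driver\atapi[0x86fcdc00] -> IRP_MJ_CREATE -> 0x86bfb3a8
15:29:57.234    AVAST engine scan C:\WINDOWS
16:59:42.781    Disk 0 trace - called modules:
16:59:42.781    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86eac100]<<
16:59:42.781    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86ef1ab8]
16:59:42.781    3 CLASSPNP.SYS[f755cfd7] -> nt!IofCallDriver -> \Device\00000088[0x86f6a930]
16:59:42.781    5 ACPI.sys[f73cc620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x86f69d98]
16:59:42.796    \Driver\atapi[0x86f32030] -> IRP_MJ_CREATE -> 0x86eac100
"""

TS = r"^\d\d:\d\d:\d\d\.\d+\s+"                      # aswMBR timestamp prefix
HEADER_RE = re.compile(TS + r"Disk (\d+) trace - called modules:")
# module chain, optionally ending in aswMBR's >>UNKNOWN [addr]<< marker
CHAIN_RE = re.compile(TS + r"(.+?)(?:\s*>>UNKNOWN \[(0x[0-9a-f]+)\]<<)?\s*$", re.I)
# "\Driver\name[obj] -> IRP_MJ_XXX -> handler" line at the bottom of the trace
DISPATCH_RE = re.compile(
    TS + r"(\\Driver\\[^\[\s]+)\[(0x[0-9a-f]+)\] -> (IRP_MJ_\w+) -> (0x[0-9a-f]+)", re.I)


@dataclass
class DiskTrace:
    disk: int
    modules: List[str] = field(default_factory=list)      # attributed modules on the path
    unknown: Optional[str] = None                          # address aswMBR could not attribute
    dispatch: Optional[Tuple[str, str, str]] = None        # (driver object, IRP major, handler)


def parse_traces(text: str) -> List[DiskTrace]:
    """Split an aswMBR log into one DiskTrace per 'Disk N trace' block."""
    traces: List[DiskTrace] = []
    expect_chain = False
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            traces.append(DiskTrace(disk=int(m.group(1))))
            expect_chain = True          # the module chain is the very next line
            continue
        if not traces:
            continue
        cur = traces[-1]
        if expect_chain:
            m = CHAIN_RE.match(line)
            if m:
                cur.modules = m.group(1).split()
                cur.unknown = m.group(2).lower() if m.group(2) else None
            expect_chain = False
            continue
        m = DISPATCH_RE.match(line)
        if m:
            cur.dispatch = (m.group(1), m.group(3), m.group(4).lower())
    return traces


def assess(trace: DiskTrace) -> str:
    """One-line verdict: is the last hop of the disk path attributed to a module?"""
    if trace.unknown is None:
        return "all modules attributed"
    if trace.dispatch and trace.dispatch[2] == trace.unknown:
        driver, irp, _ = trace.dispatch
        return f"{driver} {irp} handler points into unattributed code at {trace.unknown}"
    return f"unattributed code at {trace.unknown} (no matching dispatch line)"


def unknown_addresses(traces: List[DiskTrace]) -> List[str]:
    """Distinct unattributed addresses across runs. A value that moves between
    boots says nothing by itself about whether the code is benign or not."""
    return sorted({t.unknown for t in traces if t.unknown})


if __name__ == "__main__":
    runs = parse_traces(SAMPLE_LOG)
    for t in runs:
        print(f"disk {t.disk}: {' -> '.join(t.modules)} :: {assess(t)}")
    print("unattributed addresses seen:", unknown_addresses(runs))
```

The verdict string only says that the handler is not attributed, which is exactly what the tool reports. Deciding whether that code belongs to a legitimate driver (the helper in this thread suspects Daemon Tools) or to a rootkit still means resolving the address against the list of drivers loaded on the box, which this script does not do.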



Offline essexboy
Re: ntkrnlpa.exe error 0x86ee2168
« Reply #10 on: October 30, 2011, 10:13:50 PM »
Aye, I have just been informed of that by another expert. It is just a coincidence that it is the same name as the folder where the malware hides the shortcuts and folders.

The aswMBR result could be a part of Daemon Tools; however, I would like to do another check on the MBR.

Please download MBRCheck.exe to your Desktop. Run the application.
 
If no infection is found, it will produce a report on the desktop. Post that report in your next reply.
 
If an infection is found, you will be presented with the following dialog:
 
Quote
Enter 'Y' and hit ENTER for more options, or 'N' to exit: 

 
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

trustbyte
Re: ntkrnlpa.exe error 0x86ee2168
« Reply #11 on: October 31, 2011, 12:06:46 AM »
It reports that it could be a virus, and reports unknown MBR code. I do have CentOS with its bootloader installed, GRUB.

The log is attached.

Thanks!
« Last Edit: October 31, 2011, 12:09:39 AM by trustbyte »

Offline essexboy
Re: ntkrnlpa.exe error 0x86ee2168
« Reply #12 on: October 31, 2011, 07:22:16 PM »
GRUB would produce the unknown MBR - what are your current problems?
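
Reply #12 points out that GRUB's own boot code shows up as "unknown MBR code" to a Windows-oriented checker. As an added illustration, not code from the thread or from MBRCheck, the Python below shows how such a checker tells the two apart: it verifies the 0x55AA boot signature, looks in the 446-byte boot-code area for the strings the Windows 2000/XP MBR and GRUB's boot sector are known to carry, and decodes the partition table. The two sectors it classifies are fixtures built by `build_sector`; they are constructed for the example and are not images of a real disk.

```python
import struct

BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510-511 of every valid MBR
CODE_AREA_END = 446            # boot code occupies bytes 0-445; the partition table follows

# Strings the two boot-code families are known to carry in the first sector.
# Windows 2000/XP MBR code holds three error messages; GRUB's 512-byte boot
# sector (legacy stage1 and GRUB 2 boot.img alike) holds the "GRUB " tag and
# its own short error strings.
KNOWN_CODE = {
    "Windows MBR": (b"Invalid partition table", b"Error loading operating system",
                    b"Missing operating system"),
    "GRUB boot sector": (b"GRUB ", b"Geom", b"Hard Disk", b"Read", b" Error"),
}


def classify_mbr(sector: bytes) -> str:
    """Name the boot-code family, or report 'unknown boot code' when nothing matches."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        return "no boot signature"
    code = sector[:CODE_AREA_END]
    for name, markers in KNOWN_CODE.items():
        if all(m in code for m in markers):
            return name
    return "unknown boot code"


def partition_table(sector: bytes) -> list:
    """Decode the four 16-byte partition entries; unused slots (type 0) are skipped."""
    entries = []
    for i in range(4):
        entry = sector[CODE_AREA_END + 16 * i: CODE_AREA_END + 16 * (i + 1)]
        ptype = entry[4]
        if ptype == 0:
            continue
        start_lba, sector_count = struct.unpack_from("<II", entry, 8)
        entries.append({"active": entry[0] == 0x80, "type": ptype,
                        "start_lba": start_lba, "sectors": sector_count})
    return entries


def build_sector(strings, partitions=()) -> bytes:
    """Constructed fixture, not a real disk image: pad the given strings into the
    boot-code area and append partition entries given as (active, type, start_lba, sectors)."""
    code = b"\x00".join(strings).ljust(CODE_AREA_END, b"\x00")
    table = b"".join(
        bytes([0x80 if active else 0x00, 0, 0, 0, ptype, 0, 0, 0]) + struct.pack("<II", start, count)
        for active, ptype, start, count in partitions
    ).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


# Constructed samples: a Windows-only disk, and a dual-boot disk (NTFS 0x07 plus
# Linux 0x83) whose first sector holds GRUB's boot code instead of Microsoft's.
WINDOWS_SAMPLE = build_sector(KNOWN_CODE["Windows MBR"], [(True, 0x07, 63, 20_000_000)])
GRUB_SAMPLE = build_sector(KNOWN_CODE["GRUB boot sector"],
                           [(True, 0x07, 63, 20_000_000), (False, 0x83, 20_000_063, 10_000_000)])


if __name__ == "__main__":
    for label, sector in (("windows-only", WINDOWS_SAMPLE), ("dual-boot", GRUB_SAMPLE)):
        print(f"{label}: {classify_mbr(sector)}")
        for e in partition_table(sector):
            print(f"  type 0x{e['type']:02x} active={e['active']} "
                  f"start={e['start_lba']} sectors={e['sectors']}")
```

On a real machine the first sector would be read with dd from a trusted boot medium and compared against a known-good copy. "Unknown boot code" from a checker means only that it did not recognise the code, as with GRUB here; it says nothing about whether the code is clean or malicious.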

trustbyte
Re: ntkrnlpa.exe error 0x86ee2168
« Reply #13 on: October 31, 2011, 08:20:54 PM »
At this point no obvious signs of a virus, but I can't tell 100% that my system is clean.
It could be a false alarm from aswMBR, right?

avast! is on and does not report anything suspicious.


Offline essexboy
Re: ntkrnlpa.exe error 0x86ee2168
« Reply #14 on: October 31, 2011, 08:30:35 PM »
I can see no apparent malware - but run for a day or so and if nothing re-appears I will remove my tools and tidy up.