
STILL having same mysterious problem

Discussion in 'Virus & Other Malware Removal' started by FATCAT1MS, Sep 22, 2004.

Thread Status:
Not open for further replies.
  1. FATCAT1MS

    FATCAT1MS Thread Starter

    Joined:
    Dec 10, 2003
    Messages:
    23

    I have had this deal going on for some time now ...Norton's Firewall alerts me to the following:

    An instance of "C:\WINDOWS\SYSTEM\KRNL386.EXE" is preparing to access the Internet for the first time

    I have been told that KRNL386.exe should not attempt to access the internet ...I suspect that spyware, a keylogger etc. has somehow been introduced into this file??? I previously had the stuff remotely installed and removed ...maybe this is another, smarter way to install it?

    I've used several different scans of the KRNL386.exe file and all have said it's clean ...but the alerts continue.

    Anyone got any ideas ?

    Thanks
     
  2. KrashedKris

    KrashedKris

    Joined:
    Dec 23, 2003
    Messages:
    262
    Well, according to Symantec's write-up here it is a low-risk situation ...

    http://service1.symantec.com/SUPPOR...85256ede00518d98?OpenDocument&src=bar_sch_nam

    But as I'm also a cautious individual like you then I'd also be inclined to enquire further (y)

    Maybe worth uploading your C:\WINDOWS\SYSTEM\KRNL386.EXE file to this multi-AV site for another round of scans -

    http://virusscan.jotti.dhs.org/

    What happens if you deny access? Can you still get on the web okay - any other symptoms, programs not working etc?

    Also worth posting a "Hijack This" log to this thread, as follows -

    Download the free diagnostic/repair application "Hijack This" from here -
    http://www.aumha.org/downloads/hijackthis.exe

    Create a new folder named "HJT" for it and move the hijackthis.exe file into the new folder. Run the scan, save the text logfile of the scan results and post the results back to this thread, but DO NOT FIX ANYTHING with HijackThis until your log has been examined by a knowledgeable responder; most of the items in the scan are required system or application files.
     
  3. KrashedKris

    KrashedKris

    Joined:
    Dec 23, 2003
    Messages:
    262
    Actually I just re-read that Symantec write-up and noticed that "The KRNL386.exe file may be loading the Windows File and Print Sharing client."

    Hmmmm - don't know too much about this but I have heard that Windows File and Print Sharing can be a security risk - do you have this enabled? If so, try disabling it and see what happens.

    Are you running WinXP and if so do you have SP2 installed? I believe SP2 closes off a lot of potential security loopholes of this nature.
     
  4. FATCAT1MS

    FATCAT1MS Thread Starter

    Joined:
    Dec 10, 2003
    Messages:
    23
    Logfile of HijackThis v1.97.7
    Scan saved at 11:28:05 AM, on 9/22/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISSERV.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SYMTRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\NISUM.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\IAMAPP.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NORTON PERSONAL FIREWALL\ATRACK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\NMAIN.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\system32\blank.htm
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
    O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [nisserv] C:\Program Files\Norton Personal Firewall\NISSERV.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
    O4 - HKLM\..\RunServices: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
    O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
    O14 - IERESET.INF: SEARCH_PAGE_URL=
    O14 - IERESET.INF: START_PAGE_URL=
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38131.5918171296
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9.5/ticker.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: Yahoo! Chat - http://cs5.chat.sc5.yahoo.com/c381/chat.cab
    O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {DED22F57-FEE2-11D0-953B-00C04FD9152D} (CarPoint Auto-Pricer Control) - http://autos.msn.com/components/ocx/autopricer/autopricer.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon/download/tgctlcm.cab
    O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
    O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
    O16 - DPF: {860D5AAC-D059-4C9F-93D3-3FD6FBB6872F} (AuroraCtrl Class) - http://www.theiceberg.com/aurora/1.0.2.78/client.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: DigiChat Applet - http://63.208.2.51/DigiChat/DigiClasses/Client_IE.cab
    O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/06972700cbe1de42ce17/netzip/RdxIE601.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
     
  5. FATCAT1MS

    FATCAT1MS Thread Starter

    Joined:
    Dec 10, 2003
    Messages:
    23
    Running WIN98SE
     
  6. FATCAT1MS

    FATCAT1MS Thread Starter

    Joined:
    Dec 10, 2003
    Messages:
    23
    Here's the JOTTI scan results:




    File: Krnl386.exe
    Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
    Packers detected: None

    AntiVir No viruses found (1.37 seconds taken)
    Avast No viruses found (4.79 seconds taken)
    BitDefender No viruses found (4.07 seconds taken)
    ClamAV No viruses found (6.95 seconds taken)
    Dr.Web No viruses found (4.21 seconds taken)
    F-Prot Antivirus No viruses found (0.37 seconds taken)
    F-Secure Anti-Virus No viruses found (4.38 seconds taken)
    Kaspersky Anti-Virus No viruses found (4.21 seconds taken)
    mks_vir No viruses found (1.51 seconds taken)
    NOD32 No viruses found (2.17 seconds taken)
    Norman Virus Control No viruses found (0.94 seconds taken)

    Statistics
    Last piece of malware found was Heuristic/Trojan.FWKiller in Main.exe, detected by:

    Scanner Malware name Time taken
    AntiVir Heuristic/Trojan.FWKiller 1.27 seconds
    Avast Win32:SdBot-451 3.35 seconds
    BitDefender X 2.72 seconds
    ClamAV X 7.42 seconds
    Dr.Web X 4.16 seconds
    F-Prot Antivirus X 0.35 seconds
    F-Secure Anti-Virus X 5.87 seconds
    Kaspersky Anti-Virus X 9.86 seconds
    mks_vir X 3.77 seconds
    NOD32 probably unknown NewHeur_PE 4.50 seconds
    Norman Virus Control Sandbox: W32/Backdoor 4.10 seconds
     
  7. KrashedKris

    KrashedKris

    Joined:
    Dec 23, 2003
    Messages:
    262
    Hi fatcat, looks like your Krnl386.exe is legit then, so nothing to worry about in itself; however, the fact that it wants to get on the net is still possibly something to address.

    I'm not a HijackThis log expert, but I looked at your log and I think these can be removed unless you are convinced they are safe and you need them for some purpose (run HijackThis, check the following and hit "Fix checked"):

    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/0697270...ip/RdxIE601.cab

    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab


    Your version of HijackThis is slightly outdated so could you get the latest version (v1.98.2) from here and post a new log -

    http://www.aumha.org/downloads/hijackthis.exe

    When you get the Norton firewall alert about krnl386.exe do you deny access, and if so, do you experience any problems using the net or other symptoms?

    Have you checked that you have disabled Windows File and Print Sharing?

    (Following instructions quoted from Symantec Support as linked at end.)

    Windows 95/98/Me users

    To Disable file and print sharing
    Perform these steps if you do not need to share files or printers on your network.

    Right-click the Network Neighborhood or the My Network Places icon on the Windows desktop.
    Click Properties.
    Click the Configuration tab.
    Click Client for Microsoft Networks.
    Click File and Print Sharing.
    Uncheck both boxes, and then click OK.


    http://service1.symantec.com/SUPPOR...00091415173339?OpenDocument&ExpandSection=2,3
     
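The O16 entries KrashedKris picks out above are the ones whose download location cannot be tied to a recognisable vendor, for example a bare IP address like 64.124.45.181. The following Python script is an added example (not from this thread and not part of HijackThis) that applies that same triage to every "O16 - DPF:" line in a log rather than to three entries chosen by eye: it parses each entry's CLSID, display name and download URL, then flags controls fetched from a bare IP address, from a host outside a known-vendor list, or recorded without a CLSID. The SAMPLE_LOG lines are constructed from the log posted earlier in the thread, and the KNOWN_VENDORS set is an assumption made for this illustration, not a list the page gives.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in HijackThis v1.97 log format, modelled on the log posted
# in this thread (a subset of its lines, plus one O4 line to show that
# non-O16 lines are skipped).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38131.5918171296
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup.cab
O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: DigiChat Applet - http://63.208.2.51/DigiChat/DigiClasses/Client_IE.cab
"""

O16_PREFIX = "O16 - DPF: "
CLSID_RE = re.compile(r"\{([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}")
NAME_RE = re.compile(r"\(([^)]*)\)")

# Assumed list of vendor domains you are prepared to trust for this triage
# (an assumption for the example, not something the thread states).
KNOWN_VENDORS = {"microsoft.com", "macromedia.com", "apple.com", "symantec.com"}


def parse_o16(line):
    """Split one 'O16 - DPF:' line into (clsid, name, url); None for any other line."""
    line = line.strip()
    if not line.startswith(O16_PREFIX):
        return None
    # The URL always follows the last ' - '; everything before it describes the control.
    descriptor, sep, url = line[len(O16_PREFIX):].rpartition(" - ")
    if not sep:
        return None
    m = CLSID_RE.search(descriptor)
    clsid = m.group(1).upper() if m else None
    rest = CLSID_RE.sub("", descriptor).strip()
    m = NAME_RE.search(rest)
    name = m.group(1) if m else (rest or None)
    return clsid, name, url


def is_ip_literal(host):
    """True when the download host is a bare IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def vendor_known(host):
    """True when host is one of KNOWN_VENDORS or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_VENDORS)


def triage_o16(log_text):
    """Return [(url, [reasons])] for O16 entries that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_o16(line)
        if parsed is None:
            continue
        clsid, name, url = parsed
        host = urlsplit(url).hostname or ""
        reasons = []
        if is_ip_literal(host):
            reasons.append("fetched from a bare IP address, not a vendor domain")
        elif not vendor_known(host):
            reasons.append("host %s is not on the known-vendor list" % host)
        if clsid is None:
            reasons.append("no CLSID recorded, so it cannot be matched to a registered control")
        if reasons:
            findings.append((url, reasons))
    return findings


if __name__ == "__main__":
    for url, reasons in triage_o16(SAMPLE_LOG):
        print(url)
        for r in reasons:
            print("   -", r)
```

A flagged entry only means the control cannot be attributed to a vendor you trust, not that it is malicious; since "Fix checked" on an O16 line deletes the downloaded control, confirm what each flagged entry is before fixing it, as the thread advises.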
  8. FATCAT1MS

    FATCAT1MS Thread Starter

    Joined:
    Dec 10, 2003
    Messages:
    23
    Thanks ...

    Yes to both: denying KRNL386.exe access via Norton's firewall ...and the disabling of file sharing.

    There's no problem connecting or surfing the net etc. ...it's just the "strangeness" of the KRNL386.exe trying to access the net ...???

    The thing that really got me thinking "spyware" is the fact that the person who remotely installed the keylogger on my machine, verifiably, has just come online when the KRNL file attempts to make access. I've caught this scenario several times.

    Another thing I've noticed is that when this KRNL deal happens, my mouse cursor acts erratically, more or less on its own ...it may suddenly go anywhere on the screen. I can retrieve it, but it's the same movement that alerted me to the keylogger in the first place.

    I don't know if spyware could somehow be piggy-backed onto the KRNL386.exe file ...but I'd love to should anyone know.

    Thanks again.
     
  9. KrashedKris

    KrashedKris

    Joined:
    Dec 23, 2003
    Messages:
    262
    May be worth running an anti-trojan over your machine; try the TDS-3 free evaluation version. I'm copying these directions for using TDS-3 from a recent post by dvk01 (thanks Derek):

    TDS3 from http://tds.diamondcs.com.au/

    download & install the 30 day free trial, update it manually as described here http://tds.diamondcs.com.au/index.php?page=update as the trial version doesn't have auto update enabled

    Then press Scan Control and tick all the little boxes in the bottom part of that window, press Save Configuration and then close that window by pressing the red X in the top right corner. Then select System Testing and select Full System Scan.

    sit back with a cup of coffee and watch what it finds

    NOTE:

    Unlike set and forget av's TDS works with you, it doesn't auto delete anything but puts a list of found suspect files in the bottom window

    Right-click any file it finds and it gives you options on dealing with it. The normal selection would be Delete, but first select "Save as text"; that will create a logfile of all the found suspect files and put it in the TDS directory, called scandump.txt.

    post back with the tds log after running please, just copy & paste the entries from the scandump.txt
    __________________
     
  10. FATCAT1MS

    FATCAT1MS Thread Starter

    Joined:
    Dec 10, 2003
    Messages:
    23
    KK ...

    I had previously dl'ed TDS and ran it (didn't understand much of it)...my 30 day trial has expired ...BUT,
    I just recovered some of the results and what do you know ...the entries you advised me of from the HJT scan were there.

    I already took care of them ...now I'll wait and see if I still have the problem.

    Thanks
     
  11. KrashedKris

    KrashedKris

    Joined:
    Dec 23, 2003
    Messages:
    262
    (y) hope everything stays :cool: now

    The other recommended anti-trojan that has a 30-day free evaluation is TrojanHunter from -

    www.misec.net

    It's easier to use for non-techies than TDS-3 but doesn't have quite such an extensive database or as many features - however may be worth you checking it out if you want to monitor your system for potential trojan activity for a while longer. In general it's worth having an anti-trojan program (TDS-3, TrojanHunter, BOClean recommended) in addition to an AV program if you can afford it, as it gives you an extra layer of protection.

    There is also a² free from http://www.emsisoft.com/en/software/free/ which I have seen mentioned as a worthwhile scanner.

    And of course those indispensable free anti-spyware/adware scanners Spybot Search & Destroy and AdAware SE if you don't have these already -

    http://www.safer-networking.org/en/download/

    www.lavasoft.de


    btw found this thread at Broadband Reports Security Forum discussing krnl386.exe trying to access internet -

    http://www.dslreports.com/forum/remark,254271
     
Short URL to this thread: https://techguy.org/276839
