eset error communicating with kernel [tried eset knowledgebase]

I generally keep my computer on sleep and restart it once a week or so. I noticed odd behavior where explorer.exe would crash on me whenever I would try to open an exe or video unless I ran it as administrator.

I decided to reboot, and as soon as I did I saw at the bottom left corner a very minimized window, and I found in my processes something named "uninst000.exe". I promptly ended the process tree.

After that I figured it'd be a good idea to grab eset and spybot and give it a run.

______________________________________

Spybot yields:


Win32.Downloader.gen: [sBI $E6AD2227] Program directory (Directory, nothing done)
  C:\Users\(user)\AppData\Local\Conduit\
 
 
--- Spybot - Search & Destroy version: 1.6.2  (build: 20090126) ---
 
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2014-02-20 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2014-01-08 Includes\Adware-000.sbi (*)
2014-01-08 Includes\Adware-001.sbi (*)
2014-02-19 Includes\Adware-C.sbi (*)
2014-01-08 Includes\Adware.sbi (*)
2014-01-13 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2014-01-08 Includes\Dialer-000.sbi (*)
2014-01-08 Includes\Dialer-001.sbi (*)
2014-01-08 Includes\Dialer-C.sbi (*)
2014-01-08 Includes\Dialer.sbi (*)
2014-01-13 Includes\DialerC.sbi (*)
2013-04-11 Includes\HeavyDuty.sbi (*)
2014-01-08 Includes\Hijackers-000.sbi (*)
2014-01-08 Includes\Hijackers-001.sbi (*)
2014-01-08 Includes\Hijackers-C.sbi (*)
2014-01-08 Includes\Hijackers.sbi (*)
2014-01-13 Includes\HijackersC.sbi (*)
2014-01-08 Includes\iPhone-000.sbi (*)
2014-01-08 Includes\iPhone.sbi (*)
2014-01-08 Includes\Keyloggers-000.sbi (*)
2014-01-08 Includes\Keyloggers-C.sbi (*)
2014-01-08 Includes\Keyloggers.sbi (*)
2014-01-13 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2014-01-09 Includes\Malware-000.sbi (*)
2014-01-09 Includes\Malware-001.sbi (*)
2014-01-09 Includes\Malware-002.sbi (*)
2014-02-05 Includes\Malware-003.sbi (*)
2014-01-28 Includes\Malware-004.sbi (*)
2014-01-09 Includes\Malware-005.sbi (*)
2014-01-09 Includes\Malware-006.sbi (*)
2014-01-09 Includes\Malware-007.sbi (*)
2014-02-19 Includes\Malware-C.sbi (*)
2014-01-13 Includes\Malware.sbi (*)
2014-01-13 Includes\MalwareC.sbi (*)
2014-01-15 Includes\PUPS-000.sbi (*)
2014-01-15 Includes\PUPS-001.sbi (*)
2014-01-15 Includes\PUPS-002.sbi (*)
2014-02-19 Includes\PUPS-C.sbi (*)
2014-01-13 Includes\PUPS.sbi (*)
2014-01-13 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2014-01-08 Includes\Security-000.sbi (*)
2014-01-08 Includes\Security-C.sbi (*)
2014-01-08 Includes\Security.sbi (*)
2014-01-13 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2014-01-08 Includes\Spyware-000.sbi (*)
2014-01-08 Includes\Spyware-001.sbi (*)
2014-01-08 Includes\Spyware-C.sbi (*)
2014-01-08 Includes\Spyware.sbi (*)
2014-01-08 Includes\SpywareC.sbi (*)
2012-11-19 Includes\Tracks.uti
2014-01-15 Includes\Trojans-000.sbi (*)
2014-01-15 Includes\Trojans-001.sbi (*)
2014-01-15 Includes\Trojans-002.sbi (*)
2014-01-15 Includes\Trojans-003.sbi (*)
2014-01-15 Includes\Trojans-004.sbi (*)
2014-01-15 Includes\Trojans-005.sbi (*)
2014-01-15 Includes\Trojans-006.sbi (*)
2014-01-15 Includes\Trojans-007.sbi (*)
2014-01-15 Includes\Trojans-008.sbi (*)
2014-01-15 Includes\Trojans-009.sbi (*)
2014-02-19 Includes\Trojans-C.sbi (*)
2014-01-15 Includes\Trojans-OG-000.sbi (*)
2014-01-15 Includes\Trojans-TD-000.sbi (*)
2014-01-15 Includes\Trojans-VM-000.sbi (*)
2014-01-15 Includes\Trojans-VM-001.sbi (*)
2014-01-15 Includes\Trojans-VM-002.sbi (*)
2014-01-15 Includes\Trojans-VM-003.sbi (*)
2014-01-15 Includes\Trojans-VM-004.sbi (*)
2014-01-15 Includes\Trojans-VM-005.sbi (*)
2014-01-15 Includes\Trojans-VM-006.sbi (*)
2014-01-15 Includes\Trojans-VM-007.sbi (*)
2014-01-15 Includes\Trojans-VM-008.sbi (*)
2014-01-15 Includes\Trojans-VM-009.sbi (*)
2014-01-15 Includes\Trojans-VM-010.sbi (*)
2014-01-15 Includes\Trojans-VM-011.sbi (*)
2014-01-15 Includes\Trojans-VM-012.sbi (*)
2014-01-15 Includes\Trojans-VM-013.sbi (*)
2014-01-15 Includes\Trojans-VM-014.sbi (*)
2014-01-15 Includes\Trojans-VM-015.sbi (*)
2014-01-15 Includes\Trojans-VM-016.sbi (*)
2014-01-15 Includes\Trojans-VM-017.sbi (*)
2014-01-15 Includes\Trojans-VM-018.sbi (*)
2014-01-15 Includes\Trojans-VM-019.sbi (*)
2014-01-15 Includes\Trojans-VM-020.sbi (*)
2014-01-15 Includes\Trojans-VM-021.sbi (*)
2014-01-15 Includes\Trojans-VM-022.sbi (*)
2014-01-15 Includes\Trojans-VM-023.sbi (*)
2014-01-15 Includes\Trojans-VM-024.sbi (*)
2014-01-15 Includes\Trojans-ZB-000.sbi (*)
2014-01-15 Includes\Trojans-ZL-000.sbi (*)
2014-01-09 Includes\Trojans.sbi (*)
2014-01-09 Includes\TrojansC-02.sbi (*)
2014-01-09 Includes\TrojansC-03.sbi (*)
2014-01-16 Includes\TrojansC-04.sbi (*)
2014-01-09 Includes\TrojansC-05.sbi (*)
2014-01-09 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
 
 
______________________________________

Keep in mind that I live in a place with several others and that has frequent guests, so I have my own keylogger on my system for when I am away, so anything with a keylogger may be a false positive. I have had this logger for half a year now and have not had issues. These issues I have been having only manifested within the last several days.

Spybot originally could not remove Win32.Downloader.gen, so it tried to remove it during boot and it still could not. Eset also found it and could not clean nor delete it.

However, when eset ran a reboot, it refused to run, giving an error message saying "error communicating with kernel". I ran through the eset knowledgebase. The ESET Service entry in services.msc was on automatic but was not started. When I tried to start it, it displays an error message:

"Windows could not start the ESET Service service on Local Computer.

Error 1053: The service did not respond to the start or control request in a timely fashion"

I ran both the sirefef cleaner and the ircbot cleaner provided in the knowledgebase and both had no effect.

What should be my next step? Run eset or spybot in safemode?

Edited by Marcos: Dxdiag log moved to a file

Hello Featherless,

I noticed your username in your posted logs.

Requesting you or ESET staff remove this for your own personal security.

uninst000.exe is not necessarily a malicious running process, but a common name used for uninstallers for a wide .... HUGE range of applications. It's almost a standard etiquette in development.

Let's start with what version of ESET are you running?

Have you tried Hitman Pro, TDSS Killer from Kaspersky for rootkits, and Emsisoft Emergency Kit?

My first recommendation would be safemode with networking running HitmanPro, then immediately after, reset all your browsers. "RESET"

Do you know how to create a SysRescue Utility?

Create SysRescue

Would advise creating one and scanning your machine using SysRescue with the latest up-to-date definitions; ESET now detects most variants of Conduit. Although a browser reset is also needed after the fact.

Good luck ;)

If you have an active subscription with ESET, you have free US support by phone.

Contact them during normal business hours, and the techs @ level 3 will provide assistance as well. :)

Thanks for the reply Arakasi. I edited the post.

I just ran eset and spybot in safemode. Eset was able to function in safemode.

I returned back to normal windows and eset kind of worked for a little. The program was open but the control panel was blank white. After about a minute the error window reappeared saying it had an error communicating with the kernel. So whatever it got rid of in safemode just re-executed itself.

I will try what you said Arakasi.

EDIT: Also, I have only tried eset and spybot. The version of eset I am using is a 30-day trial version. I just downloaded it a couple hours ago off the website.

EDIT2: I just ran rkill and it found two processes:

 * C:\Windows\SysWOW64\ExMgr.exe (PID: 4300) [WD-HEUR]
 * C:\Windows\system\ATLOISAService.exe (PID: 4556) [WD-HEUR]

EDIT3: Also, pretty sure it is not a conduit issue. I accidentally installed a conduit search bar extension while installing a legitimate program. I believe it was mumble or something similar; I am not remembering at the moment. I know exactly how I got this issue and I am pretty sure it is not conduit (then again you never know. I don't want to rule anything out).

***EDIT 4: Possible solution?
Thank you Arakasi for all the suggestions. I grabbed everything just in case I need to use them.

I decided to try out Hitman Pro first.

I booted into safemode with networking mode. I ran rkill first and let that run. Then I ran hitman pro. It detected a number of conduit and rocketfuel entries, both of which were on ignore at first, but I deleted all of them. There were also a number of cookies.

I am not sure if it is fixed yet or not, but I can now at least run eset on normal windows, which is a good sign. Not sure how to make sure everything is cleared.

***EDIT 5: NOT SOLVED. Things seemed to have been functioning much better and how they should. While making up for lost time for a couple hours and while malwarebytes was running a full scan, everything was fine. After the full malwarebytes scan and some more conduit registries found, I restarted my computer. Once the computer was booted back up again, eset once again had the kernel issue described above. So far everything else seems to be running fine, however I feel like the malware still exists. Going to sleep.
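The two processes rkill flagged in EDIT2 above have something in common that a defender can check for directly: one lives in C:\Windows\system\, which is not a normal home for a service binary, and neither is likely to carry a valid code signature. The following PowerShell is an added example and not part of this thread or of rkill: it lists running processes whose image sits outside the usual Windows and Program Files trees or lacks a valid Authenticode signature. The directory list is an assumption for the example; run it from an elevated 64-bit prompt so 32-bit (SysWOW64) processes are visible too.

```powershell
# Added example, not from the thread: triage running processes by image
# location and Authenticode signature. Unsigned binaries in odd locations
# (such as C:\Windows\system\, which is not a normal home for a service)
# deserve a closer look; a 'Valid' signature from a known vendor usually
# does not. Run from an elevated 64-bit PowerShell prompt.

# Directories where a signed binary is expected (assumption for this example).
$expectedRoots = @(
    "$env:SystemRoot\System32\",
    "$env:SystemRoot\SysWOW64\",
    "$env:ProgramFiles\"
)
if (${env:ProgramFiles(x86)}) { $expectedRoots += "${env:ProgramFiles(x86)}\" }

function Test-ExpectedRoot([string]$Path) {
    foreach ($root in $expectedRoots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

$findings = foreach ($p in Get-Process) {
    $path = $p.Path
    if (-not $path) { continue }          # protected/system processes expose no path
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $inRoot = Test-ExpectedRoot $path
    if ($inRoot -and $sig.Status -eq 'Valid') { continue }   # nothing unusual here
    [pscustomobject]@{
        PID       = $p.Id
        Name      = $p.ProcessName
        Path      = $path
        InRoot    = $inRoot
        Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

$findings | Sort-Object Signature, Path | Format-Table -AutoSize
```

Treat the output as a starting list, not a verdict: plenty of legitimate software is unsigned (the poster's own keylogger would appear here), and a valid signature only says the file has not been altered since a trusted certificate signed it. What the list does give you is the same short set of candidates rkill produced, together with the path and signer needed to decide what to look up next.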

It really does sound like a rootkit, if it's truly malware breaking the tie between eset and kernel.

Try ERA Remover from Safe mode hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN2372

&

TDSS Killer hxxp://usa.kaspersky.com/downloads/TDSSKiller

I would run ATF Cleaner, or ccleaner on your temp directories.

If you haven't run EEK, I would run that also.

Sysrescue would probably trump all the above, because it would be similar to running ESET in safe mode.

If at the very end the malware still exists, create a SysInspector log that ESET Staff or myself can look at to provide better assistance.

SERVICE_NAME: ekrn
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Also, I tried EEK again, TDSS, and ERA and nothing. I ran ccleaner as well but I am not sure if that does anything. Eset still has problems talking to the kernel. Also, ever since I ran hitman pro the first time, when I boot up into regular windows there is a run error for a conduit thing. I will write it down when I boot up again.
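The sc query output above shows the ESET kernel service (ekrn) sitting in STOPPED with a zero exit code, and the first post reports Error 1053 when starting it by hand. The script below is an added example, not from the thread or from ESET: it reads the service's start type and binary path from the registry, checks the binary's signature (a tampered ekrn.exe would not verify), attempts a start with a bounded wait, and pulls the Service Control Manager events that normally accompany a 1053 timeout. The service name is the one from the post; the two-day event window is an assumption. Run it from an elevated prompt.

```powershell
# Added example, not from the thread: inspect the ESET kernel service (ekrn)
# shown STOPPED in the sc query output above, try to start it with a bounded
# wait, and pull the Service Control Manager events that accompany an
# "Error 1053" timeout. Run from an elevated PowerShell prompt.

$svcName = 'ekrn'
$svc = Get-Service -Name $svcName -ErrorAction SilentlyContinue
if (-not $svc) { Write-Warning "Service '$svcName' is not installed"; return }

# Start type and binary path live under the service's registry key.
$cfg = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"
# Quoted ImagePath: take the quoted part; unquoted: first token (paths with
# spaces would be truncated here, so compare with ImagePath by eye).
$exe = if ($cfg.ImagePath -match '^"([^"]+)"') { $matches[1] } else { ($cfg.ImagePath -split ' ')[0] }
$sigStatus = if ($exe -and (Test-Path -LiteralPath $exe)) {
    (Get-AuthenticodeSignature -FilePath $exe).Status
} else { 'binary not found' }

[pscustomobject]@{
    Name      = $svc.Name
    Status    = $svc.Status      # STOPPED in the post above
    StartType = $cfg.Start       # 2 = Automatic, 3 = Manual, 4 = Disabled
    ImagePath = $cfg.ImagePath
    Signature = $sigStatus       # a tampered ekrn.exe would not be 'Valid'
} | Format-List

if ($svc.Status -ne 'Running') {
    try {
        Start-Service -Name $svcName -ErrorAction Stop
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
        "Service '$svcName' is now $((Get-Service -Name $svcName).Status)"
    } catch {
        # Error 1053 surfaces here as a start-timeout exception.
        Write-Warning "Start failed: $($_.Exception.Message)"
    }
}

# SCM records 7000 (failed to start), 7009 (connect timeout) and
# 7011 (transaction timeout); 7009 is the usual partner of error 1053.
Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7000, 7009, 7011
    StartTime    = (Get-Date).AddDays(-2)    # assumption: look back two days
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ESET|ekrn' } |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If the start type is 2 (Automatic) and the binary verifies as Valid but the service still times out at every boot, the problem is something interfering with the service as it starts rather than a damaged installation, which is the distinction the later replies draw between a reinstall and a rootkit hunt.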

To remove that conduit error, do the following:

Control Panel > Administrative Tools > Task Scheduler

Under Task Scheduler Library, remove the line item corresponding to your error.
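The run error described above is typical of a cleaner that deletes the adware's files but leaves the scheduled task that launched them, so the task fires at logon and fails. The PowerShell below is an added example, not part of the thread: it goes one step beyond the single case here by listing any task whose action either points into a directory already identified as unwanted (the Conduit folder from the Spybot log, an assumed path) or targets an executable that no longer exists, exports each match to XML for the record, and then removes it behind a confirmation prompt. It needs the ScheduledTasks module (Windows 8 / Server 2012 or later) and an elevated prompt; on Windows 7 the equivalent is schtasks /query /fo LIST /v followed by schtasks /delete /tn for the task you identify.

```powershell
# Added example, not from the thread: list scheduled tasks whose action points
# into a directory already identified as unwanted (the Conduit folder from the
# Spybot log; the path is an assumption) or at an executable that no longer
# exists, which is what a cleaner leaves behind when it deletes the file but
# not the task. Matches are exported to XML, then removed with a prompt.
# Needs Windows 8 / Server 2012 or later; run from an elevated prompt.

$suspectDirs = @("$env:LOCALAPPDATA\Conduit")   # assumption, taken from the Spybot finding

$hits = foreach ($task in Get-ScheduledTask) {
    foreach ($a in $task.Actions) {
        $exe = $a.Execute
        if (-not $exe) { continue }                 # COM-handler actions have no Execute
        $cmdLine  = "$exe $($a.Arguments)"
        $exeClean = [Environment]::ExpandEnvironmentVariables($exe.Trim('"'))
        $dirMatch = [bool]($suspectDirs | Where-Object {
            $cmdLine.IndexOf($_, [System.StringComparison]::OrdinalIgnoreCase) -ge 0 })
        # Only full paths are tested for existence; bare names resolve via PATH.
        $missing = ($exeClean -match '\\') -and -not (Test-Path -LiteralPath $exeClean)
        if ($dirMatch -or $missing) {
            [pscustomobject]@{
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                State      = $task.State
                Command    = $cmdLine
                InSuspect  = $dirMatch
                ExeMissing = $missing
            }
        }
    }
}

$hits | Format-Table -AutoSize

# Keep a copy of each task definition, then remove it (prompted per task).
foreach ($h in $hits) {
    $xml    = Export-ScheduledTask -TaskName $h.TaskName -TaskPath $h.TaskPath
    $backup = Join-Path $env:TEMP ("task_" + ($h.TaskName -replace '[^\w.-]', '_') + ".xml")
    Set-Content -LiteralPath $backup -Value $xml -Encoding Unicode
    Unregister-ScheduledTask -TaskName $h.TaskName -TaskPath $h.TaskPath -Confirm:$true
}
```

Review the table before answering any prompt: a task whose executable is missing may also belong to a program you uninstalled normally, and the exported XML shows the trigger and the full command line so you can tell the two apart.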

CCleaner is used to delete all the files in your Temp directories.

Temporary directories are the commonplace for malware to reside.

Rather, I meant I wasn't sure if it did anything. I wasn't doubting its capabilities. Maybe eset just needs a reinstall? Perhaps I truly did get rid of it? I am using my computer right now to do things and all the oddities are gone.

Good.

Uninstall from Safemode using the uninstaller, boot to normal, and reinstall ESET.

Did you get the conduit error gone from startup in the Task Scheduler? If you are having troubles finding it, post a screen of your tasks.

Good luck!

For future readers and on-lookers,

The thing with Antivirus protection is active self-defense.

If you are already compromised, it is on occasion a tribulation to fix, repair, and clean everything all out after the fact.

Sometimes it even requires a reload of the operating system.

ESET will protect and keep harmful files and intrusions out of your computer, better than most; but installing antivirus protection in general after you have already been infected is trivial to say the least.

You must get yourself clean and the threats removed, plus patch up your system with all the security patches, then reinitialize your AV protection for self-defense.

_________________________

I know that you installed the ESET trial, however I encourage you to purchase a subscription to stay protected past the 30 days. :)
