A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #1798  by EP_X0FF
 Thu Aug 05, 2010 9:41 am
It's not your fault. This is a VirusTotal bug. It seems it does not keep all report data in its database.
Post logs which I am able to create from GMER, RKU, Rootrepeal?
Sure.
 #1799  by Every1is=
 Thu Aug 05, 2010 10:04 am
Virustotal is messing up. See the 4 screenies attached.

Ah... when replying I saw your reply below. Indeed it is a VirusTotal bug. In the screenshots I took I went over HTTPS and the URL is clearly the same.

(so no 4 screenies attached).
 #1800  by Every1is=
 Thu Aug 05, 2010 10:28 am
This was all done in normal vista boot (not safe mode) :
Ran rootrepeal, did a per tab save of the logs. I skipped the files tab for now since I fear it will hang on it.
When I got to hidden services, the tool seemed to hang while the log screen part stayed empty/white. Waited about 30 seconds, clicked outside the window and the system hung. Only mouse could be moved. Forced system reboot. Ran RRP again: tab Shadow SSDT, tool hangs. Waited more than a minute this time, moved mouse over to the quick launch part of the taskbar to create some activity outside of the RRP window (icons/buttons get "highlighted" a bit) and after that the entire system stayed stuck in a loop again, only the mouse could be moved. No other activity achieved.
These are the logs I could create using RRP. Will be running the "files" scan now, but I fear it will hang.
Note the strange character truncation of some of the driver filenames in the stealth objects log. It is not due to zip compression, it is there in the originals too.

Edit: nope, it does not get past its init phase. System hang, same as above. I'm going to make some lunch and let it run, see if it gets past it, but seeing as no disk activity and/or (partial) screen redraws are happening..... I have not much hope ;)
 #1803  by Every1is=
 Thu Aug 05, 2010 11:09 am
Nope. And rootkitunhookerle doesn't even get past its init state. Not even one small bit of the progress bar. Redrawing of the screen on mouse movements does continue with icons etc., but opening a folder or Process Explorer is also a no-go.

Damn... where I used to get normal spam, now I get bombarded with virus infected spams according to ESET.

Is there a law against shooting those f*ckers? If so, we should lift it. How much time goes into this stuff worldwide, how much money does it cost? How much agony? This is the first time in my life I have not been able to get ahead (of course, that is only thanks to guys like you who write the tools with which I can help my family, friends and customers if needed, I realize that) but this "scares" me a bit frankly. In the sense that it makes me feel insecure and I feel I am missing stuff. Stress keeps me awake, I get tired, don't get work done, more stress, keeps me awake.

Sorry for ranting guys, but at this moment I am exploding inside.
 #1804  by Every1is=
 Thu Aug 05, 2010 12:20 pm
If this crap-a-hola virus is hiding itself so well, wouldn't it be an option to create a FULL (however that may be done, as "full" as possible) file list of the disk in txt format? Do the same when booting into Linux, and then have the lists compared to each other?
I'm guessing there must be tools that are capable of doing that, right? So then the files should show.

When scanning my disk with the free BitDefender Linux boot disk, however, I think it did not get access to all files/directories, since it finished pretty quickly compared to a full scan under Windows, for example. Or it skips a bunch of files, even though I had set it to ALL...
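The cross-view idea above (list every file from the live Windows boot, list again from a Linux boot disk, then diff the two) as an added example; this is not code from the thread or from any tool mentioned in it. It assumes a `dir /s /b /a C:\` style listing for the live view and a `find /mnt/c -type f` listing for the offline view, with constructed sample paths; files only the offline view sees are the candidates a rootkit may be hiding.

```python
"""Cross-view file listing diff: live Windows view vs. offline Linux view.
Example code written for this thread, not from any tool discussed in it."""
from pathlib import PureWindowsPath, PurePosixPath

# Constructed sample listings (not real captures from the poster's machine).
# Live Windows view, e.g. output of:  dir /s /b /a C:\
LIVE_WINDOWS = """\
C:\\Windows\\System32\\drivers\\bthport.sys
C:\\Windows\\System32\\ntoskrnl.exe
C:\\Users\\me\\Documents\\notes.txt
C:\\pagefile.sys
"""

# Offline view from a Linux boot disk, e.g. output of:  find /mnt/c -type f
# "hidden_example.sys" is a constructed name standing in for a hidden driver.
OFFLINE_LINUX = """\
/mnt/c/Windows/System32/drivers/bthport.sys
/mnt/c/Windows/System32/ntoskrnl.exe
/mnt/c/Windows/System32/drivers/hidden_example.sys
/mnt/c/Users/me/Documents/notes.txt
"""


def norm_windows(line):
    """Drop the drive letter and case-fold so both views share one key."""
    p = PureWindowsPath(line.strip())
    parts = p.parts[1:] if (p.drive or p.root) else p.parts
    return "/".join(parts).lower()


def norm_linux(line, mount="/mnt/c"):
    """Drop the mount-point prefix and case-fold (NTFS is case-insensitive)."""
    rel = PurePosixPath(line.strip()).relative_to(mount)
    return "/".join(rel.parts).lower()


def cross_view_diff(live_text, offline_text, mount="/mnt/c",
                    ignore=("pagefile.sys", "hiberfil.sys")):
    """Return (offline-only paths, live-only paths).

    Offline-only entries are hidden-file candidates. Live-only entries are
    usually benign churn between boots (pagefile, logs), so a small ignore
    list keeps the noise down; anything left is still worth a look."""
    live = {norm_windows(l) for l in live_text.splitlines() if l.strip()}
    offline = {norm_linux(l, mount) for l in offline_text.splitlines() if l.strip()}
    hidden_candidates = sorted(offline - live)
    live_only = sorted(p for p in live - offline if p not in ignore)
    return hidden_candidates, live_only


if __name__ == "__main__":
    for label, paths in zip(("offline only", "live only"),
                            cross_view_diff(LIVE_WINDOWS, OFFLINE_LINUX)):
        print(label, paths)
```

A file a rootkit filters from directory enumeration shows up in the offline-only list; a file that is merely mis-sized or mis-timestamped does not, so a second pass comparing sizes and hashes per path catches what a pure name diff cannot.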
 #1805  by EP_X0FF
 Thu Aug 05, 2010 12:37 pm
All your problems (hidden processes, bugs in security software) are very likely hardware-caused and not malware-related.
 #1807  by Every1is=
 Thu Aug 05, 2010 3:02 pm
Hardware... how?

Locked registry keys like these:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158305b34e]
"0015a8996ce9"=hex:0c,82,8e,e9,2f,63,d2,05,78,12,f3,b4,4b,16,b3,d7
"000d18a0084f"=hex:fd,18,70,9a,fa,3e,ea,e7,4e,16,43,ad,6d,28,4f,98
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00158305b34e]
"0015a8996ce9"=hex:0c,82,8e,e9,2f,63,d2,05,78,12,f3,b4,4b,16,b3,d7
"000d18a0084f"=hex:fd,18,70,9a,fa,3e,ea,e7,4e,16,43,ad,6d,28,4f,98
that will not allow themselves to be removed while they are not supposed to be there in the first place.... that's not hardware.
At least, I cannot imagine...

Too bad a tool like ERD Commander for Vista isn't around. Then I could load the registry hive separately and remove those keys. See what happens.

How would you say hardware related, apart from that which I mentioned above? Memory, hard drive? Can check easily enough. I can even exchange the video adapter and CPU etc. No prob.

The funny thing is that yesterday, when I had run ComboFix and repaired the MBR, Windows booted and it reported installing new drivers. But for what, how or why I have no clue. Going through the event log ATM for that.
 #1809  by SecConnex
 Thu Aug 05, 2010 4:06 pm
BTHPORT is a legitimate Windows NT Service that refers to bthport.sys, the Bluetooth Bus Driver. ;)

So, those locked keys are safe.
 #1823  by Every1is=
 Fri Aug 06, 2010 8:30 am
I'm sorry, I was not clear: I know that BTHPort.sys is the BT bus driver; however, there were subkeys (note the word were ;) ) that in the past never showed up on a catchme scan. Only the CD-ROM emulator did. If the keys in this case really had nothing to do with an infection, be it recent or older, then I think that they must have contained the (encoded?) keys to connect to a Bluetooth device which needed keys to be connected with. However, I have not yet found documentation on that, but that would seem to me to be the most likely scenario.

I suspect(ed) them to be involved since I have never encountered them before. And at this point, since certain problems are still there, if it were any other system than my own, I would almost certainly start to think about hardware and/or other driver-related stuff too. Admittedly I slowly am, but it seems so unlikely to me: I have been able to run any scan without problems in the past, but since the hidden iexplore.exe process that has not been possible, at least... not the scans which are aimed at rootkits: sometimes I could, sometimes I couldn't. In the script in my earlier posting you see definite traces of malware, which are now gone (will check again though), but the problem of not being able to perform certain scans worries me. I must say though, after writing the new MBR I was able to partly run many scans again. Not anymore though. Really weird.

Yesterday a minidump was created, though, during a GMER initial scan, and WinDbg shows csrss.exe as "causing" the BSOD with an F4 code if I recall correctly; will check later. I remember it not displaying a stop message or module on which it exited, though, which I found odd at that moment.

I'll be testing the HW over the weekend at night. Removing drivers and installing new ones too. Exchanging stuff. I just don't know anymore, but do not feel secure/comfortable since this all started when the infection became apparent. More than likely it is a combination of things going wrong. And I am almost tempted to just reinstall. But that would be giving up.
 #1845  by EP_X0FF
 Sat Aug 07, 2010 4:47 pm
Every1is= wrote: Yesterday a minidump was created, though, during a GMER initial scan, and WinDbg shows csrss.exe as "causing" the BSOD with an F4 code if I recall correctly; will check later. I remember it not displaying a stop message or module on which it exited, though, which I found odd at that moment.
This is just a GMER bug. Sometimes it crashes at the initial scan :)

Did you try memory tests?