A forum for reverse engineering, OS internals and malware analysis 

 #5560  by 0ffby1
 Sat Mar 19, 2011 9:15 pm
Most scanning tools don't find much of anything.
This is what I have found:

15:28:34.411 Initialize success
15:28:39.029 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
15:28:39.044 Disk 0 Vendor: WDC_WD2500BEVS-22UST0 01.01A01 Size: 238474MB BusType: 3
15:28:41.072 Disk 0 MBR read successfully
15:28:41.072 Disk 0 MBR scan
15:28:43.100 Disk 0 scanning sectors +488394752
15:28:43.132 Disk 0 scanning C:\Windows\system32\drivers
15:28:48.389 Service scanning
15:28:49.777 Disk 0 trace - called modules:
15:28:49.824 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
15:28:49.824 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x849247f0]
15:28:49.840 3 CLASSPNP.SYS[873178b3] -> nt!IofCallDriver -> [0x847d4a48]
15:28:49.840 5 acpi.sys[806156bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x847fa030]
15:28:49.840 Scan finished successfully

And...

This is part of a VBA32AntiRootkit scan log.
Drivers
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CSN5PDTS82x64 System32\Drivers\CSN5PDTS82x64.sys CSN5PDTS82x64 NDIS Protocol Driver PNP_TDI
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KR3NPXP \SystemRoot\system32\drivers\kr3npxp.sys SCSI Miniport
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aswMBR \??\C:\Users\PUNYMI~1\AppData\Local\Temp\aswMBR.sys Base

I am unable to locate the following driver on disk via Windows or Linux LiveCD.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\blbdrive \SystemRoot\system32\drivers\blbdrive.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\catchme \??\C:\Users\PUNYMI~1\AppData\Local\Temp\catchme.sys Base
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mbr \??\C:\Users\PUNYMI~1\AppData\Local\Temp\mbr.sys Base

I have come across a file labelled TDL.cmd but don't know if it is related.
It contains this:
@echo off
rem %PREPDIR% and %TOWAIT% are set by whatever harness runs this script;
rem "%TOWAIT% 10" looks like a ten-unit delay (assumed, the helper is not on the page)
copy %PREPDIR%\b26513b.exe c:\
%TOWAIT% 10
rem run the copied executable with /auto and block until it exits
start /wait c:\b26513b.exe /auto
%TOWAIT% 10
rem remove both the staged and the original copy afterwards
del %PREPDIR%\b26513b.exe
del c:\b26513b.exe
Agent Ransack doesn't search all directories in Vista.

Looks like it may be TDSS but am unsure.
I can run any tool suggested, but my debugging skills are poor. I can check a process with WinDbg but can't navigate the address space well; I get lost with virtual addresses.
I have an Image and can wipe the drive later.

Suggestions appreciated
 #5573  by 0ffby1
 Mon Mar 21, 2011 5:24 am
Guess I should ask a question. :oops:
15:28:49.840 3 CLASSPNP.SYS[873178b3] -> nt!IofCallDriver -> [0x847d4a48]
Would this be a good place to start looking to verify if I have a problem?
What other tools should I run to verify?
 #5585  by 0ffby1
 Mon Mar 21, 2011 9:50 pm
The only suspicious things from the RKU scan are in the Hooks section, as far as I can tell.
In the Hooks section, ntkrnlpa.exe is most likely Sandboxie doing the hooking, I believe.
I don't know what the Objects are.
I have tried to check the Classpnp.sys and acpi.sys addresses mentioned in the aswMBR report with Kernel Detective, but didn't see anything in the disassembly in ASCII.

Other tools I have run:

Combofix
GMER
Radix showed an unlinked EPROCESS in February.
Kernel Detective 1.4.1
Process Hacker 2.12
TDSSKiller
VBA32Arkit latest beta; haven't reviewed the log yet.
XueTR
Root Repeal 1.3.5, haven't run this in a while.
Tuluka
Attachments: 2 files.
 #5586  by Alex
 Mon Mar 21, 2011 10:13 pm
There are a few unknown system threads and we can't be sure which kernel module allocated the kernel pool and finally created them. I don't see any symptoms of TDL existence. I suggest uninstalling all software which may generate false positives and rescanning the system one more time.
 #5595  by 0ffby1
 Tue Mar 22, 2011 10:14 pm
Uninstalled most stuff, with the exception of EMET and Sandboxie; the objects are still present.
VBA shows some anomalies in the System process that have no further info.
aswMBR still shows the same stuff. Maybe I should ditch EMET and Sandboxie temporarily and see what is what.
Attachments: 2 files.
 #5596  by 0ffby1
 Wed Mar 23, 2011 1:47 am
Uninstalled everything except Sandboxie and EMET; the VBA scan detects a new driver in the kernel called BlackBox.sys, unloaded.
Googling the driver came up empty for similar drivers.
Uninstalled EMET and Sandboxie, ran RKU and VBA; the objects are not present in RKU, still 1 ntkrnlpa.exe hook.
aswMBR has the same info as previous runs.
Reinstalled EMET, scanned with RKU, VBA, and Radix.
RKU doesn't show the objects but Radix does.
Radix shows an unlinked EPROCESS.
When trying to get more info about the unlinked EPROCESS I got a BSOD:
0x0000000A (0x81AA8425, 0x0000001B, 0x00000001, 0x81CCC80C)
VBA still shows BlackBox.sys in the kernel, unloaded.

I seem to be getting different results depending on the tool used, even for similar detection items, is this normal?
Are the base addresses in VBA memory or virtual?
How do I dump BlackBox.sys?
Since VBA is seeing this should I try to use VBA to dump the driver?
If unloaded will I still be able to dump it?
Attachments: 3 files (captions: "after reinstall of EMET", "all softs uninstalled").
 #5599  by Alex
 Wed Mar 23, 2011 9:23 am
This is a clean log of aswMBR:
10:15:03.125    Initialize success
10:15:10.421    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-6
10:15:10.421    Disk 0 Vendor: SAMSUNG_HD161HJ JF100-19 Size: 152626MB BusType: 3
10:15:10.421    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T1L0-e
10:15:10.421    Disk 1 Vendor: WDC_WD2500YS-01SHB0 20.06C03 Size: 239371MB BusType: 3
10:15:10.421    Disk 2  \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP3T0L0-1a
10:15:10.421    Disk 2 Vendor: SAMSUNG_HD103SJ 1AJ10001 Size: 953869MB BusType: 3
10:15:12.421    Disk 0 MBR read successfully
10:15:12.421    Disk 0 MBR scan
10:15:14.421    Disk 0 scanning sectors +312560640
10:15:14.437    Disk 0 scanning C:\WINDOWS\system32\drivers
10:15:16.546    Service scanning
10:15:17.328    Disk 0 trace - called modules:
10:15:17.328    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS 
10:15:17.328    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89d14ab8]
10:15:17.781    3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\0000006d[0x89d87f18]
10:15:17.781    5 ACPI.sys[b9f7e620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-6[0x89d79940]
10:15:17.781    Scan finished successfully
So, there is nothing suspicious in your log. RkU also doesn't show anything suspicious; the BlackBox.sys module you are trying to dump is a part of RkU.
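The two aswMBR disk traces in this thread are short enough to compare by eye, but the check is worth making mechanical when you have a stack of logs. The following is an added example, not code from aswMBR, from Alex or from the original poster: it parses the "Disk 0 trace" section of both logs quoted above (copied verbatim from the thread), lists the modules on the disk I/O path, compares them against an allowlist of stock Windows storage drivers that I supply here (any third-party name in that line is the thing to chase first), and reports hops whose target device object has no name, as at depth 3 in the poster's log. The allowlist and the field layout of a hop line are my assumptions from reading the two logs, not aswMBR documentation.

```python
import re

# Trace sections copied from the two aswMBR logs quoted in this thread: the
# original poster's Vista log and the clean XP log posted for comparison.
POSTER_TRACE = """\
15:28:49.777 Disk 0 trace - called modules:
15:28:49.824 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
15:28:49.824 1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x849247f0]
15:28:49.840 3 CLASSPNP.SYS[873178b3] -> nt!IofCallDriver -> [0x847d4a48]
15:28:49.840 5 acpi.sys[806156bc] -> nt!IofCallDriver -> \\Device\\Ide\\IdeDeviceP0T0L0-0[0x847fa030]
15:28:49.840 Scan finished successfully
"""

CLEAN_TRACE = """\
10:15:17.328    Disk 0 trace - called modules:
10:15:17.328    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
10:15:17.328    1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x89d14ab8]
10:15:17.781    3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \\Device\\0000006d[0x89d87f18]
10:15:17.781    5 ACPI.sys[b9f7e620] -> nt!IofCallDriver -> \\Device\\Ide\\IdeDeviceP2T0L0-6[0x89d79940]
10:15:17.781    Scan finished successfully
"""

# My allowlist of modules normally found on an IDE/ATA disk I/O path on XP and
# Vista (lower-cased for comparison). Anything else in the "called modules" line
# is a filter or a replacement driver that needs an explanation.
STOCK_STORAGE_MODULES = {
    "ntkrnlpa.exe", "ntoskrnl.exe", "hal.dll", "classpnp.sys", "disk.sys",
    "partmgr.sys", "volmgr.sys", "acpi.sys", "atapi.sys", "ataport.sys",
    "pciide.sys", "pciidex.sys", "intelide.sys", "storport.sys", "scsiport.sys",
}

# A hop ends in "<device name>[0x<address>]"; the name may be empty.
TARGET_RE = re.compile(r"^(?P<name>.*?)\[0x(?P<addr>[0-9A-Fa-f]+)\]$")


def parse_trace(text):
    """Return (called_modules, hops) from an aswMBR 'Disk N trace' section.

    Each hop is a dict: depth, the callers listed before nt!IofCallDriver,
    the target device name ('' when the device object is unnamed) and its address.
    """
    modules, hops = [], []
    for raw in text.splitlines():
        fields = raw.strip().split(None, 1)        # timestamp, rest of line
        if len(fields) != 2:
            continue
        body = fields[1]
        if body.startswith(("Disk ", "Scan ")):     # header / footer lines
            continue
        if "->" not in body:                        # the "called modules" line
            modules = body.split()
            continue
        depth, chain = body.split(None, 1)
        segments = [s.strip() for s in chain.split("->")]
        match = TARGET_RE.match(segments[-1])
        if not match:
            continue
        hops.append({
            "depth": int(depth),
            "callers": [s for s in segments[:-1] if s != "nt!IofCallDriver"],
            "target": match.group("name"),
            "addr": int(match.group("addr"), 16),
        })
    return modules, hops


def unexpected_modules(modules, allowlist=STOCK_STORAGE_MODULES):
    """Modules on the disk path that are not stock storage-stack drivers."""
    return [m for m in modules if m.lower() not in allowlist]


def unnamed_targets(hops):
    """Depths of hops that landed on a device object without a name."""
    return [h["depth"] for h in hops if h["target"] == ""]


def review(text):
    """Summarise one trace section for a quick triage decision."""
    modules, hops = parse_trace(text)
    return {
        "modules": modules,
        "hops": len(hops),
        "unexpected": unexpected_modules(modules),
        "unnamed_hops": unnamed_targets(hops),
        "final_target": hops[-1]["target"] if hops else None,
    }


if __name__ == "__main__":
    for label, text in (("poster", POSTER_TRACE), ("clean", CLEAN_TRACE)):
        print(label, review(text))
```

On the poster's log this reports no unexpected module and one unnamed hop (depth 3); on the clean log, no unexpected module and no unnamed hop. An empty name only means the device object that hop landed on has no name, which by itself is not evidence of a hook, and the verdict above is that the log is clean. If you want to settle what owns such an address rather than guess, the kernel debugger command `!devobj 0x847d4a48` (WinDbg, on a live kernel session or a memory dump) prints the owning driver object for that device, and `!drvobj` on the driver shows its dispatch table, which is where a storage-stack filter would actually sit.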
 #5602  by EP_X0FF
 Wed Mar 23, 2011 10:48 am
RADIX is a bugfest. All its detections regarding the processes part are nonsense.
 #5612  by 0ffby1
 Thu Mar 24, 2011 4:47 am
The only anomaly I know of is a difference of 2500+ fewer native sectors compared with the previously known sector count.
Current: sectors +488394752
Should be: +488397386
Can a driver load from outside the native sectors of the disk?

Are hidden modules an issue even if a driver isn't found?
This is what Root Repeal finds in stealth objects, but no drivers are detected.
Stealth Objects
-------------------
Object: Hidden Module [Name: winlogon.exe]
Process: svchost.exe (PID: 1132)	Address: 0x01120000	Size: 323584

Object: Hidden Module [Name: winlogon.exe]
Process: svchost.exe (PID: 1132)	Address: 0x01ca0000	Size: 323584

Object: Hidden Module [Name: profsvc.dll]
Process: svchost.exe (PID: 1132)	Address: 0x73d50000	Size: 163840

Object: Hidden Module [Name: WinMgmtR.dll]
Process: svchost.exe (PID: 1132)	Address: 0x6e280000	Size: 8192

Object: Hidden Module [Name: wevtapi.dll]
Process: svchost.exe (PID: 1132)	Address: 0x74ff0000	Size: 258048

Object: Hidden Module [Name: imageres.dll]
Process: Explorer.EXE (PID: 2460)	Address: 0x634d0000	Size: 15822848
and VBA shows similar results...
System	4	0	114	148		Anomaly detected
System ( PID : 4 ) - 148 Modules
0x83999828	72	Waiting	0x81D55B00		0x896CCED0		No	No module corresponds thread's start address 
0x83999AD0	68	Waiting	0x81D55B00		0x80C5E948		No	No module corresponds thread's start address 
0x839982D8	56	Waiting	0x81D55B00		0x89697C00		No	No module corresponds thread's start address 
0x83998580	52	Waiting	0x81D55B00		0x80CADA78		No	No module corresponds thread's start address
0x83998828	48	Waiting	0x81D55B00		0x93C9B550		No	No module corresponds thread's start address 
0x83995968	8	Unknown	0x81D55B00		0x87C68AE0		No	No module corresponds thread's start address 

svchost.exe	1040	624	17	65	C:\Windows\System32\svchost.exe     Signed Anomaly detected
svchost.exe ( PID : 1040 ) - 65 Modules
0x01E20000	320.00 Kb	Image	C:\Windows\System32\winlogon.exe     Signed Hidden in memory 
0x74740000	164.00 Kb	Image	C:\Windows\System32\profsvc.dll    	 Signed Hidden in memory 
0x75AA0000	256.00 Kb	Image	C:\Windows\System32\wevtapi.dll      Signed Hidden in memory

MOM.exe	2436	2404	17	61	C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe 	Anomaly detected
MOM.exe ( PID : 2436 ) - 61 Modules
0x003A0000	112.00 Kb	Image  C:\Windows\assembly\GAC_MSIL\MOM.Implementation\2.0.2764.39730__90ba9c70f846762e\MOM.Implementation.DLL     Hidden in memory Handle opened
0x00960000	48.00 Kb	Image	C:\Windows\assembly\GAC_MSIL\LOG.Foundation\2.0.2729.30174__90ba9c70f846762e\LOG.Foundation.DLL	Hidden in memory Handle opened
0x00A60000	48.00 Kb	Image	C:\Windows\assembly\GAC_MSIL\LOG.Foundation.Private\2.0.2729.30188__90ba9c70f846762e\LOG.Foundation.Private.DLL	Hidden in memory Handle opened
0x00AD0000	72.00 Kb	Image	C:\Windows\assembly\GAC_MSIL\LOG.Foundation.Implementation\2.0.2764.39729__90ba9c70f846762e\LOG.Foundation.Implementation.DLL	Hidden in memory Handle opened
etc....
CCC.exe ( PID : 2808 ) - 261 Modules
0x00A10000	48.00 Kb	Image	C:\Windows\assembly\GAC_MSIL\CCC.Implementation\2.0.2764.39730__90ba9c70f846762e\CCC.Implementation.DLL	Hidden in memory Handle opened
0x00A30000	48.00 Kb	Image	C:\Windows\assembly\GAC_MSIL\LOG.Foundation\2.0.2729.30174__90ba9c70f846762e\LOG.Foundation.DLL	Hidden in memory Handle opened
etc...
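The sector question above is the one a practitioner would actually want to pin down, because the space past the last partition is exactly where bootkits of the TDL4 family keep their hidden storage. The following is an added example, not code from the thread or from any of the tools named in it. It assumes, and this is an assumption about aswMBR rather than anything the tool documents, that the `scanning sectors +N` value is the first LBA after the last MBR partition; it then builds a constructed MBR whose last partition ends right there, parses the partition table, works out how many sectors lie between the end of the partitioned area and the poster's expected disk size, and adds a small entropy function for judging what a dump of those sectors contains. The two-partition layout is invented for the example; the three numbers (238474 MB, +488394752, +488397386) are the poster's.

```python
import math
import struct

SECTOR_BYTES = 512

# Figures taken from the thread: reported disk size, the LBA aswMBR started
# scanning at, and the sector count the poster expected for this drive.
REPORTED_SIZE_MB = 238474
ASWMBR_SCAN_FROM = 488394752
EXPECTED_TOTAL_SECTORS = 488397386


def mib_to_sectors(mib):
    """Whole MiB expressed in 512-byte sectors (1 MiB = 2048 sectors)."""
    return mib * (1024 * 1024 // SECTOR_BYTES)


def build_mbr(entries):
    """Construct a minimal LBA-only MBR from (bootable, type, start_lba, sector_count)
    tuples. Constructed test data for this example, not a dump of the poster's disk."""
    mbr = bytearray(SECTOR_BYTES)
    for i, (bootable, ptype, start, count) in enumerate(entries[:4]):
        # status, CHS start (ignored on LBA disks), type, CHS end, LBA start, LBA count
        struct.pack_into("<B3sB3sII", mbr, 0x1BE + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0",
                         start, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def parse_mbr(mbr):
    """Return the used entries of a classic four-slot MBR partition table."""
    if len(mbr) != SECTOR_BYTES or mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature; not an MBR sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, start, count = struct.unpack_from(
            "<B3sB3sII", mbr, 0x1BE + 16 * i)
        if ptype and count:                       # skip empty slots
            parts.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                          "start": start, "end": start + count - 1})
    return parts


def unpartitioned_tail(parts, total_sectors):
    """First LBA past the last partition and how many sectors lie between it and
    the physical end of the disk: space that no file system manages."""
    first_free = max((p["end"] for p in parts), default=-1) + 1
    return {"first_free_lba": first_free, "tail_sectors": total_sectors - first_free}


def sector_entropy(data):
    """Shannon entropy in bits per byte: 0.0 for an all-zero sector, close to 8.0
    for encrypted or compressed content, somewhere between for code and text."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


if __name__ == "__main__":
    # Assumed layout: a 1 MiB-aligned 100 MiB system partition followed by one
    # data partition that ends right where aswMBR began scanning.
    system = mib_to_sectors(100)
    mbr = build_mbr([
        (True, 0x07, 2048, system),
        (False, 0x07, 2048 + system, ASWMBR_SCAN_FROM - 2048 - system),
    ])
    parts = parse_mbr(mbr)
    print(parts)
    print(unpartitioned_tail(parts, EXPECTED_TOTAL_SECTORS))
    print("reported size in sectors:", mib_to_sectors(REPORTED_SIZE_MB))
```

With the poster's numbers the tail comes out at 2634 sectors, about 1.3 MB, which is the "2500+" gap in the post; a tail of that size is what 1 MiB partition alignment plus a drive whose LBA count is not a multiple of 2048 leaves over, so the difference on its own says nothing. (Also worth noticing: 238474 MiB is exactly 488394752 sectors, the same figure as the `scanning sectors +` line.) The only way to know what is in those sectors is to read them; from the Linux LiveCD already mentioned, `dd if=/dev/sda bs=512 skip=488394752 count=2634 of=tail.bin` pulls the whole tail into a file, and `xxd tail.bin | less` or the entropy function above then tells you whether it is zeros, leftover file system data, or the high-entropy blob an encrypted hidden store would look like.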