A forum for reverse engineering, OS internals and malware analysis 

 #703  by EP_X0FF
 Wed Apr 14, 2010 6:26 am
@Krestig,

What is your system configuration?
Please attach minidump here if it is available.

@gjf

Okay.
 #705  by Krestig
 Wed Apr 14, 2010 11:45 am
Configuration: WinXP SP3 Rus, patched up to date, ntkrnlpa version 5.1.2600.5938.
RkU Version: 3.8 (b140410.388.590), Type LE (SR2).
I could also upload kernel memory dump, but it's huge!
Last edited by EP_X0FF on Wed Apr 14, 2010 6:00 pm, edited 2 times in total. Reason: Removed attach
 #707  by EP_X0FF
 Wed Apr 14, 2010 12:46 pm
Hi,

I've sent you a PM with another build. Can you try it?
I can't reproduce this BSOD anywhere :?

Regards.
 #708  by Krestig
 Wed Apr 14, 2010 1:01 pm
EP_X0FF, could you upload to another fileshare, because I can't download from there; I see just the name of the file and nothing else (no download button etc.).
By the way, I can't figure out a 100% sequence of actions to reproduce this bug :(, seems to be a nasty bug.
Also, maybe it's some kind of self-protection of some rootkit, because I'm afraid that I have some beast on my system:
ntkrnlpa.exe+0x0002D524, Type: Inline - RelativeCall 0x80504524-->EAEE8F00 [unknown_code_page]
ntkrnlpa.exe+0x0002D570, Type: Inline - RelativeJump 0x80504570-->80504587 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006ECAE, Type: Inline - RelativeJump 0x80545CAE-->80545CB5 [ntkrnlpa.exe]
ntkrnlpa.exe-->KeSetProfileIrql, Type: Inline - RelativeJump 0x806A1F1D-->8063D7CB [ntkrnlpa.exe]
ntkrnlpa.exe-->KeSetProfileIrql, Type: Inline - RelativeJump 0x806A1F24-->8069E378 [ntkrnlpa.exe]
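The five report lines above are a good illustration of why inline-hook listings need triage before anyone concludes "rootkit". The following Python is an added example written for this thread, not RkU's own code: it parses lines in exactly the format RkU printed here, then sorts each entry by where the control transfer lands. A transfer into `[unknown_code_page]` (memory not backed by any loaded image) is the one worth chasing; a `RelativeJump` that stays within a few bytes of the patched instruction in the same image is the pattern produced by compiler hot-patch stubs and similar benign code. The 256-byte threshold and the verdict names are my constructed choices, and the sample report is the text posted above embedded as a string.

```python
import re
from dataclasses import dataclass

# Constructed sample: the hook lines from the post above, embedded verbatim.
SAMPLE_REPORT = """\
ntkrnlpa.exe+0x0002D524, Type: Inline - RelativeCall 0x80504524-->EAEE8F00 [unknown_code_page]
ntkrnlpa.exe+0x0002D570, Type: Inline - RelativeJump 0x80504570-->80504587 [ntkrnlpa.exe]
ntkrnlpa.exe+0x0006ECAE, Type: Inline - RelativeJump 0x80545CAE-->80545CB5 [ntkrnlpa.exe]
ntkrnlpa.exe-->KeSetProfileIrql, Type: Inline - RelativeJump 0x806A1F1D-->8063D7CB [ntkrnlpa.exe]
ntkrnlpa.exe-->KeSetProfileIrql, Type: Inline - RelativeJump 0x806A1F24-->8069E378 [ntkrnlpa.exe]
"""

# One report line: "<module>+0x<rva>" or "<module>--><symbol>", the hook type and form,
# the patched address, the destination, and the image RkU resolved the destination to.
LINE_RE = re.compile(
    r"^(?P<module>[\w.]+)(?:\+0x(?P<rva>[0-9A-Fa-f]+)|-->(?P<symbol>\w+)),\s*"
    r"Type:\s*(?P<kind>[\w ]+?)\s*-\s*(?P<form>\w+)\s+"
    r"0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+)\s*\[(?P<target>[^\]]+)\]$"
)

# Constructed threshold: a jump that lands within 256 bytes of the patched
# instruction is still inside the same routine, not a detour to foreign code.
SHORT_JUMP = 0x100


@dataclass
class Hook:
    module: str    # image that contains the patched instruction
    location: str  # "+0x<rva>" or the exported symbol name
    form: str      # RelativeCall / RelativeJump
    src: int       # address of the patched instruction
    dst: int       # where control is transferred
    target: str    # image the destination resolves to, or unknown_code_page


def parse_report(text):
    """Parse RkU-style inline hook lines; raise on a line in an unknown shape."""
    hooks = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised report line: {line!r}")
        hooks.append(Hook(
            module=m["module"],
            location=m["symbol"] or f"+0x{m['rva']}",
            form=m["form"],
            src=int(m["src"], 16),
            dst=int(m["dst"], 16),
            target=m["target"],
        ))
    return hooks


def classify(hook):
    """Triage verdict for one hook, from most to least interesting."""
    if hook.target == "unknown_code_page":
        return "suspicious"       # control leaves every known loaded image
    if hook.target != hook.module:
        return "review"           # lands in a different driver; check which one
    if abs(hook.dst - hook.src) <= SHORT_JUMP:
        return "likely_benign"    # short hop inside the same routine
    return "intra_module"         # same image, further away; low priority


def triage(text):
    return [(h, classify(h)) for h in parse_report(text)]


def summarize(text):
    """Count verdicts so a long report can be skimmed before reading line by line."""
    counts = {}
    for _, verdict in triage(text):
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for h, v in triage(SAMPLE_REPORT):
        print(f"{v:14} {h.module}{h.location} {h.form} "
              f"{h.src:08X}->{h.dst:08X} [{h.target}]")
    print(summarize(SAMPLE_REPORT))
```

Run against the posted lines, only the first entry (the `RelativeCall` into `unknown_code_page`) comes out as `suspicious`; the two seven- and twenty-three-byte jumps are `likely_benign`, and the two `KeSetProfileIrql` entries stay inside `ntkrnlpa.exe`. That matches the shape of the discussion that follows: the distinguishing question is whether the destination resolves to a known image, and an address inside the kernel itself with no second module involved is the weakest kind of evidence.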
 #709  by EP_X0FF
 Wed Apr 14, 2010 1:26 pm
I believe these are false positives because of the non-meaningful addresses.
OnlineDisk and rapidshare links sent.

If you think that your PC may be infected, then try a set of rootkit scanners additionally.

p.s.
What kind of security/backup/system software do you have installed on this PC?
 #711  by Krestig
 Wed Apr 14, 2010 1:45 pm
EP_X0FF, with the new build that you sent, everything works fine; I can't reproduce the bug.
Software installed:
security: Comodo HIPS
system: VMware Workstation, Nero, Virtual CloneDrive.
 #712  by EP_X0FF
 Wed Apr 14, 2010 1:52 pm
Excellent. All this can be caused by Comodo or Virtual CloneDrive.
So I recommend you uninstall everything from this list before trying any other antirootkits, to reduce the count of false positives and probably bugs ;)

edit: updated 14.04.2010 build (the same I sent to Krestig)

locales located here http://www.kernelmode.info/forum/viewto ... p=699#p699

14.04.2010 changes:
added: ZeroAccess detection as part of stealth code page
fixed: BSOD caused by invalid dereference with some rootkits
fixed: some bug with initialization (can lead to invalid results with some rootkits)
changed: logic of stealth code page, it is not anymore starting automatic scanning
changed: some stealth code display messages
updated: locales
 #714  by EP_X0FF
 Wed Apr 14, 2010 3:12 pm
oops :D
It's because the stealth code is no longer doing the scan automatically.
Latest fix from today, I promise :D

MD5 for exe
04626f4f4dbfa366ffca34034b026e35

SHA1 for exe
dedce79192e95e1197ee0530aff9bbf323a11db4
 #755  by EP_X0FF
 Sat Apr 17, 2010 5:19 pm
Update.

Contains compatibility fix.
There are still several things that need to be done.
Release is planned for May 2010. It will be posted at rootkit.com and here.
After this, SR3 work will be started and a new beta test thread will be created (as soon as there is something to test).

MD5
022e8ba9a8fd641b2609ff6e87a6e324

SHA1
710b83e07324f1b80b0c3639da275d0efcc2fb92
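Builds in this thread are handed around through file-sharing links, so the posted MD5 and SHA1 are the only thing tying a download to the file the author actually built. The Python below is an added example, not part of RkU or of the thread, showing the check a tester should run before executing a downloaded build: stream the file through both digests, compare against the published values with a constant-time comparison, and require every published hash to match. The `PUBLISHED` values are the ones from the post above; `write_sample` is a constructed helper that writes test bytes to a temporary file so the check can be exercised offline.

```python
import hashlib
import hmac
import os
import tempfile

# Digests as posted for the 17.04.2010 build (copied from the post above).
PUBLISHED = {
    "md5": "022e8ba9a8fd641b2609ff6e87a6e324",
    "sha1": "710b83e07324f1b80b0c3639da275d0efcc2fb92",
}


def digest_file(path, algorithm, chunk_size=1 << 20):
    """Hash a file in chunks so a large executable is never read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, published):
    """Return {algorithm: matched?} for every digest the author published."""
    results = {}
    for algorithm, expected in published.items():
        actual = digest_file(path, algorithm)
        # compare_digest avoids leaking where the first differing byte is.
        results[algorithm] = hmac.compare_digest(actual.lower(), expected.lower())
    return results


def all_match(path, published):
    """True only when every published digest matches; one mismatch is enough to reject."""
    return bool(published) and all(verify_download(path, published).values())


def write_sample(data):
    """Constructed helper: write bytes to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


if __name__ == "__main__":
    # Constructed input: a stand-in for the downloaded exe.
    sample = write_sample(b"abc")
    print(verify_download(sample, PUBLISHED))   # both False for this stand-in
    print(all_match(sample, PUBLISHED))         # False: do not run it
    os.remove(sample)
```

Requiring both digests to match, rather than either, matters here: MD5 alone offers no collision resistance, so the SHA1 value is the one doing the work, and a file that matches MD5 but not SHA1 should be treated as a different file.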