Rootkits headed for BIOS

Discussion in 'malware problems & news' started by lotuseclat79, Jan 28, 2006.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    The only thing that is really for sure is that the csrss.exe does kill several security applications and it is only related to security tools; in safe mode everything works fine, and when kernel drivers are loaded the mentioned apps are killed by csrss.
    I also found out by using a device monitor that csrss.exe tried to send output data with an unknown protocol to a proxy called AHNA4. Seems to be something in the USA, Arkansas or something like that.
     
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi SystemJunkie,

    In order to hide msdirectx.sys from Process Explorer, you just need to run the appropriate FU command and point it to msdirectx.sys. Works for me. There is, by the way, a new anti-rootkit tool, Darkspy, which does spot processes and drivers hidden by the "enhanced" FU. I'm sure you know where to find it.

    Nick
     

  3. charincol

    charincol Registered Member

    Joined:
    Nov 10, 2005
    Posts:
    113
    Oh, so just because I have only posted a little bit here means I don't know anything? You really are quite pompous, aren't you? The only reason you have over 70 posts is because of how much bloviating you've accomplished. I reiterated what others have suggested you do and questioned your motives behind this now 125+-post-long thread that shows no headway into figuring out what this "phantom" rootkit is.

    I troubleshoot for a living like many others here, and it has been my experience that when I am corresponding with someone by phone, email, or chat and something isn't making any sense, it's usually because the person on the other end has not done exactly what I asked him/her to do or they told me they did something but they really didn't either because they thought it was not important or didn't completely understand something. And it is usually something very simple that had they done a half hour earlier, their problem would have been solved without all the work I just made them do.

    You came here asking for help on something, gave lots of details about it, and some pretty smart people looked at those details and decided that, based on their experience of how Windows works, your problem was similar to other problems they have encountered that were the result of bad memory. (And from what I know and have encountered in the past, it sounds like hardware problems too.) They have come to know, like myself, that there is usually a pretty straightforward answer as to why something has become jacked up on someone's computer. Someone just has to be a good and knowledgeable enough detective to find it. And it has to be done in a way that has a logical method to it. Not running around saying, "This is wrong..., and that is wrong..., and what about this... and what about that..., and why is this happening..., and why is that happening..., and this is weird..., and that is weird..., and maybe this is jacked up..., and maybe that is jacked up..., and come to think of it... maybe I'm jacked up... and when will I ever stop... "o_O

    AND THEY HAVE BEEN TRYING TO TELL YOU THAT WHAT IS GOING ON WITH YOUR COMPUTER IS TOO RANDOM AND AFFECTING TOO MANY THINGS ON YOUR PC TO BE A ROOTKIT. THEREFORE, YOUR PROBLEM IS MORE LIKELY TO BE CAUSED BY SOMETHING THAT AFFECTS YOUR WHOLE PC. YOUR RAM AFFECTS EVERYTHING ON YOUR PC, ROOTKITS DON'T. (Rootkits that cause everything you think is wrong with your PC are made by Symantec.) Basically, the only thing rootkits were designed for is to hide and survive power losses, so they can keep stealing info from you, or some other nasty little task. They were not designed to totally jack up your system; that would defeat their purpose of staying under the radar.

    Why are you so afraid to test your RAM? It's not like it's going to beat you up or curse at you because you've accused it of being a bad little stick or anything.
     
    Last edited: Apr 17, 2006
  4. controler

    controler Guest

    Wow, thank you System Junkie. I don't know if I should kiss you or what LOL

    Yes Da & I go way back :)

    One thing I want to reiterate. I am not an expert. Oh yes I do kinda know windows and yes worked with the early spybot and knowing hidden windows files.

    That is not what is important. I am also a very advanced electronics technician.
    Which means, in a nutshell: I do know some software and I know a lot about hardware.

    Mr controler with one L troubleshot surface mount components to the bit for 12 years as a bench tech. This means that if you hook a digital O-scope to a data line, you record every bit accessed. This would in turn mean that if I hook an O-scope to an I/O bus, I can record every bit. Add to this some advanced software, and you can see where I am going.
    I don't live only in the software world dude.
    That is how I know so much about well let's say picking up your keyboard strokes.

    This is not anything new.

    With a digital storage scope and a spectrum analyser you can view anything to the bit level.

    Both the CIA & FBI know my qualifications and I have somewhat put them forth on this forum for some time now, and so, like the other experts, I will fade from this thread.

    Aloha

    con
     
  5. controler

    controler Guest

    Ok Ok one last thing

    The bus is not something a rootkit can change.
    It can always be monitored to the bit, and unless a group can somehow exchange hardware components on a motherboard... oh oh, but they can. The CIA can. And they have done it on, again I will say, printers sent to 3rd world countries.

    If you have not noticed, un duh, it is not about software at all in this day and age but rather hardware. Who can you trust?

    OVER? LOL I love saying that


    con
     
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    controler, this sounds a bit confused, what are you talking about, keystroke logging with hardware? You can tell more about this CIA stuff. But the VGA card and ACPI are targets for rootkits.

    @nick, good to know, nice tool you have there.
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Are you trying to tell me that rootkits are able to damage my VGA Card ?
     
  8. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    yes, go to rootkit.com and read, they can flash into your VGA card, don't ask me how, but it is possible..

    now think: you bought a 1000 $ VGA card and then a little nothingness of software messes up your precious thing with persistence, how terrifying o_O

    here's the quotation, you don't even have to visit this dark site, look:

    and according to McAfee the rootkit invasion has exploded in the last 3 years; open source freaks are the problem, they should keep this critical knowledge closed source, everyone can use this open source code. Even Symantec is now a big armored tank full of (unnecessary) kernel (rootkit) drivers, maybe the knowledge came from open source? Who knows.. the big companies take profit from the open source community and they in turn make bigger holes in your system with kernel drivers that exploit each other, how crazy the world has become.... it is the same with nature, nature had a good reason to create an encrypted genetic code, decrypting such a critical thing might result in mutation and chaos sometimes..

    Besides, actually they blog about how bad and vulnerable Ad-Aware is, it's the most popular (but indeed poor) anti-spyware product.
     
    Last edited: Apr 18, 2006
  9. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Re: SystemJunkies VideoCardKit post; oh how convenient to post only part of the info SystemJunkie... Yes yes, I know you've been playing with us for the past couple of weeks (and what fun it was :) ), but this time you made an error that reveals (part) of your agenda. :D

    http://rootkit.com/newsread.php?newsid=72

    Now I like to present some quotes myself from above article "VideoCardKit" by Hoglund on Rootkit.com:

    >> I have an idea for a new rootkit - if anyone has some skills that would help?[...]
    [...]
    >> Before you say it, I already know that making such a kit generic is a big challenge. I am just looking to get it to work on one specific machine of your choosing. Getting it to work on multiple hardware platforms is not likely - it would need to be tailored for each target I think...
    [...]

    Although the comments to the article suggest Hoglund was seriously looking into it, no further comments have been made after Feb 15 2004. :)

    Show me a recent writeup, SystemJunkie! Lead the way...
     
  10. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    It's bad enough that there is a possibility for it, even if it is actually not mass compatible. Who really knows all about it..

    Besides, DarkSpy looks very simple, IceSword has a better outfit.
     
  11. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Hoglund does NOT state that he had it working, only some general ideas are discussed. :)
     
  12. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    So mr negator, what about this:

    My HD1 has 2 primary partitions, one was hidden in FAT32, the other is NTFS;
    actually I turned the FAT32 one active and the NTFS one hidden.

    Tools installed on FAT32: nearly nothing, only Windows stuff
    Tools installed on NTFS: Sygate, BlackICE Demo, GData...

    Now I hide the NTFS partition, the FAT partition starts regularly, I am looking into the software of the empty FAT Windows XP and guess what? No, not nothing special! I see the installed apps from the hidden NTFS Win XP? Now tell me how this is possible? The partition is not available for boot, not viewable in Explorer or anything else, how is it possible to see the installed apps and devices of a hidden partition? Something must have stored something elsewhere.. but where? Registry information, device information.. and naturally this is again only a hardware conflict.. haha.. silly silly..
     
  13. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    Again you are changing the topic when your bluff has been called. Sorry, I'm not game for your games. Go find somebody else to scare.

    Goodbye.
     
  14. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    SystemJunkie,
    You sure know how to screw up your system in no time as a junkie. :D
     
  15. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    The problem is people don't like to hear the truth, you can see it very well in this topic.

    I scare nobody, I tell you what happens on my sys and the things are totally paradoxical, against all normal.
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Don't you worry about it, I had the same problem with "hardware viruses" today. Everybody was against me. :)
     
  17. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    ErikAlbert & SystemJunkie,

    This is not a question of people being for or against you or wanting/not wanting to hear the truth. It is about:
    • Critically understanding what you know and don't know,
    • Having an appreciation of where that line is,
    • Taking the time to perform an informal reality check with respect to the information in front of you and assessing whether it is consistent or inconsistent with your general understanding of things, and
    • Trusting experienced fellow posters when they challenge you.
    At times the challenge should help you present you views in a more informative fashion (edit - this is probably better stated as sharpening your view/argument), at other times the challenge should result in you reassessing the validity of the point that you are trying to make. In either case, the outcome is good and should be embraced.

    Blue
     
    Last edited: Apr 18, 2006
  18. controler

    controler Guest

    Blue

    Oh how I wish I had your diplomatic finesse.

    You can interpret the things we can not.

    You said it to a T

    It is or was not about a person's credentials at all, it is how they are presented.

    No disrespect to any posting here at all. On the contrary, I do respect SJ's posting :D in my weird way

    con
     
  19. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hello,
    SystemJunkie, rootkits do not exist - it's all in the mind.
    Mrk
     
  20. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    That was well said :)

    Personally, I don't know why this thread continues. If they're not willing to do their part, there is just no point. In this case there has been a copious amount of energy invested in avoiding the steps necessary to actually troubleshoot, far far more than it would have taken to just do it. That leaves me with pretty strong suspicions about intentions... enough that I'm almost willing to say that everyone here has been taken for a ride.

    SJ: Plain and simple fact: hardware rootkits do not exist in the wild, and therefore you will not find a tool that can remove them. As such, if you did manage to get one, which I am 99.999% confident that you did not, your only recourse would be to replace the hardware. Whether your problem is faulty hardware or a hardware rootkit, the end result is the same: you need new hardware. Of course, if the hardware is faulty you'll get that replacement for free (assuming your warranty is still good), but there are no warranties for hardware rootkits. Flash your BIOS and use Darik's Boot and Nuke to wipe the hard drive, including the boot sector. If the problem persists, you can replace the video card. If the problem persists after that, you can replace either the motherboard or RAM, followed by the other. If you're smart you'll test the RAM before spending any amount of time or money, or just take the system to a shop where they can try different components until they find the culprit, without you having to buy them.
     
    Last edited: Apr 23, 2006
  21. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    This tip was very good Notok!

    But the mem is okay, I tested it. I also wiped the HD totally, then for a while the buffer overflows stopped until I connected to the net to update Windows XP, then the same "csrss monster terminator" started again.

    I checked the pagefile memory and found AfxLoadLibrary and AfxFreeLibrary in it.

    Beside does anyone know if this is a regular key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\HAL\CStateHacks

    (The only thing that Google finds: Sus Trojan XP, seems similar to my problems, the guy also tells
    about disk wipes that don't bring the clean solution.)

    Concerning Sus I found that what Gss told me:
    http://i3.tinypic.com/w9zm8o.png

    Here a screen from icesword, while csrss.exe is trying to terminate apt.exe:

    http://i3.tinypic.com/w9ww80.png

    When I try to force-kill the 0000000, IceSword replies with an error that it wasn't able to terminate it.

    Even if this is annoying, this list doesn't disappear even when I am not connected to the internet:
    (the tcp list is much longer)
    http://i3.tinypic.com/wa0b6f.png

    that's what TCPView shows:
    http://i3.tinypic.com/wa0du0.png

    both IE UDPs contain the following files: w2_32.dll, wininet.dll and kernel32.dll(!)
     
    Last edited: Apr 23, 2006
  22. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    Hopefully you let it go overnight, and not just for a little while. It should go for several hours and return zero errors. You might get some diagnostic tools to test all of your other hardware components as well. For things like modems and network cards, just try removing them.

    I don't suppose you actually read up on what those "buffer overflow" errors actually mean? They're not a problem, and nothing that you can do anything about yourself. It's a normal thing, and has nothing to do with security breaches or exploits.

    http://www.sysinternals.com/blog/2005_05_01_archive.html In other words, what you're seeing is program x asks program y to put some data in its buffer, and program y says: "Sorry, the buffer is too small" (or "No, the buffer would overflow"). If a buffer overflow had actually occurred, the process would crash.


    Are you still blocking win32k.sys? Have you done any research to find out what these things are and do? It is indeed csrss.exe's job to terminate other processes, primarily when there is a problem. Win32k.sys is a part of the same subsystem, if you're blocking it then of course it's going to cause problems.

    The whole situation has gotten so convoluted that it's not even clear what your symptoms are now, or if there really even are any, and to be honest I think you've probably worn out any amount of goodwill that folks here have had to help you, with your unwillingness to take any advice given seriously. IMO, if the problem isn't hardware then it's probably self-imposed. The danger of using apps like AppDefend is that if you make the wrong decisions you can cause serious problems with your system. Kernel mode is reserved for components that work on a system-wide basis, it's the very core of the system; if you go blocking legitimate actions you are going to end up with some serious problems. Even if you reverse any blocks that you may have set, it's entirely possible that you've caused corruption that will continue to cause problems. Kernel mode is to Windows what your motherboard is to your hardware: if you go removing a capacitor it may damage something to the point that putting that capacitor back wouldn't help. Symptoms relating to your memory could well be due to a problem with the path between your memory and processor, and so on (heck, it could even be the memory on your video card).

    That's just an example, but the motherboard may be something to consider as well. It does not matter how new your hardware is or what brand. Electronics are not mechanical, so there's no way for the manufacturer to be certain that it won't fail after a very short period of time. I've seen (and owned) lots of top brand hardware with a reputation for quality and reliability that died in the first year, after working perfectly well for the period before. That kind of reputation is gained by the frequency of failures, not by a complete lack of them.. they can and will happen, guaranteed. The only way you have to rule such things out is to actually bother to do the troubleshooting. If you don't have the time, know-how, tools, or inclination, you're best served taking it to a shop. Maybe the shop will cost some, but hey- it'd be done by now and you could go back to just enjoying the thing.

    My advice above still holds. Wipe the system, flash the BIOS, do some tests, and above all do some research.. and don't go blocking system components or jumping to conclusions about things before you know what they are.

    And for the love of god, when you ask for help and someone devotes hours of their personal time to help you without asking for anything in return, show a little respect. If you really knew more than these people, you wouldn't be asking them for help.
     
    Last edited: Apr 23, 2006
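The "buffer overflow" result that Notok describes above is a status code in a size negotiation between caller and callee, not a memory-safety failure. The following is an added, stand-alone C sketch of that convention (it is not code from the original thread, from Sysinternals, or from the Windows API; the status names, the `query_module_path`/`get_module_path` functions and the sample path string are our own constructions modelled on the ERROR_INSUFFICIENT_BUFFER / STATUS_BUFFER_OVERFLOW behaviour the post refers to). The callee refuses to write past the end of a too-small buffer, reports the size it needs, and the caller retries; a monitor hooked between the two would log exactly that refusal as "BUFFER OVERFLOW" while no byte was ever written out of bounds.

```c
/* Added example: the "buffer too small" status that a system monitor logs as
 * BUFFER OVERFLOW is a size negotiation, not an exploit.  Names below are
 * our own (assumption), modelled on Win32's ERROR_INSUFFICIENT_BUFFER /
 * STATUS_BUFFER_OVERFLOW convention; this is not Windows API code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum status { STATUS_OK = 0, STATUS_BUFFER_TOO_SMALL = 1 };

/* Constructed stand-in for a string the "system" hands back (a module path). */
static const char kModulePath[] = "C:\\WINDOWS\\System32\\wuauclt.exe";

/* Callee side.  Copies kModulePath (with its NUL) into out[] only if it fits.
 * Otherwise it writes at most a single NUL at out[0], reports the required
 * size through *needed and returns STATUS_BUFFER_TOO_SMALL.  Passing
 * out == NULL or out_len == 0 is the idiomatic "how big must it be?" query.
 * Nothing is ever written beyond out_len bytes: this is the whole point. */
enum status query_module_path(char *out, size_t out_len, size_t *needed)
{
    size_t required = sizeof kModulePath;      /* strlen + 1 for the NUL */
    if (needed)
        *needed = required;
    if (out == NULL || out_len < required) {
        if (out != NULL && out_len > 0)
            out[0] = '\0';                      /* leave buffer in a defined state */
        return STATUS_BUFFER_TOO_SMALL;         /* the logged "BUFFER OVERFLOW" */
    }
    memcpy(out, kModulePath, required);
    return STATUS_OK;
}

/* Caller side: the two-call pattern.  Try a small stack buffer first; when
 * the callee refuses, allocate exactly the size it asked for and retry.
 * *retries counts how many refusals happened (what a monitor would show).
 * Returns a malloc()ed string the caller must free(), or NULL on failure. */
char *get_module_path(int *retries)
{
    char small[8];
    size_t needed = 0;
    *retries = 0;

    if (query_module_path(small, sizeof small, &needed) == STATUS_OK) {
        char *copy = malloc(strlen(small) + 1);
        if (copy)
            memcpy(copy, small, strlen(small) + 1);
        return copy;
    }

    /* Refused: 'small' was never overrun, we were just told the real size. */
    (*retries)++;
    char *big = malloc(needed);
    if (big == NULL)
        return NULL;
    if (query_module_path(big, needed, &needed) != STATUS_OK) {
        free(big);
        return NULL;
    }
    return big;
}

int main(void)
{
    int retries = 0;
    char *path = get_module_path(&retries);
    if (path == NULL)
        return 1;
    printf("path=%s (callee refused %d time(s) before it fit)\n", path, retries);
    free(path);
    return 0;
}
```

A genuine stack overflow would be the opposite of this: a callee that ignores `out_len` and copies all 32 bytes into the 8-byte `small[]`. The status code exists precisely so that well-behaved components never do that, which is why seeing it in a monitor log says nothing about a compromise.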
  23. controler

    controler Guest

    SJ did not mention a power surge so I won't think he has many problems.
    My brother had one of those a while back and it fried his HD, video card, memory
    and motherboard. That really sucked.

    The only other thing I can think of with SJ's problem is that he has a cracked copy of Windows.


    controler
     
  24. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    SJ: You added the screenshots while I was posting. There's so much that you're misinterpreting there that it's not even worth addressing. You need to do some research on these things, you're not understanding any of what these tools are telling you.
     
  25. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    wuauclt.exe = Windows Update Automatic Client and lives in C:\WINDOWS\System32\wuauclt.exe, but could be a nasty!

    Troj/Cult-B is a backdoor Trojan http://www.sophos.com/virusinfo/analyses/trojcultb.html

    http://www.file.net/process/wuauclt.exe.html

    http://help.lockergnome.com/lofiversion/index.php/t23631.html

    Why don't you double check the file size, and also upload wuauclt.exe to http://virusscan.jotti.org/ and http://www.virustotal.com/en/indexx.html for a scan.

    I understand your desire to try and get to the bottom of things, but

    any further time-consuming tasks on this PC are keeping you from getting out and about and enjoying the sunshine and real life etc. So if it were me, I'd bin the lot of it, build a brand new one with 100% fresh parts, and move on stress free.

    Of course you are free to do whatever you choose to do, maybe you like the pain/aggro etc ?

    By the way, you often post the screen shots as an edit afterwards, why ?

    StevieO
     