4.2.40 consistently giving blue screens

Discussion in 'ESET NOD32 Antivirus' started by StevePA, May 14, 2010.

Thread Status:
Not open for further replies.
  1. StevePA

    StevePA Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    12
    Greetings,
    We're performing testing on the 4.2.40 update before upgrading company-wide, and we're seeing consistent blue screens after the update. Prior 4.0.X versions all work fine.

    Specifics:
    SW:
    NOD32 AV 4.0 Business, connected to Remote Admin Server
    Vista Business 32-bit

    HW:
    Multicore machines (Core 2 Duo) with 4GB of RAM, Intel chipset motherboards, integrated or discrete video (doesn't matter)

    Blue screens/crash dumps occur when PCs are left alone (locked workstation).

    Attached two traceback attachments from crash dump files. The third attachment is the minidump that goes with tb-01.txt; rename the file to .zip and unzip to debug. I have more if you want them, but they all seem about the same.

    More than happy to test patches.

    Cheers
     


  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    A BSOD is certainly a result of a conflict with another driver. According to the dump, you have some suspicious drivers installed. For instance, a Google search gives no hits for azlnnr2q.SYS; %SystemRoot%\system32\DRIVERS\tunnel.sys as well as a bunch of other probably Microsoft drivers have no version info, including %SystemRoot%\system32\drivers\npf.sys, which is even digitally signed on my Vista.

    Installing v. 4.0 should resolve the BSOD, but there's surely something wrong with one or more drivers.
     
  3. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    Also, these files (drivers) may be camouflaged malware, especially if they don't have digital signatures and/or version info and have random names (e.g. the file azlnnr2q.sys).
    You should send these files to ESET virus laboratory through samples<at>eset.com

    Read this KB article first: "How to submit virus or potential false positive samples to ESET's labs".
     
    Last edited: May 14, 2010
  4. StevePA

    StevePA Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    12
    Hah! I must have been tired, guys; sorry I didn't see that.

    It seems the 4.2.x upgrade, albeit inadvertently, has found a piece of mischievous malware we've got on a few NOD32-protected PCs. We're encountering this on more than one PC we upgraded to 4.2.X to test with. The azlnnr2q.SYS would be the unit.

    The legit drivers you listed must have been corrupted by my .txt/.zip trick as an attachment or something similar, as they look okay here in my debugger (WDK 7.1 version). They have version and signature info.

    The malware may be a little tricky to find as it renames itself each reboot. The name seems to consistently start with "a", such as ac9z167z.SYS, at the bogus path C:\Windows\System32\Drivers\<random name of the day>.SYS. Its bogus version info is "ATAPI IDE Miniport Driver" from Microsoft Corporation, to look legit.

    A full NOD32 scan isn't finding it. I'll try other scanners as well as diagnose the startup sequences/registry on the affected PCs. I guess on occasion blue screens aren't such a bad thing! :D
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Have you tried running a full scan from a rescue cd?
     
  6. StevePA

    StevePA Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    12
    The Rescue CD is in my queue but will be a while, as I need to download the AIK (1.3 GB!) to make it. It'll be a few hours on the corporate T1.

    I'm still trying various scans with no luck, but it's a typical rootkit à la ATAPI miniport driver. It's pretty widespread, as I'm seeing it on many Vista and above workstations here. No apparently infected XP users, though.

    It slipped in totally under the radar with 4.0.474 AV/BE. It had no symptoms until we tried the new 4.2.40, which is consistently causing the blue screen error at least once a day on the PC beta testers we were trying it on (Vista Business 32-bit & Vista Ultimate 64-bit).
     
  7. bradtech

    bradtech Registered Member

    Joined:
    Nov 16, 2009
    Posts:
    84

    Those .sys drivers could be cloaked malware. You may try booting off a Linux CD such as GParted and looking through the C:\windows\system32\drivers area. I had an IRCbot hit an ESET machine that had local admin rights and successfully install. As soon as I extracted the .sys and uploaded it to VT, it showed there were signatures for it now, but it was still successfully cloaking from most AVs or malware scans. What usually happens is the stuff gets on at some point prior to definitions being released. The only way to stop this from happening on a large scale is to lock them down with domain SRPs, patch the boxes, block thumb drives, filter the web or do away with the web altogether, and run an AV. I've had one guy tell me they will go back to typewriters after I told him that :argh: *puppy*
     
  9. StevePA

    StevePA Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    12
    Thanks a lot for the suggestions, guys! I'm going to try to copy the entire system32 + Drivers + user/appdata directories from bootable Linux live media onto a memory stick, then try scanning these files elsewhere, so if it's cloaked, this should (hopefully) find the culprits.

    GMER appears to be on the right track as it runs for quite some time then blue screens... so looks like this particular nasty is quite elusive and doesn't wish to be evicted.

    I'd love to filter the web and/or thumb drives more strongly, but it's usually the CEO and COO where all this trouble originates. :)

    I'm still in the process of downloading the AIK and should have a rescue disk made soon. I'm assuming I can make the rescue disk on another NOD system without any issue (i.e. Windows 7 64-bit box makes the disk, boot-it on an infected Vista 32-bit, etc.).
     
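The offline approach described in the posts above (copy System32\Drivers off the box from live media and inspect it elsewhere), combined with the cues the thread keys on (a random-looking name, no signature or version info, version strings claiming a Microsoft "ATAPI IDE Miniport Driver"), as an added Python example. This is not code from any poster or from ESET. The PE parsing is a minimal pure-Python read of the security data directory, the version-info lookup is a UTF-16 string search rather than a full VS_VERSIONINFO parser, the name heuristic is an assumption that also matches some genuine names (i8042prt), and make_fake_pe() builds a constructed sample rather than a real driver. One caveat a practitioner needs: Microsoft inbox drivers are usually catalog-signed, so an empty embedded-signature directory alone proves nothing; it is the combination of cues that earns a closer look.

```python
"""Offline triage of *.sys files copied off a suspect box (added example).

Per file, three cues: a random-looking name, no embedded Authenticode
signature (empty PE security data directory), and version-info strings
claiming a Microsoft "ATAPI IDE Miniport Driver". Heuristic, not a verdict.
"""
import os
import re
import struct

# Lowercase alphanumeric stem of 6-10 chars mixing letters and digits, with at
# most two vowels (azlnnr2q, ac9z167z). Assumption: genuine i8042prt matches too.
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{6,10}$")


def looks_random(filename):
    stem = os.path.splitext(os.path.basename(filename))[0].lower()
    return bool(RANDOM_NAME.match(stem)) and sum(c in "aeiou" for c in stem) <= 2


def security_directory(data):
    """(offset, size) of IMAGE_DIRECTORY_ENTRY_SECURITY, or None if not a PE."""
    try:
        if data[:2] != b"MZ":
            return None
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return None
        opt = e_lfanew + 4 + 20                  # past signature and COFF header
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:                       # PE32: NumberOfRvaAndSizes @92, dirs @96
            count_off, dirs_off = opt + 92, opt + 96
        elif magic == 0x20B:                     # PE32+: @108 / @112
            count_off, dirs_off = opt + 108, opt + 112
        else:
            return None
        if struct.unpack_from("<I", data, count_off)[0] <= 4:
            return (0, 0)                        # no security entry at all
        return struct.unpack_from("<II", data, dirs_off + 4 * 8)
    except struct.error:
        return None


def version_string(data, key):
    """Locate a UTF-16LE VS_VERSIONINFO String key, skip its terminator and
    DWORD padding, and return the value that follows (string-search heuristic)."""
    needle = key.encode("utf-16-le") + b"\0\0"
    pos = data.find(needle)
    if pos < 0:
        return None
    i = pos + len(needle)
    while data[i:i + 2] == b"\0\0":
        i += 2
    end = i
    while end + 2 <= len(data) and data[end:end + 2] != b"\0\0":
        end += 2
    return data[i:end].decode("utf-16-le", "replace")


def inspect_driver(name, data):
    sec = security_directory(data)
    desc = version_string(data, "FileDescription") or ""
    company = version_string(data, "CompanyName") or ""
    embedded_sig = bool(sec and sec[1] > 0)
    claims_ms_atapi = company.startswith("Microsoft") and "ATAPI IDE Miniport" in desc
    return {
        "file": name,
        "is_pe": sec is not None,
        "random_name": looks_random(name),
        "embedded_signature": embedded_sig,
        "description": desc,
        "company": company,
        # Catalog-signed inbox drivers also lack an embedded signature, so only
        # the combination of cues is flagged.
        "suspicious": looks_random(name) and not embedded_sig and claims_ms_atapi,
    }


def triage_directory(path):
    """Inspect every *.sys in a copied drivers directory (e.g. a live-CD copy)."""
    results = []
    for fn in sorted(os.listdir(path)):
        if fn.lower().endswith(".sys"):
            with open(os.path.join(path, fn), "rb") as fh:
                results.append(inspect_driver(fn, fh.read()))
    return results


def make_fake_pe(description, company, signed=False):
    """Constructed sample: minimal PE32 header plus two version-info strings."""
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 92, 16)          # 16 data directories
    if signed:                                   # pretend a WIN_CERTIFICATE exists
        struct.pack_into("<II", opt, 96 + 4 * 8, 0x1000, 0x100)
    strings = b"".join(
        k.encode("utf-16-le") + b"\0\0" + v.encode("utf-16-le") + b"\0\0"
        for k, v in (("FileDescription", description), ("CompanyName", company))
    )
    return dos + b"PE\0\0" + coff + bytes(opt) + strings
```

Run triage_directory() against the copied Drivers folder and review anything with suspicious=True first, then the unsigned random-named files that made no Microsoft claim; confirm any hit against sigcheck or the catalog store on a known-clean machine before treating it as malware.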
  10. StevePA

    StevePA Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    12
    Well, the Rescue CD found nothing, so it looks like this particular rootkit is not in current ESET definitions.

    I've had some luck manually hunting down some files (in AppData there were some randomly named files which I deleted) and believe I've got the rootkit down to its root driver (from GMER):
    ? System32\Drivers\spfh.sys The system cannot find the path specified. !
    ...
    ...
    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806986D6] \SystemRoot\System32\Drivers\spfh.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80698042] \SystemRoot\System32\Drivers\spfh.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [80698800] \SystemRoot\System32\Drivers\spfh.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806980C0] \SystemRoot\System32\Drivers\spfh.sys
    IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069813E] \SystemRoot\System32\Drivers\spfh.sys
    IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A7E9C] \SystemRoot\System32\Drivers\spfh.sys

    Seems to be something hijacking/hooking into all the HD/drive I/O drivers, but I'm unsure if this is the problem or not. The parent file spfh.sys does not exist, and I cannot find it anywhere on my system.

    Should I submit the sysinspector file? Is there something else I can do to trap this thing for submission?

    Thanks!

    [Edit- I should add that "sky is the limit" for the above system. I don't need it repaired as it is slated for Windows 7 complete format/re-install so even things destructive and/or dangerous can be applied if it helps trap and assist ESET with getting protection from this beasty.]
     
  11. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
    sp**.sys is an SCSI driver clone (sptd.sys, a SCSI virtual disc emulator), probably installed by Daemon Tools.

    HINT: You can run GMER in Windows Safe Mode if you are experiencing problems in normal mode, and run a partition scan, but in some cases it's not a recommended method because many rootkit drivers won't run in Safe Mode.
     
    Last edited: May 19, 2010
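The GMER "Kernel IAT/EAT" output posted above, and the point made in the last reply that sp??.sys names are sptd.sys clones from Daemon Tools, as an added Python example that is not from any poster, from GMER or from ESET. It parses the hook lines, groups them by the module that owns the hook targets, cross-checks that module against a directory listing taken offline, and labels the sptd naming pattern so it is not mistaken for the rootkit. The six sample lines are the ones quoted in the thread; DRIVERS_ON_DISK is a constructed listing, and the verdict strings and the sp??.sys pattern are assumptions for illustration.

```python
"""Triage of GMER "Kernel IAT/EAT" hook lines (added example).

Line format:  IAT <hooked module>[<import module>!<function>] [<address>] <hooking module>
Hooks are grouped per hooking module and checked against an offline listing of
System32\Drivers; the sp??.sys naming of sptd.sys clones (Daemon Tools /
Alcohol) is labelled, since it produces exactly these atapi.sys port-I/O hooks.
"""
import re
from collections import defaultdict

HOOK_LINE = re.compile(
    r"^(?P<kind>IAT|EAT)\s+(?P<hooked>\S+?)\[(?P<import_mod>[^!\]]+)!(?P<func>[^\]]+)\]"
    r"\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<hooker>\S+)$"
)
SPTD_CLONE = re.compile(r"^sp[a-z0-9]{2}\.sys$", re.I)   # assumption: sptd.sys, spfh.sys, ...

# Sample input: the six hook lines quoted in the thread.
GMER_SAMPLE = r"""
---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806986D6] \SystemRoot\System32\Drivers\spfh.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80698042] \SystemRoot\System32\Drivers\spfh.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [80698800] \SystemRoot\System32\Drivers\spfh.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806980C0] \SystemRoot\System32\Drivers\spfh.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069813E] \SystemRoot\System32\Drivers\spfh.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A7E9C] \SystemRoot\System32\Drivers\spfh.sys
"""
# Constructed listing of System32\Drivers copied from a live CD; spfh.sys is not there.
DRIVERS_ON_DISK = ["atapi.sys", "ataport.sys", "i8042prt.sys", "tunnel.sys", "npf.sys"]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def parse_gmer_hooks(text):
    """Return one dict per IAT/EAT line; non-matching lines (headers) are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_LINE.match(line.strip())
        if m:
            h = m.groupdict()
            h["addr"] = int(h["addr"], 16)
            hooks.append(h)
    return hooks


def classify(hooker, on_disk):
    if SPTD_CLONE.match(hooker):
        return "likely sptd.sys clone (Daemon Tools / Alcohol); confirm the product is installed"
    if not on_disk:
        return "hooking module absent from disk: hidden or misreported, collect it from a rescue/live CD"
    return "present on disk: verify signature and version info before clearing"


def triage_hooks(hooks, drivers_on_disk):
    on_disk = {n.lower() for n in drivers_on_disk}
    by_hooker = defaultdict(list)
    for h in hooks:
        by_hooker[basename(h["hooker"]).lower()].append(h)
    report = []
    for hooker, hs in sorted(by_hooker.items()):
        addrs = [h["addr"] for h in hs]
        report.append({
            "hooker": hooker,
            "hook_count": len(hs),
            "hooked_modules": sorted({basename(h["hooked"]).lower() for h in hs}),
            "functions": sorted({h["func"] for h in hs}),
            # Targets of one hooking image cluster in one address range.
            "addr_range": (min(addrs), max(addrs)),
            "on_disk": hooker in on_disk,
            "verdict": classify(hooker, hooker in on_disk),
        })
    return report


if __name__ == "__main__":
    for entry in triage_hooks(parse_gmer_hooks(GMER_SAMPLE), DRIVERS_ON_DISK):
        print(entry)
```

On the thread's sample this yields a single hooking module, spfh.sys, owning all six hooks in the 0x80698042..0x806A7E9C range and absent from the copied directory, which is consistent with the hidden sptd-style driver the last reply describes rather than with the randomly named a*.sys file found earlier.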