Interesting, possible malware-caused problems scanning a Win ME system

Discussion in 'Trojan Defence Suite' started by Tuulilapsi, Dec 16, 2003.

Thread Status:
Not open for further replies.
  1. Tuulilapsi

    Tuulilapsi Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    53
    Hi everyone,

    I hate to post this here (as it's not perfectly on the topic of this forum), but I rather wanted to get Gavin's and the rest of the DCS crew's attention on this one. I've just witnessed something a bit disturbing on a Windows ME system I myself set up (security wise) for a (somewhat computer-illiterate) friend to use as her working computer. (And don't ask me why I'm up at 2:30 AM...) ;) Long post ahead, and I apologize in advance. ;)

    Firstly, she's running ZAF 3.7.159 for the firewall and AVP 3.5.133.0 for the on-access AV, backed up by F-Prot for DOS 3.14b. RegProt has also been installed since the beginning and is running at startup. Unfortunately, she uses IE 6 SP 1 (with all the patches, but there are those unpatched vulns out there...). Fortunately, the Internet Zone is highly restricted and she only visits a handful of sites, all of which I would trust. Email is Popcorn, and it doesn't even understand the usual HTML and attachment stuff. She's computer-illiterate, but she's bright, so she wouldn't be fooled easily by any of the blatantly obvious "click m3 i'm a m$ pacth for U" stuff anyway. ;) That, and she doesn't willy-nilly download random stuff, or actually any stuff. She phoned me complaining that whenever she scans her HD with AVP, the screen goes black after a few minutes of scanning and she has to reboot (which often leads to the system freezing at the desktop again after the reboot).

    Well, I went ahead and tried to find out what the problem is and started a scan with AVP. Two minutes, and it crashes into a BSOD mentioning VXDs (but no filenames) that I in my foolishness did not memorize. I hit the three-finger salute and boot into safe mode. Scan runs from there without any problems, detecting absolutely jack. Then I run F-Prot. It too detects nothing. Now, I reboot again and into normal mode. I run F-Prot and hit the scan button. After a minute, it crashes the system, which reboots itself. Now I'm getting pretty interested. I download TH and TDS-3 trials, update and run. Can you take two guesses as to what happens?

    I try TH first. The scan runs and completes, but nothing odd is detected. While TH is scanning, I look through the autostarts with Startuplist, TH's AutostartExplorer and DCS ASViewer. I find nothing that looks out of place. I even play with TH's WindowList and check out just about every hidden window, but nothing seems odd. Time to load TDS. I run a Process Memory Scan first, and it completes without problems. I scan the DLLs of the running processes, still no problems. Then I hit the full scan of the C: drive, and BANG. Two minutes into it, and the system reboots itself. HO-HUM.

    Again in safe mode, I run TDS. The scan is slower than usual because the disks are handled in DOS mode, but the scan completes and nothing is detected (aside from the usual suspicious file extensions in the Windows\Recent folder). Repeat with TH, no problems or detections. I go through the autostarts in safe mode, and find nothing strange. I'm starting to think it's just Windows ME being itself. I mean, a trojan would likely kill AVs and ATs before they start scanning, but I can load AVP, F-Prot, TDS and TH all at once and leave them idling for half an hour with nothing going wrong. The system is otherwise stable, but when you start scanning with anything, it dies. It can't be a resource issue, it's an Athlon XP 2200+... I see no strange open ports either, even when I surf a few sites while keeping the other eye on TDIMon. Then, I decide to run a search for *.vxd. Result as usual, a massive (112) load of files. But there are two that are completely alien to me, called SecDrv02.vxd and SecDrv04.vxd (I don't have a ME box of my own anymore, but I'm rather sure I didn't have these files when I did). No company name, no anything. Curiously, created on the same day she installed CIV 3 (and that was a legit copy, in case you want to know). Sizes are 19 and 13 KB respectively. I manually scan these with everything I've got here. Nada, no detections. I open them in a hex editor, and can't make heads or tails out of them. There's the usual MZ, but the rest is Greek to me. Interestingly, there's no company name data or anything.

    I just don't get it. Is her system infected with some ridiculously clever rootkit-style thing, am I blind, or is Win ME being a buggy pain in the ass (pardon my French)? I just can't see (Ok, I guess I'm blind then) where she could have gotten a trojan...

    I'll respect anyone who can solve this mystery (and probably give them a big bearhug, but nobody likes that so I'll just leave it unmentioned). :)
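The triage step in the post above (search for every .vxd, pick out the ones with no company name, note sizes and creation dates) can be scripted. What follows is example code written for this page, not the poster's nor DiamondCS's, and it rests on two assumptions: that Windows 9x VxDs are "MZ" stubs whose e_lfanew field points at an "LE" (linear executable) header, and that a driver's 16-bit version resource carries an ASCII "CompanyName" key followed by the vendor string. The second is a heuristic, not a parser of the resource table. A missing vendor string is only a reason to look closer (hash lookup, correlating the timestamp with what was installed that day); stripped copy-protection drivers look exactly like this too. The two sample images are constructed in code for offline use; pass a directory on the command line to scan real files.

```python
import hashlib
import os
import struct
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class VxdInfo:
    path: str
    size: int
    mtime: str
    sha1: str
    is_mz: bool
    is_le: bool
    has_version_info: bool
    company: Optional[str]

    @property
    def suspicious(self) -> bool:
        # Not a well-formed LE image, or no vendor string at all: flag for review.
        return not (self.is_mz and self.is_le) or not self.has_version_info


def parse_vxd_bytes(data: bytes, path: str = "<memory>", mtime: str = "") -> VxdInfo:
    """Header check plus a heuristic search for the 16-bit VERSIONINFO vendor key."""
    is_mz = data[:2] == b"MZ"
    is_le = False
    if is_mz and len(data) >= 0x40:
        # e_lfanew (offset 0x3C) points at the new-executable header; VxDs use 'LE'.
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        is_le = data[e_lfanew:e_lfanew + 2] == b"LE"
    idx = data.find(b"CompanyName")
    company = None
    if idx != -1:
        # Assumed layout: NUL-terminated ASCII key, optional NUL padding, then the
        # NUL-terminated ASCII value. This is a heuristic, not a resource parser.
        start = idx + len(b"CompanyName")
        while start < len(data) and data[start] == 0:
            start += 1
        end = data.find(b"\x00", start)
        if end == -1:
            end = len(data)
        company = data[start:end].decode("ascii", "replace") or None
    return VxdInfo(path, len(data), mtime, hashlib.sha1(data).hexdigest(),
                   is_mz, is_le, idx != -1, company)


def scan_dir(root: str) -> List[VxdInfo]:
    """Walk a tree (e.g. C:\\Windows\\System) and triage every *.vxd found."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".vxd"):
                p = os.path.join(dirpath, name)
                stamp = datetime.fromtimestamp(os.stat(p).st_mtime).strftime("%Y-%m-%d %H:%M")
                with open(p, "rb") as f:
                    found.append(parse_vxd_bytes(f.read(), p, stamp))
    return found


def make_sample_vxd(company: Optional[bytes]) -> bytes:
    """Constructed minimal LE-shaped image for offline runs; not a real driver."""
    img = bytearray(b"MZ" + b"\x00" * 0x3A)      # DOS stub up to e_lfanew
    img += struct.pack("<I", 0x40)                # e_lfanew -> 0x40
    img += b"LE" + b"\x00" * 30                   # stub LE header
    if company is not None:
        img += b"VS_VERSION_INFO\x00CompanyName\x00" + company + b"\x00"
    return bytes(img)


def report(infos: List[VxdInfo]) -> List[str]:
    """One line per driver, files needing review first."""
    lines = []
    for i in sorted(infos, key=lambda x: (not x.suspicious, x.path)):
        flag = "REVIEW" if i.suspicious else "ok    "
        lines.append(f"{flag} {i.size:>7} {i.mtime:16} {i.sha1[:12]} {(i.company or '-'):30} {i.path}")
    return lines


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        infos = scan_dir(sys.argv[1])
    else:
        infos = [parse_vxd_bytes(make_sample_vxd(b"Microsoft Corporation"), "vmm32.vxd (sample)"),
                 parse_vxd_bytes(make_sample_vxd(None), "unknown.vxd (sample)")]
    print("\n".join(report(infos)))
```

The SHA-1 column is there so the flagged files can be looked up or sent on without mailing the binaries around; the timestamp column is what lets you correlate a driver with an install date, as the post does by hand.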
     
  2. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    just for testing...
    have you tried disabling AVP ??
     
  3. Tuulilapsi

    Tuulilapsi Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    53
    Yeah, of course. That's the first thing I did. That on-access scanner is pretty resource-intensive, and just the thought of running a scan with some other scanner while it is sitting in the background gives me the digital creeps. ;)
     
  4. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Hold on, I have to read your story again :rolleyes:
     
  5. Tuulilapsi

    Tuulilapsi Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    53
    Ah, I know it's long. And the English makes me look like a monkey that just learned how to type with a keyboard, but... :D

    (Oh, and I don't actually mention that I unloaded AVP resident in the original post. But I did unload it. :p )

    ... 3:26 AM. This is going to be a LOOOOONG night.
     
  6. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Have you got "power savings" enabled?
     
  7. Tuulilapsi

    Tuulilapsi Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    53
    It appears that the system has the display and harddrive set to be shutdown after an hour of idling. But how could that be the problem here? o_O At any rate, I'd better try turning those off and observe the explosions that follow. ;)
     
  8. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    With Win 9.x, anything is possible.
     
  9. Tuulilapsi

    Tuulilapsi Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    53
    I just witnessed the biggest, most enormous, huge, awesome crash I've ever seen. :eek: F-Prot didn't crash the system this time, it just gave a strange error about a CauseWay DOS extender error and aborted itself. TDS however crashed big into a blue screen (this time I caught the data, more on that later). I rebooted, which led to a blue screen "Windows protection fault, please reboot" message (error message translated from Finnish), then after about 7 failed reboots I finally got the desktop up again. I now hate Windows 9x, and want to bomb it with napalm. And a couple of nukes if you guys can spare them. And I don't even want to see what trying a scan with AVP would do.

    The blue screen I got gave this highly informative message about the filename that caused the BSOD:

    filename VMM(01) + 00008463 error 0E : 0028 : C0009463

    The closest thing to a VMM-anything here is VMM32.vxd. Doesn't that have something to do with the hibernation... thingy? I noticed it's enabled in the power saving settings. Oh my aching head. The power saving settings say the system will shut down to lepotila (Finnish), which I'd translate as resting mode, or maybe hibernation would do (other options are standby and so on), when you shut the system down from the power switch. Go figure. I've never dealt with this power saving stuff before, and seeing how it's nearly 5 AM, maybe I should just get some rest before I lose it. :)

    Edit: Yippee. Now TH crashes as well. Definitely time to go to sleep. Maybe I'll wake up and this will all be just a dream. ;)
     
  10. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Yeah, a hard job ahead :)
     
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Hmm, OK, possibly a nasty VXD... possibly bad RAM, or possibly just a bad Windows install that has decided it wants a rest :)

    Can you try replacing the RAM first with some which is known to be good? Don't go wasting money, only if you have some handy.

    Send me the VXDs you found, and we will follow this with interest.
     
  12. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Hey Gavin, in regards to the SecDrv02.vxd file, I believe it is a Securom SafeDisk file (aka copy protection software for games etc.). Have a read here.

    Regards,
    Jade.
     
  13. Bowserman

    Bowserman Infrequent Poster

    Joined:
    Apr 15, 2003
    Posts:
    510
    Location:
    South Australia
    Also, Civ 3 uses SafeDisk 2 protection, so I think that the answer lies around that somehow.

    Regards,
    Jade.
     
  15. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Yep I was sure I had seen that name before, interested in the OTHER one though..

    Although my first impressions were RAM. VMM is the Virtual Memory Manager in Windows 9x
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    It might be little comfort, but my other Win ME PC, which I only keep alive for some extra beta testing and for playing mahjong on it left-handed as its main tasks, also has the irritating habit of closing down and causing problems with rebooting, blue screens etc.
    What helps there is pressing DEL (or whatever is needed on your system) to get into the BIOS, choosing "load default CMOS", saving with that change and rebooting.
    I first look at how the settings are before that, and after where possible, to see possible changes.
    Most of the time this is really helpful.
    It might help in your case too.

    Before I go for any scan or defrag on that one, I first get rid of the screensaver and power saving in the settings and set them all to "never".
    After the scan you can always put them back if you really want.

    (In the meantime I'm pretty good at using two computers and two mice at a time on different activities -- good exercise :) )
     
  18. Tuulilapsi

    Tuulilapsi Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    53
    Damn, I don't happen to have any extra RAM handy. Perhaps I should run some kind of a memory test proggy, then...

    And Gavin, what was your email again? (I hate the fact people need to hide their addresses everywhere thanks to those godforsaken spammers and their harvesters.)

    ... :D;)
     
  19. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Try support@diamondcs.com.au and it will reach Gavin too.

    But try that default CMOS button in the BIOS, it helped on more computers.
     
  20. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Tuulilapsi

    check your IM inbox over here ;)

    regards.

    paul
     
  21. Tuulilapsi

    Tuulilapsi Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    53
    Thanks, Paul and Jooske. :)
     
  22. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    ...as ever Jooske is the fastest kid on the block ;)

    regards.

    paul
     
  23. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Maybe this, along with the "DOS Extender" bit, could mean that it's a memory handling problem which use(d) to happen frequently with games running in DOS mode... if it's not a hardware RAM issue.
    Do you know of any correlation between the install of Civ3 and the current problems?
    Also, any indication of at what point the scanners cause the BSODs? A specific file/directory? Or during a memory scan? Or when the scanners need to page memory (don't know right now how to best find this out)?
    Finally, can you post the list of drivers ASViewer reports (skip the autostarts, I'm interested in the drivers (->vxds) only)?

    Andreas
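One way to answer the "which file or directory?" question above when the failure is a reboot rather than an error message: journal each target to disk before scanning it, and read the journal back after the machine comes up. The script below is an added example written for this page, not from anyone in the thread. The scanner is passed in as a callable, so in real use it would wrap the scanner's command line (subprocess) and be re-run after each reboot, feeding the suspect's children back in; `build_sample_tree` and `crashing_scanner` are constructed stand-ins so the procedure can be exercised offline, where a raised `SimulatedCrash` plays the part of the BSOD.

```python
import os
import tempfile
from typing import Callable, List, Optional, Tuple


class SimulatedCrash(RuntimeError):
    """Stands in for the BSOD/reboot when running this offline."""


def _append(log_path: str, line: str) -> None:
    # Write-ahead journaling: the entry must reach the disk *before* the risky
    # step runs, or a hard reset can lose it. flush() alone is not enough.
    with open(log_path, "a") as f:
        f.write(line + "\n")
        f.flush()
        os.fsync(f.fileno())


def checkpoint_scan(targets: List[str], scan: Callable[[str], None], log_path: str) -> None:
    """Scan each target in turn, journaling START before and DONE after it."""
    for path in targets:
        _append(log_path, "START " + path)
        scan(path)  # if the machine dies here, the START entry stays unmatched
        _append(log_path, "DONE " + path)


def suspect(log_path: str) -> Optional[str]:
    """Path whose START has no DONE: what was being scanned when the crash hit."""
    if not os.path.exists(log_path):
        return None
    pending: List[str] = []
    with open(log_path) as f:
        for line in f:
            tag, _, path = line.rstrip("\n").partition(" ")
            if tag == "START":
                pending.append(path)
            elif tag == "DONE" and pending and pending[-1] == path:
                pending.pop()
    return pending[-1] if pending else None


def next_targets(path: str) -> List[str]:
    """Children of a suspect directory, so the next pass narrows the search."""
    if not os.path.isdir(path):
        return []
    return sorted(os.path.join(path, n) for n in os.listdir(path))


# --- constructed fixture for offline runs (not real data) ------------------

def build_sample_tree() -> Tuple[str, str]:
    """Three directories; the 'crash' is triggered by b/bad.vxd. Returns (root, log_path)."""
    root = tempfile.mkdtemp(prefix="scanbisect_")
    for name in ("a", "b", "c"):
        os.mkdir(os.path.join(root, name))
    with open(os.path.join(root, "b", "bad.vxd"), "wb") as f:
        f.write(b"MZ")
    log_path = os.path.join(tempfile.mkdtemp(prefix="scanbisect_log_"), "scan.log")
    return root, log_path


def crashing_scanner(path: str) -> None:
    """Stand-in for a real scanner: 'crashes' when the target is or contains bad.vxd."""
    if os.path.isdir(path):
        if "bad.vxd" in os.listdir(path):
            raise SimulatedCrash(path)
    elif os.path.basename(path) == "bad.vxd":
        raise SimulatedCrash(path)


if __name__ == "__main__":
    root, log = build_sample_tree()
    targets = next_targets(root)
    while targets:
        try:
            checkpoint_scan(targets, crashing_scanner, log)
            print("pass completed without a crash")
            break
        except SimulatedCrash:
            culprit = suspect(log)  # on a real box: run this after the reboot
            print("crashed while scanning:", culprit)
            targets = next_targets(culprit)
```

Each pass scans only the children of the previous suspect, so a whole-drive crash narrows to a directory, then to a file, in as many reboots as the tree is deep. Keep the journal on a drive the scan is not touching, and bear in mind that on Windows 9x a crash that corrupts the filesystem can also damage the journal; fsync gives you ordering, not immunity.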
     
  24. Tuulilapsi

    Tuulilapsi Registered Member

    Joined:
    Dec 8, 2002
    Posts:
    53
    I'm thinking that the DOS extender problem with F-Prot might be something caused by Win ME's separation from the old DOS environment of Win 98 and its predecessors.

    It's been a while since she installed that Civ 3, and the game itself does seem to work in a stable fashion. She says she's had these crashes (occasionally) for months, but now they occur with every scan, and she seems to be right about that.

    As for when the scanners crash, I can't see a specific pattern. All memory scans and suchlike things run fine, only the full HD scans cause problems. As for what the scanners are doing with their own memory management, I've no idea. I do know that all scans complete successfully in safe mode with no crashes. Doesn't that rather mean it can't be bad RAM?

    Oh, and here's the list of drivers. As you can see, VSmon is there as well.

     
  25. Andreas1

    Andreas1 Security Expert

    Joined:
    Jan 29, 2003
    Posts:
    367
    Location:
    Mainz (Ger)
    Hi Tuulilapsi,
    This is unknown terrain for me, too. But do you see anything extraordinary with the file properties of these:

    Andreas
     