
Can someone interpret my Icesword scan?

9 replies to this topic

#1 joe blow
  • Members
  • 78 posts

Posted 09 December 2008 - 02:37 AM

Hi,

I posted a question about this on another site but a week later I have still had no response, so I hope that someone here can help me.

I ran an Icesword scan and it only came back with red entries on the "SSDT" scan. Everything else was clear. About 36 of the red entries were

"\??\C:\WINDOWS\system32\drivers\AODriver.sys "

Under the "name" it had things like "NTAllocateVirtualMemory", "NTAssignProcessToJobObject", "NTConnectPort", "NTCreateFile", "NTCreateKey" (I can give you more but there was a lot and I am not sure which data is relevant).

Another entry was

"Programfile\Superantispyware\SASKUTIL.sys " (so I guess that's OK).

The other four were

index  crnt_add    kmodule  org_add     name
0x35   0xF9992164  unknown  0x8058E64B  NtCreateThread
0x7A   0xF9992150  unknown  0x805717C7  NtOpenProcess
0x80   0xF9992155  unknown  0x8058A1c9  NtOpenThread
0x115  0xF999215a  unknown  0x8057E42A  NtWriteVirtual

Can someone tell me if these are false positives or not?

One other slightly strange thing that may be relevant: I ran GMER (not really sure how to use it) and it came up with a number of entries, not red, that were "oadriver.sys"; they were to do with my firewall (Online Armor). It just seemed strange that Icesword found AOdriver.sys while GMER found oadriver.sys entries. AO as opposed to OA.

I have XP and everything else seems ok.

Any help would be appreciated.

Thanks.


#2 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 09 December 2008 - 02:44 AM

Hello joe blow.

Please try to upload that driver file to me.

Submit File Sample
  • Open the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/t/185266/can-someone-interprete-my-icesword-scan/
  • Under Browse to the file you want to submit, input:
    C:\WINDOWS\system32\drivers\AODriver.sys
  • Under the comments section, say that Panda asked for the submission.
It may be possible that it can't be uploaded because it's in use.

Download and Run Scan with GMER
  • Download gmer.zip and save to your desktop.
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)
  • Close all other running programs. There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click the >>>.
  • Click on Settings, then check the first five settings:
    • System Protection and Tracing
    • Processes
    • Save created processes to the log
    • Drivers
    • Save loaded drivers to the log
  • Click OK.
  • You will be prompted to restart your computer. Please do so.
After the reboot, run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan. You will know that the scan is done when the Stop button turns back to Scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose New>Text document. Once the file is created, open it and right-click again and choose Paste. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in Safe Mode. However, do not use the MsConfig method to edit the Boot.ini.
Important! Please do not select the Show all checkbox during the scan.

Include the whole GMER log report please.

With Regards,
The Panda

#3 joe blow
  • Topic Starter
  • Members
  • 78 posts

Posted 10 December 2008 - 04:38 AM

Hi Panda,

I could not upload the driver; when I browsed to the location it was not in the list, though "oadriver.sys" was.
I'm starting to think "aodriver.sys" was never actually there. Then I ran the GMER scan; what came back as SSDT under the Rootkit tab was almost identical to the Icesword SSDT scan, except it had 36 entries of "OAdriver.sys", not "AOdriver.sys". Instead of the 4 unknown entries were the 4 that you see listed below. The "SASKUTIL.sys" was there too.

\??\C:\WINDOWS\system32\drivers\oadriver.sys

F98E7FF4 ZwCreateThread
F98E7FE0 ZwOpenProcess
F98E7FE5 ZwOpenThread
F98E7FEA ZwWriteVirtualMemory

I could not see a "Copy" button, so I could not copy everything under the Rootkit tab. Here is the log under the LOG tab; it was all I could copy.

2008-12-10 17:50:15 gmer.sys System [4]: LoadDriver System32\DRIVERS\ipnat.sys
2008-12-10 17:50:15 gmer.sys System [4]: LoadDriver System32\DRIVERS\wanarp.sys
2008-12-10 17:50:18 gmer.sys System [4]: CreateProcess C:\WINDOWS\system32\smss.exe
2008-12-10 17:50:18 gmer.sys smss.exe [520]: CreateProcess C:\WINDOWS\system32\autochk.exe
2008-12-10 17:50:18 gmer.sys smss.exe [520]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Cdfs
2008-12-10 17:50:19 gmer.sys smss.exe [520]: CreateProcess C:\WINDOWS\system32\csrss.exe
2008-12-10 17:50:19 gmer.sys csrss.exe [584]: LoadDriver \SystemRoot\System32\drivers\dxg.sys
2008-12-10 17:50:19 gmer.sys csrss.exe [584]: LoadDriver \SystemRoot\System32\ialmrnt5.dll
2008-12-10 17:50:19 gmer.sys csrss.exe [584]: LoadDriver \SystemRoot\System32\ialmdnt5.dll
2008-12-10 17:50:19 gmer.sys csrss.exe [584]: LoadDriver \SystemRoot\System32\vga.dll
2008-12-10 17:50:19 gmer.sys csrss.exe [584]: LoadDriver \SystemRoot\System32\ialmrnt5.dll
2008-12-10 17:50:19 gmer.sys csrss.exe [584]: LoadDriver \SystemRoot\System32\ialmdev5.DLL
2008-12-10 17:50:19 gmer.sys csrss.exe [584]: LoadDriver \SystemRoot\System32\ialmdd5.DLL
2008-12-10 17:50:19 gmer.sys smss.exe [520]: CreateProcess C:\WINDOWS\system32\winlogon.exe
2008-12-10 17:50:19 gmer.sys winlogon.exe [608]: CreateProcess C:\WINDOWS\system32\services.exe
2008-12-10 17:50:19 gmer.sys winlogon.exe [608]: CreateProcess C:\WINDOWS\system32\lsass.exe
2008-12-10 17:50:20 gmer.sys services.exe [652]: CreateProcess C:\WINDOWS\system32\svchost.exe
2008-12-10 17:50:20 gmer.sys services.exe [652]: CreateProcess C:\WINDOWS\system32\svchost.exe
2008-12-10 17:50:20 gmer.sys services.exe [652]: CreateProcess C:\WINDOWS\system32\svchost.exe
2008-12-10 17:50:20 gmer.sys services.exe [652]: LoadDriver System32\DRIVERS\ndisuio.sys
2008-12-10 17:50:21 gmer.sys services.exe [652]: CreateProcess C:\WINDOWS\system32\svchost.exe
2008-12-10 17:50:21 gmer.sys winlogon.exe [608]: CreateProcess C:\WINDOWS\system32\logonui.exe
2008-12-10 17:50:21 gmer.sys services.exe [652]: CreateProcess C:\WINDOWS\system32\svchost.exe
2008-12-10 17:50:22 gmer.sys services.exe [652]: CreateProcess C:\Program Files\Tall Emu\Online Armor\oasrv.exe
2008-12-10 17:50:28 gmer.sys services.exe [652]: CreateProcess C:\WINDOWS\system32\spoolsv.exe
2008-12-10 17:50:28 gmer.sys services.exe [652]: CreateProcess C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
2008-12-10 17:50:28 gmer.sys svchost.exe [932]: LoadDriver System32\DRIVERS\rdbss.sys
2008-12-10 17:50:28 gmer.sys svchost.exe [932]: LoadDriver System32\DRIVERS\mrxsmb.sys
2008-12-10 17:50:28 gmer.sys services.exe [652]: LoadDriver System32\DRIVERS\mrxdav.sys
2008-12-10 17:50:28 gmer.sys sched.exe [1356]: CreateProcess C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe
2008-12-10 17:50:29 gmer.sys services.exe [652]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\ParVdm
2008-12-10 17:50:29 gmer.sys services.exe [652]: CreateProcess C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
2008-12-10 17:50:29 gmer.sys services.exe [652]: CreateProcess C:\WINDOWS\system32\CTSVCCDA.EXE
2008-12-10 17:50:29 gmer.sys services.exe [652]: LoadDriver system32\DRIVERS\mdmxsdk.sys
2008-12-10 17:50:29 gmer.sys services.exe [652]: CreateProcess C:\Program Files\Sandboxie\SbieSvc.exe
2008-12-10 17:50:29 gmer.sys oasrv.exe [1168]: LoadDriver \??\C:\WINDOWS\TEMP\mc21.tmp
2008-12-10 17:50:30 gmer.sys services.exe [652]: CreateProcess C:\WINDOWS\system32\svchost.exe
2008-12-10 17:50:30 gmer.sys services.exe [652]: CreateProcess C:\WINDOWS\system32\MsPMSPSv.exe
2008-12-10 17:50:31 gmer.sys avguard.exe [1444]: LoadDriver \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
2008-12-10 17:50:32 gmer.sys SbieSvc.exe [1496]: LoadDriver \??\C:\Program Files\Sandboxie\SbieDrv.sys
2008-12-10 17:50:35 gmer.sys svchost.exe [932]: LoadDriver System32\DRIVERS\ipnat.sys
2008-12-10 17:50:42 gmer.sys services.exe [652]: CreateProcess C:\WINDOWS\system32\alg.exe
2008-12-10 17:50:46 gmer.sys sched.exe [1356]: CreateProcess C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe
2008-12-10 17:50:59 gmer.sys winlogon.exe [608]: CreateProcess C:\WINDOWS\system32\userinit.exe
2008-12-10 17:51:00 gmer.sys userinit.exe [1076]: CreateProcess C:\WINDOWS\explorer.exe
2008-12-10 17:51:00 gmer.sys svchost.exe [932]: CreateProcess C:\WINDOWS\system32\wscntfy.exe
2008-12-10 17:51:00 gmer.sys svchost.exe [932]: CreateProcess C:\WINDOWS\system32\wscntfy.exe
2008-12-10 17:51:00 gmer.sys svchost.exe [932]: CreateProcess C:\WINDOWS\system32\wscntfy.exe
2008-12-10 17:51:04 gmer.sys explorer.exe [1888]: CreateProcess C:\WINDOWS\system32\verclsid.exe
2008-12-10 17:51:05 gmer.sys explorer.exe [1888]: CreateProcess C:\WINDOWS\system32\verclsid.exe
2008-12-10 17:51:08 gmer.sys services.exe [652]: CreateProcess C:\WINDOWS\system32\imapi.exe
2008-12-10 17:51:09 gmer.sys services.exe [652]: LoadDriver System32\Drivers\HTTP.sys
2008-12-10 17:51:09 gmer.sys explorer.exe [1888]: CreateProcess C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
2008-12-10 17:51:10 gmer.sys dlbtbmgr.exe [976]: CreateProcess C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
2008-12-10 17:51:10 gmer.sys explorer.exe [1888]: CreateProcess C:\WINDOWS\system32\rundll32.exe
2008-12-10 17:51:11 gmer.sys explorer.exe [1888]: CreateProcess C:\WINDOWS\Updreg.EXE
2008-12-10 17:51:11 gmer.sys explorer.exe [1888]: CreateProcess C:\WINDOWS\system32\igfxtray.exe
2008-12-10 17:51:11 gmer.sys explorer.exe [1888]: CreateProcess C:\WINDOWS\system32\hkcmd.exe
2008-12-10 17:51:12 gmer.sys explorer.exe [1888]: CreateProcess C:\WINDOWS\system32\igfxpers.exe
2008-12-10 17:51:13 gmer.sys svchost.exe [812]: CreateProcess C:\WINDOWS\system32\igfxsrvc.exe
2008-12-10 17:51:13 gmer.sys explorer.exe [1888]: CreateProcess C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
2008-12-10 17:51:13 gmer.sys explorer.exe [1888]: CreateProcess C:\Program Files\Tall Emu\Online Armor\oaui.exe
2008-12-10 17:51:14 gmer.sys explorer.exe [1888]: CreateProcess C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
2008-12-10 17:51:14 gmer.sys explorer.exe [1888]: CreateProcess C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
2008-12-10 17:51:15 gmer.sys csrss.exe [2356]: LoadDriver \SystemRoot\System32\vga.dll
2008-12-10 17:51:15 gmer.sys csrss.exe [2356]: LoadDriver \SystemRoot\System32\vga.dll
2008-12-10 17:51:15 gmer.sys csrss.exe [2356]: LoadDriver \SystemRoot\System32\vga.dll
2008-12-10 17:51:15 gmer.sys csrss.exe [2356]: LoadDriver \SystemRoot\System32\vga.dll
2008-12-10 17:51:15 gmer.sys explorer.exe [1888]: CreateProcess C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
2008-12-10 17:51:16 gmer.sys explorer.exe [1888]: CreateProcess C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
2008-12-10 17:51:17 gmer.sys explorer.exe [1888]: CreateProcess C:\Program Files\Eraser\eraser.exe
2008-12-10 17:51:18 gmer.sys sched.exe [1356]: CreateProcess C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe
2008-12-10 17:51:19 gmer.sys explorer.exe [1888]: CreateProcess C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
2008-12-10 17:51:20 gmer.sys explorer.exe [1888]: CreateProcess C:\Program Files\Sandboxie\SbieCtrl.exe
2008-12-10 17:51:27 gmer.sys services.exe [652]: LoadDriver \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
2008-12-10 17:51:27 gmer.sys svchost.exe [932]: CreateProcess C:\WINDOWS\system32\wuauclt.exe
2008-12-10 17:51:31 gmer.sys explorer.exe [1888]: CreateProcess C:\Program Files\Secunia\PSI\psi.exe
2008-12-10 17:51:36 gmer.sys spoolsv.exe [1308]: CreateProcess C:\WINDOWS\system32\dlbtcoms.exe
2008-12-10 17:52:21 gmer.sys sched.exe [1356]: CreateProcess C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe
2008-12-10 17:53:07 gmer.sys svchost.exe [812]: CreateProcess C:\WINDOWS\system32\wbem\wmiprvse.exe
2008-12-10 17:53:23 gmer.sys sched.exe [1356]: CreateProcess C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe
2008-12-10 17:54:26 gmer.sys sched.exe [1356]: CreateProcess C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe
2008-12-10 17:54:48 gmer.sys sched.exe [1356]: CreateProcess C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe
2008-12-10 17:55:49 gmer.sys sched.exe [1356]: CreateProcess C:\Program Files\Avira\AntiVir PersonalEdition Classic\avwsc.exe
2008-12-10 17:56:02 gmer.sys explorer.exe [1888]: CreateProcess C:\Documents and Settings\user\Desktop\gmer\gmer.exe

I ran Icesword again and it now also says "oadriver.sys". Perhaps it always did, but I did check carefully before posting. However, I guess that I am more likely to have made the error than Icesword; pity I didn't take a screenshot.

If you need any further information just ask.

Thanks.
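The GMER "Log" tab output pasted above is a flat list of CreateProcess and LoadDriver events. The following is an added example, not part of the thread and not GMER's own code: it parses lines in that layout into a process tree and a list of kernel driver loads, then surfaces driver files loaded from outside the usual directories so they can be checked. The input is a constructed subset of the posted lines, and the code assumes the Windows directory is C:\WINDOWS, as the paths in the log show.

```python
"""Parse GMER "Log" tab lines into a process tree and a driver-load list,
then flag driver loads from unusual locations for review.

Added example, not from the thread or from GMER. SAMPLE_LOG is a constructed
subset of the lines posted above; the line layout is inferred from them.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
2008-12-10 17:50:18 gmer.sys System [4]: CreateProcess C:\WINDOWS\system32\smss.exe
2008-12-10 17:50:18 gmer.sys smss.exe [520]: LoadDriver \Registry\Machine\System\CurrentControlSet\Services\Cdfs
2008-12-10 17:50:19 gmer.sys smss.exe [520]: CreateProcess C:\WINDOWS\system32\winlogon.exe
2008-12-10 17:50:19 gmer.sys csrss.exe [584]: LoadDriver \SystemRoot\System32\drivers\dxg.sys
2008-12-10 17:50:19 gmer.sys winlogon.exe [608]: CreateProcess C:\WINDOWS\system32\services.exe
2008-12-10 17:50:22 gmer.sys services.exe [652]: CreateProcess C:\Program Files\Tall Emu\Online Armor\oasrv.exe
2008-12-10 17:50:28 gmer.sys svchost.exe [932]: LoadDriver System32\DRIVERS\rdbss.sys
2008-12-10 17:50:29 gmer.sys oasrv.exe [1168]: LoadDriver \??\C:\WINDOWS\TEMP\mc21.tmp
2008-12-10 17:50:31 gmer.sys avguard.exe [1444]: LoadDriver \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys
2008-12-10 17:51:00 gmer.sys userinit.exe [1076]: CreateProcess C:\WINDOWS\explorer.exe
"""

# One event per line: timestamp, "gmer.sys", process name, [pid], event, target.
LINE_RE = re.compile(
    r"^(?P<time>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) gmer\.sys "
    r"(?P<proc>.+?) \[(?P<pid>\d+)\]: (?P<event>CreateProcess|LoadDriver) (?P<target>.+)$")

WINDIR = "C:\\WINDOWS"  # assumption: the poster's Windows directory, as seen in the log
EXPECTED_DRIVER_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def parse_gmer_log(text):
    """Return a list of event dicts; lines that are not gmer.sys events are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def normalize_driver_path(target):
    """Turn the spellings GMER prints (\\??\\ prefix, \\SystemRoot\\, paths relative
    to the Windows directory) into one absolute path. Returns None when the
    driver was loaded by service key (a \\Registry\\... target) rather than by file."""
    if target.startswith("\\Registry\\"):
        return None
    path = target
    if path.startswith("\\??\\"):
        path = path[4:]
    if path.lower().startswith("\\systemroot\\"):
        path = WINDIR + path[len("\\systemroot"):]
    if not re.match(r"^[A-Za-z]:\\", path):
        path = WINDIR + "\\" + path  # relative paths are relative to the Windows directory
    return path


def process_tree(events):
    """Map 'parent.exe [pid]' to the image paths it started, in log order."""
    tree = defaultdict(list)
    for e in events:
        if e["event"] == "CreateProcess":
            tree[f"{e['proc']} [{e['pid']}]"].append(e["target"])
    return dict(tree)


def driver_loads(events):
    """(loader, pid, normalized path or None, raw target) for each LoadDriver event."""
    return [(e["proc"], int(e["pid"]), normalize_driver_path(e["target"]), e["target"])
            for e in events if e["event"] == "LoadDriver"]


def suspicious_driver_loads(events):
    """Driver files loaded from outside system32 / Program Files, or with a
    temporary-file location or name. A triage heuristic: it surfaces entries
    to verify against the product's documented behaviour, nothing more."""
    flagged = []
    for proc, pid, path, raw in driver_loads(events):
        if path is None:
            continue
        low = path.lower()
        reasons = []
        if not low.startswith(EXPECTED_DRIVER_DIRS):
            reasons.append("outside system32 / Program Files")
        if "\\temp\\" in low or low.endswith(".tmp"):
            reasons.append("temporary-file location or name")
        if reasons:
            flagged.append({"loader": proc, "pid": pid, "path": path,
                            "raw": raw, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    evs = parse_gmer_log(SAMPLE_LOG)
    for parent, children in process_tree(evs).items():
        for child in children:
            print(f"{parent:<20} -> {child}")
    for f in suspicious_driver_loads(evs):
        print(f"REVIEW: {f['loader']} [{f['pid']}] loaded {f['raw']}: {'; '.join(f['reasons'])}")
```

On the sample subset the tree reproduces the normal XP boot chain (System → smss.exe → winlogon.exe → services.exe → ...), and exactly one driver load is raised for review: the Online Armor service oasrv.exe loading \??\C:\WINDOWS\TEMP\mc21.tmp. The thread itself does not discuss that line; a check like this only puts it on the list of things to confirm with the vendor's documentation, it does not decide either way.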

#4 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 10 December 2008 - 05:00 AM

Hello Joe Blow.

SASKUTIL.sys is, as you said, part of SuperAntiSpyware.

The driver name "OAdriver.sys" is used by legit programs. The entry is most likely legit.

If you want to make sure, boot into Safe Mode and copy (not move!) "C:\WINDOWS\system32\drivers\oadriver.sys" to your desktop.

Reboot into normal mode. Send that file to Jotti or VirusTotal to be scanned. Post back with the results.

How to Boot into Safe Mode
  • Shut down your computer.
  • Press the power on button.
  • Wait for your computer to beep.
  • After hearing the beep, hit the F8 key repeatedly until you see a selection screen.
  • Use your arrow keys to navigate the highlight to Safe Mode.
  • Hit Enter.
  • You will now be asked to choose your operating system. Again, use the arrow keys to select Microsoft Windows XP, if the highlight was not already on it.
  • Hit Enter.
Your computer will proceed to booting into Safe Mode. During the boot process, you may see random code go past your screen. Simply wait for it to pass. Your computer should boot like usual, except with Safe Mode written in the corners of your screen. Your screen may also appear to be a different size because the video drivers are not loaded properly in Safe Mode.

After the boot, you will be asked whether you wish to use system restore, or to continue to Safe Mode. Select OK to choose Safe mode.

With Regards,
The Panda

#5 joe blow
  • Topic Starter
  • Members
  • 78 posts

Posted 11 December 2008 - 02:45 AM

Hi Panda,

Thanks for the help. Are the four entries that came back from Icesword as

index  crnt_add    kmodule  org_add     name
0x35   0xF9992164  unknown  0x8058E64B  NtCreateThread
0x7A   0xF9992150  unknown  0x805717C7  NtOpenProcess
0x80   0xF9992155  unknown  0x8058A1c9  NtOpenThread
0x115  0xF999215a  unknown  0x8057E42A  NtWriteVirtual

and I guess were the same four GMER logged as

F98E7FF4 ZwCreateThread
F98E7FE0 ZwOpenProcess
F98E7FE5 ZwOpenThread
F98E7FEA ZwWriteVirtualMemory

do you think they are anything to worry about?
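The first post lists four SSDT hooks that Icesword attributes to an "unknown" module, and this post pairs them with the four hooks GMER reported after a reboot. The following added example, which is not from the thread or from either tool, does that pairing mechanically: it parses both listings exactly as posted, joins them by system service name (Nt* and Zw* are two names for the same SSDT slot, and Icesword truncated "NtWriteVirtualMemory" to "NtWriteVirtual"), and measures how far apart the hook addresses lie. Hooks installed by a single driver point into one small table inside that driver, so a tight cluster in both scans is what a single module relocated between reboots looks like.

```python
"""Cross-check SSDT hook listings from two rootkit scanners.

Added example, not from the thread or from either tool. The five-column
Icesword rows and the two-column GMER rows below are copied from the posts
above; parsing assumes exactly that layout.
"""
import re

# Icesword "SSDT" rows as posted: index, current address, module, original
# address, service name (the last name was truncated by the tool).
ICESWORD_SSDT = """
0x35 0xF9992164 unknown 0x8058E64B NtCreateThread
0x7A 0xF9992150 unknown 0x805717C7 NtOpenProcess
0x80 0xF9992155 unknown 0x8058A1c9 NtOpenThread
0x115 0xF999215a unknown 0x8057E42A NtWriteVirtual
"""

# GMER "Rootkit" tab rows as posted after a reboot: hook address, service name.
GMER_SSDT = """
F98E7FF4 ZwCreateThread
F98E7FE0 ZwOpenProcess
F98E7FE5 ZwOpenThread
F98E7FEA ZwWriteVirtualMemory
"""


def service_key(name):
    """Nt* and Zw* name the same SSDT slot; compare on the lowercase stem."""
    return re.sub(r"^(Nt|Zw)", "", name).lower()


def parse_icesword(text):
    rows = []
    for line in text.strip().splitlines():
        index, current, module, original, name = line.split()
        rows.append({"index": int(index, 16), "current": int(current, 16),
                     "module": module, "original": int(original, 16), "name": name})
    return rows


def parse_gmer(text):
    rows = []
    for line in text.strip().splitlines():
        address, name = line.split()
        rows.append({"current": int(address, 16), "name": name})
    return rows


def correlate(ice_rows, gmer_rows):
    """Pair each Icesword row with the GMER row for the same service.
    Prefix matching tolerates the truncated 'NtWriteVirtual'."""
    pairs = []
    for ice in ice_rows:
        key = service_key(ice["name"])
        match = next((g for g in gmer_rows
                      if service_key(g["name"]).startswith(key)
                      or key.startswith(service_key(g["name"]))), None)
        pairs.append({"service": ice["name"], "index": ice["index"],
                      "icesword_addr": ice["current"],
                      "gmer_name": match["name"] if match else None,
                      "gmer_addr": match["current"] if match else None})
    return pairs


def hook_span(addresses):
    """Bytes between the lowest and highest hook address. One driver's hooks
    land in one small trampoline table, so the span is tiny; hooks owned by
    unrelated modules are scattered across the kernel address space."""
    return max(addresses) - min(addresses)


def report(ice_rows, gmer_rows, cluster_limit=0x1000):
    pairs = correlate(ice_rows, gmer_rows)
    ice_span = hook_span([p["icesword_addr"] for p in pairs])
    gmer_addrs = [p["gmer_addr"] for p in pairs if p["gmer_addr"] is not None]
    gmer_span = hook_span(gmer_addrs) if gmer_addrs else None
    # Both scans showing one tight cluster is consistent with a single driver,
    # loaded at a different base address after the reboot, owning all four hooks.
    clustered = ice_span < cluster_limit and gmer_span is not None and gmer_span < cluster_limit
    return {"pairs": pairs,
            "all_matched": all(p["gmer_addr"] is not None for p in pairs),
            "icesword_span": ice_span, "gmer_span": gmer_span,
            "single_module_likely": clustered}


if __name__ == "__main__":
    result = report(parse_icesword(ICESWORD_SSDT), parse_gmer(GMER_SSDT))
    for p in result["pairs"]:
        print(f"{p['service']:<22} Icesword 0x{p['icesword_addr']:08X}  "
              f"GMER 0x{p['gmer_addr']:08X} ({p['gmer_name']})")
    print("Icesword span: 0x%X  GMER span: 0x%X  single module likely: %s"
          % (result["icesword_span"], result["gmer_span"], result["single_module_likely"]))
```

On the posted data all four services pair up, and the hook addresses span 0x14 bytes in the Icesword scan and 0x14 bytes in the GMER scan. The "org_add" values in the 0x805xxxxx range are where the XP kernel image itself lives, and the current addresses in the 0xF9xxxxxx range are where third-party drivers are mapped, so the picture is four kernel services redirected into one driver. Thread creation, process and thread opening, and writing another process's memory are exactly the services a host intrusion prevention product intercepts to block injection, which is why a firewall with process protection owning them is the plausible reading; the scanner evidence supports the thread's conclusion, and the file scan the poster then ran is the confirmation step.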

#6 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 11 December 2008 - 05:00 AM

Hello.

Those are nothing to worry about.

Were you able to send that file to Jotti?

With Regards,
The Panda

#7 joe blow
  • Topic Starter
  • Members
  • 78 posts

Posted 13 December 2008 - 03:02 AM

Hi,

Jotti would not open, perhaps a problem at their end.

I went to VirusTotal and everything but VBA32 scanned "oadriver.sys" as clean. VBA32 said "suspected of Win32.BrokenEmbeddedSignature (paranoid heuristics)".

Don't know if that is a problem or not.

#8 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 13 December 2008 - 03:18 AM

Hello joe blow.

That is most likely a false positive. It does say "paranoid heuristics". "BrokenEmbeddedSignature" is not the name of an infection, but just what it says in the driver file.

Looks clean.

With Regards,
The Panda

#9 joe blow
  • Topic Starter
  • Members
  • 78 posts

Posted 14 December 2008 - 07:25 PM

Yes, I think you're right. Thanks for the help.

#10 PropagandaPanda
  • Malware Response Team
  • 10,433 posts

Posted 14 December 2008 - 07:59 PM

You are welcome.

The Panda