
MBAR detect TDSSKiller's driver as forged?




I believe that the driver belongs to TDSSKiller (Kaspersky)


The log from TDSSKiller:


21:27:44.0828 0x08c0  ================ Scan services =============================
21:27:45.0187 0x08c0  [ ECBEC3AC6A9F6DF4923A3AAE099BF2F7, 50911ED3ACD473F0487428369B777378FE6FA4546B5C3C2C7A53422589A2B603 ] 12658221        C:\Windows\system32\drivers\23035821.sys
21:27:45.0375 0x08c0  12658221 - ok
21:27:45.0562 0x08c0  [ ECBEC3AC6A9F6DF4923A3AAE099BF2F7, 50911ED3ACD473F0487428369B777378FE6FA4546B5C3C2C7A53422589A2B603 ] 80523167        C:\Windows\system32\drivers\95808618.sys
21:27:45.0765 0x08c0  80523167 - ok


The log from MBAR:


File C:\WINDOWS\SYSTEM32\drivers\81169106.sys --> [Forged file]
C:\WINDOWS\SYSTEM32\drivers\81169106.sys will be destroyed


Although MBAR wasn't able to delete it successfully, I decided to report the situation just in case.


The topic is here


  • Staff

Hi Georgi. Do you have the file? Without it, I'm unsure if there's much we can do.

I can't replicate this on a test box even when running MBAR at the same time as TDSSKiller.

Something missing from your user's TDSSKiller log though, it seems to me.
I see no line similar to:

KLMD registered as C:\Windows\system32\drivers\66539149.sys


It looks like TDSSKiller is having troubles registering its service on that system?
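To make that check mechanical, here is an added Python triage helper (example code, not a Malwarebytes or Kaspersky tool) that parses the two log excerpts quoted in this thread: it looks for the `KLMD registered as` line, indexes TDSSKiller's service entries by path and hash, and classifies each MBAR "Forged file" hit as TDSSKiller's own registered driver, a duplicate of an image already listed, a listed driver, or an unknown file worth preserving. The verdict labels are my own; the line shapes and sample values are the ones posted above.

```python
import re
from collections import defaultdict
# Log lines quoted in this thread; driver names and hashes are as posted there.
TDSS_LOG = r"""
21:27:44.0828 0x08c0  ================ Scan services =============================
21:27:45.0187 0x08c0  [ ECBEC3AC6A9F6DF4923A3AAE099BF2F7, 50911ED3ACD473F0487428369B777378FE6FA4546B5C3C2C7A53422589A2B603 ] 12658221        C:\Windows\system32\drivers\23035821.sys
21:27:45.0375 0x08c0  12658221 - ok
21:27:45.0562 0x08c0  [ ECBEC3AC6A9F6DF4923A3AAE099BF2F7, 50911ED3ACD473F0487428369B777378FE6FA4546B5C3C2C7A53422589A2B603 ] 80523167        C:\Windows\system32\drivers\95808618.sys
21:27:45.0765 0x08c0  80523167 - ok
"""
MBAR_LOG = r"""
File C:\WINDOWS\SYSTEM32\drivers\81169106.sys --> [Forged file]
"""
SERVICE_RE = re.compile(  # "[ MD5, SHA256 ] service-name   path"
    r"^\d\d:\d\d:\d\d\.\d+ 0x[0-9a-fA-F]+\s+\[ ([0-9A-F]+), ([0-9A-F]+) \] (\S+)\s+(\S+)$")
KLMD_RE = re.compile(r"^KLMD registered as (\S+)$")
FORGED_RE = re.compile(r"^File (\S+) --> \[Forged file\]$")

def parse_tdsskiller(log):
    """Return (KLMD driver path or None, {service_name: (path, md5, sha256)})."""
    klmd, services = None, {}
    for raw in log.splitlines():
        if m := KLMD_RE.match(raw.strip()):
            klmd = m.group(1)
        elif m := SERVICE_RE.match(raw.strip()):
            md5, sha256, name, path = m.groups()
            services[name] = (path, md5, sha256)
    return klmd, services

def triage(tdss_log, mbar_log):
    """Classify each MBAR 'Forged file' hit against what TDSSKiller logged."""
    klmd, services = parse_tdsskiller(tdss_log)
    md5_by_path, paths_by_md5 = {}, defaultdict(set)
    for path, md5, _ in services.values():
        md5_by_path[path.lower()] = md5
        paths_by_md5[md5].add(path.lower())
    verdicts = {}
    for raw in mbar_log.splitlines():
        if not (m := FORGED_RE.match(raw.strip())):
            continue
        path, key = m.group(1), m.group(1).lower()
        if klmd and key == klmd.lower():
            verdicts[path] = "tdsskiller-klmd"          # MBAR hit TDSSKiller's own registered driver
        elif key in md5_by_path and len(paths_by_md5[md5_by_path[key]]) > 1:
            verdicts[path] = "duplicate-hash-service"   # one image registered under several names
        elif key in md5_by_path:
            verdicts[path] = "listed-by-tdsskiller"
        else:
            verdicts[path] = "unknown-collect-sample"   # absent from TDSSKiller's log: keep the file
    return klmd, verdicts
```

On the excerpts above it returns no KLMD path and "unknown-collect-sample" for 81169106.sys, which is exactly the gap noted in the reply: the file never appears in TDSSKiller's log, so the sample itself is needed to say more.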


Hi Bob,


I am truly sorry about the delay. I had no time for the internet in the past few days. I think that we can ignore this because the user had TDL4 (inactive, and we removed the bad partition) and also his HDD had a lot of bad clusters, making the OS unstable to operate properly (causing a lot of BSODs, freezes, etc.). The MBR was clean and most of the tools (MBAR, TDSSKiller, Listparts) reported no active infection on board (only Symantec reported Tidserv, but I guess it was a false positive)... I had no chance to receive the results from aswMBR and Avira (to see if they still detected anything after the fix with Listparts was performed) because of the freezes, so I advised the user to replace the bad HDD with a new one, and now all seems to be ok. Maybe the bad clusters damaged the file 81169106.sys in some manner and that's why MBAR detected it as forged.


It looks like TDSSKiller is having troubles registering its service on that system?


Well, the TDSSKiller developer updated the tool twice in the last 2 weeks... the first reason was that TDSSKiller detected its own driver as a rootkit

and the second reason was to improve TDSSKiller to be able to detect and remove the malicious partition of the inactive bootkit, like in the topic above, so something may have happened with the last release (or maybe it was because of the HDD failure).


  • Staff

Hi Georgi. Sorry to hear about your connectivity issues. I hope all is well now.

Thanks for your report. It may have been either the bad clusters on the drive, or the issue now fixed by the TDSSKiller developer, causing MBAR to hit that driver.

I believe we can say this is a non-issue for MBAR at this point. If you ever come across a similar issue, please don't hesitate to report, and be prepared to provide the suspect file. We might also require additional information so we could analyze the situation properly and make adjustments if needed. We can talk about that in PM, or if the issue happens to present itself again.
