CCE Hidden Service scan messed up my computer

Following the article at Gizmo’s TechSupport Alert I thought I would test out CCE, fortunately in a VirtualBox VM running Windows XP SP3 with VirtualBox running on Windows 7 64 bit. I am researching malware cleaning solutions for a course on malware that I am developing.

The scan did not find any threats (which is what I was expecting), and then it proceeded to ask to boot my computer to do a “Hidden Service Scan”. The results of this scan were a real surprise: lots of quite normal, and essential, Windows services being presented as potential “rootkit hidden services”, the registry entries for which it indicated had been cleaned! There was no option to choose whether to allow cleaning to go ahead; it just happened.

The result is a crippled system with dozens of essential services destroyed, especially the VirtualBox Guest Additions supporting services.

I would post you the log file; however, the damage is such that network connectivity, USB, etc. are broken, so just getting the log file off the computer is impossible (I can’t even attach a USB stick). To give some idea of what’s in it (by “log file” I mean the CCE_YYYYMMDD_HHMMSS.txt file), the first service it selected to remove was:

HKLM\SYSTEM\CurrentControlSet\Services\Modem RootKit.HiddenService HIDDENSVR Clean OK

I abbreviated HKLM as I am typing this manually.

There is then a long list of normal, essential services in the M, N, P, R, S, T etc. alphabetical range, e.g. RpcLocator, Schedule, ScsiPort, through various Vbox* services, ending in things like yukonwxp etc. I would estimate it’s wiped out about a hundred services.

This seems like a major problem with the product. How can it apparently misidentify a set of normal, essential services as a RootKit?

Prior to starting the “smart scan” (yeah, right :wink: ) the only option on the configuration screen I chose was “report all MBR modifications”. I don’t see what MBR scanning could have to do with this anyway and I mention it only for completeness.

I realize this can’t be a general problem with the software, but this has not been a good experience for me.
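As an added example (not part of the original post, and not code from the CCE product), here is a small Python script that parses log lines in the layout the poster describes above (registry key, detection name, object type, action taken) and separates the services marked “Clean OK” into ones that exist on a stock Windows XP install (likely false positives) and ones that still need a look. The sample lines are constructed from the names mentioned in the post, the “Clean Failed” action string is hypothetical filler, and the baseline list is a partial, hand-made set, not an authoritative inventory; for real use you would export the Services key from a known-good snapshot.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the layout the poster describes. Not the real
# attachment; the "Clean Failed" action string is hypothetical filler added
# to exercise the filter. Both the abbreviated HKLM and the full hive name
# are accepted, since the poster abbreviated by hand.
SAMPLE_LOG = """\
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Modem RootKit.HiddenService HIDDENSVR Clean OK
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\mraid RootKit.HiddenService HIDDENSVR Clean OK
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\RpcLocator RootKit.HiddenService HIDDENSVR Clean OK
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Schedule RootKit.HiddenService HIDDENSVR Clean OK
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\VBoxGuest RootKit.HiddenService HIDDENSVR Clean OK
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\yukonwxp RootKit.HiddenService HIDDENSVR Clean OK
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Foo RootKit.HiddenService HIDDENSVR Clean Failed
some unrelated line that should be ignored
"""

# One entry per line: <services key>\<name>  <detection>  <type>  <action...>
LINE_RE = re.compile(
    r"^(?P<key>HK(?:EY_LOCAL_MACHINE|LM)\\SYSTEM\\CurrentControlSet\\Services\\"
    r"(?P<service>[^\\\s]+))\s+(?P<detection>\S+)\s+(?P<kind>\S+)\s+(?P<action>.+?)\s*$"
)


@dataclass(frozen=True)
class Entry:
    key: str
    service: str
    detection: str
    kind: str
    action: str


def parse_cce_log(text: str) -> list[Entry]:
    """Return the entries that match the per-service line layout; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(**m.groupdict()))
    return entries


def cleaned_services(entries: list[Entry]) -> list[str]:
    """Service key names the scanner reports it actually removed."""
    return [
        e.service
        for e in entries
        if e.detection == "RootKit.HiddenService" and e.action == "Clean OK"
    ]


# Partial, constructed reference set of service keys present on a stock
# Windows XP SP3 install. Real triage should use an export of
# HKLM\SYSTEM\CurrentControlSet\Services taken from a known-good snapshot.
# Registry key names are case-insensitive, so everything is compared lowercased.
KNOWN_XP_SERVICES = frozenset(
    s.lower()
    for s in ("Modem", "RpcLocator", "Schedule", "ScsiPort", "Dhcp", "Eventlog", "Spooler")
)


def triage(entries: list[Entry], baseline: frozenset = KNOWN_XP_SERVICES) -> dict:
    """Split removed services into stock-OS names and everything else."""
    removed = cleaned_services(entries)
    return {
        "likely_false_positive": sorted((s for s in removed if s.lower() in baseline), key=str.lower),
        "needs_review": sorted((s for s in removed if s.lower() not in baseline), key=str.lower),
    }


if __name__ == "__main__":
    result = triage(parse_cce_log(SAMPLE_LOG))
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or '(none)'}")
```

The "needs_review" bucket is where third-party drivers such as the VBox* services or a NIC driver land; seeing a stock service like Schedule or RpcLocator in the "likely_false_positive" bucket is the quickest way to show a vendor that the scanner removed entries it should never have touched.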

I have not heard of a problem like this before. Perhaps it occurred because it was run in VirtualBox and not on an actual computer. I do know that certain security products often have issues when run in VirtualBox, which they do not when run on an actual computer or in VMWare.

That said, I’m looking into it.

Thanks for alerting me to the possible problem.

Hi

As it was a VM guest I managed to restore back to a previous snapshot and recover things. I have attached the logs and config files. Hope they help.

Happy to help with some more tests if required. I assume this board has a PM facility so let me know if you need any other info to help troubleshoot.

Thanks

[attachment deleted by admin]

I seem to recall that there are several security products that don’t function properly within VirtualBox, so it seems that VB has less than robust OS emulation. I am unsure whether or not this is the case in this instance, but I wouldn’t really be surprised.

I don’t have an XP SP3 machine in VB to test with, but I just ran a smart scan with the “report all MBR modifications” enabled on my VMWare XP SP3 machine running on an XP SP3 host, and didn’t have the issue that you did.

[attachment deleted by admin]

I readily accept that this can’t be a general problem with the software, but you will be able to see clearly from the log what happened to me, so there is a (probably quite subtle) issue in there somewhere that it would probably be beneficial to investigate. I have also been able to take some time to recreate this problem. Having restored my VM guest and re-run the scan, it has done exactly the same thing, although it started trashing services with one called “mraid” rather than “modem”. It’s interesting how this problem starts with services that begin with “m”…

Now that I can recreate this, if you want help to diagnose what’s going on, I will try to assist.

I tend to think that it’s something about my Windows XP image that causes the problem and the virtualization aspect is a red herring, but at least being a VM guest it means I can trash it repeatedly and restore to a snapshot :slight_smile:

I apologize if you felt that I was saying you didn’t have this problem. That was not my intention.

I was just giving some data on Chiron’s conjecture that the problem may actually be with VirtualBox. As I do not have an XP SP3 machine in VB, but I do in VMWare, I just did a quick test to see if the same thing happened to me in VMWare.