Author Topic: Possibly an undetectable backdoor infection?  (Read 6040 times)

Offline emanresuoseehc

  • Comodo Family Member
  • ***
  • Posts: 76
Possibly an undetectable backdoor infection?
« on: August 31, 2012, 10:32:45 AM »
Hi.

A couple days ago, my monitor suddenly went into stand-by mode and the computer was completely unresponsive (i.e. no lights went on or off on the keyboard), so I had to boot by turning the power off and on again. Recently I noticed through Windows' system events log that ever since the incident, there have been numerous services launching that weren't present before. Such as Tapisrv (phone), RasMan (for remote connections), and something called tgptya, which I can't find any info on.

In addition to those entries, there are several references to disk errors and an entry saying that "The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'tvelms.sys' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume."

The latter, to me, would seem like an indication of a failing hard-drive and indeed I have had problems with the HD before: every now and then my computer is not able to boot, claiming that there is no hard drive connected. After waiting a few minutes and restarting, it is able to find the drive and boot normally. Since the odd crash, I've had Windows freeze & lock up very, very frequently, though without the monitor going into stand-by mode. I also had a blue screen upon launching Windows a few times, saying "pen list corrupted". This hints at memory, correct? Yesterday I removed some, and the crashes have not returned since.

However, the services Tapisrv and Rasman, among others, that have been launching upon each start-up of Windows since then, makes me wonder if it's linked to a trojan. I've never had need for any kind of remote access on my computer, though I have had GeekBuddy installed. Could this somehow explain the services running?

If it is a trojan, then Comodo is unable to detect it, as I've run full scans with CIS Premium, Comodo Cleaning Essentials, and additionally with Malwarebytes' Anti-Malware. All of them up-to-date. And when my PC had that strange crash, I wasn't browsing any suspicious sites, and I had CIS running with Firewall in Safe Mode, Defense+ in Safe Mode and Antivirus on On Access. So assuming an unknown executable somehow made it on my computer prior to the crash, wouldn't Comodo have sandboxed it?

Could a failing/damaged hard drive or corrupt memory explain the strange behavior regarding the services, or does this strongly suggest the presence of a virus of some kind? In the case of the latter, I would appreciate a suggestion for next step, as 3 programs have already made thorough scans and found nothing (performed them in safe mode also, if that makes any difference).

My OS is Windows XP Pro, SP3.

Thanks in advance for any help.
« Last Edit: August 31, 2012, 10:44:26 AM by emanresuoseehc »

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 19560
Re: Possibly an undetectable backdoor infection?
« Reply #1 on: August 31, 2012, 11:55:12 AM »
Quote
Hi.

A couple days ago, my monitor suddenly went into stand-by mode and the computer was completely unresponsive (ie. no lights went on or off on the keyboard), so I had to boot by turning the power off and on again. Recently I noticed through Windows' system events log that ever since the incident, there have been numerous services launching that weren't present before. Such as Tapisrv (phone), RasMan (for remote connections), and something called tgptya, which I can't find any info on.
Are you on a dial up connection? Do you have remote desktop enabled in your Windows?

Run Autoruns and see what executable is connected to tgptya and upload that file to Virus Total to see if scanners think it is something malicious. Could you post the url to the page with the Virus Total report here?

Quote
In addition to those entries, there are several references to disk errors and an entry saying that "The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'tvelms.sys' on the volume'HarddiskVolume1'. It has stopped monitoring the volume."

The latter, to me, would seem like an indication of a failing hard-drive and indeed I have had problems with the HD before: every now and then my computer is not able to boot, claiming that there is no hard drive connected. After waiting a few minutes and restarting, it is able to find the drive and boot normally. Since the odd crash, I've had Windows freeze & lock up very, very frequently, though without the monitor going into stand-by mode.
Please check your hard drive with the analysis utility of the drive's manufacturer and see what it reports. If it reports bad sectors, see if they can be fixed. Then run chkdsk /r from the command prompt. This will have Windows check your hard drive for anomalies and try to fix them.

Quote
I also had a blue screen upon launching Windows a few times, saying "pen list corrupted". This hints at memory, correct? Yesterday I removed some, and the crashes have not returned since.
Please download Bluescreen view and see what the blue screen said. Did it say PFN list instead of PEN list?

Quote
However, the services Tapisrv and Rasman, among others, that have been launching upon each start-up of Windows since then, makes me wonder if it's linked to a trojan. I've never had need for any kind of remote access on my computer, though I have had GeekBuddy installed. Could this somehow explain the services running?
Live PC support service from GeekBuddy does not have any dependencies. That means these services are not started by GB.

Quote
If it is a trojan, then Comodo is unable to detect it, as I've ran full scans with CIS Premium, Comodo Cleaning Essentials, and additionally with Malwarebytes' Anti-Malware. All of them up-to-date. And when my PC had that strange crash, I wasn't browsing any suspicious sites, and I had CIS running with Firewall in Safe Mode, Defense+ in Safe Mode and Antivirus on On Access. So assuming an unknown executable somehow made it on my computer prior to the crash, wouldn't Comodo have sandboxed it?
Please run the following scanners to see if anything potentially malicious is running: Hitman Pro, Super Antispyware and TDSS Killer.

Offline emanresuoseehc

  • Comodo Family Member
  • ***
  • Posts: 76
Re: Possibly an undetectable backdoor infection?
« Reply #2 on: August 31, 2012, 08:56:10 PM »
Thank you for the suggestions.

I'm on a DSL (cable) modem. However, I don't know much about its functionality, since accessing it from my computer, using its IP, it does not even ask for login details (it never has), nor does it offer options to change settings other than for WLAN and change the mode between either routed or bridged (it is on routed). No, remote desktop is not enabled in my Windows.

I ran Autoruns and searched for tgptya, but it found no references.

Since I have a Seagate hard drive, I used the SeaTools utility and ran a quick Drive Self Test, which gave a result of 'pass'.

Indeed, the blue screen said '0x4E: PFN_LIST_CORRUPT'.

I ran scans with all the software you listed. SuperAntiSpyware scan showed Geekbuddy's 'lps_migration_tool' as Heur.Agent/Gen-WhiteBox. I uploaded it to VirusTotal:
https://www.virustotal.com/file/77d1c15eb311788aa0a48574952168cac1027aca15b08a32f8e439ffaa405277/analysis/

TrendMicro-HouseCall has also identified it as a trojan.



Is it ok to post the results here? Hitman Pro gave the following:

------------------------------------------------------------------------------

C:\Documents and Settings\ComputerName\Local Settings\Application Data\COMODO\.tmp\ctx30.tmp
      Size . . . . . . . : 285 696 bytes
      Age  . . . . . . . : 864.7 days (2010-04-20 08:31:13)
      Entropy  . . . . . : 6.8
      SHA-256  . . . . . : 8338756C839AC9D0847F28DA117FC4C7DAD30F0BD95D9E879823DFE8BA9EEACA
      Product  . . . . . : Adobe Type Manager
      Publisher  . . . . : Adobe Systems Incorporated
      Description  . . . : Windows NT OpenType/Type 1 Font Driver
      Version  . . . . . : 5.1
      Copyright  . . . . : ©1983-1990, 1993-2004 Adobe Systems Inc.
      Fuzzy  . . . . . . : 44.0
         The file is hidden from Windows API. This is typical for malware.
         The file is completely hidden from view and most antivirus products. It may belong to a rootkit.
         The file name extension of this program is not common.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.

   C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB2675157-IE8.cat
      Size . . . . . . . : 392 056 bytes
      Age  . . . . . . . : 141.3 days (2012-04-12 17:09:34)
      Entropy  . . . . . : 5.7
      SHA-256  . . . . . : 1111C7F0D0BAB98517562362D2CBA5BA7627D67A28AE6B570ABD9B23CB74CEDB
      Product  . . . . . : Microsoft® Windows® -operating system
      Publisher  . . . . : Microsoft Corporation
      Description  . . . : Windows Servicing Setup API
      Version  . . . . . : 6.3.0013.0
      Copyright  . . . . : © Microsoft Corporation. All rights reserved.
      RSA Key Size . . . : 2048
      Authenticode . . . : Invalid
      Fuzzy  . . . . . . : 26.0
         Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
         The file name extension of this program is not common.
         The file is in use by one or more active processes.

   C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB975467.cat
      Size . . . . . . . : 54 272 bytes
      Age  . . . . . . . : 861.0 days (2010-04-24 01:16:25)
      Entropy  . . . . . : 6.7
      SHA-256  . . . . . : FFC774F6F055B1A9A899AB76DAC3E141F582CE19DAE0B3D4DFF9D93916B42D09
      Product  . . . . . : Microsoft® Visual Studio® 2008
      Publisher  . . . . : Microsoft Corporation
      Description  . . . : Microsoft® C/C++ OpenMP Runtime
      Version  . . . . . : 9.00.21022.008
      Copyright  . . . . : © Microsoft Corporation.  All rights reserved.
      RSA Key Size . . . : 2048
      Authenticode . . . : Invalid
      Fuzzy  . . . . . . : 26.0
         Program is altered or corrupted since it was code signed by its author. This is typical for malware and pirated software.
         The file name extension of this program is not common.
         The file is in use by one or more active processes.

   C:\WINDOWS\system32\drivers\PnkBstrK.sys
      Size . . . . . . . : 137 176 bytes
      Age  . . . . . . . : 275.0 days (2011-12-01 00:07:37)
      Entropy  . . . . . : 7.7
      SHA-256  . . . . . : E56C38E22B5904C9BE86AB73A7521899355DA09B33CD95204C4C0E40C800F950
      RSA Key Size . . . : 1024
      Authenticode . . . : Valid
      Fuzzy  . . . . . . : 26.0
         The .reloc (relocation) section in this program contains code. This is an indication of malware infection.
         Entropy (or randomness) indicates the program is encrypted, compressed or obfuscated. This is not typical for most programs.
         Authors name is missing in version info. This is not common to most programs.
         Version control is missing. This file is probably created by an individual. This is not typical for most programs.
         The file is located in a folder that contains core operating system files from Windows. This is not typical for most programs and is only common to system tools, drivers and hacking utilities.
         Program contains PE structure anomalies. This is not typical for most programs.
         The file is a device driver. Device drivers run as trusted (highly privileged) code.
         Program is code signed with a valid Authenticode certificate.

------------------------------------------------------------------------------

Finally, TDSSKiller found several files to be suspicious & of medium risk (unsigned file):

ABIT-IO.sys
ALCXWD.sys
ati2sgag.sys
DCService.sys
ServiceLayer.sys
vidstub.sys
vulfnth.sys
vulfntr.sys

I noticed that when viewing properties & the security tab of those files, ABIT-IO, vulfnth and vulfntr had an unknown user account S-1-5-21-1659004503-854245398-839522115-1003 (a question mark over the picture), with full administrator privileges. But this is a common occurrence if one has installed a new Windows on top of an older one, correct?

In any case, I checked all of those files with VirusTotal and they all came clean. I will try to run a complete disk check with SeaTools and post the results here. However, it might turn out to be problematic, as my computer has started randomly freezing/crashing again after I acquired and ran SeaTools. Any ideas?

Should I be concerned by the results from the various scanners?

edit: Was not able to run SeaTools, OS was crashing way too frequently. Ran a Repair installation off the XP CD but the crashes continued. Now Windows won't boot at all, and when running it off the XP CD, it won't even install a new Windows on it: it asks whether I'd like to install Windows or use Repair, I choose Install and it gets stuck at the next screen where it inspects the hard drive. It recognizes the correct disk size, but for the other information it gives a value 0 (disk 0, channel 0, etc) and says "atapi..."

So despite SeaTools initially giving a 'pass' on the quick test, does this sound like a failed hard drive nonetheless? Or some other hardware issue, with the motherboard perhaps? Assuming it was a virus, wouldn't a repair installation have solved the crash issue? Or at the very least, a virus wouldn't be able to render a hard drive unreadable for a new Windows installation, would it?

After the repair installation, when XP was still able to boot, system events log once again showed entries of Service layer (ALG) and Remote Access Service Manager trying to launch. This time RasMan gave the message that it was unable to load because it is dependent on the service Phone and that it had been disabled. I don't understand why RAS would try to run when I have remote desktop disabled. Is this very worrisome? Could hardware issues somehow explain the launching of services? After all, these started (from what I could notice) after the first major crash. And the only program I have/had installed on my PC that I can think of potentially requiring the Phone service, is GoogleTalk, though even then it wouldn't explain why I haven't noticed earlier entries about that service in the logs.

Any advice/opinions would be greatly appreciated.
« Last Edit: September 01, 2012, 11:40:32 AM by emanresuoseehc »
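The service questions raised in this post (why RasMan pulls in the Phone service, what tgptya actually points at when Autoruns shows nothing, and when these services first started appearing) can be answered directly from the registry and the System event log. The script below is an added example written for this page, not code from the thread or from Comodo; it assumes Windows PowerShell is available (2.0 is installable on XP SP3), that it is run as Administrator, and that the service names are the ones given in the thread. The `$Names` list is the only assumption you may need to change.

```powershell
# Added example (not from the thread): triage the services seen starting after
# the crash. For each name it reads the service's own registry key (present even
# when Autoruns lists nothing), shows what it depends on and what depends on it,
# and pulls Service Control Manager event 7036 to find the first time the
# service entered a new state. Run in an elevated Windows PowerShell prompt.

param(
    # Service names from the thread; 'tgptya' is the unidentified one.
    [string[]]$Names = @('TapiSrv', 'RasMan', 'ALG', 'tgptya')
)

foreach ($name in $Names) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    Write-Host "=== $name ==="

    if (-not (Test-Path $key)) {
        # The SCM cannot start a service with no key here, so a name that shows
        # up in the log but has no key was either mistranslated or was removed.
        Write-Host "no key under Services; check the exact name in the event log"
        continue
    }

    $props = Get-ItemProperty -Path $key
    # Start: 2 = Automatic, 3 = Manual (demand start), 4 = Disabled
    Write-Host ("ImagePath : {0}" -f $props.ImagePath)
    Write-Host ("Start     : {0}" -f $props.Start)
    Write-Host ("DependsOn : {0}" -f ($props.DependOnService -join ', '))

    # For "svchost.exe -k <group>" services the real code is the DLL named in
    # Parameters\ServiceDll, not svchost itself; that is the file to hash.
    $dll = (Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($dll) { Write-Host ("ServiceDll: {0}" -f $dll) }

    # Who pulls this service in? RasMan legitimately requires TapiSrv (Phone),
    # so both starting together is expected; an unknown dependant is not.
    $dependants = Get-Service -Name $name -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DependentServices
    if ($dependants) {
        $list = ($dependants | ForEach-Object { $_.Name }) -join ', '
        Write-Host ("DependedOnBy: {0}" -f $list)
    }
}

# SCM logs event 7036 whenever a service enters the running or stopped state.
# The message text is localized, but it always contains the display name, so
# matching on the display name works on a non-English XP as well.
$displayNames = foreach ($n in $Names) {
    (Get-Service -Name $n -ErrorAction SilentlyContinue).DisplayName
}
$events = Get-EventLog -LogName System -Source 'Service Control Manager' |
    Where-Object { $_.EventID -eq 7036 }

foreach ($dn in ($displayNames | Where-Object { $_ })) {
    $first = $events | Where-Object { $_.Message -like "*$dn*" } |
        Sort-Object TimeGenerated | Select-Object -First 1
    if ($first) {
        Write-Host ("{0,-40} first state change logged: {1}" -f $dn, $first.TimeGenerated)
    }
}
```

If the first 7036 entry for Telephony and Remote Access Connection Manager lines up with the crash date, the next question is which dependant (or which program calling the RAS API) requested them; the `DependedOnBy` line and the `ServiceDll` path give the file to check on VirusTotal.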

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 19560
Re: Possibly an undetectable backdoor infection?
« Reply #3 on: September 01, 2012, 08:56:32 PM »
For the moment I want to focus on the hardware side of things to check for possible instability there.

Start with a manual inspection of the capacitors on your motherboard to see if there are any bad capacitors on it. Look at the photos on the web site closely to learn how to recognise bad capacitors. (Why do I advise looking at this when it is an older problem? You are running XP with a driver for Abit. Abit went out of business years ago after it spent too much money on helping out customers with bad capacitors.)

Memory problems may be causing problems when running the installation process of Windows. Please run Windiag for 10 or more rounds and see if it reports any errors. This may take a couple of hours, so please run the test when you are out for a while.

The judgment of SAS and Trend Micro about the GeekBuddy lps is more than likely a false positive. SAS detection is a heuristic detection which probably sees that the GB program can call home. And since all the other scanners apart from Trend Micro don't detect it, it is highly unlikely the GB component is malware or infected by it.

ALG is a normal Windows service:
Quote
Application Layer Gateway service is a component of the Windows OS. It is required if you use a third-party firewall or Internet Connection Sharing (ICS) to connect to the internet. If you end this program using the Task Manager, you will lose all Internet connectivity until your next system restart or login.
Src: http://www.neuber.com/taskmanager/process/alg.exe.html .

Is your modem an Ethernet or USB modem?

I did not answer all your questions because I want to keep a c

Offline emanresuoseehc

  • Comodo Family Member
  • ***
  • Posts: 76
Re: Possibly an undetectable backdoor infection?
« Reply #4 on: September 02, 2012, 01:32:30 PM »
Unfortunately, I'm unable to run the WinDiag software right now as I don't have available CDs or disks to burn the software on. I will get to it as soon as possible. In the meantime, can we address the other issues?

I do not connect through a USB modem. Ethernet, yes. It is a cablemodem (EuroDOCSIS 3.0), and also offers a wireless network (which I don't use on this computer). Does this mean it is very insecure?

I checked the motherboard as you suggested, but found nothing. In addition, I plugged off the hard drive(s) and started the computer with a Linux CD, and it seemed to work fine.

I think it was a hardware issue but now I'm also quite convinced it was a virus as well, because here's where it gets interesting:

I have another PC on which I ran a clean install of Windows XP SP2 (updated to SP3) about a month ago and hadn't used it since, until yesterday. Joined it into the network, downloaded and installed CIS, ran all the Windows updates. Booted several times and kept an eye on the system events log to see which services ran on start up of Windows. Everything seemed normal.

Then all of a sudden after one boot, it did the same thing as on my other computer: Telephony and Remote Access Connection Manager were now running. The only thing I did different before this boot, as opposed to the prior boots, was that I was signed in on Windows Live Messenger for a short time, talked to someone and initiated a file transfer (which wasn't accepted, however). Would it be realistic to think someone could gain remote access to your computer like that, with up-to-date CIS running, and in a matter of few minutes?

I stopped and disabled those services, and ran a smart scan with CIS, which found the following:

Rootkit.HiddenValue[at]0 HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\DhcpDomain

Rootkit.HiddenValue[at]0 HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer

Rootkit.HiddenValue[at]0 HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{1B0ECA69-55CD-449B-B7BE-318E60614A3C}\Parameters\Tcpip\DhcpSubnetMaskOpt

Rootkit.HiddenValue[at]0 HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{1B0ECA69-55CD-449B-B7BE-318E60614A3C}\Parameters\Tcpip\DhcpDefaultGateway

However, Comodo was not able to clean them, and once I booted and tried again, the scan did not even find them anymore. Nor does a full scan reveal anything (also tried TDSSKiller).

A while later, this entry showed up in the system events viewer:

"The browser has forced an election on network
\Device\NetBT_Tcpip_{1B0ECA69-55CD-449B-B7BE-318E60614A3C} because a
master browser was stopped."

This entry has appeared frequently since then. It seems to appear whenever I go offline.

Next up, under the Applications events log, there was a 'crypt32' entry saying that a third party certificate has been automatically updated from
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/91C6D6EE3E8AC86384E548C299295C756C817B81.crt>

And a second entry, with the same timestamp, saying the following certificate has been updated:

<CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only",
OU=Certification Services Division, O="thawte, Inc.", C=US> Sha1-signature:
<91C6D6EE3E8AC86384E548C299295C756C817B81>

Since then, when offline, there appear various error entries saying how a third party mainlist cannot be extracted from automatically updated Cab-file in the source;
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

I then ran a scan with Malwarebytes Anti-Malware, which found a malware 'officekey.exe'. At the same time, CIS also detected it, among a couple other files in the same folder:

C:\DOCUMENTS AND SETTINGS\computer\LOCAL SETTINGS\Temp\RarSFX0\findkey.exe
C:\DOCUMENTS AND SETTINGS\computer\LOCAL SETTINGS\Temp\RarSFX0\officekey.exe
C:\DOCUMENTS AND SETTINGS\computer\LOCAL SETTINGS\Temp\RarSFX0\xpkey.exe

It quarantined them on the spot. However, a while later, after I booted, I got the notification that Windows did not pass the authentication test (which it had passed earlier the same day), so apparently the virus modified my license key.

I also noticed the following entries in setupapi.log in the Windows folder (my XP is not in English and I had to translate the following lines, so they may be inaccurate):

------------------------------------

[2012/09/02 02:17:16 1116.267]
#-198 Processed commandline: C:\WINDOWS\system32\svchost.exe -k netsvcs
#-166 Device installation function: DIF_PROPERTYCHANGE.
#I292 Device PCI\VEN_1106&DEV_3065&SUBSYS_30651849&REV_78\3&267A616A&0&90 properties are being changed.
#I300 DICS_DISABLE: Disabling device in profile (null).
[2012/09/02 02:17:35 1116.278]
#-198 Processed commandline: C:\WINDOWS\system32\svchost.exe -k netsvcs
#-166 Device installation function: DIF_PROPERTYCHANGE.
#I292 Device PCI\VEN_1106&DEV_3065&SUBSYS_30651849&REV_78\3&267A616A&0&90 properties are being changed.
#I296 DICS_ENABLE: Enabling device in profile (null).
[2012/09/02 02:19:10 1116.330]
#-198 Processed commandline: C:\WINDOWS\system32\svchost.exe -k netsvcs
#-166 Device installation function: DIF_PROPERTYCHANGE.
#I292 Device PCI\VEN_1106&DEV_3065&SUBSYS_30651849&REV_78\3&267A616A&0&90 properties are being changed.
#I300 DICS_DISABLE: Disabling device in profile (null).
[2012/09/02 02:26:53 1116.340]
#-198 Processed commandline: C:\WINDOWS\system32\svchost.exe -k netsvcs
#-166 Device installation function: DIF_PROPERTYCHANGE.
#I292 Device PCI\VEN_1106&DEV_3065&SUBSYS_30651849&REV_78\3&267A616A&0&90 properties are being changed.
#I296 DICS_ENABLE: Enabling device in profile (null).

------------------------------------

Is that normal?



Lastly, I'd like to ask a few things about CIS:
Is it normal to have "Allow system to send/receive requests if the target is in [Home #1]" under the Application and Global rules section, and is it normal for Privileged Ports to say "In [0 - 1023]"?

Is it also normal for Defense+ Trusted Files to include files without company name? There are a lot of \WINDOWS\ files without an apparent signature to them, including jscript.dll, netapi32.dll, rpcss.dll etc.?

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 19560
Re: Possibly an undetectable backdoor infection?
« Reply #5 on: September 03, 2012, 12:08:57 PM »
Quote
Unfortunately, I'm unable to run the WinDiag software right now as I don't have available CDs or disks to burn the software on. I will get to it as soon as possible. In the meantime, can we address the other issues?

I do not connect through a USB modem. Ethernet, yes. It is a cablemodem (EuroDOCSIS 3.0), and also offers a wireless network (which I don't use on this computer). Does this mean it is very insecure?

I checked the motherboard as you suggested, but found nothing. In addition, I plugged off the hard drive(s) and started the computer with a Linux CD, and it seemed to work fine.

I think it was a hardware issue but now I'm also quite convinced it was a virus as well, because here's where it gets interesting:

I have another PC on which I ran a clean install of Windows XP SP2 (updated to SP3) about a month ago and hadn't used it since, until yesterday. Joined it into the network, downloaded and installed CIS, ran all the Windows updates. Booted several times and kept an eye on the system events log to see which services ran on start up of Windows. Everything seemed normal.

Then all of a sudden after one boot, it did the same thing as on my other computer: Telephony and Remote Access Connection Manager were now running. The only thing I did different before this boot, as opposed to the prior boots, was that I was signed in on Windows Live Messenger for a short time, talked to someone and initiated a file transfer (which wasn't accepted, however).
Maybe WLM is the source of these services running. See if uninstalling it makes the start of the services stop.

Quote
Would it be realistic to think someone could gain remote access to your computer like that, with up-to-date CIS running, and in a matter of few minutes?
It is not impossible but CIS buffer overflow protection would likely have caught WLM crashing when an exploit tried to crash it in order to get a foot in the door.

Quote
I stopped and disabled those services, and ran a smart scan with CIS, which found the following:

Rootkit.HiddenValue[at]0 HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\DhcpDomain

Rootkit.HiddenValue[at]0 HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Tcpip\Parameters\DhcpNameServer

Rootkit.HiddenValue[at]0 HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{1B0ECA69-55CD-449B-B7BE-318E60614A3C}\Parameters\Tcpip\DhcpSubnetMaskOpt

Rootkit.HiddenValue[at]0 HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{1B0ECA69-55CD-449B-B7BE-318E60614A3C}\Parameters\Tcpip\DhcpDefaultGateway

However, Comodo was not able to clean them, and once I booted and tried again, the scan did not even find them anymore. Nor does a full scan reveal anything (also tried TDSSKiller).
The detection may have been a false positive. If the rootkit scanner works by comparing a raw read of the registry with an API read, and programs are actively writing to the registry, it will see a discrepancy and will report possible rootkit behaviour. Rootkit scans are best done with as few other programs running as possible because of this.

Please check with the Gmer rootkit scanner and let us know if it reports something potentially malicious. Please post a screenshot of the scan result.

Quote
A while later, this entry showed up in the system events viewer:

"The browser has forced an election on network
\Device\NetBT_Tcpip_{1B0ECA69-55CD-449B-B7BE-318E60614A3C} because a
master browser was stopped."

This entry has appeared frequently since then. It seems to appear whenever I go offline.
This is regular behaviour when multiple computers are on a network and set to share files, folders or printers. In that scenario one browser is the master browser. When you go offline and your computer was the master browser, the other computer(s) will respond to that.

Quote
Next up, under the Applications events log, there was a 'crypt32' entry saying that a third party certificate has been automatically updated from
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/91C6D6EE3E8AC86384E548C299295C756C817B81.crt>

And a second entry, with the same timestamp, saying the following certificate has been updated:

<CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only",
OU=Certification Services Division, O="thawte, Inc.", C=US> Sha1-signature:
<91C6D6EE3E8AC86384E548C299295C756C817B81>

Since then, when offline, there appear various error entries saying how a third party mainlist cannot be extracted from automatically updated Cab-file in the source;
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
This is normal Windows behaviour.

Quote
I then ran a scan with Malwarebytes Anti-Malware, which found a malware 'officekey.exe'. At the same time, CIS also detected it, among a couple other files in the same folder:

C:\DOCUMENTS AND SETTINGS\computer\LOCAL SETTINGS\Temp\RarSFX0\findkey.exe
C:\DOCUMENTS AND SETTINGS\computer\LOCAL SETTINGS\Temp\RarSFX0\officekey.exe
C:\DOCUMENTS AND SETTINGS\computer\LOCAL SETTINGS\Temp\RarSFX0\xpkey.exe

It quarantined them on the spot. However, a while later, after I booted, I got the notification that Windows did not pass the authentication test (which it had passed earlier the same day), so apparently the virus modified my license key.
Those files look like key generators when judging them by name only. They are usually not harmful but tend to get bundled with nasties. Are you using a legit Windows or an illegal version for which you need those types of programs? (I am not the police; I just want to know if you may have used such programs.)

Quote
I also noticed the following entries in setupapi.log in the Windows folder (my XP is not in English and I had to translate the following lines, so they may be inaccurate):

------------------------------------

[2012/09/02 02:17:16 1116.267]
#-198 Processed commandline: C:\WINDOWS\system32\svchost.exe -k netsvcs
#-166 Device installation function: DIF_PROPERTYCHANGE.
#I292 Device PCI\VEN_1106&DEV_3065&SUBSYS_30651849&REV_78\3&267A616A&0&90 properties are being changed.
#I300 DICS_DISABLE: Disabling device in profile (null).
[2012/09/02 02:17:35 1116.278]
#-198 Processed commandline: C:\WINDOWS\system32\svchost.exe -k netsvcs
#-166 Device installation function: DIF_PROPERTYCHANGE.
#I292 Device PCI\VEN_1106&DEV_3065&SUBSYS_30651849&REV_78\3&267A616A&0&90 properties are being changed.
#I296 DICS_ENABLE: Enabling device in profile (null).
[2012/09/02 02:19:10 1116.330]
#-198 Processed commandline: C:\WINDOWS\system32\svchost.exe -k netsvcs
#-166 Device installation function: DIF_PROPERTYCHANGE.
#I292 Device PCI\VEN_1106&DEV_3065&SUBSYS_30651849&REV_78\3&267A616A&0&90 properties are being changed.
#I300 DICS_DISABLE: Disabling device in profile (null).
[2012/09/02 02:26:53 1116.340]
#-198 Processed commandline: C:\WINDOWS\system32\svchost.exe -k netsvcs
#-166 Device installation function: DIF_PROPERTYCHANGE.
#I292 Device PCI\VEN_1106&DEV_3065&SUBSYS_30651849&REV_78\3&267A616A&0&90 properties are being changed.
#I296 DICS_ENABLE: Enabling device in profile (null).

------------------------------------

Is that normal?
This looks like regular under the hood behaviour: http://msdn.microsoft.com/en-us/library/windows/hardware/ff543712(v=vs.85).aspx .

Quote
Lastly, I'd like to ask a few things about CIS:
Is it normal to have "Allow system to send/receive requests if the target is in [Home #1]" under the Application and Global rules section,
That is normal. You would have gotten an alert about it and you would have answered that you trust your local network.
Quote
and is it normal for Privileged Ports to say "In [0 - 1023]"?
That's normal.

Quote
Is it also normal for Defense+ Trusted Files to include files without company name? There are a lot of \WINDOWS\ files without an apparent signature to them, including jscript.dll, netapi32.dll, rpcss.dll etc.?
The problem with signatures of Windows files is that they do not always show in the Properties tab of the file. You then need to use sigcheck to check their signatures.

I use a shell extension for sigcheck so I can right click and have a signature checked. Download this zip archive and unpack it to C:\Program Files\SysinternalsSuite\ . When done run sigcheck.reg to add it to the registry.

When this is done, navigate to the system32 folder, look up and select a system file, right click and choose Signature from the context menu. A black command box will pop up. See if it is signed or not.
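The reason jscript.dll, netapi32.dll and rpcss.dll show no Digital Signatures tab is that Windows signs most of its binaries through security catalogs (the .cat files in CatRoot that Hitman Pro listed) rather than embedding a signature in each file, and Explorer only shows embedded signatures. The script below checks a whole directory the way EricJH's per-file sigcheck context menu does, but in bulk and including catalog signatures. It is an added example written for this page, not the thread's own tool or Sysinternals code; it assumes Windows 8 / PowerShell 3.0 or later, where Get-AuthenticodeSignature consults the catalogs, and PowerShell 4.0 for Get-FileHash. On an XP machine the equivalent is the sigcheck command given in the comment.

```powershell
# Added example (not from the thread): find files under System32 whose
# signature does not verify, counting catalog-signed files as signed.
# Requires Windows 8+/PowerShell 4+. On XP use Sysinternals sigcheck instead:
#   sigcheck.exe -accepteula -e -s -u -h -i C:\Windows\System32
# (-u shows only unsigned files, -h prints hashes, -i names the catalog used).

param(
    [string]$Root = "$env:SystemRoot\System32",
    [string[]]$Include = @('*.exe', '*.dll', '*.sys')
)

$files = Get-ChildItem -Path $Root -Include $Include -Recurse -File -ErrorAction SilentlyContinue

$suspect = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    # Valid covers both embedded (Authenticode) and catalog signatures.
    if ($sig.Status -eq 'Valid') { continue }

    [pscustomobject]@{
        # Status values of interest: NotSigned, HashMismatch (file modified after
        # signing, what Hitman Pro calls "altered or corrupted since it was code
        # signed"), UnknownError (certificate chain cannot be built).
        Status        = $sig.Status
        SignatureType = $sig.SignatureType   # Authenticode, Catalog or None
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        # SHA-256 is what VirusTotal indexes on, so an unsigned file can be
        # looked up there without uploading it.
        SHA256        = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        Path          = $f.FullName
    }
}

if (-not $suspect) {
    Write-Host "All $($files.Count) files under $Root verified (embedded or catalog signature)."
} else {
    $suspect | Sort-Object Status, Path |
        Format-Table -AutoSize Status, SignatureType, Path, SHA256
}

# A quick sanity figure: on a healthy system almost everything under System32
# reports SignatureType Catalog, with only a handful of third-party drivers
# carrying embedded Authenticode signatures.
$files | ForEach-Object { (Get-AuthenticodeSignature -FilePath $_.FullName).SignatureType } |
    Group-Object | Select-Object Name, Count
```

Unsigned third-party drivers such as the ones TDSSKiller listed (ABIT-IO.sys, ALCXWD.sys and so on) will show up here as NotSigned; that on its own is normal for pre-Vista hardware drivers, so the hash lookup is what separates "old and unsigned" from "unknown and unsigned".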

Offline emanresuoseehc

  • Comodo Family Member
  • ***
  • Posts: 76
Re: Possibly an undetectable backdoor infection?
« Reply #6 on: September 03, 2012, 07:44:22 PM »
Thank you very much for the informative answer.

Quote
Please check with Gmer rootkit scanner and let it know if it reports something potentially malicious. Please post a screenshot of the scan result.

I checked with GMER, both for rootkit/malware and autostarts. Nothing was displayed in red, and the remaining entries are too numerous to fit into a single screenshot. I can upload the logfile if it's useful? However, as I said, nothing was displayed in red.

Quote
This is regular behaviour when multiple computer are on a network and set to share file,folder or printers. In that scenario one browser is the master browser. When you go off line and your computer was master browser the other computer(s) will respond to that.

But it's odd because I do not have file/printer sharing enabled, and many times when I have received the BROWSER entry in the event logs, my computer has been the only one connected in the network.

Quote
Those files look like key generators when only judging them by name. They are usually not harmful but tend to get bundled with nasties. Are you using a legit Windows or an illegal version for which you need those type of programs (I am not the police; I just want to know if you may be used such programs).

I actually do not know about my Windows' authenticity, as I received the computer from someone else who had already ran an XP installation. I was under the impression it was a legitimate Windows. It came with a license key sticker on the side of the computer also, and when I ran Windows updates, it downloaded a version verification tool which confirmed my copy of Windows was genuine. However, after Comodo quarantined the malware files (xpkey.exe, findkey.exe, and officekey.exe) Windows has notified me that my copy did not pass the authenticity test.

There are still two files in the RarSFX0 folder in which Comodo detected the malware: "chgxp.vbs" and "xpkey.log". The log file contains a license key, which is not the same one as on the license key sticker. Comodo, nor MBAM can detect anything in the chgxp.vbs file, though VirusTotal has something on it:
https://www.virustotal.com/file/00a3b8a2e8e04522ffd6955639a8f706b8955a4640744c53d05df517bbf147dc/analysis/1346715633/

So I'm wondering if it's possible that the application(s) somehow found its way, past CIS, to my hard drive shortly before being picked up by the scanners, and was able to run & modify my license key. Either that or the previous owner of the computer used the software to somehow pass the Windows validity test, and removing the files has now caused Windows to recognize this as a pirated copy. The latter case would seem a bit odd since the files were in the Temp folder, so they would have ended up getting sweeped sooner or later anyhow. However, looking at the properties, both the folder (RarSFX0) and the remaining two files in it were created a month ago, which according to system events logs seems to be the date on which XP was installed, so this would seem the more supported theory. Or is it common for malicious files to display a false creation/modification date?

Lastly, I noticed two new entries in the system events viewer:

"Source: Tcpip
Type: Warning
Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts."

and

"Source: atapi
Type: Error
Description:
The device, \Ide\IdePort0, did not respond within the timeout period."

Any ideas? The TCP/IP entry seems a bit worrying to me, and I noticed this on my other computer as well, after it started crashing. I do not use any P2P programs.

Edit: Due to the TCP/IP entry, I played around with Netstat -no when I was not connected to any websites, and it showed an IP (status TIME_WAIT) which when I access through a browser, shows me a page that says:

"Great Success !
Apache is working on your cPanel® and WHM™ Server

If you can see this page, then the people who manage this server have installed cPanel and WebHost Manager (WHM) which use the Apache Web server software and the Apache Interface to OpenSSL (mod_ssl) successfully. They now have to add content to this directory and replace this placeholder page, or else point the server at their real content."

What on earth is this? The same IP also seems to be linked with ghacks.net and deny.de.

Second edit: I did a localhost port scan with NMAP (nmap.org) and it indicated that the ports 135/tcp (service: msrpc) and 1025/tcp (service: NFS-or-IIS) were open. Other 998 ports were 'closed'. Why does Comodo's firewall leave those two ports open, and also, since I have opted to stealth all my ports, shouldn't all of them be hidden rather than be viewed as 'closed'?
« Last Edit: September 03, 2012, 09:38:28 PM by emanresuoseehc »

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 19560
Re: Possibly an undetectable backdoor infection?
« Reply #7 on: September 04, 2012, 05:29:07 PM »
Quote
Thank you very much for the informative answer.

I checked with GMER, both for rootkit/malware and autostarts. Nothing was displayed in red, and the remaining entries are too numerous to fit into a single screenshot. I can upload the logfile if it's useful? However, as I said, nothing was displayed in red.
With nothing in red you are in the clear.

Quote
But it's odd because I do not have file/printer sharing enabled, and many times when I have received the BROWSER entry in the event logs, my computer has been the only one connected in the network.
Please make sure that NETBIOS is disabled. Does your router have wireless and is it enabled or disabled?

Quote
I actually do not know about my Windows' authenticity, as I received the computer from someone else who had already ran an XP installation. I was under the impression it was a legitimate Windows. It came with a license key sticker on the side of the computer also, and when I ran Windows updates, it downloaded a version verification tool which confirmed my copy of Windows was genuine. However, after Comodo quarantined the malware files (xpkey.exe, findkey.exe, and officekey.exe) Windows has notified me that my copy did not pass the authenticity test.
May be the previous owner reinstalled Windows using another version than the version he bought with his computer.

Quote
There are still two files in the RarSFX0 folder in which Comodo detected the malware: "chgxp.vbs" and "xpkey.log". The log file contains a license key, which is not the same one as on the license key sticker. Comodo, nor MBAM can detect anything in the chgxp.vbs file, though VirusTotal has something on it:
https://www.virustotal.com/file/00a3b8a2e8e04522ffd6955639a8f706b8955a4640744c53d05df517bbf147dc/analysis/1346715633/
Most of the reports on VT are assessing it as riskware and not a virus. Riskware, for when this computer is used in a professional environment where one usually does not want illegal versions of Windows.

Quote
So I'm wondering if it's possible that the application(s) somehow found its way, past CIS, to my hard drive shortly before being picked up by the scanners, and was able to run & modify my license key. Either that or the previous owner of the computer used the software to somehow pass the Windows validity test, and removing the files has now caused Windows to recognize this as a pirated copy. The latter case would seem a bit odd since the files were in the Temp folder, so they would have ended up getting sweeped sooner or later anyhow. However, looking at the properties, both the folder (RarSFX0) and the remaining two files in it were created a month ago, which according to system events logs seems to be the date on which XP was installed, so this would seem the more supported theory.
I think the previous owner put these files on your computer and that was before CIS was ever installed. It is not necessarily difficult to let those files return after they are deleted. There needs to be an application running in memory which will monitor and put those files back after they got deleted.

A variation on this technique was found years ago by accident where a virus would stay in memory and would write itself back to the hd before Windows closed, set an autostart key, boot with Windows, remove the file from the drive and the autostart from the registry. That way it was very hard to find.

Quote
Or is it common for malicious files to display a false creation/modification date?
Not to my knowledge

Quote
Lastly, I noticed two new entries in the system events viewer:

"Source: Tcpip
Type: Warning
Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts."
SP2 brought a limitation to the amount of concurrent TCP connections which is a bit tight. There is a well-known hack to make that limit less tight.

Quote
"Source: atapi
Type: Error
Description:
The device, \Ide\IdePort0, did not respond within the timeout period."
A problem with CD or DVD drive.

Quote
Any ideas? The TCP/IP entry seems a bit worrying to me, and I noticed this on my other computer as well, after it started crashing. I do not use any P2P programs.
The limit imposed by SP2 was on the tight side of the spectrum. It is not something that worries me.

Quote
Edit: Due to the TCP/IP entry, I played around with Netstat -no when I was not connected to any websites, and it showed an IP (status TIME_WAIT) which when I access through a browser, shows me a page that says:

"Great Success !
Apache is working on your cPanel® and WHM™ Server

If you can see this page, then the people who manage this server have installed cPanel and WebHost Manager (WHM) which use the Apache Web server software and the Apache Interface to OpenSSL (mod_ssl) successfully. They now have to add content to this directory and replace this placeholder page, or else point the server at their real content."

What on earth is this? The same IP also seems to be linked with ghacks.net and deny.de.
What was the IP address and what process was connected to it?

Quote
Second edit: I did a localhost port scan with NMAP (nmap.org) and it indicated that the ports 135/tcp (service: msrpc) and 1025/tcp (service: NFS-or-IIS) were open. Other 998 ports were 'closed'. Why does Comodo's firewall leave those two ports open, and also, since I have opted to stealth all my ports, shouldn't all of them be hidden rather than be viewed as 'closed'?
Did you run the test from your computer scanning your computer? If that is the case then it may see those ports as being open. But it does not see that the firewall would be blocking the incoming traffic, so the program would not be responding to it.

This type of test is best done from another computer on your local network.


Offline emanresuoseehc

  • Comodo Family Member
  • ***
  • Posts: 76
Re: Possibly an undetectable backdoor infection?
« Reply #8 on: September 04, 2012, 11:25:07 PM »
Quote
Please make sure that NETBIOS is disabled.

I checked. "Use NetBIOS settings from the DHCP server" was selected. I disabled it. However, I've read that that only disables the NetBIOS Session service that listens on TCP port 139. Should the entire netbt.sys be disabled entirely through System Tools? I tried that out of curiosity, and once I had disabled it and rebooted, I was no longer able to connect online (it fetches for a network address forever), and system events viewer had entries about DHCP-client and TCP/IP NetBIOS Helper being dependent on NetBIOS over TCP/IP. I had to enable it to be able to connect again.

As I was disabling the service, in the non-plug & play devices section I also saw Remote Access Auto Connection device (RasAcd.sys), Remote Access IP ARP Driver (Wanarp.sys), Remote Access NDIS TAPI Driver (NdisTapi.sys), RDPCDD, each of them running. Also services such as Null.sys and NDProxy.sys. The start-up rule for NDProxy.sys, Wanarp.sys and NdisTapi.sys were set as 'when required', yet they are always running, from the moment I sign on to Windows. For RasAcd.sys, the start-up rule is specified as 'System'.

Autoruns also shows a lot of references to remote connection related services (under hklm\system\currentcontrolset\services), such as Rasirda, Rasl2tp, RasPppoe, Raspti etc. Is this normal? I have
checked the signatures on them and they seem legit, but why do I have so many remote connection services showing up?

Additionally I found a service called Irmon (Infrared monitor) running, and irenum.sys file under system32/drivers. I find it odd to have this service on my system, since I was under the impression it is mostly for laptops? VirusTotal shows it's clean, nonetheless.

What would you recommend as the next step to ruling out the possibility of a virus/remote control here? Do the appearance of these services seem suspicious to you? Has the "Use NetBIOS settings from the DHCP server" option placed my system in jeopardy?

By the way, I need to correct myself on something I said earlier: through checking the network settings, file & printer sharing was indeed enabled, though I have had no folders or files (to my knowledge) shared. Nonetheless, I have disabled it now.

Quote
Does your router have wireless and is it enabled or disabled?

My router* does have wireless and it has been enabled (I disabled Wifi yesterday though), but my computer has no way of connecting to a wireless network anyhow, so I don't see how it would be able to detect it and run services based on that. Today I noticed through services.msc that "Wireless Zero Configuration" (wzcsvc.dll) was running. I have disabled it now. I also noticed Dot3svc (Wired AutoConfig) in the services list. Both services seem to be related to an IEEE 802.1X authentication. I wonder how I can check whether these are genuinely related to my modem?

*I have read that if ipconfig shows your IP address to begin with a 192.168, it should mean you're behind a router firewall. Also, amibehindnat.com says I'm behind NAT. However, the provider of my router/modem has claimed it does not have NAT protection or at least is not turned on by default, so I'm confused.

Quote
A problem with CD or DVD drive.

Hmm. From what I can remember I was not using the CD/DVD drive anywhere even near that time, though.

Quote
What was the IP address and what process was connected to it?

The IP-address was 96.30.22.116:80. The PID was 0. From looking at taskmanager, only System Idle Process used PID 0, from what I recall.

Quote
Did you run the test from your computer scanning your computer? If that is the case then it may see that ports being open. But  it does not see the firewall would be blocking the incoming traffic so the program would not be responding to it.

Ah. That is indeed how I ran it. So those two ports being displayed as open should not be something to worry about? Would you recommend any (free) websites that can run reliable port tests?

Additionally, would you happen to know why Defense+ shows entries of jusched.exe (Java) trying to modify the registry key \Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable ? I was not making any changes to Java's settings, nor have I ever meddled with any kind of proxy settings and I was offline when these entries showed up (they showed up just after starting Windows).

Thank you very much for the helpful answers & links.

Edit: Apologies for making these such long posts and jumping all over the place, but I had a question about CIS:

Regarding the firewall's network security policy, under the global rules section I have a "Block and log IP In from MAC any to MAC any where protocol is any". I keep having to tick the "Log as a firewall event if this rule is fired" checkbox on a regular basis, as it seems to be getting unticked on its own. Is it supposed to get unchecked after rebooting or something? Seems odd.

In addition, I've noticed that when starting Windows, CIS takes about 2 or 3 minutes to 'initialize'. I was just wondering, wouldn't that 2 or 3 minutes in theory give time for someone to possibly scan your ports and try to gain access to your system, and if you were to have malicious applications on your computer, would they not be able to execute before CIS has finished initializing?
« Last Edit: September 05, 2012, 09:08:15 PM by emanresuoseehc »
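The two netstat questions in the posts above (why a TIME_WAIT entry shows PID 0, and whether the "concurrent TCP connect attempts" warning is close) can be answered from a saved `netstat -ano` listing. The following Python script is an added example, not code from the thread or from Comodo: the listing it parses is constructed (documentation-range addresses), the 10-connection figure is the XP SP2 half-open limit behind event 4226, and the column layout assumed is the one `netstat -ano` prints on Windows.

```python
"""Added example: triage a saved `netstat -ano` listing from a Windows host.

Not part of the original thread; the sample listing below is constructed.
It answers two questions raised here: why a TIME_WAIT socket shows PID 0,
and how close the machine is to the XP SP2 limit on concurrent outbound
connection attempts that produces the "Tcpip" 4226 warning. It also lists
LISTENING ports, which a scan of 127.0.0.1 will always report as open
because loopback traffic never passes the host firewall's inbound rules.
"""
import re
from collections import Counter

# XP SP2 caps concurrent half-open outbound TCP connections (state SYN_SENT)
# at 10; further attempts queue and the Tcpip source logs event 4226.
XP_SP2_HALF_OPEN_LIMIT = 10

# Constructed sample (documentation-range addresses), not the poster's output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1236
  TCP    192.168.1.10:1043      203.0.113.7:80         TIME_WAIT       0
  TCP    192.168.1.10:1044      203.0.113.7:80         TIME_WAIT       0
  TCP    192.168.1.10:1045      198.51.100.20:443      ESTABLISHED     1480
  TCP    192.168.1.10:1050      198.51.100.21:80       SYN_SENT        1480
  TCP    192.168.1.10:1051      198.51.100.22:80       SYN_SENT        1480
  TCP    192.168.1.10:1052      198.51.100.23:80       SYN_SENT        1480
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.1.10:137       *:*                                    4
"""

# UDP rows have no State column, hence the optional group.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")


def parse_netstat(text):
    """Return one dict per socket row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state or "", "pid": int(pid)})
    return rows


def half_open_attempts(rows):
    """Outbound connects still waiting for a SYN-ACK."""
    return sum(1 for r in rows if r["proto"] == "TCP" and r["state"] == "SYN_SENT")


def near_half_open_limit(rows, limit=XP_SP2_HALF_OPEN_LIMIT):
    return half_open_attempts(rows) >= limit


def listening_ports(rows):
    """TCP ports with a listener. A scan run on the machine itself reports
    these as open regardless of firewall rules; only a scan from another
    host on the LAN (or from the WAN side) tests what the firewall blocks."""
    return sorted({int(r["local"].rsplit(":", 1)[1])
                   for r in rows if r["proto"] == "TCP" and r["state"] == "LISTENING"})


def closed_by_remote(rows):
    """TIME_WAIT sockets grouped by remote endpoint. The owning process has
    already closed them, so netstat shows PID 0; the stack keeps the entry
    for 2*MSL. To learn which program opened them, match the remote address
    and time against the firewall's connection log, not netstat."""
    return dict(Counter(r["remote"] for r in rows if r["state"] == "TIME_WAIT"))


def triage(text):
    rows = parse_netstat(text)
    return {
        "listening_tcp": listening_ports(rows),
        "half_open": half_open_attempts(rows),
        "at_sp2_limit": near_half_open_limit(rows),
        "recently_closed": closed_by_remote(rows),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_NETSTAT).items():
        print(f"{key}: {value}")
```

Run it against a real capture with `netstat -ano > netstat.txt` and `triage(open("netstat.txt").read())`. The 135/tcp and 1025/tcp findings from the localhost nmap scan correspond to the LISTENING rows here; whether they are reachable from outside is a question only a scan from a second machine answers.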

Offline emanresuoseehc

  • Comodo Family Member
  • ***
  • Posts: 76
Re: Possibly an undetectable backdoor infection?
« Reply #9 on: September 05, 2012, 07:56:45 PM »

Hey Eric, sorry to jump back and forth between subjects, but I have an update on the other PC that kept crashing until it was no longer able to boot or install Windows:

I managed to get it to boot by unplugging & plugging back in all hard drives. I ran the short test from WinDiag as you suggested, and everything seemed fine. I will be running extended tests on it tonight and will post the results tomorrow.

The system has been running for several hours now without the freeze issue. However, when I tried to run SeaTools, it immediately rebooted and I could hear one of the hard drives turn off. It went completely silent, and then a few seconds later it turned back on again.

System events viewer shows some interesting entries:

Event ID: 36 Source: WinMgmt
Source: WinMgmt
Type: Warning
Description:
WMI ADAP was unable to load the Spooler performance library because it returned an invalid return code: 0x80041001

Event ID: 5603 Source: WinMgmt
Source: WinMgmt
Type: Error
Description:
A provider Rsop Planning Mode Provider has been registered in the WMI namespace root\RSOP but did not specify the  HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the  provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has  been reviewed for security behavior and update the HostingModel property of the provider registration to an account  with the least privileges possible for the required functionality.

Event ID: 63 Source: WinMgmt
Source: WinMgmt
Type: Error
Description:
A provider, cmdtriggerconsumer, has been registered in the WMI namespace, root\cimv2, to use the LocalSystem  account. This account is privileged and the provider may cause a security violation if it does not correctly  impersonate user requests.

Event ID: 11 Source: Disk
Source: Disk
Type: Error
Description:
The driver detected a controller error on \Device\Harddisk0\DR0
 
Event ID: 7035 Source: service control manager
Source: Service Control Manager
Type: Information
Description:
The hqzpea service was successfully sent a start control.

(couldn't find anything about hqzpea, and it didn't show up on Autoruns etc. What on earth is this?)

Now, speaking of Autoruns, it also showed a file that could no longer be found, named "Xvkuxmkv.sys" Can't find any information on this either.

I also noticed that "hklm\system\currentcontrolset\services\" included services such as: lanmanserver, lanmanworkstation, lmhosts, mnmsrvc, rasauto, remoteregistry, rpcss, and termservice. Is this normal? That is a lot of remote connection related services.

"hklm\system\currentcontrolset\control\networkprovider\order" also included lanmanworkstation, rdpnp and webclient.

Now here's the most puzzling part for me: Last week, about one day before my PC became unbootable, I had ran a Repair installation of XP. It seemed to reset some of the service settings that I had altered earlier (for example, after I had noticed RasMan and Telephony running, I disabled them). Telephony remains disabled still, but RasMan is now enabled. System events viewer shows error entries of RAS trying to run almost exactly every 5 minutes (sometimes there are a couple entries under one minute), but is unable to because it depends on Telephony which has been disabled. Would this point to a trojan? How do I find out what is trying to get RasMan to run all the time? I should mention that these entries appear even with no internet connection.

Just in case it might prove useful, I'll post a list of all the log entries I get when booting (I'll leave out the event ID's etc from some of them, to keep the post a little shorter):

Event ID: 7026 Source: Service Control Manager
Source: Service Control Manager
Type: Error
Description:
The following boot-start or system-start driver(s) failed to load: tffsmon, tffsysmon (both are connected to PC Tools' ThreatFire Filesystem Monitor, I believe. Something that I have uninstalled a long time ago)

NLA (Network Location Awareness) was started.

Event ID: 3100 Source: Tcpip6
Source: Tcpip6
Type: Information
Description:
The Microsoft IPv6 Developer Edition driver was started.

TermService was started.

Fast User Switching Compatibility was started.

ALG was started.

RAS could not start because it depends on service Telephony.

Imapi was started.

SSDP was started.


Also, this entry appeared in the logs once:

Event ID: 4609 Source: EventSystem
Source: EventSystem
Type: Error
Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706ba from line 62  of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to  report this error.

According to some sources, the error code would point to W32.BLASTER.COM virus. But I've ran scans with up-to-date CAV, MBAM, HitmanPro and SuperAntiSpyware. You would think at least one of them would detect it.

Any ideas?
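Two things in the post above lend themselves to a scripted check: service start events for names nobody recognises (tgptya, hqzpea), and a dependency failure that recurs on a fixed interval (RasMan every five minutes). The following Python script is an added example and not code from the thread; its input is a constructed, simplified tab-separated export (timestamp, source, event ID, description), not an exact Event Viewer export, and the service names in the sample are made up. The consonant-run heuristic is a triage hint, not a verdict: event 7035 carries the service's display name, so a bare short name means the service was registered without one, and some legitimate tools do exactly that (GMER loads its driver under a random service name), so a hit means "find out what registered this", checked against the Autoruns entry and the binary's signature.

```python
"""Added example: triage a text export of the System event log for the two
patterns discussed in this thread: short random-looking service names in
Service Control Manager start events, and a service-dependency failure that
recurs on a fixed period.

Not part of the original thread. The export format (timestamp, source,
event ID, description, tab-separated) is a simplified constructed layout,
not an exact Event Viewer export; adapt parse_events() to the real columns.
"""
import re
from datetime import datetime
from statistics import median

SCM = "Service Control Manager"
RAS_FAIL = ("The Remote Access Connection Manager service depends on the Telephony "
            "service which failed to start because of the following error: The service "
            "cannot be started, either because it is disabled or because it has no "
            "enabled devices associated with it.")

# Constructed sample; names and times are made up, not the poster's log.
SAMPLE_EVENTS = "\n".join("\t".join(row) for row in [
    ("2012-09-05 18:00:01", SCM, "7035", "The Remote Access Connection Manager service was successfully sent a start control."),
    ("2012-09-05 18:00:01", SCM, "7001", RAS_FAIL),
    ("2012-09-05 18:00:05", SCM, "7035", "The Print Spooler service was successfully sent a start control."),
    ("2012-09-05 18:01:12", SCM, "7035", "The tgptya service was successfully sent a start control."),
    ("2012-09-05 18:03:10", SCM, "7035", "The hqzpea service was successfully sent a start control."),
    ("2012-09-05 18:03:40", SCM, "7036", "The hqzpea service entered the stopped state."),
    ("2012-09-05 18:05:01", SCM, "7035", "The Remote Access Connection Manager service was successfully sent a start control."),
    ("2012-09-05 18:05:01", SCM, "7001", RAS_FAIL),
    ("2012-09-05 18:10:02", SCM, "7001", RAS_FAIL),
    ("2012-09-05 18:15:01", SCM, "7001", RAS_FAIL),
    ("2012-09-05 18:20:00", "Tcpip", "4226", "TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts."),
])

# Partial allow-list of legitimate short names that would otherwise trip the
# consonant-run heuristic; extend it from `sc query` on a machine known clean.
KNOWN_SHORT_NAMES = {"cryptsvc", "wscsvc", "ntlmssp", "stisvc", "rpcss",
                     "lanmanserver", "lanmanworkstation", "dcomlaunch"}

START_CONTROL = re.compile(r"^The (.+?) service was successfully sent a start control\.")
DEPENDS_FAILED = re.compile(r"^The (.+?) service depends on the (.+?) service which failed to start")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxyz]{4,}")


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, source, event_id, desc = line.split("\t", 3)
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "source": source, "id": int(event_id), "desc": desc})
    return sorted(events, key=lambda e: e["time"])


def looks_generated(name):
    """Heuristic only: short, all-letter name with a run of four or more
    consonants, and not on the allow-list. Display names contain spaces and
    therefore never match; a bare short name means no display name."""
    n = name.lower()
    if n in KNOWN_SHORT_NAMES or not n.isalpha() or not 5 <= len(n) <= 8:
        return False
    return CONSONANT_RUN.search(n) is not None


def flagged_service_starts(events):
    hits = []
    for e in events:
        if e["source"] != SCM or e["id"] != 7035:
            continue
        m = START_CONTROL.match(e["desc"])
        if m and looks_generated(m.group(1)):
            hits.append((e["time"], m.group(1)))
    return hits


def dependency_failure_period(events, service, tolerance=0.2):
    """If `service` keeps failing on its dependency at a steady interval,
    return that interval in seconds, else None. A steady period points at a
    timer-driven caller (a scheduled task, an application's auto-dial, a WMI
    consumer) asking the SCM to start it; Process Monitor around one of the
    timestamps shows which process issued the start request."""
    times = []
    for e in events:
        if e["source"] != SCM or e["id"] != 7001:
            continue
        m = DEPENDS_FAILED.match(e["desc"])
        if m and m.group(1) == service:
            times.append(e["time"])
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    period = median(gaps)
    if period > 0 and all(abs(g - period) <= tolerance * period for g in gaps):
        return period
    return None


def triage(text):
    events = parse_events(text)
    return {
        "random_looking_starts": flagged_service_starts(events),
        "ras_retry_period_s": dependency_failure_period(events, "Remote Access Connection Manager"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The allow-list matters: real XP services such as cryptsvc and wscsvc have consonant runs just as long as the made-up names, so without it the heuristic produces noise. On the sample the script flags the two bare names and reports a 300-second retry period for the RAS start attempts.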

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 19560
Re: Possibly an undetectable backdoor infection?
« Reply #10 on: September 06, 2012, 05:32:10 PM »
I checked. "Use NetBIOS settings from the DHCP server" was selected. I disabled it. However, I've read that that only disables the NetBIOS Session service that listens on TCP port 139. Should the entire netbt.sys be disabled entirely through System Tools? I tried that out of curiosity, and once I had disabled it and rebooted, I was no longer able to connect online (it fetches for a network address forever), and system events viewer had entries about DHCP-client and TCP/IP NetBIOS Helper being dependent on NetBIOS over TCP/IP. I had to enable it to be able to connect again.

As I was disabling the service, in the non-plug & play devices section I also saw Remote Access Auto Connection device (RasAcd.sys), Remote Access IP ARP Driver (Wanarp.sys), Remote Access NDIS TAPI Driver (NdisTapi.sys), RDPCDD, each of them running. Also services such as Null.sys and NDProxy.sys. The start-up rule for NDProxy.sys, Wanarp.sys and NdisTapi.sys were set as 'when required', yet they are always running, from the moment I sign on to Windows. For RasAcd.sys, the start-up rule is specified as 'System'.
Please don't mess with Non Plug and Play devices section. There are numerous Windows system drivers there as well.

Quote
Autoruns also shows a lot of references to remote connection related services (under hklm\system\currentcontrolset\services), such as Rasirda, Rasl2tp, RasPppoe, Raspti etc. Is this normal? I have
checked the signatures on them and they seem legit, but why do I have so many remote connection services showing up?
On my clean Win 7 also various Ras*** services show up. Nothing to worry about. Windows has a lot of underlying services and drivers to be able to facilitate various network connections.

Quote
Additionally I found a service called Irmon (Infrared monitor) running, and irenum.sys file under system32/drivers. I find it odd to have this service on my system, since I was under the impression it is mostly for laptops? VirusTotal shows it's clean, nonetheless.
Windows has a lot of services and drivers to be able to service a wide range of computers.

Quote
What would you recommend as the next step to ruling out the possibility of a virus/remote control here? Do the appearance of these services seem suspicious to you? Has the ""Use NetBIOS settings from the DHCP server" option placed my system in jeopardy?
No next step.

Quote
By the way, I need to correct myself on something I said earlier: through checking the network settings, file & printer sharing was indeed enabled, though I have had no folders or files (to my knowledge) shared. Nonetheless, I have disabled it now.

Quote
My router* does have wireless and it has been enabled (I disabled Wifi yesterday though), but my computer has no way of connecting to a wireless network anyhow, so I don't see how it would be able to detect it and run services based on that. Today I noticed through services.msc that "Wireless Zero Configuration" (wzcsvc.dll) was running. I have disabled it now. I also noticed Dot3svc (Wired AutoConfig) in the services list. Both services seem to be related to a IEEE 802.1X authentication. I wonder how do I check if these are genuinely related to my modem?
Windows has numerous services running in the background that are not always needed. There are several lists on the web which list services that can be disabled.

Quote
*I have read that if ipconfig shows your IP address to begin with a 192.168, it should mean you're behind a router firewall. Also, amibehindnat.com says I'm behind NAT. However, the provider of my router/modem have claimed it does not have NAT protection or at least is not turned on by default, so I'm confused.
You have a router in your set up. Either it is integrated with the modem or as a separate box. If you only have one box then the support people had it wrong.

Quote
Hmm. From what I can remember I was not using the CD/DVD drive anywhere even near that time, though.
When opening Explorer, Windows will iterate over all drives and ATAPI devices. It can then find a problem communicating with a CD or DVD player. I have three hard drives, and when one or two are sleeping and an instance of Explorer starts, that will delay it for a second because the hard drives start spinning up until they are ready and talking to Explorer.

Quote
The IP-address was 96.30.22.116:80. The PID was 0. From looking at taskmanager, only System Idle Process used PID 0, from what I recall.

Quote
Ah. That is indeed how I ran it. So those two ports being displayed as open should not be something to worry about? Would you recommend any (free) websites that can run reliable port tests?
Nothing to worry about. When using a website like the one from Gibson Research you will be probing your router and not your computer's firewall. Believe me, CIS will stealth you. If you insist on testing you need to set your router to put your computer outside the local network and have it face the web directly. That is often called Demilitarised Zone (DMZ) or exposed host in router language. That is too much effort for a firewall that is known to be stealth.

Quote
Additionally, would you happen to know why Defense+ shows entries of jusched.exe (Java) trying to modify the registry key \Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable ? I was not making any changes to Java's settings, nor have I ever meddled with any kind of proxy settings and I was offline when these entries showed up (they showed up just after starting Windows).
That is regular behaviour.

Quote
Thank you very much for the helpful answers & links.
There is a lot to learn about your computer and what goes on underneath the hood of Windows.

Quote
Edit: Apologies for making these such long posts and jumping all over the place, but I had a question about CIS:

Regarding the firewall's network security policy, under the global rules section I have a "Block and log IP In from MAC any to MAC any where protocl is any". I keep having to tick the "Log as a firewall event if this rule is fired" checkbox on a regular basis, as it seems to be getting unticked on its own. Is it supposed to get unchecked after rebooting or something? Seems odd.
Not sure what is causing this but it should not happen.

Quote
In addition, I've noticed that when starting Windows, CIS takes about 2 or 3 minutes to 'initialize'. I was just wondering, wouldn't that 2 or 3 minutes in theory give time for someone to possibly scan your ports and try to gain access to your system, and if you were to have malicious applications on your computer, would they not be able to execute before CIS has finished initializing?
Since SP2 of XP the network connection gets opened very late in the boot process when your firewall has already started to work.

I want to go back to the initial problem. You had a question about your freezing computer. Event viewer pointed towards hard drive problems. Bad sectors or whatever was happening. You also stated you had hd problems in the past sometimes even taking refuge in repair installation of Windows.

When hard disks start failing it may be the beginning of the end. If bad sectors get found fix them and if they keep coming back then your hd is probably on the way to the grave yard.

Next step is you start worrying that a trojan or virus is causing the instability. Starting from that perspective you see some network services are running that might indicate the presence of malware. Various scanners show no malware present.

Further investigation under the hood of Windows show that there is a lot happening that most people are not aware of but nothing pertinent that would indicate presence of malware.

I would suggest to focus on the apparent hard drive failures happening. Run the disk analysis tool from the hd manufacturer's web site and see what it can fix. Also run Windows checkdisk, run chkdsk /r from the command prompt, on all partitions. See if bad sectors are found.
« Last Edit: September 06, 2012, 05:36:52 PM by EricJH »

Offline emanresuoseehc

  • Comodo Family Member
  • ***
  • Posts: 76
Re: Possibly an undetectable backdoor infection?
« Reply #11 on: September 07, 2012, 06:26:29 PM »
Quote
The IP-address was 96.30.22.116:80. The PID was 0. From looking at taskmanager, only System Idle Process used PID 0, from what I recall.

Before we go back into the initial problem, I'd like to ask if you had something to address the above comment with? Since you quoted it but I didn't see an actual reply to it.

Quote
I would suggest to focus on the apparent hard drive  failures happening. Run disk analysis tool from the hd manufacturer's web site and see what it can fix. Also run Windows checkdisk, run chkdsk /r from the command prompt, on all partitions. See if bad sectors are found.

Ok, I was able to run SeaTools. First I ran S.M.A.R.T tests and short generic tests on two of my drives. The secondary one it found problems on (note that this was a hard drive that was plugged in when I first started getting those odd crashes/freezes, but even once it was unplugged, they continued to occur), but my main disk (which has the OS installed on) was found clean. I then ran a full generic test on my main disk which took over 10 hours, and it once again found nothing wrong. I then ran WinDiag for a couple of hours, I believe it ran about 14 rounds of extensive tests. No problems reported.

Then, I tried to run chkdsk /r. It couldn't run it because 'the volume is in use', and it asked if I want to perform it upon the next boot. I chose yes, and rebooted. However, nothing happened. Chkdsk was not initiated at any point. I then manually tried to run it again and did the same thing, rebooted, nothing. I then ran just chkdsk (without /r) and it reported errors and would not finish past the 1st of 3 scans. I figured I'd try to run it in safemode and that's when the old problems came in again: it would not boot to Windows, but it got stuck at the screen after it's done loading drivers and before the log-on screen is supposed to come. Now it would not start in normal mode either, it gets stuck at the Windows logo screen (or technically I have disabled bootscreen so I just see a line blinking at the top left of the screen). It stays in this screen forever, but I can hear constant activity on the hard drives.

After trying about 4 more times, it finally loaded Windows, I logged in on my account and immediately saw an error message: SAS window: winlogon.exe - Corrupt folder or file. C:\$Mft is corrupt and unreadable. Please run the chkdsk utility."

A few seconds later, the familiar freeze occurred. After this I was not able to get to Windows anymore, and I used the XP install CD to get to the Recovery console, in which I was able to run chkdsk /r. It found one or more errors and fixed them. But I still wasn't able to boot to Windows, in normal nor safe mode. I eventually tried "Start Windows with the last known good configuration", and it worked. I checked system events viewer to see more about the error message I received earlier, and it said:

Source: Application Popup
ID: 26
Description: Application popup: SAS window: winlogon.exe - Corrupt file :
The file or folder C:\$Mft is corrupt and unreadable. Please run the chkdsk utility.

In addition to that, there was another application popup entry:

Source: Application Popup
ID: 26
Description: Application popup: msnmsgr.exe - Corrupt file :
The file or folder C:\$Mft is corrupt and unreadable. Please run the chkdsk utility.

There was also an entry, timed right upon booting after having run chkdsk /r, under the application events:

"Inspecting drive \DosDevices\C: file system.
File system type is NTFS.
Device is faulty.
File 0x12238 index $130 indexbitmap is not compatible or it is missing.
Fixing errors of file 74296 at index $130"

followed by a long list of code etc. And pardon, I had to translate the above, as I couldn't find an English equivalent.

Just to be sure, I ran chkdsk (without /r) again, and it showed no errors. While I was running the chkdsk, and wasn't doing anything else, Defense+ alerted me that msnmgr.exe was trying to install a global hook to msnmsgr.exe. Not sure why it would do that out of the blue.

The computer has been running now for a couple of hours without experiencing crashes or freezes. However, RasMan is still trying to run every 5 minutes. I was able to find out that whenever RasMan tries to run, at the exact same time (precisely down to the seconds), my wbemess.log (in system32\wbem\logs) is modified. It says "could not retrieve sid, 0x80041002". A couple of times it has said "unable to load event provider 'prevx.aveventprovider' in namespace '//./ROOT/Securitycenter' : 0x80041013."
Prevx is a security software that I used years ago, if I recall right.
Other entries included "Dropping event destined for event consumer NTEventLogEventConsumer="SCM Event Log Consumer" in namespace //./root/subscription".

With Procmon I was able to find out as much that wmiprvse.exe seems to be timed with the RasMan entries.

And before I forget, I'll throw this out here to provide as much info as possible for solving this issue:
I have 3 hard drives. Before I started getting these crashes initially, my 2nd hard drive was posing problems in that I could not boot to Windows if I had it plugged in. It would say something like "Startup error. Press CTRL + ALT + DEL". This was my drive "D", and I believe there were some mentions of a drive D in the error entries in the system event viewer. My third drive still 'works', but that is the one that both CrystalDiskInfo and SeaTools reported severe problems on. This was a drive that was plugged in during the first crash that I reported about here. It seems likely that at least two of my three hard drives are failing. That, however, does not explain why I experienced the crashes & freezes & the errors regarding C:\$Mft afterwards even with just my main drive plugged in, and SeaTools found nothing wrong with that drive.

So what's the next step?
« Last Edit: September 07, 2012, 06:31:50 PM by emanresuoseehc »
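Added example (not from the original post, Comodo or Microsoft): a small Python script that does the timestamp correlation described above programmatically, pairing each SCM "start control" event for the Remote Access Connection Manager service with wbemess.log lines written within a couple of seconds, and measuring the interval between successive starts so a fixed period (such as 5 minutes) stands out. The event-log export layout and the wbemess.log line layout are assumptions, and all sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample System event log export ("date time,source,id,message"; assumed format).
EVENT_LOG = """\
2012-09-07 14:05:01,Service Control Manager,7035,The Remote Access Connection Manager service was sent a start control.
2012-09-07 14:07:30,Service Control Manager,7036,The Print Spooler service entered the running state.
2012-09-07 14:10:01,Service Control Manager,7035,The Remote Access Connection Manager service was sent a start control.
2012-09-07 14:15:01,Service Control Manager,7035,The Remote Access Connection Manager service was sent a start control.
"""
# Constructed sample wbemess.log lines; the "(Day Mon DD HH:MM:SS YYYY.micro) : msg" layout is assumed.
WBEM_LOG = """\
(Fri Sep 07 14:05:01 2012.1234567) : could not retrieve sid, 0x80041002
(Fri Sep 07 14:08:15 2012.1234890) : Dropping event destined for event consumer NTEventLogEventConsumer="SCM Event Log Consumer" in namespace //./root/subscription
(Fri Sep 07 14:10:01 2012.1235001) : unable to load event provider 'prevx.aveventprovider' in namespace '//./ROOT/Securitycenter' : 0x80041013
(Fri Sep 07 14:15:02 2012.1235500) : could not retrieve sid, 0x80041002
"""
WBEM_RE = re.compile(r"^\((\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\.\d+\) : (.*)$")

def parse_events(text):
    """Return (timestamp, event_id, message) tuples from the exported event lines."""
    out = []
    for line in text.splitlines():
        when, _source, event_id, message = line.split(",", 3)
        out.append((datetime.strptime(when, "%Y-%m-%d %H:%M:%S"), int(event_id), message))
    return out

def parse_wbem(text):
    """Return (timestamp, message) tuples from wbemess.log lines that match the assumed layout."""
    out = []
    for line in text.splitlines():
        m = WBEM_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y"), m.group(2)))
    return out

def correlate(events, wbem, service, window=2):
    """Pair each SCM 7035 'start control' event for `service` with wbemess.log lines within `window` seconds."""
    tol = timedelta(seconds=window)
    hits = []
    for when, event_id, message in events:
        if event_id == 7035 and service in message:
            hits.append((when, [msg for t, msg in wbem if abs(t - when) <= tol]))
    return hits

def start_intervals(events, service):
    """Seconds between successive start controls for `service`; a constant value points at a timer or scheduled trigger."""
    starts = [t for t, eid, msg in events if eid == 7035 and service in msg]
    return [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]
```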

Offline emanresuoseehc
Re: Possibly an undetectable backdoor infection?
« Reply #12 on: September 08, 2012, 06:01:33 PM »
Today I also received the SystemEvent error entry on my other computer...

"The COM+ Event System detected a bad return code during its internal processing. HRESULT was 800706BA from line 62 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp Please contact Microsoft Product Support Services to report this error."

Any idea what this is?
« Last Edit: September 08, 2012, 06:38:45 PM by emanresuoseehc »
