A process in my computer has tried to access the disk and keyboard directly and Explorer.exe in memory. The process doesn’t always behave in this way and it’s not needed for its duty. I’ve noticed it and blocked this behaviour using Comodo Internet Security, and the program runs flawlessly.
I suspect I may have a trojan/rootkit that can insert malicious code into the working memory of any process when it’s executed. This has happened to me before when using other clean programs with MD5 and SHA hashes verified in VirusTotal.
It also can affect program setup files when launched from writable media (executing them from read-only media like DVDs seems to be safe). Maybe the trojan/rootkit can replace the setup file when I click its icon to execute it.
Where could I upload the DMP file of the affected process? It’s too large for an attachment (about 73 MB in size).
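The hash check mentioned in this post, extended into a small baseline-and-verify script that records installer hashes once (so the baseline can be kept on read-only media) and reports any installer that was replaced, removed or added before it is launched. This is an added example, not code from the thread; the installer names and contents in `demo()` are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream the file so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(folder: Path, patterns=("*.exe", "*.msi")) -> dict:
    """Map installer name -> sha256/size for every installer in folder."""
    baseline = {}
    for pattern in patterns:
        for p in sorted(folder.glob(pattern)):
            baseline[p.name] = {"sha256": sha256_of(p), "size": p.stat().st_size}
    return baseline

def verify(folder: Path, baseline: dict) -> dict:
    """Re-hash the folder and classify each installer against the baseline."""
    result = {"ok": [], "changed": [], "missing": [], "new": []}
    current = build_baseline(folder)
    for name, rec in baseline.items():
        if name not in current:
            result["missing"].append(name)
        elif current[name]["sha256"] != rec["sha256"]:
            result["changed"].append(name)
        else:
            result["ok"].append(name)
    result["new"] = sorted(n for n in current if n not in baseline)
    return result

def demo() -> dict:
    """Constructed scenario: two installers baselined, one later replaced, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "npp-setup.exe").write_bytes(b"MZ constructed installer A")
        (folder / "tool.msi").write_bytes(b"constructed installer B")
        baseline = build_baseline(folder)
        # Round-trip through JSON, as if the baseline were stored on a DVD.
        stored = json.loads(json.dumps(baseline))
        # Simulate the setup file being swapped on writable media before launch.
        (folder / "npp-setup.exe").write_bytes(b"MZ something else entirely")
        (folder / "extra.exe").write_bytes(b"MZ constructed installer C")
        return verify(folder, stored)
```

Run `verify()` immediately before double-clicking an installer; a `changed` entry means the file on disk is no longer the one whose hash was checked against VirusTotal.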
I made a basic paragraph structure for an easier read. Eric
The techniques that a security program like CIS will monitor are both used by regular programs as well as malware. As such getting a technique flagged does not mean a file is malicious or you’re being infected.
Part of the time, denying a program the use of a certain technique will not make it function less. I think programs will then switch to a less intrusive way of getting the job done. E.g. a program needs to read the keyboard. It can use the Windows API or choose direct keyboard access. When we block the direct keyboard access it can fall back on using the API.
With CIS an unknown program cannot access processes in memory or access the keyboard directly. That means that malware cannot either.
With the information you have provided it cannot be concluded you’re infected. What you’re reporting is CIS blocking certain techniques to unknown files. That means it is protecting you.
I think I’m infected because a given setup executable file (for example, a trusted one like notepad++ from sourceforge) doesn’t always try to access directly the keyboard, memory or disk. Sometimes the program behaves that way, sometimes not.
After a clean Windows 8 installation, I always begin to install several programs I need. At some point, one of these programs I’m installing randomly requires direct access to keyboard, memory or disk. I suppose I’m getting infected when connecting to the internet and after that infection, the trojan/rootkit injects its malicious code into the working memory of a random setup program to do its task, simulating that the setup program needs it to work properly. The fact is that even when I block the requests to allow direct access to keyboard, memory or disk, the setup program works correctly. I think that means that the code is being injected at the beginning of the working memory of the setup program, but if that code isn’t executed (blocking it in Comodo), the setup program works OK.
I think perhaps the injected malicious code could be traced in the DMP image of the program.
Are we talking about different behaviour when running the installer for the same version or are we talking about running installers for two different versions?
As stated before, actions monitored by CIS are not proof of an infection. Installers are executable files and therefore protected against modification. With Buffer Overflow detection CIS hardens your system further.
In case of doubt whether one is infected it is always a good thing to scan for malware with various scanners among which rootkit scanners: Gmer, TDSS Killer and Bitdefender rootkit removal tool.
I’m talking about running the installer for the same version. That is what is really odd. As I said, it seems the rootkit/trojan is injecting its own code at the beginning of the working memory of setup programs, following some algorithm (it’s not completely random).
Another strange thing I’ve discovered today is that in another computer I own, a hard disk has its partition table damaged. It can’t be detected using partition managers in Windows. I’ve found it using GParted with an Ubuntu Live CD (it reports the hard disk has a recursive partition). I’ve used the anti-rootkits you mentioned in your post with no success. I think I’m being attacked with an “ad hoc” rootkit (due to my medical condition as a split-brain patient in my supposedly democratic home country, Spain. I found it watching an episode of the House TV show and then searching the works of brain researchers like Gazzaniga and Sperry on the internet).