Strange malware

Hi!

I found a while ago malware in a downloaded installer, and I removed it at once, but there were some clues that it hadn't been removed fully. I have two OSes, XP and Win7. I have basically two problems:

On XP the VGA driver does not get loaded at startup, and I have no VGA driver at all. I reinstalled it several times; the fresh driver install works until the first restart, but after the second restart the problem appears again.

On Win7, my USB thumb drive does not work at all. It appears in the device manager, but I can't see it in Explorer, nor in disk management. I have several other devices (scanners, a wifi stick) on the USB ports, and they work properly. The thumb drive works with other computers, and also with mine on XP.

A few days ago, Comodo alerted me surprisingly: it had found malware in XP's win32 and win32/dll cache while I was using Win7. It was the Heur.Suspicious@84139881.

I removed it, and the driver on XP started working fine. But since then I have some strange messages from Chrome that the site I visit does not have a trusted certificate, and I may be using a fake DNS. It's really strange, because these sites are like Gmail and such, and I am redirected onto an https port in these cases, which I have never seen before with these sites in my whole life.

I didn't care about it the first time, but now I have the ForceWare on XP working wrongly again, and it drives me insane now. The OS startup got longer, and also the system feels a bit slower. I ran a scan with NOD (Win7), Avira (XP), and Comodo, but I didn't find anything.

:confused:

Any ideas?

Sounds like you’ve removed something you shouldn’t have.

Anything labeled heur.suspicious has a very high chance of being a false positive.

If you are ever in doubt about a file, submit it to VirusTotal and see what all the other scanners there think. If it looks like a false positive, submit it to Comodo Malware Analysis and they’ll fix it in the database.

No, the problem appeared before the removal, so I couldn't have removed something that I shouldn't have.

You mean the VGA driver? What’s the situation with USB drive on Win7?

then I have some strange messages from Chrome that the site I visit does not have a trusted certificate, and I may be using a fake DNS. It's really strange, because these sites are like Gmail and such, and I am redirected onto an https port in these cases, which I have never seen before with these sites in my whole life.
Can you show screenshots of these?

I didn't care about it the first time, but now I have the ForceWare on XP working wrongly again, and it drives me insane now. The OS startup got longer, and also the system feels a bit slower. I ran a scan with NOD (Win7), Avira (XP), and Comodo, but I didn't find anything.

:confused:

Any ideas?

Yeah, the VGA driver. I don't know about the USB now; I reinstalled both OSes, and I haven't checked yet if it works. But right after the reinstall, as I wanted to create the shortcuts for my portable software and navigated to the portable Chrome's folder, I caught a worm. I only entered the containing folder, I did not even open the folder which contained the infected file, and one of the active guards alerted me about it (I don't know if it was CIS or Avira, I don't remember) and I removed it immediately.

Things seemed to be OK, because both OSes worked perfectly, but a few days ago I got an alert from Comodo while I was practicing VBA (so I didn't do anything special, did not launch or install anything, I was typing into the editor). It referred to the same file I mentioned in my previous reply, so I thought that I had that malware again.

http://i50.tinypic.com/2mwtaw8.jpg

I searched for this filename in Google, and it's a Windows system file that has something to do with remote access. BUT the strange thing in all of this is that D:\ is my XP volume, and I was on Win7 at that time, so I suppose that because XP wasn't running it must have been something that wanted to use this file for remote communication. What this could be I have no idea, because I haven't found any suspicious file. I have got Avira, Spybot, and Comodo on XP, and Comodo + NOD32 on Win7, and I scanned everything with all of them, but they found nothing. And on top of that I woke up this morning, started XP, and my VGA driver went bad again.

Something must have happened yesterday, because now both systems boot significantly slower, and this problem with the VGA driver appeared again. I think that there is a bootstrapper malware in the background that uses the VGA driver to load itself into memory, because after I removed the driver, the boot sequence became a lot faster. Without the driver I'm in within 30 seconds, and with the driver it takes approx. 1:30 at least. So the driver gets started with the startup, it just does not work properly; I get a yellow exclamation mark in a triangle in the device manager, and there is absolutely no hardware acceleration (windows are moving slow and laggy, cannot start any 3D software etc.).

On Win7 I didn't notice anything like that; it just got a lot slower, the boot-up takes twice as long as before, but apart from this everything is functioning.

I think that this happened because yesterday I turned off Comodo for a short time. I had a problem with starting a game (you can check it here) and I had to disable the firewall to solve it. Maybe the malware got free to do its dirty work at that time.

Try doing a scan with Hitman Pro:

It has an excellent detection rate and scans very fast. If your problem is related to malware this should be able to help.

Is this a joke or what? I downloaded Hitman, and it says that it scanned my whole computer in 32 secs??? No way to scan it so fast; it couldn't even enumerate the files in such a short time.

It doesn’t actually scan your computer. I think it’s like the quick scan for A-squared.

It scans the files that are in the memory and some important locations. It’s not the most thorough, but if there was active malware on your computer it should catch it.

Try the GMER anti-rootkit scanner to see if anything turns up… www.gmer.net
Also, running too many security programs next to each other could cause “strange” behavior.

Yeah, it's already in the plan, and Sophos Anti-Rootkit, Rootquest, and McAfee Stinger too. This thing has turned into a little antivirus test now. I have some interesting updates. Because of the unsuccessful scans I removed Avira, and I am trying scans with different AVs. I already made a scan with AVG and Norton AV and both detected something; these were mainly tracking cookies, which are unimportant, and I had 2 infected old archives too, which neither Avira nor NOD was able to find, but these were not used for a long time, so they couldn't have been connected with the current situation. Now I am testing avast! and it changed things a bit, from the very first moment.

When I tried to download it, I got an alert from Comodo. I had not even downloaded any portion of the installer at that moment, because Chrome always asks a question before downloading an executable file, whether I want to download it, and it places the downloaded files only after that, so the alert couldn't have been related to the avast installer. It referred to a temp file; I was unable to make a screenshot of it, because the malware ruined my VGA driver, and I got an error message from Windows that there was an error during the copy of the image from the clipboard, so I exported it to HTML, and this is what stands there:

12/28/2009 5:09:07 AM Detect D:\Documents and Settings\POK\Local Settings\Temp\175B.tmp UnclassifiedMalware@87633939 Success

I removed this temp file, and everything in that temp folder, and from then on the VGA driver works fine; that means I didn't have to reinstall it or anything like that, I just restarted the computer, and it worked well. But I didn't give up the search, because I thought that I had downloaded avast, and now I should do something with it, so I gave the search a try.

And yeah, it found a trojan on my Win7 drive (I was scanning on XP), in the pagefile:

http://img209.imageshack.us/img209/559/trj.jpg

As far as I remember, previous AVs were unable to open this file; they said it was locked, although it couldn't have been locked, because the pagefile on both OSes is restricted to the system drive, so it was not XP's pagefile, and so it couldn't have been in use at that moment. I deleted the file, the scanner went on, and after 5-10 secs I got a blue screen :confused:

Regarding all of this, the problem seems to be more serious than I thought, since my whole computer must be under control, and several AVs were fooled in this case, and it even managed to exploit avast, the only AV that could detect something so far.

About using several defense programs at the same time, I don't think it could cause such malfunctions. I have been using the Avira + Spybot + Comodo combo for years without any problem, and it's quite useful; I detected many shrinkers with Comodo's AV that fooled Avira during the scan. Avira's signature-based scanner is one of the best, and that's true for Comodo's heuristic guard, and of course I use it as a firewall mainly. Usually AVs notify you during the install if they find another incompatible product installed, and they don't let you install until the incompatibility issue is present (like Kaspersky, for instance). And if a scanner is not on good terms with another program, you can always turn it off during the scan, so they don't disturb each other.

I think the file was already downloading in the background; that's where all files end up first, in the \temp folder (for most browsers)… and after the download is finished it gets “copied” to the destination folder you selected.

Well, the trojan alert on the pagefile of Win7 is likely a false positive, and it's able to scan it because the OS is not active (Win7 was not loaded during the scan)…

I would go for a scan with GMER to see if there is any rootkit activity.

You are probably right about the downloading, but why didn't it appear the second time, after I removed that tmp file and started downloading avast? And also Chrome places temporary, unconfirmed download files into the default download directory (not in the temp folder), and such files have a “.download” extension, and the first word of them is “unconfirmed”; none of these match.

I would like to finish the first scan with avast, but it is still scanning, and then a scan with Malwarebytes, Panda, and Prevx (of course only one installed at the same time), and then I will see which will be the best. Then I will search for rootkits, first with RootRepeal, because I searched for that trojan and found a site where another guy had the same trojan in his pagefile, and he was advised to try this anti-rootkit. And after this I will let the scan go on with the other anti-rootkits.

BTW, I forgot to mention that since this problem with the VGA driver appeared, the number of updates has risen on both OSes. I see the little shield sign at almost every shutdown now, although I configured the system so that it should only download the updates and prompt me if I want to install a specific update. Is there a malware that uses Windows system update to download and install malicious code?

Another update:

I tried GMER, but didn't succeed in finishing the scan. After I start it the CPU load gets heavy, although I don't do anything special with it, so only the user interface is running. It's not GMER that is producing that; it's a service host of Windows Update:

http://img685.imageshack.us/img685/3190/winupdate.jpg

It's only showing 50% on the graph, because it uses “only” one core at 100%. The red part of the graph is kernel code, now guess… :frowning:
And that's just the user interface; as I start scanning, the other core also gets 100% load:

http://img20.imageshack.us/img20/7456/nvtelenkj.jpg

99% of the load is kernel code again, but it's produced by lsass.exe, and what you cannot see (because I couldn't make a screenshot of it; by that point everything had become unable to respond) is that in the last phase winlogon took the role of the 2 processes mentioned before, and it also produced 100% load, and I was unable to kill it, and it made everything freeze, so I had to restart, and this is the scenario every time I start GMER. I tried a trick and set the priority of these processes to the lowest, and so I managed to finish the scan, but I was unable to save the results in a logfile; when I tried it, the system froze again.

So all evidence suggests that there is a rootkit in the background; I just don't know how to detect and get rid of it, and of course I would like to know the source too, how it infiltrated the system, to avoid it next time.

Download and install the above programs (Microsoft Antivirus, SuperAntiSpyware and Malwarebytes Anti-Malware). Reboot in Safe Mode, pressing F8 to do this once your PC starts. Do some scanning. Remove ANYTHING these tools find, scanning individually. Reboot, and scan again in normal mode and remove anything it finds.

Please report back afterwards. Good luck!

P.S. - If possible, in the main CIS GUI, go to Defense+ > View Active Process List. Take a snapshot of the entire list please and upload it here.

Also do some cleaning using COMODO System Cleaner: http://www.comodo.com/home/support-maintenance/system-cleaner.php - If anything goes wrong here, it has registry/file protection and backup for you.

Cheers,
Josh

Can you check two things?

First, set Process Explorer to verify the signatures of the running processes and let them verify:
Options, Verify Image Signature, and View, Select Columns, Verified Signer.
See if any non-verifiable items turn up…

Second, check your Windows event logs and see if there is a clue there about Warnings or Errors that could be related to this…
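A scripted version of the same two checks, added here as an example and not part of this thread. It assumes Windows PowerShell on the Win7 side (Get-WinEvent does not exist on XP's PowerShell) and an elevated prompt so every process image path can be read.

```powershell
# Added example (not from the thread): the two checks the post asks for, done from
# Windows PowerShell 2.0 or later. Assumes an elevated prompt on Win7.

# 1. Like Process Explorer's "Verified Signer" column: report every running process
#    whose on-disk image does not carry a valid Authenticode signature.
function Get-UnverifiedProcessImage {
    # Path is empty for protected/system processes we cannot open; skip those.
    $paths = Get-Process |
        Where-Object { $_.Path } |
        Select-Object -ExpandProperty Path -Unique
    foreach ($p in $paths) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        # 'Valid' means the certificate chain verified. Anything else is a candidate
        # to look at, not a verdict: on Windows 7 many Microsoft binaries are signed
        # only through a catalog file, which this cmdlet reports as NotSigned, while
        # Process Explorer resolves catalogs and shows them as verified.
        if ($sig.Status -ne 'Valid') {
            $signer = '(none)'
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            New-Object PSObject -Property @{
                Path   = $p
                Status = $sig.Status
                Signer = $signer
            }
        }
    }
}

# 2. The event-log check: Error (level 2) and Warning (level 3) entries from the
#    System log over the last $Hours, newest first, so driver and service start
#    failures show up with their provider name and event ID.
function Get-RecentSystemProblems {
    param([int]$Hours = 24)
    $filter = @{
        LogName   = 'System'
        Level     = 2, 3
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, ProviderName, Id, Message
}

Get-UnverifiedProcessImage | Sort-Object Status, Path | Format-Table Path, Status, Signer -AutoSize
Get-RecentSystemProblems -Hours 24 | Format-Table -AutoSize -Wrap
```

An unsigned image in a user-writable location (Temp, the profile, a portable-apps folder) is the kind of entry worth submitting to VirusTotal, as suggested earlier in the thread; an unsigned Windows binary under System32 is more often the catalog-signing case noted in the comments.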

Well, I don't know what to say now. I've done what you told me, and so many things happened, it would be too much to tell everything; I will just make a short summary of them:

ALL SCANS WERE ON XP***********

  • Process Explorer:

http://img63.imageshack.us/img63/9859/prcb.jpg

2 unsigned processes; one of them is an EPU app for my mobo, but I have no idea what the other one could be. Anyway… nothing related to these in the event log…

  • Malwarebytes: scanned successfully, found this in safe mode:

http://img519.imageshack.us/img519/9012/mwbytes.jpg

The first two sounded like a false alarm (I downloaded them from AnandTech), but I removed those too to be sure.

  • SuperAntiSpyware: found nothing but tracking cookies

  • Security Essentials: isn't available in my country (that's what the webpage told me when I wanted to download it :S)

Other AVs:

  • Prevx: thought everything was a rootkit, all active guards (Comodo, Spybot) and some apps which are surely not like that; a lot of false alarms

  • Panda: slow and ■■■■, found only tracking cookies, and I think the malware took total control over it; my system lagged like never before, I was unable to run Chrome even after I reinstalled it; the application started, it also connected to the internet, but no webpage got rendered, just a blank window, although there was some traffic caused by it

  • Rootquest: was unable to start, referring to a missing OCX; I installed the OCX manually, then I got an error code which I couldn't fix

  • Avast was one of the best, found two trojans and also separated some system files, and then the system got a bit faster and the boot time got shorter, although I got several blue screens during the scanning (possibly a buffer overflow exploit attack)

http://img685.imageshack.us/img685/9995/chestp.jpg

  • Sophos Anti-Rootkit:

http://img39.imageshack.us/img39/7787/sophos.jpg

Removed the first one; the second is a false positive (D-Tools driver); the others I didn't know, so I left them

  • F-Secure: also a good one, fast, and it found a malware, but it was in an old file again, which I hadn't used after the total system reinstall

So these were the scans, but there are other interesting things:

After installing Panda, I suffered a lot with the startup; it took 5 minutes at least (or even more) to boot, and after it I got this message (it's about the driver helper service, it was unable to start)

http://img695.imageshack.us/img695/1128/84438606.jpg

BUT! The most important:

After installing Panda, Comodo made a lot of random alerts from the Local Settings/Temp folder, and I thought that's because the two apps are incompatible and Comodo thinks that Panda is a malware, so I added the alerts to the exclusions. After installing F-Secure this thing appeared again, and it got suspicious for me, so I deleted the whole temp folder, and it seemed to be the end of this phenomenon, but then after a few minutes the same .crv file appeared in the main directory of F-Secure, and Comodo alerted about that too; it was even more suspicious, so I uploaded it to VirusTotal, and the result was 10% positive. It didn't seem to be a lot, and I had to allow access for it to be able to upload it to VirusTotal, so I added it to the exceptions again. But then after a short while I switched to Win7, and I was messing around here and there when the Comodo alert window popped up again with the same file!!! This time F-Secure wasn't running for sure, and not even the XP volume should have been in use in any way, because I don't store it on anything that could be in connection with the Win7 system, and even so this file was able to get some CPU time somehow and run into Comodo's hands… I said dang… it's not strange anymore, this is weird now!

http://img192.imageshack.us/img192/1544/fsecure.jpg

So it seems that this thing fools all the AVs; none of them could detect it, and if one could, then it makes it impossible to do anything, because it causes a blue screen of death, or makes the system lag so much that one cannot do anything with it. :o

I haven't got any ideas what could be in the background, but it's slowly pissing me off now, and I wanna bust this bastard out of my computer >:(

Another angle would be to do an offline scan with the Live CDs of Avira and Dr.Web.

Hey, the last two files SOPHOS ANTI-ROOTKIT DETECTED are files that are part of Windows Update, I guess.

I don't think there is any malware in your PC; most probable is something related to data corruption, hardware issues causing data corruption.
You should check the RAM properly, apply the proper voltage and run test 5 from Memtest 22 times in a loop.
Any driver issue can be related to bad RAM.

Post your hardware configuration, including your PSU specifications, to see if there is some relationship between instability and power problems as well.

If you checked already with F-Secure, give BitDefender a go as well; they use the BD engine but the rootkit components may be different.

Some files in your screenshots are backups, like the ones in Avast (winsock bla bla); sptd.sys is hidden because it's used by Daemon Tools etc.
Run a full boot scan with Avast and McAfee Rootkit Detective 1.1; additionally you can install Outpost Firewall too to run a spyware scan (the Outpost antispyware component may detect what some other antispyware misses).

If you have the habit of installing “free” games, you should be aware that all of them come with trojans, either in the ISOs or in the gens or cracks.
If you want a clean PC, stay legit.

First check the hardware, then reinstall the OSes and take care out there.

The issue is that the VGA driver seems to work well in his Windows 7 installation. So is it really a hardware-related problem???