Strange things on my computer, detected some malware, but I guess not all

Hey!

Recently my computer became really slow. I had some infections, but I thought I had made the system clean. Here are the ones I found:

http://img829.imageshack.us/img829/5262/virc.jpg

SetupCasino is a Poker770 client that is claimed to be an FP. I didn't know why Comodo reports it; I disabled every protection of IS, but I still could not install it, so I had to make a VM in VirtualBox without Comodo to be able to play. But after I saw this video about the FTP client spying on the local host, I would not be surprised if the heuristics reported the 770 client because of its spying characteristics. Could anyone at Comodo check whether the 770 client is doing some dirty business like the FTP client did?

The others above with the strange filenames (ZKJq… etc.) are totally unknown to me; I am pretty sure that these aren't FPs.

And the last one, that Szótár 8.6.1… etc., was a freeware dictionary I can live without, so I deleted it; it does not matter whether it was an FP or not.

BUT after this scan my comp was still slow, and I noticed increased memory usage that shows an interesting periodic pattern, which you can see in the following picture:

http://img27.imageshack.us/img27/1070/comodoin.jpg

You can see that sawtooth-shaped pattern in the physical memory usage graph, and those spikes in the IO graph. These appear periodically all the time; the IO bursts belong to cmdagent, and the largest working set is also cmdagent.exe's. I don't know why it does that; I don't remember it doing things like this before.

I'm afraid that this could be caused by an exploit that bypasses the defense this way.

Any ideas?

If you’re not sure about a file please upload it here and post a link to the results. If you like, you can also evaluate it using the advice in this article.

As for your concerns about whether your computer is infected, please follow the advice I give in this part of one of my articles.

Let us know what you find.

Thanks.

Thanks for your reply Chiron, it was helpful! Though I feel pretty much like WTF now. I downloaded CCE and let a scan run, and guess what: it found 70 threats!!! Most of them are legit SW that I use every day, so there are two options, both of them quite WTF:

A: CCE reported FPs, but how many then? 70???

B: These files are really infected, but then they must have got infected after I installed them. But how on earth did they manage to bypass the whole CIS, and also Avira, which I use on XP (on a different partition)??

My guess is B, and I think it's still not clean. I say this because when I tried to send this reply, Dragon suddenly crashed; then I wrote the reply again, pasted the images and it crashed again. The next time I launched it, it just crashed on start, and it keeps on crashing, so now I cannot use it. Perhaps I'm the paranoid one, but I feel like someone else controls my comp, so I switched to my laptop. In this case it would not make any sense to upload the infected files, because I have to find the virus that infects them.

Though I made a screenshot of the result, unfortunately the result window wasn't resizable, so I had to make quite a few. Here they are:

http://img830.imageshack.us/img830/4241/39820714.jpg

http://img535.imageshack.us/img535/6515/58476749.jpg

http://img851.imageshack.us/img851/4610/99183683.jpg

http://img69.imageshack.us/img69/9131/32705021.jpg

http://img703.imageshack.us/img703/8896/62209494.jpg

http://img714.imageshack.us/img714/7467/90933148.jpg

http://img845.imageshack.us/img845/9408/13066999.jpg

http://img545.imageshack.us/img545/4783/14616671.jpg

So… what should I do with this?

Can you please upload a few of those files to VirusTotal and post a link to the results?

Thanks.

The Heur.Packed Unknown ones are just generic ‘I don’t know this packer’ detections (a packer is a sort of zip for .exe’s), so it’s likely an FP.

The sptd.sys infection is highly suspicious and a possible rootkit; try TDSS Killer to see if it detects the rootkit.

I've let that Kaspersky stuff run, but it has not found anything. I also tried to upload some to VirusTotal, but it simply does not work. During the upload the connection times out, no matter what or when I try to upload. I tried it in the morning, in the afternoon and also a few minutes ago, even though the site load was low, and I also tried it from my laptop; I never managed to upload any file. I am behind a router; is it possible that something blocks the upload by the router's IP, or is my laptop also infected? Or can it be that the site is just broken today?

I uploaded a lot of files to Jotti's malware scanner site too, but I got only 2 alerts from ClamAV, for AIMP and Screamer Radio.

So I zipped the files I could restore from the quarantine (some I couldn't because they were in write-protected areas) and uploaded the zip to SendSpace; here is the link:

[Mod edit: link removed]
Do not post links to possibly malicious files in the forum. Please PM a moderator if you would like the files for testing.

Could someone check them?

Thanks in advance!

I’ve just written a new article:
How to Know If Your Computer Is Infected

Please follow the methods advised and let us know what you find.

Thanks.

The files I found to be detected as suspicious are clean on VirusTotal, which makes me wonder why CCE flagged them; unless they were FPs, they should still be detected.
I also had issues with uploading to VirusTotal, so it’s likely an issue on their end; today it worked fine.

Thanks for the article, I have done what's written there. Something must have been wrong with VirusTotal yesterday, because there was no timeout problem today, so I have uploaded what I could:

http://virusscan.jotti.org/en/scanresult/35a253612e8396ca82c41656e9e98ede0b24252a

http://www.virustotal.com/file-scan/report.html?id=6d71049cdd61ef8002e0b6bc60a49a64e77aae9243c6a8747834771d3c099f67-1324046149

http://www.virustotal.com/file-scan/report.html?id=61f101bae9d1cd9322f479abfe38c3569bdf36bfde1c7aa5cb8a904ccdf9d226-1324047988

http://www.virustotal.com/file-scan/report.html?id=1ea34928285b22d7894e790f692afa2c445ca2eba523ca307ef48f63c8dbf1f2-1324050714

http://www.virustotal.com/file-scan/report.html?id=3cdb3bdc5463497cd346b1a3d370888587e8bfae3d8e63cbd4c9d258e5929b0d-1324051076

http://www.virustotal.com/file-scan/report.html?id=71377cdba986807e1d73e3c6c280053ea26ba5bf5b26a29e04eb7fdc19907aa5-1324051221

http://www.virustotal.com/file-scan/report.html?id=ce644803ae940c4b603478d21f62fd87734d0318eb9e62af6ba9529a65c0509f-1324051361

http://www.virustotal.com/file-scan/report.html?id=e6e93dc30ba93976df3a384d3d32745ca7d0e3cc4140bfae468fbfc271192c48-1324052424

http://www.virustotal.com/file-scan/report.html?id=3c0c5d4c213218c16fae30f252449f409e6a779c63906958af7ebb1642a655b8-1324052694

http://www.virustotal.com/file-scan/report.html?id=f25cf0f24f9aa398fa54b0a3559d670db7c3a12f44340a2730d35584772354df-1324056184

http://www.virustotal.com/file-scan/report.html?id=61f101bae9d1cd9322f479abfe38c3569bdf36bfde1c7aa5cb8a904ccdf9d226-1324062053

and I also scanned my system with MBAM; it found a lot of infected registry keys. Here is the log; however, some of the text is in Hungarian:

Malwarebytes’ Anti-Malware 1.51.2.1300

Adatbázis verzió: 8377

Windows 6.1.7600
Internet Explorer 9.0.8112.16421

2011.12.16. 2:20:00
mbam-log-2011-12-16 (02-19-43).txt

Vizsgálat típusa: Teljes vizsgálat (C:|D:|F:|G:|H:|)
Átvizsgált objektumok: 267484
Eltelt idő: 4 óra, 24 perc, 12 másodperc

Fertőzött memóriafolyamatok: 0
Fertőzött memória modulok: 0
Fertőzött Rendszerleíró kulcsok: 15
Fertőzött Rendszerleíró értékek: 4
Fertőzött Rendszerleíró adatelemek: 0
Fertőzött mappák: 0
Fertőzött fájlok: 2

Fertőzött memóriafolyamatok:
(Nem találhatók rosszindulatú elemek)

Fertőzött memória modulok:
(Nem találhatók rosszindulatú elemek)

Fertőzött Rendszerleíró kulcsok:
HKEY_CLASSES_ROOT\CLSID\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) → No action taken.
HKEY_CLASSES_ROOT\TypeLib\{BB7256DD-EBA9-480B-8441-A00388C2BEC3} (PUP.VShareRedir) → No action taken.
HKEY_CLASSES_ROOT\Interface\{3D782BB2-F2A5-11D3-BF4C-000000000000} (PUP.VShareRedir) → No action taken.
HKEY_CLASSES_ROOT\MyNewsBarLauncher.IE5BarLauncherBHO.1 (PUP.VShareRedir) → No action taken.
HKEY_CLASSES_ROOT\MyNewsBarLauncher.IE5BarLauncherBHO (PUP.VShareRedir) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{78F3A323-798E-4AEA-9A57-88F4B05FD5DD} (PUP.VShareRedir) → No action taken.
HKEY_CLASSES_ROOT\CLSID\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → No action taken.
HKEY_CLASSES_ROOT\MyNewsBarLauncher.IE5BarLauncher.1 (PUP.VShareRedir) → No action taken.
HKEY_CLASSES_ROOT\MyNewsBarLauncher.IE5BarLauncher (PUP.VShareRedir) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Titan Poker (PUP.Casino) → No action taken.

Fertőzött Rendszerleíró értékek:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → Value: {7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → Value: {7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} → No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → Value: {7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} → No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} (PUP.VShareRedir) → Value: {7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} → No action taken.

Fertőzött Rendszerleíró adatelemek:
(Nem találhatók rosszindulatú elemek)

Fertőzött mappák:
(Nem találhatók rosszindulatú elemek)

Fertőzött fájlok:
c:\program files (x86)\vshare.tv plugin\BarLcher.dll (PUP.VShareRedir) → No action taken.
c:\Poker\titan poker_titanbsetup_12544c.exe (PUP.Casino) → No action taken.

Hi. They are all ‘PUP’ = Possible Unwanted Program; in this case I think a toolbar of some kind.
Nothing really serious in there.
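Added example, not code posted by anyone in this thread: a PowerShell check, run as administrator on the affected Windows 7 machine, that resolves the BHO/toolbar CLSIDs from the MBAM log above (plus any other BHOs registered in the standard Browser Helper Objects key) to the DLL that implements them, reports the DLL's Authenticode status and prints its SHA-256 so the file can be looked up on VirusTotal as Chiron asked. The two CLSIDs are taken from the log; the registry locations are the standard IE add-on registration keys, not values from the thread.

```powershell
# Added example, not from the thread. Resolve IE add-on CLSIDs to the DLLs behind them,
# check each DLL's Authenticode signature and print its SHA-256 for a VirusTotal lookup.
# The two CLSIDs come from the MBAM log posted above (PUP.VShareRedir); the rest are read
# from the standard Browser Helper Objects registration keys. Run in an elevated PowerShell.
$fromLog = @(
    '{78F3A323-798E-4AEA-9A57-88F4B05FD5DD}',
    '{7AC3E13B-3BCA-4158-B330-F66DBB03C1B5}'
)
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)
$registered = foreach ($k in $bhoKeys) {
    if (Test-Path $k) { Get-ChildItem $k | ForEach-Object { $_.PSChildName } }
}
$clsids = @($fromLog) + @($registered) | Where-Object { $_ } | Sort-Object -Unique

function Resolve-ClsidDll {
    param([string]$Clsid)
    # A COM server records its DLL as the default value of HKCR\CLSID\{...}\InprocServer32;
    # 32-bit servers on 64-bit Windows are registered under Wow6432Node instead.
    foreach ($base in 'Registry::HKEY_CLASSES_ROOT\CLSID',
                      'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID') {
        $key = "$base\$Clsid\InprocServer32"
        if (Test-Path $key) {
            $path = (Get-ItemProperty -Path $key).'(default)'
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path.Trim('"')) }
        }
    }
    return $null
}

$sha256 = [System.Security.Cryptography.SHA256]::Create()
foreach ($clsid in $clsids) {
    $dll = Resolve-ClsidDll -Clsid $clsid
    if (-not $dll) { "$clsid : no InprocServer32 entry (not installed or already removed)"; continue }
    if (-not (Test-Path $dll)) { "$clsid : registered DLL is missing on disk: $dll"; continue }
    # The signature status says whether the image on disk is still the vendor's signed file;
    # NotSigned or HashMismatch on a browser add-on is worth a second look.
    $sig  = Get-AuthenticodeSignature -FilePath $dll
    $hash = [BitConverter]::ToString($sha256.ComputeHash([IO.File]::ReadAllBytes($dll))) -replace '-', ''
    "{0} -> {1}" -f $clsid, $dll
    "    signature: {0}  signer: {1}" -f $sig.Status, $sig.SignerCertificate.Subject
    "    sha256:    {0}" -f $hash
}
```

The SHA-256 is computed with .NET directly so the script also works on the PowerShell 2.0 that shipped with Windows 7; the hash can be searched on VirusTotal without uploading the file.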

I made a scan with the KAV rescue disk and it has found a rootkit:

Status: Deleted (events: 4)
12/17/11 4:32 PM Deleted virus Rootkit.Win32.ZAccess.g F:/MY_Books/Szakirodalom/Szoftverfejlesztés.rar High
12/17/11 4:32 PM Deleted virus Rootkit.Win32.ZAccess.g F:/MY_Books/Szakirodalom/Szoftverfejlesztés.rar//Szoftverfejleszt?s/WEB/Young Xml l?p?sr?l l?p?sre/MSIE6/en/nt4sp6a/i386/sp6i386.exe High
12/17/11 4:32 PM Deleted virus Rootkit.Win32.ZAccess.g F:/MY_Books/Szakirodalom/Szoftverfejlesztés.rar//Szoftverfejleszt?s/WEB/Young Xml l?p?sr?l l?p?sre/MSIE6/en/nt4sp6a/i386/sp6i386.exe//PE_Patch High
12/17/11 4:32 PM Deleted virus Rootkit.Win32.ZAccess.g F:/MY_Books/Szakirodalom/Szoftverfejlesztés.rar//Szoftverfejleszt?s/WEB/Young Xml l?p?sr?l l?p?sre/MSIE6/en/nt4sp6a/i386/sp6i386.exe//PE_Patch//security.dll High

Do you know any other bootable AVs that I could update via DVD or flash drive? Unfortunately I have a wireless router and I have network access only through that, and these live Linuxes can't handle the USB stick I connect to the router with. So I should somehow download the updates separately and put them on a flash drive or a DVD.

That doesn’t look like an active infection; it’s inside a .rar file. Did you keep a copy of that file somewhere?

I think Avira has an option to ‘load’ updates from a zip file from USB. DrWeb should be able to run from USB completely, but then you need something to boot from (Hiren’s BootCD).

Unfortunately no, because KAV deleted it. Avira's ISO is always up to date AFAIK; I don't know Dr.Web, but I'm going to look into it.

Please follow the advice in How to Know If Your Computer Is Infected. This will let us be more certain as to what is going on with your computer.

Thanks.

Man, I have done that already. As I said before, TDSSKiller did not find anything. I also ran KillSwitch, and I guess it found one suspicious file, and also CCE, and I uploaded everything I could to VirusTotal and pasted the results here. What did I miss?

Also, if you ask me, this method is not really good. I mean, how on earth could you be sure a process is clean by only comparing it to a list of safe processes? I mean, let's say I inject harmful code into a process that is on that list; will it be safe running that code? Hell no! Nay, these pesky rootkits like to stick to kernel-mode processes, to drivers and such, so that they can hide in the shadows. You'll never find them this way.

I think using a live CD is a much better option (though much more time-consuming), because then nothing can boot with the OS that could modify system calls to give back false return values. You can be completely sure that the environment you are running the scan in is clean. I think that's how that mothaf…ka was caught by KAV and was missed by the previous scans run under the host OS.

Finally, uninstalling CIS solved the memory overuse and lag problem. Perhaps there was no malware; it's just a CIS bug. Nowadays Comodo products are dross. I used Dragon as well, but it's crashing randomly all the time, and after restarting it, it loads up the previous pages duplicated. I switched to Outpost and Iron and now everything's OK: no crashes, no lag, everything runs lightning fast.

I mean, let's say I inject harmful code into a process that is on that list; will it be safe running that code?
At the very least it would invalidate the digital verification.

I always find it hard to trust a computer once it becomes infected.

these pesky rootkits like to stick to kernel-mode processes, to drivers and such, so that they can hide in the shadows. You'll never find them this way
Some rootkit writers don't bother going deep into the kernel because they don't need to; it would be more work than necessary, and it could cause problems and tip off the user.

P.S. Putting it in the kernel doesn’t make it harder to hide, just harder to clean. That’s all.