Unnamed and unknown process in KillSwitch - trojan fakes as clean apps?

Hi!
A few months ago I made a similar topic about a hidden process which doesn't have a name and can't be found. I had abandoned that research but decided to try again.

So, here's the screenshot:

http://i.imgur.com/S2bWnQ0.png

As you can see, there's an unnamed process.
Using Sysinternals TCPView I found that it has PID 0 and is hiding under the [System Process] name: [System Process] 0 TCP skitpc 50134 80.150.191.185 http TIME_WAIT

Doing netstat -abno > netstat_result.txt I got this result:

[Dropbox.exe] TCP [my_ip]:50134 80.150.191.185:80 TIME_WAIT 0

Another time the netstat result showed me that this process, which has PID 0, faked iexplore.exe, and another time it showed that information about the process name could not be resolved.

Also, while scanning for rootkits with GMER, I found that there's something called ysyfer.sys in %SystemRoot%/System32/Drivers, but it's hidden, so I can't locate it using Explorer.exe or GMER etc.
Also, GMER keeps crashing during the rootkit scan.

This process can be seen by the VirusTotal Uploader app, but can't be uploaded:

http://i.imgur.com/KgmrJ5q.png

This unknown process keeps sniffing on websites I browse using IE (but other apps are also sniffed) and occasionally but regularly (every few or dozens of seconds) refreshes local ports and destination addresses.

How to find it and kill it?

Scanning with MBAM, MBAR (Malwarebytes Anti-Rootkit), Kaspersky TDSSKiller, Kaspersky Rescue Disk, Comodo Cleaning Essentials, MS Security Essentials and Comodo Rescue Disk didn't find anything: both quick and full scans in normal mode, freshly after database updates, without a network connection.

How to find it and kill it?
Let's back up a bit.

In KillSwitch, look in the "Services" folder instead of the "Network" folder.

Ignore the files that say "trusted", because you think you're infected. So, while ignoring the files that are trusted: you could have trusted files that could be sniffing around, like "Panda AV", just using that as an example, but I highly doubt that's the case.

Look at the unknown files.

I found that there's something called ysyfer.sys in %SystemRoot%/System32/Drivers, but it's hidden, so I can't locate it using Explorer.exe or GMER etc.
http://www.bleepingcomputer.com/tutorials/show-hidden-files-in-windows-7/

Also, open your browser and look at the add-ons and plugins. Adware like "a lot", "sweetpacks" and such
could also explain it.

Just some ideas for you.

Taking the information from KS, TCPView and netstat, they all point to IP address 80.150.191.185, which belongs to Akamai. Akamai is the world's biggest Content Delivery Network, where companies host their services and updates.

Netstat shows that it is Dropbox being the cause of the TIME_WAIT state. The TIME_WAIT state is the second-to-last step in the TCP/IP protocol. That means Dropbox is closing its connection with an IP address belonging to Akamai. That's nothing strange.

As Radaghast has noticed before (sorry, but I can't find the quote right now), KillSwitch and apparently also TCPView are handling the closing part of a connection strangely.

You're looking at an anomaly of an instrument rather than malware.
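To make the point above checkable rather than a matter of trust, here is an added example (not from the thread or from any poster) that parses `netstat -ano` output and separates the PID-0 rows. The sample text in it is constructed to look like the poster's situation (local port 50134 towards 80.150.191.185) and was not captured from the machine in question; only the TIME_WAIT-with-PID-0 case is treated as expected, every other ownerless state is listed for a closer look.

```python
"""Triage `netstat -ano` rows whose owning PID is 0.

Added example for this thread, not code from any poster or tool vendor.
SAMPLE_NETSTAT is constructed to resemble Windows 7 `netstat -ano` output.
"""
import re
from collections import defaultdict

SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:50134     80.150.191.185:80      TIME_WAIT       0
  TCP    192.168.1.10:50140     80.150.191.185:80      ESTABLISHED     2212
  TCP    192.168.1.10:50141     203.0.113.9:80         ESTABLISHED     0
  TCP    192.168.1.10:50142     203.0.113.9:443        SYN_SENT        0
  UDP    0.0.0.0:500            *:*                                    932
"""

# One connection row: proto, local, remote, optional state (UDP has none), pid.
ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_0-9]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["pid"] = int(row["pid"])
        row["state"] = row["state"] or ""  # UDP rows carry no state column
        rows.append(row)
    return rows


def triage(text):
    """Split PID-0 rows into the expected case and the ones worth a look.

    After the owning process closes a socket, the kernel keeps the TCB until
    the TIME_WAIT timer expires and netstat reports the owner as PID 0
    ([System Process] in TCPView).  A PID-0 row in LISTENING, ESTABLISHED or
    SYN_SENT has no such explanation and deserves investigation.
    """
    expected, suspicious = [], []
    for row in parse_netstat(text):
        if row["pid"] != 0:
            continue
        (expected if row["state"] == "TIME_WAIT" else suspicious).append(row)
    return {"expected_pid0": expected, "suspicious_pid0": suspicious}


def pids_talking_to(text, remote_ip):
    """Sorted list of owning PIDs that have a row towards remote_ip.

    A 0 in the result just means "already closed"; the live owner (if any)
    appears alongside it, which is what `netstat -b` names for the same port.
    """
    by_ip = defaultdict(set)
    for row in parse_netstat(text):
        ip = row["remote"].rsplit(":", 1)[0]  # strip the port, IPv6-safe
        by_ip[ip].add(row["pid"])
    return sorted(by_ip.get(remote_ip, set()))


if __name__ == "__main__":
    result = triage(SAMPLE_NETSTAT)
    for row in result["expected_pid0"]:
        print("expected :", row["local"], "->", row["remote"], row["state"])
    for row in result["suspicious_pid0"]:
        print("look at  :", row["local"], "->", row["remote"], row["state"])
    print("PIDs towards 80.150.191.185:", pids_talking_to(SAMPLE_NETSTAT, "80.150.191.185"))
```

Run it against a real capture with `netstat -ano > out.txt` and `triage(open("out.txt").read())`; a TIME_WAIT row that keeps reappearing on fresh local ports is consistent with an application reconnecting and closing, while a PID-0 row in ESTABLISHED or LISTENING is the case that would justify the rootkit hunt.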

Thanks for reply.

I used whois-like websites to check the IP's origin. But during the last few days I've uploaded a few files to VirusTotal and they're classified as malware; I also posted links in this topic https://forums.comodo.com/av-false-positivenegative-detection-reporting/submit-malware-here-to-be-blacklisted-2013-no-live-malware-t89868.2910.html (pages 195 and 196). I extracted these files from a live memory dump (made with DumpIt) using volatility.exe: both .dll and .sys files.

So I still think my PC is infected.

I checked the VirusTotal reports, and with only one or two programs flagging a file as suspicious or malware there is still a fair chance these files may not be malware.

But that being said, let's await what the Comodo analysts bring to the table.

Can these files be found on your hard drive or with KillSwitch set to “Show only the untrusted images in memory”?

You scanned with a respectable arsenal of reputable scanners and they found nothing. If you want to go the extra mile you can try a couple of AV rescue disks from Kaspersky and Dr.Web. But when that comes back clean, I am calling your system clean.

What specific behaviour of your system, other than what you posted in your topic start, makes you suspect something is up with your system?

My HDD keeps working louder than normal. While scanning with GMER (newest version) I can see some strange services like hvbubo which can't be killed or deleted, because GMER crashes immediately. So aswMBR.exe (avast! anti-rootkit utility). Also GMER shows the ysyfer.sys driver in its results.
I scanned the whole PC with F-Secure, Kaspersky, Microsoft Windows Defender Offline, Panda Cloud and Comodo, all of them rescue disks, and nothing was found.

Using the Sysinternals suite I found this entry in the registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\KRECWLENUZWGAI]
"Type"=dword:00000110
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,41,00,\
  72,00,64,00,69,00,61,00,6e,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,\
  00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,\
  4b,00,52,00,45,00,43,00,57,00,4c,00,45,00,4e,00,55,00,5a,00,57,00,47,00,41,\
  00,49,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="KRECWLENUZWGAI"
"ObjectName"="LocalSystem"

And this app → C:\Users\Ardian\AppData\Local\Temp\KRECWLENUZWGAI.exe was running as a service.

Yet one of the .dll files extracted from the memory dump was recognized by the Comodo scanner as malware → VirusTotal

And while doing research using netstat, TCPView or Process Explorer and volatility, I saw that one of the iexplore.exe instances had PID 0.

Still searching for a solution. Will respond later.
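The registry export above is readable by hand only after decoding the `hex(2)` (REG_EXPAND_SZ, UTF-16LE) value and the `Type`/`Start` bit fields. The following is an added example, written for this thread and not code from any poster, that does that decoding and applies a few triage rules. The .reg text embedded in it is the fragment posted above; the rules themselves (an image path under a Temp directory, the interactive-service bit, an all-caps random-looking display name) are the example author's own assumptions about what deserves a closer look, not a verdict on the file.

```python
"""Decode a service key from a regedit .reg export and flag odd settings.

Added example for this thread, not a poster's or vendor's code.  REG_FRAGMENT
is the export posted in the thread; the triage rules are assumptions.
"""
import re

REG_FRAGMENT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\KRECWLENUZWGAI]
"Type"=dword:00000110
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):43,00,3a,00,5c,00,55,00,73,00,65,00,72,00,73,00,5c,00,41,00,\
  72,00,64,00,69,00,61,00,6e,00,5c,00,41,00,70,00,70,00,44,00,61,00,74,00,61,\
  00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,\
  4b,00,52,00,45,00,43,00,57,00,4c,00,45,00,4e,00,55,00,5a,00,57,00,47,00,41,\
  00,49,00,2e,00,65,00,78,00,65,00,00,00
"DisplayName"="KRECWLENUZWGAI"
"ObjectName"="LocalSystem"
'''

# Documented SERVICE_* type bits and start values (winnt.h / winsvc.h).
SERVICE_TYPE_BITS = {
    0x001: "SERVICE_KERNEL_DRIVER",
    0x002: "SERVICE_FILE_SYSTEM_DRIVER",
    0x010: "SERVICE_WIN32_OWN_PROCESS",
    0x020: "SERVICE_WIN32_SHARE_PROCESS",
    0x100: "SERVICE_INTERACTIVE_PROCESS",
}
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}


def parse_reg_values(fragment):
    """Return {name: value} for the single key in a .reg fragment.

    Handles dword:, hex(2): (REG_EXPAND_SZ as UTF-16LE bytes, possibly split
    over backslash-continued lines) and plain quoted strings.
    """
    text = re.sub(r",\\\r?\n\s*", ",", fragment)  # join continuation lines
    values = {}
    for m in re.finditer(r'^"(?P<name>[^"]+)"=(?P<val>.+)$', text, re.M):
        name, raw = m.group("name"), m.group("val").strip()
        if raw.startswith("dword:"):
            values[name] = int(raw[len("dword:"):], 16)
        elif raw.startswith("hex(2):"):
            data = bytes(int(b, 16) for b in raw[len("hex(2):"):].split(",") if b)
            values[name] = data.decode("utf-16-le").rstrip("\x00")
        elif raw.startswith('"') and raw.endswith('"'):
            values[name] = raw[1:-1]
        else:
            values[name] = raw
    return values


def describe_service(values):
    """Expand Type/Start/ObjectName into readable fields."""
    svc_type = values.get("Type", 0)
    return {
        "image": values.get("ImagePath"),
        "type_flags": [n for bit, n in SERVICE_TYPE_BITS.items() if svc_type & bit],
        "start": START_TYPES.get(values.get("Start"), "UNKNOWN"),
        "account": values.get("ObjectName"),
    }


def triage_service(values):
    """Heuristic warnings; each rule is an assumption, not proof of malware."""
    d = describe_service(values)
    warnings = []
    image = (d["image"] or "").lower()
    if "\\appdata\\local\\temp\\" in image or "\\windows\\temp\\" in image:
        warnings.append("image runs from a Temp directory")
    if "SERVICE_INTERACTIVE_PROCESS" in d["type_flags"]:
        warnings.append("interactive service bit (0x100) set on a user-mode service")
    if d["account"] == "LocalSystem" and warnings:
        warnings.append("and it runs as LocalSystem")
    # Crude check: long all-caps names with no vowels pattern is an assumption.
    if re.fullmatch(r"[A-Z]{10,}", values.get("DisplayName", "")):
        warnings.append("display name is a long all-caps string")
    return warnings


if __name__ == "__main__":
    vals = parse_reg_values(REG_FRAGMENT)
    print(describe_service(vals))
    for w in triage_service(vals):
        print("warning:", w)
```

On the posted key this decodes `Type` 0x110 to SERVICE_WIN32_OWN_PROCESS plus SERVICE_INTERACTIVE_PROCESS, `Start` 3 to DEMAND_START, and the image path to the Temp directory under the user profile, which is the combination the warnings are written to catch; a `ServiceDll` or `Description` value, which legitimate Windows services usually carry, is absent from the export and the script simply reports what is there.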

Does GMER flag it as a rootkit? A 6-letter random name could be from GMER itself. It will create a driver with a random name of 6 letters.

So aswMBR.exe (avast! anti-rootkit utility).
What do you mean? When trying to terminate this with GMER your system will also crash? Unhooking something in the kernel can make your system crash; it does not mean that the driver being unhooked is malicious.
Also GMER shows the ysyfer.sys driver in its results.
Does it state this is a rootkit or a possible rootkit?
I scanned the whole PC with F-Secure, Kaspersky, Microsoft Windows Defender Offline, Panda Cloud and Comodo, all of them rescue disks, and nothing was found.

Using the Sysinternals suite I found this entry in the registry:

And this app → C:\Users\Ardian\AppData\Local\Temp\KRECWLENUZWGAI.exe was running as a service.

Yet one of the .dll files extracted from the memory dump was recognized by the Comodo scanner as malware → VirusTotal

When you don't trust it, disable the service with the Autoruns tool (when needed, in Safe Mode).

Does it show up in KillSwitch? When it comes back after terminating it, make sure to suspend it, and possible parents or siblings first, and then terminate it.

And while doing research using netstat, TCPView or Process Explorer and volatility, I saw that one of the iexplore.exe instances had PID 0.

Still searching for a solution. Will respond later.

KRECWLENUZWGAI.exe
For malicious files like this, why don't you right-click on it and click on Properties? Find out the dates on it. Then use the search feature and find the files that were created around the same time as the malicious ones.

No. It shows it as a normal service, but without any description or path to the .exe file. Also, KRECWLENUZWGAI was shown as a "normal" service, not classified clearly as malware.

Yeah, I know that GMER creates such a driver, I've even seen it with my own eyes, but hvbubo looks too suspicious to me.

You didn't understand. I meant: GMER keeps crashing (I don't know why, but I heard it's pretty common for it) while doing quick or full system scans. And when I stop the scan to kill or delete found services that I think are suspicious, GMER crashes as well. Also this aswMBR.exe keeps crashing while doing a scan, no matter what type of scan I do, quick or full. Both apps keep crashing, but they don't crash the system; the system still works, I just get the info that the app isn't responding and should be killed. aswMBR is made by ALWIL Software, the creators of avast! AV. It's an anti-rootkit utility based on GMER, so maybe that's why it crashes as well...

Yeah, I remember.

No, KRECWLENUZWGAI.exe doesn't show in KillSwitch or anywhere else as an actually existing app per se in my system. It's just a remnant of some malware, which probably was already deleted, or was just made to download something more dangerous and deleted itself after doing its work, but it's still shown by GMER as an existing service or just an entry in the services list; I couldn't determine this for sure because of the GMER crashes.

But I can assure you that this unknown, unnamed process keeps appearing, even if I kill it using TCPView.

I didn’t know aswMBR.exe is based on GMER.

Yeah, I remember.

No, KRECWLENUZWGAI.exe doesn't show in KillSwitch or anywhere else as an actually existing app per se in my system. It's just a remnant of some malware, which probably was already deleted, or was just made to download something more dangerous and deleted itself after doing its work, but it's still shown by GMER as an existing service or just an entry in the services list; I couldn't determine this for sure because of the GMER crashes.

Does it show up in the list of services running in KillSwitch or Process Hacker?

But I can assure you that this unknown, unnamed process keeps appearing, even if I kill it using TCPView.
As stated before, that is an anomaly of the instrument when closing connections.

It is not feasible to infer anything from GMER and its derivative because it keeps on crashing. We set that instrument aside as it is not stable.

TDSSKiller does not find anything. For a further opinion on rootkits, try Bitdefender Rootkit Remover. Also, let VT rescan the suspected KRECWLENUZWGAI.exe and see if other scanners are not detecting it.