Full Version: Experienced Users Only
Kaspersky Lab Forum > English User Forum > Virus-related issues
cd08
Ok I'm on the hunt for an unknown malware that is using legit methods to avoid detection. I believe it is inside the burned DVD copy of Vista HP that I have; it's a copy of the original version burned to DVD.

Obviously buying a new version of Vista would be a possible solution to this problem, but that solves nothing about the malware, how it works, where it's located, what it does, how it avoids detection, how to block it, or how to prevent it.

So that is the ultimate goal.

I reformatted and installed from the DVD and customized my settings to maximum. I received:

"Desktop Window Manager is trying to take a screenshot"
"Windows Explorer is trying to take a screenshot"
"Consent UI For Admin Priv. Is taking a screenshot"

Consent.exe located in windows\system32 brings up "Is trying to take a screenshot" warnings a lot but I've found that it isn't set to snap at intervals unless it randomly takes screenshots which I doubt. I think it's set to take a screenshot whenever certain actions occur or when specified window is opened or closed.

AVZ4.zip\avz4.exe found these in safe mode. It never finds anything in regular mode...must be something blocking its access...?

C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{067a5ee9-b4a3-441b-89e7-b78b00d7745f}\snapshot.etl >>> suspicion for Backdoor.Win32.Canvas.10 ( 1CA2801C 1E621768 004D6E44 004D6E44 180224)

C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{2d63cb6a-50ce-4c29-bec5-c30dc511e7b6}\snapshot.etl >>> suspicion for Backdoor.Win32.Canvas.10 ( 1CA16CBA 1E621768 004D6E44 004D6E44 180224)

C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{3c8f003f-b020-459e-82bd-1d21c4d0f599}\snapshot.etl >>> suspicion for Backdoor.Win32.Canvas.10 ( 1CA180D5 1E621768 004D6E44 004D6E44 180224)

C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{494582a8-a11e-4892-810d-358019ce6b29}\snapshot.etl >>> suspicion for Backdoor.Win32.Canvas.10 ( 1C9FBA5F 1E621768 004D6E44 004D6E44 180224)

C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{6d485ff1-6f8d-467c-9f1d-6a8496a8e562}\snapshot.etl >>> suspicion for Backdoor.Win32.Canvas.10 ( 1CA330E8 1E621768 004D6E44 004D6E44 180224)

C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{a927cf38-7751-4a38-b393-4d7ae49c8b04}\snapshot.etl >>> suspicion for Backdoor.Win32.Canvas.10 ( 1CA1DE95 1E621768 004D6E44 004D6E44 180224)

C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{afe103f4-0d24-4ced-8875-75070baf6e03}\snapshot.etl >>> suspicion for Backdoor.Win32.Canvas.10 ( 1CA224DE 1E621768 004D6E44 004D6E44 180224)

C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\{b767e628-0ca6-4708-a9e8-800708ed1ada}\snapshot.etl >>> suspicion for Backdoor.Win32.Canvas.10 ( 1C9FA898 1E621768 004D6E44 004D6E44 180224)

There were 4 more that I forgot to log.


The second thing I can't figure out is why this:

Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\index.dat
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\UsrClass.dat
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\UsrClass.dat.LOG1
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\index.dat
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\MSHist012009062620090627\index.dat
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\History\History.IE5\index.dat
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\UsrClass.dat
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\UsrClass.dat.LOG1
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\index.dat
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\index.dat
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\MSHist012009062620090627\index.dat
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\History\History.IE5\index.dat
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\History\History.IE5\MSHist012009062620090627\index.dat
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\UsrClass.dat
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\UsrClass.dat.LOG1
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\UsrClass.dat{3547556e-628f-11de-b2ec-00508dedb84d}.TM.blf
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Temporary Internet Files\Content.IE5\index.dat
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\History\History.IE5\MSHist012009062620090627\index.dat
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\History\History.IE5\index.dat

Why do I have 8 to 8 levels of Application Data? THERE ARE ALMOST 50,000 FILES UNDER THESE - from a fresh install with nothing else installed.

Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\

It's like it's trying to bury itself or something. Trying to hide something.

I need to figure out how to get rid of this. I deleted the "suspected" files but still get "Is trying to take a screenshot" warnings - mostly from consent.exe.

I can't find much information about it on google. I ran 5 other scanners and they've found nothing. It seems to be using legit methods so it won't be detected using a scanner.

Whatayathink?
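As an added illustration (not part of the thread, and not a feature of AVZ or any other tool named here): a small Python parser for the "Direct reading" lines above. It collapses runs of an identical directory component such as the repeated "Application Data" and groups the results, so one can see how many distinct files the long nested paths actually resolve to. Repeated components like these are a known effect of a scanner following the compatibility junctions Vista keeps under a user profile ("Local Settings", "Application Data") back into the same directory; the log lines below are a constructed, shortened sample modelled on the post.

```python
import re

# Constructed sample of AVZ "Direct reading" lines, modelled on the post
# (shortened; the real log had up to eleven nested "Application Data" components).
SAMPLE_LOG = r"""
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\Microsoft\Windows\UsrClass.dat
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Microsoft\Windows\UsrClass.dat
Direct reading C:\Users\CeeD\Local Settings\Application Data\Application Data\Application Data\History\History.IE5\index.dat
Direct reading C:\Users\CeeD\Local Settings\Application Data\History\History.IE5\index.dat
Direct reading C:\Windows\System32\drivers\etc\hosts
"""

LINE_RE = re.compile(r"^Direct reading (?P<path>.+?)\s*$")


def collapse_repeats(path):
    """Collapse consecutive identical directory components (case-insensitive)
    into one. Returns (collapsed_path, longest_run_of_repeats)."""
    out, run, max_run = [], 1, 1
    for part in path.split("\\"):
        if out and part.lower() == out[-1].lower():
            run += 1                      # same component again: drop it
            max_run = max(max_run, run)
            continue
        run = 1
        out.append(part)
    return "\\".join(out), max_run


def summarize(log_text):
    """Group 'Direct reading' lines by collapsed path.
    Returns {collapsed_path: {'hits': n, 'max_depth': longest repeat run}}."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a 'Direct reading' line
        collapsed, depth = collapse_repeats(m.group("path"))
        entry = summary.setdefault(collapsed, {"hits": 0, "max_depth": 1})
        entry["hits"] += 1
        entry["max_depth"] = max(entry["max_depth"], depth)
    return summary


def looped_paths(summary, min_depth=2):
    """Collapsed paths that were only reached through a repeated component:
    the scanner revisiting the same directory, not distinct files on disk."""
    return sorted(p for p, e in summary.items() if e["max_depth"] >= min_depth)


if __name__ == "__main__":
    for path, e in summarize(SAMPLE_LOG).items():
        print(f"{e['hits']} hit(s), longest repeat run {e['max_depth']}: {path}")
```

Run it over a full AVZ log instead of SAMPLE_LOG to get a count of real files versus re-visits; a handful of collapsed paths with thousands of hits points at directory recursion rather than thousands of hidden files.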

Darrel_Kaspersky_UK
Hello,

Vista's formatting options are....interesting to say the least - try running (as basic as it sounds) a disc cleanup to clear out the old windows installations - this should help out.

With regards to the possible infection, send me a sample of the .etl files and I can have them analysed and confirmed.

Please remember to rar and password protect the files.