PREVX CSI finds up C:\Device.exe

[polonus]

Hi malware fighters,

No trouble so far, downloaded a new version of PREVX CSI in detection mode, after scanning with this version it came up with Status Rootkit C:\Device.exe 1368 Hidden Process 1184
Of course could not find any Device.exe even making hidden files and folders searchable. Funny thing however when I start up scanning Gmer the computer on my normal account started to automatically reboot after some time, second time again automatically rebooted again spontaneously.

Is this the real thing, is this a FP that came with the new PREVX CSI version. How can I check this, and where to look for the hidden process? Anyone to advise?

polonus

[polonus]

Hi again,

Now I got a full gmer scan, and pid 1368 is Windows\system\svchost.exe -k netsvcs

polonus

[essexboy]

Have you tried an Icesword scan as that is quite good at finding rootkits ?

Please download and unzip Icesword to its own folder


If you get a lot of "red entries" in an IceSword log, don't panic. 

Step 1: Run IceSword. Click the "Processes" tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Note the filenames of processes in red color. Also, make a note of the folders.

Step 2: Click the "Win32 Services" tab and look out for red colored entry in the services list. This red colored service entry indicates that it’s rooted. Note the name of this service.

Step 3: Now, click "SSDT" tab and check for red colored entries. If there are any, note the file and folder names.

Now post all of the data collected under the headings
Processes
Win32 Services
SSDT

[polonus]

Hi essexboy,

Well. my friend, my findings: no hidden processes found up, no hidden win32 services running, none red found up, in SSDT a dozen or so for \System Root\system32\DRIVERS\cmdguard.sys
Info it is a legit Comodo file:
http://www.runscanner.net/process.aspx?p=cmdguard.sys

Nothing for 1368 02 1184. nothing on device.exe (this would be normally in Device Manager and would start up at boot-up). So what next? I start to think of an FP?

polonus

[polonus]

Hi essexboy,

I also did a scan with CatchMe by Gmer a stealth rootkit scanner, detected NTDLL code modification ZvClose,
here are the results of the scanning:
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 21:11:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
So what?

polonus

[essexboy]

Device.exe is generally related to WindowsCE not the full blown version which uses services.exe

FP ?

[polonus]

Hi essexboy,

Also scanned with MacAfee's Rootkit Detective. nothing found. Services.exe is there on the standard place: system32. I haven't the greenest what Prevx CSI flags,
If malware device.exe could be inside this:
Sophos W32/Gallory-A http://www.sophos.com/security/analyses/w32gallorya.html

pol

[polonus]

Hi essexboy,

I also encountered devic.exe in this particular ComboFix script:
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemDevic"=-
"System Service Manager Device"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"System Service Manager Device"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

File::
C:\0h00.exe
C:\WINDOWS\system32\lcvdlpis.ini
C:\WINDOWS\system32\bvkwijqt.ini
C:\WINDOWS\img5-2007.zip
C:\WINDOWS\devic.exe
C:\devic.exe
C:\WINDOWS\system32\VundoFixSVC.exe
C:\WINDOWS\system32\svho.exe

Folder::
C:\Program Files\Options.ini
C:\Program Files\license.txt
C:\Program Files\File_id.diz


pol

[polonus]

Hi essexboy,

Also try to check on this:
http://forum.telecharger.01net.com/telecharger/securite_virus_et_assimiles/trojan_et_spywares/resolu_win32_small_ikz_besoin_daide_svp_resolu-429898/messages-1.html

device.exe can be part of it,

pol

[polonus]

Hi essexboy,

Also performed a scan with Sophos Anti Rootkit, results: No hidden items, Time taken: 7 min 59 seconds.
That means Gmer: no results; MacAfee Rootkit Detective: no results; Gmer's stealth scanner CatchMe: no results, and also IceSword results, but they are known as part of Comodo's software. So more and more I lean to an FP on behalf of the Prevx CSI recent version, as I had that for some time and it did not signal anything with the former scanner, the only funny file I have in system32/drivers is  剐䍏塅ㅐ〰匮卙 = procexp.sys - but I checked on that some time ago and no malware found,
I did another test, uninstalled Precx CSI scanner then downloaded it again: it found the same Device.exe
but oh surprise as other processes now Hidden Process 140 Hidden Process 732 and Hidden Process, all green, and detection after Comodo FW alerted that the scanner wanted access to the Internet, this was enough for me to decide to uninstall Prevx CSI free scanner (trial without possibility to delete, that is included with the paid licensed version) period,

polonus

[essexboy]

Definitely smells like an FP to me especially as it can not be found

[polonus]

Hi essexboy,

Yes I lean to it more and more, because as I said the place in the scan where it apparently was found (Device.exe) varied, the hidden processes denoted by the scanner varied, two and three with the second downloaded version. It still have their past in mind abit , where they had accusations as being rogue,

polonus