sandbox let me down in my latest test!

[PC__Gamer]

SO, that makes me the fool.

-------
[b] d:\games\battlefield bad company 2\support\battlefield bad company 2_code.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\battlefield bad company 2\support\battlefield bad company 2_uninst.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\call of juarez\cojbib_autoupdater.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\f.e.a.r\config.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\f.e.a.r\fear.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\f.e.a.r\fearmp.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\f.e.a.r\fearserver.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\f.e.a.r\fpupdate.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\f.e.a.r\wmfadist.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\fifa10\support\eadm\eadm-installer.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\fifa10\support\earegister.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\fifa10\support\fifa 10_code.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\fifa10\support\fifa 10_uninst.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\need for speed shift\support\eadm\eadm-installer.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\need for speed shift\support\need for speed shift_code.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\need for speed shift\support\need for speed shift_uninst.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\sims 3\support\eadm\eadm-installer.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\sonic & sega all-stars racing\config.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\sonic & sega all-stars racing\sonic & sega all-stars racing.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\unreal tournament 3\binaries\cookersync.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\unreal tournament 3\binaries\iscopyfiles.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\unreal tournament 3\binaries\uescriptprofiler.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\unreal tournament 3\binaries\unrealconsole.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\unreal tournament 3\binaries\unrealfrontend.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\unreal tournament 3\binaries\ut3.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\unreal tournament 3\binaries\ut3oshelper.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\unreal tournament 3\binaries\windows\ue3redist.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware

--------------

so, now im on a mission to get my system clean without hopefully losing my saved games. *lol*

should be fun.

[PX5: A63A6ECB007C31C580FA026826426D00573E76A3] < i hate you. (lol)

ive done countless tests in the past, and this was by far my biggest challenge, but lets just say - there was a nasty little bugger in there that has caused Chaos.

weird i would use that word, as my latest game is Just Cause 2 - the whole point is Chaos.

lol

[pling_man]

Sandbox isn't perfect. Do you make backup images of your system. If so, you could just "roll" back using one of those. It helps to store your user data, like your saved games on another partition though.

[PC__Gamer]

Quote:

Originally Posted by pling_man

Sandbox isn't perfect. Do you make backup images of your system. If so, you could just "roll" back using one of those. It helps to store your user data, like your saved games on another partition though.

i backup most things, including the saved games.

i think ive located it and sorted it, however... it did damage a few .exe files of my games, so i re-installation of those affected games may be needed.

just thought id alert people to the possibilitys of some of the newer samples.

[PC__Gamer]

ok, take it back.

still not found the solution.

prevx does pop up with an infection, even on a restored C:/, but im guessing it will be back.

obviously its now linked to my 2nd HD with the games installed.

time to use some tools and dig further.

however, i can tell you - this particular sample avaded Prevx, Hitman Pro with all its engines & even Malwarebytes too.

[Cudni]

Quote:

Originally Posted by PC__Gamer

however, i can tell you - this particular sample avaded Prevx, Hitman Pro with all its engines & even Malwarebytes too.

did you confirm it is malware and what is it? very unlucky all 3 missed it

[Triple Helix]

Quote:

Originally Posted by Cudni

did you confirm it is malware and what is it? very unlucky all 3 missed it

Yes that's true because there are allot of scanning engines involved!

TH

[PC__Gamer]

Quote:

Originally Posted by Cudni

did you confirm it is malware and what is it? very unlucky all 3 missed it

there was definatly malware, its changed some .exe's in my game files.

but figuring out how to track it is becoming troublesome!

prevx still pops up with the little square in the bottom-right of the screen to say its blocked it,but sometime down the line, it will do the same saying its blocked it, HMP and all the rest dont detect anything?

possible FP on this particular file?... maybe, shall see what Joe has to say, dont want to pester their support channels if its arrived from my-own-doing.

[Saraceno]

Download a-squared free, and scan your second drive with a deep scan. Found it and prevx to be quite good at identifying similar files.

[PC__Gamer]

Quote:

Originally Posted by Saraceno

Download a-squared free, and scan your second drive with a deep scan. Found it and prevx to be quite good at identifying similar files.

dont think i need to, think ive tracked it down to a file labelled 7433232.exe (i think it was called that) , i shall see if i notice anything from now on.

hopefully, i shouldn't.

messing with malware is a hobby of mine, sure.. i was a little stumped this time, but its all good fun trying to figure it out.

[acuariano]

did you post this problem in the sandboxie forum?

[Triple Helix]

Quote:

Originally Posted by PC__Gamer

dont think i need to, think ive tracked it down to a file labelled 7433232.exe (i think it was called that) , i shall see if i notice anything from now on.

hopefully, i shouldn't.

Upload to Virus Total and give the number of scanners that detect it as? Sounds like a nasty file infecter for sure!

TH

[PC__Gamer]

Quote:

Originally Posted by Triple Helix

Upload to Virus Total and give the number of scanners that detect it as?

TH

sorry TH, deleted it as soon as i found its location.

but i can tell you, HMP with all its engines didnt find it, nor did prevx (although prevx did keep blocking what it was trying to do, although it didnt block it creating its autorun/process), Malwarebytes was no luck either and neither did Panda's cloud either.

sometimes, the worst are the small ones, just 100k it was.

but, still not 100% my machine is all better, only some time will tell me, but i cant see anything in my usual searching/testing.

for safety reasons, ive also removed the games infected, most were old ones anyway so doubt i will be rushing to install them.

lots of games installed, was around 300gb of them, now i have just 125gb of them to play on.

[Triple Helix]

Quote:

Originally Posted by PC__Gamer

sorry TH, deleted it as soon as i found its location.

but i can tell you, HMP with all its engines didnt find it, nor did prevx (although prevx did keep blocking what it was trying to do, although it didnt block it creating its autorun/process), Malwarebytes was no luck either and neither did Panda's cloud either.

sometimes, the worst are the small ones, just 100k it was.

but, still not 100% my machine is all better, only some time will tell me, but i cant see anything in my usual searching/testing.

That's because the file infecter infected them in a certain way to evade detection! The reason given Malware Group: High Risk Cloaked Malware

TH

[PrevxHelp]

Quote:

Originally Posted by PC__Gamer

sorry TH, deleted it as soon as i found its location.

but i can tell you, HMP with all its engines didnt find it, nor did prevx (although prevx did keep blocking what it was trying to do, although it didnt block it creating its autorun/process), Malwarebytes was no luck either and neither did Panda's cloud either.

sometimes, the worst are the small ones, just 100k it was.

but, still not 100% my machine is all better, only some time will tell me, but i cant see anything in my usual searching/testing.

The file which has been copied over all of the program files you listed above is 163,840 bytes and was first seen + blocked by Prevx today. It appears to be a new Koobface variant which has an impressive dossier of behaviors in our database (had to scroll down multiple pages to get the full list of information on it )

I suspect we may have missed an ancillary file from the infection - could you possibly create a scan log and send it to report@prevxresearch.com to see if I can find any missed detection there?

Thanks, and good luck! Let me know if I can help in any other way as well.

[PC__Gamer]

Quote:

Originally Posted by Triple Helix

That's because the file infecter infected them in a certain way to evade detection! The reason given Malware Group: High Risk Cloaked Malware

TH

aye, i know.

Nod32 was the only engine to pick 2 games up in the HMP engines, apart from what prevx detected on my machine, but im sure these were community/age/heuristic type detections as Prevx in HMP didnt detect these, unless the signatures were only just created because of a first detection on my machine (this has happened with prevx before and the samples i play around with), either way - detection of the culprit avoided everyone!! (well, enough that i could be bothered to try) & Never really seen that before.

[Triple Helix]

Also I only play with nasties within my VM's in Shadow Mode just in case!

TH

[PrevxHelp]

Quote:

Originally Posted by PC__Gamer

aye, i know.

Nod32 was the only engine to pick 2 games up in the HMP engines, apart from what prevx detected on my machine, but im sure these were community/age/heuristic type detections as Prevx in HMP didnt detect these.

I actually suspect it is the cached detection in HMP. Prevx first saw the infection at 10:31am today and added detection automatically at 12:01 (90 minutes later) after seeing the second user hit by it. According to our database, we have not issued any Age/Popularity detections on this particular infection as it was caught automatically before it would have been classified as such.

[PC__Gamer]

Quote:

Originally Posted by PrevxHelp

The file which has been copied over all of the program files you listed above is 163,840 bytes and was first seen + blocked by Prevx today. It appears to be a new Koobface variant which has an impressive dossier of behaviors in our database (had to scroll down multiple pages to get the full list of information on it )

I suspect we may have missed an ancillary file from the infection - could you possibly create a scan log and send it to report@prevxresearch.com to see if I can find any missed detection there?

Thanks, and good luck! Let me know if I can help in any other way as well.

lol, not the first time ive added new samples to your cloud Joe & it wasn't the only new Koobface sample i was playing around with

and your right - what a beast the little git is.

all the more fun i say.

sure, i'll do ya a log if you like - may be quite long, i'll email it you after i do a full scan.

---

scan completed:



lol, i can tell you this is load.exe and was one of the un-detected samples i was playing around with, not the main culprit of the infections, just a un-detected one that is now detected it seems.


edit: Log Sent to report@prevxresearch.com - although it will be a shortened one as ive reverted back to my C:/ config since the infections, but do let me know if you see anything out of the ordinary, i think all is clear - hopefully.

[Hugger]

PC__Gamer,
I hope your system is back to 100% now.
Do you have any idea of how this would slip through your sandbox?
Thanks.
Hugger

[PC__Gamer]

Quote:

Originally Posted by Hugger

PC__Gamer,
I hope your system is back to 100% now.
Do you have any idea of how this would slip through your sandbox?
Thanks.
Hugger

no idea no, but im waiting for Joe to tell me if anything still remains on my system.

hopefully, all clear, but doubt it.

I cant see anything myself, but he's the expert.

Just tried to go on Dirt2 and prevx popped up with an infection for it.

[PC__Gamer]

prevx is detecting loads on my D:/ now,

so im going to format it and restore that drive from a backup i have.

-----
[b] d:\programs\newsdemon\nb553-64.exe [PX5: A63A6ECB8C7C31C50AFA3E6826426D0035C2A132] Malware Group: High Risk Cloaked Malware
[b] d:\programs\hitman pro x64\hitmanpro35_x64.exe [PX5: A63A6ECB407C31C593FA5C6826426D00448F580F] Malware Group: High Risk Cloaked Malware
[b] (ACTIVE) d:\programs\registry mechanic 9 2010\rminstall.exe [PX5: A63A6ECB707C31C502FA976826426D0085A83CCB] Malware Group: High Risk Cloaked Malware
[H] c:\program files\7-zip\7zg.exe [64] [PX5: DD2EAC780003EAC88C090559F81C4C003DA3A422] Malware Group: Community.Heuristic
[b] c:\users\168957\appdata\roaming\system\svchost.exe [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] (ACTIVE) d:\games\steam games\steamapps\common\just cause 2\vcredist\vcredist_x86.exe [PX5: A63A6ECBC07C31C50DFA2C6826426D00CBBF435A] Malware Group: High Risk Cloaked Malware
[b] (ACTIVE) d:\games\steam games\steamapps\common\just cause 2\directx\dxsetup.exe [PX5: A63A6ECB587C31C585FA0A6826426D002EBD3E50] Malware Group: High Risk Cloaked Malware
[b] (ACTIVE) d:\games\steam games\steamapps\common\just cause 2\justcause2.exe [PX5: A63A6ECB207C31C561FAE06826426D00AC4D5F55] Malware Group: High Risk Cloaked Malware
[b] c:\programdata\prevxcsi\qc.csi [PX5: A63A6ECB007C31C580FA026826426D00573E76A3] Malware Group: High Risk Cloaked Malware
[b] d:\games\dirt 2\dirt2.exe [PX5: A63A6ECB587C31C5E5FA5E6826426D00F1C465A8] Malware Group: High Risk Cloaked Malware
[b] d:\games\steam games\steamapps\common\fear2\support\directx9\dxsetup.exe [PX5: A63A6ECB507C31C587FA0A6826426D00DB507B43] Malware Group: High Risk Cloaked Malware
[b] d:\games\steam games\steamapps\common\fear2\support\vcredist_x86.exe [PX5: A63A6ECBA87C31C563FA2C6826426D00FF8B8E8F] Malware Group: High Risk Cloaked Malware
[b] d:\games\steam games\steamapps\common\fear2\support\wmfadist.exe [PX5: A63A6ECB907C31C5A7FA216826426D0058BA9281] Malware Group: High Risk Cloaked Malware
[b] d:\games\steam games\steamapps\common\fear2\fear2.exe [PX5: A63A6ECB287C31C599FA3A6826426D009AF9157D] Malware Group: High Risk Cloaked Malware
[b] d:\games\steam games\steamapps\common\call of duty modern warfare 2\iw4sp.exe [PX5: A63A6ECB587C31C5EEFA376826426D002414CA7E] Malware Group: High Risk Cloaked Malware
[b] d:\programs\sandboxie\sandboxieinstall.exe [PX5: A63A6ECBF17C31C5EFFA096826426D004F0B5669] Malware Group: High Risk Cloaked Malware
[b] d:\games\steam games\steamapps\common\left 4 dead\left4dead.exe [PX5: A63A6ECB007C31C500FA046826426D0043F778EE] Malware Group: High Risk Cloaked Malware
[b] d:\games\steam games\steamapps\common\left 4 dead\bin\addoninstaller.exe [PX5: A63A6ECB387C31C565FA046826426D00E7102076] Malware Group: High Risk Cloaked Malware
[b] d:\programs\intelburntest\intelburntestv2.exe [PX5: A63A6ECB007C31C5BEFA036826426D003B59B51F] Malware Group: High Risk Cloaked Malware
[b] d:\programs\newsdemon\new_rover.exe [PX5: A63A6ECBBD7C31C565FA5D6826426D00EBC94FE7] Malware Group: High Risk Cloaked Malware
[b] d:\games\steam games\steamapps\common\call of duty modern warfare 2\redist\vcredist_x86.exe [PX5: A63A6ECBC07C31C50DFA2C6826426D00CBBF435A] Malware Group: High Risk Cloaked Malware
[b] d:\games\steam games\steamapps\common\left 4 dead\bin\vpk.exe [PX5: A63A6ECB007C31C545FA056826426D00BD1D6B78] Malware Group: High Risk Cloaked Malware
[b] d:\programs\cyberlink powerdvd 9.1719\activation\keygen.exe [PX5: A63A6ECB007C31C5ACFA046826426D00D07B7A97] Malware Group: High Risk Cloaked Malware
[b] d:\games\steam games\steamapps\common\call of duty modern warfare 2\redist\directx\dxsetup.exe [PX5: A63A6ECB587C31C585FA0A6826426D002EBD3E50] Malware Group: High Risk Cloaked Malware
[b] d:\programs\ashampoo burning studio 9\ashampoo_burning_studio_9_910_sm.exe [PX5: A63A6ECB607C31C5A6FA326826426D03424D7E98] Malware Group: High Risk Cloaked Malware
----------

I think we just need to admit that all security tools are not up-to-the-task of this particular infection, ive tried MBAM, HMP, Prevx, Drweb, A-Squared and Panda Cloud Antivirus, all failed.

Prevx did keep telling me about 'new infections' & then deleting them, but then some other files would pop up infected, so the file infector itself is not being detected.

Never in 10+ years have i seen an infection avade so many security apps, its worrying to see, even to me who likes to see things on the wild side regarding malware, but at least i have alot of backups.

[Triple Helix]

That's the problem with file infecters most times you will have to Format & Reinstall the OS to make sure that it is gone! Sorry I don't have better news for you!

TH

[PC__Gamer]

Quote:

Originally Posted by Triple Helix

That's the problem with file infecters most times you will have to Format & Reinstall the OS to make sure that it is gone! Sorry I don't have better news for you!

TH

yep, prevx could go all day and detect new files infected, something i dont have the time for.

just disappointing that sooo many engines failed to detect this file infector.

[Triple Helix]

One other thing if I can suggest that if you are going to Play with nasties is to do it in a Virtual Environment of some kind to add to your security such as Virtual-box or VMware Player as they are free! Then add Shadow Defender so if any problems occur all you have to do is reboot and it's all gone! Just a suggestion!

TH

[Scoobs72]

PC_Gamer, just to be 100% clear, are you saying that you ran this malware under Sandboxie and that it escaped? You keep mentioning the generic term 'Sandbox' but it's not clear to me whether your Sandbox software is Sandboxie or something else. Could you clarify please. Thx