
Heads up! Keep an eye out for high GPU temps... hit by malware!


OCMusicJunkie (Member, joined Jan 13, 2013, Orange County, CA)
I'm just waiting for an ISO to download so I can reinstall my Windows 7 OS on one of my systems. Could have been saved, but I don't keep data on the OS drive, so this is just easier. Main warning sign: idle GPU temps in the 50-60C range! No other indicators in terms of CPU or easily suspect memory consumption! Keep HW monitor open if you're using Java on your system!

This was a pretty well designed and stealth bug. It was masked well from showing CPU activity or anything obvious in task manager or resource monitor. Once I figured out the windows services it was masking itself as, I couldn't use any of the normal tactics to shut down the process regardless of what I tried. Security Essentials missed it twice, so did Avast. Some research online pointed to a program that exploits Java for some sort of bitcoin scheme, and sure enough I had just installed java for the first time on this specific PC on Monday. Services and tasks it was running as or using were a match for what I had read about as well, and so apparently that's what it was.

I generally had gotten apathetic about using any sort of security software at all, since I have used luck and common sense to successfully avoid a single virus/malware issue for what must be five or more years. Not certain where this came from, but it got in quietly. Just watch out!
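The first post describes the payload hiding behind the names of Windows services and shrugging off every attempt to kill it from Task Manager. The following is an added example, not code from the thread or from any poster, of the check a responder would run before trusting the process list as shown: every process carrying the name of a core Windows binary is compared against the directory that binary legitimately lives in, svchost.exe is checked for its expected parent services.exe, and near-lookalike names (a swapped or substituted character) are caught. The expected directories assume a default C:\Windows install, the process list in SAMPLE is constructed rather than captured from anyone's machine, and the optional live collector assumes psutil is installed on the Windows box being examined.

```python
"""Added example: flag processes that pose as core Windows binaries.

Heuristics: (1) core name running outside its legitimate directory,
(2) svchost.exe whose parent is not services.exe, (3) name within one
edit or adjacent transposition of a core name. Not from the thread."""
import ntpath  # Windows path handling that also works when run on Linux

SYSTEM_ROOT = r"C:\Windows"          # assumption: default install location
SYS32 = ntpath.join(SYSTEM_ROOT, "System32")
WOW64 = ntpath.join(SYSTEM_ROOT, "SysWOW64")

# Core binaries malware likes to impersonate and where each is allowed to live.
CORE_BINARIES = {
    "svchost.exe": {SYS32, WOW64},
    "lsass.exe": {SYS32},
    "csrss.exe": {SYS32},
    "services.exe": {SYS32},
    "winlogon.exe": {SYS32},
    "smss.exe": {SYS32},
    "explorer.exe": {SYSTEM_ROOT},   # explorer.exe sits directly in %SystemRoot%
}
EXPECTED_PARENT = {"svchost.exe": "services.exe"}


def osa_distance(a, b):
    """Optimal string alignment distance: insert/delete/substitute plus
    adjacent transposition, so 'scvhost' and 'svch0st' are both 1 from 'svchost'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def find_masquerading(processes):
    """processes: list of dicts with keys pid, name, exe, parent_name.
    Returns a list of (pid, name, reason) findings in input order."""
    findings = []
    for p in processes:
        name = (p.get("name") or "").lower()
        exe = p.get("exe") or ""
        if not name or not exe:
            continue  # exited or access denied: nothing to judge
        directory = ntpath.normpath(ntpath.dirname(exe)).lower()
        if name in CORE_BINARIES:
            allowed = {d.lower() for d in CORE_BINARIES[name]}
            if directory not in allowed:
                findings.append((p["pid"], name, f"core name running from {directory}"))
            parent = (p.get("parent_name") or "").lower()
            want = EXPECTED_PARENT.get(name)
            if want and parent and parent != want:
                findings.append((p["pid"], name, f"parent is {parent}, expected {want}"))
        else:
            for core in CORE_BINARIES:
                if osa_distance(name, core) == 1:
                    findings.append((p["pid"], name, f"lookalike of {core}"))
                    break
    return findings


def collect_live():
    """Snapshot running processes into the same dict shape (assumption: psutil
    is installed and this runs on the Windows host under investigation)."""
    import psutil
    out = []
    for proc in psutil.process_iter(["pid", "name", "exe"]):
        try:
            parent = proc.parent()
            out.append({**proc.info, "parent_name": parent.name() if parent else ""})
        except (psutil.NoSuchProcess, psutil.AccessDenied):
            continue
    return out


# Constructed sample, not captured from any real machine.
SAMPLE = [
    {"pid": 620, "name": "services.exe", "exe": r"C:\Windows\System32\services.exe", "parent_name": "wininit.exe"},
    {"pid": 804, "name": "svchost.exe", "exe": r"C:\WINDOWS\system32\svchost.exe", "parent_name": "services.exe"},
    {"pid": 3120, "name": "svchost.exe", "exe": r"C:\Users\bob\AppData\Roaming\svchost.exe", "parent_name": "explorer.exe"},
    {"pid": 3188, "name": "scvhost.exe", "exe": r"C:\ProgramData\scvhost.exe", "parent_name": "explorer.exe"},
    {"pid": 1024, "name": "explorer.exe", "exe": r"C:\Windows\explorer.exe", "parent_name": "userinit.exe"},
]

if __name__ == "__main__":
    for finding in find_masquerading(SAMPLE):
        print(finding)
```

On the constructed sample only pid 3120 (a svchost.exe in a user's roaming profile, started by explorer.exe) and pid 3188 (the transposed name) are reported; the real svchost.exe in system32 passes despite the different letter case. The check is deliberately cheap and offline so it can be run from a clean boot against a mounted image as well as against live processes; it is a triage aid, not proof of infection, since a legitimate path can still hold a patched binary.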
 
If this happened to me, I would have used the opportunity to see which of the anti-virus software would detect it, if any.

A long time ago, I was on Norton and malware slipped through Norton. I then installed all the top Antivirus software which at the time was free to try.


Only Avira Antivir detected it, which is the only reason I use Avira today. Some of the other software detected it later on, which means their zero day definitions were not as up to date as Avira's, which underscored the importance of zero day definitions - not just definitions in general. ANY site can be a host through no fault of their own (even Microsoft's own - it got hacked in the past). This is why browsing w/o protection is risky, no matter where you go.
 
I had just been playing the odds and winning for a long time I guess. Having the redundancy of duplicate long-term storage on multiple systems (all in the same room) provided the luxury of having this be my worst-case scenario at least. Overall, I probably still had less of a headache having to re-install Windows once over that span than I would have had dealing with security software. That said, will likely use it now going forward once I settle on one....

I think that I'll actually take your suggestion and try to see what will catch this. Instead of reusing that drive I installed the new OS on the spare I had my benchmarking XP version setup on. So I still have the infected disk to tinker with. Might as well stick it in the bench rig where there are no other drives and see if I can't determine what anti-virus to use going forward... good call.
 
Kaspersky: Trojan.Win32.Jorik.IRCbot.xkt
Bitdefender: Trojan.GenericKDV.928214

Last I saw it was spread through skype. Supposedly all of the antivirus programs can detect it these days. Maybe there's a new flavour making the rounds.
 
In your case you had zero protection, so I guess that's different. For us it is how to best protect ourselves from zero day stuff.

What would you say to people (and we have them post in almost every discussion on this topic) who say that anti-virus protection is unnecessary as long as you watch which sites you visit. :)
 
What would you say to people (and we have them post in almost every discussion on this topic) who say that anti-virus protection is unnecessary as long as you watch which sites you visit. :)

Well, I was (sort of) one of those people yesterday. Today that's definitely not the case. I don't download torrents on this computer, I never download anything from unknown one-off mirror sites, never download any email attachments with windows since I manage my email through Thunderbird in Linux, and in this case I don't even use the program (skype) where this thing is supposed to spread. Beyond that I work in sales and know how to spot someone fishing for suckers because I've worked largely around those sorts of people.:p

Definitely didn't do anything that was "risky" that anyone else would have known better than to shy away from had they been behind the keyboard. Other than, of course, not using any security programs or firewall. So, if there is anyone who is assuming they can just make good decisions and avoid being hit eventually, I'm evidence it's not under your control sometimes to do so.

But if you just figure "meh" and that the tradeoff is worth eventually having to reinstall, I can obviously relate to that. :p I think it's part of the whole overclocker mentality that having to reconstruct your system over again is really no big deal. Heck, that's what we all do for fun around here. :attn:
 
The big picture is that it does not matter where you go, there are no safe internet destinations because the bad guys especially target "safe places" to set up malware on, without the knowledge of the web site owner.

Even some Google Store official apps had malware, and the authors didn't even know their software was injected with it. Google didn't know until the definitions were updated.


if anyone needs protection PM me i may have 2 free licences for bitdefender antivir 2013

When they asked Red Bull CEO why Red Bull is so expensive, he said "well how else will people know it's good?"

In the world of Antivirus software, we are dealing with the same thing, cost does not equal good zero-day definitions.
If pay-for Bitdefender's zero day defs are not as updated as freeware Avira's... then :shrug: ;)
 
Hey. They gave me 3 free codes for 2013 antivirus plus when i first purchased my 2012 internet security. If anyone needs it i will give'em.

Pay it forward. :)

PS (23.06.2013): the licences have been given away
 
When they asked Red Bull CEO why Red Bull is so expensive, he said "well how else will people know it's good?"

You've got the exact right idea about how the software world is now that open-source has been embraced so widely. I'd argue that if you take out the compatibility issues (which microsoft keeps alive for their own survival), even free operating systems are better designed than the paid ones. VLC player, Foobar 2000, all of the entertainment apps are better on the open-source side. It's just the way the world is moving.
 
Well this will teach me a lesson about assuming what the worst-case scenario is too quickly. Looks like it somehow made its way onto the HDD for this system and not just the SSD that the operating systems were on. I've got to take a look at that drive now and see if I can determine where it's hiding out at, because the antivirus programs (SE/Avira/Avast/Malwarebytes) are missing it, and it's disabling my ability to kill the tasks or services. :mad:

Now I know how these things are all over the place. All I want to do now is figure out a way to write a worm to get into whoever's system coded this thing. Pretty sure that's why he wrote this, and so on down through history...
 
Do all your web browsing in a sandbox, and get the sandbox to automatically delete the contents after each browsing session.
 
Well this has been a disaster. I'm now down to one working system (laptop) out of four. I can't install an OS or even boot into a live CD with all drives disconnected on the other three. Apparently whatever it is, there's no way to totally wipe it out and close the back door it opened with avira/mse/avast/comodo/avg/adaware. Trying to figure out how to just preserve the JPG files on my storage drives in one safe container before continuing on. Pretty sure it's embedded itself into the UEFI BIOS storage for the motherboards, as nothing else could be spreading it still. Not even sure how to wipe that, as flashing it seems to only update the version and leave behind the data (profiles and such).

When this is done, I'm running W7 inside of Linux via VM only. What a lesson here...
 
I'm trying to see what's going on here. How do you know you have a virus?

Your video card temperature jumps? Can you repeat this symptom using a different video card?
 
Hey thanks- I know I've left out some critical info here, so I'll try to lay it out a bit more clearly and with some luck, maybe you can tell me what I'm missing.

There are a few symptoms that make me think there is obviously something going on here that I'm not seeing. First, the GPU temp jumps regardless of what AMD card I stick in there. For some reason, my Nvidia GT 620 doesn't. I'm talking almost double normal temps, and somehow even after I just flashed the BIOS clean, formatted the SSD, and reinstalled Kubuntu as the only OS. No connection to any other disks, and the install disc was at least six months old, so I assume clean.

The easy one here is that I've found a handful of trojans using mostly Avira and CCE virus scans. I obviously have tried removing them, rescanning with both programs and hoping. But sure enough, I'll find more malware show up six hours later with a scan, even if I don't connect to the web. Actually, my ROKU even went buggy yesterday for the first time in over a year, and sure enough I had stuck a USB drive with music in the thing from an infected computer before I knew what was happening. Had to reflash the firmware back to factory to get it working.

Lastly, folders pop up that are hidden and serve as shortcuts to other areas of the drive. For a while I was fighting the system last night because it kept installing a third partition on the drive immediately before the system reserved partition for Windows.

So beyond flashing BIOS with the latest version, formatting the SSD to be free of all partitions, then booting straight to a Kubuntu/Windows disc with no other storage attached, what could I be missing? Could someone be accessing the systems through my router without me seeing it, or is there storage for things like the chipset drives that could be infected?

I've never heard of a virus actually rendering hardware useless other than stuxnet, but in my case, I'm just about ready to throw the towel in on these things. :confused:
 
OCMusicJunkie, I would not be surprised if your problems are *not* caused by malware.

There has been a huge assumption here - one that almost everyone who started to look at this thread was led to believe was true - then walked away because they thought you have a virus problem. While anything is possible, I myself have not looked at all the details because the entire thread is drowned in the correct or incorrect virus assumption.


You need to start from the beginning.... Let me read at least your last post here in more detail.
 
OCMusicJunkie said:
First, the GPU temp jumps.
OK so cooling problem, you are in Orange County, CA, summer time. Huge Leap to assume it's a virus. More likely other cause.


OCMusicJunkie said:
For some reason, my Nvidia GT 620 doesn't.
Must be some selective virus there - or no virus at all as the cause of GPU temps.


OCMusicJunkie said:
The easy one here is that I've found a handful of trojans using mostly Avira and CCE virus scans.
You may have some problems there but probably not the cause of your problem with temps.

You said you have the option to reinstall. Why not start there. Install one of these five after you reinstall Windows: Avira or 2013 versions of Norton or TrendMicro or Kaspersky or McAfee. You're on your own if you install other anti-virus software ;).


OCMusicJunkie said:
Actually, my ROKU even went buggy yesterday for the first time in over a year, and sure enough I had stuck a USB drive with music in the thing from an infected computer before I knew what was happening.
Other things go wrong for me 10/10 times whenever I OPEN my computer case. That doesn't mean the original problem caused it.

Scan your USB Flash drive with one of the five programs I mentioned. Is it infected? No? Then virus may not have caused your ROKU to go belly up.


OCMusicJunkie said:
Lastly, folders pop up that are hidden and serve as shortcuts to other areas of the drive.
Are you sure you are not talking about normal Windows behavior?



OCMusicJunkie said:
For a while I was fighting the system last night because it kept installing a third partition on the drive immediately before the system reserved partition for Windows.

Are you talking about the normal hidden boot partition Windows 7/8 install where your BCD info is installed?
Perhaps that is what it is and not someone remotely installing partitions willy-nilly on your system... for fun. They usually are too busy doing more sinister stuff.


OCMusicJunkie said:
What could I be missing?
Starting a thread dealing with not so unusual Video Card temperature problem that has nothing to do with virus causing it ;)
 
Well, I know this sounds sort of like a leap. However, I run hwmonitor in windows and psensor in linux virtually 100% of the time... I know what temps are normal for my systems relative to room temp, +/- one or two degrees Celsius. For my 6870 and 6850 to have their temps shoot from the 38-40C range to 60-65C in two different systems within a day of each other means there is something fishy. Maybe it's not a virus, but I don't know how else to explain that. Especially considering I was clean going through malware scans just a couple of weeks ago, and now I have every computer/disk showing positive for them repeatedly.

I know some of what I'm noticing now is probably being hyper-alert to things I'd normally just overlook. However, some of it is just too unusual to have never caught before, I think...

The partition I am talking about was being placed in front of the hidden system partition where the normal boot record for windows would reside. It was moving the entire filesystem over by something like 10MB to place its own partition there, which had a shortcut that would then come up in the primary C: partition's main directory. The shortcut belonged to the user "Trusted Installer", which is the same service running at around 5% cpu use and 100mb of RAM regardless of whether or not the system configuration is set to disable the Windows Installer. There was nothing placed there, hidden or otherwise, and the reserved space still had all the windows bootloader files.

I don't claim to know why the Nvidia is running normally compared to the AMD's, but the AMD cards all do share the same driver. It's not too crazy of a hunch to say if there was something malicious going on, the individual may not have spent equal time finding holes in both manufacturers' drivers. Again, this part really is admittedly pure speculation.

The USB drive was an exact duplicate of the partition for my HTPC that I keep all of my MP3's in, which was the directory where Avira found one instance of the Trojan. I wish I could recall the name. Will have to write it down once it's caught the next time. Had it by memory yesterday so didn't bother.
 
Repeat after me.

Virus is not the cause of my GPU problem.
Virus is not the cause of my GPU problem.... :)


Now go over here:
http://www.overclockers.com/forums/forumdisplay.php?f=85

Start a short thread describing *only* your GPU temperature problem and nothing else. Do not mention the word 'virus' or discuss other issues, which we can resolve separately.
 
Okay, so maybe your whole Occam's razor approach is right here and I owe you an apology. :chair:

While the initial symptom with the GPU was in fact spotted inside Windows, the persistent one was in fact the default driver for linux not using any powersave features with the GPU. Once I got into terminal and installed CCC 13.4 instead of the stock driver, temps came back down to normal.

I now have one functioning desktop and *hope* the other two will show the same to be true.

Had been so long since I had any malware before Avira and MSE picked up some at the time I started this thread, I guess I did let paranoia set in when I realized I had anything at all get into the things. Since I was alternating OS's and not isolating variables, I actually don't know at what stage the malware issue was resolved. I'm guessing somewhere right after I did the first secure format and clean OS install, which I'm thinking was of course probably Linux, and thus the temps going nuts. :rolleyes:

Still have to sanitize the HDD's that have my storage data on them, as those do indeed get pinged with malware still if running consecutive passes with Avira and MSE or Comodo, but that should just be a matter of patience more than anything now.
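The thread resolves on the difference between a GPU that is actually busy and one whose clocks simply never drop at idle because the driver is not managing power. As an added example, not code from the thread or from any poster, here is the triage logic that separates those two cases from a plain cooling problem, applied to constructed readings in the shape HWMonitor or psensor logs give: an idle baseline is taken from a period known to be clean and idle, and then GPU load and core clock decide the verdict for each later reading. The thresholds (10 degrees C over baseline, 30 % load, 80 % of maximum clock) and the 100/900 MHz idle and 3D clock figures are assumptions for illustration, not values taken from the thread.

```python
"""Added example: classify a raised GPU temperature by what else the sensors say.

Verdicts:
  normal        temperature within delta_c of the idle baseline
  hidden_load   hot and the GPU reports real load: find the process using it
  clocks_pinned hot, no load, core clock stuck near maximum: power management
                is off (the Linux stock-driver case the thread ended on)
  cooling       hot, no load, clocks at idle: ambient, dust or fan problem
Thresholds and clock figures are assumptions, not measured values."""
from statistics import median

# Assumed clocks for the card under test (idle and full 3D), in MHz.
IDLE_CLOCK_MHZ = 100
MAX_CLOCK_MHZ = 900


def idle_baseline(known_good_temps):
    """Median temperature over a window the owner knows was idle and clean;
    the median ignores the occasional spike from a browser or a scan."""
    if not known_good_temps:
        raise ValueError("need at least one baseline reading")
    return median(known_good_temps)


def classify(sample, baseline, delta_c=10, load_pct=30, clock_ratio=0.8):
    """sample: dict with temp_c, gpu_load_pct, core_clock_mhz."""
    if sample["temp_c"] < baseline + delta_c:
        return "normal"
    if sample["gpu_load_pct"] >= load_pct:
        return "hidden_load"
    if sample["core_clock_mhz"] >= MAX_CLOCK_MHZ * clock_ratio:
        return "clocks_pinned"
    return "cooling"


def triage(known_good_temps, samples, **thresholds):
    """Return (timestamp, verdict) for every sample that is not normal."""
    baseline = idle_baseline(known_good_temps)
    return [(s["t"], classify(s, baseline, **thresholds))
            for s in samples
            if classify(s, baseline, **thresholds) != "normal"]


# Constructed readings, not taken from the poster's machines.
KNOWN_GOOD = [38, 39, 40, 38, 39, 41, 39]          # idle, clean, Windows, CCC driver
SAMPLES = [
    {"t": "08:00", "temp_c": 40, "gpu_load_pct": 0, "core_clock_mhz": 100},
    {"t": "08:05", "temp_c": 62, "gpu_load_pct": 95, "core_clock_mhz": 900},
    {"t": "08:10", "temp_c": 61, "gpu_load_pct": 1, "core_clock_mhz": 900},
    {"t": "08:15", "temp_c": 58, "gpu_load_pct": 2, "core_clock_mhz": 100},
]

if __name__ == "__main__":
    for when, verdict in triage(KNOWN_GOOD, SAMPLES):
        print(when, verdict)
```

The 08:10 reading is the situation the thread ended on: the card is as hot as under load, yet reports almost no load and a core clock that never came down, so the driver rather than a miner is the first thing to check. Only the 08:05 pattern, heat together with real load and nothing in the process list to account for it, justifies the malware hunt the poster started with.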
 