
malware loading into graphics memory?


15 replies to this topic

#1 dharma_bear

Posted 28 June 2009 - 03:01 PM

The symptoms of my problem were (1) a small rectangle in the upper left hand corner of my monitor dotted with a fixed set of inappropriate pixels that never changed and (2) Kaspersky Internet Security would periodically fail and have to reconstruct itself. At Kaspersky's direction I ran Combofix and the pixel problem was resolved. It is too soon to tell if the Kaspersky problem is resolved. Scans by Kaspersky and, prior to that, AVG, never turned up anything.

Just curious if anyone out there has ever heard of this sort of thing - interested to find out more about it.


#2 Zllio

Posted 02 July 2009 - 01:36 AM

Hi dharma bear,

Welcome to Bleeping Computer.


My attention was immediately drawn to the idea of inappropriate pixels. What do you mean? Do you mean that the pixels created an image that was explicit in some way?

The scan you ran removed malware and what it removed is often listed at the beginning of the report. We cannot use that tool or the log from it in this forum, but the information of what was deleted could be helpful in our identifying what infection this might have been.

I recommend that you additionally do the following:

Step 1: ATF Cleaner



If you're running XP, please run ATF cleaner according to the following instructions. If you're using Vista, right-click on the icon and select "run as Administrator".


Please download ATF Cleaner by Atribune & save it to your desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".



Step 2: MalwareBytes


Please download Malwarebytes Anti-Malware and save it to your desktop.
MalwareBytes

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable security programs or permit them to allow the changes.

  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



Step 3: Next I would like for you to run an online scan called BitDefender

Note: You can only run this scan with Internet Explorer with ActiveX enabled.


Please run a BitDefender Online Scan

  • Click I Agree to agree to the EULA.
  • Allow the ActiveX control to install when prompted.
  • Click Click here to scan to begin the scan.
  • Please refrain from using the computer until the scan is finished. This might take a while to run, but it is important that nothing else is running while you scan.
  • When the scan is finished, click on Click here to export the scan results.
  • Click on the Detected Problems tab. Then select Click here to export the scan report.
  • When the window comes up to save the report, change the Save as type box to Text (Tab Delimited) (*.txt)
  • Then in the File name box enter bdscan then click save.
  • Please upload this file with your next post as an attachment, or post the contents of the file into a code box. To do this, simply paste the contents of the file into your Add Reply box (do not use quick reply) and then highlight just those contents and click on the button five over from the smiley face beneath the fonts which is called Wrap in code tags. You can only see this if you allow your mouse to hover over that button.



Step 4: Please post the logs or reports for the following:
  • MalwareBytes
  • BitDefender

Let me know how this went?
Zllio


#3 dharma_bear (Topic Starter)

Posted 02 July 2009 - 05:21 PM

Hi Zllio,

Much to my disappointment the "inappropriate" pixels have returned. The pixels are not "porn" but are inappropriate because they do not display what they should. They are unchanging: some dots, some diagonal lines, different colors.

Kaspersky has not failed yet, since running combofix, but it did not fail all that often before, so the jury is still out on this one.

The combofix log starts with "other deletions" which lists only one temporary folder: c:\windows\Downloaded Program Files\Temp

I will run what you suggested and get back to you.

Best Regards,
d.b.

#4 Zllio

Posted 03 July 2009 - 12:38 AM

Hi dharma bear,

I looked for your symptoms and found a thread which displays a picture of a screen in which a tiny corner of the upper left of the screen does not load properly. I wonder if that is what you are experiencing? I first thought you meant something like a hole where a missing icon should be located.

If you go to this website: http://forums.mozillazine.org/viewtopic.ph...958&start=0

Look at the first two pictures in the very upper left-hand corner. There's a tiny piece missing. Does your screen look like that?
Then in the third picture, which is of the screen saver or the desktop, you'll see that it is not there.

Is this in any way similar to what you are getting?

The instructions I gave you in post 2 would be worth doing. They will not conflict with your Kaspersky and may give us some more information.

Thanks.
Zllio

#5 dharma_bear (Topic Starter)

Posted 03 July 2009 - 09:24 AM

Hi Zllio,

Thanks for searching! The pixels I am seeing are different. I first tried to do a screen capture with Prt Scr but they did not show up! So I had to resort to taking pictures with my digital camera. I have posted the shots on my flickr page here: http://www.flickr.com/photos/11182709@N00/

Interesting, eh?

Best Regards,
d.b.

#6 DaChew

Posted 03 July 2009 - 09:52 AM

If they don't show in prntscrn then it might be something in the video card, vga cable or monitor?
Chewy


#7 dharma_bear (Topic Starter)

Posted 03 July 2009 - 10:20 AM

Running ComboFix resolved this problem, for a while, indicating to me it is not a hardware problem.

#8 DaChew

Posted 03 July 2009 - 10:32 AM

It might be your video driver but prntscrn should capture the bad pixels if your hardware is good, have you changed resolution to see if that affects the problem?

What make and model of computer and video do you have?
Chewy


#9 Zllio

Posted 04 July 2009 - 07:12 AM

Hi dharma_bear,

I would like to add a couple of thoughts to those just posted by DaChew. The pictures you posted (very interesting by the way) looked like a standard icon size. Have you checked through your list of programs, to see if any program, which should have an icon on the desktop, is missing its icon? Secondly, what happens if you right-click on that patch? Do you get the dropdown menu you would get for the screen itself? Or do you get the dropdown menu you would get for a program? These two menus are different. If you get the dropdown which you would get for a program, what does it say in properties?

I don't know if you ran any of the scans I posted. I would be especially curious to know if BitDefender found anything. The ATF Cleaner has the purpose of keeping your temp files cleaned out. Since this is what CF removed and it led to an improvement with Kaspersky, I highly recommend running ATF whenever you shut down the internet. Also, please note two things. Not everything CF removes is malware. Secondly, MalwareBytes has some ability to pick up rootkits.

Thanks.
Zllio

#10 Platypus (Moderator)

Posted 04 July 2009 - 08:51 AM

I think Zllio's comment about the size is significant, 32x32 pixels is the size of the tiles that make up a VGA image, so it appears likely to be a corrupt tile, but as DaChew points out, a fault that exists in the image held in the frame buffer will appear in a screen capture.

Unless the effect is actually occurring in the monitor's own drive circuitry (check by using the monitor on another system, or vice versa), I'd suspect maybe a fault in the overlay generator. Overlay content is added after the image leaves the screen buffer so doesn't appear in a screen capture. That could be hardware (the effect would still be there if the card was temporarily fitted to another system), or possibly a driver issue, so if you haven't already done so, perhaps try re-installing video drivers?

Edited by Platypus, 04 July 2009 - 08:53 AM.


#11 dharma_bear (Topic Starter)

Posted 04 July 2009 - 01:40 PM

The area occupied by the stray pixels did not behave any differently to mouse clicks (left or right) than the blank areas of my desktop.

Interestingly, changing screen resolution caused these stray pixels to disappear, and to remain disappeared even when I returned the screen resolution to its previous value. This tells me it is definitely not the monitor or cable.

Computer is an HP Vectra with 2GHz Pentium, 1.5 GB RAM. Display is ACER 19” LCD.

Platypus: could you give me link to better understand how the overlay generator fits into the scheme of things?

I ran ATF-cleaner. The menu options for Firefox and Opera were grayed out and inoperative. I do use both of these browsers.

I ran Malwarebytes anti-malware full scan and nothing malicious was found, log file below.

I attempted to run BitDefender. Apparently it requires IE. I loaded the page using IE, added it to my trusted sites list, and turned off the pop-up blocker. When I clicked on the “Start Scanner” button IE told me “error on page”.

----------------


Malwarebytes' Anti-Malware 1.38
Database version: 2372
Windows 5.1.2600 Service Pack 3

7/4/2009 11:14:04 AM
mbam-log-2009-07-04 (11-14-04).txt

Scan type: Full Scan (C:\|)
Objects scanned: 296632
Time elapsed: 2 hour(s), 47 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#12 DaChew

Posted 04 July 2009 - 01:48 PM

What make and model of computer and video do you have?


Malware often damages drivers
Chewy


#13 dharma_bear (Topic Starter)

Posted 04 July 2009 - 02:08 PM

One more thing - when I ran combofix part of the process was to use safe mode, which used a different screen resolution. So this may have been responsible for the disappearance of these pixels rather than anything that combofix did.

#14 Platypus (Moderator)

Posted 04 July 2009 - 11:14 PM

Platypus: could you give me link to better understand how the overlay generator fits into the scheme of things?

About halfway down this article:

http://www.sonic.com/products/Consumer/Cin...celeration.aspx

the section titled Overlay gives a concept illustration. The contents of an area of memory is injected into the data passing from the video memory to the display.


If this is happening when it shouldn't, it could give the effect you're getting.

As DaChew points out, malware infection can damage drivers, or even part of DirectX could be corrupted and cause faulty overlay operation. So a fresh DirectX install is another thing to try if video drivers don't help. (DirectX should always be kept updated anyway for security.)
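A toy model of the distinction drawn in posts #10 and #14 (a frame-buffer fault shows in a Print Screen capture, an overlay-generator fault does not), added here as an illustration and not code from the thread; the screen size, pixel values and the stale 32x32 patch are all constructed.

```python
# Added example (not from the thread): a toy model of the scanout path described
# above. Print Screen reads the frame buffer; the overlay generator injects a
# separate block of memory into the data on its way to the display, after that.
# Screen size, pixel values and the 32x32 patch contents are constructed.
from typing import Dict, List

Frame = List[List[int]]

WIDTH, HEIGHT = 64, 48   # constructed tiny "screen"
TILE = 32                # the 32x32 tile size mentioned in post #10
BLANK = 0                # desktop background value
GARBAGE = 0xFF           # a stuck/garbage pixel value


def make_frame_buffer(width: int = WIDTH, height: int = HEIGHT) -> Frame:
    """A clean frame buffer: what the OS actually rendered."""
    return [[BLANK] * width for _ in range(height)]


def screen_capture(frame_buffer: Frame) -> Frame:
    """Print Screen copies the frame buffer only; nothing downstream is seen."""
    return [row[:] for row in frame_buffer]


def scanout(frame_buffer: Frame, overlay: Frame, enabled: bool,
            ox: int = 0, oy: int = 0) -> Frame:
    """Path to the monitor: when enabled, the overlay generator substitutes its
    own memory block for the frame buffer contents at (ox, oy)."""
    out = [row[:] for row in frame_buffer]
    if enabled:
        for y, row in enumerate(overlay):
            for x, value in enumerate(row):
                if oy + y < len(out) and ox + x < len(out[0]):
                    out[oy + y][ox + x] = value
    return out


def corrupt_pixels(image: Frame) -> int:
    """Count pixels that differ from the background value."""
    return sum(1 for row in image for v in row if v != BLANK)


def stale_overlay_memory() -> Frame:
    """Constructed 32x32 block of never-initialised overlay memory: a diagonal
    line plus scattered dots, loosely resembling the symptom in the thread."""
    block = [[BLANK] * TILE for _ in range(TILE)]
    for i in range(TILE):
        block[i][i] = GARBAGE                    # diagonal line (32 pixels)
        if i % 5 == 0:
            block[i][TILE - 1 - i] = GARBAGE     # 7 dots on the other diagonal
    return block


def diagnose(fault: str) -> Dict[str, int]:
    """fault is 'none', 'overlay' (stale overlay injected at the top-left) or
    'framebuffer' (the same garbage written into the frame buffer itself)."""
    fb = make_frame_buffer()
    ov = stale_overlay_memory()
    if fault == "framebuffer":
        for y in range(TILE):
            fb[y][:TILE] = ov[y][:]
    displayed = scanout(fb, ov, enabled=(fault == "overlay"))
    return {"capture_corrupt": corrupt_pixels(screen_capture(fb)),
            "display_corrupt": corrupt_pixels(displayed)}
```

Only the frame-buffer fault is visible to a screen capture; the overlay fault is visible on the monitor alone, which is the behaviour reported earlier in the thread.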


#15 Zllio

Posted 05 July 2009 - 02:34 AM

Hi dharma_bear,

I went to the link Platypus posted and looked at that and it sounds like it's describing what's happening. The question still remains why it might be happening. While Platypus and DaChew are pursuing the hardware/software questions, I will add a few comments about the malware side. First I want to ask you, is the problem of the pixels gone now? You said it went away when you changed resolutions and stayed gone when you returned to the original resolution. Is it still gone? If so, then I believe the problem is corrected and that it was related to a corrupted file.

What is of more concern to me now is the combination of malware comments you made:
  • You mentioned that the one folder which was deleted was this one: c:\windows\Downloaded Program Files\Temp
  • After this folder was deleted, the problem with the pixels went away.
  • The ATF Cleaner options for Opera and Firefox are grayed out.
  • You cannot run BitDefender's online scan.

First I would like to ask you, when you tried to run BitDefender, did you make sure ActiveX was enabled? BitDefender requires the use of Internet Explorer and the installation of an ActiveX file so it can run. I recently ran into the problem that it no longer fully supports IE6, so if you tried to run it with IE6, that may explain the problem as well. If that is the problem, let me recommend another online scan further down.


Please do the following:

1) Check C:\windows\Downloaded Program Files\Temp and see if it appears in your Windows Explorer again. Make sure your computer is set to show hidden files and file extensions. Here are the instructions for that:



Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:

* Hide extensions for known file types
* Hide protected operating system files (Recommended)


You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:

* Show hidden files and folders

Click Apply and then click OK

If this folder C:\windows\Downloaded Program Files\Temp appears again, please open it and make a note of what's in it.


Also check the following two folders and if you find anything, empty out everything Windows allows you to empty (Note: It will not allow you to delete anything from the current day):
  • C:\Documents & Settings\your name\Local Settings\Temp
  • C:\Documents & Settings\your name\Local Settings\Temporary Internet Files

Then I would like for you to try a different online scan:



2) I would like for you to try a different online scan that can be run with Firefox.

For this scan, you need to have your Java updated. The current update is Java SE Runtime Environment (JRE) 6 Update 14. If this is not the version you have (you can see this in add/remove programs), please do the following:

Updating your Java

The newest Java download and installation should remove old versions of Java.

Please go to Current Java Download and do the following:
* Download the latest version of Java SE Runtime Environment (JRE) 6 Update 14.
* Click the "Download" button to the right.
* Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
* Click on Continue.
* Click on the link to download Windows Offline Installation (jre-6u14-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
* Close any programs you may have running - especially your web browser.
* Double-click on the Java installation program on your desktop and allow it to install the newest version.
(Vista users, right click on the jre-6u14-windows-i586-p.exe and select "Run as an Administrator.")
* Double click on the exe file which will look like: jre-6u14-windows-i586.exe
* The installation process will start. Follow the instructions accordingly
If the installation fails, please download the Microsoft Installer Clean Up utility file and save it to your desktop.
This tool will ensure that all irrelevant Java Runtime Environment Microsoft Installer (msi) registries are removed. Detailed information and download is available at: Description of the Windows Installer CleanUp Utility

Removal instructions:

* Download the Microsoft Installer Clean Up utility file and save it on your desktop
* Double click on executable file which will look like: jre-6u14-windows-i586.exe
* The installation process will start. Follow the instructions accordingly
* Once installation process is over, go to Start -> All Programs -> Run Windows Install Clean Up utility
* This will launch the Windows Installer Clean Up utility dialog box
* Under the Installed products list, select the desired Java version that you want to remove
* Click Remove and Exit



3) After you've completed the installation of Java, please run Trend Micro's online scan at Trend Micro HouseCall


Let me know how this goes? If anything is found, tell me.

Also, let me know if you decide not to continue because your computer is working.
Thanks.
Zllio




