What's Going On Here?

Page 2

ronbo613

Golden Member
Jan 9, 2010
1,237
45
91
This is pretty crazy; if you can solve this, update us with what you did.

I think I figured it out, but this was a real chore so I won't claim total victory until a few days of things going well.

If you got this far in the thread you know my graphics card was idling at 98% and falling to zero when the Task Manager or Process Explorer was open. Not that I ever hacked anything or produced malicious code, but if I was going to do so, I would have it work when you're not looking and stop when you are, which is what was happening here. There was nothing to see in the Task Manager or Process Viewers and no malicious files were detected by ESET NOD 32, MalwareBytes, MiniToolbox or SecurityCheck.

If I unplugged the computer network cable, the GPU usage went to zero, so I opened the Resource Monitor to the Network window and watched the network traffic as I toggled the Process Explorer program. When Process Explorer was closed, a program appeared in the network window; when Process Explorer was opened, that program disappeared. The program was wdm.exe.

I couldn't find too much information about it, but it is located at C:\Windows\SysWOW64\wdm.exe. Since I'm not sure about it quite yet, I renamed the file wdm.exe.XXXX until I'm sure it's the problem; then I'll delete it and clean up the registry.

And GRID Autosport that wasn't able to run at 800 x 600 at Ultra Low a couple days ago turns 88fps at 1920 x 1080.

Thanks to all of you for offering your insight and advice, it was a big help.

I believe I am going to have a beer.
 

VirtualLarry

No Lifer
Aug 25, 2001
56,570
10,202
126
Upload to VirusTotal.com, do an SHA-1 and MD5 of the .exe, and then google those hash numbers. Perhaps someone else came across this alleged malware too.
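
As an added example (this is not code from the thread or from any poster), here is a PowerShell script that does the triage VirtualLarry describes on the affected machine: it hashes the suspect file, checks its Authenticode signature, reads the version resource, and builds the VirusTotal lookup URL. It assumes the renamed file is still at the path ronbo613 gave, and that VirusTotal's web UI serves a file report at /gui/file/<sha256>; both are assumptions, not facts from the thread. Nothing here executes the file.

```powershell
# Added example, not code from the thread. Triage one suspect executable:
# hash it, check its Authenticode signature, and build the VirusTotal URL.
# Never run the suspect file itself; everything below only reads it.
param(
    # Assumed location: the renamed file from the thread. Renaming does not
    # change the hashes, but may stop the signature check recognising the PE.
    [string]$Path = "$env:windir\SysWOW64\wdm.exe.XXXX"
)

function Get-SuspectFileReport {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }
    $item = Get-Item -LiteralPath $Path

    # MD5 and SHA-1 are what older write-ups index on; SHA-256 is what VirusTotal keys on.
    $hashes = @{}
    foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
        $hashes[$alg] = (Get-FileHash -LiteralPath $Path -Algorithm $alg).Hash.ToLower()
    }

    # A genuine Windows component carries a valid Microsoft signature. 'NotSigned'
    # or 'HashMismatch' on a file posing as one is a strong red flag.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }

    [pscustomobject]@{
        Path        = $item.FullName
        SizeBytes   = $item.Length
        Created     = $item.CreationTime
        Modified    = $item.LastWriteTime
        Company     = $item.VersionInfo.CompanyName
        Description = $item.VersionInfo.FileDescription
        MD5         = $hashes['MD5']
        SHA1        = $hashes['SHA1']
        SHA256      = $hashes['SHA256']
        SigStatus   = $sig.Status
        Signer      = $signer
        # Assumed URL shape for VirusTotal's web report; search the other hashes too.
        VirusTotal  = "https://www.virustotal.com/gui/file/$($hashes['SHA256'])"
    }
}

Get-SuspectFileReport -Path $Path | Format-List
```

Run it from an elevated PowerShell prompt so the file in SysWOW64 is readable. If the signature check comes back NotSigned on a renamed copy, restore the original name on a copy of the file before trusting that result; the hashes are valid either way, and a VirusTotal result of "file not found" just means nobody has uploaded it yet, which is itself worth knowing.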
 

ronbo613

Golden Member
Jan 9, 2010
1,237
45
91
Upload to VirusTotal.com, do an SHA-1 and MD5 of the .exe, and then google those hash numbers. Perhaps someone else came across this alleged malware too.

Great idea. I think I uploaded half the programs in my computer there in the past couple days. If I got it, so does somebody else.
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
31,516
167
106
If I unplugged the computer network cable, the GPU usage went to zero, so I opened the Resource Monitor to the Network window and watched the network traffic as I toggled the Process Explorer program. When Process Explorer was closed, a program appeared in the network window; when Process Explorer was opened, that program disappeared. The program was wdm.exe.
Very sneaky indeed. Shintai, you get an e-cookie for this.

dwm.exe is the Desktop Window Manager, a standard component of Vista and later. By naming it wdm.exe the author is clearly trying to fly below the radar by hoping no one notices the misspelling. Furthermore, dwm is only located under System32; SysWOW64 does not have a copy, since you would never need to run a 32-bit version of it on a 64-bit system.

I'm glad that you found it. However, considering that no AV tools so far have been able to locate it, I would be concerned that there may be additional malware on your system that you have yet to discover. A full wipe and clean install is still your best option at this time.

Anyhow, along with submitting it to VirusTotal, I'd suggest submitting it to Microsoft as well.

https://www.microsoft.com/security/portal/submission/submit.aspx

If it gets into the Windows Defender definition update, then that would wipe out a large number of installations practically overnight.
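
As an added example (not ViRGE's code, and not from the thread), here is a PowerShell script that turns the two clues in this post into a repeatable check on a 64-bit Windows machine: it scans System32 and SysWOW64 for executables whose name is one edit away from a real Windows component (a swapped pair of letters, as in wdm versus dwm, or one character changed, added or dropped) and reports their signature status, then lists established TCP connections by owning process, which is the Resource Monitor view ronbo613 used to catch the file. The list of well-known system binaries is a hand-picked assumption, not an inventory of Windows, and a hit means "look closer", not "malware".

```powershell
# Added example, not code from the thread. Two checks ViRGE's post suggests,
# plus the network view ronbo613 used, in one script for a 64-bit Windows box.
# The "well-known" list below is a hand-picked assumption, not an inventory.

$KnownSystemBinaries = @(
    'dwm.exe', 'svchost.exe', 'csrss.exe', 'lsass.exe', 'winlogon.exe',
    'explorer.exe', 'services.exe', 'smss.exe', 'wininit.exe', 'conhost.exe',
    'taskhostw.exe', 'spoolsv.exe', 'rundll32.exe'
)

# True when $a becomes $b by one substitution, insertion, deletion or
# adjacent transposition (wdm.exe <-> dwm.exe is a transposition).
function Test-OneEditApart {
    param([string]$a, [string]$b)
    $a = $a.ToLowerInvariant(); $b = $b.ToLowerInvariant()
    if ($a -eq $b) { return $false }
    if ([math]::Abs($a.Length - $b.Length) -gt 1) { return $false }

    if ($a.Length -eq $b.Length) {
        $diff = @()
        for ($i = 0; $i -lt $a.Length; $i++) { if ($a[$i] -ne $b[$i]) { $diff += $i } }
        if ($diff.Count -eq 1) { return $true }   # single substitution
        # exactly two adjacent positions differ and are swapped: transposition
        return ($diff.Count -eq 2 -and $diff[1] -eq ($diff[0] + 1) -and
                $a[$diff[0]] -eq $b[$diff[1]] -and $a[$diff[1]] -eq $b[$diff[0]])
    }

    # Lengths differ by one: the longer string minus one character equals the shorter.
    if ($a.Length -lt $b.Length) { $short = $a; $long = $b } else { $short = $b; $long = $a }
    for ($i = 0; $i -lt $long.Length; $i++) {
        if ($long.Remove($i, 1) -eq $short) { return $true }
    }
    return $false
}

# Scan both system directories for executables that impersonate a known name.
function Find-LookalikeBinaries {
    $dirs = @("$env:windir\System32", "$env:windir\SysWOW64")
    foreach ($dir in $dirs) {
        $files = Get-ChildItem -LiteralPath $dir -Filter *.exe -File -ErrorAction SilentlyContinue
        foreach ($file in $files) {
            foreach ($known in $KnownSystemBinaries) {
                if (-not (Test-OneEditApart $file.Name $known)) { continue }
                $sig = Get-AuthenticodeSignature -FilePath $file.FullName
                [pscustomobject]@{
                    Directory = $dir
                    Name      = $file.Name
                    LooksLike = $known
                    SigStatus = $sig.Status
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
                    Modified  = $file.LastWriteTime
                }
            }
        }
    }
}

# Attribute established TCP connections to their owning process (Windows 8 /
# Server 2012 and later for Get-NetTCPConnection). Run with Task Manager and
# Process Explorer closed, since the sample in the thread went quiet when
# either was open.
function Get-ConnectionsByProcess {
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            PID     = $_.OwningProcess
            Process = if ($proc) { $proc.ProcessName } else { '?' }
            Image   = if ($proc -and $proc.Path) { $proc.Path } else { '?' }
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    } | Sort-Object Process, PID
}

Find-LookalikeBinaries  | Format-Table -AutoSize
Get-ConnectionsByProcess | Format-Table -AutoSize
```

Run it elevated, otherwise the image path of system-owned processes comes back empty. Anything the first table lists as NotSigned, or signed by someone other than Microsoft, is what to hash and submit; in the second table, look for a process name in the SysWOW64 or a user-writable directory holding a connection you cannot explain, and expect the list to change depending on whether a task-manager-style tool is open, exactly as ronbo613 observed.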
 

ronbo613

Golden Member
Jan 9, 2010
1,237
45
91
dwm.exe is the Desktop Window Manager, a standard component of Vista and later. By naming it wdm.exe the author is clearly trying to fly below the radar by hoping no one notices the misspelling. Furthermore, dwm is only located under System32; SysWOW64 does not have a copy, since you would never need to run a 32-bit version of it on a 64-bit system.

I'm glad that you found it. However considering that no AV tools so far have been able to locate it, I would be concerned that there may be additional malware on your system that you have yet to discover. A full wipe and clean install is still your best option at this time.

Yes, the dwm.exe vs. wdm.exe made this bit of troubleshooting a little more challenging, especially since both programs manipulate graphics in some way. Location of suspect files is a major clue, since most malware is packaged as a .dll or .exe file; those types of files are everywhere and there are lots of them. If it were not for the unexplained high GPU usage detected only by specific GPU monitoring software, I probably never would have found it. An average computer user who was just cruising the internet with a basic computer would never know this malware was there; they would probably just think "the internet was slow".

It must be a fairly sophisticated setup to steal small bits of GPU processing capability and make them do something useful. It's too bad I don't have the capability to find out where the stuff is going and maybe send along a little something more than a packet of processing. I'm going to consult a couple of friends and see if we can get something out of that wdm.exe file.

The lesson here is to realize that the best antivirus, anti-malware programs and firewalls are not going to stop everything. The bad guys are always going to be a half step ahead of the good guys, so be careful.
 

KingFatty

Diamond Member
Dec 29, 2010
3,034
1
81
Nice detective work - very clever thinking to use the network monitor tool while also using the process explorer as a toggle to switch the malware on and off.
 

ShintaiDK

Lifer
Apr 22, 2012
20,378
145
106
Never have complete faith in anti malware/virus etc.

Logic demanded mining malware. I am happy you found it.

The taskmgr part was clever, yet very telling when you can run games/benches in windowed.
 

ronbo613

Golden Member
Jan 9, 2010
1,237
45
91
Furthermore dwm is only located under System32; SysWOW64 does not have a copy since you would never need to run a 32 bit version of it on a 64 bit system
Since this malware was placed in the SysWOW64 directory, are computers with 64 bit operating systems being targeted, perhaps because the hacker thinks that computer owners with these operating systems will have higher end components, including more powerful video cards with more GPU power to steal?
 

ShintaiDK

Lifer
Apr 22, 2012
20,378
145
106
Possible. Or because they need 64-bit to fully utilize the miner. Or the exploit simply works that way.
 