Malware code execution from zip/rar archive

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
977
Hello!!
Is there any possibility for my Windows system to be infected if I copy a zip or rar archive from a Linux installation (on the same PC) to my Windows desktop folder, when the archive contains real virus exe's? I did it with a malware archive that I downloaded from the malware hub of the forum (Interesting New Malware 14 Samples) to check my scanners' detection rate myself.
I asked this question because, before booting into my Linux installation, I accidentally loaded Windows first, and pressed Ctrl+Alt+Delete to do an immediate reboot after one or two seconds of the Windows 8 loading screen. I know I must not do this, but I did it. After downloading the file and copying it to the Windows Desktop (from Linux) I booted into Windows and realized the following:
Eset SS could not start (error communicating with kernel), WSA was ok. I use both apps in real time.
Task manager could not be opened.
Command prompt could open only without admin privileges.
services.msc could not start.
The menu at the right (settings etc in Windows 8) appeared but when clicked settings it did nothing.
I didn't do anything with the archive except deleting it with Shift+Delete.

I checked for integrity violations (sfc /scannow) and it did not find anything wrong. Also, I scanned with WSA, MBAM (quick scan), hitman pro in safe mode and they did not find any malware.
In the end, I reset system policies via the WSA interface, and after a reboot in normal mode Task Manager and all the above were OK again.
For sure, after that I did a system restore to some time ago, so it's all right now.
I suppose the problem was the immediate reboot I did, as it is said to be rare to be infected in such a way... But I am not sure, so I want your help.
Thank you and sorry for my English.
 

Fiery

Level 1
Jan 11, 2011
2,007
I don't think malware can execute from archives since they need to be unpacked first. For that to happen, you need an executable or a .scr or .com file to be run first.
 

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
977
Fiery said:
I don't think malware can execute from archives since they need to be unpacked first. For that to happen, you need an executable or a .scr or .com file to be run first.
Thanks for your info!
 

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
977
Update!
I reinstalled Eset (WSA is there until the system restore) today and after some time I realized that Eset had frozen. I tried to sign out but it was stuck on the "signing out" screen. After the reboot I see exactly the same symptoms as I described in my previous comment! Why does this happen? I need your help!
Thank you again!
 

Fiery

Level 1
Jan 11, 2011
2,007
Sorry, I don't use ESET so I'm not sure what you mean by "signing out." Or do you mean signing/logging off of Windows?

Are you having issues with services.msc again?
 

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
977
Yes, I mean logging out of Windows. Yes, I have issues with services.msc, gedit, msconfig, gpedit.msc. Control Panel does not work well either. It shows the window but nothing inside. If I boot in safe mode they can start. Also ticking "reset system policies" and then Run Tools from the WSA interface does not do anything this time. God bless WSA, which allows me to boot into safe mode via its option! I don't know any other way to do it at the moment :p Fortunately I have a Linux installation working and I can download anything needed, as Chrome could not download anything from Windows in normal mode..
 

Fiery

Level 1
Jan 11, 2011
2,007
Let's see if those registry entries were replaced:

Download & SAVE to your Desktop RogueKiller from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7/8, right-click and select Run as Administrator to start
  • Wait until Prescan has finished, then click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
 

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
977
RogueKiller V8.4.4 [Feb 5 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 8 (6.2.9200 ) 64 bits version
Started in : Safe mode with network support
User : Nikos [Admin rights]
Mode : Scan -- Date : 02/07/2013 18:23:52
| ARK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 12 ¤¤¤
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (93.189.28.106:80) -> FOUND
[HJPOL] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKCU\[...]\System : DisableCMD (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\System : DisableCMD (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableTaskMgr (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableRegistryTools (0) -> FOUND
[HJPOL] HKLM\[...]\Wow6432Node\System : DisableCMD (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts



¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST3750528AS +++++
--- User ---
[MBR] 2813ec722610dc391176a11d6d18959e
[BSP] 50f181a794c0b0d45a289c4900e89981 : Windows 7/8 MBR Code
Partition table:
0 - [XXXXXX] EXTEN (0x05) [VISIBLE] Offset (sectors): 2046 | Size: 160000 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 327682048 | Size: 390000 Mo
2 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 1126402048 | Size: 165402 Mo
User = LL1 ... OK!
User = LL2 ... OK!

+++++ PhysicalDrive1: WDC WD1002FAEX-00Z3A0 +++++
--- User ---
[MBR] f4046cdb4da4ef072279083dc5c279c1
[BSP] 404f1db506daa3f8afaa1307877595c2 : Linux MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_02072013_02d1823.txt >>
RKreport[1]_S_02072013_02d1823.txt
 
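The [HJPOL] lines in the RogueKiller report above are Windows policy values that disable Task Manager, registry tools and the command prompt; on a normal home PC those values do not exist at all, so RogueKiller flags them even at 0. As an added example (not from the thread, not RogueKiller's own code), this PowerShell snippet lists those values directly. The report abbreviates the key paths with [...]; the full paths below are assumed from the standard Windows policy locations.

```powershell
# Added example: enumerate the DisableTaskMgr / DisableRegistryTools / DisableCMD
# policy values that RogueKiller reported as [HJPOL]. Key paths are assumed
# (the report shows them abbreviated as HKCU\[...]\System etc.).
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKCU:\Software\Policies\Microsoft\Windows\System',   # DisableCMD via Group Policy
    'HKLM:\Software\Policies\Microsoft\Windows\System'
)
$valueNames = 'DisableTaskMgr', 'DisableRegistryTools', 'DisableCMD'

$findings = foreach ($key in $policyKeys) {
    if (-not (Test-Path $key)) { continue }      # key absent: nothing set here
    $props = Get-ItemProperty -Path $key
    foreach ($name in $valueNames) {
        # Only report values that actually exist in the key
        if ($null -ne $props.PSObject.Properties[$name]) {
            [pscustomobject]@{
                Key   = $key
                Name  = $name
                Value = $props.$name
                # The value normally does not exist; a 0 still means something created it
                Note  = if ($props.$name -ne 0) { 'ACTIVE restriction' } else { 'present but 0' }
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No Disable* policy values found in the checked keys.'
}

# Optional cleanup (run elevated): remove the values rather than setting them to 0,
# so the keys return to their default state where the value is absent.
# $findings | ForEach-Object { Remove-ItemProperty -Path $_.Key -Name $_.Name -Verbose }
```

Run it from an elevated PowerShell in safe mode, as the thread does for its other scans; the HKCU entries apply to the currently logged-on user only, so check each account that shows the symptoms.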

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
977
I want to add that the proxy that you see in the log was used by me; it's not something set by a virus.
 

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
977
I just checked with Hitman Pro and it found the following:

Boot Configuration Data (BCD) WinPE mode
HKLM\BCD00000000\Objects\{0ce4991b-e6b3-4b16-b23c- 5e0d9250e5d9}\Elements\26000022\
 

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
977
I reinstalled Windows from the beginning, so I won't need any help. Thank you for your interest and your will to help me, Fiery! I believe it was some kind of rootkit. Before formatting, I checked with the GMER antirootkit and it showed the csrss.exe file in the results, and another one like RNG@RNGAuxiliary in the registry. The strange thing is that I checked in safe mode with many antirootkit tools and scanners and they did not find a thing..
 

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
977
From this problem, and one or two similar ones that I had some years ago (the only times a virus bypassed the AV), I learned that if a virus manages to infect the system the AVs suck! Where is proactive detection, heuristics, self protection blah blah? Eset could not even start and Webroot, while working OK, did not show any warning. All the other second-opinion scanners and antirootkits had no better luck; just RogueKiller and Hitman Pro found one or two malware remnants.. This incident made me disappointed and disgusted about AV companies and the fact that we must pay many of them to have one or two years of protection. So, I will never ever pay any AV vendor; only use free AVs and my common sense...and the fantastic free promos that you post in the forum xD
 

Fiery

Level 1
Jan 11, 2011
2,007
Nikos751 said:
From this problem, and one or two similar ones that I had some years ago (the only times a virus bypassed the AV), I learned that if a virus manages to infect the system the AVs suck! Where is proactive detection, heuristics, self protection blah blah? Eset could not even start and Webroot, while working OK, did not show any warning. All the other second-opinion scanners and antirootkits had no better luck; just RogueKiller and Hitman Pro found one or two malware remnants.. This incident made me disappointed and disgusted about AV companies and the fact that we must pay many of them to have one or two years of protection. So, I will never ever pay any AV vendor; only use free AVs and my common sense...and the fantastic free promos that you post in the forum xD

I just want to clarify. You have reinstalled Windows and your problem no longer exists, is that correct?

I don't use ESET so I can't comment on its protection. I recommend getting some behavioural protection or something that doesn't require signatures. For example, Sandboxie or Comodo Firewall is the best protection you can get for free (in my opinion).

Though I would caution you that Comodo firewall is difficult to use.
 

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
977
I reinstalled Windows and my problem no longer exists, yes :) It's likely you are reading my mind! Just before I checked my mail for any notification I was in the middle of installing Comodo xD It's a bit advanced but I've used it before and I believe I can handle it.
 

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
977
I installed WSA and Comodo Internet Security Premium. In the installation (Comodo) options I set it to show as few warnings as possible. After installing, I unticked the two "do not show popup alerts" options in the HIPS, firewall settings and realtime scan categories of settings. Also I've followed Umbra Corp.'s guide for running WSA with other AVs. Is my current configuration OK?
Thanks!
 

Deleted member 178

If you followed my guide, it is ok :D

I prefer to allow popups in every module; at least I know that I have full control of what is blocked/allowed.
 

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
977
I am sure it is OK ;D I asked the question to be sure about my Comodo notifications configuration.. Does the option before installing refer to the ones that I've changed afterwards?
 

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
977
Sorry for my continuous questions.. One last.. What preset is better for me now, Proactive security or Internet security?
 

Nikos751

Level 20
Thread author
Verified
Malware Tester
Feb 1, 2013
977
Thank you again :) My only (not major) problem is that when a file is (first) quarantined by Comodo and can be detected by both products as a virus (tested with EICAR), Webroot is able to detect it in Comodo's quarantine folder and put it into its own quarantine (though it does not seem to have a special folder for items). It's a bit annoying and I cannot exclude the folder via WSA, as WSA does not offer such an option..
 
