Jump to content

xxyyxx

Members
  • Posts

    4
  • Joined

  • Last visited

Reputation

0 Neutral
  1. Windows resource protection did not find any integrity violations.
  2. Thanks in advance, Ron. I also found that my explorer.exe location is in Windows/explorer.exe and not syswow.. FRST.txt registrymwb.txt AdwCleaner[S0].txt
  3. I've been struggling with malware that keeps coming back to my Windows install. This Windows install is not clean because I haven't had the need to use it since I use Debian as my main OS This is the second time I do a Windows restore since everytime I try to clean dlls the system breaks down I've used malwarebytes, spybot search and destroy and I get a clean analysis so I tried to use boot up recovery disks, sfc /scannow and lastly "Unhack me" where I could see the suspicious files but manually since the programs above trust all "Trusted installer " signed files and processes, after that I used SVChostanalyzer and Security Task Manager and realized suspicious instructions inside of wininit.exe, services.exe, lsass.exe ,one of them being a on purpose BSOD when you kill a certain process so that the rootkit can backup itself, another being a programmed memory.dmp creation instruction and as usually many instances of svchost.exe are not a good sign. I uploaded two of these files to Hybrid-Analysis (online sandbox analyzer) ; svchost.exe Which showed header timestamps into the future (2050) and forged Microsoft signatures Inside of lsass.exe I found TCP connections an Ip which seems to be part of Akamai-Technologies I already know that the best option is to make a clean and secure install in this partition but I wanted to know if this is could possibly be work of an enteprise stealing data or just maybe someone who is playing with tools and tunneling this to that Ip, I would gladly receive any counsel, comment or help for this issue if there was any to kill this malware without the cleanup. Thanks svchost.txt lsass.txt
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.