I've been struggling with malware that keeps coming back to my Windows install.
This Windows install is not clean because I haven't had the need to use it, since I use Debian as my main OS.
This is the second time I do a Windows restore, since every time I try to clean DLLs the system breaks down.
I've used Malwarebytes and Spybot Search and Destroy and I get a clean analysis, so I tried boot-up recovery disks, sfc /scannow and lastly "UnHackMe", where I could see the suspicious files, but only manually, since the programs above trust all "Trusted Installer"-signed files and processes. After that I used SVChostanalyzer and Security Task Manager and realized there were suspicious instructions inside of wininit.exe, services.exe and lsass.exe, one of them being an on-purpose BSOD when you kill a certain process so that the rootkit can back itself up, another being a programmed memory.dmp creation instruction, and as usual, many instances of svchost.exe are not a good sign.
I uploaded two of these files to Hybrid-Analysis (online sandbox analyzer); svchost.exe showed header timestamps into the future (2050) and forged Microsoft signatures.
Inside of lsass.exe I found TCP connections to an IP which seems to be part of Akamai Technologies.
I already know that the best option is to make a clean and secure install in this partition, but I wanted to know if this could possibly be the work of an enterprise stealing data or just maybe someone who is playing with tools and tunneling this to that IP. I would gladly receive any counsel, comment or help for this issue if there was any way to kill this malware without the cleanup. Thanks.
svchost.txt
lsass.txt
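As an added example (not code from the original post or its attachments), here is a Python check for the header-timestamp indicator the poster describes: it reads the COFF TimeDateStamp of a PE image and flags stamps in the future (like the 2050 value seen in the sandbox report) or before 1990. The sample PE bytes are constructed inline and are not the poster's files.

```python
"""Flag implausible compile timestamps in a PE header (added example)."""
import struct
from datetime import datetime, timezone

E_LFANEW_OFFSET = 0x3C  # DOS header field holding the offset of "PE\0\0"
# Constructed reference value: 2050-01-01 UTC, a stamp that lies in the future
FUTURE_STAMP_2050 = int(datetime(2050, 1, 1, tzinfo=timezone.utc).timestamp())


def read_pe_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp (seconds since the Unix epoch)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def timestamp_is_suspicious(timestamp: int, now=None) -> bool:
    """True for stamps in the future or before 1990 (zeroed/bogus values)."""
    now = now or datetime.now(timezone.utc)
    stamp = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return stamp > now or stamp.year < 1990


def build_fake_pe(timestamp: int) -> bytes:
    """Construct a minimal headers-only PE stub with the given TimeDateStamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)  # PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    sample = build_fake_pe(FUTURE_STAMP_2050)  # constructed sample, not a real binary
    ts = read_pe_timestamp(sample)
    print(datetime.fromtimestamp(ts, tz=timezone.utc), "suspicious:", timestamp_is_suspicious(ts))
```

To run it over a real file, pass `open(path, "rb").read()` to `read_pe_timestamp`; note that a plausible timestamp proves nothing on its own, since it is trivially editable, while an implausible one is only a lead to confirm with signature validation and a hash lookup.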